[{"assets":[{"id":"1TaBnImYgTebDlQuPQWOph","url":"https://github.com/HathorNetwork/hathor-wallet","type":"websites_and_applications","addedAt":"2023-03-06T18:13:40.442Z","revision":0,"description":"Desktop wallet","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1azUEn0aB0KceObUYb2jOy","url":"https://github.com/HathorNetwork/hathor-wallet-mobile","type":"websites_and_applications","addedAt":"2023-03-06T18:13:27.564Z","revision":0,"description":"Mobile wallet","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7BhJhDGfSbfYOq16jj0BiE","url":"https://github.com/HathorNetwork/hathor-wallet-lib","type":"websites_and_applications","addedAt":"2023-03-06T18:13:12.671Z","revision":0,"description":"wallet-lib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7H0YCXhiS5eqVsHkj97x4u","url":"https://github.com/HathorNetwork/hathor-core","type":"blockchain_dlt","addedAt":"2023-03-06T18:12:56.364Z","revision":0,"description":"Blockchain/DLT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7zSkdE3D8FGCq0y6nCazhD","url":"https://github.com/HathorNetwork/hathor-wallet-headless","type":"websites_and_applications","addedAt":"2023-03-06T18:13:55.111Z","revision":0,"description":"Headless wallet","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Only the latest release is in scope for Blockchain/DLT and Web/App assets. You can access the latest release for a repository by adding \"releases/latest\" to the end of a repository's URL.\n\nNever run tests on Hathor's production environments such as the mainnet. If you believe your attack would only work in our production environment, get in touch with us at security@hathor.network. \n\nAll config and test files are considered as out-of-scope of this bug bounty program. \n\nhathor-core/hathor/wallet is out-of-scope.  
[https://github.com/HathorNetwork/hathor-core/tree/master/hathor/wallet](https://github.com/HathorNetwork/hathor-core/tree/master/hathor/wallet)\n\nNano Contracts have been launched in a controlled rollout. They currently have neither fees nor proper sandboxing. For that reason, users cannot freely send contracts (blueprints, the code that runs nano contracts) to the network. Everything is reviewed by Hathor Labs before being added to the network. Therefore, reports such as unbounded loops or unmetered resources are not valid for nano contracts. The nano contracts code is here: [https://github.com/HathorNetwork/hathor-core/tree/master/hathor/nanocontracts](https://github.com/HathorNetwork/hathor-core/tree/master/hathor/nanocontracts)\n\nAll code of Hathor Network can be found at [https://github.com/HathorNetwork](https://github.com/HathorNetwork). However, only the repositories listed in the Assets in Scope table are considered in scope for the bug bounty program.\n\nDocumentation and instructions for building a PoC can be found here:\n- [https://hathor.gitbook.io/hathor/](https://hathor.gitbook.io/hathor/)\n- [https://github.com/HathorNetwork/rfcs/blob/master/text/0033-private-network-guide.md](https://github.com/HathorNetwork/rfcs/blob/master/text/0033-private-network-guide.md)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["JavaScript","Python"],"launchDate":"2023-03-15T19:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5jW460UDYEbPDo4PZAOuZE/dd602e17d4ff01851c727c387eeecc5a/KEBPir98_400x400.jpg","maxBounty":20000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - low","websites_and_applications - 
critical"],"primaryPaymentWallet":"OtherNonEVML1","prioritizedVulnerabilities":"_blank_","productType":["L1","Wallet"],"programOverview":"Hathor is a digital platform for financial transactions and contracts with a unique combination of high scalability and high decentralization. It creates the perfect environment for multiple use cases where scale, efficiency, long-term security, and censorship-resistance through network distribution combined are needed or can drastically cut current costs and bureaucracy.\n\nFor more information about Hathor Network, please visit [https://hathor.network/  ](https://hathor.network/)","programType":["Websites and Applications","Blockchain/DLT"],"project":"Hathor Network","projectType":["Blockchain"],"rewardsBody":"All Blockchain/DLT and Web/App bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. Bug reports are required to include a runnable PoC in order to prove impact. Exceptions may be made in cases where the vulnerability is objectively evident from simply mentioning the vulnerability and where it exists. However, the bug reporter may be required to provide a PoC at any point in time.\n\nHathor Labs requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is a government ID and proof of address.\n\nUnlike other bug bounty programs on Immunefi, all bug report submissions, including associated vulnerabilities, become the exclusive property of Hathor Labs. By making a submission to this program and in consideration for a bounty, the bug submitter conveys all ownership rights, titles, and interests in the bug report to Hathor Labs. Thus, the final decision on whether a postmortem will be written is at the sole discretion of Hathor Labs.\n\nPayouts are handled by the __Hathor Labs__ team directly and are denominated in USD. 
However, payouts are done in __HTR__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"HTR","slug":"hathornetwork","tenPercentEconomicRule":false,"updatedDate":"2026-04-02T21:00:03.628Z","impactsBody":null,"websiteUrl":"https://hathor.network/","githubUrl":"https://github.com/HathorNetwork","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Hathor is a digital platform for financial transactions and contracts with a unique combination of high scalability and high decentralization. It creates the perfect environment for multiple use cases where scale, efficiency, long-term security, and censorship-resistance through network distribution combined are needed or can drastically cut current costs and bureaucracy.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"Attacks that cost significantly more to execute than their expected payoff will not be eligible for rewards. For example, mining a block on the network is expensive due to the high hash rate. If an attack relies on producing a block but offers no financial benefit to the attacker, it will not be eligible for rewards.","customProhibitedActivities":[],"impacts":[{"id":3945,"type":"blockchain_dlt","severity":"critical","title":"Creation of tokens, including HTR, without following blockchain and consensus rules"},{"id":6043,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":6044,"type":"blockchain_dlt","severity":"high","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":6045,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system 
commands"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"}],"rewards":[{"id":44139,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":20000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":44140,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":10000,"rewardModel":"fixed"},{"id":44141,"primacy":null,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":44142,"primacy":null,"severity":"critical","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"}],"audits":[{"id":"1329","url":"https://www.halborn.com/audits/hathor-labs-hathor-network/nano-contracts-c4e9b1","auditor":"Halborn","date":"2025-08-01T00:00:00.000Z"}]},{"assets":[{"id":"7eMscTV8uIHjJ6Yo8TWAyE","url":"https://app.granite.world/","type":"websites_and_applications","addedAt":"2026-01-20T13:47:10.617Z","revision":0,"description":"Front end App for 
Granite","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1IfHzarGbzLWnUdacngRcA","url":"https://explorer.hiro.so/txid/SP1CGXWEAMG6P6FT04W66NVGJ7PQWMDAC19R7PJ0Y.pyth-traits-v2?chain=mainnet","type":"smart_contract","addedAt":"2025-09-19T13:59:56.598Z","revision":0,"description":"pyth-traits-v2.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ObLcODhPTEbfFJShZWMl2","url":"https://explorer.hiro.so/txid/SP35E2BBMDT2Y1HB0NTK139YBGYV3PAPK3WA8BRNA.constants-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-02-12T10:43:56.385Z","revision":0,"description":"constants-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"23niITp3y9we0NvAEcIPdQ","url":"https://explorer.hiro.so/txid/SP1CGXWEAMG6P6FT04W66NVGJ7PQWMDAC19R7PJ0Y.pyth-governance-v3?chain=mainnet","type":"smart_contract","addedAt":"2025-09-19T13:59:54.872Z","revision":0,"description":"pyth-governance-v3.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2WJ5gSeR989VA4OV4RoHWe","url":"https://explorer.hiro.so/txid/SP26NGV9AFZBX7XBDBS2C7EC7FCPSAV9PKREQNMVS.pyth-adapter-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-09-05T07:23:51.550Z","revision":0,"description":"pyth-adapter-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2XnPSkbRuWHUBO4kL60rjG","url":"https://explorer.hiro.so/txid/SP35E2BBMDT2Y1HB0NTK139YBGYV3PAPK3WA8BRNA.constants-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-09-05T07:23:51.558Z","revision":0,"description":"constants-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3597paDdeF6tf9QPZcE6is","url":"https://explorer.hiro.so/txid/SP1CGXWEAMG6P6FT04W66NVGJ7PQWMDAC19R7PJ0Y.pyth-pnau-decoder-v3?chain=mainnet","type":"smart_contract","addedAt":"2025-09-19T13:59:56.482Z","revision":0,"description":"pyth-pnau-decoder-v3.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3QeHeE6xiuXeAoC25tJCVi","url":"https://explorer.hiro.so/txid/SP1CGXWEAMG6P6FT04W66NVGJ7PQWMDAC19R7PJ0Y.wormhole-core-v4?chain=mainnet"
,"type":"smart_contract","addedAt":"2025-09-19T13:59:54.865Z","revision":0,"description":"wormhole-core-v4.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3yTkuuj6Y78Vl0FjBvDaxm","url":"https://explorer.hiro.so/txid/SP26NGV9AFZBX7XBDBS2C7EC7FCPSAV9PKREQNMVS.governance-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-09-05T07:23:51.556Z","revision":0,"description":"governance-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"44c0kYgjUT7NqZnKUX5e13","url":"https://explorer.hiro.so/txid/SP35E2BBMDT2Y1HB0NTK139YBGYV3PAPK3WA8BRNA.math-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-02-12T10:45:34.232Z","revision":0,"description":"math-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"44mgTU2SCDIaEdzVyC0IQ7","url":"https://explorer.hiro.so/txid/SP3BJR4P3W2Y9G22HA595Z59VHBC9EQYRFWSKG743.constants-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-09-05T07:23:53.111Z","revision":0,"description":"constants-v2.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5QDpLpBK8Sn9uzV3uqsD7W","url":"https://explorer.hiro.so/txid/SP26NGV9AFZBX7XBDBS2C7EC7FCPSAV9PKREQNMVS.borrower-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-09-05T07:23:51.561Z","revision":0,"description":"borrower-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5h3c1q3agpo28w6PGKYwrp","url":"https://explorer.hiro.so/txid/SP26NGV9AFZBX7XBDBS2C7EC7FCPSAV9PKREQNMVS.flash-loan-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-09-05T07:23:51.567Z","revision":0,"description":"flash-loan-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5rGkFcGnoobYOR9fRbyx68","url":"https://immunefi.com","type":"smart_contract","addedAt":"2025-02-12T10:47:26.008Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"61vUMUkMfcaOLH5QV453xw","url":"https://explorer.hiro.so/txid/SP35E2BBMDT2Y1HB0NTK139YBGYV3PAPK3WA8BRNA.meta-governance-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-02-12T10:44:52.611Z","revision":0,"description":"meta-governance-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6HitUmyuJaeXksSJy3R3gG","url":"https://explorer.hiro.so/txid/SP1CGXWEAMG6P6FT04W66NVGJ7PQWMDAC19R7PJ0Y.wormhole-traits-v2?chain=mainnet","type":"smart_contract","addedAt":"2025-09-19T13:59:54.867Z","revision":0,"description":"wormhole-traits-v2.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6isLBKQuM1m8VPrbzfmzr","url":"https://explorer.hiro.so/txid/SP26NGV9AFZBX7XBDBS2C7EC7FCPSAV9PKREQNMVS.liquidator-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-09-05T07:23:51.555Z","revision":0,"description":"liquidator-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6u9HNjpsU7f7YRlPdSElm3","url":"https://explorer.hiro.so/txid/SP35E2BBMDT2Y1HB0NTK139YBGYV3PAPK3WA8BRNA.state-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-02-12T10:45:05.434Z","revision":0,"description":"state-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7E3kcFcbGoWtkIrwCZvys4","url":"https://explorer.hiro.so/txid/SP3BJR4P3W2Y9G22HA595Z59VHBC9EQYRFWSKG743.staking-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-09-05T07:23:51.567Z","revision":0,"description":"staking-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7c0oLmpTkjrLgM6WEsQ75K","url":"https://explorer.hiro.so/txid/SP26NGV9AFZBX7XBDBS2C7EC7FCPSAV9PKREQNMVS.withdrawal-caps-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-09-05T07:23:53.172Z","revision":0,"description":"withdrawal-caps-v1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"D1PVcksVzYtuYf0U4o688","url":"https://explorer.hiro.so/txid/SP26NGV9AFZBX7XBDBS2C7EC7FCPSAV9PKREQNMVS.liquidity-provider-v1?chain=mainnet","type":"smart_c
ontract","addedAt":"2025-09-05T07:23:53.228Z","revision":0,"description":"liquidity-provider-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"I9iWaAVd87KXObHnPJ2YD","url":"https://explorer.hiro.so/txid/SP1CGXWEAMG6P6FT04W66NVGJ7PQWMDAC19R7PJ0Y.pyth-governance-v3?chain=mainnet","type":"smart_contract","addedAt":"2025-09-19T13:59:55.020Z","revision":0,"description":"pyth-governance-v3.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"KpjYg6xHawrPeDlc4pcHC","url":"https://explorer.hiro.so/txid/SP1CGXWEAMG6P6FT04W66NVGJ7PQWMDAC19R7PJ0Y.pyth-oracle-v4?chain=mainnet","type":"smart_contract","addedAt":"2025-09-19T13:59:54.876Z","revision":0,"description":"pyth-oracle-v4.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"iHjQ8r82QBhtJFsfP5QLl","url":"https://explorer.hiro.so/txid/SP35E2BBMDT2Y1HB0NTK139YBGYV3PAPK3WA8BRNA.linear-kinked-ir-v1?chain=mainnet","type":"smart_contract","addedAt":"2025-02-12T10:45:19.646Z","revision":0,"description":"linear-kinked-ir-v1.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"tZvW7CgeHq5Rz5ZNgTs79","url":"https://explorer.hiro.so/txid/SP1CGXWEAMG6P6FT04W66NVGJ7PQWMDAC19R7PJ0Y.pyth-storage-v4?chain=mainnet","type":"smart_contract","addedAt":"2025-09-19T13:59:54.913Z","revision":0,"description":"pyth-storage-v4.clar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98685","url":"https://explorer.hiro.so/txid/SP3M2BYF7RGF8WKW5FVDNJ6WR8D7AR9BHDXAKPXZE.state-v1?chain=mainnet","type":"smart_contract","addedAt":"2026-01-30T23:05:58.621Z","revision":0,"description":"USDCx Market","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98686","url":"https://explorer.hiro.so/txid/SP3M2BYF7RGF8WKW5FVDNJ6WR8D7AR9BHDXAKPXZE.liquidity-provider-v1?chain=mainnet","type":"smart_contract","addedAt":"2026-01-30T23:05:58.621Z","revision":0,"description":"Supplier 
USDCx","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98687","url":"https://explorer.hiro.so/txid/SP3M2BYF7RGF8WKW5FVDNJ6WR8D7AR9BHDXAKPXZE.liquidator-v1?chain=mainnet","type":"smart_contract","addedAt":"2026-01-30T23:05:58.621Z","revision":0,"description":"Liquidator USDCx","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98688","url":"https://explorer.hiro.so/txid/SP3M2BYF7RGF8WKW5FVDNJ6WR8D7AR9BHDXAKPXZE.linear-kinked-ir-v1?chain=mainnet","type":"smart_contract","addedAt":"2026-01-30T23:05:58.621Z","revision":0,"description":"USDCx interest rate kink","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98689","url":"https://explorer.hiro.so/txid/SP3M2BYF7RGF8WKW5FVDNJ6WR8D7AR9BHDXAKPXZE.borrower-v1?chain=mainnet","type":"smart_contract","addedAt":"2026-01-30T23:05:58.621Z","revision":0,"description":"Borrow USDCx ","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99338","url":"https://www.granite.world/","type":"websites_and_applications","addedAt":"2026-03-23T21:08:36.691Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99339","url":"https://www.granite.world/","type":"websites_and_applications","addedAt":"2026-03-23T21:45:10.221Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99456","url":"https://app.granite.world/market","type":"websites_and_applications","addedAt":"2026-04-02T13:47:15.270Z","revision":0,"description":"New markets added to Granite's front end","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Stacks"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: 
Essential"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":false,"language":["Clarity"],"launchDate":"2025-02-26T15:58:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3fdopun3Bz1q6QKlheZ9Qm/62bce98dda30c5ee99ffa4baa9593945/Granite_Protocol.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"Stacks","prioritizedVulnerabilities":"_blank_","productType":["Lending"],"programOverview":"The Granite Protocol is an autonomous Bitcoin liquidity protocol where users can participate as liquidity providers, borrowers, or liquidators. \nThe protocol allows borrowers to take stablecoin loans using Bitcoin as collateral, without exposure to counterparty or rehypothecation risk. Liquidity providers can earn yield on stablecoins by providing liquidity to the pool, which is then lent to borrowers.\n\nLoans in Granite are best thought of as lines of credit, without set terms or repayment schedules. As long as the borrower maintains an adequate loan-to-value ratio (LTV), keeping their account in good health, they are not subject to liquidation. If a borrower’s account health drops too low (their LTV exceeds the permitted ratio), a portion of their collateral will be liquidated to bring the account back to a healthy state.\n\nGranite enables BTC users to access DeFi without centralized custodians by leveraging Stacks’ Nakamoto upgrade and sBTC Bitcoin bridge.\nFor more information about Granite Protocol, please visit [https://www.granite.world/](https://www.granite.world/)\n\nGranite Protocol provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the **Rewards by Threat Level** section further below. \n\nThis bug bounty program will have a hard cap of **USD $1,000,000**. 
If multiple bug reports are submitted that exceed this amount, the rewards will be provided on a first come first served basis until that cap is reached.\n\n__Responsible Publication__\n\nGranite Protocol adheres to **category 2 - Notice Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nGranite Protocol adheres to the Primacy of Impact for the following levels:\n\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n- Smart Contract - Low\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered issues (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- **Liquidation risk from soft liquidations**\nLiquidation risk incurred through dynamic soft liquidations will be managed by ecosystem liquidators and by enabling public participation in liquidations through a Liquidations page.\n- **Automated testing framework**\nIn development.\n- **Input validation on Governance Functions**\nWe assume that governance members will validate any action before execution: input validation on the governance side is out of scope. Additionally, a malicious takeover of governance is excluded from the scope of this program.\n- **Deployment parameter validation**\nIssues related to deployment parameter validation fall under incorrect deployment or deployment best practices. Ensuring proper contract deployment and initialization is a fundamental responsibility of any blockchain-based protocol.\n- **References to non-existent smart contract methods**\nIssues referencing methods that do not exist in the latest version of the smart contract are out of scope. 
The program covers only the most recent code; older or deprecated versions are excluded by default.\n\n__Previous Audits__\n\nGranite Protocol’s completed audit reports can be found at [https://github.com/GraniteProtocol/audits](https://github.com/GraniteProtocol/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\nStacks Pyth Bridge’s completed audit reports can be found at [https://github.com/Trust-Machines/stacks-pyth-bridge/tree/clarity-v3/audits](https://github.com/Trust-Machines/stacks-pyth-bridge/tree/clarity-v3/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Smart Contract","Websites and Applications"],"project":"Granite Protocol","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). 
\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 25,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 5,000 to USD 25,000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. 
Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Granite Protocol team directly and are denominated in USD. However, payments are done in USDC on Ethereum or USDCx on Stacks.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"granite-protocol","tenPercentEconomicRule":false,"updatedDate":"2026-04-02T13:47:15.667Z","impactsBody":null,"websiteUrl":"https://www.granite.world/","githubUrl":"https://github.com/GraniteProtocol","eligibilityCriteria":[],"responsiblePublicationCategory":"category_2","description":"The Granite Protocol is an autonomous Bitcoin liquidity protocol where users can participate as liquidity providers, borrowers, or liquidators.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":5848,"type":"websites_and_applications","severity":"high","title":"New markets added to Granite's front end"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":5361,"type":"smart_contract","severity":"high","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than 
unclaimed royalties"}],"rewards":[{"id":44112,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":44113,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":5000,"rewardModel":"range"},{"id":44114,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":44115,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":44116,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":25000,"minReward":10000,"rewardModel":"range"},{"id":44117,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":44118,"primacy":null,"severity":"medium","assetType":"websites_and_applications","maxReward":5000,"minReward":1000,"rewardModel":"range"}],"audits":[{"id":"viMDh8HMucyAvEbxxN89e","url":"https://github.com/GraniteProtocol/core-v1/blob/master/audits/2024-06-12%20Granite%20Code%20Review%20-%20Strata%20Labs.pdf","auditor":"Strata 
Labs","date":"2024-06-12T00:00:00.000Z"},{"id":"7kpbePoU2QwzjKXSl94oux","url":"https://github.com/GraniteProtocol/core-v1/blob/master/audits/2024-07%20Granite%20Audit%20-%20Halipot.pdf","auditor":"HaliPot","date":"2024-07-01T00:00:00.000Z"},{"id":"6pDe2EAqbc2YxIicbNyQAr","url":"https://github.com/GraniteProtocol/core-v1/blob/master/audits/2024-08-12%20Granite%20Audit%20-%20ABA.pdf","auditor":"ABA","date":"2024-08-12T00:00:00.000Z"},{"id":"5zXGykj02aqMFjykbBkeyJ","url":"https://github.com/GraniteProtocol/core-v1/blob/master/audits/2024-09-03%20Granite%20Safety%20Module%20Audit%20-%20ABA.pdf","auditor":"ABA","date":"2024-09-03T00:00:00.000Z"},{"id":"6n088A2Znv6pu0A60N9H4W","url":"https://github.com/GraniteProtocol/core-v1/blob/master/audits/2024-10-11%20Granite%20Audit%20-%20Clarity%20Alliance.pdf","auditor":"Clarity Alliance","date":"2024-10-11T00:00:00.000Z"},{"id":"5x6thjJ9PalckuNh98flXv","url":"https://github.com/GraniteProtocol/core-v1/blob/master/audits/2025-02-06%20Granite%20Misc%20Upgrades%20Audit%20-%20Clarity%20Alliance.pdf","auditor":"Clarity Alliance","date":"2025-02-06T00:00:00.000Z"},{"id":"7aU1kXjOE3pDOPQtiw9qfB","url":"https://github.com/GraniteProtocol/core-v1/blob/master/audits/2025-07-07%20Granite%20(Upgrade%20v2)%20-%20Clarity%20Alliance.pdf","auditor":"Clarity 
Alliance","date":"2025-07-07T00:00:00.000Z"}]},{"assets":[{"id":"db_f3d44b67-7e98-424c-a2cd-f25efd2ddf8f","url":"https://github.com/rsksmart/powpeg-node","type":"blockchain_dlt","addedAt":"2026-02-10T11:12:44.567Z","revision":0,"description":"powpeg-node","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_170ebfb4-e970-435c-ab08-2351520ac370","url":"https://github.com/rsksmart/rskj","type":"blockchain_dlt","addedAt":"2026-02-10T11:12:58.424Z","revision":0,"description":"rskj","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_2336af48-7f56-4fad-8299-579e1bd3cf91","url":"https://github.com/rsksmart/rsk-powhsm/releases/latest","type":"blockchain_dlt","addedAt":"2026-02-10T11:13:17.525Z","revision":0,"description":"PowHSM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_c1d99a16-fc84-42eb-8a79-44960508a0d7","url":"https://rootstock.blockscout.com/address/0xB107Cc96A5CFC4be502e9Bbb1208de4792044BA7","type":"smart_contract","addedAt":"2026-02-10T11:14:03.539Z","revision":0,"description":"Signature Validator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_1d4726b1-fa29-4c72-abeb-b5abbecb4590","url":"https://rootstock.blockscout.com/address/0x0fCf6eD9DBa0aE3ad3F6908A9499285720a6d43d","type":"smart_contract","addedAt":"2026-02-10T11:14:18.710Z","revision":0,"description":"BtcUtils","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_bab9ca8a-dc33-4101-b3bd-4b935a704828","url":"https://rootstock.blockscout.com/address/0xAa9caf1e3967600578727f975F283446a3dA6612","type":"smart_contract","addedAt":"2026-02-10T11:14:32.921Z","revision":0,"description":"LiquidityBridgeContract 
(proxy)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_dc4ef1b8-2802-4bf0-87e5-084c6aafad5c","url":"https://rootstock.blockscout.com/address/0x0123EF8aE46f9FcBF67c706F73d46bcCE3df44f7?tab=index","type":"smart_contract","addedAt":"2026-02-10T11:14:47.403Z","revision":0,"description":"QuoteV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_90f5541c-7930-466c-8b68-425e3613fcee","url":"https://github.com/rsksmart/bridges-core-sdk","type":"websites_and_applications","addedAt":"2026-02-10T11:15:02.639Z","revision":0,"description":"bridges-core-sdk","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_6d9bfb6f-e229-4b6c-8d62-bc62f400ff83","url":"https://github.com/rsksmart/flyover-sdk","type":"websites_and_applications","addedAt":"2026-02-10T11:15:20.257Z","revision":0,"description":"flyover-sdk","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_09b10592-5e32-4746-9d8d-7f56f7e6d72a","url":"https://github.com/rsksmart/liquidity-provider-server","type":"websites_and_applications","addedAt":"2026-02-10T11:15:34.689Z","revision":0,"description":"liquidity-provider-server","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_cc77dd69-9a77-4bce-9a4b-6c72fc9d3f40","url":"https://github.com/rsksmart/2wp-api","type":"websites_and_applications","addedAt":"2026-02-10T11:15:49.329Z","revision":0,"description":"2wp-api","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_b7d49efa-8e25-4ab2-be72-22b13fe1e47e","url":"https://github.com/rsksmart/2wp-app","type":"websites_and_applications","addedAt":"2026-02-10T11:16:03.208Z","revision":0,"description":"2wp-app","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_70ee9995-6d01-49a8-ab94-964bc13dc02a","url":"https://immunefi.com/bug-bounty/rootstocklabs","type":"smart_contract","addedAt":"2026-02-10T11:17:53.178Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99185","url":"https://www.rootstocklabs.com/","type":"websites_and_applications","addedAt":"2026-03-12T22:49:13.352Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99186","url":"https://www.rootstocklabs.com/","type":"blockchain_dlt","addedAt":"2026-03-12T22:49:13.352Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Rootstock"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2026-02-10T01:55:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/program-logos/phuongn%40immunefi.com-HRRlntLm0wgUL3yHO1ooa-mhtM4syqoqcMMRp6oHThrtRpWBVMt4.png","maxBounty":200000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","smart_contract - critical","smart_contract - high","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"RootstockLabs, previously IOVLabs, have been longstanding contributors to Rootstock, Bitcoin’s DeFi layer. Launched in 2018, Rootstock allows anyone to develop apps and services on top of the planet’s most secure and decentralized financial infrastructure; Bitcoin. \nToday we continue to contribute to Rootstock’s evolution by building tools and technology focused on scaling Bitcoin and making it work for everyone. \n\nRootstockLabs is making Bitcoin work for everyone. 
We believe Bitcoin will play a crucial role in breaking down barriers to economic participation, providing the world’s most secure and decentralized financial infrastructure to empower people everywhere to exercise their economic rights more fully.\n\nSeamless payments without punitive charges for small businesses; savings that protect people from inflation; remittances that allow the ninety-nine percent to move capital as easily as the one; and loans that fuel grassroots economic growth—all denominated in stablecoins and available through the intuitive smartphone interfaces of today’s Web2—this is what we call Everyday DeFi.\n\nFor more information about RootstockLabs, please visit [https://www.rootstocklabs.com/](https://www.rootstocklabs.com/), [https://rootstock.io/](https://rootstock.io/) and/or [https://rif.technology](https://rif.technology/)\n\nRootstockLabs provides rewards in USDC on ETH, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Responsible Publication__\n\nRootstockLabs adheres to **Category 2: Notice Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nRootstockLabs adheres to the Primacy of Impact for the following impacts:\n- Blockchain/DLT  —  Critical\n- Blockchain/DLT  —  High\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n- Website & Application  —  Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. 
\n\nFor more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Previous Audits__\n\nRootstockLabs’s completed audit reports can be found at [http://rootstock.io/blog/rsk-security-audit-results/](http://rootstock.io/blog/rsk-security-audit-results/) and [https://rootstock.io/blog/rsk-powhsm-is-now-open-source/.](https://rootstock.io/blog/rsk-powhsm-is-now-open-source/)\nAny unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications","Blockchain/DLT"],"project":"RootstockLabs","projectType":[],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\nFinal severity is determined by combining the potential impact of the vulnerability with the likelihood of successful exploitation. 
In assessing likelihood, we consider factors such as attacker motivation, the capital required (and whether it exceeds potential gains), and whether the exploit provides a direct benefit to the attacker.\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs on HSM Firmware, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward of **USD 200 000**. However, a minimum reward of **USD 20 000** is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\nFor critical Blockchain/DLT bugs on powpeg-node and rskj, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward of USD 50 000. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\nFor critical Blockchain/DLT bugs with a non-funds-at-risk impact, the reward will be paid out as follows:\n- Total network shutdown (network not being able to confirm new transactions) via propagated/chained effect: USD 10 000\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical web/app bugs, reports will be rewarded with USD 10 000, only if the impact leads to:\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 5 000. The rest of the severity levels are paid out according to the Impact in Scope table.  
\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. \n- The amount of funds at risk will be calculated with the impact of the first attack being at **100%** and then a reduction of **25%** from the amount of the first attack for every **[150 blocks]** the attack needs for subsequent attacks from the first attack, rounded down.\n\n__Reward Calculation for High Level Reports__\n\nFor all High level bugs found on HSM Firmware, the reward will be USD 10 000. For High level bugs found on powpeg-node and rskj, the reward will be USD 5 000.\n\n__Reward Calculation for Medium Level Reports__\n\nFor all Medium level bugs found on HSM Firmware, the reward will be USD 5 000. For Medium level bugs found on powpeg-node and rskj, the reward will be USD 2 500.\n\n__Reward Calculation for Low Level Reports__\n\nFor all Low level bugs found on HSM Firmware, the reward will be USD 2 500. For Low level bugs found on powpeg-node and rskj, the reward will be USD 1 000.\n\n__Reward Payment Terms__\n\nPayouts are handled by the RootstockLabs team directly and are denominated in USD. However, payments are done in USDC on ETH.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"rootstocklabs","tenPercentEconomicRule":false,"updatedDate":"2026-04-01T20:49:29.654Z","impactsBody":"__Vector Definition__\n\n__Deployment assumptions__\n\n- HSM, middleware, and Powpeg-Node run on the same host.\n- HSM and middleware expose no external network interfaces (no inbound remote access paths).\n- Powpeg-Node is the only externally connected component, used to sync blockchain data and forward it to the middleware, and its public exposure is limited.\n\n__Remote__\n\n“Remote” means the attacker cannot directly reach the HSM or middleware over the network and has no local access to the host. The only realistic remote reachability is indirect, via untrusted but consensus-valid on-chain data produced and propagated by the RSK network, synchronized by Powpeg-Node, and forwarded to the middleware (and subsequently to the HSM) for processing, where it may trigger vulnerable parsing/validation/logic.\n\n__Local__\n\n“Local” means the attacker has obtained root (or equivalent) control of the host running Powpeg-Node, the middleware, and the HSM (for example via shell/SSH access, a compromised account, or malware), but does not require physical access to the machine or device. With this level of access, the attacker can directly issue commands to the HSM via its local interfaces, ultimately affecting HSM operations.\n\n__Physical__\n\n“Physical” means the attacker has obtained physical access to the HSM device, enabling direct interaction and potential hardware tampering. 
With this level of access, the attacker may be able to probe, manipulate, reset, fault, or modify the device or its connections, potentially bypassing logical protections and ultimately affecting HSM operations.","websiteUrl":"https://www.rootstocklabs.com/","githubUrl":"https://github.com/rsksmart","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_2","description":"RootstockLabs, previously IOVLabs, have been longstanding contributors to Rootstock, Bitcoin’s DeFi layer. Launched in 2018, Rootstock allows anyone to develop apps and services on top of the planet’s most secure and decentralized financial infrastructure; Bitcoin. \nToday we continue to contribute to Rootstock’s evolution by building tools and technology focused on scaling Bitcoin and making it work for everyone.","knownIssues":[{"id":1254,"link":"https://docs.google.com/document/d/161O90SVWDMGG5x3jLFCf_j2ehk1D-aA_E4H9PaLEEzw/edit?tab=t.0#heading=h.cv82oamvvho","description":"False Positive Reports","lastUpdatedAt":"2026-02-11T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers\n\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n- Impacts requiring physical access or local user level access to a user's device.\n- Impact from previously known vulnerable libraries without a working PoC.\n- Attacks requiring thousands of transactions, peg-ins, or substantial capital expenditure to cause minimal impact.\n- Denial-of-service scenarios that are economically impractical to execute, including those requiring fees considerably higher above prevailing network averages.\n- Issues that require privileged access, operator misconfiguration, or cannot be realistically triggered by an unauthenticated external attacker under default configurations.\n- Self-inflicted impact: losses or negative outcomes resulting from use of the protocol or software outside of supported, documented, or expected functionality.\n- Reports describing purely theoretical or extremely impractical attack scenarios.\n- Rsk-powhsm:\n    - Impacts related to the Ledger devices used on rsksmart/rsk-powhsm; including their physical security.\n    - Impacts which ultimately don't allow for the arbitrary or unsecure use of the keys derived from the device seed for project rsksmart/rsk-powhsm.\n    - Impacts related to the TCPSigner component, which is made solely for testing and fuzzing purposes for project rsksmart/rsk-powhsm.\n    - Impacts related to code under the following path firmware/src/hal/src/x86/ since it’s a part of the code related to the TCPSigner component for project rsksmart/rsk-powhsm.\n    - Impacts related to the SGX code for project rsksmart/rsk-powhsm.\n    - Impacts related to DoS by physical or local access to the Ledger device.\n    - Impacts related to Ledger company source code will be eligible for rewards after 90 days from the initial disclosure from Ledger.\n    - Impacts related to Ledger company source code will be rewarded according to the general reward table specified for the bug bounty 
program, rather than the powHSM project reward table.\n- Rskj\n    - Impacts related to the encryption or access control of the integrated wallet of rsksmart/rskj.\n    - Impacts related to the configuration option that allows storing private keys on disk.\n    - JSON RPC personal module and the filter API including eth_newFilter, eth_blockFilter,eth_getLogs for rsksmart/rskj.\n    - DoS attacks on any JSON RPC module that is not enabled by default (admin, debug, trace, etc).\n    - DoS or resource consumption issues are limited to nodes deployed following the official Ubuntu installation guide (https://dev.rootstock.io/node-operators/setup/installation/ubuntu), as it reflects the intended production setup with the correct system-level settings for node operators. Any DoS or resource consumption issues affecting nodes installed or configured using any other method are out of scope.\n    - DoS reports based solely on long-running transaction, contract, or block execution are out of scope if execution completes within RSK's expected block time (~30 seconds).\n    - Denial-of-service attacks on P2P networking protocols (peer discovery, RSK wire protocol) are temporarily out of scope and will not be accepted at this time.\n    - Vulnerabilities in features that are under development and not enabled by default.\n    - Liquidity-bridge-contract\n    - contracts/Quotes.sol and contracts/LiquidityBridgeContract.sol are out-of-scope for rsksmart/liquidity-bridge-contract\n\n\n__Websites and Apps__\n\n- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n- This does not exclude reflected HTML injection with or without JavaScript\n- This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering\n\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","customProhibitedActivities":[],"impacts":[{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:\n- Locking up the victim from login\n- Cookie bombing, etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such 
as:\n- Social media handles, etc."},{"id":5925,"type":"blockchain_dlt","severity":"medium","title":"Temporary remote disruption of the HSM device or middleware requiring a device reboot or firmware update for recovery, without loss of seed/key material"},{"id":5926,"type":"blockchain_dlt","severity":"critical","title":"Remote extraction of HSM seed or private keys"},{"id":5927,"type":"blockchain_dlt","severity":"high","title":"Remote HSM seed wipe or remote transition of HSM into a wipe-required state"},{"id":5928,"type":"blockchain_dlt","severity":"medium","title":"Remote shutdown of targeted nodes without brute force actions, but does not shut down the network"},{"id":5931,"type":"blockchain_dlt","severity":"medium","title":"RPC API crash"},{"id":5932,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by sustainably and substantially delaying block production (that could affect the network's gas consumption capabilities)"},{"id":5933,"type":"blockchain_dlt","severity":"critical","title":"Total network shutdown (network not being able to confirm new transactions) via propagated/chained effect"},{"id":5934,"type":"blockchain_dlt","severity":"high","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":6032,"type":"blockchain_dlt","severity":"high","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior resulting in direct, exploitable risk to user funds (e.g., unauthorized transfer, permanent loss)"},{"id":6033,"type":"blockchain_dlt","severity":"medium","title":"A bug in the VM implementation that results in incorrect smart contract execution relative to expected VM semantics, with demonstrable impact, but no direct risk to funds"},{"id":6034,"type":"blockchain_dlt","severity":"low","title":"A significant and abnormal increase in network processing and node resource consumption without brute-force activity, with observable 
impact"},{"id":6035,"type":"blockchain_dlt","severity":"high","title":"Extraction of seed or private keys through local access to the HSM device or middleware"},{"id":6036,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of significant non recoverable funds"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- 
Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":5885,"type":"blockchain_dlt","severity":"critical","title":"Direct Theft of Bridge Funds"},{"id":5888,"type":"blockchain_dlt","severity":"high","title":"Theft of funds via BTC path signing through local access to the HSM device or middleware"},{"id":5889,"type":"blockchain_dlt","severity":"medium","title":"Extraction of seed or private keys through physical access to the HSM device"},{"id":5890,"type":"blockchain_dlt","severity":"medium","title":"Theft of funds via BTC path signing through physical access to the HSM device or middleware"},{"id":5891,"type":"blockchain_dlt","severity":"medium","title":"Attacks that fake an authentic attestation on a device running different versions of either the UI or Signer."},{"id":5892,"type":"blockchain_dlt","severity":"medium","title":"Attacks that allow producing an authentic attestation on a device with a pre-generated or well-known seed"},{"id":5893,"type":"blockchain_dlt","severity":"low","title":"Local access to HSM device resulting in crash due to memory corruption issues in secure element 
part"}],"rewards":[{"id":44073,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":200000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":44074,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":44075,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","maxReward":5000,"minReward":2500,"rewardModel":"range"},{"id":44076,"primacy":null,"severity":"low","assetType":"blockchain_dlt","maxReward":2500,"minReward":1000,"rewardModel":"range"},{"id":44077,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":44078,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":44079,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":44080,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":44081,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":44082,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"},{"id":44083,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":1500,"rewardModel":"fixed"},{"id":44084,"primacy":null,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"db_26a992ae-6c6a-4953-a6e8-0055a7587903","url":"https://rootstock.io/blog/rsk-powhsm-is-now-open-source/","auditor":"Audit","date":"2026-02-10T00:00:00.000Z"},{"id":"db_debc0dee-eb66-45af-ae2d-a01996161f7b","url":"http://rootstock.io/blog/rsk-security-audit-results/","auditor":"Audit","date":"2026-02-10T00:00:00.000Z"}]},{"assets"
:[{"id":"3lhpWqv4OFtxrcFTl0pIj5","url":"https://github.com/OpenZeppelin/uniswap-hooks","type":"smart_contract","addedAt":"2025-10-09T11:43:14.849Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3jyyGKuBiXhHwlmi9ZT9ar","url":"https://github.com/OpenZeppelin/openzeppelin-contracts","type":"smart_contract","addedAt":"2022-02-12T09:40:13.911Z","revision":0,"description":"Smart Contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ETI0ohXTF3lFiZdx90vei","url":"https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable","type":"smart_contract","addedAt":"2024-04-21T11:53:30.551Z","revision":0,"description":"Smart Contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99455","url":"https://github.com/OpenZeppelin/openzeppelin-confidential-contracts/releases/tag/v0.4.0","type":"smart_contract","addedAt":"2026-04-01T20:49:04.675Z","revision":0,"description":"OpenZeppelin Confidential Contracts (only the latest release v.0.4.0 (7ac7cee5fec408dc81b31121f90417dfd87f3d13) is in-scope, mocks and examples are also out-of-scope)","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"All smart contracts in the “contracts” directory are included in the bug bounty, except those under “contracts/mocks”, which are testing artifacts, and those under “contracts/vendor”.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2021-11-15T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4tl7aEnEwJyvmUxPKqR2KH/2ad9232b3e2e462c88aa27262ce93deb/OpenZeppelin_Logo.jpeg","maxBounty":25000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - 
high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. They refer to a regular impact rating in our likelihood/impact matrix (up to high severity) and will partially define the report’s final threat. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Services"],"programOverview":"As the premier crypto cybersecurity technology and services company, we’ve built OpenZeppelin Contracts with our best [security practices](https://contracts.openzeppelin.com/security). We are committed to ensuring the utmost security in our community-vetted smart contracts, and our bounty program provides rewards of up to $25,000 USD for reporting critical vulnerabilities in our smart contracts library.\nThis bug bounty program is focused on OpenZeppelin Contracts and mainly intends to prevent:\n\n- Loss of funds by freezing another user’s funds, or theft of another user’s funds\n- Permanent denial of service (smart contract is made unable to operate)\n- Access control bypass, including privilege escalation\n- Smart contract not behaving as intended\n\nThis is an overlay bug bounty program for OpenZeppelin’s Contracts library. A vulnerability in an OpenZeppelin contract would likely affect many other projects and could trigger various other bounties. This program would be potentially additive to those cases. \n\nOpenZeppelin may issue [GHSA/CVEs](https://cve.report/vendor/openzeppelin) for reported vulnerabilities and will offer to credit issue reports in those public reports.\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nOpenZeppelin adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. 
\n\n__Previous Audits__\n\nOpenZeppelin’s completed audit reports can be found at [OpenZeppelin Contracts’ Security Center](https://contracts.openzeppelin.com/security) while previous security advisories are available at [GHSA/CVEs](https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories). OpenZeppelin will offer to credit issue reports in those public reports. Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nOpenZeppelin will assess likelihood depending on the complexity of the steps involved in its execution and the exposure created by the vulnerability, as well as impact depending on the assets or systems at risk, capped to the worst-case impacted instance using the affected code.\n\nOpenZeppelin will evaluate the vulnerability of the affected code considering whether the issue arises directly from the library code while used as provided or if it requires a custom user implementation. Determining the likelihood of exploit on custom implementations will depend on how likely a library user is to make such an implementation and how common is the pattern leading to it.\n\nFor example, if a data structure can be cleared by any caller of a smart contract, its likelihood will be **high** if it holds user balances, although, if the vulnerability allows overriding non-critical values such as an already executed governor proposal flag, its likelihood will be **low** but can escalate to **medium** if it comes with side effects that increase the incentives of exploitation (e.g. proposal re-execution).\n\nSimilarly, if an instance of an AccessManager can be made unusable, its impact will be **high** but could be lowered to **medium** if the attacker requires special permissions in the system, and finally, it will be considered **low** if the contract is frozen only during 1 block before a threshold is met.\n\nThe final threat level will be decided based on the matrix above. 
For a vulnerability with **low** impact, if its likelihood is **high** because the cost of exploiting a single instance is negligible, then its final threat level will be **medium severity**.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, OpenZeppelin has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).\n\n__KYC Requirements__\n\nOpenZeppelin’s bug bounty program requires an invoice to be submitted and a KYC screen to be performed prior to OpenZeppelin providing a bug bounty reward. Once a payout is confirmed, a member of OpenZeppelin will reach out to you directly to collect the necessary information, including:\n- Full Legal Name\n- Email Address\n- Mailing Address\n- Wallet Address (Ethereum Mainnet Only)","programType":["Smart Contract"],"project":"OpenZeppelin","projectType":["Defi","Exchange","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nThe rewards stated here are additive to any existing bug bounty programs hosted by projects that are currently using OpenZeppelin contracts. \n\nBounty rewards are given according to an impact/likelihood [matrix for assessing threat levels.](https://raw.githubusercontent.com/OpenZeppelin/immunefi-assets/main/impact-likelihood-matrix.png) Each issue is assessed considering the likelihood of the vulnerability being successfully exploited and the expected impact in scope to a single instance of the affected smart contract. 
Note that, as can be seen in the matrix, if the impact is Critical then the threat is always Critical, for other impacts the maximum reduction is one level only if the likelihood is low, and if the likelihood is high then the threat is increased one level above the impact. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC compliant with [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) is required for the following severity levels:\n- Smart Contract: Critical\n- Smart Contract: High\n\nBugs introduced by a release candidate version and reported during the review period, the dates for which will be declared by OpenZeppelin on each release, will receive a 50% bonus.\n\nPayouts are handled by the __OpenZeppelin__ team directly and are denominated in USD. However, payouts are done in __ETH__ or __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"openzeppelin","tenPercentEconomicRule":false,"updatedDate":"2026-04-01T20:49:04.771Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_1","description":"As the premier crypto cybersecurity technology and services company, we’ve built OpenZeppelin Contracts with our best [security practices](https://contracts.openzeppelin.com/security).","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- ERC mandated behaviors","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":1325,"type":"smart_contract","severity":"low","title":"Temporary denial of service (smart contract is made unable to operate for one block, functionality is restored in the next block)"},{"id":1326,"type":"smart_contract","severity":"low","title":"Invalid events are emitted, potentially confusing indexers (internal storage is unaffected)"},{"id":1327,"type":"smart_contract","severity":"high","title":"Governance voting result manipulation"},{"id":1328,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds"},{"id":1329,"type":"smart_contract","severity":"high","title":"Permanent denial of service (smart contract is made unable to operate)"},{"id":1330,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield / Permanent freezing of unclaimed yield - Impact severity is determined by potential yield lost"},{"id":1331,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds - Impact severity depends on funds at risk"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":1332,"type":"smart_contract","severity":"critical","title":"Direct theft of user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":1333,"type":"smart_contract","severity":"critical","title":"Access control is bypassed, including privilege escalation"}],"rewards":[{"id":44069,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":25000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":44070,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":5000,"minReward":2500,"rewardModel":"range"},{"id":44071,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":44072,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"1330","url":"https://github.com/OpenZeppelin/openzeppelin-confidential-contracts/tree/master/audits","auditor":"OpenZeppelin","date":"2025-12-26T00:00:00.000Z"}]},{"assets":[{"id":"2qfzfAx3OBErYehBiEJJLj","url":"https://github.com/term-structure/termmax-contract-v2","type":"smart_contract","addedAt":"2025-09-15T06:21:34.577Z","revision":0,"description":"TermMax V2 smart contract. 
This is the most up-to-date contract and the primary contract to review.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"42fd7DYaL9DjhWPGEatuGr","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-06-07T12:25:23.611Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"6iVglIOrthhjr2uxyCImgY","url":"https://ts.finance","type":"websites_and_applications","addedAt":"2025-04-16T06:39:57.277Z","revision":0,"description":"Term Structure Labs website","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"XcRAu9DMy5FTkj9rKYFS9","url":"https://app.termmax.ts.finance/","type":"websites_and_applications","addedAt":"2025-04-15T14:42:06.843Z","revision":0,"description":"TermMax Taker App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99377","url":"https://ts.finance","type":"websites_and_applications","addedAt":"2026-03-26T06:23:09.294Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Pro","Arbitration","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-06-12T03:22:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6rB2UnvCtcaZKo2NLotubD/287fcccf956bc219626bbc5792446bfa/TermMax-Logo-transparent.png","maxBounty":50000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"TermMax, built by Term Structure Labs, streamlines DeFi borrowing, lending, and leveraging with one-click token trading. By reinventing the Uniswap V3 AMM with fixed-rate mechanisms and customizable pricing curves, TermMax empowers users with predictable borrowing costs and stable returns, removing the need for complex, multi-step processes.\n\nFor more information about Term Structure Labs, please visit [ts.finance](https://ts.finance/).\n\nTerm Structure Labs provides rewards in USDC on ETH, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nTerm Structure Labs adheres to the Primacy of Impact for the following impacts:\n\n- Smart contract - Critical\n- Smart contract - High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact. 
\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Known Issue Assurance__\n\nTerm Structure Labs commits to providing Known Issue Assurance to bug submissions through their program. This means that Term Structure Labs will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Previous Audits__\n\nTerm Structure Labs’ completed audit reports can be found [here](https://github.com/term-structure/audits). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Term Structure Labs has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Smart Contract","Websites and Applications"],"project":"TermMax","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $50,000. 
The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 5,000 to USD 25,000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Term Structure Labs team directly and are denominated in USD. 
However, payments are done in USDC on Ethereum\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"termstructurelabs","tenPercentEconomicRule":false,"updatedDate":"2026-04-01T09:03:10.368Z","impactsBody":null,"websiteUrl":"https://ts.finance","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"TermMax is a DeFi protocol that reinvents borrowing, lending, and leveraging by combining fixed-rate mechanisms with customizable Automated Market Maker (AMM) pricing curves.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"","customProhibitedActivities":[],"impacts":[{"id":5507,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website"},{"id":6030,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction (https://app.termmax.ts.finance)"},{"id":6031,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction (https://app.termmax.ts.finance)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a 
running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, 
etc."}],"rewards":[{"id":44033,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":44034,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":5000,"rewardModel":"range"},{"id":44035,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":3000,"rewardModel":"range"},{"id":44036,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":1500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1VhifmWuIJhiNqgBBEu9NA","url":"https://ens.domains","type":"websites_and_applications","addedAt":"2024-03-28T15:34:44.098Z","revision":0,"description":"ENS landing page","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3b6EMEFZTCiJIuzF1PkMwj","url":"https://metadata.ens.domains/docs","type":"websites_and_applications","addedAt":"2024-03-28T15:34:14.642Z","revision":0,"description":"ENS Metadata service","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4K5qQfK8FCVpQUsv8wU7hW","url":"https://github.com/ensdomains/ensdomains-landing","type":"websites_and_applications","addedAt":"2024-06-05T08:42:15.461Z","revision":0,"description":"Ens landing page source code","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4kO6SpylroAiGU6USq09R4","url":"https://github.com/ensdomains/ens-app-v3","type":"websites_and_applications","addedAt":"2024-03-28T15:31:06.890Z","revision":0,"description":"ENS app source code","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4nsdcxyULff8bmJnvDnD8L","url":"https://app.ens.domains/","type":"websites_and_applications","addedAt":"2024-03-28T15:30:49.799Z","revision":0,"description":"ENS 
app","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4xFPxDWSafDVwzD06MjQG","url":"https://github.com/ensdomains/ens-metadata-service","type":"websites_and_applications","addedAt":"2024-03-28T15:34:29.909Z","revision":0,"description":"ENS Metadata service source code","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5yUy17EJ8LjB0vx94El4Zf","url":"https://metadata.ens.domains/","type":"websites_and_applications","addedAt":"2024-03-28T15:33:59.546Z","revision":0,"description":"ENS Metadata service","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7hMUZ2kUH5Y8Rtruxw6qS8","url":"https://github.com/ensdomains/ens-contracts/wiki/ENS-Contract-Deployments","type":"smart_contract","addedAt":"2024-03-28T15:24:40.935Z","revision":0,"description":"Smart Contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99452","url":"https://immunefi.com","type":"smart_contract","addedAt":"2026-03-31T18:56:59.134Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99453","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2026-03-31T18:56:59.134Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"ENS’s codebase can be found at https://github.com/orgs/ensdomains/repositories. 
Documentation and further resources can be found on https://docs.ens.domains.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity","NextJS"],"launchDate":"2024-05-10T03:11:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4eTVMLtAvVcZKfzuVivfV0/fa593db62bd32e8d72b2194b76ae4205/ethereum-name-service-ens-logo.png","maxBounty":250000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Services"],"programOverview":"#### ENS\nThe Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain.\n\nENS's job is to map human-readable names like 'alice.eth' to machine-readable identifiers such as Ethereum addresses, other cryptocurrency addresses, content hashes, and metadata. ENS also supports 'reverse resolution', making it possible to associate metadata such as canonical names or interface descriptions with Ethereum addresses. ENS has similar goals to DNS, the Internet's Domain Name Service, but has significantly different architecture due to the capabilities and constraints provided by the Ethereum blockchain. Like DNS, ENS operates on a system of dot-separated hierarchical names called domains, with the owner of a domain having full control over subdomains.\n\nTop-level domains, like '.eth' and '.test', are owned by smart contracts called registrars, which specify rules governing the allocation of their subdomains. 
Anyone may, by following the rules imposed by these registrar contracts, obtain ownership of a domain for their own use. ENS also supports importing in DNS names already owned by the user for use on ENS.\n\nBecause of the hierarchical nature of ENS, anyone who owns a domain at any level may configure subdomains — for themselves or others — as desired. For instance, if Alice owns 'alice.eth', she can create 'pay.alice.eth' and configure it as she wishes.\n\nENS is deployed on the Ethereum main network and on several test networks. If you use a library such as the ensjs Javascript library, or an end-user application, it will automatically detect the network you are interacting with and use the ENS deployment on that network.\n\nFor more information about ENS, please visit [ens.domains](https://ens.domains/)\n\nENS provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Reward Payment Terms section below.\n\n__Immunefi Vault Program__\n\nThe ENS bug bounty program includes a public Immunefi Vault that transparently displays the funds allocated for bug bounty rewards. The vault is deployed on Ethereum and holds assets designated exclusively for vulnerability payouts.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, ENS has satisfied the requirements for the Immunefi Standard Badge.\n\n**KYC Requirements** \n\nKYC is generally not required to participate in or receive rewards from the ENS bug bounty program. 
However, ENS reserves the right to request identity verification or additional information where required by applicable law, payment processors, sanctions compliance or internal risk assessment.","programType":["Websites and Applications","Smart Contract"],"project":"ENS","projectType":["Infrastructure"],"rewardsBody":"**Classification & Reward Discretion**\n\nRewards are paid in USDC on Ethereum and are determined based on severity under the Immunefi Vulnerability Severity Classification System (V2.3).\n\nRewards are broadly based on the principles set forth within the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\nFinal reward amounts are determined by ENS in its sole discretion after assessing factors such as:\n\n- Likelihood of exploitation\n- Scope of affected systems\n- Ease of execution\n- Quality of the report\n- Whether the disclosure was responsible and novel\n- Whether exploitation requires assuming that ENS Labs or its authorized operators act maliciously or are compromised rather than exploiting a flaw in the deployed smart contract logic. \n\nFinal amounts will be no less than the respective minimum amounts of each severity level, based on the final severity classification of the bug report. ENS only pays for the first disclosure of a vulnerability. 
This discretion is exercised in good faith and is subject to mediation.\n\nDepending on the severity and internal assessment, ENS retains the right to reward above the stated amounts at its discretion.\n\nThe **“10% of funds at risk”** clause **does not apply** to the ENS bug bounty program.\n\n### External Dependency Discount\n\nWhere a valid vulnerability can only be exploited if a third-party system outside ENS's control fails or behaves abnormally (e.g., oracle failures, bridge compromises, or third-party dependency malfunctions), ENS may reduce the reward by up to 50% to reflect the conditional nature of the risk. This discount does not apply where ENS has the ability to mitigate or protect its users through its own action, in such cases, the full reward applies. Any reduction under this clause must be accompanied by a brief written explanation identifying the specific external dependency and the rationale for the discount applied.\n\nFor the sake of clarity, in the event of a conflict between that classification system and the rewards schema set forth below, the below language will control. \n\n### Critical Reward Calculation\n\nThe reward for critical smart contract vulnerabilities is calculated as 10% of funds directly affected, up to a maximum of USD 250,000, calculated as follows:\n\n| &nbsp;&nbsp;&nbsp;Base: 10% of funds directly affected, up to $250,000 | Up to $250,000 |\n| :---- | :---- |\n| &nbsp;&nbsp;&nbsp;Where funds directly affected exceed $1,500,000: | Minimum $150,000 |\n| &nbsp;&nbsp;&nbsp;Where funds directly affected are between $500,000 and $1,500,000: | Minimum $75,000 |\n| &nbsp;&nbsp;&nbsp;Where funds directly affected are below $500,000, or not objectively calculable | Minimum $25,000 |\n| &nbsp;&nbsp;&nbsp;Where the vulnerability affects fewer than 50 on-chain assets or accounts: reward may be &nbsp;&nbsp;&nbsp;further adjusted downward at the program’s discretion. 
| Minimum $10,000 |\n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward within the mitigation window (12 hours for Security Council, 9 days for DAO vote). This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n### High Reward Calculation\n\nThe reward for high-severity smart contract vulnerabilities ranges between USD 25,000 and USD 100,000, based on the assessed impact and funds at risk.\n\n| &nbsp;&nbsp;&nbsp;High vulnerabilities concerning theft or permanent freezing of unclaimed yield or &nbsp;&nbsp;&nbsp;royalties are considered at the full amount of funds at risk, capped at the maximum high &nbsp;&nbsp;&nbsp;reward. This is to encourage security researchers to uncover and responsibly disclose &nbsp;&nbsp;&nbsp;vulnerabilities that may not have significant monetary value today but could still be &nbsp;&nbsp;&nbsp;damaging to the project if left unaddressed. | Up to <br>$100,000 |\n| :---- | :---- |\n| &nbsp;&nbsp;&nbsp;Temporary freezing of funds is classified as High severity. The reward is determined within the &nbsp;&nbsp;&nbsp;High reward range based on the value of funds affected and the estimated duration of the &nbsp;&nbsp;&nbsp;freeze. 
| Up to<br>$100,000 |\n| &nbsp;&nbsp;&nbsp;For high smart contract bugs on testnet assets, the reward ranges between contingent upon &nbsp;&nbsp;&nbsp;the ability to calculate the equivalent mainnet impact. | Minimum $25,000 Maximum $75,000 |\n| &nbsp;&nbsp;&nbsp;In cases where objective calculation is not feasible, there will be a base reward, with the &nbsp;&nbsp;&nbsp;discretion to increase the amount. | Base $25,000 |\n\n**Track B:  Websites and Applications**\n\n### **Critical Web / App Reward Calculation**\n\nCritical web/application bug reports will be rewarded with USD 25,000, **only** if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action  \n- Unauthorized minting of tokens on-chain.  \n- Private key or private key generation leakage leading to unauthorized access to user funds.\n\n__Severity Assessment for XSS Reports:__\n\n- Injection of malicious content into app.ens.domains to initiate a malicious transaction without requiring unusual user interaction will be considered critical.\n- Injection of malicious scripts into other ENS subdomains (besides app.ens.domains) that offer web3 wallet connections will be considered high for stored XSS and medium for reflected XSS.\n- XSS on staging/dev or static ENS websites like metadata.ens.domains, which do not offer web3 functionality, will be considered low unless a direct impact on app.ens.domains is demonstrated.\n\n__Reward Payment Terms__\n\nPayouts are handled by the ENS team directly and are denominated in USD. However, payments are done in USDC.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.\n\n**Eligible Versions** \n\nCommits tagged with vx.x.x-RCX (e.g. v1.2.3-RC0), vx.x.x- (e.g. v1.2.3-testnet) or vx.x.x (e.g. v1.2.3) are potentially eligible for the bug bounty. 
To be clear this includes testnet releases. For testnet releases, only version numbers greater than or equal to the latest mainnet release are eligible. For mainnet, only the latest release is eligible. See releases here: https://github.com/ensdomains/ens-contracts/releases.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"ens","tenPercentEconomicRule":false,"updatedDate":"2026-03-31T19:06:44.545Z","impactsBody":"Primacy of Impact: Impact is prioritized over specific assets for Critical and High levels. This determines eligibility, not automatically the maximum reward.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"The Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain.","knownIssues":[{"id":1262,"link":"https://discuss.ens.domains/t/security-advisory-a-malicious-dao-update-could-reduce-the-registration-duration-of-registered-eth-2lds/17576/12","description":"Malicious DAO can steal names using an upgrade to the NameWrapper","lastUpdatedAt":"2023-08-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1261,"link":"https://discuss.ens.domains/t/security-advisory-a-malicious-dao-update-could-reduce-the-registration-duration-of-registered-eth-2lds/17576/12","description":"Malicious DAO can reduce the expiration of names","lastUpdatedAt":"2023-08-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":77,"link":"https://discuss.ens.domains/t/front-running-vulnerability-in-namewrapper/19938","description":"Namewrapper race condition allowing fuses to be set inappropriately ","lastUpdatedAt":"2023-09-30T16:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic 
and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Taking over broken links from sources that are no longer considered active, such as links related to meeting minutes, past events etc., as this content is left up for archival purposes and should not be changed. \n\n- Products funded or maintained by the DAO unless otherwise stated","customProhibitedActivities":["https://ens.dev is Out of Scope of the Bug bounty program"],"impacts":[{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":4796,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:  Social media handles, etc."},{"id":4797,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:  Locking up the victim from login, Cookie bombing, etc."},{"id":4798,"type":"smart_contract","severity":"high","title":"Theft of registration fee"},{"id":4799,"type":"smart_contract","severity":"high","title":"Permanent freezing of registration fees"},{"id":4800,"type":"websites_and_applications","severity":"high","title":"Changing NFT metadata"},{"id":4801,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4802,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:  Email address, Phone number, Physical address, etc."},{"id":4804,"type":"websites_and_applications","severity":"high","title":"Changing details of other users (including modifying browser local storage) without 
already-connected wallet interaction and with significant user interaction, such as: Iframing leading to modifying the backend/browser state (demonstrate impact with PoC)"},{"id":4805,"type":"websites_and_applications","severity":"medium","title":"Taking down the application/website"},{"id":4806,"type":"websites_and_applications","severity":"medium","title":"Taking down the NFT URI"},{"id":4807,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Changing the name of user, Enabling/disabling notifications"},{"id":4808,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:  Reflected HTML injection, Loading external site data"},{"id":5177,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":4809,"type":"smart_contract","severity":"critical","title":"Theft of treasury funds"},{"id":4810,"type":"smart_contract","severity":"critical","title":"Permanent freezing of treasury funds"},{"id":4811,"type":"smart_contract","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   Access tokens"},{"id":4812,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Voting, Changing ENS records"},{"id":4813,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious 
transactions"},{"id":4814,"type":"websites_and_applications","severity":"critical","title":"Changing sensitive details of transactions (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Registration Timer, Cached Transaction History"}],"rewards":[{"id":44016,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":44017,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":25000,"rewardModel":"range"},{"id":44018,"primacy":"primacy_of_rules","severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":44019,"primacy":null,"severity":"critical","assetType":"websites_and_applications","fixedReward":25000,"rewardModel":"fixed"},{"id":44020,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":44021,"primacy":"primacy_of_rules","severity":"medium","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":44022,"primacy":"primacy_of_rules","severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"db_2d93f227-ccaa-4ecb-b904-9626cf1836ce","url":"https://code4rena.com/reports/2023-04-ens","auditor":"Code4rena audit","date":"2023-04-16T00:00:00.000Z"},{"id":"db_d27fac3b-63f3-411e-8dc6-b3b0d9900fc0","url":"https://code4rena.com/reports/2022-07-ens","auditor":"Code4rena 
audit","date":"2022-07-18T00:00:00.000Z"}]},{"assets":[{"id":"db_4864371a-5a7c-4a0c-ab97-86b87bf5f563","url":"https://explorer.hiro.so/txid/0x834662426960938e9d483ebfb7ecae90a6c5c0d4327e2cb4011700387d2167bf?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:52:21.792Z","revision":0,"description":"HQ","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_f28b3bea-d99b-4cf0-9a17-681be6d4836e","url":"https://explorer.hiro.so/txid/0x0f1ad52bafc2099b9b75ecff15933546dc09a4c60ed93f902998c7eb570563e9?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:52:36.300Z","revision":0,"description":"Blacklist","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_d118a8eb-fb4f-4121-b691-a1558bbb2e91","url":"https://explorer.hiro.so/txid/0x99e0e204634af511074897cae5d7b79602a808b1b4569a7f900fedb0ec2af245?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:52:49.994Z","revision":0,"description":"Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_56b45f07-341f-40b1-a214-112febb3f206","url":"https://explorer.hiro.so/txid/0x49512dd2cf400a9b1ace64687d386b3d3d1ad40444de83f6dda1c29cebe01919?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:52:59.677Z","revision":0,"description":"State","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_8e8db56b-68b7-4362-be12-a61db764387c","url":"https://explorer.hiro.so/txid/0xdd73e479841dbedba4fa6eee29be9dcef5d64e6093b905016ec1ba74dabba2ba?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:53:16.395Z","revision":0,"description":"Reserve 
Fund","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_f6f03ee2-8c30-44ab-8ae5-2ac22ef8c5f1","url":"https://explorer.hiro.so/txid/0xb8ce9c1fb139bc4338ae3b6d6c5fa4525fafb87ed9f9ce515b213a0cc0022449?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:53:29.002Z","revision":0,"description":"Reserve","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_779b9777-1844-48d8-9ee1-141cdd5594be","url":"https://explorer.hiro.so/txid/0x8a6cfafb63b1fb9549d42789cf2b9a160bcf5859257f4c578451d77dafd0a2e0?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:53:50.147Z","revision":0,"description":"Controller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_8a4dfe64-c239-4f46-87eb-4be98c8392fc","url":"https://explorer.hiro.so/txid/0x87f8c3bc9625579280050678cdddf46b00f678009be32aab76e5d9beca4e7056?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:54:00.557Z","revision":0,"description":"Fee Collector","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_8a6e2bcf-7e70-4ed8-b45f-514cb7570ae3","url":"https://explorer.hiro.so/txid/0xc1c3face1d66819ce2cd6f28876b07577c252812c4c43b2145ac89af61819117?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:57:47.592Z","revision":0,"description":"Hermetica Interface","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_abe5a77b-7550-4005-acd5-09403a9880d3","url":"https://explorer.hiro.so/txid/0x570b90c20a3b63e431a387a50ee3c9f6a3a709527731a8cbde75b731e9c7369a?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:58:00.511Z","revision":0,"description":"Zest 
Interface","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_63db3c45-2de4-4955-a8e7-d43676e441b9","url":"https://explorer.hiro.so/txid/0x9e2cd7bdd7cc29cf30750835155060a42ebd26943c1f35d2a83b8e6e81f90a35?chain=mainnet","type":"smart_contract","addedAt":"2026-02-11T16:58:15.958Z","revision":0,"description":"Trading","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_e5e5c1f8-e6f3-4b82-94ba-0c89ac02bbbb","url":"http://app.hermetica.fi","type":"websites_and_applications","addedAt":"2026-02-11T16:58:54.822Z","revision":0,"description":"App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_c7869905-41da-4ceb-82e6-f23c96098427","url":"https://immunefi.com/bug-bounty/hermetica/information/","type":"smart_contract","addedAt":"2026-02-11T16:59:25.182Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99449","url":"https://hermetica.fi/","type":"websites_and_applications","addedAt":"2026-03-31T16:50:36.366Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99450","url":"https://hermetica.fi/","type":"smart_contract","addedAt":"2026-03-31T16:50:36.366Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99451","url":"https://explorer.hiro.so/txid/0xb8e567a6f918e041e1fa5a9ca317fdf3048d14f57b0fefdd836cba9da14d3c6e?chain=mainnet","type":"smart_contract","addedAt":"2026-03-31T16:50:36.366Z","revision":0,"description":"Vault","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":false,"language":[],"launchDate":"2026-02-12T09:27:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/program-logos/phuongn%40immunefi.com-tAU4WIInnssdEbEADCndS.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Hermetica brings decades of experience from leading crypto and financial institutions, including Kraken, to build Bitcoin finance.\n\nHermetica believes a decentralized, Bitcoin-powered financial system is a foundational pillar of a prosperous and free society. Hermetica builds open, durable financial infrastructure designed to operate globally and at scale, empowering individuals with resilient financial tools in their pursuit of financial freedom.\n\nThere’s one product in scope for the program: hBTC, a Bitcoin yield vault written in Clarity with ERC-4626–style share mint/redeem, daily NAV updates, and strategy execution via external protocol integrations.\n\nFor more information about Hermetica, please visit [https://docs.hermetica.fi/](https://docs.hermetica.fi/)\n\nHermetica provides rewards in USDC on Ethereum, denominated in USD. 
For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Responsible Publication__\n\nHermetica adheres to  Category 3: Approval Required . This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our Responsible Publication page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nHermetica adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nHermetica’s completed audit reports can be found at [https://docs.hermetica.fi/hbtc/audits](https://docs.hermetica.fi/hbtc/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications"],"project":"Hermetica","projectType":[],"rewardsBody":"__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical web/apps bugs, reports will be rewarded with USD 25 000, only if the impact leads to:\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 5 000. The rest of the severity levels are paid out according to the Impact in Scope table.  
\n\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward\n- The amount of funds at risk will be calculated with the impact of the first attack being at **100%** and then a reduction of **25%** from the amount of the first attack for every **[300 blocks]** the attack needs for subsequent attacks from the first attack, rounded down.\n\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of **USD 1 000 to USD 20 000** depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n\n__Reward Payment Terms__\n\nPayouts are handled by the Hermetica team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"hermetica","tenPercentEconomicRule":false,"updatedDate":"2026-03-31T16:50:36.545Z","impactsBody":null,"websiteUrl":"https://hermetica.fi/","githubUrl":"https://github.com/hermetica-fi/","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Hermetica brings decades of experience from leading crypto and financial institutions, including Kraken, to build Bitcoin finance.\n\nHermetica believes a decentralized, Bitcoin-powered financial system is a foundational pillar of a prosperous and free society. Hermetica builds open, durable financial infrastructure designed to operate globally and at scale, empowering individuals with resilient financial tools in their pursuit of financial freedom.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/or modifying authenticated actions (with or without blockchain state interaction) 
on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"}],"rewards":[{"id":43973,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43974,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":1000,"rewardModel":"range"},{"id":43975,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":25000,"minReward":5000,"rewardModel":"range"}],"audits":[{"id":"db_42968034-65c4-4fec-a3e8-0a50f14da017","url":"https://docs.hermetica.fi/hbtc/audits","auditor":"Audit","date":"2026-02-11T00:00:00.000Z"}]},{"assets":[{"id":"98904","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/util/SSZ.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Set of utilities for working with SSZ serialisation and merklelisation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98905","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/util/LinkedListStorageHelper.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"A linked list storage helper to test internal 
functions","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98906","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/util/LinkedListStorage.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"A linked list storage helper for the deposit requests queue data","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98907","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/util/BeaconStateVerifier.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Verifier for beacon state proofs","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98908","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/util/AddressSetStorage.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Address set storage helper for RocketStorage data","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98909","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/util/AddressQueueStorage.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Address queue storage helper for RocketStorage data ","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98910","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/token/RocketTokenRPL.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"RPL token contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98911","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/token/RocketTokenRETH.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"rETH liquid staking token 
contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98912","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/RocketVault.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The RocketVault contract must not be upgraded","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98913","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/RocketStorage.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The primary persistent storage for Rocket Pool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98914","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/RocketBase.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Base settings / modifiers for each contract in Rocket Pool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98915","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/rewards/RocketSmoothingPool.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Receives priority fees and MEV via fee_recipient","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98916","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/rewards/RocketRewardsPool.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Holds RPL and ETH generated by the network for distribution each reward cycle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98917","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/rewards/RocketMerkleDistributorMainnet.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Mainnet merkle reward claim 
distributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98918","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/rewards/RocketClaimDAO.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Recipient of pDAO RPL from inflation. Performs treasury spends and handles recurring payments.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98919","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/node/RocketNodeStaking.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Handles staking of RPL by node operators","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98920","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/node/RocketNodeManager.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Node registration and management","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98921","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/node/RocketNodeDistributorStorageLayout.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"RocketNodeDistributor storage layout","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98922","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/node/RocketNodeDistributorFactory.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"RocketNodeDistributor Create2 factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98923","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/node/RocketNodeDistributorDelegate.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Contains the logic for 
RocketNodeDistributors","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98924","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/node/RocketNodeDistributor.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Execution layer reward fee recipient for non-smoothing pool minipool operators","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98925","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/node/RocketNodeDeposit.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Entry point for node operators to perform deposits for the creation of new validators on the network","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98926","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/network/RocketNetworkVoting.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Accounting for snapshotting of governance related values based on block numbers","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98927","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/network/RocketNetworkSnapshotsTime.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Accounting for snapshotting of values based on block timestamps","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98928","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/network/RocketNetworkSnapshots.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Accounting for snapshotting of values based on block numbers","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98929","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/network/RocketNetworkRevenues.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Handles 
the calculations of revenue splits for the protocol's Universal Adjustable Revenue Split","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98930","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/network/RocketNetworkPrices.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Oracle contract for network token price data","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98931","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/network/RocketNetworkPenalties.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Applies penalties to minipools for MEV theft","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98932","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/network/RocketNetworkFees.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Network node demand and commission rate","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98933","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/network/RocketNetworkBalances.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Oracle contract for network balance data","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98934","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/minipool/RocketMinipoolStorageLayout.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The RocketMinipool contract storage layout, shared by RocketMinipoolDelegate","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98935","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/minipool/RocketMinipoolQueue.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Minipool queueing for deposit 
assignment","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98936","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/minipool/RocketMinipoolPenalty.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Non-upgradable contract which gives guardian control over maximum penalty rates","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98937","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/minipool/RocketMinipoolManager.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Minipool creation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98938","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/minipool/RocketMinipoolFactory.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Performs CREATE2 deployment of minipool contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98939","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/minipool/RocketMinipoolDelegate.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Minipools exclusively DELEGATECALL into this contract it is never called directly","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98940","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/minipool/RocketMinipoolBondReducer.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Handles bond reduction window and trusted node cancellation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98941","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/minipool/RocketMinipoolBase.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Contains the initialisation and delegate upgrade logic for 
minipools","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98942","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/megapool/RocketMegapoolStorageLayout.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The RocketMegapool contract storage layout","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98943","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/megapool/RocketMegapoolProxy.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Contains the initialisation and delegate upgrade logic for megapools.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98944","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/megapool/RocketMegapoolPenalties.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Applies penalties to megapools for MEV theft","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98945","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/megapool/RocketMegapoolManager.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Handles protocol-level megapool functionality","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98946","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/megapool/RocketMegapoolFactory.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Performs deterministic deployment of megapool delegate contracts and handles deprecation of old ones","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98947","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/megapool/RocketMegapoolDelegateBase.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"All megapool delegate contracts must extend this base to include the expected 
deprecation functionality","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98948","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/megapool/RocketMegapoolDelegate.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"This contract manages multiple validators belonging to an individual node operator.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98949","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/deposit/RocketDepositPool.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Accepts user deposits and mints rETH; handles assignment of deposited ETH to megapools","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98950","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/security/RocketDAOSecurityUpgrade.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Proposal contract for the security council upgrade veto powers","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98951","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/security/RocketDAOSecurityProposals.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Proposal contract for the security council","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98952","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/security/RocketDAOSecurityActions.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Executes proposals which affect security council members","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98953","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/security/RocketDAOSecurity.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Rocket Pool Security 
Council DAO","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98954","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/RocketDAOProposal.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"A DAO proposal","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98955","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsSecurity.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Protocol parameters relating to the security council","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98956","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsRewards.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Settings relating to RPL reward intervals","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98957","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsProposals.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Settings related to proposals in the protocol DAO","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98958","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsNode.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Network node settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98959","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsNetwork.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Network 
settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98960","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsMinipool.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Network minipool settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98961","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsMegapool.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Network megapool settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98962","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsInflation.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"RPL Inflation settings in RP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98963","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsDeposit.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Network deposit settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98964","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsAuction.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Network auction settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98965","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/settings/RocketDAOProtocolSettings.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Protocol DAO 
settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98966","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/RocketDAOProtocolVerifier.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Implements the protocol DAO optimistic fraud proof proposal system","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98967","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/RocketDAOProtocolProposals.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Manages protocol DAO proposals","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98968","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/RocketDAOProtocolProposal.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Manages protocol DAO proposals","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98969","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/RocketDAOProtocolActions.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Rocket Pool Network DAO Actions","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98970","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/protocol/RocketDAOProtocol.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Rocket Pool Protocol DAO (pDAO)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98971","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/node/settings/RocketDAONodeTrustedSettingsRewards.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Trusted Node DAO Rewards 
settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98972","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/node/settings/RocketDAONodeTrustedSettingsProposals.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Trusted Node DAO Proposals settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98973","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/node/settings/RocketDAONodeTrustedSettingsMinipool.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Trusted Node DAO Minipool settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98974","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/node/settings/RocketDAONodeTrustedSettingsMembers.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Trusted Node DAO Members settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98975","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/node/settings/RocketDAONodeTrustedSettings.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Trusted node settings","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98976","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/node/RocketDAONodeTrustedUpgrade.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Handles network contract upgrades","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98977","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/node/RocketDAONodeTrustedProposals.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Trusted Node DAO 
Proposals","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98978","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/node/RocketDAONodeTrustedActions.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Trusted Node DAO Actions","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98979","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/dao/node/RocketDAONodeTrusted.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"The Trusted Node DAO","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98980","url":"https://github.com/rocket-pool/rocketpool/blob/v1.4/contracts/contract/auction/RocketAuctionManager.sol","type":"smart_contract","addedAt":"2026-02-17T13:18:36.488Z","revision":0,"description":"Facilitates RPL liquidation auctions","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"The Rocket Pool explainer series provides information about how Rocket Pool works; purpose, general concepts, actors, and interactions:\n\n__Part 1 - Overview and users of the protocol__\n[https://medium.com/rocket-pool/rocket-pool-staking-protocol-part-1-8be4859e5fbd](https://medium.com/rocket-pool/rocket-pool-staking-protocol-part-1-8be4859e5fbd)\n\n__Part 2 - The Protocol and Oracle Node DAO's__\n[https://medium.com/rocket-pool/rocket-pool-staking-protocol-part-2-e0d346911fe1](https://medium.com/rocket-pool/rocket-pool-staking-protocol-part-2-e0d346911fe1)\n\n __Part 3 - RPL & Tokenomics__\n[ https://medium.com/rocket-pool/rocket-pool-staking-protocol-part-3-3029afb57d4c](https://medium.com/rocket-pool/rocket-pool-staking-protocol-part-3-3029afb57d4c)\n\nRocket Pool also has quick-start guides for:\n\n__Stakers__ [(https://medium.com/rocket-pool/rocket-pool-stakers-guide-2c5c324b1749)](https://medium.com/rocket-pool/rocket-pool-stakers-guide-2c5c324b1749) \n\n__Node Operators__ 
[(https://medium.com/rocket-pool/rocket-pool-node-quickstart-guide-d40bc3d0de6d)](https://medium.com/rocket-pool/rocket-pool-node-quickstart-guide-d40bc3d0de6d) \n\nComprehensive documentation can be found here: [https://docs.rocketpool.net/guides/](https://docs.rocketpool.net/guides/) \n\nFor additional reference, please view their GitHub here - [https://github.com/rocket-pool/rocketpool/tree/master.](https://github.com/rocket-pool/rocketpool/tree/master)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-09-08T14:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/14418-DXFyXv__MxF7LZmviqmzR.png","maxBounty":150000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Staking"],"programOverview":"Rocket Pool is a decentralised, non-custodial, and community owned staking protocol for Ethereum. Rocket Pool aligns the interests of two user groups; those that wish to participate in tokenised liquid staking; and those that wish to stake ETH and run a node.                                                                    \t \n  - Liquid staking - in exchange for staking ETH with Rocket Pool, users receive our liquid staking token, which is fully composable in the DeFi landscape, while accruing value from ETH rewards generated in Ethereum's Beacon Chain.\n\n  - Node operators - running a node with Rocket Pool only requires 16 ETH per validator vs 32 ETH outside the protocol. 
Node operators earn greater returns in Rocket Pool than solo staking; they earn rewards on their own ETH, a commission on the protocol's ETH, and RPL rewards.\n\nFor more information about Rocket Pool, please visit [https://www.rocketpool.net/](https://www.rocketpool.net/).   \n\nThis bug bounty program is focused on their smart contracts and on preventing the following impacts:\n\n  - Theft/loss of user funds\n  - Exploits leading to the protocol not honouring its commitment to liquid staking token holders and node operators","programType":["Smart Contract"],"project":"Rocket Pool","projectType":["Defi","Infrastructure"],"rewardsBody":"Payouts are handled by the __Rocket Pool__ team directly and are denominated in USD. However, payouts are done in __RPL__.\n\n#### Reward Calculation for Critical Level Reports\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of **USD $150,000**. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of **USD $15,000** is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n#### Repeatable Attack Limitations\n\n* If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.   \n* The amount of funds at risk will be calculated with the impact of the first attack being at **100%** and then a reduction of **25%** from the amount of the first attack for every \\[**300 blocks\\]** the attack needs for subsequent attacks from the first attack, rounded down.\n\n#### Reward Calculation for High Level Reports\n\nHigh impacts concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of **$5,000** to **$15,000**, with the reward calculated based on **100%** of the funds at risk, though capped at the maximum high reward. 
\n\n#### Reward Calculation for Medium Level Reports\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"RPL","slug":"rocketpool","tenPercentEconomicRule":false,"updatedDate":"2026-03-31T03:00:29.998Z","impactsBody":null,"websiteUrl":"https://rocketpool.net","githubUrl":"https://github.com/rocket-pool","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Rocket Pool is a decentralised, non-custodial, and community owned staking protocol for Ethereum. Rocket Pool aligns the interests of two user groups; those that wish to participate in tokenised liquid staking; and those that wish to stake ETH and run a node.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":6018,"type":"smart_contract","severity":"low","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":6019,"type":"smart_contract","severity":"low","title":"Manipulation to gain unfair yield or commission advantage"},{"id":6020,"type":"smart_contract","severity":"medium","title":"Manipulation of governance voting result deviating from voted outcome"},{"id":6021,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds"},{"id":6029,"type":"smart_contract","severity":"medium","title":"Direct theft of principal user funds with value < $50,000 (excluding unclaimed yield), whether at-rest or in-motion"},{"id":6022,"type":"smart_contract","severity":"high","title":"Manipulation of governance voting result deviating from voted outcome with cost impact"},{"id":6023,"type":"smart_contract","severity":"high","title":"Direct theft of unclaimed yield, whether at-rest or in-motion"},{"id":6028,"type":"smart_contract","severity":"high","title":"Direct theft of principal user funds with value > $50,000 and <$150,000 (excluding unclaimed yield), whether at-rest or in-motion"},{"id":6027,"type":"smart_contract","severity":"critical","title":"Direct theft of principal user funds exceeding $150,000 (excluding 
unclaimed yield), whether at-rest or in-motion"},{"id":6024,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds (cannot be rescued)"}],"rewards":[{"id":43916,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":150000,"minReward":15000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43917,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":15000,"minReward":5000,"rewardModel":"range"},{"id":43918,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":43919,"primacy":null,"severity":"low","assetType":"smart_contract","maxReward":1000,"rewardModel":"up_to"}],"audits":[{"id":"1281","url":"https://github.com/trailofbits/publications/blob/master/reviews/RocketPool.pdf","auditor":"Trail of Bits","date":"2021-04-30T00:00:00.000Z"},{"id":"1282","url":"https://rocketpool.net/files/audits/chainsafe-audit-houston.pdf","auditor":"ChainSafe","date":"2024-03-31T00:00:00.000Z"},{"id":"1283","url":"https://consensys.net/diligence/audits/2021/04/rocketpool/","auditor":"Consensys Diligence","date":"2021-04-30T00:00:00.000Z"},{"id":"1284","url":"https://rocketpool.net/files/audits/consensys-audit-redstone.pdf","auditor":"Consensys Diligence","date":"2022-05-31T00:00:00.000Z"},{"id":"1285","url":"https://rocketpool.net/files/audits/consensys-audit-atlas.pdf","auditor":"Consensys Diligence","date":"2022-12-31T00:00:00.000Z"},{"id":"1286","url":"https://consensys.io/diligence/audits/2023/12/rocket-pool-houston/","auditor":"Consensys Diligence","date":"2023-11-30T00:00:00.000Z"},{"id":"1287","url":"https://rocketpool.net/files/audits/sigma-prime-audit.pdf","auditor":"Sigma Prime","date":"2021-04-30T00:00:00.000Z"},{"id":"1288","url":"https://rocketpool.net/files/audits/sigma-prime-fix-review.pdf","auditor":"Sigma 
Prime","date":"2021-10-31T00:00:00.000Z"},{"id":"1289","url":"https://rocketpool.net/files/audits/sigma-prime-audit-redstone.pdf","auditor":"Sigma Prime","date":"2022-05-31T00:00:00.000Z"},{"id":"1290","url":"https://rocketpool.net/files/audits/sigma-prime-audit-atlas.pdf","auditor":"Sigma Prime","date":"2022-11-30T00:00:00.000Z"},{"id":"1291","url":"https://rocketpool.net/files/audits/sigma-prime-audit-houston.pdf","auditor":"Sigma Prime","date":"2024-02-29T00:00:00.000Z"},{"id":"1292","url":"https://rocketpool.net/files/audits/sigma-prime-houston-hotfix-review.pdf","auditor":"Sigma Prime","date":"2024-08-31T00:00:00.000Z"},{"id":"1293","url":"https://rocketpool.net/files/audits/sigma-prime-audit-saturn-1.pdf","auditor":"Sigma Prime","date":"2026-02-05T00:00:00.000Z"},{"id":"1294","url":"https://rocketpool.net/files/audits/bailsec-audit-saturn-1.pdf","auditor":"Bailsec","date":"2026-01-29T00:00:00.000Z"},{"id":"1295","url":"https://rocketpool.net/files/audits/cantina-audit-saturn-1.pdf","auditor":"Cantina","date":"2025-12-22T00:00:00.000Z"}]},{"assets":[{"id":"1JNQN7Kv8NSZRkAPdYo349","url":"https://github.com/alchemix-finance/v2-foundry/tree/master/src","type":"smart_contract","addedAt":"2022-09-09T00:23:57.487Z","revision":0,"description":"EXCEPT the folders “external/aave”, “mocks”, and “test”.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99352","url":"https://immunefi.com","type":"smart_contract","addedAt":"2026-03-25T05:46:51.681Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"All smart contracts of Alchemix can be found at [https://github.com/alchemix-finance/v2-foundry](https://github.com/alchemix-finance/v2-foundry). However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.  
The in-scope contracts can be found in the “src” folder, [https://github.com/alchemix-finance/v2-foundry/tree/master/src](https://github.com/alchemix-finance/v2-foundry/tree/master/src), but exclude the “external/aave”, “mocks”, and “test” folders. All third-party code in any folder is also out of scope.\n\nThough only the proxy contracts are listed as in-scope, the current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target. \n\nIf an impact can be caused to any other asset managed by Alchemix that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project. This only applies to Critical and High impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","ETH","Optimism"],"endDate":null,"evaluationEndDate":null,"features":["Arbitration","Managed Triage: Expert Assessment","Subscription Plan: Elite"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-08-25T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2NgcBC2slhGYI8qYGnTsCw/0616521e1a588b3a5373af0215dd2a2b/Alchemix-logo.png","maxBounty":300000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["DAO","Synthetic Assets","Token"],"programOverview":"Alchemix Finance is a future-yield-backed synthetic asset platform and community DAO. The platform gives you advances on your yield farming via a synthetic token that represents a fungible claim on underlying collateral in the Alchemix protocol. 
\n\nFor more information about Alchemix, please visit [https://alchemix.fi/](https://alchemix.fi/).  \n\n__Primacy of Impact vs Primacy of Rules__\n\nAlchemix adheres to the Primacy of Rules.\nLearn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact).","programType":["Smart Contract"],"project":"Alchemix","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All Medium, High and Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. All Low Smart Contract bug reports require a suggestion for a fix to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at __10%__ of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused. However, there is a minimum reward of __USD 35 000__ and a maximum of __USD 300 000__. For High vulnerability reports, the payouts will be primarily calculated as 10% of potential economic damage, primarily taking into account funds at risk but also PR and branding aspects, and bounded by the payout range for the vulnerability level. 
\n\nThe following vulnerabilities are not eligible for a reward:\n\n  - All vulnerabilities listed here [https://github.com/code-423n4/2022-05-alchemix-findings/issues?q=is%3Aopen+is%3Aissue++-label%3A%22G+%28Gas+Optimization%29%22+-label%3A%22QA+%28Quality+Assurance%29%22 ](https://github.com/code-423n4/2022-05-alchemix-findings/issues?q=is%3Aopen+is%3Aissue++-label%3A%22G+%28Gas+Optimization%29%22+-label%3A%22QA+%28Quality+Assurance%29%22)(succinct) \n  - All vulnerabilities listed here [https://github.com/code-423n4/2022-05-alchemix-findings/issues?q=is%3Aopen+is%3Aissue+](https://github.com/code-423n4/2022-05-alchemix-findings/issues?q=is%3Aopen+is%3Aissue+) (full)\n  - All vulnerabilities listed in [Runtime Verification audit](https://github.com/runtimeverification/publications/blob/main/reports/smart-contracts/Alchemix_v2.pdf)\n\nPayouts are handled by the __Alchemix__ team directly and are denominated in USD. However, payouts are done in __ALCX__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ALCX","slug":"alchemix","tenPercentEconomicRule":true,"updatedDate":"2026-03-30T17:19:49.962Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Alchemix is your unified platform for saving, earning, borrowing, and fixed-term fixed-yield opportunities—all in one place. Built on years of iteration since launching the original self-repaying loan in 2021, Alchemix v3 brings all three pillars together with a smarter, more flexible design. The protocol allows you to:\n\n- Save and grow – deposit ETH or USDC and let our vault invest and earn yield across diversified strategies.\n- Borrow up to 90% LTV – access liquidity now while your collateral grows with yield and your leverage is reduced over time through scheduled redemptions. 
No interest rates to monitor, no price-based liquidations.\n- Earn fixed-rate yield – lock in predictable returns through fixed-term redemptions of alETH or alUSD.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n  - Specifically for the crosschaincanonicalbase.sol contract: This contract is outdated bridging code for Layer 2 alAssets, however, the layer 2 alAssets were upgraded and still contain state variables related to this code, therefore the code has not been stripped from the Layer 2 alAssets. The crosschaincanonicalbase.sol contract is out of scope, EXCEPT for any bugs that would allow anyone besides a trusted admin/multisig to access the functions, or any issues with the current implementation of the bridge/L2 token (alchemicalTokenBase) created by this contract.","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":43792,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":300000,"rewardModel":"up_to","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"23P1dzAUFYnWIIuykouKGJ","url":"https://etherscan.io/address/0x9Bd2177027edEE300DC9F1fb88F24DB6e5e1edC6","type":"smart_contract","addedAt":"2023-04-06T01:20:08.323Z","revision":0,"description":"ipUSDT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2kGYBS5Zs7TeGtDyc8z8Hr","url":"https://etherscan.io/address/0xB3d1c1aB4D30800162da40eb18B3024154924ba5","type":"smart_contract","addedAt":"2023-04-06T01:24:17.621Z","revision":0,"description":"AmmStorageUsdcProx","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Mikwzkt4XIB1gfqOFJKGj","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:29:37.950Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"3XzwaQZZOenUOmOl7Go0va","url":"https://etherscan.io/address/0xcC2fF2D38666723ea56c122097F6215B90d74196","type":"smart_contract","addedAt":"2024-03-14T13:39:30.659Z","revision":0,"description":"Ethereum - AmmTreasuryWeEthProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4azkPf1Z6EY7iNm0GbySZy","url":"https://etherscan.io/address/0xaC5B04988BC71bEE96f8D93040777Db3ef166125","type":"smart_contract","addedAt":"2024-03-14T13:39:47.928Z","revision":0,"description":"Ethereum - 
ipweETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"51U0XAfLuiiZHRFHpU38n7","url":"https://etherscan.io/address/0x16d104009964e694761C0bf09d7Be49B7E3C26fd","type":"smart_contract","addedAt":"2023-11-27T08:08:52.378Z","revision":0,"description":"IporProtocolRouterProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5SXh0rc8P12rp9jWIp9niS","url":"https://etherscan.io/address/0x364f116352EB95033D73822bA81257B8c1f5B1CE","type":"smart_contract","addedAt":"2023-04-06T01:24:02.061Z","revision":0,"description":"AmmStorageUsdtProx","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6rlwyEjFbAW5OQ0d6ODyG0","url":"https://etherscan.io/address/0x137000352B4ed784e8fa8815d225c713AB2e7Dc9","type":"smart_contract","addedAt":"2023-04-06T01:28:23.840Z","revision":0,"description":"AmmTreasuryUsdcProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7dyrQFLVfOIcH9uQofHq8f","url":"https://etherscan.io/address/0x63395EDAF74a80aa1155dB7Cd9BBA976a88DeE4E","type":"smart_contract","addedAt":"2023-11-27T08:10:14.293Z","revision":0,"description":"AmmTreasuryEthProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7uBXCY14S3PiSEXZhc4NNj","url":"https://etherscan.io/address/0x28BC58e600eF718B9E97d294098abecb8c96b687","type":"smart_contract","addedAt":"2023-04-06T01:28:10.112Z","revision":0,"description":"AmmTreasuryUsdtProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Y9WE5v0u5W4aR1KPNYJkb","url":"https://etherscan.io/address/0x7c0e72f431FD69560D951e4C04A4de3657621a88","type":"smart_contract","addedAt":"2023-04-06T01:20:29.064Z","revision":0,"description":"ipUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"b0leB1OMXobPG7CxBkBiH","url":"https://etherscan.io/address/0x77Fe3a8E8d1d73Df54Ca07674Bf1bD6C5841e3b5","type":"smart_contract","addedAt":"2024-03-14T13:40:01.080Z","revision":0,"description":"Ethereum - 
AmmStorageWeEthProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ttwvpTDyjnoib8YcU1Pqg","url":"https://etherscan.io/address/0xc40431b6C510AeB45Fbb5e21E40D49F12b0c1F0c","type":"smart_contract","addedAt":"2023-11-27T08:09:11.274Z","revision":0,"description":"ipstETH","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Impacts only apply to assets in active use by the project, like contracts on mainnet or web/app assets used in production. Any impact that applies to assets not in active use, like test or mock files, is out-of-scope of the bug bounty program unless explicitly mentioned as in-scope. \n\n__Smart Contracts__ \n\n- __Smart Contracts - PoC__: Smart Contract bug reports must include a runnable Proof of Concept (PoC) in order to prove impact.  \n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\nWhitehats are highly encouraged to review any potential subdomains and what specific port(s) are in scope. Even though the domain may be the same, different ports may point to different assets.  \n\n__Dev Environment and Documentation:__\n\nIPOR has included dev documentation and/or instructions to help in reviewing code and exploring for bugs:\n- [https://docs.ipor.io/](https://docs.ipor.io/)\n- [https://github.com/IPOR-Labs/ipor-protocol/blob/main/README.md](https://github.com/IPOR-Labs/ipor-protocol/blob/main/README.md)\n- [https://github.com/IPOR-Labs/ipor-power-tokens/blob/main/README.md](https://github.com/IPOR-Labs/ipor-power-tokens/blob/main/README.md)\n\n__Impacts to other assets:__\n\nHackers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. \n\nIf whitehats can demonstrate a critical impact on code in production for an asset not in scope, IPOR encourages you to submit your bug report using the “primacy of impact exception” asset. 
\n\n__Impacts in Scope:__\n\n(For Blockchain/DLT and Smart Contracts Only) This program is considered to be governed by Primacy of Impact. For more information on what this means, visit: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nImpacts are based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/)\n\nAt Immunefi, we classify bugs on a simplified 5-level scale:\n- Critical\n- High\n- Medium\n- Low\n- None","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-04-11T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1PWUkjxOSqZ6A6oiZIr4hc/c02ae0b18f6f29eb5e977088ba93db88/tVLWWz2T_400x400.jpg","maxBounty":20000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["AMM","Asset Management","DEX","Derivatives","L2","Staking"],"programOverview":"IPOR refers to a set of protocols, smart contracts, and software that forms a set of Decentralized Applications (DApps) for Decentralized Finance (DeFi) focused on interest rate derivatives. The core IPOR infrastructure consists of three main parts: the IPOR Index (Index), Liquidity Pools with an Automated Market Maker (AMM) and Asset Management smart contracts. The first type of interest rate derivatives supported by the AMM are Interest Rate Swaps (Swap or IRS). 
The system also incorporates a Decentralized Autonomous Organization (DAO) and a Treasury in the spirit of decentralization.\n\nFor more information about IPOR, please visit [https://www.ipor.io/](https://www.ipor.io/) \n\n__For Whitehats:__ It is highly recommended that you review the details of this program in full. Although many Bug Bounty programs have standard terms and conditions, each also has its own unique details that are critical to your success.  \n\nPrior to submitting a report, please review the [Immunefi Bug Report Template and Best Practices](https://immunefisupport.zendesk.com/hc/en-us/articles/12435277406481-Bug-Report-Template).","programType":["Smart Contract"],"project":"IPOR","projectType":["Defi"],"rewardsBody":"Please review how rewards are distributed based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale system with separate scales for Smart Contracts and Websites/Apps.\n\n__Payouts and Payout Requirements:__\n\nPayouts are handled by the IPOR team directly and are denominated in USD. However, payouts are done in USDC and IPOR. For critical vulnerabilities, IPOR DAO will pay 50% in USDC and 50% in IPOR tokens.  IPOR commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures. \n\n| Impact     | Criteria for assessing economic damage     |\n| ---------- | ---------- |\n| Critical       | Risk Ratio = Funds at Risk / IPOR TVL. If the risk ratio is at or below 0.5, the payout is calculated linearly between USD $0 and USD $25K. If the risk ratio is above 0.5, the payout is calculated linearly between USD $25K and USD $100K, with a maximum cap of USD $100K. 
In the event that the funds at risk is greater than the IPOR TVL, the maximum reward will not exceed USD $100K.\n\nFor the purposes of determining report validity, this is a Primacy of Impact program. \n\nLearn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\n__KYC Requirements:__\n\nIPOR __does not__ have a Know Your Customer (KYC) requirement for bug bounty payouts. \n\n__Audit Discoveries and Known Issues:__\n\nBug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. \n\n__Description of known issue:__\n- IPOR index value manipulation through AAVE & Compound\n- reports reported via github [https://github.com/IPOR-Labs/ipor-audit-reports](https://github.com/IPOR-Labs/ipor-audit-reports)\n- The issue with liquidity pools amount equals zero\n- asset management relies on the published token exchange rate (gas optimization)\n- when opening swaps the asset management holdings are calculated without the interest (gas optimisation)","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, IPOR","slug":"ipor","tenPercentEconomicRule":false,"updatedDate":"2026-03-30T16:01:29.290Z","impactsBody":null,"websiteUrl":null,"githubUrl":"https://github.com/IPOR-Labs","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"IPOR refers to a set of protocols, smart contracts, and software that forms a set of Decentralized Applications (DApps) for Decentralized Finance (DeFi) focused on interest rate derivatives. 
The core IPOR infrastructure consists of three main parts: the IPOR Index (Index), Liquidity Pools with an Automated Market Maker (AMM) and Asset Management smart contracts.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Broken link hijacking is out of scope\n- Best practice critiques\n- IPOR index value manipulation through AAVE & Compound\n- Issues when the liquidity of liquidity pools equals zero\n- Interest Rate Swaps opening and closing","customProhibitedActivities":["The following activities are prohibited by this bug bounty program. Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team, which may also result in: 1) the forfeiture and loss of access to all bug submissions, and 2) zero payout.","Please note that Immunefi has no tolerance for spam/low-quality/incomplete bug reports, “beg bounty” behavior, and misrepresentation of assets and severity. 
Immunefi exists to protect the global crypto community, not facilitate grift."],"impacts":[{"id":4078,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds for 24 hours"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"}],"rewards":[{"id":43789,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":43790,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":5000,"minReward":2000,"rewardModel":"range"},{"id":43791,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4sJ5FafysWydMsuEgquzwl","url":"https://explorer.inkonchain.com/address/0xcaae49fb7f74cCFBE8A05E6104b01c097a78789f","type":"smart_contract","addedAt":"2026-01-21T09:44:13.560Z","revision":0,"description":"BalancedUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"40fa1pSomFAwCRm0EwlRQY","url":"https://explorer.inkonchain.com/address/0x0C4dF79d9e35E5C4876BC1aE4663E834312DDc67","type":"smart_contract","addedAt":"2026-01-21T09:44:24.014Z","revision":0,"description":"AccountantWithYieldStreaming","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1lRsA1ZMLKwvFETkH1UHGT","url":"https://explorer.inkonchain.com/address/0xC151E263d5c890FD0Bceb33a6525F1A76a8329fC","type":"smart_contract","addedAt":"2026-01-21T09:44:34.279Z","revision":0,"description":"TellerWithYieldStreaming","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7qwdSZTM2oR5pS1x6E1Fj3","url":"https://explorer.inkonchain.com/address/0xC2867bd44E58B43e74859cbd1c320477b3ca9f33
?tab=contract","type":"smart_contract","addedAt":"2026-01-21T09:44:49.141Z","revision":0,"description":"AaveV3BufferHelper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1FIQG1mCBCb6WDvrBF1IvZ","url":"https://explorer.inkonchain.com/address/0x4c433Ed6d57316170565D7Fedc11a841832cDc3d","type":"smart_contract","addedAt":"2026-01-21T09:45:16.739Z","revision":0,"description":"BoringOnChainQueue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1li2P8xrI0yIXS0eeXrRor","url":"https://explorer.inkonchain.com/address/0xFfDffb178Cb469002B77b47f7e4a6bCAd041a9b6","type":"smart_contract","addedAt":"2026-01-21T09:45:26.972Z","revision":0,"description":"BoringSolver","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1fwGj2SyWTHj4BRRTRqVH3","url":"https://explorer.inkonchain.com/address/0x3E8B0ee1D05267fE9F8d2b1f8CB48F2e23d69c6B","type":"smart_contract","addedAt":"2026-01-21T09:45:53.201Z","revision":0,"description":"RolesAuthority","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"53pwcL713ft6XEty59wTL6","url":"https://explorer.inkonchain.com/address/0x3C72F147CA6200dfAFe6d8D4e808ccC4bB612C54","type":"smart_contract","addedAt":"2026-01-21T09:46:06.376Z","revision":0,"description":"Pauser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"38TdAHWzC9XFuZoQoRkgK2","url":"https://explorer.inkonchain.com/address/0xDbD87325D7b1189Dcc9255c4926076fF4a96A271","type":"smart_contract","addedAt":"2026-01-21T09:46:17.448Z","revision":0,"description":"BoostedUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6BbRS0q2nzWFYCWyYrsQH","url":"https://explorer.inkonchain.com/address/0x9c2477D4Ea17d3cCC45e6b1087c94d14926F54C9","type":"smart_contract","addedAt":"2026-01-21T09:46:32.178Z","revision":0,"description":"AccountantWithYieldStreaming","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2eMZujAV41L9l4UQXYtGOl","url":"https://explorer.inkonchain.com/address/0xc46f2443b3521632E2E2a903D6da8f965B46f6a0","type":"smart_contract","addedAt":"2026-01-21T09:46:
43.558Z","revision":0,"description":"TellerWithYieldStreaming","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4fYujxvmyxX2M876kZcKRv","url":"https://explorer.inkonchain.com/address/0xC2867bd44E58B43e74859cbd1c320477b3ca9f33?tab=contract","type":"smart_contract","addedAt":"2026-01-21T09:46:56.813Z","revision":0,"description":"AaveV3BufferHelper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1xKo0nKrdcEbrMGKTYbdNt","url":"https://explorer.inkonchain.com/address/0x406E63323EF5d39D41C6fD895Ef9665AF926184c","type":"smart_contract","addedAt":"2026-01-21T09:47:07.289Z","revision":0,"description":"BoringOnChainQueue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3LCElzPa63psfhevV4vNph","url":"https://explorer.inkonchain.com/address/0xdf4123c18DC985ed94061f2C08cE17b7b17f21fF","type":"smart_contract","addedAt":"2026-01-21T09:47:19.091Z","revision":0,"description":"BoringSolver","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7hzMde80BtNhUk2Tux93Lr","url":"https://explorer.inkonchain.com/address/0x1F53135155d6fF516bCcfDd9424fcdB8AD1eFB77","type":"smart_contract","addedAt":"2026-01-21T09:47:41.861Z","revision":0,"description":"RolesAuthority","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2WVjIjnXJ5xooAri8XoRRb","url":"https://explorer.inkonchain.com/address/0x4B0B3164B6731ACd96e29F13bF6c112204d5f024","type":"smart_contract","addedAt":"2026-01-21T09:47:54.877Z","revision":0,"description":"Pauser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99409","url":"https://scrollscan.com/address/0xf0bb20865277aBd641a307eCe5Ee04E79073416C","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - boring_vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99410","url":"https://scrollscan.com/address/0xea23ac6d7d11f6b181d6b98174d334478adae6b0","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - 
accountant","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99411","url":"https://scrollscan.com/address/0xe3F8fa039fF7A8Fe42fA2C6e9DC8565EcE6f7042","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - boring_solver","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99412","url":"https://scrollscan.com/address/0xc315D6e14DDCDC7407784e2Caf815d131Bc1D3E7","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - accountant","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99413","url":"https://scrollscan.com/address/0xaFa8c08bedB2eC1bbEb64A7fFa44c604e7cca68d","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99414","url":"https://scrollscan.com/address/0x9AA79C84b79816ab920bBcE20f8f74557B514734","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - teller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99415","url":"https://scrollscan.com/address/0x8Ea0B382D054dbEBeB1d0aE47ee4AC433C730353","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - teller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99416","url":"https://scrollscan.com/address/0x7b57Ad1A0AA89583130aCfAD024241170D24C13C","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99417","url":"https://scrollscan.com/address/0x77A2fd42F8769d8063F2E75061FC200014E41Edf","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - 
boring_queue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99418","url":"https://scrollscan.com/address/0x7102C6889B0BB93Acf4A895f3EbeB17080D91d29","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - boring_solver","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99419","url":"https://scrollscan.com/address/0x6632d22A2062415bB37C8d7b6A5EC86c35bb2610","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - boring_solver","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99420","url":"https://scrollscan.com/address/0x5f46d540b6eD704C3c8789105F30E075AA900726","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - boring_vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99421","url":"https://scrollscan.com/address/0x4DE413a26fC24c3FC27Cc983be70aA9c5C299387","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - teller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99422","url":"https://scrollscan.com/address/0x38FC1BA73b7ED289955a07d9F11A85b6E388064A","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - boring_queue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99423","url":"https://scrollscan.com/address/0x227975088C28DBBb4b421c6d96781a53578f19a8","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99424","url":"https://scrollscan.com/address/0x0D2dF071207E18Ca8638b4f04E98c53155eC2cE0","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - 
boring_queue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99425","url":"https://scrollscan.com/address/0x0d05D94a5F1E76C18fbeB7A13d17C8a314088198","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - accountant","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99426","url":"https://scrollscan.com/address/0x08c6F91e2B681FaF5e17227F2a44C307b3C1364C","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - boring_vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99427","url":"https://etherscan.io/address/0xf9f7969C357ce6dfd7973098Ea0D57173592bCCa","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99428","url":"https://etherscan.io/address/0xf0bb20865277aBd641a307eCe5Ee04E79073416C","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - boring_vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99429","url":"https://etherscan.io/address/0xED41172438897BcB22c9dd72B9F9bbF9A8bF8929","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - boring_solver","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99430","url":"https://etherscan.io/address/0xEa23aC6D7D11f6b181d6B98174D334478ADAe6b0","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - accountant","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99431","url":"https://etherscan.io/address/0xe3F8fa039fF7A8Fe42fA2C6e9DC8565EcE6f7042","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - 
boring_solver","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99432","url":"https://etherscan.io/address/0xc315D6e14DDCDC7407784e2Caf815d131Bc1D3E7","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - accountant","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99433","url":"https://etherscan.io/address/0xaFa8c08bedB2eC1bbEb64A7fFa44c604e7cca68d","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99434","url":"https://etherscan.io/address/0x9AA79C84b79816ab920bBcE20f8f74557B514734","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - teller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99435","url":"https://etherscan.io/address/0x92b10e02825986bAc2375BdACaFA3e89E3f612aA","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - boring_solver","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99436","url":"https://etherscan.io/address/0x8Ea0B382D054dbEBeB1d0aE47ee4AC433C730353","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - teller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99437","url":"https://etherscan.io/address/0x7b57Ad1A0AA89583130aCfAD024241170D24C13C","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99438","url":"https://etherscan.io/address/0x77A2fd42F8769d8063F2E75061FC200014E41Edf","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - 
boring_queue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99439","url":"https://etherscan.io/address/0x5f46d540b6eD704C3c8789105F30E075AA900726","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidBTC - boring_vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99440","url":"https://etherscan.io/address/0x4DE413a26fC24c3FC27Cc983be70aA9c5C299387","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - teller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99441","url":"https://etherscan.io/address/0x38FC1BA73b7ED289955a07d9F11A85b6E388064A","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - boring_queue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99442","url":"https://etherscan.io/address/0x0D2dF071207E18Ca8638b4f04E98c53155eC2cE0","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - boring_queue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99443","url":"https://etherscan.io/address/0x0d05D94a5F1E76C18fbeB7A13d17C8a314088198","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidETH - accountant","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99444","url":"https://etherscan.io/address/0x08c6F91e2B681FaF5e17227F2a44C307b3C1364C","type":"smart_contract","addedAt":"2026-03-30T15:39:31.395Z","revision":0,"description":"LiquidUSD - boring_vault","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Time Saver","Boost","Safe Harbor Documents 
Signed"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2026-01-21T15:00:08.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7sPnqpegIJPwnGefGAuA4G/5004455ff135c3909c69a6337075934d/3ELNfUvR_400x400.png","maxBounty":1000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Veda is a DeFi vault primitive, which is a protocol-level mechanism for pricing, accounting, securing, optimizing, and automating capital. Designed to be non-custodial, trust-minimized, and composable, Veda empowers businesses, asset issuers, protocols, chains, wallets and applications to build enterprise-grade DeFi products without reinventing complex smart contract and offchain infrastructure.\n\nBy abstracting away the intricacies of cross-chain operations, yield optimization, and risk mitigation, Veda significantly lowers the barriers to entry for onchain finance for both consumer and institutional participants. Protocols integrating Veda can seamlessly onboard users with transparent safeguards in real time.\n\nVeda has demonstrated consistent market leadership in the vault and curation category. Notable achievements include:\n- Recognized as the largest vault provider and curator in DeFi, securing over $3 billion in TVL with over 100k users\n- Developed the BoringVault, the most widely used vault standard across DeFi\n- Onboarded the first vault token, eBTC, onto Aave's main market\n- Distributed in Binance Web3 wallet and ByBit Web3 wallet\n\nFor more information about Veda, please visit [https://veda.tech/](https://veda.tech/).\n\nVeda provides rewards in USDC on Ethereum, denominated in USD. 
For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Responsible Publication__\n\nVeda adheres to **Category 2: Notice Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nVeda adheres to the Primacy of Rules for all impacts:\nhttps://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\n\n__Previous Audits__\n\nVeda’s completed audit reports can be found at [https://docs.veda.tech/audits](https://docs.veda.tech/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract"],"project":"Veda","projectType":[],"rewardsBody":"__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 1 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 100 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n\"Funds directly affected\" is narrowly defined as:\n\n(1) the funds held only in the specific smart-contract instance where the vulnerability exists;\n\n(2) funds at risk of irreversible loss through exploitation, where the exploit is executable against the in-scope contracts as deployed on mainnet, using publicly available infrastructure and without requiring privileged access, protocol misconfiguration, or conditions not present at the time of submission.\n\nAnd expressly excludes:\n\n- funds in other contracts, vaults, strategies, or positions;\n- theoretical or maximum mathematical drainability;\n- impacts resulting from exploitation of external protocols or integrations outside of the defined scope;\n- funds accessible only via MEV, timing manipulation, or reordering assumptions;\n- impacts dependent on liquidity movement or oracle price conditions.\n\nIf a vulnerability affects accounting, pricing, or internal state without placing funds at imminent risk of loss in a single transaction, the bug may be reclassified to High, Medium or Low severity based on Immunefi Feasibility Limitation standards, as defined in the section below.\n\nThe minimum critical reward applies only where:\n\n(a) The vulnerability is exploitable against the in-scope contracts as deployed on mainnet. Multi-transaction or multi-block execution shall not diminish severity classification where the researcher demonstrates that the full attack path is executable without requiring external dependencies, privileged access, or conditions not present at time of submission;\n(b) The researcher demonstrates exploitability against the in-scope contracts as deployed on mainnet. Assessment of feasibility and severity shall follow Immunefi's standard rules, including Feasibility Limitations.
\nIf these criteria are not met, the minimum reward does not apply.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. For avoidance of doubt, if mitigation is reasonably possible through pause, upgrade, parameter adjustment, or operational intervention, only the initial exploitable instance counts toward funds-at-risk.\n\nThe amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every [3600 blocks] the attack needs for subsequent attacks from the first attack, rounded down. Cumulative reward calculations apply only where repeated exploitation is realistically feasible under normal adversarial conditions and does not require MEV, builder manipulation, extreme gas tactics, or non-standard environmental assumptions.\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 10 000 to USD 25 000 with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward.\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Veda team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"veda","tenPercentEconomicRule":false,"updatedDate":"2026-03-30T15:39:31.585Z","impactsBody":null,"websiteUrl":"https://veda.tech/","githubUrl":"https://github.com/Veda-Labs/boring-vault/","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_auditor","no_employee"],"responsiblePublicationCategory":"category_2","description":"Veda is a DeFi vault primitive, which is a protocol-level mechanism for pricing, accounting, securing, optimizing, and automating capital. Designed to be non-custodial, trust-minimized, and composable, Veda empowers businesses, asset issuers, protocols, chains, wallets and applications to build enterprise-grade DeFi products without reinventing complex smart contract and offchain infrastructure.","knownIssues":[{"id":1259,"link":"https://github.com/veda-Labs/boring-vault","description":"Known Issue: The protocol is aware of potential inaccuracies in fee calculations related to yield streaming and vesting mechanics. These are known, accounted for operationally, and do not result in loss of user funds. Reports related to fee calculation precision in the accountant's vesting logic will not be eligible for reward.","lastUpdatedAt":"2026-01-01T07:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1263,"link":"https://github.com/veda-Labs/boring-vault","description":"Known Issue: The protocol is aware that certain edge cases exist when vault.totalSupply() == 0. Reports requiring an empty vault as a precondition will not be eligible for reward.","lastUpdatedAt":"2026-01-01T07:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"}],"rewards":[{"id":43777,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43778,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":10000,"rewardModel":"range"}],"audits":[{"id":"5jzBP3chcUrWGRHuh8nxHj","url":"https://docs.veda.tech/audits","auditor":"All Audits","date":"2026-01-21T00:00:00.000Z"}]},{"assets":[{"id":"1cFlNFrrvEGU4suzp0zOro","url":"https://etherscan.io/address/0x8236a87084f8b84306f72007f36f2618a5634494","type":"smart_contract","addedAt":"2024-09-02T07:18:17.238Z","revision":0,"description":"LBTC Mainnet","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4a7sAYkwE7aqtIMzzrzFeO","url":"https://etherscan.io/address/0x055E84e7FE8955E2781010B866f10Ef6E1E77e59","type":"smart_contract","addedAt":"2024-09-02T07:18:36.271Z","revision":0,"description":"Proxy Upgrade 
Timelock","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7pgeTVcHh30UO1DKlDQVps","url":"https://lombard.finance","type":"websites_and_applications","addedAt":"2024-09-02T07:18:52.267Z","revision":0,"description":"Home Page","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6IzcNYPl243cRuxIR9mfVf","url":"https://lombard.finance/app/","type":"websites_and_applications","addedAt":"2024-09-02T07:19:07.948Z","revision":0,"description":"Dapp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98753","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"98717","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99340","url":"https://etherscan.io/address/0xdad58dfa5c1a7a34419afdbe1f0d610efeea95e4","type":"smart_contract","addedAt":"2026-03-24T08:40:25.000Z","revision":0,"description":"Consortium","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99341","url":"https://etherscan.io/address/0xc750eCAC7250E0D18ecE2C7a5F130E3A765dc260","type":"smart_contract","addedAt":"2026-03-24T08:40:25.000Z","revision":0,"description":"BasculeV1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99342","url":"https://etherscan.io/address/0xC3ecFE771564e3f28CFB7a9b203F4d10279338eD","type":"smart_contract","addedAt":"2026-03-24T08:40:25.000Z","revision":0,"description":"GMPBasculeV1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99343","url":"https://etherscan.io/address/0xB0F70C0bD6FD87dbEb7C10dC692a2a6106817072","type":"smart_contract","addedAt":"2026-03-24T08:40:25.000Z","revision":0,"description":"BTC.b","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99344","url":"https://etherscan.io/address/0x9eCe5fB1aB62d9075c4ec814b321e24D8EA021ac","type":"smart_contract","ad
dedAt":"2026-03-24T08:40:25.000Z","revision":0,"description":"AssetRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99345","url":"https://etherscan.io/address/0x964677F337d6528d659b1892D0045B8B27183fc0","type":"smart_contract","addedAt":"2026-03-24T08:40:25.000Z","revision":0,"description":"Mailbox","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99346","url":"https://etherscan.io/address/0x451c54981C7DA5d95901b770C540547cF5FE0A2D","type":"smart_contract","addedAt":"2026-03-24T08:40:25.000Z","revision":0,"description":"BridgeV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99347","url":"https://etherscan.io/address/0x1De9fcfeDF3E51266c188ee422fbA1c7860DA0eF","type":"smart_contract","addedAt":"2026-03-24T08:40:25.000Z","revision":0,"description":"StakedLBTCOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99383","url":"https://github.com/lombard-finance/sui-move-contracts/tree/main/move/lbtc","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Sui LBTC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99384","url":"https://github.com/lombard-finance/sui-move-contracts/tree/main/move/consortium","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Sui Consortium","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99385","url":"https://github.com/lombard-finance/sui-move-contracts/tree/main/move/bridge_vault","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Sui Bridge Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99386","url":"https://github.com/lombard-finance/sui-move-contracts/tree/main/move/bascule","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Sui 
Bascule","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99387","url":"https://github.com/lombard-finance/starknet-cairo-contracts/tree/main/packages/token","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Starknet LBTC Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99388","url":"https://github.com/lombard-finance/starknet-cairo-contracts/tree/main/packages/consortium","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Starknet Consortium","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99389","url":"https://github.com/lombard-finance/starknet-cairo-contracts/tree/main/packages/bascule","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Starknet Bascule","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99390","url":"https://github.com/lombard-finance/starknet-cairo-contracts/tree/main/packages/asset_router","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Starknet 
AssetRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99391","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/stakeAndBake/veda/ERC4626VaultTokenWrapper.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"BTCe","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99392","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/stakeAndBake/StakeAndBake.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"StakeAndBake","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99393","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/LBTC/StakedLBTCOracle.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"StakedLBTCOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99394","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/LBTC/StakedLBTC.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"LBTC 
Mainnet","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99395","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/LBTC/NativeLBTC.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"BTC.b","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99396","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/LBTC/BridgeTokenAdapter.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"BridgeTokenAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99397","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/LBTC/AssetRouter.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"AssetRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99398","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/gmp/Mailbox.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Mailbox","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99399","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/consortium/LombardTimeLock.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Proxy Upgrade 
Timelock","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99400","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/consortium/Consortium.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"Consortium","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99401","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bridge/providers/LombardTokenPoolV2.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"LombardTokenPoolV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99402","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bridge/providers/BridgeTokenPool.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"BridgeTokenPool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99403","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bridge/BridgeV2.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"BridgeV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99404","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bascule/GMPBasculeV2.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"GMPBasculeV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99405","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bascule/GMPBasculeV1.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"GMPBasculeV1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99406","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bascule/BasculeV2.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"BasculeV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"9940
7","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bascule/Bascule.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"BasculeV1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99408","url":"https://github.com/Liquid-Bitcoin/BARD/blob/main/contracts/BARD/BARD.sol","type":"smart_contract","addedAt":"2026-03-30T15:30:46.030Z","revision":0,"description":"BARD","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"---\n\nThe scope references GitHub URLs to specific contract source files. The same contracts are deployed across multiple chains — deployed addresses can be found in our public mainnet.json files.\n\n**EVM chains:** Ethereum, BNB Chain, Base, Berachain, Sonic, Morph, Etherlink, Ink, Katana, TAC, Scroll, BOB, Avalanche, Monad, Stable, MegaETH — https://github.com/lombard-finance/evm-smart-contracts/blob/main/mainnet.json\n\n**Sui** — https://github.com/lombard-finance/sui-move-contracts/blob/main/mainnet.json\n\n**Starknet** — https://github.com/lombard-finance/starknet-cairo-contracts/blob/main/mainnet.json\n\nNote: not all contracts listed in mainnet.json are in scope — only those explicitly included in the scope section above.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Bitcoin"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Subscription Plan: Essential","Vault","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2024-09-04T00:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/62368-OIo8lLqnFjUCyS2rK1Azh.png","maxBounty":250000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - 
critical","websites_and_applications - medium","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Lombard’s codebase can be found at [https://github.com/lombard-finance](https://github.com/lombard-finance). Documentation and further resources can be found on [https://docs.lombard.finance/](https://docs.lombard.finance/).","productType":["Bug bounty"],"programOverview":"Lombard is on a mission to unlock Bitcoin's potential as a dynamic financial tool by connecting it to DeFi with LBTC. LBTC is a secure Bitcoin LST, developed by Lombard on top of Babylon. It's a yield-bearing, natively cross-chain, liquid Bitcoin backed 1:1 by BTC. With LBTC, Bitcoin can be held as a store of value and simultaneously used to lend, borrow, stake, trade, and transfer in DeFi across multiple blockchain ecosystems.\n\nFounded in April 2024, Lombard is dedicated to unlocking Bitcoin's potential as a dynamic financial tool by connecting it to DeFi. Lombard is building the universal standard for Bitcoin. Secured by Bitcoin-aligned ecosystem players, Lombard enables the yield-bearing BTC to move cross-chain without fragmenting liquidity, paving the way to become the single largest catalyst for onboarding net new capital into DeFi.\n\nBitcoin represents over 50% of the cryptocurrency market. But its interoperability with DeFi has been limited to date.\n\nOur flagship product, LBTC—a yield-bearing, cross-chain, liquid Bitcoin backed 1:1 by BTC—changes this and brings DeFi interoperability to ‘digital gold’. For the first time Bitcoin can be held as a store of value, and simultaneously used to earn, stake, trade, and transfer in DeFi at scale.\n\nLBTC opens up new opportunities for Bitcoin holders to earn, stake, and trade on-chain, all while retaining Bitcoin as a store of value. 
For DeFi protocols, LBTC provides increased liquidity and user activity by unlocking $1.4 trillion new capital.\n\nLombard is currently live on Ethereum mainnet in Public Beta, where eligible participants are staking native BTC and minting LBTC.\n\nFor more information about Lombard, please visit [https://www.lombard.finance/](https://www.lombard.finance/)\n\nLombard provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__ \n\nLombard will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nLombard adheres to the Primacy of Impact for the following impacts:\n- Smart contract - Critical\n- Smart Contract - High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- All issues covered by previous audits.\n- All issues previously reported via bug bounty or audit competitions.\n\n__Previous Audits__\n\nLombard’s completed audit reports can be found at [https://github.com/lombard-finance/evm-smart-contracts/tree/main/docs/audit](https://github.com/lombard-finance/evm-smart-contracts/tree/main/docs/audit). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Lombard has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Websites and Applications","Smart Contract"],"project":"Lombard Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 250 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. 
\n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of $10,000 to $50,000 depending on the funds at risk, capped at the maximum high reward.\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Critical web/app bug reports will be rewarded with USD 30 000 only if the impact leads to:__\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds\n\nAll other impacts that would be classified as Critical are rewarded a flat amount of USD 15 000. The rest of the severity levels are paid out according to the Impact in Scope table.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Lombard team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"lombard-finance","tenPercentEconomicRule":false,"updatedDate":"2026-03-30T15:30:46.236Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","websiteUrl":"https://www.lombard.finance/","githubUrl":"https://github.com/lombard-finance/","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Lombard is an onchain Bitcoin company, issuing institutional-grade Bitcoin assets, onchain financial solutions and core infrastructure. Founded in 2024, the company's products—including LBTC, the leading yield-bearing Bitcoin, BTC.b, the Lombard SDK, and Bitcoin Smart Accounts—enable Bitcoin to become productive capital across decentralized finance.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"1) Theoretical misconfiguration vulnerabilities. Reports based on hypothetical admin misconfigurations (e.g., \"if the admin sets parameter X to an unsafe value\") are out of scope. Exception: if the misconfiguration already exists in production, it is in scope.\n\n2) Third-party services not managed by Lombard. This includes RPC providers, indexers, and similar infrastructure. These are non-critical dependencies that can be switched to alternative providers. For third-party protocols integrating Lombard assets (e.g., oracles, vaults, DeFi protocols holding LBTC/BTC.b) — these protocols typically have their own bug bounty programs, and issues should be reported there first. If no bug bounty exists or the third party is unresponsive, and the issue directly affects Lombard assets in scope, you may submit a report. It will be treated as out of scope, with reward decisions made at the team's discretion.\n\n3) Disabled or deprecated contracts. Contracts that have been disabled (e.g., removed from minters, paused, blocked in any other way) or deprecated and are no longer actively used are out of scope, even if previously listed. 
If a disabled/deprecated contract still poses a direct risk to assets listed in scope, the report will be reviewed under Primacy of Impact.","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":5081,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (over 10 Days)"},{"id":5082,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript Replacing existing text with arbitrary text Arbitrary file uploads, etc"},{"id":5083,"type":"websites_and_applications","severity":"high","title":"Changing 
sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email Password of the victim etc."},{"id":5084,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:  Email address Phone number Physical address, etc."},{"id":5085,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction: Changing the first/last name of user, Enabling/disabling notifications"},{"id":5086,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:  Reflected HTML injection Loading external site data"},{"id":5087,"type":"smart_contract","severity":"critical","title":"Primacy of Impact"},{"id":5088,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":5089,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":5090,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters Substituting contract addresses Submitting malicious 
transactions"}],"rewards":[{"id":43770,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43771,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":43772,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":43773,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":43774,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":30000,"minReward":15000,"rewardModel":"range"},{"id":43775,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":43776,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"5c7BpMfhc7RY0FJYWhm0IW","url":"https://etherscan.io/address/0xE6343ad0675C9b8D3f32679ae6aDbA0766A2ab4c","type":"smart_contract","addedAt":"2023-12-27T14:08:31.897Z","revision":0,"description":"Clearinghouse v2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5WnJNoWXRXXaZFeFhjVKk5","url":"https://etherscan.io/address/0x04906695D6D12CF5459975d7C3C03356E4Ccd460?utm_source=immunefi","type":"smart_contract","addedAt":"2022-02-07T11:57:29.181Z","revision":0,"description":"sOHM v2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7syzpfzs4xu7jGXtN2h9s0","url":"https://etherscan.io/address/0x64aa3364F17a4D01c6f1751Fd97C2BD3D7e7f1D5?utm_source=immunefi","type":"smart_contract","addedAt":"2022-02-07T11:58:07.838Z","revision":0,"description":"OHM 
v2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2PA3GGrap7GgVbcj6HoSOh","url":"https://etherscan.io/address/0xB63cac384247597756545b500253ff8E607a8020?utm_source=immunefi","type":"smart_contract","addedAt":"2022-02-07T11:59:10.819Z","revision":0,"description":"Staking v2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6mNeOhPLlDLmCf7dl1vd2m","url":"https://etherscan.io/address/0x0ab87046fBb341D058F17CBC4c1133F25a20a52f?utm_source=immunefi","type":"smart_contract","addedAt":"2022-02-07T11:59:37.175Z","revision":0,"description":"gOHM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"NEEE3CVYr1Luzue6kJLP4","url":"https://etherscan.io/address/0x2286d7f9639e8158FaD1169e76d1FbC38247f54b?utm_source=immunefi","type":"smart_contract","addedAt":"2023-02-27T15:04:13.533Z","revision":0,"description":"Kernel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2pAGzNogzWs19HZ2RUQrhb","url":"https://etherscan.io/address/0x9229b0b6FA4A58D67Eb465567DaA2c6A34714A75?utm_source=immunefi","type":"smart_contract","addedAt":"2023-02-27T15:04:34.485Z","revision":0,"description":"Emergency","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Um9RprDvPpW7Bv2jNILki","url":"https://etherscan.io/address/0xb216d714d91eeC4F7120a732c11428857C659eC8?utm_source=immunefi","type":"smart_contract","addedAt":"2023-02-27T15:05:54.047Z","revision":0,"description":"Roles Admin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5lq7dQ6KuVEqhkGNyfuAmH","url":"https://etherscan.io/address/0xC9518AC915e46D707585116451Dc19c164513Ccf?utm_source=immunefi","type":"smart_contract","addedAt":"2023-02-27T15:06:10.553Z","revision":0,"description":"Treasury Custodian","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"tIpB5UuQflJvjUjUsgH1I","url":"https://etherscan.io/address/0xf6D5d06A4e8e6904E4360108749C177692F59E90?utm_source=immunefi","type":"smart_contract","addedAt":"2023-02-27T15:06:26.079Z","revision":0,"description":"Olympus Price 
Config","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6dcVtm9wKxuwPUygctJbol","url":"https://etherscan.io/address/0xf577c77ee3578c7F216327F41B5D7221EaD2B2A3?utm_source=immunefi","type":"smart_contract","addedAt":"2023-02-27T15:06:42.933Z","revision":0,"description":"Bond Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"XZlJNCZjjBAFbyGofr8pX","url":"https://etherscan.io/address/0xd6C4D723fdadCf0D171eF9A2a3Bfa870675b282f?utm_source=immunefi#code","type":"smart_contract","addedAt":"2023-02-27T15:06:58.768Z","revision":0,"description":"Olympus Price","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5UKTfH9AcRQAxPQWrxnK5I","url":"https://etherscan.io/address/0xa8687A15D4BE32CC8F0a8a7B9704a4C3993D9613?utm_source=immunefi","type":"smart_contract","addedAt":"2023-02-27T15:07:30.400Z","revision":0,"description":"Olympus Treasury","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"64KLxYs8SlOMhXQV44SUaK","url":"https://etherscan.io/address/0xa90bFe53217da78D900749eb6Ef513ee5b6a491e?utm_source=immunefi","type":"smart_contract","addedAt":"2023-02-27T15:07:45.516Z","revision":0,"description":"Olympus Minter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1gt4PoWFOqYr9tgnTuJbXc","url":"https://etherscan.io/address/0x6CAfd730Dc199Df73C16420C4fCAb18E3afbfA59?utm_source=immunefi","type":"smart_contract","addedAt":"2023-02-27T15:08:04.612Z","revision":0,"description":"Olympus Roles","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"mMAjjWOFZR1DosiuTnYF4","url":"https://etherscan.io/address/0x7fdD4e808ee9608f1b2f05157A2A8098e3D432cD?utm_source=immunefi","type":"smart_contract","addedAt":"2023-04-19T20:58:44.119Z","revision":0,"description":"Boosted Liquidity Vault 
Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Lak1xLs4VseMNewnWXoVY","url":"https://etherscan.io/address/0xafe729d57d2CC58978C2e01b4EC39C47FB7C4b23?utm_source=immunefi","type":"smart_contract","addedAt":"2023-04-19T20:58:58.106Z","revision":0,"description":"Boosted Liquidity Vault Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1YNjWNvrAuM9Tdc5oyDoGt","url":"https://etherscan.io/address/0x375E06C694B5E50aF8be8FB03495A612eA3e2275?utm_source=immunefi","type":"smart_contract","addedAt":"2023-04-19T21:01:25.294Z","revision":0,"description":"Boosted Liquidity Registry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4SUiL4v9lsCXXyWGm6twl7","url":"https://arbiscan.io/token/0xf0cb2dc0db5e6c66B9a70Ac27B06b878da017028?utm_source=immunefi","type":"smart_contract","addedAt":"2023-05-15T12:02:56.288Z","revision":0,"description":"OHM (Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3d5BjwFnEAy4lcI5SNBxrR","url":"https://arbiscan.io/token/0x8D9bA570D6cb60C7e3e0F31343Efe75AB8E65FB1?utm_source=immunefi","type":"smart_contract","addedAt":"2023-05-15T12:03:09.255Z","revision":0,"description":"gOHM - (Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"wzQZQX0S7Hyvr0Lvv5XCY","url":"https://snowtrace.io/token/0x321e7092a180bb43555132ec53aaa65a5bf84251?utm_source=immunefi","type":"smart_contract","addedAt":"2023-05-15T12:03:28.580Z","revision":0,"description":"gOHM - (Avalanche)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2GgJwD21jOuj4VtNdSC39u","url":"https://polygonscan.com/token/0xd8cA34fd379d9ca3C6Ee3b3905678320F5b45195?utm_source=immunefi","type":"smart_contract","addedAt":"2023-05-15T12:03:46.430Z","revision":0,"description":"gOHM - 
(Polygon/MATIC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5eNhqdmwoOzrQhgPzFteAK","url":"https://ftmscan.com/token/0x91fa20244fb509e8289ca630e5db3e9166233fdc?utm_source=immunefi","type":"smart_contract","addedAt":"2023-05-15T12:04:03.007Z","revision":0,"description":"gOHM - (Fantom)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"46dZw6djgxdLhQeWqMRhwh","url":"https://optimistic.etherscan.io/token/0x0b5740c6b4a97f90eF2F0220651Cca420B868FfB?utm_source=immunefi","type":"smart_contract","addedAt":"2023-05-15T12:04:19.248Z","revision":0,"description":"gOHM - (Optimism)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"58olmIrcZQhK2UdVLVTO9A","url":"https://app.olympusdao.finance/?utm_source=immunefi#/dashboard","type":"websites_and_applications","addedAt":"2022-02-07T12:01:20.851Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99044","url":"https://optimistic.etherscan.io/address/0xb1fA0Ac44d399b778B14af0AAF4bCF8af3437ad1","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"RolesAdmin - (Optimism)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99045","url":"https://optimistic.etherscan.io/address/0x623164A9Ee2556D524b08f34F1d2389d7B4e1A1C","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"MINTR - (Optimism)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99046","url":"https://optimistic.etherscan.io/address/0x22AE99D07584A2AE1af748De573c83f1B9Cdb4c0","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CrossChainBridge - 
(Optimism)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99047","url":"https://etherscan.io/address/0xFbf6383dC3F6010d403Ecdf12DDC1311701D143D","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CCIPCrossChainBridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99048","url":"https://etherscan.io/address/0xF35193DA8C10e44aF10853Ba5a3a1a6F7529E39a","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CD Auctioneer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99049","url":"https://etherscan.io/address/0xEBDe552D851DD6Dfd3D360C596D3F4aF6e5F9678","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CD Facility","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99050","url":"https://etherscan.io/address/0xe045bd0a0d85e980aa152064c06eae6b6ae358d2","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Periphery - Cooler v2 Migrator - (Ethereum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99052","url":"https://etherscan.io/address/0xdb591Ea2e5Db886dA872654D58f6cc584b68e7cC","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"MonoCooler (v2)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99053","url":"https://etherscan.io/address/0xD98B5b2E4D5d6Cd554115DE19EfB7A9084BEddd1","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"ReceiptTokenMgr","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99054","url":"https://etherscan.io/address/0xD58d7406E9CE34c90cf849Fc3eed3764EB3779B0","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Policy - Treasury Borrower - 
(Ethereum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99055","url":"https://etherscan.io/address/0xD3204Ae00d6599Ba6e182c6D640A79d76CdAad74","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Module - DLGTE - (Ethereum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99056","url":"https://etherscan.io/address/0xcb4E21Eb404d80F3e1dB781aAd9AD6A1217fbbf2","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"DepositManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99057","url":"https://etherscan.io/address/0xa61b846d5d8b757e3d541e0e4f80390e28f0b6ff","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"EmissionManager v1.2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99058","url":"https://etherscan.io/address/0xa6013bBFd70d6190FA1cc1afD0cB3859847711B4","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Governor Bravo Delegate","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99059","url":"https://etherscan.io/address/0xa5588e518CE5ee0e4628C005E4edAbD5e87de3aD","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CCIPLockReleaseTokenPool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99061","url":"https://etherscan.io/address/0x9ee9f0c2e91E4f6B195B988a9e6e19efcf91e8dc","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Cooler v2 LTV 
Oracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99062","url":"https://etherscan.io/address/0x953EA3223d2dd3c1A91E9D6cca1bf7Af162C9c39","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Timelock","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99063","url":"https://etherscan.io/address/0x89631595649cc6deba249a8012a5b2d88c8dde48","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"RGSTY Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99064","url":"https://etherscan.io/address/0x7d8f82A0D5B67d5FDd1B77A899FF517818FaFc2e","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CD Auctioneer Limit Orders","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99065","url":"https://etherscan.io/address/0x73df08ce9dcc8d74d22f23282c4d49f13b4c795e","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"BondCallback v1.1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99066","url":"https://etherscan.io/address/0x69a3e97027d21a5984b6a543b36603ffbc6543a4","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CHREG Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99067","url":"https://etherscan.io/address/0x6593768feBF9C95aC857Fb7Ef244D5738D1C57Fd","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Periphery - Cooler v2 Composites - (Ethereum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99068","url":"https://etherscan.io/address/0x6417F206a0a6628Da136C0Faa39026d0134D2b52","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Operator 
v1.5","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99069","url":"https://etherscan.io/address/0x5824850D8A6E46a473445a5AF214C7EbD46c5ECB","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Heart v1.7","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99070","url":"https://etherscan.io/address/0x45e563c39cddba8699a90078f42353a57509543a","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CrossChainBridge - (Mainnet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99071","url":"https://etherscan.io/address/0x399cd3685912bb56aaed0949119db6ce5df60fb5","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"RANGE v2.0","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99072","url":"https://etherscan.io/address/0x30Ce56e80aA96EbbA1E1a74bC5c0FEB5B0dB4216","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CoolerFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99074","url":"https://etherscan.io/address/0x271e35a8555a62F6bA76508E85dfD76D580B0692","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"YRF v1.2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99075","url":"https://etherscan.io/address/0x20a3d8510f2e1176E8Db4CeA9883a8287a9029Db","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"DepositRedemptionVault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99076","url":"https://etherscan.io/address/0x1e094fe00e13fd06d64eea4fb3cd912893606fe0","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Clearinghouse v1.2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99077","url":"https://etherscan.io/address/0x0941233c964e7d7Efeb05D253176E5E634cEFfcD","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Governor Bravo 
Delegator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99078","url":"https://etherscan.io/address/0x02331A4c97a4841084dF54d7c0eC04DD3f1A9F1c","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CDEPO Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99079","url":"https://etherscan.io/address/0x007F7735baF391e207E3aA380bb53c4Bd9a5Fed6","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"BondTeller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99080","url":"https://berascan.io/address/0xbC9eE0D911739cBc72cd094ADA26F56E0C49EeAE","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"MINTR - (Bera)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99081","url":"https://berascan.com/token/0x18878df23e2a36f81e820e4b47b4a40576d3159c","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"OHM - (Bera)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99082","url":"https://berascan.com/address/0xe37D9a2791707BBB858012d219960D5FBD190794","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"RolesAdmin - (Bera)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99083","url":"https://berascan.com/address/0xBA42BE149e5260EbA4B82418A6306f55D532eA47","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CrossChainBridge - (Bera)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99084","url":"https://berascan.com/address/0x0D33c811D0fcC711BcB388DFB3a152DE445bE66F","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Treasury Custodian - (Bera)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99085","url":"https://basescan.org/token/0x060cb087a9730E13aa191f31A6d86bFF8DfcdCC0","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"OHM - 
(Base)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99086","url":"https://basescan.org/address/0xb1fA0Ac44d399b778B14af0AAF4bCF8af3437ad1","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"RolesAdmin - (Base)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99087","url":"https://basescan.org/address/0x6CA1a916e883c7ce2BFBcF59dc70F2c1EF9dac6e","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CrossChainBridge - (Base)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99088","url":"https://basescan.org/address/0x623164A9Ee2556D524b08f34F1d2389d7B4e1A1C","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"MINTR - (Base)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99089","url":"https://arbiscan.io/address/0xeac3eC0CC130f4826715187805d1B50e861F2DaC","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"Kernel - (Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99090","url":"https://arbiscan.io/address/0x8f6406eDbFA393e327822D4A08BcF15503570D87","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"MINTR - (Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99091","url":"https://arbiscan.io/address/0x69168c08AcF66f002fd02E1B169f38C022c93b70","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"RolesAdmin - (Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99092","url":"https://arbiscan.io/address/0x20B3834091f038Ce04D8686FAC99CA44A0FB285c","type":"smart_contract","addedAt":"2026-02-20T15:33:48.311Z","revision":0,"description":"CrossChainBridge - 
(Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99119","url":"https://etherscan.io/address/0x5131654eFCd63f7b797e00118792e0d0dD90B8B0","type":"smart_contract","addedAt":"2026-03-02T16:04:24.572Z","revision":0,"description":"v1 Migrator ","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","Boba Network","ETH","Fantom","Optimism","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-01-06T17:45:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7csKh5iZlfBPWyb3cJUY5h/1b7fd615e0a6edce69010e2913edbef6/final_logo_01_07_22_OLYMPUS.png","maxBounty":3333333,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Any vulnerability that directly has an impact in scope.\n\n__Websites and Applications__\n\n  - Any vulnerability that directly has an impact in scope.","productType":["DAO","Token"],"programOverview":"Olympus is building the value layer of global finance. 
A programmatic treasury-backed framework for monetary policy, credit, and liquidity\n\nFor more information about Olympus, please visit [https://www.olympusdao.finance/](https://www.olympusdao.finance/)\n\nThis bug bounty program is focused on their smart contracts and app and is focused on preventing:\n\n  - Loss of treasury funds\n  - Loss of user funds\n  - Loss of bond funds\n\nThis bug bounty program is managed by OlympusDAO under the provisions of [OIP-38](https://forum.olympusdao.finance/d/197-oip-38-formalize-partnership-with-immunefi-for-the-bug-bounty-program), an extension of [OIP-17](https://forum.olympusdao.finance/d/72-oip-17-creation-funding-of-bug-bounty-program) and [OIP-34.](https://forum.olympusdao.finance/d/165-oip-34-adding-language-to-tier-1-of-bug-bounty/2) Note that this bounty is not available to Olympus Contributors, who should submit via the Olympus Discord page found [here](https://discord.com/channels/838651642190495804/905317734387175474/1192854877630627911).\n\nOlympus provides rewards in OHM, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__Responsible Publication__\n\nOlympus adheres to category __3 - Approval Required__. This Policy determines what information researchers are allowed to make public from their submitted bug reports. 
For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nOlympus adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n\n__Previous Audits__\n\nA full list of Olympus completed audit reports can be accessed below. Any unfixed vulnerability mentioned in these reports are not eligible for a reward.\n\n  - [https://docs.olympusdao.finance/main/security/audits](https://docs.olympusdao.finance/main/security/audits) \n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Olympus has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-).","programType":["Smart Contract","Websites and Applications"],"project":"Olympus","projectType":["Defi"],"rewardsBody":"This is a Custom Program, governed by __OlympusDAO__. The program is subcategorized into three tiers, with only the below impacts considered for a reward:\n\n  - Tier 1: For bugs/exploits which would lead to a loss of deposited funds or a loss of user funds, a reward amount equal to the potential loss of funds up to __USD 333 333__ (paid in OHM) is provided.\n\n  - Tier 2: For bugs/exploits which would lead to a direct economic loss* of treasury-controlled funds or assets, a reward equal to the potential loss up to USD 3,333,333 (paid in OHM) is provided. 
\n\n- - *For clarity, “economic loss” includes: \n    - Extracting assets from the treasury without authorization\n    - Acquiring protocol-owned tokens or assets at an improperly discounted rate due to a bug\n    - Forcing the protocol to sell or redeem assets below intended pricing\n    - Any exploit that allows value to leave the system to an attacker\n- - It does **not** include: \n    - Rebalancing, accounting errors, or internal value shifts where assets remain within treasury or protocol-controlled contracts\n    - Manipulations that do not result in net value extraction from the system\n\n  - Tier 3: The Bug Bounty Management team may from time to time, at its discretion, issue an award of up to __$16,942.00__ for submissions which do not qualify for bounties under other tiers, but which the team feels nonetheless are high effort, high quality, and of material use in improving Olympus’ security. Note that this bounty is not available to Olympus contributors, who should contact the Bug Bounty Management team directly for a bounty if they have found a bug or inefficiency that is outside of their mandate as a contributor. Further note that this bounty will not be awarded regularly. It is meant only for extremely high quality submissions which have significant material impacts to Olympus. No person submitting a bounty should assume that they are entitled to this or will be awarded it, as the bar to qualify for it will be very high.\n\nFor vulnerabilities of websites and applications, only bugs that lead to direct financial damage listed in the Impacts in Scope are accepted and are categorized as critical. All others are not accepted. 
An example of an acceptable vulnerability in this category would be [https://rekt.news/badger-rekt/ ](https://rekt.news/badger-rekt/)\n\nBugs that have been previously disclosed, either publicly or in an earlier bug submission, are ineligible for a reward.\n\nPayouts are handled by the __Olympus DAO__ directly and are denominated in __USD__, under the terms set out in OIP-38. However, payouts are done in __OHM__.\n\n__Reward Payment Terms__\n\nPayouts are handled by the __Olympus__ team directly and are denominated in __USD__. However, payments are done in __OHM__\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"OHM","slug":"olympus","tenPercentEconomicRule":false,"updatedDate":"2026-03-30T15:13:33.291Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table. Impacts caused by attacks requiring governance to approve an action related to a malicious contract/asset are not in scope.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Olympus is building the value layer of global finance. A programmatic treasury-backed framework for monetary policy, credit, and liquidity","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":1613,"type":"smart_contract","severity":"critical","title":"Loss of treasury funds"},{"id":1614,"type":"websites_and_applications","severity":"critical","title":"Loss of treasury funds"},{"id":1615,"type":"smart_contract","severity":"critical","title":"Loss of user funds"},{"id":1616,"type":"websites_and_applications","severity":"critical","title":"Loss of user funds"},{"id":1617,"type":"smart_contract","severity":"critical","title":"Loss of bond funds"},{"id":1618,"type":"websites_and_applications","severity":"critical","title":"Loss of bond funds"}],"rewards":[{"id":43768,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":3333333,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":43769,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":3333333,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"7mBG0yiFvAHJye1ddVcGMA","url":"https://github.com/scroll-tech/go-ethereum","type":"blockchain_dlt","addedAt":"2023-10-10T11:11:35.263Z","revision":0,"description":"l2geth","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ss4rU8xgRDH92uTLOEUKk","url":"https://etherscan.io/address/0x33996CC9EEe2dc20B10b8E57d313d0FacC7a0828","type":"smart_contract","addedAt":"2023-10-11T09:49:48.796Z","revision":0,"description":"ZkEvmVerifierV1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"43bWWxMfdJNCozKBGrOuHt","url":"https://etherscan.io/address/0x1Ea29d57dAC237152d878758bAe4BeB2668998f6","type":"smart_contract","addedAt":"2023-10-11T09:50:09.359Z","revision":0,"descript
ion":"MultipleVersionRollupVerifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7z1IydcHQKlpkuqtgdVowb","url":"https://etherscan.io/address/0x259204DDd2bA29bD9b1B9A5c9B093f73d7EAcf37","type":"smart_contract","addedAt":"2023-10-11T09:50:27.107Z","revision":0,"description":"L1Whitelist","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"78HWlHvcBQ74AzDfPXJpvA","url":"https://etherscan.io/address/0x0d7E906BD9cAFa154b048cFa766Cc1E54E39AF9B","type":"smart_contract","addedAt":"2023-10-11T09:50:40.562Z","revision":0,"description":"L1MessageQueue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Zy38N3q7H7ZugJiVCZlt5","url":"https://etherscan.io/address/0x987e300fDfb06093859358522a79098848C33852","type":"smart_contract","addedAt":"2023-10-11T09:50:58.744Z","revision":0,"description":"L2GasPriceOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7pgSF6m1UE0VeGze89p01F","url":"https://etherscan.io/address/0xa13BAF47339d63B743e7Da8741db5456DAc1E556","type":"smart_contract","addedAt":"2023-10-11T09:51:12.516Z","revision":0,"description":"L1ScrollChain","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Wo15rAmVYHqYsV0gZhyX","url":"https://etherscan.io/address/0x7F2b8C31F88B6006c382775eea88297Ec1e3E905","type":"smart_contract","addedAt":"2023-10-11T09:51:27.016Z","revision":0,"description":"L1ETHGateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"aM1yMtavrbA3fVJaI4i0s","url":"https://etherscan.io/address/0x7AC440cAe8EB6328de4fA621163a792c1EA9D4fE","type":"smart_contract","addedAt":"2023-10-11T09:51:41.779Z","revision":0,"description":"L1WETHGateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6rMfCLFfwXEFvAMgq6DKYG","url":"https://etherscan.io/address/0xD8A791fE2bE73eb6E6cF1eb0cb3F36adC9B3F8f9","type":"smart_contract","addedAt":"2023-10-11T09:51:55.261Z","revision":0,"description":"L1StandardERC20Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"752Z9CXIM51cKcrDYP6nYH","url":"https://etherscan.io/address
/0xF8B1378579659D8F7EE5f3C929c2f3E332E41Fd6","type":"smart_contract","addedAt":"2023-10-11T09:53:13.451Z","revision":0,"description":"L1GatewayRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"37YwkR0yDaLSy9jgmu1A6Q","url":"https://etherscan.io/address/0x6774Bcbd5ceCeF1336b5300fb5186a12DDD8b367","type":"smart_contract","addedAt":"2023-10-11T09:53:25.982Z","revision":0,"description":"L1ScrollMessenger","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2lv3XpSzqffEpH5NibCGfL","url":"https://etherscan.io/address/0x72CAcBcfDe2d1e19122F8A36a4d6676cd39d7A5d","type":"smart_contract","addedAt":"2023-10-11T09:53:39.580Z","revision":0,"description":"EnforcedTxGateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"FW9Qin594xmfHwNhHkv2I","url":"https://etherscan.io/address/0xb2b10a289A229415a124EFDeF310C10cb004B6ff","type":"smart_contract","addedAt":"2023-10-11T09:53:53.006Z","revision":0,"description":"L1CustomERC20Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2kFxyDdjOljSNYjajpwkLs","url":"https://etherscan.io/address/0x6260aF48e8948617b8FA17F4e5CEa2d21D21554B","type":"smart_contract","addedAt":"2023-10-11T09:54:06.206Z","revision":0,"description":"L1ERC721Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7CMr8tzuERagjqGLKj0Gyp","url":"https://etherscan.io/address/0xb94f7F6ABcb811c5Ac709dE14E37590fcCd975B6","type":"smart_contract","addedAt":"2023-10-11T09:54:20.920Z","revision":0,"description":"L1ERC1155Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Hngltlyrqe8dreqd8IA4U","url":"https://etherscan.io/address/0x798576400F7D662961BA15C6b3F3d813447a26a6","type":"smart_contract","addedAt":"2023-10-11T09:54:35.732Z","revision":0,"description":"L1ScrollOwner","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6aLvgRTyL1FPNeFpirH8RU","url":"https://scrollscan.com/address/0x5300000000000000000000000000000000000002","type":"smart_contract","addedAt":"2023-10-11T09:54:50.087Z","revision":0,"description":"L1
GasPriceOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5GD7MGuvxEAhpOzhPRjiQq","url":"https://scrollscan.com/address/0x5300000000000000000000000000000000000000","type":"smart_contract","addedAt":"2023-10-11T09:55:03.709Z","revision":0,"description":"L2MessageQueue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4rKQrzJER0Num3htnd3VTY","url":"https://scrollscan.com/address/0x5300000000000000000000000000000000000005","type":"smart_contract","addedAt":"2023-10-11T09:55:18.491Z","revision":0,"description":"L2TxFeeVault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4rJCGq8KMjG0yHZ7sKhysg","url":"https://scrollscan.com/address/0x5300000000000000000000000000000000000003","type":"smart_contract","addedAt":"2023-10-11T09:55:32.047Z","revision":0,"description":"L2Whitelist","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4CjT30E0K3AfBAAOIS42tV","url":"https://scrollscan.com/address/0x781e90f1c8Fc4611c9b7497C3B47F99Ef6969CbC","type":"smart_contract","addedAt":"2023-10-11T09:55:45.692Z","revision":0,"description":"L2ScrollMessenger","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2s6hC7S0hEwhdflQYJvo35","url":"https://scrollscan.com/address/0x6EA73e05AdC79974B931123675ea8F78FfdacDF0","type":"smart_contract","addedAt":"2023-10-11T09:56:00.173Z","revision":0,"description":"L2ETHGateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4NMe4mfqe1jQ0Q38K4ipNe","url":"https://scrollscan.com/address/0x7003E7B7186f0E6601203b99F7B8DECBfA391cf9","type":"smart_contract","addedAt":"2023-10-11T09:56:13.157Z","revision":0,"description":"L2WETHGateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"41bN4hOd9lLWpH7W4atTCn","url":"https://scrollscan.com/address/0xE2b4795039517653c5Ae8C2A9BFdd783b48f447A","type":"smart_contract","addedAt":"2023-10-11T09:56:28.402Z","revision":0,"description":"L2StandardERC20Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6JvoMpVxJMmayKF95Hw3gX","url":"https://scrollscan.com/address/0x
4C0926FF5252A435FD19e10ED15e5a249Ba19d79","type":"smart_contract","addedAt":"2023-10-11T09:56:41.442Z","revision":0,"description":"L2GatewayRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6MFYyseN5BUnJ6bTfsMN0H","url":"https://scrollscan.com/address/0xC7d86908ccf644Db7C69437D5852CedBC1aD3f69","type":"smart_contract","addedAt":"2023-10-11T09:56:54.262Z","revision":0,"description":"ScrollStandardERC20","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7CtIk0uLIq2r4kISMrPCNG","url":"https://scrollscan.com/address/0x66e5312EDeEAef6e80759A0F789e7914Fb401484","type":"smart_contract","addedAt":"2023-10-11T09:57:07.195Z","revision":0,"description":"ScrollStandardERC20Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3xva7DNWgmVn2uVJTt9a0K","url":"https://scrollscan.com/address/0x64CCBE37c9A82D85A1F2E74649b7A42923067988","type":"smart_contract","addedAt":"2023-10-11T09:57:20.937Z","revision":0,"description":"L2CustomERC20Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6bPFBeBiXniPpp3k4w1PeC","url":"https://scrollscan.com/address/0x62597Cc19703aF10B58feF87B0d5D29eFE263bcc","type":"smart_contract","addedAt":"2023-10-11T09:57:34.351Z","revision":0,"description":"L2ERC1155Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6F1vSnRdyNjHwMWIarpvPH","url":"https://scrollscan.com/address/0x13D24a7Ff6F5ec5ff0e9C40Fc3B8C9c01c65437B","type":"smart_contract","addedAt":"2023-10-11T09:57:46.870Z","revision":0,"description":"L2ScrollOwner","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2O7OZNsHRMCjxMZyVJgMI3","url":"https://etherscan.io/address/0x8432728A257646449245558B8b7Dbe51A16c7a4D","type":"smart_contract","addedAt":"2025-05-14T20:15:49.838Z","revision":0,"description":"SystemConfig","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"26PY7xgRn6lRy9k5DS3CB3","url":"https://etherscan.io/address/0x4CEA3E866e7c57fD75CB0CA3E9F5f1151D4Ead3F#code","type":"smart_contract","addedAt":"2025-05-14T20:16:04.232Z","revision":
0,"description":"MultipleVersionRollupVerifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4FFa7OO0u8slfiCuYmM3w1","url":"https://etherscan.io/address/0x56971da63A3C0205184FEF096E9ddFc7A8C2D18a","type":"smart_contract","addedAt":"2025-05-14T20:16:23.253Z","revision":0,"description":"L1MessageQueue (V2)","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"..","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Scroll"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Solidity"],"launchDate":"2023-10-17T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/IzdR0T8CiuGHqOpDEOGaJ/dadd27860fb4f34caa41477494233b28/Fq5O0LeN_400x400.jpg","maxBounty":250000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Bridge","L2"],"programOverview":"Scroll is an EVM-compatible zk-Rollup built to scale the Ethereum network. Our goal is to provide users with near instant and cost efficient transactions while also upholding the high security properties offered by the Ethereum network.\n\nFor more information about Scroll, please visit [https://scroll.io/](https://scroll.io/)\n\nScroll provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n\n- Wallet address, Full Name, Email Address, Proof of Identity (i.e. Government ID)\n\nKYC information is only required on confirmation of the validity of a bug report.   \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nScroll adheres to the Primacy of Impact for the following severity levels:\n- Blockchain/DLT: Critical\n- Blockchain/DLT: High\n- Smart Contracts: Critical\n- Smart Contracts: High\n- Smart Contracts: Medium\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program. \n\n__Immunefi Standard Badge__\n\nScroll has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract","Blockchain/DLT"],"project":"Scroll","projectType":["Blockchain","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. 
\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward is dependent on the ratio between the funds at risk, which includes all affected projects on top of the respective blockchain/DLT, and the market cap according to the average between CoinMarketCap.com and CoinGecko.com calculated at the time the bug report is submitted. However, a minimum reward of USD $50,000 is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\nThis ratio is known as the “risk ratio”, i.e.: Risk Ratio = Funds at Risk / Scroll Market Cap\n\nThe reward is then calculated linearly from 0:1 to 1:1, where 1:1 results in a reward of USD $250,000. In the event that the funds at risk are greater than the market cap, the maximum reward remains as the hard cap.\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected, with a maximum reward amount of USD $250,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $20,000 is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\n__Reward Calculation for High Level Reports__\n\nHigh smart contract vulnerabilities have a reward amount of 100% of the funds affected, subject to repeatable attacks and feasibility limitations with a maximum cap of USD $20,000.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for blockchain/DLT bugs, only the first attack is considered if the component where the vulnerability exists can be upgraded, paused, or killed. If the attack impacts a component directly holding funds that cannot be upgraded, paused, or killed, the amount of funds at risk will be calculated with the first attack being at 100% of the funds at actual risk. 
Subsequent attacks are then counted at a reduction of 25% from the amount of the first attack for every 1 hour they require after the first attack, rounded down. For avoidance of doubt, if a second attack would happen at 2 hours and then a third at 3 hours, the additional rewards would be counted at 50% and 75% reduction of the reward from the first attack, respectively.\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack is considered if the smart contracts where the vulnerability exists can be upgraded, paused, or killed. If the attack impacts a smart contract directly holding funds that cannot be upgraded or paused, the amount of funds at risk will be calculated with the first attack being at 100% of the funds that could be stolen and then a reduction of 25% from the amount of the first attack for every 300 blocks the attack needs for subsequent attacks from the first attack, rounded down. For avoidance of doubt, if a second attack would happen at 600 blocks and then a third at 900 blocks, the additional rewards would be counted at 50% and 75% reduction of the reward from the first attack, respectively.\n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are ineligible for a reward:\n- Current and past employees, vendors (auditors), partners and contractors are not eligible to participate in the bug bounty program\n\n__Previous Audits__\n\nScroll has provided these completed audit review reports for reference. 
Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n- Blockchain\n   - [zkTrie (Trail of Bits)](https://github.com/trailofbits/publications/blob/master/reviews/2023-07-scroll-zktrie-securityreview.pdf)\n   - [L2geth (Trail of Bits)](https://github.com/trailofbits/publications/blob/master/reviews/2023-08-scrollL2geth-initial-securityreview.pdf)\n   - [L2geth diff (Trail of Bits)](https://github.com/trailofbits/publications/blob/master/reviews/2023-08-scrollL2geth-securityreview.pdf)\n   - [ZkEVM EIP-4844 Blob Support (Trail of Bits)](https://github.com/trailofbits/publications/blob/master/reviews/2024-04-scroll-4844-blob-securityreview.pdf)\n- Smart Contracts\n   - [OpenZeppelin Phase 1](https://blog.openzeppelin.com/scroll-layer-1-audit-1)\n   - [OpenZeppelin Phase 2](https://blog.openzeppelin.com/scroll-phase-2-audit)\n   - [OpenZeppelin GasSwap, Multiple Verifier, Wrapped Ether and Diff](https://blog.openzeppelin.com/scroll-gasswap-multiple-verifier-wrapped-ether-and-diff-audit)\n   - [OpenZeppelin ScrollOwner and Rate Limiter](https://blog.openzeppelin.com/scrollowner-and-rate-limiter-audit)\n   - [OpenZeppelin USDC Gateway](https://blog.openzeppelin.com/scroll-usdc-gateway-audit)\n   - [OpenZeppelin contract diff](https://blog.openzeppelin.com/scroll-diff-audit-report)\n   - [OpenZeppelin Bridge Gas Optimizations](https://blog.openzeppelin.com/scroll-bridge-gas-optimizations-audit)\n   - [OpenZeppelin ZKTrie Verifier](https://blog.openzeppelin.com/scroll-zktrieverifier-audit)\n   - [OpenZeppelin EIP-4844](https://blog.openzeppelin.com/scroll-eip-4844-support-audit)\n   - [OpenZeppelin Batch Token Bridge](https://blog.openzeppelin.com/scroll-batch-token-bridge-audit)\n   - [Zellic v1](https://github.com/Zellic/publications/blob/master/Scroll%20-%2005.26.23%20Zellic%20Audit%20Report.pdf)\n   - [Zellic v2](https://github.com/Zellic/publications/blob/master/Scroll%20-%2009.27.23%20Zellic%20Audit%20Report.pdf)\n   - [Scroll Lido Gateway - 
Zellic](https://github.com/Zellic/publications/blob/master/Scroll%20Lido%20Gateway%20-%20Zellic%20Audit%20Report.pdf)\n   - [Scroll Euclid Upgrade Phase 1 (Trail of Bits)](https://github.com/trailofbits/publications/blob/master/reviews/2025-04-scroll-euclid-phase1-securityreview.pdf)\n   - [Scroll Euclid Upgrade Phase 2 (Trail of Bits)](https://github.com/trailofbits/publications/blob/master/reviews/2025-04-scroll-euclid-phase2-securityreview.pdf)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Blockchain/DLT: Critical\n- Blockchain/DLT: High\n- Smart Contracts: Critical\n- Smart Contracts: High\n- Smart Contracts: Medium\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Scroll team directly and are denominated in USD. However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"scroll","tenPercentEconomicRule":false,"updatedDate":"2026-03-30T13:03:54.623Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_employee","no_auditor"],"responsiblePublicationCategory":"category_2","description":"Scroll is an EVM-compatible zk-Rollup built to scale the Ethereum network. 
Our goal is to provide users with near instant and cost efficient transactions while also upholding the high security properties offered by the Ethereum network.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice recommendations\n- Problems caused by L1 Gas Pricing\n- Logic errors with rebase tokens and interest-bearing tokens\n- Attacks related to deposit and withdrawal limits\n- Issues that affect geth (upstream) and are not caused by changes made in the Scroll implementation\n- Freezing of own funds due to mistaken operation\n- Throttling or suppression of operations without loss of user funds\n- Issues related to OpenVM are excluded from this scope. For any issues found in that component, please reach out to security@openvm.dev","customProhibitedActivities":["Throttling or suppression of operations without loss of user funds","Issues related to code/components already being deprecated prior to the bug bounty submission will be evaluated on a case-by-case basis.","Issues related to JSON-RPC"],"impacts":[{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":4482,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24h"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4483,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hard fork)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":4484,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds (that cannot be fixed by upgrade)"}],"rewards":[{"id":43757,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43758,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":10000,"rewardModel":"range"},{"id":43759,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":43755,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":250000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43756,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":20000,"minReward":10000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"1N1HgQLV1Jo21pZJXbiVHa","url":"https://github.com/ethereum-optimism/optimism/tree/develop/op-dispute-mon","type":"blockchain_dlt","addedAt":"2024-05-29T17:58:17.221Z","revision":0,"description":"op-dispute-mon","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1XP19NNGRAMIWLfOFQfseL","url":"https://etherscan.io/address/0xbEb5Fc579115071764c7423A4f12eDde41f106Ed","type":"smart_contract","addedAt":"2024-03-11T16:19:11.388Z","revision":0,"description":"OptimismPortal","isSafeHar
bor":false,"isPrimacyOfImpact":false},{"id":"1qIGQyLBxnCcZitlgJ8Lpi","url":"https://github.com/ethereum-optimism/op-geth","type":"blockchain_dlt","addedAt":"2024-05-29T17:57:33.303Z","revision":0,"description":"op-geth","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1x1u9XbBjLmXFY1xrJBBgu","url":"https://etherscan.io/address/0x543bA4AADBAb8f9025686Bd03993043599c6fB04","type":"smart_contract","addedAt":"2024-03-11T16:20:39.288Z","revision":0,"description":"ProxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"245QnuEWh0OdcwQfbiJFjI","url":"https://etherscan.io/address/0xe5965Ab5962eDc7477C8520243A95517CD252fA9","type":"smart_contract","addedAt":"2024-05-29T17:59:38.385Z","revision":0,"description":"DisputeGameFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2BzZXRDs0deOAa5VEN5gi","url":"https://etherscan.io/address/0xdfe97868233d1aa22e815a266982f2cf17685a27","type":"smart_contract","addedAt":"2024-03-11T16:18:51.663Z","revision":0,"description":"L2OutputOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2S68vHDiFh3kAKC2TN9mIn","url":"https://community.optimism.io/","type":"websites_and_applications","addedAt":"2025-10-03T12:44:22.025Z","revision":0,"description":"Optimism's Community page","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2XBXFqud18DwQhQsXXstNV","url":"https://specs.optimism.io/","type":"websites_and_applications","addedAt":"2025-10-03T12:43:35.379Z","revision":0,"description":"Optimism's 
Specs","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2YA1oGnMRFQ4i3AWWwyfIS","url":"https://etherscan.io/address/0x75505a97BD334E7BD3C476893285569C4136Fa0F","type":"smart_contract","addedAt":"2024-03-11T16:20:24.447Z","revision":0,"description":"OptimismMintableERC20Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2tb8MvF8W3BR2WGxdYxESo","url":"https://etherscan.io/address/0x25ace71c97B33Cc4729CF772ae268934F7ab5fA1","type":"smart_contract","addedAt":"2024-03-11T16:19:31.496Z","revision":0,"description":"L1CrossDomainMessenger","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2xXQkUvJ6ufC4Zp016RHdq","url":"https://etherscan.io/address/0xE9daD167EF4DE8812C1abD013Ac9570C616599A0","type":"smart_contract","addedAt":"2025-10-03T12:36:59.399Z","revision":0,"description":"PermissionedDisputeGame","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"38HbxPFk6v4ZOYG80PjQul","url":"https://blog.oplabs.co/","type":"websites_and_applications","addedAt":"2025-10-03T12:45:01.190Z","revision":0,"description":"Main OP Labs blog","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3JsYbeu9DWvzdTcqqqZTEU","url":"https://www.oplabs.co/","type":"websites_and_applications","addedAt":"2025-10-03T12:44:50.965Z","revision":0,"description":"Main OP Labs 
website","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3R0SAP3XxfljFVqbRtrO64","url":"https://github.com/ethereum-optimism/optimism/tree/develop/op-node","type":"blockchain_dlt","addedAt":"2024-05-29T17:57:46.850Z","revision":0,"description":"op-node","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3SuGvzqmXmt2UMf9uMr1U8","url":"https://etherscan.io/address/0xE497B094d6DbB3D5E4CaAc9a14696D7572588d14","type":"smart_contract","addedAt":"2025-10-03T12:36:10.005Z","revision":0,"description":"DelayedWETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3X2cjYCosE995DtPDb5A33","url":"https://docs.optimism.io/","type":"websites_and_applications","addedAt":"2025-10-03T12:43:23.581Z","revision":0,"description":"Optimism's Docs","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3uO0iz1F8GiSdeLYuqiKYM","url":"https://www.optimism.io/","type":"websites_and_applications","addedAt":"2025-10-03T12:40:23.158Z","revision":0,"description":"Main Optimism website","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3zM5afAp9622DbGqeLjmST","url":"https://etherscan.io/address/0x18DAc71c228D1C32c99489B7323d441E1175e443","type":"smart_contract","addedAt":"2025-10-03T12:36:32.956Z","revision":0,"description":"AnchorStateRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"478GlzY2biYK3uwcIGovY6","url":"http://gateway.optimism.io/","type":"websites_and_applications","addedAt":"2025-10-03T12:42:42.309Z","revision":0,"description":"Optimism's Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Ji74B6NGlEJE1CJeXx28e","url":"https://etherscan.io/address/0xe2F826324b2faf99E513D16D266c3F80aE87832B","type":"smart_contract","addedAt":"2024-05-29T17:59:18.302Z","revision":0,"description":"OptimismPortal 
Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"51pq8YWLp6xOdx6DR4wSYe","url":"https://etherscan.io/address/0x4146DF64D83acB0DcB0c1a4884a16f090165e122","type":"smart_contract","addedAt":"2025-10-03T12:37:22.329Z","revision":0,"description":"FaultDisputeGame","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5W0HRdTsp8R8vqWqCgmYmT","url":"https://console.optimism.io/","type":"websites_and_applications","addedAt":"2025-10-03T12:43:47.023Z","revision":0,"description":"Optimism's Console","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5cuRC97IK57W5XgVblZ40","url":"https://app.optimism.io/","type":"websites_and_applications","addedAt":"2025-10-03T12:42:55.325Z","revision":0,"description":"Optimism's App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6MgWFP7DdOWKcURQP6IsgM","url":"https://etherscan.io/address/0xD326E10B8186e90F4E2adc5c13a2d0C137ee8b34","type":"smart_contract","addedAt":"2025-10-03T12:35:27.051Z","revision":0,"description":"PreimageOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"79b2VsZaisysXDY1EPL9pV","url":"http://jobs.optimism.io/","type":"websites_and_applications","addedAt":"2025-10-03T12:44:40.908Z","revision":0,"description":"Optimism's Careers page","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7DXv5Q2Tok6F6Aff5wmIFf","url":"https://etherscan.io/address/0x229047fed2591dbec1eF1118d64F7aF3dB9EB290","type":"smart_contract","addedAt":"2024-03-11T16:18:33.354Z","revision":0,"description":"SystemConfig","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7qCP6a3MsQrBU4q3Muor67","url":"https://etherscan.io/address/0x5a7749f83b81B301cAb5f48EB8516B986DAef23D","type":"smart_contract","addedAt":"2024-03-11T16:19:49.675Z","revision":0,"description":"L1ERC721Bridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"KPdYyqHmhXsnCmuk8Mbt9","url":"https://op-geth.optimism.io/","type":"websites_and_applications","addedAt":"2025-10-03T12:43:59.472Z","revision":0,"description":"Optimism's 
Geth","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"NOufjO8nOog6dzQuce3sp","url":"https://etherscan.io/address/0x99C9fc46f92E8a1c0deC1b1747d010903E884bE1","type":"smart_contract","addedAt":"2024-03-11T16:20:06.291Z","revision":0,"description":"L1StandardBridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Rm6pfrrVmKygshgsFzyuT","url":"https://etherscan.io/address/0x0f8EdFbDdD3c0256A80AD8C0F2560B1807873C9c","type":"smart_contract","addedAt":"2025-10-03T12:34:58.263Z","revision":0,"description":"MIPS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"z0g4zdwLt79CZvOERVoaz","url":"https://etherscan.io/address/0xdE1FCfB0851916CA5101820A69b13a4E276bd81F","type":"smart_contract","addedAt":"2024-03-11T16:20:53.513Z","revision":0,"description":"AddressManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99181","url":"https://immunefi.com","type":"blockchain_dlt","addedAt":"2026-03-11T16:00:51.834Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99182","url":"https://immunefi.com","type":"smart_contract","addedAt":"2026-03-11T16:00:51.834Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"db_5e9d116b-a0da-4958-9a50-2888ea38c1a5","url":"https://etherscan.io/address/0xD587A11d2755647Da4207E60cEd98200C6C2578f","type":"smart_contract","addedAt":"2026-03-28T09:52:50.113Z","revision":0,"description":"PolicyEngineStaking.sol","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"**Whenever the asset is a smart contract proxy, its implementation is also in scope.**\n\nHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Optimism"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: 
Essential","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["C/C++","Go","Solidity"],"launchDate":"2022-01-14T07:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/75509-lZCayrCTytqHks6hhqjFb-81Kn1Z8SSg5DCSCLlX91oISNPhHMUL.png","maxBounty":2000042,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","blockchain_dlt - high","blockchain_dlt - critical","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L1","L2"],"programOverview":"Optimism is a project dedicated to scaling Ethereum's technology and expanding its ability to coordinate people from across the world to build effective decentralized economies and governance systems.\n\nThe OP Stack is the modular, decentralized software stack that powers Optimism, forms the backbone of blockchains like OP Mainnet and Base, and is maintained by the Optimism Collective.\n\nThe first release of the OP Stack codebase is called Bedrock. The Bedrock release primarily consists of the core software required to run L2 blockchains and was originally designed to power an upgrade to the OP Mainnet network. Bedrock improves on its predecessor by reducing transaction fees using optimized batch compression and Ethereum as a data availability layer; shortening delays of including L1 transactions in rollups by handling L1 re-orgs more gracefully; enabling modular proof systems through code re-use; and improving node performance by removing technical debt.\n\nTo read more about Optimism, please visit [https://www.optimism.io/](https://www.optimism.io/). To learn about the OP Stack, please visit [https://stack.optimism.io/](https://stack.optimism.io/). 
\n\nThis bounty program is focused on preventing:\n\n- Theft of assets held in Optimism's smart contracts;\n- Theft, freezing or other loss of funds due to vulnerabilities in the smart contracts or the critical blockchain client services (op-node and op-geth).\n\n__Primacy of Impact vs Primacy of Rules__\n\nOptimism adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n- Smart Contract  —  Medium\n- Blockchain/DLT  —  Critical\n- Blockchain/DLT  —  High\n- Blockchain/DLT  —  Medium\n- Websites and Applications  —  **Please note that Primacy of Rules applies to Websites and Applications, regardless of the Reward Table indicating otherwise.**\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope.\n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.","programType":["Blockchain/DLT","Smart Contract","Websites and Applications"],"project":"Optimism","projectType":["Defi","NFT"],"rewardsBody":"__Rewards by Threat Level__:\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/) This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nSince Optimism uses a fork of Geth, issues which are responsibly disclosed to upstream cannot be \"replayed\" against Optimism’s bug bounty program if the vulnerability has already been made public. If the vulnerability is disclosed to Optimism at the same time as upstream Geth, the vulnerability is eligible for the bug bounty program.\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\nFor KYC, OptimismPBC will request a W-9 if you reside in the US or a W-8 if you reside outside the US.\n\nCritical vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. 
However, there is a minimum of __USD 75 000__ for Critical bug reports.\n\nFor testing any exploits involving cross-domain transactions, we recommend working with our [dockerized services](https://github.com/ethereum-optimism/optimism/blob/6f8e432506a5f4ba094f091b22a0bb6acc53fdac/ops/README.md) and modifying our [integration tests](https://github.com/ethereum-optimism/optimism/blob/6f8e432506a5f4ba094f091b22a0bb6acc53fdac/integration-tests/test/bridged-tokens.spec.ts)\n\n__Governance Proposals:__\n\nIn addition to the above assets listed, the calldata and code for the latest Protocol Upgrade Proposals (not for Governor Upgrade proposals, or proposal previews) is also in scope. This must be an official governance proposal, meaning it has either (1) moved to onchain vote appearing on vote.optimism.io, or (2) has been posted by someone from OP Labs or the Optimism Foundation, or (3) a comment has been left by someone from OP Labs or the Optimism Foundation indicating it's eligible for the bounty. The latest in-flight governance proposal can be found at https://gov.optimism.io/c/technical-proposals/protocol-upgrade/.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"optimism","tenPercentEconomicRule":true,"updatedDate":"2026-03-28T09:53:30.943Z","impactsBody":"- Bugs in op-challenger that result in \"Incorrectly resolved dispute game, detected by op-dispute-mon\" are NOT in scope for this bounty program because of existing ability to detect and resolve these issues.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Optimism is a blockchain infrastructure provider that enables developers and enterprises to launch scalable, secure and customizable networks and applications. The company serves fintechs, payment providers, institutions and crypto companies creating the next generation of onchain products. 
Optimism's open-source OP Stack delivers Ethereum-grade security, nearly-free transactions, and the flexibility to meet complex business needs at scale.","knownIssues":[{"id":60,"link":"https://docs.google.com/document/d/1injxmWl88FFE0IIaXyfviD4vaoO8xTBsKUakAZ_a3M8/edit?tab=t.0#heading=h.ywrl5obw9xjx","description":"Known issues Smart Contracts (Optimism)","lastUpdatedAt":"2025-06-12T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":59,"link":"https://docs.google.com/document/d/16Fo6ET4pXK4hNxxg6ImpHk6vnie39Nb1dzUPO_eBYXw/edit?tab=t.0","description":"Known issues Blockchain / DLT (Optimism)","lastUpdatedAt":"2025-06-12T00:00:00.000Z","relatedImpactInScope":"blockchain_dlt"}],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- explorer.optimism.io\n- testnet-explorer.optimism.io\n- vote.optimism.io\n- retrofunding.optimism.io\n- atlas.optimism.io\n- public-grafana.optimism.io\n- discord.optimism.io\n- kyc.optimism.io\n- kyb.optimism.io\n- raas.optimism.io\n- contribute.optimism.io\n- superfest.optimism.io\n- welovetheart.optimism.io\n- Additionally, any other asset belonging to Optimism but not under Optimism’s control will also be out of scope.\n\nProgram’s custom out-of-scope information:\n\n- Vulnerabilities in the implementation of ‘custom token bridges’ which are written by third parties for bridging tokens to their network\n- Vulnerabilities requiring the user to have publicly exposed an API, such as JSON-RPC or the Beacon API, are out of scope of the bug bounty program.\n- Since Optimism uses a fork of Geth, issues which are responsibly disclosed to upstream cannot be \"replayed\" against Optimism’s bug bounty program if the vulnerability has already been made public. 
If the vulnerability is disclosed to Optimism at the same time as upstream Geth, the vulnerability is eligible for the bug bounty program.\n\nThe following known issues are considered to be out of scope of this bug bounty program:\n\n - All currently known issues with devp2p here: [https://github.com/ethereum/devp2p/blob/master/rlpx.md#known-issues-in-the-current-version](https://github.com/ethereum/devp2p/blob/master/rlpx.md#known-issues-in-the-current-version)\n\n__Blockchain / DLT__:\n- When running in non-archive mode, op-geth has difficulty executing deep reorgs. We are working on a fix.\n\n__Smart Contracts__:\n- Proof of whale based attacks on Fault Proofs.\n- There appears to be an obvious bug which would allow an attacker to withdraw a fake ERC20 token from L2 in exchange for a real ERC20 (such as WBTC) token on L1. There is no check in the L2StandardBridge, however the withdrawal is prevented from finalizing by a check in the L1StandardBridge. Naturally if you do find a way to circumvent our protections, then we would reward you.\n- A bug in ResolvedDelegateProxy.sol which could result in a storage slot key collision overwriting the address of the implementation. This bug is dependent on the layout of the implementation contract, and Optimism is not affected.\n- There is an edge case in which ETH deposited to the OptimismPortal by a contract can be irrecoverably stranded:\n  - When a deposit transaction fails to execute, the sender’s account balance is still credited with the mint value. However, if the deposit’s L1 sender is a contract, the tx.origin on L2 will be aliased, and this aliased address will receive the minted on L2. In general the contract on L1 will not be able to recover these funds. 
We have documented this risk and encourage users to take advantage of our CrossDomainMessenger contracts which provide additional safety measures.\n- Sending cross-chain messages with very large amounts of data, or very specific amounts of gas can open up griefing attacks causing the sender’s funds to be stuck and requiring an upgrade to release them.\n- Deposit transactions can be griefed at a cost to the attacker, by filling up the MAX_RESOURCE_LIMIT. This issue is mitigated by PR 5064, which does not completely resolve the issue but does increase the cost of a sustained griefing attack. A more complete fix will require architectural changes.\n- There are various ‘foot guns’ in the bridge which may arise from misconfiguration of a token. To minimize complexity our bridge design does not try to prevent all forms of developer and user error. Examples of such foot guns include:\n  - Having both (or neither of) the local and remote tokens be OptimismMintable.\n  - Tokens which dynamically alter the amount of a token held by an account, such as fee-on-transfer and rebasing tokens.\n\n\n__The following domains are operated by Agora and are not in scope of this bug bounty program__:\n\n*Security researchers who discover vulnerabilities on these domains are encouraged to report them directly to Agora at security@voteagora.com. 
However, if a vulnerability on these domains leads to a direct financial impact on the OP Stack or the Optimism protocol itself, the impact remains in scope under the Primacy of Impact and should be submitted through this bug bounty program.*\n- vote.optimism.io\n- atlas.optimism.io","customProhibitedActivities":[],"impacts":[{"id":5849,"type":"smart_contract","severity":"medium","title":"Incorrectly resolved dispute game, detected by op-dispute-mon, excluding bugs in op-challenger"},{"id":5850,"type":"smart_contract","severity":"critical","title":"Protocol insolvency, not including proposer/challenger bonds or fee vaults"},{"id":5851,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds, not including proposer/challenger bonds or fee vaults (e.g. recoverable via an upgrade)"},{"id":5852,"type":"smart_contract","severity":"critical","title":"Loss of user funds by direct theft, not including proposer/challenger bonds or fee vaults"},{"id":5853,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds, not including proposer/challenger bonds or fee vaults"},{"id":5854,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds, not including proposer/challenger bonds or fee vaults"},{"id":5855,"type":"smart_contract","severity":"medium","title":"Incorrectly initiated dispute game bond withdrawal other than by incorrectly resolved dispute game, mitigated by a delay"},{"id":5856,"type":"smart_contract","severity":"high","title":"Incorrectly proven withdrawal other than by incorrectly resolved dispute game, mitigated by a delay"},{"id":5859,"type":"smart_contract","severity":"high","title":"Incorrectly resolved dispute game, not detected by op-dispute-mon, allows proving invalid withdrawal"},{"id":5860,"type":"smart_contract","severity":"medium","title":"Incorrectly resolved dispute game, not detected by op-dispute-mon, does not allow proving invalid 
withdrawal"},{"id":5861,"type":"smart_contract","severity":"medium","title":"Incorrectly resolved dispute game, detected by op-dispute-mon"},{"id":1659,"type":"blockchain_dlt","severity":"high","title":"Network not being able to confirm new transactions (Total network shutdown)"},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":5910,"type":"smart_contract","severity":"medium","title":"Direct theft or permanent loss of fee vault funds (excluding missed revenue, unrealized yield, or failure to collect fees from pending transactions)"},{"id":5911,"type":"blockchain_dlt","severity":"medium","title":"Direct theft or permanent loss of fee vault funds (excluding missed revenue, unrealized yield, or failure to collect fees from pending transactions)"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct 
theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":1661,"type":"blockchain_dlt","severity":"high","title":"Freezing of funds (fix requires L2 hardfork)"},{"id":5731,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website"}],"rewards":[{"id":42754,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":2000042,"rewardModel":"up_to","rewardCalculationPercentage":0},{"id":42755,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":50000,"rewardModel":"fixed"},{"id":42756,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","fixedReward":15000,"rewardModel":"fixed"},{"id":42757,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":2000042,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":42758,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":50000,"rewardModel":"fixed"},{"id":42759,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":15000,"rewardModel":"fixed"},{"id":42760,"primacy":"primacy_of_rules","severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":5000,"rewardModel":"range"},{"id":42761,"primacy":"primacy_of_rules","severity":"high","assetType":"websites_and_applications","fixedReward":5000
,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"db_5ce349e5-9313-4776-9b9a-35a32054657b","url":"https://katanascan.com/address/0x7f1f4b4b29f5058fa32cc7a97141b8d7e5abdc2d","type":"smart_contract","addedAt":"2026-02-11T09:06:08.748Z","revision":0,"description":"KAT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_157c6a86-4590-46b0-8dff-b2e1e5529b4d","url":"https://katanascan.com/address/0xEE7D8BCFb72bC1880D0Cf19822eB0A2e6577aB62","type":"smart_contract","addedAt":"2026-02-11T09:06:23.440Z","revision":0,"description":"WETH (aka vbETH)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_16151d33-2ced-4a6d-bbb6-015395e5b04e","url":"https://katanascan.com/address/0x0913DA6Da4b42f538B445599b46Bb4622342Cf52","type":"smart_contract","addedAt":"2026-02-11T09:06:38.318Z","revision":0,"description":"WBTC (aka vbWBTC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_612a2640-8632-41df-a1ce-3439211bbed3","url":"https://katanascan.com/address/0x203A662b0BD271A6ed5a60EdFbd04bFce608FD36","type":"smart_contract","addedAt":"2026-02-11T09:06:54.660Z","revision":0,"description":"USDC (aka vbUSDC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_b939507d-582c-4887-b56c-b1d16a86c95d","url":"https://katanascan.com/address/0x2DCa96907fde857dd3D816880A0df407eeB2D2F2","type":"smart_contract","addedAt":"2026-02-11T09:07:11.610Z","revision":0,"description":"USDT (aka vbUSDT)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_cd10b2e1-ac3c-47ac-95c0-fead8c7c143e","url":"https://katanascan.com/address/0x62D6A123E8D19d06d68cf0d2294F9A3A0362c6b3","type":"smart_contract","addedAt":"2026-02-11T09:07:31.739Z","revision":0,"description":"USDS (aka 
vbUSDS)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_e5ed9cdd-e447-440c-89e3-880c43f36945","url":"https://katanascan.com/address/0xE007CA01894c863d7898045ed5A3B4Abf0b18f37","type":"smart_contract","addedAt":"2026-02-11T09:07:47.877Z","revision":0,"description":"yvvbETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_60aea89f-7046-4328-9b57-c9be93c22d99","url":"https://katanascan.com/address/0x80c34BD3A3569E126e7055831036aa7b212cB159","type":"smart_contract","addedAt":"2026-02-11T09:08:04.878Z","revision":0,"description":"yvvbUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_8e612b95-afef-4877-853d-66ac4eea990e","url":"https://katanascan.com/address/0x9A6bd7B6Fd5C4F87eb66356441502fc7dCdd185B","type":"smart_contract","addedAt":"2026-02-11T09:08:19.922Z","revision":0,"description":"yvvbUSDT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_0cbf8d9e-0cc3-40d3-84f9-01857b756567","url":"https://katanascan.com/address/0xAa0362eCC584B985056E47812931270b99C91f9d","type":"smart_contract","addedAt":"2026-02-11T09:08:45.599Z","revision":0,"description":"yvvbWBTC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_7ee7806a-153d-4eaf-a0cd-8f5f38c55d01","url":"https://katanascan.com/address/0x93Fec6639717b6215A48E5a72a162C50DCC40d68","type":"smart_contract","addedAt":"2026-02-11T09:08:59.198Z","revision":0,"description":"yvvbAUSD","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_192149a9-2333-4ad3-9b1b-47719512d6ea","url":"https://katanascan.com/address/0xa6b0db1293144ebe9478b6a84f75dd651e45914a","type":"smart_contract","addedAt":"2026-02-11T09:09:40.058Z","revision":0,"description":"NativeConverter vbETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_e14b77c4-1240-497f-be0e-a9e20dd0cec4","url":"https://katanascan.com/address/0x97a3500083348A147F419b8a65717909762c389f","type":"smart_contract","addedAt":"2026-02-11T09:09:54.805Z","revision":0,"description":"NativeConverter 
vbUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_9085002d-38fa-49b8-9b08-06e805f466a7","url":"https://katanascan.com/address/0x053FA9b934b83E1E0ffc7e98a41aAdc3640bB462","type":"smart_contract","addedAt":"2026-02-11T09:10:09.129Z","revision":0,"description":"NativeConverter vbUSDT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_c43a287c-8a77-4418-b9be-9669f06b453c","url":"https://katanascan.com/address/0xb00aa68b87256E2F22058fB2Ba3246EEc54A44fc","type":"smart_contract","addedAt":"2026-02-11T09:10:22.102Z","revision":0,"description":"NativeConverter vbWBTC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_a52bc139-a9fd-4633-9708-c5bcfb7d1557","url":"https://katanascan.com/address/0x639f13D5f30B47c792b6851238c05D0b623C77DE","type":"smart_contract","addedAt":"2026-02-11T09:10:40.696Z","revision":0,"description":"NativeConverter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_e257abdb-7f50-4b2e-83d1-c016f775a0e9","url":"https://immunefi.com/bug-bounty/katana/information/","type":"smart_contract","addedAt":"2026-02-11T17:00:18.715Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99380","url":"https://katana.network/","type":"smart_contract","addedAt":"2026-03-27T10:52:01.973Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2026-02-11T14:57:23.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/program-logos/phuongn%40immunefi.com-IIZaco2x4WFmJ9SSnn33a-UJclQl91ZY5ZpTKCtaGRU7vOEw1kn9.png","maxBounty":80000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Katana is a chain designed specifically for DeFi. It rethinks DeFi to offer what users care about most: deeper liquidity and higher yields, all in a sustainable way. This happens through mechanisms to ensure that all liquidity on Katana is absorbed in only one lending protocol (Morpho), one spot DEX (Sushi), which are the core applications on Katana with hundreds of applications building on top of them. This is achieved with a unique approach to maximizing yield that can be used as incentives on the core applications, including from Vault Bridge, sequencer fees, and Agora USD revenue.\n\nKatana has deeply embedded, user-focused interoperability, using Agglayer for all users to onboard seamlessly. Katana uses ZK proofs to validate state transitions, allowing users to exit the chain without long wait periods.\n\nFor more information about Katana, please visit [https://katana.network/](https://katana.network/)\n\nKatana provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Responsible Publication__\n\nKatana adheres to **Category 3: Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. 
For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nKatana adheres to the Primacy of Impact for the following impacts:\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n- Smart Contract  —  Medium\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nKatana’s completed audit reports can be found here:\n\n- [https://github.com/katana-network/kat-token/tree/main/audit](https://github.com/katana-network/kat-token/tree/main/audit)\n- [https://github.com/agglayer/vault-bridge/tree/v1.0.0/audit](https://github.com/agglayer/vault-bridge/tree/v1.0.0/audit)\n- [https://github.com/yearn/yearn-vaults-v3/tree/master/audits](https://github.com/yearn/yearn-vaults-v3/tree/master/audits)\n- [https://github.com/agglayer/lxly-bridge-and-call/tree/main/audit](https://github.com/agglayer/lxly-bridge-and-call/tree/main/audit)\n- [https://github.com/agglayer/ulxly-contracts/tree/develop/audits](https://github.com/agglayer/ulxly-contracts/tree/develop/audits)\n\nAny unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract"],"project":"Katana","projectType":[],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of **USD 80 000**. 
The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of **USD 20 000** is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. \n- The amount of funds at risk will be calculated with the impact of the first attack being at **100%** and then a reduction of **25%** from the amount of the first attack for every **[300 blocks]** the attack needs for subsequent attacks from the first attack, rounded down. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of **USD 3 000 to USD 15 000** with the reward calculated based on **100%** of the funds at risk, though capped at the maximum high reward\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. \n\n__Reward Payment Terms__\n\nPayouts are handled by the Katana team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"katana","tenPercentEconomicRule":false,"updatedDate":"2026-03-27T10:52:02.210Z","impactsBody":null,"websiteUrl":"https://katana.network/","githubUrl":"https://github.com/katana-network","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Katana is a chain designed specifically for DeFi. It rethinks DeFi to offer what users care about most: deeper liquidity and higher yields, all in a sustainable way. This happens through mechanisms to ensure that all liquidity on Katana is absorbed in only one lending protocol (Morpho), one spot DEX (Sushi), which are the core applications on Katana with hundreds of applications building on top of them. This is achieved with a unique approach to maximizing yield that can be used as incentives on the core applications, including from Vault Bridge, sequencer fees, and Agora USD revenue.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Any vulnerability originating in the AggLayer bridge contracts is out of scope unless it results in direct, irreversible loss of funds from the Vault Bridge contracts.","customProhibitedActivities":[],"impacts":[{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":5894,"type":"smart_contract","severity":"low","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":5895,"type":"smart_contract","severity":"low","title":"Theft of gas"},{"id":5896,"type":"smart_contract","severity":"low","title":"Unbounded gas consumption"}],"rewards":[{"id":43714,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":80000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43715,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":15000,"minReward":3000,"rewardModel":"range"},{"id":43716,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":43717,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"db_19beb347-e609-4468-92fe-042a97729bea","url":"https://github.com/katana-network/kat-token/tree/main/audit","auditor":"Audit","date":"2026-02-11T00:00:00.000Z"},{"id":"db_d7531560-5c09-4fc9-8624-3400c462c971","url":"https://github.com/agglayer/vault-bridge/tree/v1.0.0/audit","auditor":"Audit","date":"2026-02-11T00:00:00.000Z"},{"id":"db_58a93c34-618d-4617-af68-8cf22d8e70c9","url":"https://github.com/yearn/yearn-vaults-v3/tree/master/audits","auditor":"Audit","date":"2026-02-11T00:00:00.000Z"},{"id":"db_2581d05d-ff2b-4f83-bb92-b804945c08cf","url":"https://github.com/agglayer/lxly-bridge-and-call/tree/main/audit","auditor":"Audit","date":"2026-02-11T00:00:00.000Z"},{"id":"db_425b3aa3-ee36-4661-95ae-3a0235c2fba7","url":"https://github.com/agglayer/ulxly-contracts/tree/develop/audits","auditor":"Audit","date":"2026-02-11T00:00:00.000Z"}]},{"assets":[{"id":"40Hi0IrxIZVK2InNJxWMY0","url":"https://docs.lido.fi/deployed-contracts","type":"smart_contr
act","addedAt":"2022-02-11T10:39:06.472Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5riYRwlznbFEw62j0l7bdr","url":"https://github.com/lidofinance/core","type":"smart_contract","addedAt":"2022-02-11T10:40:33.518Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6RpZVfsfN95MrrxAHXTWVW","url":"https://github.com/lidofinance/aave-delivery-infrastructure","type":"smart_contract","addedAt":"2025-06-02T02:43:15.941Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5tKd5yjKIl3V7yAlDUqnab","url":"https://github.com/lidofinance/governance-crosschain-bridges","type":"smart_contract","addedAt":"2025-06-02T02:43:44.952Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2tVegIs4LvQTmwi9pIj0Rn","url":"https://github.com/lidofinance/lido-l2","type":"smart_contract","addedAt":"2025-06-02T02:44:02.836Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6XL9w3y6fvBTObC2qjkBvo","url":"https://github.com/lidofinance/lido-l2-with-steth","type":"smart_contract","addedAt":"2025-06-02T02:44:24.095Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1EQaTC2lDDMnsZITI5VeD9","url":"https://github.com/lidofinance/mev-boost-relay-allowed-list","type":"smart_contract","addedAt":"2025-06-02T02:44:52.694Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3PlIcUtXp5nzRtjidntz8Q","url":"https://github.com/lidofinance/gate-seals","type":"smart_contract","addedAt":"2025-06-02T02:45:18.248Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1vZi4ROO7PfFa7lzQB0NSN","url":"https://github.com/lidofinance/onchain-mon","type":"websites_and_applications","addedAt":"2025-06-02T02:45:41.303Z","revision":0,"description":"Auxiliary 
Services","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"B8CFxZDtm4ZLerxMoZf75","url":"https://github.com/lidofinance/community-staking-module","type":"smart_contract","addedAt":"2025-06-02T02:46:42.103Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7HlVrl8VDddyEPDm7eSttM","url":"https://github.com/lidofinance/easy-track","type":"smart_contract","addedAt":"2025-06-02T02:47:00.802Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4IGGFif9ieIdgBLJ1rFhnS","url":"https://github.com/lidofinance/stonks","type":"smart_contract","addedAt":"2025-06-02T02:47:19.239Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3QoaTfEUYyWsziqdame04g","url":"https://github.com/lidofinance/lido-vesting-escrow","type":"smart_contract","addedAt":"2025-06-02T02:47:35.462Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4jR1WBC4gZDUwKJtT5vAKh","url":"https://github.com/lidofinance/dual-governance","type":"smart_contract","addedAt":"2025-06-02T02:47:46.709Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4tdVsd2yYvBsNAtpOPGgEB","url":"https://github.com/lidofinance/aragon-apps","type":"smart_contract","addedAt":"2025-06-02T02:48:02.372Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7I6qZcicxedkZjX70ll2hU","url":"https://github.com/lidofinance/lido-council-daemon","type":"smart_contract","addedAt":"2025-06-02T02:48:20.136Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"66rt1meZwJegWJVTt8gYwN","url":"https://github.com/lidofinance/lido-oracle","type":"smart_contract","addedAt":"2025-06-02T02:48:31.571Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Zo8F43Lwbo5iozWU4i0yo","url":"https://github.com/lidofinance/lido-keys-api","type":"smart_contract","addedAt":"2025-06-02T02:48:44.113Z","re
vision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ilyLSPnOPc067Z4UQBafP","url":"https://github.com/lidofinance/validator-ejector","type":"smart_contract","addedAt":"2025-06-02T02:48:59.505Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5kPJSzsG9nAttPIACvDLSr","url":"https://github.com/lidofinance/oz-merkle-tree","type":"smart_contract","addedAt":"2025-06-02T02:49:14.259Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5GctTWTDtNUziGCaErNeGe","url":"https://stake.lido.fi","type":"websites_and_applications","addedAt":"2025-06-02T03:02:45.645Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"434ZSklAwgzqhT5d0XrwhK","url":"https://csm.lido.fi","type":"websites_and_applications","addedAt":"2025-06-02T03:03:04.938Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1V699wmUojfrZpEkzNtFrX","url":"https://lido.fi","type":"websites_and_applications","addedAt":"2025-06-02T03:03:22.107Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"G0OiPdu0SnutGvvz6EUYu","url":"https://operators.lido.fi","type":"websites_and_applications","addedAt":"2025-06-02T03:04:19.134Z","revision":0,"description":"Auxiliary Services","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2IZhw6cT7cBzHH3HIx5pkq","url":"https://blog.lido.fi","type":"websites_and_applications","addedAt":"2025-06-02T03:04:30.135Z","revision":0,"description":"Auxiliary Services","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6L0AyGx6Mp27IMqbI4QfQG","url":"https://docs.lido.fi","type":"websites_and_applications","addedAt":"2025-06-02T03:04:44.295Z","revision":0,"description":"Auxiliary 
Services","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"LKrmd8dOyDQVLPp9Cktwv","url":"https://trp.lido.fi","type":"websites_and_applications","addedAt":"2025-06-02T03:04:54.752Z","revision":0,"description":"Auxiliary Services","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_bc0e3580-4b30-4aeb-a42c-5c1dedc782da","url":"http://dao.lido.fi/","type":"websites_and_applications","addedAt":"2026-03-26T09:28:49.939Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_cd913a4c-be18-40b4-9264-07bbd5eb5238","url":"http://stvaults.lido.fi/","type":"websites_and_applications","addedAt":"2026-03-26T09:28:57.421Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Smart Contracts labeled or categorized as testnet are not in scope of this bug bounty program. \n\nReports regarding domains not listed under the scope section are paid at contributors discretion.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Subscription Plan: Elite"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity","Vyper"],"launchDate":"2021-05-22T05:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/62hsATkPdR14taAS7FTlXW/2b3efcb09394982db6e67d0b028a271c/G2czctJJ_400x400.png","maxBounty":2000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["DAO","Liquid Staking","Staking"],"programOverview":"Lido is a liquid staking solution for Ethereum, backed by industry-leading staking providers and community stakers. 
It allows users to stake their ETH without locking up assets or maintaining infrastructure, while still participating in on-chain activities.\n\nLido aims to solve the key challenges of early Ethereum staking — illiquidity, immovability, and limited accessibility — by making staked ETH liquid and enabling participation with any amount. This helps strengthen the security of the Ethereum network.\n\nFor more information about Lido, please visit [Lido.fi](https://lido.fi/). \n\nThe bug bounty program covers its smart contracts and applications, focusing on preventing loss of user funds, some types of denial of service attacks, governance hijacks, data breaches, and data leaks.\n\n**Relationship with Lido's Safe Harbor Program**\n\nBug Bounty is distinct from [Lido's Safe Harbor Program](https://docs.lido.fi/security/safeharbor):\n\n- Bug bounty: for responsible disclosure of vulnerabilities before an active exploit, following Immunefi rules.\n- Safe Harbor: for live, active exploits where immediate intervention is needed and normal disclosure is too slow.\n\nSafe Harbor and the Bug Bounty program are mutually exclusive from a rewards perspective. A Whitehat rewarded via the Bug Bounty program cannot receive a reward for the same exploit under Safe Harbor, even if Safe Harbor's legal protections apply.","programType":["Smart Contract","Websites and Applications"],"project":"Lido","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3). This is a simplified 4-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll web and app bugs must come with a PoC in order to be accepted. 
All web and app bug reports without a PoC will be rejected with a request for a PoC.\n\n### Smart Contracts Rewards Breakdown\n\n**Critical**\n\n- **Loss of user funds:**\n    - When a minimum of 2,000,000 USD of assets is at risk\n    - Reward: **Minimum 100,000 USD**, **Maximum 2,000,000 USD**\n- **Loss of non-user funds (e.g., treasury):**\n    - When a minimum of 1,000,000 USD of assets is at risk\n    - Reward: **Minimum 50,000 USD**, **Maximum 1,000,000 USD**\n\n **High**\n\n- When a minimum of 250,000 USD of assets is at risk\n- Reward: **Minimum 10,000 USD**, **Maximum 250,000 USD**\n\n**Medium**\n\n- When a minimum of 50,000 USD of assets is at risk\n- Reward: **Minimum 1,000 USD**, **Maximum 50,000 USD**\n\n**Low**\n\n- Reward: **1,000 USD**\n\n---\n\n### Web/App Rewards Breakdown\n\n#### Critical\n\n* Reward: **Minimum 50,000 USD**, **Maximum 100,000 USD**\n\n#### High\n\n* Reward: **Minimum 5,000 USD**, **Maximum 50,000 USD**\n\n#### Medium\n\n* Reward: **Minimum 1,000 USD**, **Maximum 5,000 USD**\n\n#### Low\n\n* Reward: **500 USD**\n\n---\n\n- (Smart contracts Out Of Scope) Rewards on partner contracts are paid at contributors discretion.\n- Reports regarding domains not listed under the scope section are paid at contributors discretion.\n\nPayouts are handled by the __Lido__ contributors directly and are denominated in __USD__. Payouts can be done in __USDC__, __USDS__, __DAI__, or __USDT__, at the decision of the bug bounty hunter.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC/USDS/DAI/USDT","slug":"lido","tenPercentEconomicRule":false,"updatedDate":"2026-03-26T12:35:47.838Z","impactsBody":"If the smart contract where the vulnerability exists can be paused, only the initial attack window of 1-hour will be considered for a reward. 
This is because the project can mitigate the risk of further exploitation by pausing the component where the vulnerability exists.\n\nIf the smart contract where the vulnerability exists can only be upgraded, only the initial attack window of 5-days for Critical issues and 9 days for other issues will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading the component where the vulnerability exists.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Lido is a liquid staking solution for Ethereum, backed by industry-leading staking providers and community stakers. It allows users to stake their ETH without locking up assets or maintaining infrastructure, while still participating in on-chain activities.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":"- Best practice critiques.\n- Only accept reports targeting deployed contracts, not latest contracts 
in repos.\n- Only accept reports associated with releases, not develop or feature branches.\n- All impact of an attack on Oracles or KAPI must be described in terms of impact on protocol itself and classified accordingly.\n- All impact of an attack on re-entrancy must be described in terms of impact on protocol itself and classified accordingly.\n- Rewards on partner contracts are paid at contributors discretion.\n- For Auxiliary services only accept vulnerabilities leading to application takeover as \"Execute arbitrary system commands\"\n- Reports regarding domains not listed under the scope section are paid at contributors discretion.\n- Smart Contracts labeled or categorized as testnet are not in scope of this bug bounty program.","customProhibitedActivities":["Public disclosure of an unpatched vulnerability in an embargoed bounty","Automated testing of services that generates significant amounts of traffic","Any denial of service attacks that are executed against project assets","Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)","Attempting phishing or other social engineering attacks against our contributors and/or stakers","Any testing with pricing oracles or third-party smart contracts","Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet","Any other actions prohibited by the Immunefi Rules - https://immunefi.com/rules/"],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":459,"type":"smart_contract","severity":"high","title":"Theft of tokenized staking yield"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to 
malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, etc."},{"id":460,"type":"smart_contract","severity":"high","title":"Permanent freezing of tokenized staking yield"},{"id":461,"type":"smart_contract","severity":"high","title":"Acquiring owner/admin rights or roles without contract’s owner/admin action"},{"id":462,"type":"smart_contract","severity":"high","title":"Missing access controls / unprotected internal interfaces"},{"id":463,"type":"smart_contract","severity":"high","title":"Economic/financial attacks"},{"id":469,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":470,"type":"smart_contract","severity":"medium","title":"Susceptibility to frontrunning"},{"id":473,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":5577,"type":"smart_contract","severity":"high","title":"Reversible freezing of funds"},{"id":5578,"type":"smart_contract","severity":"high","title":"Off-chain apps sensitive data extraction (e.g. 
Oracle private keys)"},{"id":5579,"type":"smart_contract","severity":"high","title":"Theft or loss of funds from a treasury"},{"id":5580,"type":"websites_and_applications","severity":"high","title":"Retrieve sensitive data/files from a running server, such as:  /etc/shadow database passwords blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":5581,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript injection such as HTML injection, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":5582,"type":"websites_and_applications","severity":"medium","title":"Improperly disclosing confidential user information such as email address, phone number, IP address, etc."},{"id":5583,"type":"websites_and_applications","severity":"low","title":"Taking down the application/website"},{"id":5584,"type":"websites_and_applications","severity":"low","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or 
en/disabling"}],"rewards":[{"id":43684,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":2000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43685,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":250000,"minReward":10000,"rewardModel":"range"},{"id":43686,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":50000,"minReward":1000,"rewardModel":"range"},{"id":43687,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":43688,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":100000,"minReward":50000,"rewardModel":"range"},{"id":43689,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":50000,"minReward":5000,"rewardModel":"range"},{"id":43690,"primacy":null,"severity":"medium","assetType":"websites_and_applications","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":43691,"primacy":null,"severity":"low","assetType":"websites_and_applications","fixedReward":500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"5W6asDHP81W97jTABhCqZa","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/alloc.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:41:52.333Z","revision":0,"description":"Cairo - alloc.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6jyUeP7jMRypBfZxshbzbH","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/bitwise.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:42:11.507Z","revision":0,"description":"Cairo - bitwise.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2JAF8mfQzxhxbL0wZo9JRx","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/bool.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:42:26.627Z","revision":0,"description":"Cairo - 
bool.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6kBOy4bbRYFNImH0toyxh3","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/cairo_builtins.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:42:43.155Z","revision":0,"description":"Cairo - cairo_builtins.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ggzfXDTcaLTKjo5nP9Tvf","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/default_dict.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:42:58.211Z","revision":0,"description":"Cairo - default_dict.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1VoHJwx1Rm0KBZL1DyxGTA","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/dict.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:43:14.991Z","revision":0,"description":"Cairo - dict.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"44ZKSDoH4mIOT0idQ8VwrM","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/dict_access.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:43:29.701Z","revision":0,"description":"Cairo - dict_access.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5RADhAsnNh2PNzU5T6MZUM","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/ec.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:43:42.884Z","revision":0,"description":"Cairo - ec.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4iQiCSm8aNM5DKGAjQWXtj","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/ec_point.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:43:56.972Z","revision":0,"description":"Cairo - 
ec_point.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7xuymkfriRK7eVomcIwTtT","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/find_element.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:44:19.291Z","revision":0,"description":"Cairo - find_element.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"180xmR3CnLErOLhofCVpk2","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/hash.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:44:33.210Z","revision":0,"description":"Cairo - hash.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3FIgF88TNIHUP8OY1zo3wZ","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/hash_chain.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:44:51.003Z","revision":0,"description":"Cairo - hash_chain.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"34zTATvfZawakNMwKAuBba","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/hash_state.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:45:06.873Z","revision":0,"description":"Cairo - hash_state.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4D1YMn54EoEtfqeRPBwibI","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/invoke.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:45:22.466Z","revision":0,"description":"Cairo - invoke.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4GUhfDdvhEWHmnEtYU6QPu","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/keccak.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:45:41.994Z","revision":0,"description":"Cairo - 
keccak.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6edVY7DWpz8gjAlQgVfczV","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/math.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:45:57.246Z","revision":0,"description":"Cairo - math.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"JeIHtRQIyTvj1lrQnHwvb","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/math_cmp.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:46:13.662Z","revision":0,"description":"Cairo - math_cmp.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6w6lQ2Fles0eFF7WpwJznI","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/memcpy.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:46:32.725Z","revision":0,"description":"Cairo - memcpy.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"01c5VYCr10xsd0WiVCuiHv","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/memset.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:46:50.136Z","revision":0,"description":"Cairo - memset.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"63GFIYQcA5Uea8BrlMdHEd","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/merkle_multi_update.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:47:05.217Z","revision":0,"description":"Cairo - merkle_multi_update.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"65P6VEkOIOoiFcoQNWa77R","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/merkle_update.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:47:21.595Z","revision":0,"description":"Cairo - 
merkle_update.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5QPFr4tbUlVLwS5LJ0yLdq","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/patricia.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:47:43.037Z","revision":0,"description":"Cairo - patricia.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1e97hRJ8e07FF8zDqxaIfi","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/pow.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:48:07.293Z","revision":0,"description":"Cairo - pow.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7n73cnpfTZBmIotIS97m5L","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/registers.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:48:23.303Z","revision":0,"description":"Cairo - registers.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"24riGMq1rvVANbk5EAl9Z","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/segments.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:48:39.146Z","revision":0,"description":"Cairo - segments.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"zNqv5WNvcwfovGIEu0k8i","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/serialize.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:48:57.719Z","revision":0,"description":"Cairo - serialize.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7Kyd2pfFNZJYL9ihcdzmEV","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/set.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:49:13.317Z","revision":0,"description":"Cairo - 
set.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"62T9OlvnSD74O4VETBoRl1","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/signature.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:49:29.708Z","revision":0,"description":"Cairo - signature.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6CRHzgVp7TeO5FTksVnmxx","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/small_merkle_tree.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:49:46.464Z","revision":0,"description":"Cairo - small_merkle_tree.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4r0yBtRHgviPrtsAxj8JM1","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/squash_dict.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:52:47.693Z","revision":0,"description":"Cairo - squash_dict.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2k3NuaFNJ01lZlWP4zxDM","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/uint256.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:53:02.217Z","revision":0,"description":"Cairo - uint256.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4WDQJ5uYVef2as0MITqJIj","url":"https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/cairo/common/usort.cairo","type":"blockchain_dlt","addedAt":"2022-10-12T16:53:16.449Z","revision":0,"description":"Cairo - usort.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2a7C0pwaSiNq9wkhyglRVS","url":"https://starkgate.starknet.io/","type":"websites_and_applications","addedAt":"2024-09-25T14:11:44.313Z","revision":0,"description":"StarkGate main 
site","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99226","url":"https://github.com/starkware-libs/sequencer/tree/main-v0.14.2/crates/apollo_starknet_os_program/src/cairo/starkware/starknet/core/os","type":"blockchain_dlt","addedAt":"2026-03-16T12:32:56.457Z","revision":0,"description":"Starknet OS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99227","url":"https://github.com/starkware-libs/cairo-lang/tree/master/src/starkware/starknet/solidity","type":"blockchain_dlt","addedAt":"2026-03-16T12:32:56.457Z","revision":0,"description":"StarkNet L1 Core Contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99228","url":"https://github.com/starkware-libs/cairo-lang/tree/master/src/starkware/solidity/libraries","type":"blockchain_dlt","addedAt":"2026-03-16T12:32:56.457Z","revision":0,"description":"StarkNet L1 Core Contracts Libraries","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99229","url":"https://github.com/starkware-libs/cairo-lang/tree/master/src/starkware/solidity/interfaces","type":"blockchain_dlt","addedAt":"2026-03-16T12:32:56.457Z","revision":0,"description":"StarkNet L1 Core Contracts Interfaces","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99230","url":"https://github.com/starkware-libs/cairo-lang/tree/master/src/starkware/solidity/components","type":"blockchain_dlt","addedAt":"2026-03-16T12:32:56.457Z","revision":0,"description":"Starknet L1 Core Contract components","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99231","url":"https://github.com/starknet-io/starkgate-contracts/tree/cairo-1/src/solidity","type":"smart_contract","addedAt":"2026-03-16T12:32:56.457Z","revision":0,"description":"StarkGate Solidity Contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99232","url":"https://github.com/starknet-io/starkgate-contracts/tree/cairo-1/src/cairo","type":"smart_contract","addedAt":"2026-03-16T12:32:56.457Z","revision":0,"description":"StarkGate Cairo 
Contracts","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"All code of StarkNet can be found at [https://github.com/starkware-libs](https://github.com/starkware-libs), while all StarkGate code can be found at [https://github.com/starknet-io/starkgate-contracts](https://github.com/starknet-io/starkgate-contracts). However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by StarkWare that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Cairo","Solidity"],"launchDate":"2022-10-19T06:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4ZifqdIHOxX3ckxGAMiQc6/4158480f9932b5fe099a1236902cd588/starknet.png","maxBounty":350000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","blockchain_dlt - critical","blockchain_dlt - high","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L2"],"programOverview":"StarkNet is a validity rollup based on zk-STARK proofs. It operates as an L2 network over Ethereum, enabling any dApp to achieve scale for its computation – without compromising Ethereum's composability and security.\n\nStarkNet is currently still in “alpha” stage. 
For more information about StarkNet, please visit [https://starknet.io/](https://starknet.io/) and [https://docs.starknet.io/](https://docs.starknet.io/).","programType":["Blockchain/DLT","Smart Contract","Websites and Applications"],"project":"Starknet","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll smart contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nRewards for critical Blockchain/DLT vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 40 000__ and a maximum reward of __USD 350 000__.\n\nRewards for critical Smart Contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 50 000__ and a maximum reward of __USD 1 000 000__.\n\nStarkNet requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is a full legal name, residential address, date of birth and copy of national ID\\ passport. Bounty hunters must pass OFAC Screening. 
Rewards cannot be paid out if hunters are on the OFAC SDN list and/or do not complete the KYC.\n\nThe following person(s) are ineligible to receive bug bounty payout rewards: StarkWare Staff, Auditors and Contractors engaged by StarkWare, persons in possession of privileged information, and any other associated parties. \n\nPayouts are handled by the __StarkNet__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"starknet","tenPercentEconomicRule":false,"updatedDate":"2026-03-26T11:09:34.151Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_official_contributor","no_auditor"],"responsiblePublicationCategory":null,"description":"StarkNet is a validity rollup based on zk-STARK proofs. It operates as an L2 network over Ethereum, enabling any dApp to achieve scale for its computation – without compromising Ethereum's composability and security.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Sequencer bugs\n- Exploits as a result of a malicious operator, with the exception of a malicious verifier, until Starknet is fully decentralized.\n- All test files and helpers included in the asset directory.","customProhibitedActivities":[],"impacts":[{"id":3447,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":3448,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds"},{"id":3449,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds"},{"id":5882,"type":"blockchain_dlt","severity":"high","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system 
commands"}],"rewards":[{"id":43046,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":350000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43047,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":15000,"rewardModel":"fixed"},{"id":43048,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":350000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43049,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":43050,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":2500,"minReward":1250,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"6AHweDS9bnQTH9EV95H76n","url":"https://sonicscan.org/address/0x8509b92145Bb2645F47c6847Bb61A46bE61AE3F2","type":"smart_contract","addedAt":"2022-08-30T15:58:34.197Z","revision":0,"description":"InterestRateModelV2.sol - Silo Lending","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2e3It5AFVgq8EELpvu8uOd","url":"https://sonicscan.org/address/0xE83fDb15b5efeD3E3D3FD2a086219c33686b7231","type":"smart_contract","addedAt":"2022-08-30T16:00:28.765Z","revision":0,"description":"ShareDebtToken.sol - Silo Lending","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"18Z9uWmNS2X9ngB8ORrVub","url":"https://sonicscan.org/address/0x1a36C81756d09950AcBd1aBDC522C0DD41363353","type":"smart_contract","addedAt":"2025-06-09T17:51:09.331Z","revision":0,"description":"ShareProtectedCollateralToken.sol - Silo Lending","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3dBdyhPZKzWIWIYjplTsof","url":"https://sonicscan.org/address/0x435Ab368F5fCCcc71554f4A8ac5F5b922bC4Dc06","type":"smart_contract","addedAt":"2025-06-09T17:51:26.387Z","revision":0,"description":"Silo.sol - Silo 
Lending","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3TNj4xjohjthEpvXjyeAkK","url":"https://sonicscan.org/address/0x4e9dE3a64c911A37f7EB2fCb06D1e68c3cBe9203","type":"smart_contract","addedAt":"2025-06-09T17:51:56.311Z","revision":0,"description":"SiloFactory.sol - Silo Lending","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"uFDms3P9btyn6Aq5AkwIS","url":"https://sonicscan.org/address/0x1D9289efd4424F50c9155cf8b591944B0fba0fD0","type":"smart_contract","addedAt":"2025-06-09T17:52:16.757Z","revision":0,"description":"SiloHookV1.sol - Silo Lending","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"GAuUEQ5pIXgqZmwWQKBGF","url":"https://sonicscan.org/address/0xff1d0359CAd3BC603584A63D852D884BF5b17A67","type":"smart_contract","addedAt":"2025-06-09T17:52:32.338Z","revision":0,"description":"SiloRouterV2.sol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4aFIMHXgDcHDLcPFZvex7y","url":"https://sonicscan.org/address/0xC95149D52dA227cfeb0425ac6803086Db5A193b7","type":"smart_contract","addedAt":"2025-06-09T17:52:53.497Z","revision":0,"description":"PublicAllocator.sol  - Silo Vaults","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Th05O6sTtLQZ40AogHkja","url":"https://sonicscan.org/address/0x4e125E605FDcf3B07BDE441DECf8EDAd423D5DC6","type":"smart_contract","addedAt":"2025-06-09T17:53:29.847Z","revision":0,"description":"SiloVaultsFactory.sol - Silo Vaults","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6p9AYmezLanw7C7EpDD1bV","url":"https://sonicscan.org/address/0xDED4aC8645619334186f28B8798e07ca354CFa0e","type":"smart_contract","addedAt":"2025-06-12T13:19:44.658Z","revision":0,"description":"Example of SiloVault.sol - Silo Vaults","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98760","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99354","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-vaults/contracts/SiloVaultsFactory.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99355","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-vaults/contracts/SiloVault.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99356","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-vaults/contracts/PublicAllocator.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99357","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-vaults/contracts/incentives/VaultIncentivesModule.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99358","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-vaults/contracts/IdleVaultsFactory.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99359","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-vaults/contracts/IdleVault.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99360","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/utils/ShareProtectedCollateralToken.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99361","url":"https://github.com/silo-fina
nce/silo-contracts-v3/blob/master/silo-core/contracts/utils/ShareDebtToken.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99362","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/SiloFactory.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99363","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/SiloConfig.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99364","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/Silo.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99365","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/silo-router/SiloRouterV2Implementation.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99366","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/silo-router/SiloRouterV2.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99367","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/leverage/LeverageUsingSiloFlashloanWithGeneralSwap.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99368","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/leverage/LeverageRouter.sol","type":"sm
art_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99369","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/interestRateModel/kink/DynamicKinkModelFactory.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99370","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/interestRateModel/kink/DynamicKinkModelConfig.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99371","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/interestRateModel/kink/DynamicKinkModel.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99372","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/incentives/SiloIncentivesControllerFactory.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99373","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/incentives/SiloIncentivesControllerCompatible.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99374","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/hooks/SiloHookV3.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99375","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/hooks/SiloHookV2.sol","type":"sma
rt_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99376","url":"https://github.com/silo-finance/silo-contracts-v3/blob/master/silo-core/contracts/hooks/SiloHookV1.sol","type":"smart_contract","addedAt":"2026-03-25T18:42:11.573Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2022-08-30T17:30:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/33187-kA_wCDBD9XOKxLzFnGw6z.png","maxBounty":350000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Asset Management","Lending"],"programOverview":"Silo Finance consists of two protocols:\n\n- Silo Lending: A non-custodial protocol that creates isolated, programmable lending markets.\n- Silo Vaults: Single-asset vaults that deploy and manage funds within Silo’s lending markets.\n\nFor more information about Silo Finance, please visit https://www.silo.finance/ and https://docs.silo.finance/.\n\nSilo Finance provides rewards in USDC on Ethereum, denominated in USD. 
For more details about the payment process, please view the Rewards by Threat Level section further below.","programType":["Smart Contract"],"project":"Silo Finance (v2 & v3)","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3). \n\nAll Critical/High severity smart contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 20 000__ and a maximum of __USD 350 000__ for Critical smart contract bug reports.\n\n\n__Repeatable Attack Limitations__\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. 
\n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of 1,000 to 20,000 depending on the funds at risk, capped at the maximum high reward.  \n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nPayouts are handled by the __Silo Finance__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"silofinance-v2","tenPercentEconomicRule":false,"updatedDate":"2026-03-25T18:42:11.752Z","impactsBody":null,"websiteUrl":"https://www.silo.finance/","githubUrl":"https://github.com/silo-finance/silo-contracts-v3","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Silo Finance consists of two protocols: \n- Silo Lending: A non-custodial protocol that creates isolated, programmable lending markets.\n- Silo Vaults: Single-asset vaults that deploy and manage funds within Silo’s lending markets.","knownIssues":[{"id":1286,"link":"https://github.com/silo-finance/silo-contracts-v3/tree/master/audits","description":"All issues publicly disclosed by audit reports hosted in the smart contracts repository are considered known issues.","lastUpdatedAt":"2025-12-31T23:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not 
to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":3132,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":5590,"type":"smart_contract","severity":"medium","title":"Miner-extractable value (MEV)"}],"rewards":[{"id":43653,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":350000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43654,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"},{"id":43655,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"99348","url":"https://moonscan.io/address/0xfa62B5962a7923A2910F945268AA65C943D131e9","type":"smart_contract","addedAt":"2026-03-24T18:04:19.928Z","revision":0,"description":"veNFT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99349","url":"https://moonscan.io/address/0x9B81835b2f7B51447D5E4C07Ae18f05dfe627150#code","type":"smart_contract","addedAt":"2026-03-24T18:04:19.928Z","revision":0,"description":"Integral Vault 
Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99350","url":"https://moonscan.io/address/0x3069A7955408D261069F7D4ed3eFdB9Ea8D95d7b","type":"smart_contract","addedAt":"2026-03-24T18:04:19.928Z","revision":0,"description":"stGLMR Funds Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99351","url":"https://moonscan.io/address/0x091a177FbC5f493920c2e027eDc89658c1cED495#code","type":"smart_contract","addedAt":"2026-03-24T18:04:19.928Z","revision":0,"description":"Voter","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Moonbeam"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-07-08T03:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6VjUd6TYgNL1uVO6NNEkW8/f29e40ff28110cfcdcd80688bca5cd87/StellaSwap_Logo_Small.png","maxBounty":2337,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Bridge","Crosschain Liquidity","DEX","Staking"],"programOverview":"StellaSwap is the leading DEX on Moonbeam that offers an integrated gateway to the DeFi world. A hybrid DEX by design with both a standard and stable AMM, StellaSwap aims to provide the most secure and optimal trading experience for all users. 
With a strong focus on simplifying the user experience, StellaSwap’s design principles are predicated on abstracting DeFi complexities.\n\nBeyond being a central liquidity hub, users can swap, earn, yield farm, bridge assets, explore new projects and engage in NFT trading all from a single unified platform.\n\nFor more information about StellaSwap, please visit [https://stellaswap.com/](https://stellaswap.com/).","programType":["Smart Contract"],"project":"StellaSwap","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll bug reports must come with a suggestion for a fix in order to be considered for a reward.\n\nAll issues previously highlighted in the following audit reports are also considered out of scope: \n  - [Certik Full Audit Report](https://2598174527-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fk79kvXbQmvjLmP78Scbp%2Fuploads%2Ft3l7dQ9CV3XBe5ByzBWo%2FCertik%20Full%20Audit.pdf?alt=media&token=28f17b42-930a-489d-90cc-39ba517235ea)\n  - [https://www.certik.com/projects/stellaswap](https://www.certik.com/projects/stellaswap) \n  - [https://github.com/solidproof/smart-contract-audits/blob/main/SmartContract_Audit_Solidproof_StellaSwap.pdf](https://github.com/solidproof/smart-contract-audits/blob/main/SmartContract_Audit_Solidproof_StellaSwap.pdf) \n  - [https://github.com/solidproof/projects/tree/main/StellaSwap](https://github.com/solidproof/projects/tree/main/StellaSwap) \n  - [SolidProof Stable AMM Audit 
Report](https://2598174527-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fk79kvXbQmvjLmP78Scbp%2Fuploads%2FmMbSu0hMsw6p30u3UcEZ%2FSmartContract_Audit_Solidproof_StellaSwap_Stable%20AMM.pdf?alt=media&token=855c69b6-dc9a-4a9f-a512-91a47cd647db) \n\nPayouts are handled by the __StellaSwap__ team directly and are denominated in USD. However, payouts are done in __STELLA__.  Rewards for High severity bug reports are vested monthly over a 6-month period. Rewards for Critical severity bug reports are vested monthly over a 12-month period.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"STELLA","slug":"stellaswap","tenPercentEconomicRule":false,"updatedDate":"2026-03-25T17:13:25.129Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"StellaSwap is the leading DEX on Moonbeam that offers an integrated gateway to the DeFi world. A hybrid DEX by design with both a standard and stable AMM, StellaSwap aims to provide the most secure and optimal trading experience for all users. With a strong focus on simplifying the user experience, StellaSwap’s design principles are predicated on abstracting DeFi complexities.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":2968,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 3 days"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":43651,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":2337,"minReward":1000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43652,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":1337,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"38S6MzIEUiJwmWA9Ul7Lfv","url":"https://github.com/sei-protocol/sei-js","type":"blockchain_dlt","addedAt":"2026-01-14T17:14:18.070Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1uIkdc4TQaQ0dOsfsGPAYp","url":"https://github.com/sei-protocol/go-ethereum","type":"blockchain_dlt","addedAt":"2024-05-31T13:43:01.926Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"YnqcLKug1avYOe95M4ZhL","url":"https://github.com/sei-protocol/sei-chain","type":"blockchain_dlt","addedAt":"2023-11-13T14:58:33.805Z","revision":0,"description":"Sei Chain","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98765","url":"https://immunefi.com/","type":"blockchain_dlt","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99132","url":"https://immunefi.com","type":"blockchain_dlt","addedAt":"2026-03-05T12:47:08.831Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"All code of Sei Foundation can be found at https://github.com/sei-protocol. Documentation for the assets provided in the table can be found at [https://github.com/sei-protocol/sei-chain/blob/main/whitepaper/Sei_Whitepaper.pdf](https://github.com/sei-protocol/sei-chain/blob/main/whitepaper/Sei_Whitepaper.pdf)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Sei"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Signal Booster","Arbitration","Subscription Plan: Elite"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Rust"],"launchDate":"2023-11-30T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1lOFdVmQG8KNmJhGtr8lhs/40400407c90b0736a8e506b081b70887/Sei_Labs_Logo.png","maxBounty":500000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Bridge","L1","Staking"],"programOverview":"Sei is the fastest Layer 1 blockchain, designed to scale with the industry.\n\nFor more information about Sei Foundation, please visit [https://www.sei.io/.](https://www.sei.io/)\n\nSei Foundation provides rewards in SEI, or USDT/C at the foundation's discretion. This is denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.  \n\nSei Foundation has a Know Your Customer (KYC) requirement for bug bounty payouts. 
\n\nPlease refer to the following for KYC requirements:\n- Full Name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of passport or other government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nIf an impact is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\nSei Foundation adheres to the Primacy of Impact for the following severity levels:\n- Blockchain/DLT: Critical\n- Blockchain/DLT: High\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact. 
\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n__Known Issue Assurance__\n\nSei Foundation commits to providing Known Issue Assurance to bug submissions through their program. This means that Sei Foundation will either disclose known issues publicly or at the very least privately via a self-reported bug submission in order to allow for a more objective and streamlined mediation process to prove that an issue is known. Otherwise, assuming the bug report itself is valid, it would result in the bug report being considered in-scope and due 100% of the reward with respect to the bug bounty program terms. \n\n__Immunefi Standard Badge__\n\nSei Foundation has satisfied the requirements for the [Immunefi Standard Badge,](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-) which is given to projects that adhere to our best practices.","programType":["Blockchain/DLT"],"project":"Sei","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below.\n\n__Reward Calculation for Critical Level Reports__\n\nFor Critical Blockchain/DLT vulnerabilities, rewards are determined based on the ratio between the total funds at risk—including all affected projects built on the Sei blockchain—and the Sei market capitalization, calculated as the average market cap reported by CoinMarketCap and CoinGecko at the time the report is submitted.\n\nA minimum reward of **USD $50,000** is guaranteed for all valid Critical reports in order to incentivize timely and responsible disclosure.\n\nThis ratio is referred to as the **risk ratio**, defined as:\n\nRisk Ratio = Funds at Risk / Sei Market Capitalization\n\nRewards scale linearly from a 0:1 to a 1:1 risk ratio, where a 1:1 ratio corresponds to a maximum reward of **USD 
$500,000**.  \nIf the funds at risk exceed the market capitalization, the reward remains capped at **USD $500,000**.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program.\n- Project operation risk in tokenfactory module\n\n__Previous Audits__\n\nSei Foundation has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports are not eligible for a reward.\n- [https://github.com/oak-security/audit-reports/blob/master/Sei/2023-05-15%20Audit%20Report%20-%20Sei%20Cosmos%20v1.0.pdf](https://github.com/oak-security/audit-reports/blob/master/Sei/2023-05-15%20Audit%20Report%20-%20Sei%20Cosmos%20v1.0.pdf)\n- [https://github.com/oak-security/audit-reports/blob/master/Sei/2023-05-15%20Audit%20Report%20-%20Sei%20Tendermint%20v1.0.pdf](https://github.com/oak-security/audit-reports/blob/master/Sei/2023-05-15%20Audit%20Report%20-%20Sei%20Tendermint%20v1.0.pdf)\n- [https://github.com/oak-security/audit-reports/blob/master/Sei/2023-05-19%20Audit%20Report%20-%20Sei%20Chain%20and%20CosmWasm%20v1.0.pdf](https://github.com/oak-security/audit-reports/blob/master/Sei/2023-05-19%20Audit%20Report%20-%20Sei%20Chain%20and%20CosmWasm%20v1.0.pdf)\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Blockchain/DLT: Critical\n- Blockchain/DLT: High\n- Blockchain/DLT: Medium\n- Blockchain/DLT: Low\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\nFor Medium, High and Critical reports, we ask that whitehats provide a PoC using a local 4-node cluster. You can follow these steps to provide this PoC:\n\n1. 
Spin up the local testnet with `make docker-cluster-start`\n2. Connect to node0 with `docker exec -it sei-node-0 /bin/bash`\n3. Carry out attack\n\nNote that any PoC submitted against testnet **must not**:\n- Set any `GIGA_*` flag to `true`\n- Explicitly enable any configuration under sections prefixed with `giga`\n\nPoCs that rely on enabling Giga-related functionality will be considered **out of scope** and will not be eligible for a bounty. See [scope](https://immunefi.com/bug-bounty/sei/scope/#top) for further information.\n\n\n__Reward Payment Terms__\n\nRewards are denominated in USD and paid by the Sei Foundation team.\n\nPayouts are made in **SEI** or **USDT/C**, at the Foundation’s discretion. For additional details on payout mechanics and reward amounts, please refer to the **Rewards by Threat Level** section below.\n\n__Malicious Proposer Rule__ \n\nIf an attack requires the attacker to be a block proposer (or equivalent privileged validator role), its severity is reduced by one level (e.g. Critical → High, Low → Informational/Out of Scope). 
\n\n**Note, direct loss of funds remains Critical regardless of attacker role.**","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"SEI","slug":"sei","tenPercentEconomicRule":false,"updatedDate":"2026-03-24T15:26:17.017Z","impactsBody":"__Excluded Giga-Related Functionality__\n\nAny functionality related to **Giga** is currently **out of scope** for this bug bounty program.\n\nSpecifically, the following are excluded from scope:\n\n- Any code paths that require setting **any `GIGA_*` configuration flag to `true`**\n- Any configuration options defined under configuration sections **prefixed with `giga`**\n- All code contained within the **`giga` Go package**\n\nAll Giga-related configuration flags and settings are **disabled by default** in all supported environments.\n\nAs a result:\n- Vulnerabilities that are only exploitable when Giga-related configuration flags are enabled\n- Vulnerabilities that exist exclusively within the `giga` Go package\n- Vulnerabilities reachable solely through execution paths gated by Giga configuration\n\nare **not eligible for rewards** under this bug bounty program.\n\n---\n\n__Excluded StateSync Peer Functionality__\n\nAny functionality related to **StateSync Peers** is currently **out of scope** for this bug bounty program.\n\nA StateSync Peer is a trusted node that provides state synchronization data to other nodes during initial sync. These are nodes explicitly configured as RPC servers and persistent peers for the purpose of state sync. 
They serve trust height, trust hash, and block/state data that the syncing node consumes directly.\n\nSpecifically, the following are excluded from scope:\n\n- Any vulnerabilities that require a **malicious or compromised StateSync Peer** to be exploited\n- Any attack vectors that depend on a StateSync Peer returning **tampered block data, trust hashes, or state snapshots**\n- Any vulnerabilities that rely on **poisoning the persistent peers list** with attacker-controlled node IDs obtained through compromised StateSync Peer RPC responses\n- Any vulnerabilities related to **P2P-mode state sync**, where any connected P2P peer can serve as a state provider. P2P-mode state sync is **disabled by default** and is not used in Sei's supported state sync workflow\n\nStateSync Peers are considered trusted infrastructure within the Sei network's threat model. As a result:\n- Vulnerabilities that assume a StateSync Peer is acting maliciously or has been compromised\n- Vulnerabilities that are only exploitable by controlling or impersonating a StateSync Peer endpoint\n- Vulnerabilities reachable solely through tampered RPC responses from a trusted StateSync Peer\n- Vulnerabilities that exist exclusively within P2P-mode state sync code paths\n\nare **not eligible for rewards** under this bug bounty program.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Sei is the fastest Layer 1 blockchain, designed to scale with the industry. Pushing the boundaries of blockchain technology through open source development, Sei stands to unlock a brand new design space for consumer facing applications.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":6005,"type":"blockchain_dlt","severity":"medium","title":"Block production delay exceeding 2.5 seconds on realistic validator hardware, caused by crafted transactions or messages"},{"id":6006,"type":"blockchain_dlt","severity":"low","title":"Manipulation of transaction fee calculation resulting in fees outside protocol-defined bounds"},{"id":6007,"type":"blockchain_dlt","severity":"low","title":"Causing network processing nodes to include or order mempool transactions outside of protocol-defined selection and priority rules"},{"id":6008,"type":"blockchain_dlt","severity":"low","title":"Crash or halt of <10% of validators via crafted (non-brute-force) messages, where the network retains 
liveness"},{"id":6009,"type":"blockchain_dlt","severity":"medium","title":"Malicious proposer block freeze: delay of ≥10 minutes caused by a single proposer beyond simply skipping their own proposal slot(s)"},{"id":6010,"type":"blockchain_dlt","severity":"medium","title":"Bug in layer 0/1/2 network code that causes deterministic unintended smart contract execution, with no funds directly at risk"},{"id":6011,"type":"blockchain_dlt","severity":"medium","title":"Crash of RPC nodes running default configuration via direct unauthenticated network access to RPC/gRPC endpoints"},{"id":6012,"type":"blockchain_dlt","severity":"medium","title":"Crash or halt of ≥10% but <1/3 of validators via crafted (non-brute-force) messages, where the network retains liveness"},{"id":6013,"type":"blockchain_dlt","severity":"high","title":"Crash or halt of ≥1/3 of validators (assuming no direct network access to validator nodes), resulting in loss of network liveness"},{"id":6014,"type":"blockchain_dlt","severity":"high","title":"Unintended permanent chain split requiring hard fork to resolve (network partition with no automatic recovery)"},{"id":6015,"type":"blockchain_dlt","severity":"high","title":"Crash of RPC nodes running default configuration without assuming direct network access (e.g. 
via malicious block/transaction payloads propagated through the network)"},{"id":6016,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds with no on-chain remediation path, excluding general network unavailability (fix requires hard fork)"},{"id":6017,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds (including but not limited to unauthorized transfers, token minting, or token burning)"}],"rewards":[{"id":43619,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":500000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":43620,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":25000,"rewardModel":"fixed"},{"id":43621,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","fixedReward":5000,"rewardModel":"fixed"},{"id":43622,"primacy":null,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"cC2hBNCF0nM2dQNqYbgJ0","url":"https://github.com/enzymefinance/protocol-onyx/blob/85570db648edb66240564ae844d88d5a3f8fe610/src/components/value/position-trackers/LinearCreditDebtTracker.sol","type":"smart_contract","addedAt":"2026-01-26T17:05:24.474Z","revision":0,"description":"LinearCreditDebtTracker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1GpqXEyFR1csrwRt8qhkOe","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/components/roles/LimitedAccessLimitedCallForwarder.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:17.365Z","revision":0,"description":"LimitedAccessLimitedCallForwarder","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1lxYhwaQSjYQ3p8MAKUC16","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/shares/Shares.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:17.369Z","revision":0,"description":"Shares","isSafeHarbor":false,
"isPrimacyOfImpact":false},{"id":"3a2KMVVFmlxV04qJR275Bq","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/utils/StorageHelpersLib.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:19.116Z","revision":0,"description":"StorageHelpersLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"47gqDfHbzTZ8g3qzco0Lx2","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/components/value/ValuationHandler.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:17.333Z","revision":0,"description":"ValuationHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4vZ8TyuGH5uc7Zgxzokycz","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/components/fees/management-fee-trackers/ContinuousFlatRateManagementFeeTracker.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:17.428Z","revision":0,"description":"ContinuousFlatRateManagementFeeTracker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"50sciYr24pFjZuDUXscQFW","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/infra/oracles/OneToOneAggregator.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:18.995Z","revision":0,"description":"OneToOneAggregator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5GgSOotezBM7jd26IKHXUz","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/components/value/position-trackers/AccountERC20Tracker.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:18.934Z","revision":0,"description":"AccountERC20Tracker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5RFLShgqBX1Za1455zTrVn","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/components/roles/OpenAccessLimitedCallForwarder.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:19.35
4Z","revision":0,"description":"OpenAccessLimitedCallForwarder","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5wZaa27Bav3oatoFBQwLQ5","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/components/fees/FeeHandler.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:17.366Z","revision":0,"description":"FeeHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"66B33THY54dkcAmiiwsHZe","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/global/Global.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:19.031Z","revision":0,"description":"Global","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7H1UAtLRwkQiUWr5w5zyWo","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/components/issuance/redeem-handlers/ERC7540LikeRedeemQueue.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:18.983Z","revision":0,"description":"ERC7540LikeRedeemQueue","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7hDKBBZmjL7Eqep9n50eBD","url":"https://github.com/enzymefinance/protocol-onyx/blob/b98576fa39213b3c8aecb8b5b104c9acaa24eff0/src/factories/ComponentBeaconProxy.sol","type":"smart_contract","addedAt":"2025-09-03T17:48:17.373Z","revision":0,"description":"ComponentBeaconProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"cjldh6LXFfMxrHoWa7JDk","url":"https://github.com/enzymefinance/protocol-onyx/blob/6bde0489b1a3196e6290b59e119748ecbeb8b8e4/src/components/fees/performance-fee-trackers/ContinuousFlatRatePerformanceFeeTracker.sol","type":"smart_contract","addedAt":"2025-12-08T07:58:36.370Z","revision":0,"description":"ContinuousFlatRatePerformanceFeeTracker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98716","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99109","url":"https://github.com/enzymefinance/protocol-onyx/blob/61ef53d2dfd17d83183d832529b148e6e15c26ab/src/infra/lists/address-list/OwnableAddressList.sol","type":"smart_contract","addedAt":"2026-02-24T13:14:13.104Z","revision":0,"description":"OwnableAddressList","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99110","url":"https://github.com/enzymefinance/protocol-onyx/blob/61ef53d2dfd17d83183d832529b148e6e15c26ab/src/components/shares-transfer-validators/AddressListsSharesTransferValidator.sol","type":"smart_contract","addedAt":"2026-02-24T13:14:13.104Z","revision":0,"description":"AddressListsSharesTransferValidator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99111","url":"https://github.com/enzymefinance/protocol-onyx/blob/61ef53d2dfd17d83183d832529b148e6e15c26ab/src/components/lists/SharesOwnedAddressList.sol","type":"smart_contract","addedAt":"2026-02-24T13:14:13.104Z","revision":0,"description":"SharesOwnedAddressList","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99112","url":"https://github.com/enzymefinance/protocol-onyx/blob/61ef53d2dfd17d83183d832529b148e6e15c26ab/src/components/issuance/deposit-handlers/ERC7540LikeDepositQueue.sol","type":"smart_contract","addedAt":"2026-02-24T13:14:13.104Z","revision":0,"description":"ERC7540LikeDepositQueue - latest 
audited","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99113","url":"https://github.com/enzymefinance/protocol-onyx/blob/61ef53d2dfd17d83183d832529b148e6e15c26ab/src/components/automations/chainlink-cre/CreWorkflowConsumer.sol","type":"smart_contract","addedAt":"2026-02-24T13:14:13.104Z","revision":0,"description":"CreWorkflowConsumer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99133","url":"https://github.com/enzymefinance/protocol-onyx/blob/df697194bdfbb883b6eff7a667b08debfcf467a0/src/utils/ValueHelpersLib.sol","type":"smart_contract","addedAt":"2026-03-05T12:48:01.994Z","revision":0,"description":"ValueHelpersLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99134","url":"https://github.com/enzymefinance/protocol-onyx/blob/df697194bdfbb883b6eff7a667b08debfcf467a0/src/components/issuance/deposit-handlers/SyncDepositHandler.sol","type":"smart_contract","addedAt":"2026-03-05T12:48:01.994Z","revision":0,"description":"SyncDepositHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99285","url":"https://github.com/enzymefinance/protocol-onyx/blob/e68728ca987a3d003f8ccc962151ee333d3dcc0f/src/components/issuance/deposit-handlers/ERC7540LikeDepositQueue.sol","type":"smart_contract","addedAt":"2026-03-17T14:00:04.730Z","revision":0,"description":"ERC7540LikeDepositQueue - live","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Time Saver","Safe Harbor Documents 
Signed"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2025-09-04T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3iP5zSqWcE9ivBa4KHRO7o/f6b068029c43b748115d87919d8387fc/S5wC58QC_400x400.png","maxBounty":200000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Asset Management"],"programOverview":"Onyx by Enzyme Finance is a tokenization protocol for asset management vehicles. It facilitates bespoke ERC20 shares issuance, including fees and tools for valuation accounting.\n\nDeployed contracts [here](https://docs.google.com/spreadsheets/d/1HMAEUe1Gcnfun8dsPZ89WZzXbQ61FGm9m6-6U2siuG4/edit?gid=0#gid=0)","programType":["Smart Contract"],"project":"Enzyme Onyx","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System v2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"enzyme-onyx","tenPercentEconomicRule":false,"updatedDate":"2026-03-24T08:39:58.592Z","impactsBody":null,"websiteUrl":null,"githubUrl":"https://github.com/enzymefinance/protocol-onyx","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Onyx by Enzyme Finance is a tokenization protocol for asset management vehicles. It facilitates bespoke ERC20 shares issuance, including fees and tools for valuation accounting.\n\n**Before submitting a report, please review our Bug Bounty program guidelines carefully. 
Reports that only cover issues already listed in the program scope will be closed and marked as spam.**\n\nSmart contracts may have both a currently deployed version and the latest audited version that is scheduled for deployment. These are labeled as follows:\n- Live — the smart contract that is currently deployed and in use\n- Latest audited — the most recently audited smart contract, not yet deployed but planned for future release\nIf no labels are present, it means the deployed (live) smart contract is already up to date with the latest audited version.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"}],"rewards":[{"id":43595,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":200000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43596,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":43597,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"}],"audits":[{"id":"1276","url":"https://github.com/enzymefinance/protocol-onyx/tree/main/audits","auditor":"ChainSecurity","date":"2025-09-01T00:00:00.000Z"}]},{"assets":[{"id":"1T6YqYvr7SeDIycagiw12U","url":"https://immunefi.com","type":"smart_contract","addedAt":"2025-01-16T08:42:18.903Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"2N6HkzvYmMhqqdAETtMzRs","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2025-01-16T08:42:32.883Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"db_44a87bcf-ff98-4eda-b51d-1889072daf6f","url":"https://etherscan.io/address/0xcD9f5907F92818bC06c9Ad70217f089E190d2a32","type":"smart_contract","addedAt":"2026-02-19T16:23:41.327Z","revision":0,"description":"Senior Royco USDC (srRoyUSDC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_f6251375-6ed9-44db-8cc6-a349ca601907","url":"https://etherscan.io/address/0x170ff06326eBb64BF609a848Fc143143994AF6c8","type":"smart_contract","addedAt":"2026-02-19T16:24:17.140Z","revision":0,"description":"Multisig Safe","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_5311d96c-40df-43b0-9c1b-965289eb1fdc","url":"https://etherscan.io/address/0xd3F8Edff57570c4F9B11CC95eA65117e2D7A6C2D","type":"smart_contract","addedAt":"2026-02-19T16:24:26.070Z","revision":0,"description":"Multisig 
Strategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_6d92499b-3892-4390-85db-5e0e09097382","url":"https://etherscan.io/address/0xD567cCbb336Eb71eC2537057E2bCF6DB840bB71d","type":"smart_contract","addedAt":"2026-02-19T16:24:39.904Z","revision":0,"description":"Factory (ETH)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_052292d1-4b7f-49f5-9eee-1e448089feb3","url":"https://snowscan.xyz/address/0xD567cCbb336Eb71eC2537057E2bCF6DB840bB71d#code","type":"smart_contract","addedAt":"2026-02-19T16:24:49.176Z","revision":0,"description":"Factory (AVAX)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_a0bc4655-cc10-4839-b653-8800e221b9bd","url":"https://etherscan.io/address/0x071B0FA065774b403B8dae0aE93A09Df5DE3DFAc","type":"smart_contract","addedAt":"2026-02-19T16:25:03.020Z","revision":0,"description":"Yield Distribution Model (ETH)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_db0eb646-fc2f-44a3-8924-e5141b98c891","url":"https://snowscan.xyz/address/0x071B0FA065774b403B8dae0aE93A09Df5DE3DFAc#code","type":"smart_contract","addedAt":"2026-02-19T16:25:27.176Z","revision":0,"description":"Yield Distribution Model (AVAX)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_f0516f87-b3e1-44fc-a4ae-e826fb09ac8f","url":"https://dawn.royco.org/","type":"websites_and_applications","addedAt":"2026-02-19T16:25:43.806Z","revision":0,"description":"Royco Dawn & related 
subpages","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2026-02-17T10:24:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4Hh4QPr7P8sC92rhy3vTc9/ef9957de799e11eb119a3d25f4db6d00/Royco.png","maxBounty":250000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Royco is a non-custodial, perpetual risk-tranching protocol. Its smart contracts divide yield opportunities into senior and junior tranches. The senior tranche is protected, at a minimum, from a preset market-defined drawdown percentage in the underlying investment, with the junior tranche serving as first-loss capital. In exchange, the junior tranche receives a portion of the senior yield as a risk premium, in addition to earning its own.\n\nFor more information about Royco Dawn, please visit [https://www.royco.org/](https://www.royco.org/).\n\nRoyco Dawn provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Responsible Publication__\n\nRoyco Dawn adheres to  **Category 3: Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. 
For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nRoyco Dawn adheres to the Primacy of Impact for the following impacts:\n- Smart Contract  —  Critical  \n- Website & Application  —  Critical \n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact \n](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nRoyco Dawn’s completed audit reports can be found at [https://github.com/roycoprotocol/royco-dawn/tree/main/audit](https://github.com/roycoprotocol/royco-dawn/tree/main/audit). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications"],"project":"Royco Dawn","projectType":[],"rewardsBody":"__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of **USD 250 000**. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of **USD 50 000** is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical web/apps bugs, reports will be rewarded with **USD 10 000**, only if the impact leads to:\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of **USD 2 000**. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.\n- The amount of funds at risk will be calculated with the impact of the first attack being at **100%** and then a reduction of **25%** from the amount of the first attack for every **[300 blocks]** the attack needs for subsequent attacks from the first attack, rounded down.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Royco Dawn team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"royco","tenPercentEconomicRule":false,"updatedDate":"2026-03-24T08:39:40.168Z","impactsBody":"__Whitelisting & Fund Recovery Context__\n\nRoyco Dawn operates with a whitelisted architecture where certain trusted addresses and parties have privileged access to protocol functions. These whitelisted parties are assumed to act in good faith, and funds sent to whitelisted addresses (or addresses explicitly specified by whitelisted parties) are considered recoverable through administrative action or protocol upgrades.\n\n__In-Scope Impacts for Direct Theft Rewards:__\n\nFor a vulnerability to qualify as a Direct Theft finding eligible for reward, it must demonstrate: \n\nPermanent loss of (non-dust) user funds that cannot be remediated through a protocol upgrade or administrative action — Either through theft to non-whitelisted addresses (or addresses not intended by whitelisted parties), or through funds being permanently locked. This includes abuse of privileged roles beyond their intended permissions.","websiteUrl":"https://www.royco.org/","githubUrl":"https://github.com/roycoprotocol/","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Royco is a non-custodial, perpetual risk-tranching protocol. Its smart contracts divide yield opportunities into senior and junior tranches. The senior tranche is protected, at a minimum, from a preset market-defined drawdown percentage in the underlying investment, with the junior tranche serving as first-loss capital. 
In exchange, the junior tranche receives a portion of the senior yield as a risk premium, in addition to earning its own.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n- Whitelisted/admin parties behaving maliciously (assumed trusted and funds recoverable)\n- Incorrect amounts sent to whitelisted parties or their specified recipients (reversible)\n- External protocol bugs\n- Centralization risks\n- MEV, gas griefing, frontrunning\n- Frontend or off-chain components\n\n__Websites and Apps__\n\n- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n- This does not exclude reflected HTML injection with or without JavaScript\n- This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","customProhibitedActivities":[],"impacts":[{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":43593,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43594,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":2000,"rewardModel":"range"}],"audits":[{"id":"db_1f233cc7-f23d-4a2e-98a2-5e2f1f564cb6","url":"https://github.com/roycoprotocol/royco-dawn/tree/main/audit","auditor":"All 
audits","date":"2026-02-17T00:00:00.000Z"}]},{"assets":[{"id":"14eMQwkij18FHkdwJ8W3aB","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/full_isa_with_delegation_no_exceptions/mod.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:55.378Z","revision":0,"description":"Full RV32I+M ISA machine configuration with delegation circuit support (CSR-triggered precompiles like BigInt and BLAKE2)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"162eSGxRo4G5ZHPxz2wPdc","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/delegation/blake2_round_with_extended_control/mod.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:50.562Z","revision":0,"description":"Extended BLAKE2s delegation circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"19EkFgxBYYbiIBqXkIA8hX","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/lui_auipc.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:02.604Z","revision":0,"description":"LUI/AUIPC instructions circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1EFOSlj0IPVQjauS2JTzG9","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/add_sub.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:59.711Z","revision":0,"description":"SUB/ADD circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1FX5vHuRa6yX49QZWI62cE","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/mod.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:58.486Z","revision":0,"description":"Module coordinator that exports all machine 
configurations","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1KiAJU1ta2P0vfzrV7JHA5","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/zk_ee/","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:45.215Z","revision":0,"description":"ZK Execution Environment","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Mv5RIDzMytvOJN62tHpUZ","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/cs/circuit.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:46.132Z","revision":0,"description":"Main circuits logic (CS)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1POou9IprZ7QBuPkiRZfSl","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/minimal_no_exceptions/basic_state_transition.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:56.301Z","revision":0,"description":"Minimal RV32I base ISA machine configuration (without M extension: no MUL/DIV/REM) using trusted code model and no exception handling, for simpler/smaller circuits.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Wtokczlst2NsCLv3TABlO","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/storage_models","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:42.717Z","revision":0,"description":"Storage models","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1YiBQey06DkCDD8eBHG5E0","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/state_transition_parts/decode_and_read_operands.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:57.182Z","revision":0,"description":"Decoder circuit 
parts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1dni9vu1h2UlxhX3YgaIMN","url":"https://immunefi.com","type":"blockchain_dlt","addedAt":"2025-12-01T08:23:33.787Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"1g7fGApe3b5hAWGKu4v4Nl","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/full_isa_no_exceptions/basic_state_transition.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:54.120Z","revision":0,"description":"Full RV32I+M ISA machine configuration with trusted code model (no exception handling)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1kOJnOIcF1SfnMXBworx6T","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier/src/concrete/size_constants.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:06.183Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2IM2Y5XpdD9eqf3JhARdvA","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/devices/diffs.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:51.472Z","revision":0,"description":"Defines instruction execution state changes","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2MyuMtryiWllFae0bOdxeW","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/cs/spec_selection.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:47.200Z","revision":0,"description":"Orthogonal variants circuits","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2N7WTQaNBpjiHoeTdjPwKQ","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/csr_properties.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:48.597Z","revision":0,"description":"Special csr properties 
table","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2hHoqUFUQ7cow3mEFAvIjG","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/csr.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:01.143Z","revision":0,"description":"CSR primitives","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2hxwPh5wICdQU3D5UtXOc9","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/supporting_crates/u256","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:44.235Z","revision":0,"description":"U256","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2kFIfrnoo4AtMRlJBMIbHS","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/common_impls/csr.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:59.256Z","revision":0,"description":"Non-determinism csr circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2kyIa5C2gKDwAY351nmk1a","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/devices/risc_v_types.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:52.351Z","revision":0,"description":"RISC-V ISA type definitions","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2zccnSE6w64GcnCnE1NPwx","url":"https://github.com/matter-labs/zksync-os/blob/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/callable_oracles","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:40.554Z","revision":0,"description":"Callable oracles","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"32zX9g047seKC7lLThB777","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/basic_bootloader","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:39.594Z","revision":0,"description":"Basic 
bootloader","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"373nbQeUnJCllDdm6MatXj","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/conditional.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:00.674Z","revision":0,"description":"Branch instructions circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3CqZ3dhOhXpZsuPdWCiPRI","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/minimal_no_exceptions_with_delegation/mod.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:56.735Z","revision":0,"description":"Minimal RV32I base ISA machine configuration (without M extension) with delegation circuit support for CSR-triggered precompiles","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Eime4DLzWeRqfzumVJkjM","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/mop.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:03.193Z","revision":0,"description":"Modular operation primitives","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3GKPYtc04ykgxab0uojomB","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_common/src/structs.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:09.692Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3HPkr7r5Cx81VgiA45QpNc","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/minimal_state.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:58.088Z","revision":0,"description":"Utilities for minimal machine 
state","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3I9L4cpiA3u4GtSiW0xh77","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/jump.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:01.615Z","revision":0,"description":"Jump instructions circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3OVi6MG9ziZhUZEZa56RtS","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_common/src/proof_flattener.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:09.250Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3PE3C7BsiRHpJ6pjx3I40T","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_generator/src/inlining_generator/everywhere_except_last.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:11.069Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3U0KERUxswouBJiBfhXkZ0","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/delegation/bigint_with_control/mod.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:50.120Z","revision":0,"description":"Delegated circuit for Big U256 Integer operations","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3jMZLcvoFwqaCnxRfia5UY","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/field/src/field.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:13.141Z","revision":0,"description":"Base field 
operations","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3sMYQ1Zt1jQo6dWwyWuHya","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/field/src/quartic.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:14.438Z","revision":0,"description":"Quartic extensions","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3to1W47Jw4zuLoazwMdgc8","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/supporting_crates/modexp","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:43.748Z","revision":0,"description":"Modexp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3uvNZmwK2T8yi6b54v5gUD","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_generator/src/generator.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:10.058Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"41cpAG8MXvCM6JK8XzMtS","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/instruction_decoding_data/mod.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:53.675Z","revision":0,"description":"Instruction decoding data","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4EBaRxDqizglfbyXeev1WG","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/prover/src/prover_stages/stage3.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:05.296Z","revision":0,"description":"Evaluate the constraint quotient on the coset domain. 
Contains a large set of hardcoded constraints","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4FwnbdV0GjHO8ivuUgH2dN","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier/src/concrete/skeleton_instance.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:06.624Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4HSXmqYR9fuqhNlApMtjXj","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/binops.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:00.208Z","revision":0,"description":"Binary operation circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4HXrzZPf2AlOcgu91C7HlC","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/full_isa_no_exceptions/mod.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:54.556Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4NvKFD4k2Rwu1WFJobvfJE","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/mul_div.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:03.647Z","revision":0,"description":"MUL/DIV/REM operations circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Nw8nGZ7E0d2By4GsN12ja","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/load.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:02.097Z","revision":0,"description":"Load instructions 
circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4R6WmYYocobYbGbMnrtP6b","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/full_isa_with_delegation_no_exceptions_no_signed_mul_div/mod.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:55.815Z","revision":0,"description":"Full RV32I+M ISA machine configuration with delegation circuit support but without signed multiplication/division","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4XBxn5P2BHmhztxpz7jNAB","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/cs/cs_reference.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:46.731Z","revision":0,"description":"Reference implementation of CS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4cUtvbFSp4QYMvKjv0FYtk","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/devices/utils.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:52.806Z","revision":0,"description":"Utilities for the RISC-V circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4mE6mjQUokpCWF66kuR12k","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier/src/utils.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:07.943Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"59PeBFV0G3WBLlVYRaNB20","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/constraint.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:48.151Z","revision":0,"description":"Definition of 
constraints","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5FS5qTgo9ZD5DXWvGr6GlP","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/supporting_crates/delegated_u256","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:43.286Z","revision":0,"description":"Delegated U256","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5PQgNswSZFt4VC5AkYkKXm","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/devices/optimization_context.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:51.935Z","revision":0,"description":"Optimization framework for RISC-V circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5a6jI6Vjsol86YtfbliLl0","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/evm_interpreter","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:41.396Z","revision":0,"description":"EVM interpreter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5tSad8cKN7NQM28eMUMWh5","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/cs/utils.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:47.694Z","revision":0,"description":"Utilities for constraint system","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5vWf4o7Cm2i7pmbdiweaOG","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_generator/src/inlining_generator/first_or_last_rows.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:11.445Z","revision":0,"description":"Full statement 
verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"65lUiKaiRy7redy2iQvy10","url":"https://github.com/matter-labs/zksync-os/blob/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/crypto","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:40.945Z","revision":0,"description":"Crypto","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"69HzdJLyMcmcLHRP3TrsJk","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/types.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:49.660Z","revision":0,"description":"Core type definition","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6J8BhEBqejaubqZra5UJ4h","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_generator/src/inlining_generator/everywhere_except_last_two.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:10.491Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6SCNxbCOK6UHwA8T1bt4eG","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/devices/aux_data.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:51.009Z","revision":0,"description":"Helper data structures","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6WoRPmkhzAG4B9q1HUksHv","url":"https://github.com/matter-labs/zksync-os/blob/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/basic_system","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:40.094Z","revision":0,"description":"Basic system","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ke0pScVon7lsJgvCvyumL","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/field/src/complex.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:13.961Z","revision":0,"description":"Complex 
extensions","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6sfzPcV8mN3owKh9EdZki8","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier/src/lib.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:07.043Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6xejhZhef3S2hukrQrJDE","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/field/src/ops.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:15.299Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6xoD6QCoxN1JVpRf3OcZpK","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/tables.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:49.192Z","revision":0,"description":"Lookup tables","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"71imvw2hev1Zo2Gbij3BO","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/field/src/base.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:13.564Z","revision":0,"description":"Base field operations","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"72iaT0tj2dJ2fNTHHMpyee","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier/src/skeleton.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:07.485Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7A7KmRdMHn51MgMqI4hEpI","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/state_transition_parts/writeback_no_exceptions.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:57.715Z","revision":0,"description":"Writeback phase of the state transition 
circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7FnxlWS5jCjBTaf2BH7CeN","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/common_impls/csr_with_delegation.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:58.890Z","revision":0,"description":"Csr circuit with delegation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7GGSEdSzLPLruC10qcjZqP","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/zksync_os/","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:45.662Z","revision":0,"description":"ZKsync OS program","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7c4MHE9bqiTNeHi59Z00mA","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/shift.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:04.043Z","revision":0,"description":"Shift operations circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7eWqG7NgwYBOcKGUPWDars","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_generator/src/inlining_generator/mod.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:12.288Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"B7sIkdZzNS9mcjr8SPvVy","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/ops/store.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:04.427Z","revision":0,"description":"Store instructions circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"DxmysUl5nICfGLbMjvsAf","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/proof_running_system","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:42.280Z","revision":0,"description":"Proof running 
system","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"GlIct7L3Nxj3JYxAf8s1g","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/one_row_compiler/compile_layout.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:04.894Z","revision":0,"description":"Circuit layout compiler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OQeeYAZurKt6TJM9C7usy","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/system_hooks/","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:44.729Z","revision":0,"description":"System hooks","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"PFzq4q5z7WpEgY5H1d0Y0","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_generator/src/inlining_generator/memory_accumulators.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:11.820Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"XW1e2SJj13ysRH8ukZ7ts","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_common/src/lib.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:08.807Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"aexfGTHwJvJq7fDafnRFG","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_generator/src/inlining_generator/utils.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:12.677Z","revision":0,"description":"Full statement 
verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"dbo9twJXkCd83jmTziW5i","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/machine_configurations/full_isa_no_exceptions/optimized_state_transition.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:54.978Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"fqPQUF4521cf5pFB8GCnU","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/cs/src/machine/decoder/decode_optimized_must_handle_csr.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:53.259Z","revision":0,"description":"RISC-V decoder circuit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"gh8Sol1r6ThxTX4lQec4R","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/prover/src/prover_stages/stage1.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:05.749Z","revision":0,"description":"Commitment generation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"jvPFCPq3aSLhv32leXBE5","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/verifier_common/src/fri_folding.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:08.380Z","revision":0,"description":"Full statement verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"rB3kzXmblq5UbvQglmQXv","url":"https://github.com/matter-labs/zksync-airbender/blob/0a0b78c1f14bd4cf8c3719b7c5c1f074c343690b/field/src/field_like.rs","type":"blockchain_dlt","addedAt":"2025-11-24T08:18:14.897Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"vfUky53xlUTHevl0AZcy0","url":"https://github.com/matter-labs/zksync-os/tree/4af87fdb6d30b8215d4affd81e6e5e9a8dbf8f52/oracle_provider/","type":"blockchain_dlt","addedAt":"2025-11-24T08:17:41.824Z","revision":0,"description":"Oracle 
provider","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99290","url":"https://github.com/matter-labs/zkos-wrapper/tree/574764c0da18bef56e1e9d04d8b92ca43c982251/wrapper/src","type":"blockchain_dlt","addedAt":"2026-03-21T11:09:58.188Z","revision":0,"description":"Boojum-based verifier for the final ZKSO layer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99291","url":"https://github.com/matter-labs/zkos-wrapper/tree/574764c0da18bef56e1e9d04d8b92ca43c982251/wrapper_generator/src","type":"blockchain_dlt","addedAt":"2026-03-21T11:09:58.188Z","revision":0,"description":"Generator for inlined verifier files (quotient_evaluator and circuit_layout)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99292","url":"https://github.com/matter-labs/zkos-wrapper/tree/574764c0da18bef56e1e9d04d8b92ca43c982251/circuit_mersenne_field/src","type":"blockchain_dlt","addedAt":"2026-03-21T11:09:58.188Z","revision":0,"description":"Boojum-based circuit implementation of the Mersenne field and its extension ","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["zkSync"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-11-24T08:16:26.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/bqfH2eaRX9bOByRgNuuL4/aceec9b93efea1ad81061596d6d2ee11/zkSync.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"ZKsync OS is an efficient, modular blockchain execution layer that enables chains to run different virtual machines, such as EVM, EraVM, or WASM. Currently, only the EVM is supported. 
The ZKsync OS program is designed to be compiled to RISC-V, with ZKsync Airbender used to prove the execution of this RISC-V program.\n\nAirbender is ZKsync’s next-generation proof system, purpose-built to enable efficient zero-knowledge proofs of RISC-V bytecode execution. Built on highly optimized STARK/FRI implementations, Airbender is designed to support ZKsync’s long-term scaling strategy by being fast, cost-efficient, and adaptable to a wide range of use cases — without compromising security.\n\n*As a promotional event to attract more security researchers, the ZKsync team has intentionally included a bug in their codebase that would lead to a Medium-level impact according to the Impacts in Scope section. The ZKsync team has committed to paying the first valid report on this impact, and agrees to waive the known issue rejection rights for it, including if the security researcher finds a higher level impact than intended.*\n\nFor more information about ZKsync OS, please visit [https://www.zksync.io/](https://www.zksync.io/).\n\nZKsync OS provides rewards in **USDC** on **ZKsync Era**, denominated in **USD**. For more details about the payment process, please view the **Rewards by Threat Level** section.\n\n__KYC Requirement__\n\nZKsync OS will be requesting KYC information in order to pay for successful bug submissions.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list\n- Official contributor, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nZKsync OS adheres to **Category 3: Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. 
For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nZKsync OS adheres to the Primacy of Impact for the following impacts:\n\n- Blockchain/DLT  —  Critical\n- Blockchain/DLT  —  High\n- Blockchain/DLT  —  Medium\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n\n__Previous Audits__\n\nZKsync OS’s completed audit reports can be found at [https://docs.zksync.io/zksync-protocol/security/audits](https://docs.zksync.io/zksync-protocol/security/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\nIssues that can be effectively mitigated by security measures such as a consistency checker and/or realistic, authorized actions by the Security Council will be considered lower impact than vulnerabilities that would cause irreparable or irreversible harm, and thus will be downgraded or classified as out of scope, at the discretion of ZKsync. 
A maximum possible payout for a Critical severity submission is only possible in cases where special access is not required to steal or permanently freeze funds (freezing funds with no way to restore them other than a hard fork).","programType":["Blockchain/DLT"],"project":"ZKsync OS","projectType":[],"rewardsBody":"For critical Blockchain/DLT bugs, the reward is dependent on the ratio between the funds at risk, which includes all affected projects on top of the respective blockchain/DLT, and the market cap according to the average between CoinMarketCap.com and CoinGecko.com, calculated at the time the bug report is submitted. \n\n__Reward Payment Terms__\n\nPayouts are handled by the ZKsync OS team directly and are denominated in **USD**. However, payments are done in **USDC** on **ZKsync Era**.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"zksync-os","tenPercentEconomicRule":false,"updatedDate":"2026-03-21T11:09:58.773Z","impactsBody":null,"websiteUrl":"https://zksync.io","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Airbender is ZKsync’s next-generation proof system, purpose-built to enable efficient zero-knowledge proofs of RISC-V bytecode execution. 
Built on highly optimized STARK/FRI implementations, Airbender is designed to support ZKsync’s long-term scaling strategy by being fast, cost-efficient, and adaptable to a wide range of use cases — without compromising security.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":5844,"type":"blockchain_dlt","severity":"medium","title":"Undocumented deviation from EVM behavior"},{"id":5839,"type":"blockchain_dlt","severity":"critical","title":"Direct and publicly triggerable loss of funds"},{"id":5840,"type":"blockchain_dlt","severity":"high","title":"Underconstraints in the circuit that make invalid ZKsync OS executions provable"},{"id":5841,"type":"blockchain_dlt","severity":"high","title":"Circuit, node, or program mismatches that make valid ZKsync OS executions unprovable and require verification key regeneration"}],"rewards":[{"id":43332,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":100000,"minReward":30000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43333,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":20000,"rewardModel":"fixed"},{"id":43334,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1EuzDXtrPNaK0hyotdK7bR","url":"https://github.com/byteball/ocore","type":"blockchain_dlt","addedAt":"2022-02-18T10:58:18.208Z","revision":0,"description":"Core 
Library","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5BrR3Gh8B48mwsQ3A1JkY2","url":"https://github.com/byteball/obyte-gui-wallet","type":"websites_and_applications","addedAt":"2022-02-18T10:58:50.691Z","revision":0,"description":"Wallet","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6yYOyngFvpgo3OXDpvmorv","url":"https://github.com/byteball/counterstake-bridge","type":"smart_contract","addedAt":"2022-05-10T15:55:28.523Z","revision":0,"description":"Smart Contracts and Autonomous Agents for Counterstake cross-chain bridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7CjclpdJvZh7Q8DSV4VNgT","url":"https://github.com/byteball/obyte-cascading-donations","type":"smart_contract","addedAt":"2025-08-19T22:06:57.725Z","revision":0,"description":"Autonomous Agent for cascading donations to github repos (kivach.org)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7bfAYRTnc0IJpwRuP6khx1","url":"https://github.com/byteball/prediction-markets-aa","type":"smart_contract","addedAt":"2025-08-19T22:07:14.019Z","revision":0,"description":"Autonomous Agent for prediction markets (prophet.ooo)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"vBS4nbCcc1ogVN9EMM3zA","url":"https://github.com/byteball/perpetual-aa","type":"smart_contract","addedAt":"2025-08-19T22:07:29.796Z","revision":0,"description":"Autonomous Agent for Pythagorean perpetual futures (pyth.ooo)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"31OyxOMkfBDGMuTkLZzsH0","url":"https://github.com/byteball/oswap-token-aa","type":"smart_contract","addedAt":"2025-08-19T22:07:57.143Z","revision":0,"description":"Autonomous Agent for OSWAP token (token.oswap.io)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7r5Po32ZC3ueYx4qMVpECx","url":"https://github.com/byteball/token-registry-aa","type":"smart_contract","addedAt":"2025-08-19T22:08:13.250Z","revision":0,"description":"Autonomous Agent for Obyte token registry 
(tokens.ooo)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"16rV26S7jtissXQ9CCVYxY","url":"https://github.com/byteball/city-aa","type":"smart_contract","addedAt":"2025-08-19T22:08:30.283Z","revision":0,"description":"Autonomous Agent for Obyte City (city.obyte.org)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99122","url":"https://github.com/byteball/friend-aa","type":"smart_contract","addedAt":"2026-03-03T18:42:11.169Z","revision":0,"description":"Smart Contract - Autonomous Agent for Obyte Friends (friends.obyte.org)","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Obyte"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript"],"launchDate":"2020-12-01T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5Wy12MgPYWNvcH7ihgHVqT/684f80d914af4b26229e0109d7185145/Obyte-logo.svg","maxBounty":50000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","smart_contract - medium","smart_contract - high","smart_contract - critical","blockchain_dlt - medium","blockchain_dlt - high","blockchain_dlt - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1","Wallet"],"programOverview":"Obyte is a distributed ledger based on directed acyclic graph **(DAG)** and is without middlemen. 
Unlike centralized ledgers and blockchains, access to the Obyte ledger is decentralized, disintermediated, free (as in freedom), equal, and open.\n\nThe Obyte Foundation is interested in securing their network, their core library, their GUI wallet, and some of their autonomous agents (smart contracts that operate completely independently). Primary areas of concern are around loss of user funds, DoS (not DDoS), and total network shutdown.\n\n__Primacy of Impact vs Primacy of Rules__\n\nObyte adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated on this page.","programType":["Smart Contract","Blockchain/DLT","Websites and Applications"],"project":"Obyte","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below.\n\n__Repeatable Attack Limitations__\n\nGiven that the reward for High is flat, there is no distinction between a one-time attack and an attack that is repeated and the reward stays the same.\n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are ineligible for a reward:\n\n- Compensated team members of the Obyte Foundation\n- Employees and team members of third-party suppliers to an Obyte Foundation affiliate that operate in a technical capacity and have assets covered in this bug bounty program\n\n__Reward Calculation for Critical Level Reports__\n\nFor Blockchain/DLT bug reports, in order to qualify for the reward of USD 50 000, the bug reported must be able to cause unrecoverable total network shutdown of the entire Obyte network or allow the unpermitted execution of transactions from accounts of other users without their private keys. 
All other critical bug reports are capped at a flat rate of USD 2 500.\n\nFor Critical Smart Contract and Web/App reports, the reward amount is 10% of the funds directly affected up to a maximum of USD 2 500.\n\n__Other Restrictions__\n\nFor all impacts directly involving funds being lost, the minimum impact is USD 1 000. Anything below is considered out-of-scope.\n\nThe web/app impacts of “Stealing User Cookies” and “Bypassing Authentication” are only accepted if they result in a loss of at least USD 1 000. The web/app impact of “Ability to execute system commands” is only accepted if the actions are done as root.\n\n__PoC Requirements__\n\nAll web and app bug reports must come with a PoC. All bug reports submitted without PoC will be rejected with instructions to provide PoC.\n\nPayouts are handled by the Obyte Foundation directly and are denominated in USD. The payout can be completed in GBYTE, BTC, or USDT.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"GBYTE, BTC, USDT","slug":"obyte","tenPercentEconomicRule":false,"updatedDate":"2026-03-20T16:50:50.373Z","impactsBody":"All Smart Contract impacts are only related to the Autonomous Agent assets.","websiteUrl":"https://obyte.org","githubUrl":"https://github.com/byteball","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Obyte is a distributed ledger based on directed acyclic graph **(DAG)** and is without middlemen. Unlike centralized ledgers and blockchains, access to the Obyte ledger is decentralized, disintermediated, free (as in freedom), equal, and open.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Impacts with direct financial damage whereby the total is less than or equal to 200% of the total expense used by the attacker","customProhibitedActivities":[],"impacts":[{"id":218,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying adequate processing for at least 1 day"},{"id":219,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 year"},{"id":220,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:         - HTML injection without JavaScript         - Replacing existing text with arbitrary text         - Arbitrary file uploads, etc."},{"id":221,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:         - Email address         - Phone number         - Physical address, etc."},{"id":222,"type":"blockchain_dlt","severity":"medium","title":"Temporary freezing of network transactions by delaying adequate processing for at least 1 hour"},{"id":224,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds"},{"id":227,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:         - Reflected HTML injection         - Loading external site data"},{"id":228,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such 
as:         - database passwords usable from the open internet ,        - wallet private keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":229,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions that lead to loss of funds on behalf of other users without any interaction by that user."},{"id":5912,"type":"blockchain_dlt","severity":"critical","title":"Network permanently unable to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user 
funds"}],"rewards":[{"id":43316,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":50000,"minReward":2500,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43317,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":1700,"rewardModel":"fixed"},{"id":43318,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":43319,"primacy":null,"severity":"critical","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":43320,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":1700,"rewardModel":"fixed"},{"id":43321,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":43322,"primacy":null,"severity":"critical","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"},{"id":43323,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":1700,"rewardModel":"fixed"},{"id":43324,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"6aUkdsvYMWokJ0JyBunmgd","url":"https://megaeth.blockscout.com/address/0xB8CE59FC3717ada4C02eaDF9682A9e934F625ebb","type":"smart_contract","addedAt":"2026-01-20T13:45:52.250Z","revision":0,"description":"USDT0 MegaEth","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Cuil4A6CBUPpMV8VMGFEo","url":"https://megaeth.blockscout.com/address/0x9151434b16b9763660705744891fA906F660EcC5","type":"smart_contract","addedAt":"2026-01-20T13:45:52.286Z","revision":0,"description":"OApp MegaEth","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Bm5pM4kU4iy5QkXbw7AeN","url":"https://flarescan.com/address/0xe7cd86e13AC4309349F30B3435a9d337750fC82D","type":"smart_contract","addedAt":"2025-07-16T12:55:34.124Z","revision":0,"description":"USDT0 
Flare","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1GW6N7B8lVrbUAhtZU2P3c","url":"https://optimistic.etherscan.io/address/0xF03b4d9AC1D5d1E7c4cEf54C2A313b9fe051A0aD","type":"smart_contract","addedAt":"2025-07-16T12:55:35.755Z","revision":0,"description":"OApp Optimism","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1NxFTazyOsDqqLk6JOQJPr","url":"https://monadscan.com/address/0xe7cd86e13AC4309349F30B3435a9d337750fC82D","type":"smart_contract","addedAt":"2025-11-25T09:43:31.949Z","revision":0,"description":"USDT0 Monad","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1pfm53bg5UYArKfFmMivvG","url":"https://plasmascan.to/address/0x02ca37966753bDdDf11216B73B16C1dE756A7CF9","type":"smart_contract","addedAt":"2025-11-14T08:18:04.322Z","revision":0,"description":"OApp Plasma","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1qEEorrigT8TyOheBQv7E4","url":"https://purrsec.com/address/0xB8CE59FC3717ada4C02eaDF9682A9e934F625ebb","type":"smart_contract","addedAt":"2025-07-16T12:55:34.121Z","revision":0,"description":"USDT0 HyperEVM (HyperliquidExtension)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1rPkTbuiotoXmyJNulcLZK","url":"https://arbiscan.io/address/0x14E4A1B13bf7F943c8ff7C51fb60FA964A298D92","type":"smart_contract","addedAt":"2025-01-29T09:37:10.001Z","revision":0,"description":"OApp Arbitrum Contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1znBszmEfLRk3aW67ZhqQZ","url":"https://monadscan.com/address/0x9151434b16b9763660705744891fA906F660EcC5","type":"smart_contract","addedAt":"2025-11-25T09:43:31.951Z","revision":0,"description":"OApp Monad","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"298tp4DY6jgXI9FWqlszxk","url":"https://cornscan.io/address/0xB8CE59FC3717ada4C02eaDF9682A9e934F625ebb/contract/21000000/readContract","type":"smart_contract","addedAt":"2025-07-16T12:55:35.747Z","revision":0,"description":"USDT0 
Corn","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2AWQYK9UJGYZNbE03FNoY5","url":"https://seitrace.com/token/0x56Fe74A2e3b484b921c447357203431a3485CC60?chain=pacific-1","type":"smart_contract","addedAt":"2025-07-16T12:55:34.076Z","revision":0,"description":"OApp Sei","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2xNXMosSWdV6C6h3fVZaxb","url":"https://explorer.inkonchain.com/address/0x0200C29006150606B650577BBE7B6248F58470c1","type":"smart_contract","addedAt":"2025-01-29T08:49:47.208Z","revision":0,"description":"USDT0 INK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"35DiMx2op3LEk8QRkMyJVw","url":"https://mantlescan.xyz/address/0xcb768e263FB1C62214E7cab4AA8d036D76dc59CC","type":"smart_contract","addedAt":"2025-11-27T17:21:11.759Z","revision":0,"description":"OApp Mantle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3FG7c7xaXvMVIuyl8jp0Yf","url":"https://arbiscan.io/address/0xfd086bc7cd5c481dcc9c85ebe478a1c0b69fcbb9","type":"smart_contract","addedAt":"2025-01-29T09:37:25.759Z","revision":0,"description":"USDT0 Arbitrum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3HO6xO1XjsSjgudMDJmNtV","url":"https://polygonscan.com/address/0x6BA10300f0DC58B7a1e4c0e41f5daBb7D7829e13","type":"smart_contract","addedAt":"2025-08-28T07:56:32.544Z","revision":0,"description":"OApp Polygon","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3SFYNHRlWlGWY6gTQp3QJr","url":"https://www.oklink.com/x-layer/address/0x94bcca6bdfd6a61817ab0e960bfede4984505554","type":"smart_contract","addedAt":"2025-09-15T08:48:37.869Z","revision":0,"description":"OApp X-Layer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3gNpk4tG4yMZHWSMVcTqM3","url":"https://flarescan.com/address/0x567287d2A9829215a37e3B88843d32f9221E7588","type":"smart_contract","addedAt":"2025-07-16T12:55:34.128Z","revision":0,"description":"OApp 
Flare","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3jYsiXUeLHLj6gFtpX7FUB","url":"https://explorer.inkonchain.com/address/0x1cB6De532588fCA4a21B7209DE7C456AF8434A65","type":"smart_contract","addedAt":"2025-01-29T08:49:32.807Z","revision":0,"description":"OApp INKSmart Contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3rUrMzYgU9HkHM7QCHq1mE","url":"https://seitrace.com/token/0x9151434b16b9763660705744891fA906F660EcC5?chain=pacific-1","type":"smart_contract","addedAt":"2025-07-16T12:55:35.650Z","revision":0,"description":"USDT0 Sei","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4M7mUSl4DSvBVKtvpvsgHj","url":"https://stablescan.xyz/address/0xedaba024be4d87974d5aB11C6Dd586963CcCB027","type":"smart_contract","addedAt":"2025-12-15T09:53:52.953Z","revision":0,"description":"OApp Stable","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Q7b8bQLu9yijNk0hsSCGy","url":"https://rootstock.blockscout.com/address/0x779dED0C9e1022225F8e0630b35A9B54Be713736","type":"smart_contract","addedAt":"2025-07-16T12:55:35.742Z","revision":0,"description":"USDT0 Rootstock","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5IWgDZOHERDhF18s4cFav5","url":"https://www.oklink.com/x-layer/address/0x779Ded0c9e1022225f8E0630b35a9b54bE713736","type":"smart_contract","addedAt":"2025-09-15T08:48:37.860Z","revision":0,"description":"USDT0 X-Layer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5JARn5d14N4X9UNqWbOofe","url":"https://berascan.com/address/0x3Dc96399109df5ceb2C226664A086140bD0379cB","type":"smart_contract","addedAt":"2025-07-16T12:55:34.056Z","revision":0,"description":"OApp Berachain","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5pD53p6aBJi39gzsO71F0G","url":"https://cornscan.io/address/0x3f82943338a8a76c35BFA0c1828aA27fd43a34E4","type":"smart_contract","addedAt":"2025-07-16T12:55:34.104Z","revision":0,"description":"OApp 
Corn","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5qUoV7nGalqx2FsZfQIsYj","url":"https://mantlescan.xyz/address/0x779Ded0c9e1022225f8E0630b35a9b54bE713736","type":"smart_contract","addedAt":"2025-11-27T17:21:11.738Z","revision":0,"description":"USDT0 Mantle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5yYQhjw2Z4fPjTEMkT1fJa","url":"https://polygonscan.com/address/0xc2132D05D31c914a87C6611C10748AEb04B58e8F#code","type":"smart_contract","addedAt":"2025-08-28T07:56:32.562Z","revision":0,"description":"USDT0 Polygon","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"65tLIitO0PkB300uQAul4y","url":"https://purrsec.com/address/0x904861a24F30EC96ea7CFC3bE9EA4B476d237e98/contract","type":"smart_contract","addedAt":"2025-07-16T12:55:34.118Z","revision":0,"description":"OApp HyperEVM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"66aE1oLRPtgm9qBsxku7Og","url":"https://stablescan.xyz/address/0x779Ded0c9e1022225f8E0630b35a9b54bE713736","type":"smart_contract","addedAt":"2025-12-15T09:53:52.957Z","revision":0,"description":"USDT0 Stable","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Dgap6C0RkxkoMn1SMXgY","url":"https://evm.confluxscan.net/address/0xaf37e8b6c9ed7f6318979f56fc287d76c30847ff","type":"smart_contract","addedAt":"2025-11-14T08:18:04.318Z","revision":0,"description":"USDT0 Conflux","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6oKvAqw9SZTV2Pq1vz8PXh","url":"https://unichain.blockscout.com/address/0x9151434b16b9763660705744891fA906F660EcC5","type":"smart_contract","addedAt":"2025-07-16T12:55:34.132Z","revision":0,"description":"USDT0 Unichain","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6xkXIgc7NpIyF4Hk5G8KWo","url":"https://optimistic.etherscan.io/address/0x01bFF41798a0BcF287b996046Ca68b395DbC1071","type":"smart_contract","addedAt":"2025-07-16T12:55:34.068Z","revision":0,"description":"USDT0 
Optimism","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7GrlGgk2EPxb0BZTKvliwG","url":"https://plasmascan.to/address/0xB8CE59FC3717ada4C02eaDF9682A9e934F625ebb","type":"smart_contract","addedAt":"2025-11-14T08:18:04.320Z","revision":0,"description":"USDT0 Plasma","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7a173IZJ8OqX7mVs4L4KEv","url":"https://evm.confluxscan.net/address/0xc57efa1c7113d98bda6f9f249471704ece5dd84a","type":"smart_contract","addedAt":"2025-11-14T08:18:04.328Z","revision":0,"description":"OApp Conflux","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7wsMfQPOPBfB7TmRXSRVib","url":"https://rootstock.blockscout.com/address/0x1a594d5d5d1c426281C1064B07f23F57B2716B61","type":"smart_contract","addedAt":"2025-07-16T12:55:35.818Z","revision":0,"description":"OApp Rootstock","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"JorzgTAwiA40OFc14BnBg","url":"https://unichain.blockscout.com/address/0xc07bE8994D035631c36fb4a89C918CeFB2f03EC3","type":"smart_contract","addedAt":"2025-07-16T12:55:35.806Z","revision":0,"description":"OApp Unichain","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"RyGoEspexCJZGI0oVELeB","url":"https://etherscan.io/address/0x6c96de32cea08842dcc4058c14d3aaad7fa41dee","type":"smart_contract","addedAt":"2025-01-29T08:49:18.862Z","revision":0,"description":"OApp Adapter Ethereum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"cDgZDvotE03oOftDQo9UU","url":"https://beratrail.io/token/0x779Ded0c9e1022225f8E0630b35a9b54bE713736","type":"smart_contract","addedAt":"2025-07-16T12:55:34.114Z","revision":0,"description":"USDT0 Berachain","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98707","url":"https://explorer.morph.network/address/0xe7cd86e13AC4309349F30B3435a9d337750fC82D","type":"smart_contract","addedAt":"2026-02-06T11:43:38.078Z","revision":0,"description":"USDT0 
Morph","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98708","url":"https://explorer.morph.network/address/0xcb768e263FB1C62214E7cab4AA8d036D76dc59CC","type":"smart_contract","addedAt":"2026-02-06T11:43:38.078Z","revision":0,"description":"OApp Morph","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99184","url":"https://hashscan.io/mainnet/contract/0xe3119e23fC2371d1E6b01775ba312035425A53d6","type":"smart_contract","addedAt":"2026-03-12T12:01:26.357Z","revision":0,"description":"OApp Hedera","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99289","url":"https://explore.mainnet.tempo.xyz/address/0xaf37E8B6C9ED7f6318979f56Fc287d76c30847ff","type":"smart_contract","addedAt":"2026-03-19T16:37:02.152Z","revision":0,"description":"OApp Tempo","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Pro","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Typescript","Solidity"],"launchDate":"2025-01-30T14:58:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4qpRnmuoUMcdOxUOuFQUeN/278e2ad4821b6e2dadf60d84e3a4bb4f/USDT0.png","maxBounty":6000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities are priorities according to impact and/or severity.","productType":["Stablecoin","Crosschain Liquidity"],"programOverview":"USDT0 acts as a one stop solution for USDT’s interoperability and expansion to new chains. At the heart of USDT0 is LayerZero’s Omnichain Fungible Token (OFT). \n\nHere’s how it works:\n\n1. Locking Assets: USDT gets locked in a secure smart contract on Ethereum Mainnet.\n2. 
Issuance on Destination Chains: Equivalent USDT0 tokens are minted on the destination chain, reflecting the locked amount.\n3. Cross-Chain Transfers: Users can move USDT0 across supported chains without worrying about liquidity. The OFT model ensures that transfers happen securely, quickly, and cheaply.\n4. Redemption: USDT0 tokens can be redeemed by unlocking the corresponding USDT on Ethereum, from any supported chain, always maintaining a strict 1:1 backing. \n\nFor more information about USDT0, please visit [https://usdt0.to/](https://usdt0.to/)\n\nUSDT0 provides rewards in Fiat USD via wire transfer or USDT and USDT0, denominated in USD. For more details about the payment process, please view the **Rewards by Threat Level** section.\n\n__KYC Requirement__\n\nUSDT0 requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed are:\n\n- Invoice is required with Name, Address, and Payment Instructions\n- Proof of address (either a redacted bank statement with your address or a recent utility bill with your name, address, and issuer of the bill)\n- Copy of your passport or other Government ID will be required\n- Bounty hunters must pass OFAC Screening. Rewards cannot be paid out if hunters are on the OFAC SDN list\n- The collection of this information will be done by the USDT0 compliance team.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nUSDT0 adheres to **category 3 - Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. 
For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nUSDT0 adheres to the Primacy of Impact for the following impact:\n- Smart Contract - Critical - Direct Theft of Funds\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nUSDT0’s completed audit reports can be found at [https://github.com/Everdawn-Labs/usdt0-audit-reports](https://github.com/Everdawn-Labs/usdt0-audit-reports). 
Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Smart Contract"],"project":"USDT0","projectType":["Defi","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nCritical Smart Contracts reports are reports that affect USDT redemptions on Ethereum, by either exploiting the Lockbox on ETH, or minting unbacked USDT0 on receival chains that will then be able to be redeemed on ETH.\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 6 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n\nUSDT0 is built on LayerZero, using the OFT v2 standard. Reports with impacts that are  already covered under the LayerZero Bug Bounty Program will be forwarded to the relevant LayerZero Bug Bounty Program. If the report is accepted by LayerZero's program, rewards will be determined and paid through their bounty program. Additional rewards from the USDT0 program for such issues are discretionary and may be awarded by the USDT0 team.\n\n\nFor the Protocol Insolvency impact, the amount considered at risk is the amount of USDT tokens kept in the USDT0 lockbox on ETH.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the USDT0 team directly and are denominated in USD. However, payments are done in Fiat USD via wire transfer or USDT and USDT0.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"usdt0","tenPercentEconomicRule":false,"updatedDate":"2026-03-19T16:37:02.534Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"USDT0 acts as a one stop solution for USDT’s interoperability and expansion to new chains. At the heart of USDT0 is LayerZero’s Omnichain Fungible Token (OFT).","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"}],"rewards":[{"id":43314,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":6000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43315,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"}],"audits":[{"id":"2r33Le6zrhja1d4SFcaneE","url":"https://github.com/Everdawn-Labs/usdt0-audit-reports/tree/main/Paladin","auditor":"Paladin","date":"2025-01-10T00:00:00.000Z"}]},{"assets":[{"id":"0N1SSvIJmutCYWO48m2Lp","url":"https://neutron.celat.one/neutron-1/contracts/neutron1jm5x56f6z9n7ca7545y93runm00hd4lafqeq929w0a7ug6nwd20s4a8cfw","type":"smart_contract","addedAt":"2024-06-21T11:26:47.055Z","revision":0,"description":"Lockdrop PCL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Im0DGbyxhlsTNvgwQOLg7","url":"https://neutron.celat.one/neutron-1/contracts/neutron1ug740qrkquxzrk2hh29qrlx3sktkfml3je7juusc2te7xmvsscns0n2wry","type":"smart_contract","addedAt":"2024-06-21T11:32:48.330Z","revision":0,"description":"Lido Satellite (neutron-1)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1MEQ3XFbtO5PYQRXvpZeQi","url":"https://neutron.celat.one/neutron-1/contracts/neutron1ryhxe5fzczelcfmrhmcw9x2jsqy677fw59fsctr09srk24lt93eszwlvyj","type":"smart_contract","addedAt":"2024-06-21T11:00:09.730Z","revision":0,"description":"Lockdrop","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1QsgF8M6iBN33B5y9GOsHO","url":"https://neutron.celat.one/neutron-1/contracts/neutron1hulx7cgvpfcvg83wk5h96sedqgn72n026w6nl47uht554xhvj9nsgs8v0z","type":"smart_contract","addedAt":"2024-06-21T10:45:28.242Z","revision":0,"description":"Single Pre-Proposal 
Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ViFULC47Ne3pBoIu9HhyD","url":"https://neutron.celat.one/neutron-1/contracts/neutron14q5elxj4ghktt7d7d0uw0cs0gqyeay25h5fkree897gjm38gevxqmvqsq5","type":"smart_contract","addedAt":"2024-06-21T11:32:09.002Z","revision":0,"description":"Neutron Vesting Investors","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ZNcjukfPEi63wW3Lghd60","url":"https://neutron.celat.one/neutron-1/contracts/neutron1zjdv3u6svlazlydmje2qcp44yqkt0059chz8gmyl5yrklmgv6fzq9chelu","type":"smart_contract","addedAt":"2024-06-21T10:56:07.318Z","revision":0,"description":"Grants subDAO Core","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1cGLis0RAYTVQlNaWXkS0I","url":"https://neutron.celat.one/neutron-1/contracts/neutron1zjd5lwhch4ndnmayqxurja4x5y5mavy9ktrk6fzsyzan4wcgawnqjk5g26","type":"smart_contract","addedAt":"2024-06-21T10:54:47.698Z","revision":0,"description":"Security subDAO Pre-Proposal Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1sXjyqGupi3uGRbfw7uCnt","url":"https://neutron.celat.one/neutron-1/contracts/neutron1wastjc07zuuy46mzzl3egz4uzy6fs59752grxqvz8zlsqccpv2wqhjw0cl","type":"smart_contract","addedAt":"2024-06-21T10:55:07.646Z","revision":0,"description":"Security subDAO Voting Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1zrIKAEVH3vQNIvOhrppaz","url":"https://github.com/neutron-org/neutron/tree/main/x/harpoon","type":"blockchain_dlt","addedAt":"2025-06-09T07:16:53.635Z","revision":0,"description":"Harpoon (module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"248NvBeZn5KpbYg1iUfXkX","url":"https://neutron.celat.one/neutron-1/contracts/neutron1pvrwmjuusn9wh34j7y520g8gumuy9xtl3gvprlljfdpwju3x7ucsj3fj40","type":"smart_contract","addedAt":"2024-06-21T10:45:47.661Z","revision":0,"description":"Multiple Proposal 
Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2GR9zSugAkDfCghABUeDtQ","url":"https://etherscan.io/address/0x8A5fcd88B4aC70A1939955fAeA4E12bd0C7B1237","type":"smart_contract","addedAt":"2024-06-21T11:33:07.953Z","revision":0,"description":"GMP Helper (Ethereum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Ndd5jmEXs2Gn93tEfzkrR","url":"https://neutron.celat.one/neutron-1/contracts/neutron1suhgf5svhu4usrurvxzlgn54ksxmn8gljarjtxqnapv8kjnp4nrstdxvff","type":"smart_contract","addedAt":"2024-06-21T10:44:48.405Z","revision":0,"description":"Neutron DAO Core","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2UY9Z36DcZL52hWIKCE5e1","url":"https://neutron.celat.one/neutron-1/contracts/neutron1w3uu5eex3hduqcj6pgx30z3xf9ar4gelk56j7c36qzdjkjlvjuws8a6x7g","type":"smart_contract","addedAt":"2024-06-21T11:31:22.399Z","revision":0,"description":"Neutron Vesting LP PCL [ATOM]","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2dVsRtkUTiGusDsMLhtO6U","url":"https://immunefi.com/bug-bounty/neutron/information/","type":"smart_contract","addedAt":"2024-12-18T14:52:58.487Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"2ereMkIIX1n6ax8Dnw1uZk","url":"https://neutron.celat.one/neutron-1/contracts/neutron1lvl674duw26psvzux5050du5kfg40kmy5z70t6am8pw6yje2wfjq66lmj2","type":"smart_contract","addedAt":"2024-06-21T10:55:28.814Z","revision":0,"description":"Timelock Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2lILsxmmEjSh6TPO7Ck6Og","url":"https://neutron.celat.one/neutron-1/contracts/neutron1fuyxwxlsgjkfjmxfthq8427dm2am3ya3cwcdr8gls29l7jadtazsuyzwcc","type":"smart_contract","addedAt":"2024-06-21T10:50:00.848Z","revision":0,"description":"Security subDAO 
Core","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2lsksmVQYWfmwnpkGXWbbW","url":"https://neutron.celat.one/neutron-1/contracts/neutron1kf9yq7vuyj9rshwpr52xru779y832g7jpgyysprvpm9xzu2m6mlsm6r64n","type":"smart_contract","addedAt":"2025-06-09T07:20:08.032Z","revision":0,"description":"Neutron Staking Tracker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2mqQMauO5w7s1CaYKL1snq","url":"https://neutron.celat.one/neutron-1/contracts/neutron1qeyjez6a9dwlghf9d6cy44fxmsajztw257586akk6xn6k88x0gus5djz4e","type":"smart_contract","addedAt":"2024-06-21T10:47:47.590Z","revision":0,"description":"NTRN Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2nLIMLBcAJtnLblLMQDUk5","url":"https://neutron.celat.one/neutron-1/contracts/neutron1f6jlx7d9y408tlzue7r2qcf79plp549n30yzqjajjud8vm7m4vdspg933s","type":"smart_contract","addedAt":"2024-06-21T10:47:27.551Z","revision":0,"description":"Voting Registry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2rMkM0ORTHeQygrQ7O8PF8","url":"https://neutron.celat.one/neutron-1/contracts/neutron1dmd56h7hlevuwssp203fgc2uh0qdtwep2m735fzksuavgq3naslqp0ehvx","type":"smart_contract","addedAt":"2024-06-21T10:49:44.538Z","revision":0,"description":"Vesting Investors Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"30PnUbMOXueqIpHVOv8WG8","url":"https://immunefi.com/bug-bounty/neutron/information/","type":"blockchain_dlt","addedAt":"2024-12-18T14:54:19.592Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"340Kmmb5jOfWeX8gMP0DMF","url":"https://github.com/neutron-org/neutron/tree/main/x/feeburner","type":"blockchain_dlt","addedAt":"2024-06-21T10:40:38.389Z","revision":0,"description":"Feeburner 
(module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3nPKN650bs7fmsqFcjJEB9","url":"https://neutron.celat.one/neutron-1/contracts/neutron1adavpfxyp5kgs3zp0n0vkc37qakeh5eqwxqxzysgg0ahlx82rmsqp4rnz8","type":"smart_contract","addedAt":"2024-06-21T10:49:01.747Z","revision":0,"description":"LP Vesting Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ot228vD7zXzX3ltfpQ67y","url":"https://github.com/neutron-org/neutron/tree/main/x/revenue","type":"blockchain_dlt","addedAt":"2025-06-09T07:16:40.075Z","revision":0,"description":"Revenue (module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"41FH7hsW5QP2hFIcNhNN57","url":"https://neutron.celat.one/neutron-1/contracts/neutron1436kxs0w2es6xlqpp9rd35e3d0cjnw4sv8j3a7483sgks29jqwgshlt6zh","type":"smart_contract","addedAt":"2024-06-21T10:45:05.873Z","revision":0,"description":"Single Proposal Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4A71DN2HlG0tjAv2DycFmP","url":"https://github.com/neutron-org/neutron/tree/main/x/interchaintxs","type":"blockchain_dlt","addedAt":"2024-06-21T10:40:15.322Z","revision":0,"description":"Interchain Transactions (module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4HyNjWKRIkkO9OgEgCEzcp","url":"https://neutron.celat.one/neutron-1/contracts/neutron1hyja4uyjktpeh0fxzuw2fmjudr85rk2qu98fa6nuh6d4qru9l0ssh3kgnu","type":"smart_contract","addedAt":"2024-06-21T10:55:48.586Z","revision":0,"description":"Security subDAO CW4 Group","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4LvUjOstAinWXMrcoICj1","url":"https://neutron.celat.one/neutron-1/contracts/neutron19j2m9enzvq4kpd72tr3cz46z2kq6rnedc2q4pj6w5wq6v86va58qkled36","type":"smart_contract","addedAt":"2025-06-09T07:19:49.658Z","revision":0,"description":"Neutron Staking 
Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4OywqjrNbhPPV2MIHGpLKg","url":"https://neutron.celat.one/neutron-1/contracts/neutron1w2jqqefaalu9ylyh6sge8atxg0re4llade8xwc5r2tx4zkdj4keq5r4pxk","type":"smart_contract","addedAt":"2024-06-21T10:49:21.180Z","revision":0,"description":"LP Vesting Vault PCL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4minT7k0DzBvsSRcZ7Kaf7","url":"https://neutron.celat.one/neutron-1/contracts/neutron1gqq3c735pj6ese3yru5xr6ud0fvxgltxesygvyyzpsrt74v6yg4sgkrgwq","type":"smart_contract","addedAt":"2025-06-09T07:20:23.490Z","revision":0,"description":"Neutron Staking Rewards","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4wsoLjlSurBkIaLieeCac6","url":"https://github.com/neutron-org/neutron/tree/main/x/interchainqueries","type":"blockchain_dlt","addedAt":"2024-06-21T10:42:12.386Z","revision":0,"description":"Interchain Queries (module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4zH1kYs8dhISIBnaZZ1vM4","url":"https://github.com/neutron-org/neutron-dao/tree/main/contracts/subdaos/proposal/cwd-subdao-proposal-single","type":"smart_contract","addedAt":"2024-06-21T10:57:22.613Z","revision":0,"description":"Security subDAO Pre-Proposal Module(without timelock)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"56AoTfrzcCU7dqZwEzXh0f","url":"https://neutron.celat.one/neutron-1/contracts/neutron15m728qxvtat337jdu2f0uk6pu905kktrxclgy36c0wd822tpxcmqvnrurt","type":"smart_contract","addedAt":"2024-06-21T10:54:26.994Z","revision":0,"description":"Security subDAO Single Proposal Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"59e7otGfWuicAK6nPh48xe","url":"https://github.com/neutron-org/neutron/tree/main/x/feerefunder","type":"blockchain_dlt","addedAt":"2024-06-21T10:44:22.463Z","revision":0,"description":"Feerefunder 
(module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5BMGhceKhdpZ2rDWDxxkQn","url":"https://github.com/neutron-org/neutron/tree/main/x/feeburner","type":"blockchain_dlt","addedAt":"2024-06-21T10:44:01.336Z","revision":0,"description":"Feeburner (module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5JCPgbEB2LBo3teA3lsOsw","url":"https://neutron.celat.one/neutron-1/contracts/neutron14n7jt2qkngxtgr7dgdt50g4xn2a29llz79h9y25lrsqyxrwmngmsmt9kta","type":"smart_contract","addedAt":"2024-06-21T10:56:27.650Z","revision":0,"description":"Grants subDAO Single Proposal Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5MAb1Tip4mJ8ycJ9N5yK0D","url":"https://neutron.celat.one/neutron-1/contracts/neutron15lc33nfyp943s59pxylz8kvhhqxdfsurn2e70380evqzzkns422qnzt6n3","type":"smart_contract","addedAt":"2024-06-21T10:48:44.390Z","revision":0,"description":"Lockdrop Vault PCL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5UtPlBokOV5SLLRQx8HOip","url":"https://neutron.celat.one/neutron-1/contracts/neutron1w798gp0zqv3s9hjl3jlnwxtwhykga6rn93p46q2crsdqhaj3y4gsum0096","type":"smart_contract","addedAt":"2024-06-21T10:47:09.073Z","revision":0,"description":"Overrule Pre-Proposal Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5iQ5thNtydtpUE3cv8ss94","url":"https://github.com/neutron-org/neutron/tree/main/x/cron","type":"blockchain_dlt","addedAt":"2024-06-21T10:43:12.149Z","revision":0,"description":"CRON (module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5smJRVaajP36NMNCmIe6Y1","url":"https://neutron.celat.one/neutron-1/contracts/neutron12pwnhtv7yat2s30xuf4gdk9qm85v4j3e6p44let47pdffpklcxlq56v0te","type":"smart_contract","addedAt":"2024-06-21T10:46:45.817Z","revision":0,"description":"Overrule Proposal 
Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"60wBSx53QcurAJM1M1qnk8","url":"https://neutron.celat.one/neutron-1/contracts/neutron1hptk0k5kng7hjy35vmh009qd5m6l33609nypgf2yc6nqnewduqasxplt4e","type":"smart_contract","addedAt":"2024-06-21T11:29:26.415Z","revision":0,"description":"Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6UzXwRZ2xmcOSHRzLBFbhO","url":"https://neutron.celat.one/neutron-1/contracts/neutron1kkwp7pd4ts6gukm3e820kyftz4vv5jqtmal8pwqezrnq2ddycqasr87x9p","type":"smart_contract","addedAt":"2024-06-21T11:30:31.419Z","revision":0,"description":"Neutron Vesting LP [ATOM]","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6mecnvEpKTXDOGP5nYaDDD","url":"https://neutron.celat.one/neutron-1/contracts/neutron1wgzzn83hhcc5asrtslqvaw2wuqqkfulgac7ze94dmqkrxu8nsensmy9dkv","type":"smart_contract","addedAt":"2024-06-21T11:30:57.092Z","revision":0,"description":"Neutron Vesting LP [USDC]","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6n9H7BpXGJkA9HjwbaIU2S","url":"https://github.com/neutron-org/neutron/tree/main/x/contractmanager","type":"blockchain_dlt","addedAt":"2024-06-21T10:42:45.994Z","revision":0,"description":"ContractManager (module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6qIAu4CrermrMm0DIWPeWi","url":"https://neutron.celat.one/neutron-1/contracts/neutron190apdalu43hq6qm4x5sjvyx7ccsc65tx3paaphc59d32lld27fkslg052r","type":"smart_contract","addedAt":"2024-06-21T11:31:50.273Z","revision":0,"description":"Neutron Vesting LP PCL [USDC]","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6sAZf80K1CKjFZURsFGxjm","url":"https://neutron.celat.one/neutron-1/contracts/neutron1aj3xpcumkx3jr5kncr6gvtduuy4suu6m628ftadv8x8vx9vrfhxs8gkzk7","type":"smart_contract","addedAt":"2024-06-21T10:57:05.313Z","revision":0,"description":"Grants subDAO Voting 
Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"71BMGmII201Zr6pulOdJry","url":"https://neutron.celat.one/neutron-1/contracts/neutron1a5xz4zm0gkpcf92ddm7fw8pghg2mf4wm6cyu6cgcruq35upf7auslnnfye","type":"smart_contract","addedAt":"2024-06-21T11:32:29.782Z","revision":0,"description":"LTI Vesting","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"71hEVlw7hcwAkwudFupDPZ","url":"https://neutron.celat.one/neutron-1/contracts/neutron1up07dctjqud4fns75cnpejr4frmjtddzsmwgcktlyxd4zekhwecqt2h8u6","type":"smart_contract","addedAt":"2024-06-21T10:46:08.003Z","revision":0,"description":"Multiple Pre-Proposal Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"78WIXBdkEJ4xcKZCIGxKng","url":"https://neutron.celat.one/neutron-1/contracts/neutron1rxwzsw37ulveefk20575mlxl3hzhzv9k46c8gklfkt4g2vk4w3tse8usrs","type":"smart_contract","addedAt":"2024-06-21T10:48:05.313Z","revision":0,"description":"Credits Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7K2QrvVp3leQU01CtSfe0W","url":"https://github.com/neutron-org/neutron/tree/main/x/dex","type":"blockchain_dlt","addedAt":"2024-10-01T15:35:29.393Z","revision":0,"description":"DEX (module)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7gTmK0jQ451VC8xNy5nPGK","url":"https://neutron.celat.one/neutron-1/contracts/neutron1f8gs4rp232ngyta3g2efwfkznymvv85du7qm9y0mhvjxpp3cq68qgquudm","type":"smart_contract","addedAt":"2024-06-21T10:48:23.660Z","revision":0,"description":"Lockdrop Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7hcK4mqzihGCb2hkfufhjV","url":"https://github.com/neutron-org/neutron-dao/tree/main/contracts/dao","type":"blockchain_dlt","addedAt":"2024-06-21T10:41:03.965Z","revision":0,"description":"DAO 
(contracts)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"PRDNZI3dlsSaxMNJhZG6O","url":"https://neutron.celat.one/neutron-1/contracts/neutron1s0fjev2pmgyaj0uthszzp3tpx59yp2p07vwhj0467sl9j343dk9qss6x9w","type":"smart_contract","addedAt":"2024-06-21T10:56:45.985Z","revision":0,"description":"Grants subDAO Pre-Proposal Module","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Neutron’s codebase can be found at [https://github.com/neutron-org](https://github.com/neutron-org). Documentation and further resources can be found on [https://docs.neutron.org/](https://docs.neutron.org/).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Cosmos"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Rust"],"launchDate":"2024-07-02T08:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6s6q2dCluzikNzgkxSk7Zk/51597fa7af11044282aa1d70d80cfd57/Neutron.png","maxBounty":100000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L1"],"programOverview":"By granting smart contracts the powers of an appchain, Neutron enables developers to build breakthrough applications and onboard users from anywhere.\nFor more information about Neutron, please visit [https://www.neutron.org/](https://www.neutron.org/).  \n\nNeutron provides rewards in NTRN, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n__Primacy of Impact vs Primacy of Rules__\n\nNeutron adheres to the Primacy of Impact for the following impacts:\n- Blockchain/DLT - Critical \n- Blockchain/DLT - High \n- Smart Contracts - Critical \n- Smart Contracts - High \n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Previous Audits__\n\nNeutron’s completed audit reports can be found at [https://github.com/neutron-org/audits/blob/3b17d63a2e5f39567b9c0169a8c4590c00e4d6c0/07.12.2022%20OAK%20Security%20Audit%20Report.pdf](https://github.com/neutron-org/audits/blob/3b17d63a2e5f39567b9c0169a8c4590c00e4d6c0/07.12.2022%20OAK%20Security%20Audit%20Report.pdf) and [https://github.com/neutron-org/audits/blob/3b17d63a2e5f39567b9c0169a8c4590c00e4d6c0/06.04.2023%20Informal%20Systems%20Audit%20Report.pdf](https://github.com/neutron-org/audits/blob/3b17d63a2e5f39567b9c0169a8c4590c00e4d6c0/06.04.2023%20Informal%20Systems%20Audit%20Report.pdf). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Note for Blockchain/DLT assets__\n\n- Interchain Transactions (module) - This module allows smart contracts to control accounts on remote chains.\n- Feeburner (module) - This module reduces the supply of NTRN by burning gas fees that were collected in NTRN.\n- DAO (contracts) - The DAO contracts, including the core contract, are effectively the governance of the chain (the core has superuser privileges, e.g., it can change chain params, burn NTRN, etc.) Also the core contract’s balance can hold significant amounts of funds at various points in time. \n- DEX (module) - This module implements a DEX and can potentially hold a lot of funds.\n- Interchain Queries (module) - This module allows smart contracts to retrieve information from remote chains in a trustless manner.\n- ContractManager (module) - This module helps the interchain accounts module process interchain transactions and their callbacks.\n- CRON (module) - This module allows regular (EndBlocker) execution of a list of contracts approved by the DAO.\n- Feeburner (module) - This module implements the deflationary tokenomics (burns a certain portion of block rewards before sending them to the validators).\n- Feerefunder (module) - This module manages the fees that are collected from the users of the interchain queries & interchain txs module.\n- Revenue (module) - This module introduces a performance-based validator revenue distribution system designed to allocate NTRN rewards to validators based on their uptime and oracle voting activity.\n- Harpoon (module) - This module enables contracts to subscribe to specific validator and delegation hooks, such as when a validator is created, bonded, or slashed.","programType":["Blockchain/DLT","Smart Contract"],"project":"Neutron","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability 
Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward USD 100 000 (in NTRN). However, a minimum reward of USD 10 000 (in NTRN) is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nFor critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows: \nNetwork not being able to confirm new transactions (total network shutdown)\nUSD 10 000 (in NTRN)\nUnintended permanent chain split requiring hard fork (network partition requiring hard fork)\nUSD 10 000  (in NTRN)\nPermanent freezing of funds (fix requires hardfork)\nUSD 10 000 (in NTRN)\n\nFor high Blockchain/DLT non-funds-at risk impacts, the reward will be paid out as follows: \n\n- Temporary freezing of network transactions by delaying one block by 2400% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments - USD 10 000 (in NTRN)\n- Causing network processing nodes to process transactions from the mempool beyond set parameters - USD 10 000 (in NTRN)\n- RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer - USD 10 000 (in NTRN)\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000 (in NTRN). The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 5 000 (in NTRN) is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Payment Terms__\n\nPayouts are handled by the Neutron team directly and are denominated in USD. However, payments are done in NTRN. \n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"NTRN","slug":"neutron","tenPercentEconomicRule":false,"updatedDate":"2026-03-19T15:00:44.727Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"By granting smart contracts the powers of an appchain, Neutron enables developers to build breakthrough applications and onboard users from anywhere. 
For more information about Neutron, please visit [https://www.neutron.org/](https://www.neutron.org/).","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":4946,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 2400% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":4947,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed 
royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":4948,"type":"smart_contract","severity":"critical","title":"Direct theft of any treasury funds"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or 
in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":5526,"type":"blockchain_dlt","severity":"low","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"}],"rewards":[{"id":43307,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43308,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":10000,"rewardModel":"fixed"},{"id":43309,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","fixedReward":5000,"rewardModel":"fixed"},{"id":43310,"primacy":null,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":43311,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43312,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":43313,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"4XvoQ2aDUrreYC5o1qXvnx","url":"https://github.com/neutron-org/audits/blob/3b17d63a2e5f39567b9c0169a8c4590c00e4d6c0/07.12.2022%20O
AK%20Security%20Audit%20Report.pdf?utm_source=immunefi","auditor":"Oak Security","date":"2022-12-07T00:00:00.000Z"},{"id":"J29IZ1oKIBcFf1PPkE1Iz","url":"https://github.com/neutron-org/audits/blob/3b17d63a2e5f39567b9c0169a8c4590c00e4d6c0/06.04.2023%20Informal%20Systems%20Audit%20Report.pdf?utm_source=immunefi","auditor":"Informal Systems","date":"2023-04-06T00:00:00.000Z"}]},{"assets":[{"id":"1LVHnnGVPitrmmspqvvmL2","url":"https://optimistic.etherscan.io/address/0xd5f8c9d87b7691449dec453d041d9054e0fdd228","type":"smart_contract","addedAt":"2025-12-23T10:48:57.996Z","revision":0,"description":"Refunder","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1V0KaH6mQm6WZ9wbEOIS8","url":"https://optimistic.etherscan.io/address/0x22ab31Cd55130435b5efBf9224b6a9d5EC36533F","type":"smart_contract","addedAt":"2023-04-04T13:55:04.639Z","revision":0,"description":"MarketWstETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1nfvL1cjoIFWKTG6CSik1q","url":"https://optimistic.etherscan.io/address/0xa430A427bd00210506589906a71B54d6C256CEdb","type":"smart_contract","addedAt":"2023-04-04T13:54:10.059Z","revision":0,"description":"MarketOP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2oP0md7J1SV7LrmolI80Xj","url":"https://optimistic.etherscan.io/address/0x8C2F35c8076bCb5D4b696bAE11AcA0ac0Dd873e4","type":"smart_contract","addedAt":"2023-04-04T13:52:55.450Z","revision":0,"description":"InterestRateModelUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3INBY4MGLd7z9GAlhnCeIP","url":"https://optimistic.etherscan.io/address/0x6E1Bb47F2895E84160f61df922e7fF0B656f3Cff","type":"smart_contract","addedAt":"2025-12-23T10:48:58.205Z","revision":0,"description":"InstallmentsRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3YoWFBKAbC4QQvSeZj0dmk","url":"https://optimistic.etherscan.io/address/0xbea586A167853ADddEF12818f264f1F9823fBc18","type":"smart_contract","addedAt":"2024-03-14T15:40:02.320Z","revision":0,"description":"EscrowedEXA","isSafeHarbor":fa
lse,"isPrimacyOfImpact":false},{"id":"3lgNXnYiYnzHJjVxsZVxC2","url":"https://optimistic.etherscan.io/address/0x6926B434CCe9b5b7966aE1BfEef6D0A7DCF3A8bb","type":"smart_contract","addedAt":"2025-12-23T10:48:58.276Z","revision":0,"description":"MarketUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3pa0T0fKtQEmTchWiCvVoU","url":"https://optimistic.etherscan.io/address/0x59a644e490e48235adf8ba9b814a4f666c4feb3a","type":"smart_contract","addedAt":"2025-12-23T10:48:58.267Z","revision":0,"description":"IssuerChecker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3uoLPtBN8N18FuNTBqUNFm","url":"https://optimistic.etherscan.io/address/0x92024C4bDa9DA602b711B9AbB610d072018eb58b","type":"smart_contract","addedAt":"2023-04-04T13:55:22.780Z","revision":0,"description":"TimelockController","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"40nPHy3vAX4bruIHbiG1ZV","url":"https://optimistic.etherscan.io/address/0xBd1ba78A3976cAB420A9203E6ef14D18C2B2E031","type":"smart_contract","addedAt":"2023-09-13T21:59:43.489Z","revision":0,"description":"RewardsController","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"49vSJ557AOuzSYMl5695dw","url":"https://optimistic.etherscan.io/address/0xb27113B72135942065E0Fa09984FE2Bf008d5f3c","type":"smart_contract","addedAt":"2023-09-13T21:59:55.969Z","revision":0,"description":"DebtManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ATbPdawhCbB67wAIW90tZ","url":"https://optimistic.etherscan.io/address/0x81C9A7B55A4df39A9B7B5F781ec0e53539694873","type":"smart_contract","addedAt":"2023-04-04T13:54:28.600Z","revision":0,"description":"MarketUSDC.e","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4M14IfdKqDNfay4ZPLkke1","url":"https://optimistic.etherscan.io/address/0x6817974ca2c354f2fa40d8349b725b5bf81c8338","type":"smart_contract","addedAt":"2025-12-23T10:48:58.247Z","revision":0,"description":"ProposalManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4NuWqxfo9kD5dQPyBDXZuM","url":"https://
optimistic.etherscan.io/address/0x3d73D0fb9e63c49ba8e9cd738964D5E08C047f3e","type":"smart_contract","addedAt":"2025-12-23T10:48:58.426Z","revision":0,"description":"ExaPlugin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4O6YtLVN7xFwzXK7YdTaSb","url":"https://optimistic.etherscan.io/address/0xCEed2bFE740F02dB6094eBE89FF93b1031be752b","type":"smart_contract","addedAt":"2025-12-23T10:48:58.024Z","revision":0,"description":"StakedEXA","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6kIlOOfFiCAqfmWeKIkzra","url":"https://optimistic.etherscan.io/address/0x6f748FD65d7c71949BA6641B3248C4C191F3b322","type":"smart_contract","addedAt":"2025-12-23T10:48:58.020Z","revision":0,"description":"MarketWBTC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6supz6dIpct5pkwSAtEmfU","url":"https://optimistic.etherscan.io/address/0xc4d4500326981eacD020e20A81b1c479c161c7EF","type":"smart_contract","addedAt":"2023-04-04T13:54:47.215Z","revision":0,"description":"MarketWETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6zmjv0MyfnFODRJCEQpJhV","url":"https://optimistic.etherscan.io/address/0xaEb62e6F27BC103702E7BC879AE98bceA56f027E","type":"smart_contract","addedAt":"2022-12-07T23:18:28.397Z","revision":0,"description":"Auditor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7GyAMB8JcKsUTq19Cp4yhg","url":"https://optimistic.etherscan.io/address/0x8f498c8240E621f8050249D1C2F5f2AAeE484ca0","type":"smart_contract","addedAt":"2025-12-23T10:48:58.011Z","revision":0,"description":"WebAuthnOwnerPlugin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7IkIFISAg3Es78sk2ecWJo","url":"https://optimistic.etherscan.io/address/0x29bAbFF3eBA7B517a75109EA8fd6D1eAb4A10258","type":"smart_contract","addedAt":"2023-04-04T13:53:52.050Z","revision":0,"description":"MarketETHRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"RK50eXqrvLNYZEMRD7tyD","url":"https://optimistic.etherscan.io/address/0x3179265d20d13cE507157b8087dE48759eb21006","type":"smart_contr
act","addedAt":"2023-04-04T13:53:11.527Z","revision":0,"description":"InterestRateModelWETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"kDNFXgKmLcuVInFoWISOG","url":"https://optimistic.etherscan.io/address/0x60D92e570D096f8E5C99A600bD130d71295AaF38","type":"smart_contract","addedAt":"2023-04-04T13:53:37.446Z","revision":0,"description":"InterestRateModelWstETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98733","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"Only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nThough only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target. \n\nIf an impact can be caused to any other asset managed by Exactly that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project. This only applies to Critical and High impacts.\n\nPeriphery Contracts have a reward cap equal to “High” (USD 25 000). 
This means that regardless of the complexity, impact, or exploitability of a potential vulnerability discovered within these contracts, the bounty paid out will not exceed that limit.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2022-12-08T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5GCy1Eo4QWn4rGzZmgQlYp/87a84ca80ce45355b0db3d1b7090b51c/Exactly_logo_copy.png","maxBounty":25000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Lending"],"programOverview":"Exactly is a decentralized, non-custodial, and open-source protocol that provides an autonomous fixed and variable interest rate market enabling users to frictionlessly exchange the time value of their assets and complete the DeFi credit market.\n\nFor more information about Exactly, please visit [https://exact.ly/](https://exact.ly/).","programType":["Smart Contract"],"project":"Exactly","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAudit Discoveries and Known Issues\n\nBug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. 
If a bug report covers a known issue (e.g., the use of deprecated Chainlink API was reported in [EXA-36](https://github.com/exactly/audits/blob/main/Coinspect%204th%20audit%20(Oct-22).pdf)), it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi.\n\nPrevious audits and known issues can be found at: [https://docs.exact.ly/security/audits](https://docs.exact.ly/security/audits).\n\nAll High and Critical Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 20 000__. \n\nKYC is required for this bug bounty program. Government identification, legal name, and country of residence will need to be supplied.\n\nPayouts are handled by the __Exactly__ team directly and are denominated in USD. However, payouts are done in __USDC and DAI__, with the choice of the ratio at the team's discretion.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"exactly","tenPercentEconomicRule":false,"updatedDate":"2026-03-19T13:56:12.606Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered in-scope, even if they affect something in the assets in the scope table.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Exactly is a decentralized, non-custodial, and open-source protocol that provides an autonomous fixed and variable interest rate market enabling users to frictionlessly exchange the time value of their assets and complete the DeFi credit market.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Griefing\n  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":3707,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 4 hours"},{"id":3708,"type":"smart_contract","severity":"high","title":"Substantial generation of bad debt on the protocol"},{"id":3709,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":3710,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":3711,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the 
principal"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":43305,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":25000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43306,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"9Nmco23IoBQmAZvIS02pJ","url":"https://github.com/smartcontractkit/external-adapters-js/","type":"websites_and_applications","addedAt":"2025-08-12T09:06:01.722Z","revision":0,"description":"External Adapters","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4rgl20wfOgFSQTeBJfeZQl","url":"https://github.com/smartcontractkit/chainlink-ccip/tree/main/execute","type":"websites_and_applications","addedAt":"2025-08-12T09:06:01.714Z","revision":0,"description":"CCIP OCR Execute Plugin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Ehy5RPaW6DVusFp3nRNs3","url":"https://github.com/smartcontractkit/chainlink-ccip/tree/main/commit","type":"websites_and_applications","addedAt":"2025-08-12T09:06:01.726Z","revision":0,"description":"CCIP OCR Commit Plugin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"IKCjI3yX5Twme2cgGHDyw","url":"https://github.com/smartcontractkit/chainlink-ccip/tree/main/chains/evm/contracts","type":"smart_contract","addedAt":"2025-08-12T09:06:01.734Z","revision":0,"description":"CCIP EVM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6B7nrAxhjV2TuYqMpnT11P","url":"https://github.com/smartcontractkit/chainlink-ccip/tree/main/chains/solana/contracts","type":"smart_contract","addedAt":"2025-08-12T09:06:01.718Z","revision":0,"description":"CCIP 
Solana","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1VWtvpVJHpMyHH20uPX3X5","url":"https://github.com/smartcontractkit/libocr","type":"websites_and_applications","addedAt":"2022-02-12T11:02:38.892Z","revision":0,"description":"LibOCR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Wbnz8N7jAKeL96vAwt22G","url":"https://github.com/smartcontractkit/chainlink-evm/tree/develop/contracts","type":"smart_contract","addedAt":"2025-05-02T07:22:40.540Z","revision":0,"description":"Chainlink EVM Contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1a8Lrz8SdfuS3K8NsaAi1v","url":"https://github.com/smartcontractkit/chainlink/tree/develop/core","type":"websites_and_applications","addedAt":"2022-02-12T11:02:18.856Z","revision":0,"description":"Chainlink Core Node","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ayIto05eO0PKlYpbJ9I8Z","url":"https://github.com/smartcontractkit/chainlink-solana/tree/develop/contracts","type":"smart_contract","addedAt":"2022-02-12T11:02:58.477Z","revision":0,"description":"Solana programs","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Dnc2a5BhzXg1Mz9n1ZyIs","url":"https://faucets.chain.link/","type":"websites_and_applications","addedAt":"2022-02-12T11:03:39.413Z","revision":0,"description":" Faucets","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2nWDv42dy7jycyocMgUeDd","url":"https://data.chain.link/","type":"websites_and_applications","addedAt":"2022-10-12T23:13:38.662Z","revision":0,"description":"Data","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2zRHBhOyGw8wmpyRvpfXVp","url":"https://immunefi.com","type":"smart_contract","addedAt":"2024-03-27T10:55:32.480Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"3TJ8F6eRYeBreaevwkEXc0","url":"https://chain.link/","type":"websites_and_applications","addedAt":"2022-10-12T23:13:54.951Z","revision":0,"description":"Main Web 
App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3wPkKlG255ht5jMNxGmIqO","url":"https://github.com/smartcontractkit/operator-ui","type":"websites_and_applications","addedAt":"2024-03-27T10:36:10.780Z","revision":0,"description":"Chainlink Core Node UI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4BHmbpPhI9nz7ZG0w3mwAV","url":"https://github.com/smartcontractkit/ccip-owner-contracts/tree/main","type":"smart_contract","addedAt":"2024-03-27T10:26:34.622Z","revision":0,"description":"CCIP Owner","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99123","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2026-03-04T09:57:16.516Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99142","url":"https://github.com/smartcontractkit/chainlink-sui/tree/main/relayer","type":"websites_and_applications","addedAt":"2026-03-06T07:31:19.239Z","revision":0,"description":"Sui Offchain Relayer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99143","url":"https://github.com/smartcontractkit/chainlink-sui/tree/develop/contracts/mcms/mcms","type":"smart_contract","addedAt":"2026-03-06T07:31:19.239Z","revision":0,"description":"Sui MCMS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99144","url":"https://github.com/smartcontractkit/chainlink-sui/tree/develop/contracts/link","type":"smart_contract","addedAt":"2026-03-06T07:31:19.239Z","revision":0,"description":"Sui LINK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99145","url":"https://github.com/smartcontractkit/chainlink-sui/tree/develop/contracts/ccip","type":"smart_contract","addedAt":"2026-03-06T07:31:19.239Z","revision":0,"description":"Sui CCIP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99146","url":"https://github.com/smartcontractkit/chainlink-solana/tree/develop/pkg/solana","type":"websites_and_applications","addedAt":"2026-03-06T07:31:19.239Z","revision":0,"description":"Solana 
Offchain","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99147","url":"https://github.com/smartcontractkit/chainlink-common/tree/main/keystore","type":"websites_and_applications","addedAt":"2026-03-06T07:31:19.239Z","revision":0,"description":"Common Keystore","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99148","url":"https://github.com/smartcontractkit/chainlink-aptos/tree/develop/relayer","type":"websites_and_applications","addedAt":"2026-03-06T07:31:19.239Z","revision":0,"description":"Aptos Offchain Relayer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99149","url":"https://github.com/smartcontractkit/chainlink-aptos/tree/develop/contracts","type":"smart_contract","addedAt":"2026-03-06T07:31:19.239Z","revision":0,"description":"Aptos","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99150","url":"https://cre.chain.link","type":"websites_and_applications","addedAt":"2026-03-06T07:31:19.239Z","revision":0,"description":"CRE Web App","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"The following are considered out of scope for the program:\n\n  - Any files in a dev, example, test, dummy, mock folder\n  - Any contract with a `typeAndVersion` string which contains `-dev`\n  - Any files with XXX in their name\n  - Any *.smartcontract.com assets\n  - Any test, example, dummy, mock, or vendored code\n\nAlso, for any file to be in scope, it has to be part of a release, not including pre-releases.\n\nIf an impact can be caused to any other asset managed by Chainlink that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for consideration by the 
project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Base","Celo","ETH","Fantom","Gnosis","Linea","Metis","Moonriver","Optimism","Polygon","Scroll","Solana","Aptos"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Expert Assessment"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Rust","Solidity","Typescript"],"launchDate":"2021-05-11T05:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2NbXmUd05dVTI4CddDDFEK/62bc8a522d1b1bf77183097a87ee45d7/1200px-Chainlink_Logo__1_.png","maxBounty":3000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Oracle"],"programOverview":"__Program Overview__\n\nChainlink is the industry-standard Web3 services platform. It has enabled trillions of dollars in transaction volume across DeFi, on-chain finance, gaming, NFTs, and other major industries. As the leading decentralized oracle network, Chainlink empowers developers to build feature-rich Web3 applications with seamless access to real-world data and off-chain computation across any blockchain and provides global enterprises with a universal gateway to all blockchains.\n\nLearn more about Chainlink by visiting [chain.link](https://chain.link/) or reading the developer documentation at [docs.chain.link](https://docs.chain.link/). 
To discuss an integration, [reach out to an expert](https://chainlinkcommunity.typeform.com/to/OYQO67EF?page=announcement&typeform-source=www.google.com).\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nChainlink adheres to the Primacy of Impact, meaning that if you believe you have found a bug that causes an “In-scope Impact”, even if the affected system is not strictly within the assets listed, we still encourage you to submit it to the program for consideration. Chainlink adheres to the Primacy of Impact for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Websites and Applications - Critical\n- Websites and Applications - High","programType":["Smart Contract","Websites and Applications"],"project":"Chainlink","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.  \n\nAll Smart Contracts bug reports require a proof of concept (PoC) and a suggestion for a fix to be eligible for a reward. All Websites and Applications bug reports must come with a PoC with an end-effect impacting an asset in scope in order to be considered for a reward. 
Explanations and statements are not accepted as PoCs and code is required.\n\nRewards for Critical Smart Contract vulnerabilities are at the sole and exclusive discretion of Chainlink Labs, with a maximum reward of USD 3,000,000.\n\nSpecific reward amounts are determined based on a number of factors, such as the impact of proposed issues, ease of exploitability, and how likely the exploit conditions might occur.\n\nAny supplementary reward beyond the minimum for the assigned criticality rating is at the discretion of Chainlink Labs.\n\n__KYC/KYB requirement__\n\nTo ensure compliance, Chainlink Labs requires Know-Your-Customer (KYC) or Know-Your-Business (KYB) information to be provided for all reports prior to a bounty being awarded.\n\nThe information required:\n\n- Full Legal Name of individual (First, middle, and last, plus any prefix, and/or suffix)\n- Full Legal Name of entity (if applicable)\n- If you are a U.S. citizen, permanent resident, partnership, LLC, corporation, estate or trust, please send a filled-out and signed W-9 (https://www.irs.gov/pub/irs-pdf/fw9.pdf)\n- If you are not a U.S. citizen, permanent resident, partnership, LLC, corporation, estate or trust:\n  - Please send a filled-out and signed W-8BEN for individuals and W-8BEN-E for entities (https://www.irs.gov/pub/irs-pdf/fw8ben.pdf; https://www.irs.gov/pub/irs-pdf/fw8bene.pdf)\n  - Provide a statement to certify that all services are performed outside of the U.S.\n- Ethereum Wallet Address (for transfer of payment)\n\nAll bug bounty reporters must pass a screening check, including but not limited to the Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List (SDN). 
\n\nPayouts are denominated in USD and sent in USD Coin (USDC).\n\n__Repeatable Attacks__\n\nIn the event a report applies to multiple contracts or can be triggered multiple times, if a contract or product can be paused (either through on or off-chain means) only the impact of the first usage will be considered. If a product is not pausable such that there is no realistic way to prevent repeated usage of the attack, the entire amount at risk will be considered when evaluating impact.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"chainlink","tenPercentEconomicRule":false,"updatedDate":"2026-03-19T08:46:09.589Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are out of scope, even if they affect an in scope asset.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_3","description":"Chainlink is the industry-standard oracle platform bringing the capital markets onchain and the market leader powering the majority of decentralized finance (DeFi). The Chainlink stack provides the essential data, interoperability, compliance, and privacy standards needed to power advanced blockchain use cases for institutional tokenized assets, lending, payments, stablecoins, and more. Since inventing decentralized oracle networks, Chainlink has enabled tens of trillions in transaction value and now secures the vast majority of DeFi. \n\nMany of the world’s largest financial services institutions have also adopted Chainlink’s standards and infrastructure, including Swift, Euroclear, Mastercard, Fidelity International, UBS, S&P Dow Jones Indices, FTSE Russell, WisdomTree, ANZ, and top protocols such as Aave, Lido, GMX, and many others. Chainlink leverages a novel fee model where offchain and onchain revenue from enterprise adoption is converted to LINK tokens and stored in a strategic Chainlink Reserve. 
Learn more at chain.link.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Disclosure of vulnerabilities will require the approval of the Chainlink team\n- Issues resulting in documentation-only mitigation","customProhibitedActivities":[],"impacts":[{"id":399,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver expected return(s) but doesn’t result in loss of value"},{"id":400,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction such as iframing leading to modifying the backend/browser state (demonstrate impact with PoC)"},{"id":401,"type":"websites_and_applications","severity":"low","title":"Redirecting users to malicious websites (open redirect)"},{"id":402,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as locking up the victim from login, cookie bombing, etc"},{"id":404,"type":"smart_contract","severity":"high","title":"Theft of protocol revenue"},{"id":405,"type":"smart_contract","severity":"high","title":"Rate limit violations"},{"id":406,"type":"smart_contract","severity":"high","title":"Delaying delivery of oracle responses, including randomness, unrelated to congestion of the underlying blockchain"},{"id":407,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file 
uploads, etc"},{"id":408,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc"},{"id":409,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc"},{"id":410,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website with methods other than DDoS"},{"id":411,"type":"smart_contract","severity":"medium","title":"Loss of protocol revenue (i.e skipping all or part of protocol fees)"},{"id":412,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":413,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":414,"type":"websites_and_applications","severity":"medium","title":"Subdomain takeover"},{"id":415,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":416,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of downstream services"},{"id":417,"type":"smart_contract","severity":"critical","title":"Misreporting of prices and/or data"},{"id":418,"type":"smart_contract","severity":"critical","title":"RMN bypass"},{"id":419,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as 
/etc/shadow, database passwords, and blockchain keys"},{"id":420,"type":"websites_and_applications","severity":"critical","title":"Injecting code that results in malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":5681,"type":"smart_contract","severity":"medium","title":"Griefing in the condition where the cost of carrying out attack is less than or equal to the damage"},{"id":5682,"type":"smart_contract","severity":"low","title":"Griefing in the condition where the cost of carrying out attack is more than the damage"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system 
commands"}],"rewards":[{"id":43292,"primacy":null,"severity":"low","assetType":"websites_and_applications","maxReward":1000,"rewardModel":"up_to"},{"id":43285,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":3000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":43286,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":75000,"rewardModel":"up_to"},{"id":43287,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":10000,"rewardModel":"up_to"},{"id":43288,"primacy":null,"severity":"low","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":43289,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":100000,"rewardModel":"up_to"},{"id":43290,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":10000,"rewardModel":"up_to"},{"id":43291,"primacy":null,"severity":"medium","assetType":"websites_and_applications","maxReward":2000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"4KSLqQPjXhl3cyKd3TsBro","url":"https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5","type":"smart_contract","addedAt":"2022-10-07T16:50:18.352Z","revision":0,"description":"L1 Beanstalk","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4YBp4ml5Zp2O7RMrMif5Hj","url":"https://arbiscan.io/address/0xD1A0060ba708BC4BCD3DA6C37EFa8deDF015FB70","type":"smart_contract","addedAt":"2022-10-07T16:49:10.580Z","revision":0,"description":"L2 Beanstalk","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"34Ud9zeoCSHbhD74qBbS9t","url":"https://arbiscan.io/address/0xBEA0005B8599265D41256905A9B3073D397812E4","type":"smart_contract","addedAt":"2022-10-07T16:49:30.841Z","revision":0,"description":"Bean ERC-20 
token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2LPAlfkL0PC3bz3gu0ctwa","url":"https://arbiscan.io/address/0x1BEA054dddBca12889e07B3E076f511Bf1d27543","type":"smart_contract","addedAt":"2022-10-07T16:49:44.248Z","revision":0,"description":"Unripe Bean ERC-20 token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1kdyZcXvWSxyPOAscboo7C","url":"https://arbiscan.io/address/0x1BEA059c3Ea15F6C10be1c53d70C75fD1266D788","type":"smart_contract","addedAt":"2022-10-07T16:50:00.382Z","revision":0,"description":"Unripe LP ERC-20 token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1huzfDmoAA9QwReApnO5LM","url":"https://arbiscan.io/address/0xFEFEFECA5375630d6950F40e564A27f6074845B5","type":"smart_contract","addedAt":"2023-08-23T14:34:02.140Z","revision":0,"description":"Fertilizer ERC-1155 token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7FYqW68BIsnwFMkfAXZLrt","url":"https://arbiscan.io/address/0xFEFEFE2cfb089aEF0b0578573eF3CFAbC15f1490","type":"smart_contract","addedAt":"2023-08-23T14:35:30.964Z","revision":0,"description":"Fertilizer Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4MwUSIrJ79aveCct0dXmhz","url":"https://arbiscan.io/address/0xCCCCCC35b53c8a16404Ae414AFa31F30A5B35626","type":"smart_contract","addedAt":"2023-08-23T14:36:00.493Z","revision":0,"description":"LSD Chainlink Oracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"69OveamruG3LZjyS5wrCLa","url":"https://arbiscan.io/address/0x555555987d98079b9f43CDcDBD52DbB24FfEEef5","type":"smart_contract","addedAt":"2023-08-23T14:36:26.431Z","revision":0,"description":"Shipment 
Planner","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"384xMyeMKSA2CY3Irj6wKF","url":"https://arbiscan.io/address/0x5A5A5ADe4C9713172a5228703213d4D39608E2cD","type":"smart_contract","addedAt":"2023-08-23T14:37:16.535Z","revision":0,"description":"Junctions","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4O7EGxvLfwTuXW5lwNPGkX","url":"https://arbiscan.io/address/0xD6Fc4a63d7E93267c3007eA176081052369A4749","type":"smart_contract","addedAt":"2023-07-17T20:22:13.251Z","revision":0,"description":"Unwrap and Send ETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7KTe6cMNwsUl9IKNEvfjXp","url":"https://arbiscan.io/address/0xBA51AAAa8C2f911AE672e783707Ceb2dA6E97521","type":"smart_contract","addedAt":"2023-07-17T20:22:26.643Z","revision":0,"description":"Aquifer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5tm4LMpCiOlbDfLkqqAuiR","url":"https://arbiscan.io/address/0xBA15000450Bf6d48ec50BD6327A9403E401b72b4","type":"smart_contract","addedAt":"2024-08-14T07:36:51.011Z","revision":0,"description":"Constant Product 2 Well Function","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4UWJPWZhEKIT0p4FjYP2Is","url":"https://arbiscan.io/address/0xba150052e11591D0648b17A0E608511874921CBC","type":"smart_contract","addedAt":"2024-10-15T04:42:26.020Z","revision":0,"description":"Stable 2 Well Function","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4wD7yseY6hAHcXlAzVyzJ3","url":"https://arbiscan.io/address/0xBA51055dAD14d3920e1798D2e8A152d91CaDb461","type":"smart_contract","addedAt":"2024-08-14T07:37:40.942Z","revision":0,"description":"Stable 2 Well Function, Lookup Table with A = 1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1yuFQd1D7WnppOWTv6iHYz","url":"https://arbiscan.io/address/0xBA150002660BbCA20675D1C1535Cd76C98A95b13","type":"smart_contract","addedAt":"2024-10-15T04:38:49.621Z","revision":0,"description":"Multi Flow 
Pump","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"26lza6G3J8LyD4nPv8fm4s","url":"https://arbiscan.io/address/0xBA5106bd62b342afAcB93f1078fe60177A62d1a9","type":"smart_contract","addedAt":"2024-10-15T04:39:25.081Z","revision":0,"description":"Well Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4df7kxOfJ3euX3IMjTarPz","url":"https://arbiscan.io/address/0xBA510995783111be5301d93CCfD5dE4e3B28e50B","type":"smart_contract","addedAt":"2024-10-15T04:39:41.830Z","revision":0,"description":"Upgradable Well Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4lcLbE1zOoSztqpHRuGCFa","url":"https://arbiscan.io/address/0xb1bE000644bD25996b0d9C2F7a6D6BA3954c91B0","type":"smart_contract","addedAt":"2024-10-15T04:39:55.488Z","revision":0,"description":"Pipeline","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4fAUUgPNEjQl140QbPTTv4","url":"https://arbiscan.io/address/0xdeb0f082ed3b0efe9257aea9f2e6e974aa4120c3","type":"smart_contract","addedAt":"2024-10-15T04:40:09.935Z","revision":0,"description":"Depot","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"21QcIiaXxQNPwSbhRLYj6E","url":"https://app.bean.money","type":"websites_and_applications","addedAt":"2023-04-12T16:49:37.056Z","revision":0,"description":"Beanstalk UI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"385YXLhLn32kMJHLs4MIMS","url":"https://basin.exchange","type":"websites_and_applications","addedAt":"2023-12-20T14:35:50.794Z","revision":0,"description":"Basin UI","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"__Additional Resources__\n\nAll Beanstalk smart contracts and the Beanstalk UI can be found at [https://github.com/BeanstalkFarms/Beanstalk](https://github.com/BeanstalkFarms/Beanstalk). However, only those in the Assets in Scope section are considered as in-scope of the bug bounty program. 
The following links may also be helpful:\n\nBeanstalk\n  - [Beanstalk Whitepaper](https://bean.money/beanstalk.pdf)\n  - [Beanstalk Docs](https://docs.bean.money/almanac/)\n  - [Beanstalk Technical Docs](https://docs.bean.money/developers)\n  - [Beanstalk GitHub](https://github.com/BeanstalkFarms/Beanstalk)\n  - [Beanstalk Discord](https://discord.gg/beanstalk)\n  - [Beanstalk on Louper](https://louper.dev/diamond/0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5) \n\nBasin\n  - [Basin Whitepaper](https://basin.exchange/basin.pdf)\n  - [Multi Flow Pump Whitepaper](https://basin.exchange/multi-flow-pump.pdf)\n  - [Basin Docs](https://docs.basin.exchange/)\n  - [Basin GitHub](https://github.com/BeanstalkFarms/Basin)\n  - [Basin Discord](https://basin.exchange/discord)\n\nPipeline\n  - [Pipeline Whitepaper](https://evmpipeline.org/pipeline.pdf)\n  - [Pipeline GitHub](https://github.com/BeanstalkFarms/Pipeline)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Boost"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity","Typescript"],"launchDate":"2022-10-11T19:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3H8XDjXYI9JfMPAHZRNEGw/0652faecfc8a425182a7567cc93f00e5/Beanstalk_logo.jpeg","maxBounty":1100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - medium","smart_contract - high","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["DAO","DEX","Stablecoin"],"programOverview":"This bug bounty program is focused on securing all 3 of the following projects:\n\n  - [Beanstalk](https://bean.money/) is a permissionless fiat stablecoin protocol;\n  - [Basin](https://basin.exchange/) is a composable EVM-native decentralized 
exchange protocol; and\n  - [Pipeline](https://evmpipeline.org/) is a sandbox contract that can execute an arbitrary number of actions within the EVM from an EOA in a single transaction. \n\nThere is a list of resources (docs, repositories, etc.) under the Assets in Scope section. You can also check out [past bug reports](https://community.bean.money/bug-reports?utm_source=immunefi) and [past bounty payouts](https://snapshot.org/?utm_source=immunefi#/beanstalkbugbounty.eth) for this bug bounty program.\n\nBounties are paid in BEAN via the [Beanstalk Immunefi Committee Multisig (BICM)](https://docs.bean.money/almanac/governance/beanstalk/bicm-dashboard). For more details about the payment process, please view the Rewards by Threat Level section further below. \n\nAs the Beanstalk and Pinto Bug Bounty Programs are operated by the same team, any valid submission that affects both programs, whether reported under Pinto or Beanstalk, will be considered a known issue in the other.\n\n__Eligibility Criteria__ \n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n— A member of the Beanstalk Immunefi Committee (BIC); or\n\n—A private auditor that has been paid by Beanstalk Farms or a related party to review the code that is reported to be vulnerable.\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nThe Beanstalk bug bounty program adheres to the Primacy of Rules, which means that the bug bounty program is run strictly under the terms stated on this page.\n\n__Previous Audits__ \n\nAudit reports of the various in-scope assets can be found at [https://github.com/BeanstalkFarms/Beanstalk-Audits](https://github.com/BeanstalkFarms/Beanstalk-Audits?utm_source=immunefi). 
Any unfixed vulnerabilities mentioned in these reports (or otherwise known by the BIC or BCM) are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, the Beanstalk bug bounty program has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Smart Contract","Websites and Applications"],"project":"Beanstalk","projectType":["Defi","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). The following is a simplified 3-level scale, focusing on the impact of the vulnerability reported. The complete scope can be found below.\n\nIn order to be considered for the maximum potential reward, bug reports must come with a Proof of Concept (PoC). Explanations and statements are not accepted in lieu of a PoC. Bug reports that do not come with a PoC may qualify for a maximum of up to 30% of the potential reward outlined below, as determined by the Beanstalk Immunefi Committee. \n\nFunds at Risk for a given bug report are defined as follows:\n\n  - Funds at Risk are determined based on the token amounts and USD values at time of the bug report submission;\n  - For Beans, Funds at Risk are determined based on the liquidatable USD value of the Beans at risk;\n  - For non-Beans (ETH, WETH, 3CRV, USDC, DAI, USDT, etc.) 
in any in-scope assets, the Funds at Risk are determined based on their respective USD values;\n  - For Circulating non-Beans (i.e., outside of any in-scope assets), the Funds at Risk are determined to be 50% of their respective USD values; and\n  - If the smart contract where the vulnerability exists can be upgraded or paused, only the Funds at Risk in initial attacks that can be executed within the first hour will be considered for a reward.\n\n__Reward Calculation for Critical Smart Contract Reports__\n\nRewards for Critical smart contract vulnerabilities are capped at the lower of (a) 10% of practicable economic damage, or (b) __USD 1 100 000__, primarily taking into consideration the Funds at Risk. However, there is a minimum reward of __USD 100 000__ for Critical severity smart contract bug reports.\n\n__Reward Calculation for High Smart Contract Reports__\n\nRewards for High smart contract vulnerabilities are capped at the lower of (a) 10% of practicable economic damage, or (b) __USD 100 000__, primarily taking into consideration the Funds at Risk. However, there is a minimum reward of __USD 10 000__ for High severity smart contract bug reports.\n\n__Reward Calculation for Medium Smart Contract and All Website and Applications Reports__\n\nRewards for Medium severity smart contract vulnerabilities and all website and applications vulnerabilities are scaled based on a set of internal criteria established by the BIC. However, there is a minimum reward of USD 1 000 for Medium smart contract bug reports and Critical website and applications bug reports. The BIC will primarily take into account:\n\n  - The exploitability of the bug;\n  - The impact it causes; and\n  - The likelihood of the vulnerability presenting itself.\n\n__Reward Payment Terms__\n\nPayouts are handled by the [Beanstalk Immunefi Committee Multisig (BICM)](https://docs.bean.money/almanac/governance/beanstalk/bicm-dashboard) directly and are done in BEAN. 
Note that due to the decentralized governance process for rewarding bug bounties, rewards can take several days to be paid out after a report is confirmed to be valid.\n\n__BIC Determination__\n\nThe BIC shall determine whether a submitting party is entitled to a bug bounty/reward, and if so, the amount of such bounty/reward (and specifically, whether such submission qualifies for a Critical, High or Medium Impact bounty/reward, what is the potential practicable economic damage of such bug based on the Funds at Risk, and what the appropriate bounty/reward should be within each Impact range). The BIC’s determination of (i) whether such submission qualifies for a Critical, High or Medium Impact bounty/reward, (ii) what is the potential practicable economic damage of such bug based on the Funds at Risk, and (iii) whether such submission came with a PoC, thereby enabling it to be considered for the maximum potential applicable reward (vs. a submission that did not come with a PoC, thereby limiting such submission to a maximum of up to 30% of the applicable reward), shall be made in the BIC’s sole and absolute discretion and shall be final, and not be subject to any appeal or challenge.\n\nA submitting party may only dispute the BIC’s determination (a) that a submitting party is not entitled to any bug bounty/reward, or (b) what the appropriate bounty/reward should be within each Impact range. In such disputes, Immunefi will conduct a binding mediation. 
If the submitting party disputes the BIC’s decision that a submitting party is not entitled to any bug bounty/reward, Immunefi will mediate, and shall determine, in its sole and absolute discretion, which is non-appealable, whether the submitting party is entitled to any bug bounty/reward, and if so, the amount of such bug bounty/reward, up to __USD 10 000__ in the case of a smart contract bug report (i.e., as if it were a Medium Impact fix), and up to __USD 1 000__ in the case of a website and applications bug report (i.e., as if it were a Critical Impact fix). If the submitting party disputes the BIC’s determination of what the appropriate bounty/reward should be within a specific Impact range, Immunefi will mediate, and shall determine, in its sole and absolute discretion, which is non-appealable, the amount of such bug bounty/reward in the relevant Impact category; however, Immunefi may not modify or change (i) the practicable economic damage determination made by the BIC, or (ii) the BIC’s determination whether such submission came with a PoC, thereby enabling it to be considered for the maximum potential applicable reward (vs. a submission that did not come with a PoC, thereby limiting such submission to a maximum of up to 30% of the applicable reward).","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"BEAN","slug":"beanstalk","tenPercentEconomicRule":false,"updatedDate":"2026-03-19T03:31:04.921Z","impactsBody":"If an impact can be caused to any other asset related to Beanstalk that isn’t in this section but for which the impact is in the Impacts in Scope section below, bug bounty hunters are encouraged to submit it for consideration by the BIC. \n\nNote that unexpected outcomes (like loss of funds) due to misuse of Pipeline and/or Depot do not qualify as valid bug reports. 
Read more [here](https://evmpipeline.org/pipeline.pdf?utm_source=immunefi#section.6).\n\nAlso note that the various ecosystem subgraphs ([Beanstalk](https://graph.node.bean.money/subgraphs/name/beanstalk/graphql), [Bean](https://graph.node.bean.money/subgraphs/name/beanstalk/bean), [Basin](https://graph.node.bean.money/subgraphs/name/beanstalk/basin), etc.) are not included as Assets in Scope. \n\n__Undeployed Code in Scope__\n\nThe BIC also maintains a list of pull requests/repositories whose code is considered in-scope but has not yet been deployed on-chain. This code has been audited. The following code is in-scope of the bug bounty program:\n  - None at this time","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_1","description":"This bug bounty program is focused on securing all 3 of the following projects:\n  - [Beanstalk](https://bean.money/) is a permissionless fiat stablecoin protocol;\n  - [Basin](https://basin.exchange/) is a composable EVM-native decentralized exchange protocol; and\n  - [Pipeline](https://evmpipeline.org/) is a sandbox contract that can execute an arbitrary number of actions within the EVM from an EOA in a single transaction.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":"- Impacts related to attacks that the reporter has already exploited themselves, leading to damage;\n- Impacts caused by attacks requiring access to leaked keys/credentials;\n- Impacts caused by attacks requiring access to privileged addresses (owner address);\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in the code;\n- Impacts that involve frontrunning transactions, i.e., impacts that require users to send transactions through the public mempool;\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in GitHub will be considered out of scope;\n- Best practice recommendations;\n- Feature requests; and\n- Impacts on test and configuration files unless stated otherwise in the bug bounty program.","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":3387,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 hour"},{"id":3388,"type":"smart_contract","severity":"high","title":"Illegitimate minting of protocol native assets"},{"id":3390,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":3391,"type":"smart_contract","severity":"medium","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":3392,"type":"smart_contract","severity":"medium","title":"Invariant is missing on a function where it should be implemented"},{"id":3393,"type":"smart_contract","severity":"medium","title":"Exploit is possible but is exclusively prevented by an 
invariant"},{"id":3396,"type":"websites_and_applications","severity":"critical","title":"Ability to execute arbitrary system commands"},{"id":3397,"type":"websites_and_applications","severity":"critical","title":"Injecting code that results in malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":3398,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance"}],"rewards":[{"id":43281,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":1100000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43282,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range"},{"id":43283,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":10000,"minReward":1000,"rewardModel":"range"},{"id":43284,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"5cigmkKnPEWTDcWhpHGR7G","url":"https://etherscan.io/address/0xc9ff605003A1b389980f650e1aEFA1ef25C8eE32","type":"smart_contract","addedAt":"2026-01-22T19:46:01.217Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"01G16pX9xhpoSNjSMzq23d","url":"https://basescan.org/address/0x983eC82E45C61a42FDDA7B3c43B8C767004c8A74","type":"smart_contract","addedAt":"2025-11-07T09:08:42.322Z","revision":0,"description":"ALM_RATE_LIMITS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"10cTJu0uZgnYEYAHUZ8IUs","url":"https://unichain.blockscout.com/address/0x7B8ee8b0fD62662F7FB1ac9e5E6cEAad5195A3bF","type":"smart_contract","addedAt":"2025-11-07T08:47
:59.223Z","revision":0,"description":"SPARK_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"12ZBZvSuKk7aejrTAQoFTB","url":"https://github.com/marsfoundation/spark-dev-docs","type":"websites_and_applications","addedAt":"2024-06-27T09:29:12.970Z","revision":0,"description":"Spark Developer Documentation (devs.spark.fi)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"178YZEgdMJxHPmJCTj7J4T","url":"https://blockscout.com/xdai/mainnet/address/0x1022E390E2457A78E18AEEE0bBf0E96E482EeE19#code","type":"smart_contract","addedAt":"2025-12-05T20:38:23.369Z","revision":0,"description":"SXDAI_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"17d97yNKkud7FvxfaWPdMr","url":"https://arbiscan.io/address/0xcA61540eC2AC74E6954FA558B4aF836d95eCb91b#code","type":"smart_contract","addedAt":"2025-12-05T20:35:51.561Z","revision":0,"description":"DSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"18BFBuj3lywkik6f2Mz3WD","url":"https://etherscan.io/address/0x02C3eA4e34C0cBd694D2adFa2c690EECbC1793eE#code","type":"smart_contract","addedAt":"2025-12-05T20:30:25.896Z","revision":0,"description":"POOL_ADDRESSES_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"19k7ATjdJgEkGw6SgDpR4z","url":"https://explorer.optimism.io/address/0x1d54A093b8FDdFcc6fBB411d9Af31D96e034B3D5#code","type":"smart_contract","addedAt":"2025-12-05T20:40:39.887Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1A7cIRrlK2Ha2VbyhjACt0","url":"https://etherscan.io/address/0xF7b656C95420194b79687fc86D965FB51DA4799F#code","type":"smart_contract","addedAt":"2025-12-05T20:33:41.322Z","revision":0,"description":"POOL_CONFIGURATOR_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ACNqsgtA9NUSsG1F8l7ju","url":"https://subnets.avax.network/c-chain/address/0x7566DEbC906C17338524A414343fA61BcA26A8430xd905be48983D405C6fD7f5a983D2351fb61C691F","type":"smart_contract","addedAt":"2025-11-07T09:09:10.341Z","
revision":0,"description":"SPARK_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1AKRZbPCiH4yfj0P8q5uvh","url":"https://etherscan.io/address/0x57a2957651DA467fCD4104D749f2F3684784c25a#code","type":"smart_contract","addedAt":"2025-12-05T20:31:09.608Z","revision":0,"description":"GNO_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1CatiwKVthSCKWzv9Rodlm","url":"https://etherscan.io/address/0x4042127DecC0cF7cc0966791abebf7F76294DeF3#code","type":"smart_contract","addedAt":"2025-12-05T20:28:24.678Z","revision":0,"description":"OPTIMISM_DSR_FORWARDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1DMRARjzwLuq8OdyDbt2ym","url":"https://github.com/marsfoundation/xchain-ssr-oracle/blob/master/src/forwarders/SSROracleForwarderBase.sol","type":"smart_contract","addedAt":"2024-10-30T04:11:36.781Z","revision":0,"description":"SSROracleForwarderBase","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1GXHwUhZq2PEodnViAlqZL","url":"https://github.com/marsfoundation/spark-alm-controller/blob/master/src/ALMProxy.sol","type":"smart_contract","addedAt":"2024-10-30T04:09:53.177Z","revision":0,"description":"ALMProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1HA5SnLdr2byUGiiT5rpDI","url":"https://gnosisscan.io/address/0xd4bAbF714964E399f95A7bb94B3DeaF22d9F575d","type":"smart_contract","addedAt":"2025-11-07T09:08:53.347Z","revision":0,"description":"GNO_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1LUL3Nl2MCZ6dyhA8Tqcw7","url":"https://gnosisscan.io/address/0x397b97b572281d0b3e3513BD4A7B38050a75962b","type":"smart_contract","addedAt":"2025-11-07T09:09:00.685Z","revision":0,"description":"USDCE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1N14FlpyC1KvaosYUCMnzP","url":"https://optimistic.etherscan.io/address/0x1d54A093b8FDdFcc6fBB411d9Af31D96e034B3D5","type":"smart_contract","addedAt":"2025-11-07T09:09:44.728Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrim
acyOfImpact":false},{"id":"1OxbSEqAOgWLQw12GTFEms","url":"https://explorer.optimism.io/address/0x876664f0c9Ff24D1aa355Ce9f1680AE1A5bf36fB#code","type":"smart_contract","addedAt":"2025-12-05T20:40:43.564Z","revision":0,"description":"ALM_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Qt3Yz3K3CqWb3vWJDQKbi","url":"https://gnosisscan.io/address/0x40BF0Bf6AECeE50eCE10C74E81a52C654A467ae4","type":"smart_contract","addedAt":"2025-11-07T09:08:59.026Z","revision":0,"description":"USDC_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1SDXn63YLvC19W5hIgA3vf","url":"https://github.com/marsfoundation/xchain-ssr-oracle/blob/master/src/SSRAuthOracle.sol","type":"smart_contract","addedAt":"2024-10-30T04:10:52.799Z","revision":0,"description":"SSRAuthOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1T3lIQlboAHsASRVmqJuCO","url":"https://explorer.optimism.io/address/0x15ACEE5F73b36762Ab1a6b7C98787b8148447898#code","type":"smart_contract","addedAt":"2025-12-05T20:41:16.487Z","revision":0,"description":"DSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Ty5uSG4rNFr6MUAcyMmUE","url":"https://etherscan.io/address/0x78f897F0fE2d3B5690EbAe7f19862DEacedF10a7#code","type":"smart_contract","addedAt":"2025-12-05T20:31:51.833Z","revision":0,"description":"SDAI_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1aTAJRELpKZazsa2onSeLq","url":"https://gnosisscan.io/address/0x3294dA2E28b29D1c08D556e2B86879d221256d31","type":"smart_contract","addedAt":"2025-11-07T09:08:55.776Z","revision":0,"description":"WSTETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1bYv3o0R5jDcUUxTtbRNx1","url":"https://etherscan.io/address/0xE52d643B27601D4d2BAB2052f30cf936ed413cec#code","type":"smart_contract","addedAt":"2025-12-05T20:42:56.125Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1dHNHalaQNDpVbyvuYD1Ng","url":"https://etherscan.io/addres
s/0x80128DbB9f07b93DDE62A6daeadb69ED14a7D354#code","type":"smart_contract","addedAt":"2025-12-05T20:43:22.438Z","revision":0,"description":"SPPYUSD","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1eGyAVLu9CWRcveTDuQ4AZ","url":"https://gnosisscan.io/address/0x4cB3F681B5e393947BD1e5cAE84764f5892923C2","type":"smart_contract","addedAt":"2025-11-07T09:09:01.461Z","revision":0,"description":"USDT_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ex8EmJxhp30tFsL6P7jMl","url":"https://gnosisscan.io/address/0x1022E390E2457A78E18AEEE0bBf0E96E482EeE19","type":"smart_contract","addedAt":"2025-11-07T09:08:58.234Z","revision":0,"description":"SXDAI_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1gMNRtWnxCXdrZm0Tx2YJ0","url":"https://etherscan.io/address/0x7b481aCC9fDADDc9af2cBEA1Ff2342CB1733E50F#code","type":"smart_contract","addedAt":"2025-12-05T20:31:13.674Z","revision":0,"description":"GNO_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1hLTbV3E85rZvZruYdGZ3b","url":"https://etherscan.io/address/0x1b992302652A92611DCd5090D1Cb388C6377f455#code","type":"smart_contract","addedAt":"2025-12-05T20:24:36.892Z","revision":0,"description":"SPARK_VAULT_V2_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1hsgllFn35eYJdxpUeCZiB","url":"https://etherscan.io/address/0xbaf21A27622Db71041Bd336a573DDEdC8eB65122#code","type":"smart_contract","addedAt":"2025-12-05T20:30:01.223Z","revision":0,"description":"SPARK_REWARDS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1jETEgnKeVCiPJnSknrWyu","url":"https://blockscout.com/xdai/mainnet/address/0xE877b96caf9f180916bF2B5Ce7Ea8069e0123182#code","type":"smart_contract","addedAt":"2025-12-05T20:38:14.540Z","revision":0,"description":"SXDAI_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1kxhNVgXDTOisG4kIbYNvr","url":"https://etherscan.io/address/0xc2bD6d2fEe70A0A73a33795BdbeE0368AeF5c766#code","type":"smart_contract","addedAt":"2025-12-05T20:32:54.20
7Z","revision":0,"description":"WEETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1lBUn90joLPsFMpU8Exkpl","url":"https://gnosisscan.io/address/0xe04ba71E46fCd7DBB9334D8FBa13d476f38EB0f8","type":"smart_contract","addedAt":"2025-11-07T09:09:07.527Z","revision":0,"description":"RATES_FACTORY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1llqvWYGuN867uX0MiPsOk","url":"https://etherscan.io/address/0x4197ba364AE6698015AE5c1468f54087602715b2#code","type":"smart_contract","addedAt":"2025-12-05T20:32:49.996Z","revision":0,"description":"WBTC_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1oAsNSxwj7vUZ4o4zq6oFn","url":"https://etherscan.io/address/0x45d91340B3B7B96985A72b5c678F7D9e8D664b62#code","type":"smart_contract","addedAt":"2025-12-05T20:28:34.284Z","revision":0,"description":"UNICHAIN_SSR_FORWARDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1pvclBWecRb5TvXR17xDKI","url":"https://etherscan.io/address/0xdA135Cd78A086025BcdC87B038a1C462032b510C#code","type":"smart_contract","addedAt":"2025-12-05T20:30:08.370Z","revision":0,"description":"ACL_MANAGER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1s3akq33JGKgdSTvMo6yMt","url":"https://etherscan.io/address/0xe7dF13b8e3d6740fe17CBE928C7334243d86c92f#code","type":"smart_contract","addedAt":"2025-12-05T20:32:35.820Z","revision":0,"description":"USDT_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1tG1vZsaI6TCIUN0zibJET","url":"https://etherscan.io/address/0x7ac96180C4d6b2A328D3a19ac059D0E7Fc3C6d41#code","type":"smart_contract","addedAt":"2025-12-05T20:29:54.478Z","revision":0,"description":"PFL3_REWARDS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1uCAoTXrAcKLtYxvy6Gxzs","url":"https://etherscan.io/address/0x779224df1c756b4EDD899854F32a53E8c2B2ce5d#code","type":"smart_contract","addedAt":"2025-12-05T20:31:28.000Z","revision":0,"description":"PYUSD_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ufawCxmaBXQ0LxlA2K
bQ1","url":"https://blockscout.com/xdai/mainnet/address/0x4370D3b6C9588E02ce9D22e684387859c7Ff5b34#code","type":"smart_contract","addedAt":"2025-12-05T20:39:54.100Z","revision":0,"description":"STABLE_DEBT_TOKEN_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1uxPcgYjpo5OZj8gqMZzFu","url":"https://etherscan.io/address/0xBa2C8F2eA5B56690bFb8b709438F049e5Dd76B96#code","type":"smart_contract","addedAt":"2025-12-05T20:31:31.931Z","revision":0,"description":"RETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1vDvGszngkbqPAbd3ci6Ia","url":"https://etherscan.io/address/0xd5c3E3B566a42A6110513Ac7670C1a86D76E13E6#code","type":"smart_contract","addedAt":"2025-12-05T20:33:08.861Z","revision":0,"description":"WSTETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1wA5Eti9egDs6H0SB3FFI3","url":"https://optimistic.etherscan.io/address/0x6B34A6B84444dC3Fc692821D5d077a1e4927342d","type":"smart_contract","addedAt":"2025-11-07T09:09:45.526Z","revision":0,"description":"ALM_RATE_LIMITS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1xQxwL2oSNTmpriANvDkcW","url":"https://basescan.org/address/0xfda082e00EF89185d9DB7E5DcD8c5505070F5A3B","type":"smart_contract","addedAt":"2025-11-07T09:08:41.034Z","revision":0,"description":"SPARK_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1y7GgxBBSwNSdL2d2lV34M","url":"https://snowtrace.io/address/0xb79972e8B21f0dE911E65AC342ac85ad38C9A77a#code","type":"smart_contract","addedAt":"2025-12-05T20:36:15.577Z","revision":0,"description":"ALM_RATE_LIMITS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"20QIwmFtRrzIUpZJ1PHfoQ","url":"https://snowtrace.io/address/0x4eE67c8Db1BAa6ddE99d936C7D313B5d31e8fa38#code","type":"smart_contract","addedAt":"2025-12-05T20:42:48.588Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"20vsRXxJFFSltWiRXvPcvh","url":"https://gnosisscan.io/address/0x3A98aBC6F46CA2Fc6c7d06eD02184D63C55e19B2","
type":"smart_contract","addedAt":"2025-11-07T09:09:01.970Z","revision":0,"description":"USDT_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"21AtXMkDeWgZH8hlDaIuXk","url":"https://uniscan.xyz/address/0x1566BFA55D95686a823751298533D42651183988#code","type":"smart_contract","addedAt":"2025-12-05T20:41:42.413Z","revision":0,"description":"SSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"26QcodZDmb2tznbEonUUkY","url":"https://blockscout.com/xdai/mainnet/address/0x2Dae5307c5E3FD1CF5A72Cb6F698f915860607e0#code","type":"smart_contract","addedAt":"2025-12-05T20:36:45.592Z","revision":0,"description":"POOL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"27dMBVeWuj5coh1BIuZLHV","url":"https://basescan.org/address/0x2Dd2a2Fe346B5704380EfbF6Bd522042eC3E8FAe","type":"smart_contract","addedAt":"2025-11-07T09:08:44.834Z","revision":0,"description":"DSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"28He8JeUM6Fxhvcyq1oAJ3","url":"https://etherscan.io/address/0xfE57e187EF6285e90d7049e6a21571aa47cF11a2#code","type":"smart_contract","addedAt":"2025-12-05T20:34:04.993Z","revision":0,"description":"RATES_FACTORY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"28usUZspSMEyQplnOouIf7","url":"https://etherscan.io/address/0x9985dF20D7e9103ECBCeb16a84956434B6f06ae8#code","type":"smart_contract","addedAt":"2025-12-05T20:31:35.586Z","revision":0,"description":"RETH_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2BUz6pDiLs4FHLTgTcXgkl","url":"https://arbiscan.io/address/0x2B05F8e1cACC6974fD79A673a341Fe1f58d27266#code","type":"smart_contract","addedAt":"2025-12-05T20:35:27.345Z","revision":0,"description":"PSM3","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2DTAzzj4p2ZqLoA6v2WMSO","url":"https://arbiscan.io/address/0x73750DbD85753074e452B2C27fB9e3B0E75Ff3B8#code","type":"smart_contract","addedAt":"2025-12-05T20:35:55.436Z","revision":0,"description":"DSR_BALANCER_RATE_PROVIDER","isSafeHarbor"
:false,"isPrimacyOfImpact":false},{"id":"2EtutcmkQMyOOrNhTgyfVT","url":"https://etherscan.io/address/0x2Ad00613A66D71Ff2B0607fB3C4632C47a50DADe#code","type":"smart_contract","addedAt":"2025-12-05T20:34:48.845Z","revision":0,"description":"EMODE_LOGIC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2G8zcvIkmFgaJsHLeKfXwr","url":"https://blockscout.com/xdai/mainnet/address/0x397b97b572281d0b3e3513BD4A7B38050a75962b#code","type":"smart_contract","addedAt":"2025-12-05T20:38:47.640Z","revision":0,"description":"USDCE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2JhGnmlzfippQF5M3UKWUi","url":"https://explorer.optimism.io/address/0xE2868095814c2714039b3A9eBEE035B9E2c411E5#code","type":"smart_contract","addedAt":"2025-12-05T20:41:04.123Z","revision":0,"description":"SSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2KncAiGsAy2M96bhhOwCvy","url":"https://snowtrace.io/address/0x7566DEbC906C17338524A414343fA61BcA26A843#code","type":"smart_contract","addedAt":"2025-12-05T20:35:59.378Z","revision":0,"description":"SPARK_EXECUTOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2KuL2pIV9TgvA9KFrJDnHK","url":"https://snowscan.xyz/address/0x28B3a8fb53B741A8Fd78c0fb9A6B2393d896a43d","type":"smart_contract","addedAt":"2025-10-21T06:52:38.982Z","revision":0,"description":"spUSDC 
Avalanche","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2MkkGLdNtIbL9HJLr7ouEZ","url":"https://blockscout.com/xdai/mainnet/address/0x868ADfDf12A86422524EaB6978beAE08A0008F37#code","type":"smart_contract","addedAt":"2025-12-05T20:38:10.658Z","revision":0,"description":"WXDAI_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Ni8nj9iiCgATBY0ktWwan","url":"https://snowtrace.io/address/0xC2C0582D1cCe30449cF561C7b9C4D6d527547F12#code","type":"smart_contract","addedAt":"2025-12-05T20:36:20.035Z","revision":0,"description":"SPARK_VAULT_V2_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2O2In1BsuRxps1OCGWFRlQ","url":"https://etherscan.io/address/0x4662C88C542F0954F8CccCDE4542eEc32d7E7e9a#code","type":"smart_contract","addedAt":"2025-12-05T20:34:37.529Z","revision":0,"description":"BORROW_LOGIC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2PBh9nBQfkFNQAHs3LPW02","url":"https://snowtrace.io/address/0xecE6B0E8a54c2f44e066fBb9234e7157B15b7FeC#code","type":"smart_contract","addedAt":"2025-12-05T20:36:11.857Z","revision":0,"description":"ALM_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2QAIpsSn5Bsox7MUKwpmZx","url":"https://etherscan.io/address/0x3254F7cd0565aA67eEdC86c2fB608BE48d5cCd78#code","type":"smart_contract","addedAt":"2025-12-05T20:33:57.291Z","revision":0,"description":"CONFIG_ENGINE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2QOasskwZRigVtfTjZAZin","url":"https://arbiscan.io/address/0xE206AEbca7B28e3E8d6787df00B010D4a77c32F3#code","type":"smart_contract","addedAt":"2025-12-05T20:35:47.605Z","revision":0,"description":"DSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2V4iZqwOAU7F5PwjrQtaD5","url":"https://blockscout.com/xdai/mainnet/address/0xCF86A65779e88bedfF0319FE13aE2B47358EB1bF#code","type":"smart_contract","addedAt":"2025-12-05T20:39:50.767Z","revision":0,"description":"POOL_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2WoxoxpN3FSQWiTq0AHKp1","ur
l":"https://gnosisscan.io/address/0xd2AeF86F51F92E8e49F42454c287AE4879D1BeDc","type":"smart_contract","addedAt":"2025-11-07T09:09:09.555Z","revision":0,"description":"WALLET_BALANCE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Xrd3jqqD1XAB81i2V2Erf","url":"https://subnets.avax.network/c-chain/address/0x4E64b576F72c237690F27727376186639447f096","type":"smart_contract","addedAt":"2025-11-07T09:09:10.727Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2YQ4N8e5QCp1if0NkQH5jc","url":"https://uniscan.xyz/address/0x5A1a44D2192Dd1e21efB9caA50E32D0716b35535#code","type":"smart_contract","addedAt":"2025-12-05T20:41:35.358Z","revision":0,"description":"ALM_RATE_LIMITS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Zp1DxDmnw69XRYG03bHII","url":"https://unichain.blockscout.com/address/0x93c81ADc7F98FdBC8C7a15eCBeD312c8F6adbcB3","type":"smart_contract","addedAt":"2025-11-07T08:48:02.202Z","revision":0,"description":"SSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2a6IFWTXNsA7nMdJvhX7WA","url":"https://etherscan.io/address/0x856900aa78e856a5df1a2665eE3a66b2487cD68f#code","type":"smart_contract","addedAt":"2025-12-05T20:30:11.843Z","revision":0,"description":"DAI_TREASURY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2dlmoVCTK60mPKhgDqDlE0","url":"https://blockscout.com/xdai/mainnet/address/0x08B0cAebE352c3613302774Cd9B82D08afd7bDC4#code","type":"smart_contract","addedAt":"2025-12-05T20:38:51.910Z","revision":0,"description":"USDT_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ei6BsL4kShB7YX96rmgiP","url":"https://etherscan.io/address/0x777803CbDD89D5D5Bc1DdD2151B51b0B07F6bf37#code","type":"smart_contract","addedAt":"2025-12-05T20:34:08.833Z","revision":0,"description":"TRANSPARENT_PROXY_FACTORY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2eliVtRqlZ83QyHTa1Px8d","url":"https://ethersca
n.io/address/0x542DBa469bdE58FAeE189ffB60C6b49CE60E0738#code","type":"smart_contract","addedAt":"2025-12-05T20:30:33.139Z","revision":0,"description":"POOL_CONFIGURATOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2f7b4E1Bz7yEQEuo3HkCZT","url":"https://blockscout.com/xdai/mainnet/address/0xf76B8262dfd60fb7432C6b55E91f42b6da953647#code","type":"smart_contract","addedAt":"2025-12-05T20:40:05.461Z","revision":0,"description":"PROXY_ADMIN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2gYDN1I4orGTl3YARnGGeP","url":"https://etherscan.io/address/0x9e2890BF7f8D5568Cc9e5092E67Ba00C8dA3E97f#code","type":"smart_contract","addedAt":"2025-12-05T20:29:16.625Z","revision":0,"description":"SPELL_FREEZE_ALL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2hxicRBeMkKZA40KvIGHME","url":"https://blockscout.com/xdai/mainnet/address/0x764b4AB9bCA18eB633d92368F725765Ebb8f047C#code","type":"smart_contract","addedAt":"2025-12-05T20:39:27.047Z","revision":0,"description":"INCENTIVES_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2iBFTOQkwxc6UvLyLFSLcB","url":"https://etherscan.io/address/0x4DEDf26112B3Ec8eC46e7E31EA5e123490B05B8B#code","type":"smart_contract","addedAt":"2025-12-05T20:30:58.756Z","revision":0,"description":"DAI_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2kY9jEM8TkvfwBS8YHjuQM","url":"https://blockscout.com/xdai/mainnet/address/0x9Ee4271E17E3a427678344fd2eE64663Cb78B4be#code","type":"smart_contract","addedAt":"2025-12-05T20:37:36.827Z","revision":0,"description":"WSTETH_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2mEHL2g0ZFUuZ8GyoG1aRl","url":"https://gnosisscan.io/address/0x8220096398c3Dc2644026E8864f5D80Ef613B437","type":"smart_contract","addedAt":"2025-11-07T09:08:51.559Z","revision":0,"description":"TREASURY_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2mQBMDgokD5AktkpQGYyeg","url":"https://uniscan.xyz/address/0x345E368fcCd62266B3f5F37C9a131FD1c39f5869#code","type":"sma
rt_contract","addedAt":"2025-12-05T20:41:30.760Z","revision":0,"description":"ALM_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2o6IoG7SRJ3obb2hqzyiOf","url":"https://subnets.avax.network/c-chain/address/0xC2C0582D1cCe30449cF561C7b9C4D6d527547F12","type":"smart_contract","addedAt":"2025-11-07T09:09:12.017Z","revision":0,"description":"SPARK_VAULT_V2_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ojbRKvtgoiJZJ4KPXS2NH","url":"https://arbiscan.io/address/0x567214Dc57a2385Abc4a756f523ddF0275305Cbc#code","type":"smart_contract","addedAt":"2025-12-05T20:35:43.684Z","revision":0,"description":"SSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2qU1fH8KlLc7m7PQtNwA6","url":"https://arbiscan.io/address/0xc0737f29b964e6fC8025F16B30f2eA4C2e2d6f22#code","type":"smart_contract","addedAt":"2025-12-05T20:35:35.673Z","revision":0,"description":"SSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2qxpz1wfRgOq0HqaeJGABB","url":"https://etherscan.io/address/0x8Ed551D485701fe489c215E13E42F6fc59563e0e#code","type":"smart_contract","addedAt":"2025-12-05T20:28:18.081Z","revision":0,"description":"BASE_DSR_FORWARDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2rJlzGL50JQoyEJPbJHEcC","url":"https://github.com/marsfoundation/xchain-ssr-oracle/blob/master/src/forwarders/SSROracleForwarderOptimism.sol","type":"smart_contract","addedAt":"2024-10-30T04:11:54.538Z","revision":0,"description":"SSROracleForwarderOptimism","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2rYq1WxGbLNiZC2L6sjXZO","url":"https://github.com/marsfoundation/aave-v3-core/blob/master/contracts/protocol/tokenization/StableDebtToken.sol","type":"smart_contract","addedAt":"2023-10-30T15:53:14.948Z","revision":0,"description":"StableDebtToken 
(proxy)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2tJ6AnKWMExno1FVgufxks","url":"https://uniscan.xyz/address/0x4A71f81C6109230932978bAB7CA746f0be0C4580#code","type":"smart_contract","addedAt":"2025-12-05T20:41:53.969Z","revision":0,"description":"SSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2tQeD1bKwjKHDwYOiraB65","url":"https://etherscan.io/address/0xb9E6DBFa4De19CCed908BcbFe1d015190678AB5f","type":"smart_contract","addedAt":"2023-10-30T15:52:59.424Z","revision":0,"description":"SavingsDaiOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2tvRy3GhNizSPH3pc2Lzct","url":"https://etherscan.io/address/0x8c147debea24Fb98ade8dDa4bf142992928b449e#code","type":"smart_contract","addedAt":"2025-12-05T20:32:19.361Z","revision":0,"description":"USDS_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2u5HN68GQiLzm5V2sTfyFS","url":"https://etherscan.io/address/0xd2AeF86F51F92E8e49F42454c287AE4879D1BeDc#code","type":"smart_contract","addedAt":"2025-12-05T20:34:31.725Z","revision":0,"description":"WALLET_BALANCE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"33IhVJxlgcYGGvXtxc6WZk","url":"https://basescan.org/address/0xCBA0C0a2a0B6Bb11233ec4EA85C5bFfea33e724d#code","type":"smart_contract","addedAt":"2025-12-05T20:43:14.951Z","revision":0,"description":"ALM_PROXY_FREEZABLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"34qVklqtg2EZvKn7NhIY5t","url":"https://uniscan.xyz/address/0x93c81ADc7F98FdBC8C7a15eCBeD312c8F6adbcB3#code","type":"smart_contract","addedAt":"2025-12-05T20:41:45.952Z","revision":0,"description":"SSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"38LCJTJa886MPhCqLQmsGq","url":"https://etherscan.io/address/0x5aE329203E00f76891094DcfedD5Aca082a50e1b#code","type":"smart_contract","addedAt":"2025-12-05T20:33:45.118Z","revision":0,"description":"POOL_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"38vhutX32HFTmmsWHOhDXw","url":"https:/
/etherscan.io/address/0x856f1Ea78361140834FDCd0dB0b08079e4A45062#code","type":"smart_contract","addedAt":"2025-12-05T20:31:44.092Z","revision":0,"description":"RSETH_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"39osx9FCvBeI6Hl53vXnEk","url":"https://basescan.org/address/0xeC0C14Ea7fF20F104496d960FDEBF5a0a0cC14D0","type":"smart_contract","addedAt":"2025-11-07T09:08:45.865Z","revision":0,"description":"DSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3BH4GP3XreT6N5KenP49jA","url":"https://gnosisscan.io/address/0x629D562E92fED431122e865Cc650Bc6bdE6B96b0","type":"smart_contract","addedAt":"2025-11-07T09:08:53.748Z","revision":0,"description":"WETH_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3GbqIPm2l8C1DJF7pb8t2p","url":"https://github.com/marsfoundation/aave-v3-core/blob/master/contracts/protocol/tokenization/AToken.sol","type":"smart_contract","addedAt":"2023-10-30T15:50:07.642Z","revision":0,"description":"AToken (proxy)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3HttN6eIbU83FE3j6gufLw","url":"https://blockscout.com/xdai/mainnet/address/0xb9E6DBFa4De19CCed908BcbFe1d015190678AB5f#code","type":"smart_contract","addedAt":"2025-12-05T20:37:00.570Z","revision":0,"description":"TREASURY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3M1DgFovmJudbBP6d9hh69","url":"https://etherscan.io/address/0xaBc57081C04D921388240393ec4088Aa47c6832B#code","type":"smart_contract","addedAt":"2025-12-05T20:31:47.952Z","revision":0,"description":"SDAI_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3MHrV1AeFiadltRxN3vMKr","url":"https://gnosisscan.io/address/0x91277b74a9d1Cc30fA0ff4927C287fe55E307D78","type":"smart_contract","addedAt":"2025-11-07T09:09:07.951Z","revision":0,"description":"TRANSPARENT_PROXY_FACTORY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3MJHLdpKlFypK0gayvxlJk","url":"https://etherscan.io/address/0xC02aB1A5eaA8d1B114EF786D9bde108cD4364359#code","type
":"smart_contract","addedAt":"2025-12-05T20:32:24.029Z","revision":0,"description":"USDS_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3OEu2tvNsAwHHm2Eyef7z4","url":"https://blockscout.com/xdai/mainnet/address/0x2a002054A06546bB5a264D57A81347e23Af91D18#code","type":"smart_contract","addedAt":"2025-12-05T20:40:19.543Z","revision":0,"description":"PROTOCOL_DATA_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3OZjHDfUdrYBJ1pmhHILQi","url":"https://etherscan.io/address/0x46256841e36b7557BB8e4c706beD38b17A9EB2c1#code","type":"smart_contract","addedAt":"2025-12-05T20:35:05.382Z","revision":0,"description":"SUPPLY_LOGIC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3R85r6baZpJJ7QtEPmIYYl","url":"https://blockscout.com/xdai/mainnet/address/0x86C71796CcDB31c3997F8Ec5C2E3dB3e9e40b985#code","type":"smart_contract","addedAt":"2025-12-05T20:36:35.004Z","revision":0,"description":"ACL_MANAGER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3RmtDZXuZxBkvOJr3LpING","url":"https://etherscan.io/address/0x2276f52afba7Cf2525fd0a050DF464AC8532d0ef#code","type":"smart_contract","addedAt":"2025-12-05T20:33:16.064Z","revision":0,"description":"CAP_AUTOMATOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3SCKGqwWacKFEW2zf2OKKI","url":"https://blockscout.com/xdai/mainnet/address/0x856900aa78e856a5df1a2665eE3a66b2487cD68f#code","type":"smart_contract","addedAt":"2025-12-05T20:39:21.441Z","revision":0,"description":"A_TOKEN_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3TUcULkt0uKkuKSpwsF1LB","url":"https://subnets.avax.network/c-chain/address/0x7566DEbC906C17338524A414343fA61BcA26A8430xAf76856f788519704a9411839614e144FEd52d8a","type":"smart_contract","addedAt":"2025-11-07T09:09:12.776Z","revision":0,"description":"SPARK_REWARDS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3UTg87AJDNs20iU2vnAHgV","url":"https://etherscan.io/address/0xfE6eb3b609a7C8352A241f7F3A21CEA4e9209B8f#code","type":"smart_contract","ad
dedAt":"2025-12-05T20:28:07.826Z","revision":0,"description":"SPARK_VAULT_V2_SPETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3V3tQ5Q6lhHM46sqEHNR8e","url":"https://blockscout.com/xdai/mainnet/address/0x36eddc380C7f370e5f05Da5Bd7F970a27f063e39#code","type":"smart_contract","addedAt":"2025-12-05T20:40:09.004Z","revision":0,"description":"CONFIG_ENGINE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3VXa1HGuAzyA7SvKw2FA3w","url":"https://gnosisscan.io/address/0x8105f69D9C41644c6A0803fDA7D03Aa70996cFD9","type":"smart_contract","addedAt":"2025-11-07T09:08:47.533Z","revision":0,"description":"AAVE_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3VYH8ebOr4ceEcr45Y6yus","url":"https://gnosisscan.io/address/0x2Fc8823E1b967D474b47Ae0aD041c2ED562ab588","type":"smart_contract","addedAt":"2025-11-07T09:08:50.719Z","revision":0,"description":"POOL_CONFIGURATOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Wu8nWRZmCxyFA73AtXVrI","url":"https://arbiscan.io/address/0x19D08879851FB54C2dCc4bb32b5a1EA5E9Ad6838#code","type":"smart_contract","addedAt":"2025-12-05T20:35:24.065Z","revision":0,"description":"ALM_RATE_LIMITS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Ydla40e1HG5q2ZC3yDVmv","url":"https://blockscout.com/xdai/mainnet/address/0x571501be53711c372cE69De51865dD34B87698D5#code","type":"smart_contract","addedAt":"2025-12-05T20:39:58.085Z","revision":0,"description":"TREASURY_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3bEe6FdKatO6LfysyCcZYh","url":"https://unichain.blockscout.com/address/0xb037C43b433964A2017cd689f535BEb6B0531473","type":"smart_contract","addedAt":"2025-11-07T08:47:58.618Z","revision":0,"description":"SPARK_EXECUTOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3cQUlD87ThRpWnlPmEd3AQ","url":"https://blockscout.com/xdai/mainnet/address/0xF028c2F4b19898718fD0F77b9b881CbfdAa5e8Bb#code","type":"smart_contract","addedAt":"2025-12-05T20:40:26.783Z","revision":0,"description":"UI_POOL_
DATA_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3cZVPWnB1MxQV9VOHPfPtx","url":"https://unichain.blockscout.com/address/0x345E368fcCd62266B3f5F37C9a131FD1c39f5869","type":"smart_contract","addedAt":"2025-11-07T08:48:00.100Z","revision":0,"description":"ALM_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3dcNxJgOQiex21ETQbpZFk","url":"https://etherscan.io/address/0xc6132FAF04627c8d05d6E759FAbB331Ef2D8F8fD#code","type":"smart_contract","addedAt":"2025-12-05T20:03:04.674Z","revision":0,"description":"STSPK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3eWf4zHVk8sHoMsTVWz2Zd","url":"https://gnosisscan.io/address/0x571501be53711c372cE69De51865dD34B87698D5","type":"smart_contract","addedAt":"2025-11-07T09:09:05.940Z","revision":0,"description":"TREASURY_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3gLfcSssYCEvUS0etiavzN","url":"https://unichain.blockscout.com/address/0x4A71f81C6109230932978bAB7CA746f0be0C4580","type":"smart_contract","addedAt":"2025-11-07T08:48:03.165Z","revision":0,"description":"SSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3iCh8lDY4peelbErp2ljnV","url":"https://etherscan.io/address/0x909A86f78e1cdEd68F9c2Fe2c9CD922c401abe82#code","type":"smart_contract","addedAt":"2025-12-05T20:33:23.018Z","revision":0,"description":"KILL_SWITCH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3jMxCWebQqQBF7tNNhGX83","url":"https://gnosisscan.io/address/0x49d24798d3b84965F0d1fc8684EF6565115e70c1","type":"smart_contract","addedAt":"2025-11-07T09:08:50.323Z","revision":0,"description":"POOL_ADDRESSES_PROVIDER_REGISTRY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3jtK84Ef1A5UhpL8bKNaGF","url":"https://gnosisscan.io/address/0x868ADfDf12A86422524EaB6978beAE08A0008F37","type":"smart_contract","addedAt":"2025-11-07T09:08:56.994Z","revision":0,"description":"WXDAI_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3kGY22oQ7U7by7v8nrVfBW","url":"https://b
lockscout.com/xdai/mainnet/address/0xC9Fe2D32E96Bb364c7d29f3663ed3b27E30767bB#code","type":"smart_contract","addedAt":"2025-12-05T20:37:49.124Z","revision":0,"description":"WXDAI_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3lSDhPUHUli6qRVYDVAL7","url":"https://etherscan.io/address/0x577Fa18a498e1775939b668B0224A5e5a1e56fc3#code","type":"smart_contract","addedAt":"2025-11-05T07:08:20.811Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3mCyJSiiBRBCyTjIovtjrU","url":"https://etherscan.io/address/0x1A229AdbAC83A948226783F2A3257B52006247D5#code","type":"smart_contract","addedAt":"2025-12-05T20:28:14.723Z","revision":0,"description":"ARBITRUM_SSR_FORWARDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3mzTWkEli4zKibjo6GiC2W","url":"https://etherscan.io/address/0x425b0de240b4c2DC45979DB782A355D090Dc4d37#code","type":"smart_contract","addedAt":"2025-12-05T20:29:37.779Z","revision":0,"description":"SPELL_PAUSE_ALL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3omDjUh3BYoJ5sRBcLRoAf","url":"https://snowtrace.io/address/0x4E64b576F72c237690F27727376186639447f096#code","type":"smart_contract","addedAt":"2025-12-05T20:36:07.459Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3qdYySCeSy2L37Vjgzh0Pf","url":"https://optimistic.etherscan.io/address/0x8e3b08e65cC59d293932F5e9aF3186970087a529","type":"smart_contract","addedAt":"2025-11-07T09:09:47.028Z","revision":0,"description":"SSR_CHAINLINK_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3qopENbLZ2ZY4Rif8QeJeQ","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2023-10-30T15:56:15.852Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"3qvCRZAbl3X2gdxRDmrCdq","url":"https://etherscan.io/address/0x7B70D04099CB9cfb1Db7B6820baDAfB4C5C70A67#code","type":"smart_contract","addedAt":"2025-12-05T20:32:11.922Z","revision":0,"description":"USDC_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3rOwvOkwwmAOeOVPp7e8n0","url":"https://gnosisscan.io/address/0x4370D3b6C9588E02ce9D22e684387859c7Ff5b34","type":"smart_contract","addedAt":"2025-11-07T09:09:05.514Z","revision":0,"description":"STABLE_DEBT_TOKEN_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3rVlhgledbfabhhXvjs0gw","url":"https://uniscan.xyz/address/0x9B1BEB11CFE05117029a30eb799B6586125321FF#code","type":"smart_contract","addedAt":"2025-12-05T20:41:26.977Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3tBacSGRq763JHgFC629jJ","url":"https://blockscout.com/xdai/mainnet/address/0x8220096398c3Dc2644026E8864f5D80Ef613B437#code","type":"smart_contract","addedAt":"2025-12-05T20:37:06.538Z","revision":0,"description":"TREASURY_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3tHaCTsyMbhNDKNp4hy3tM","url":"https://etherscan.io/address/0x6Ac25B8638767a3c27a65597A74792d599038724#code","type":"smart_contract","addedAt":"2025-12-05T20:28:28.164Z","revision":0,"description":"OPTIMISM_SSR_FORWARDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3u6xhmDOi7ZcbSBiqp1uBE","url":"https://gnosisscan.io/address/0x80F87B8F9c1199e468923D8EE87cEE311690FDA6","type":"smart_contract","addedAt":"2025-11-07T09:09:03.051Z","revision":0,"description":"EURE_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3urOZjwHxEuoPSm9PrykXk","url":"https://basescan.org/address/0xaDEAf02Ddb5Bed574045050B8096307bE66E0676","type":"smart_contract","addedAt":"2025-11-07T09:08:45.454Z","revision":0,"description":"DSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3vxdAvidHB6lc7viErBRIk","u
rl":"https://optimistic.etherscan.io/address/0x6E53585449142A5E6D5fC918AE6BEa341dC81C68","type":"smart_contract","addedAt":"2025-11-07T09:09:46.266Z","revision":0,"description":"SSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3wtwiPOdsuOdsWII7HwkAF","url":"https://arbiscan.io/address/0x98f567464e91e9B4831d3509024b7868f9F79ee1#code","type":"smart_contract","addedAt":"2025-12-05T20:35:16.982Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3xJNOeQQKRkXo185CaNyEv","url":"https://blockscout.com/xdai/mainnet/address/0x3A98aBC6F46CA2Fc6c7d06eD02184D63C55e19B2#code","type":"smart_contract","addedAt":"2025-12-05T20:38:59.808Z","revision":0,"description":"USDT_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3y1p3Bjlm7xZME2wl07jEx","url":"https://etherscan.io/address/0x9107F5f940226A9f21433F373A4f938228d20e1A#code","type":"smart_contract","addedAt":"2025-12-05T20:29:44.944Z","revision":0,"description":"COOKIE3_REWARDS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3y6dD1n4a8aqHiK1SDV4tq","url":"https://arbiscan.io/address/0xC40611AC4Fff8572Dc5F02A238176edCF15Ea7ba#code","type":"smart_contract","addedAt":"2025-12-05T20:43:07.058Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"406XaHPLwUjKPA4iUJdgA0","url":"https://blockscout.com/xdai/mainnet/address/0xd4bAbF714964E399f95A7bb94B3DeaF22d9F575d#code","type":"smart_contract","addedAt":"2025-12-05T20:37:22.961Z","revision":0,"description":"GNO_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"40mVLkmFJ6YBNnCctbwHbr","url":"https://blockscout.com/xdai/mainnet/address/0xA7F8A757C4f7696c015B595F51B2901AC0121B18#code","type":"smart_contract","addedAt":"2025-12-05T20:40:22.968Z","revision":0,"description":"UI_INCENTIVE_DATA_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"43laizI7xBT3cbXz12RVF5","url":"https://blockscout.com/xdai/mainnet/address/0x56
71b0B8aC13DC7813D36B99C21c53F6cd376a14#code","type":"smart_contract","addedAt":"2025-12-05T20:37:15.978Z","revision":0,"description":"GNO_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"45Kf5HUTtu47kvcn7T11fl","url":"https://etherscan.io/address/0x7f44e1c1dE70059D7cc483378BEFeE2a030CE247#code","type":"smart_contract","addedAt":"2025-12-05T20:34:52.515Z","revision":0,"description":"FLASH_LOAN_LOGIC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ACRtj6oukRXA9JR1hcICO","url":"https://gnosisscan.io/address/0x86C71796CcDB31c3997F8Ec5C2E3dB3e9e40b985","type":"smart_contract","addedAt":"2025-11-07T09:08:47.987Z","revision":0,"description":"ACL_MANAGER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Bd6Pkx8kNI1uTkzXl1Xbb","url":"https://etherscan.io/address/0xF1E57711Eb5F897b415de1aEFCB64d9BAe58D312#code","type":"smart_contract","addedAt":"2025-12-05T20:33:33.850Z","revision":0,"description":"DAI_TREASURY_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4EfnWLDLemmR4Zuq3jiSlc","url":"https://explorer.optimism.io/address/0x6E53585449142A5E6D5fC918AE6BEa341dC81C68#code","type":"smart_contract","addedAt":"2025-12-05T20:40:53.487Z","revision":0,"description":"SSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4GwxksMpaVuWZr1bV1DHt7","url":"https://explorer.optimism.io/address/0x8e3b08e65cC59d293932F5e9aF3186970087a529#code","type":"smart_contract","addedAt":"2025-12-05T20:41:00.438Z","revision":0,"description":"SSR_CHAINLINK_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4GyviWrnCvdloSmGtC4okY","url":"https://gnosisscan.io/address/0x856900aa78e856a5df1a2665eE3a66b2487cD68f","type":"smart_contract","addedAt":"2025-11-07T09:09:03.946Z","revision":0,"description":"A_TOKEN_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4HT6CgorXjnEcyBaW80rKj","url":"https://etherscan.io/address/0x026a5B6114431d8F3eF2fA0E1B2EDdDccA9c540E#code","type":"smart_contract","addedAt":"2025-12-05T20:33:48
.991Z","revision":0,"description":"STABLE_DEBT_TOKEN_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4LNfGyNRpZxZCFjT7EDN5f","url":"https://gnosisscan.io/address/0xBD7D6a9ad7865463DE44B05F04559f65e3B11704","type":"smart_contract","addedAt":"2025-11-07T09:08:51.996Z","revision":0,"description":"WETH_GATEWAY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4MBU0hDbZtNqiak8WLXI1r","url":"https://github.com/marsfoundation/spark-alm-controller/blob/master/src/ForeignController.sol","type":"smart_contract","addedAt":"2024-10-30T04:10:05.933Z","revision":0,"description":"ForeignController","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4N1nzuTeOivzYXr0ulKWeK","url":"https://explorer.optimism.io/address/0x689502bc817E6374286af8f171Ed4715721406f7#code","type":"smart_contract","addedAt":"2025-12-05T20:43:00.061Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4PQQR9BZUD1JZ6qiiNOFvR","url":"https://gnosisscan.io/address/0xf76B8262dfd60fb7432C6b55E91f42b6da953647","type":"smart_contract","addedAt":"2025-11-07T09:09:06.695Z","revision":0,"description":"PROXY_ADMIN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4QsD3iDhfFU22x5RsJu5Qz","url":"https://unichain.blockscout.com/address/0x5A1a44D2192Dd1e21efB9caA50E32D0716b35535","type":"smart_contract","addedAt":"2025-11-07T08:48:00.725Z","revision":0,"description":"ALM_RATE_LIMITS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4UwFctn3MtNeIWtrwcJIjV","url":"https://snowtrace.io/address/0xd905be48983D405C6fD7f5a983D2351fb61C691F#code","type":"smart_contract","addedAt":"2025-12-05T20:36:03.797Z","revision":0,"description":"SPARK_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4UweEjpUOoCxDpxAxwOiuN","url":"https://blockscout.com/xdai/mainnet/address/0xe21Bf3FB5A2b5Bf7BAE8c6F1696c4B097F5D2f93#code","type":"smart_contract","addedAt":"2025-12-05T20:37:29.854Z","revision":0,"description":"WETH_STABLE_DEBT_TOKEN","isSafeHarbor"
:false,"isPrimacyOfImpact":false},{"id":"4XD8GpBzQK5s0MawMGVlHY","url":"https://etherscan.io/address/0xF028c2F4b19898718fD0F77b9b881CbfdAa5e8Bb#code","type":"smart_contract","addedAt":"2025-12-05T20:34:20.545Z","revision":0,"description":"UI_POOL_DATA_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Y88AEFJgDd4v3FHNqWqh1","url":"https://blockscout.com/xdai/mainnet/address/0x91277b74a9d1Cc30fA0ff4927C287fe55E307D78#code","type":"smart_contract","addedAt":"2025-12-05T20:40:16.047Z","revision":0,"description":"TRANSPARENT_PROXY_FACTORY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Z28UgfonzSEw2GUx1UOIi","url":"https://blockscout.com/xdai/mainnet/address/0xBD7D6a9ad7865463DE44B05F04559f65e3B11704#code","type":"smart_contract","addedAt":"2025-12-05T20:37:10.513Z","revision":0,"description":"WETH_GATEWAY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4bhYRvKxyv1jZU1rbGXUnw","url":"https://etherscan.io/address/0xA34437dAAE56A7CC6DC757048933D7777b3e547B#code","type":"smart_contract","addedAt":"2025-12-05T20:28:37.996Z","revision":0,"description":"WORLD_CHAIN_DSR_FORWARDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4dOaadDV57JmmHMkW82oXM","url":"https://blockscout.com/xdai/mainnet/address/0x629D562E92fED431122e865Cc650Bc6bdE6B96b0#code","type":"smart_contract","addedAt":"2025-12-05T20:37:26.515Z","revision":0,"description":"WETH_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4gGcNKtDF4fbVyA6ny2t8r","url":"https://optimistic.etherscan.io/address/0xE206AEbca7B28e3E8d6787df00B010D4a77c32F3","type":"smart_contract","addedAt":"2025-11-07T09:09:48.218Z","revision":0,"description":"DSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ilwhBm7unazU9i275vR6k","url":"https://etherscan.io/address/0x883A82BDd3d07ae6ACfD151020faD350df25087e#code","type":"smart_contract","addedAt":"2025-12-05T20:34:00.958Z","revision":0,"description":"PROXY_ADMIN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4kKN9d
v4UzA8hcS89ocnyU","url":"https://github.com/marsfoundation/xchain-ssr-oracle/blob/master/src/adapters/SSRBalancerRateProviderAdapter.sol","type":"smart_contract","addedAt":"2024-10-30T04:11:16.125Z","revision":0,"description":"SSRBalancerRateProviderAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4nK4UJZBd39QGY3OZeZIjT","url":"https://blockscout.com/xdai/mainnet/address/0x0b33480d3FbD1E2dBE88c82aAbe191D7473759D5#code","type":"smart_contract","addedAt":"2025-12-05T20:39:17.448Z","revision":0,"description":"EURE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4qT3ok3Mf9RUopruuPaesG","url":"https://etherscan.io/address/,0xce6Ca9cDce00a2b0c0d1dAC93894f4Bd2c960567","type":"smart_contract","addedAt":"2025-11-07T09:09:27.052Z","revision":0,"description":"TBTC_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4r7zF7loGlKOOFZNYX1yFo","url":"https://basescan.org/address/0x65d946e533748A998B1f0E430803e39A6388f7a1","type":"smart_contract","addedAt":"2025-11-07T09:08:43.139Z","revision":0,"description":"SSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4riRcqM1NJRb314E5LjYe0","url":"https://blockscout.com/xdai/mainnet/address/0x49d24798d3b84965F0d1fc8684EF6565115e70c1#code","type":"smart_contract","addedAt":"2025-12-05T20:36:52.617Z","revision":0,"description":"POOL_ADDRESSES_PROVIDER_REGISTRY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4seKAXHuc5axwNVAnH6dq1","url":"https://optimistic.etherscan.io/address/0x205216D89a00FeB2a73273ceecD297BAf89d576d","type":"smart_contract","addedAt":"2025-11-07T09:09:43.941Z","revision":0,"description":"SPARK_EXECUTOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4t0QlEYix9Ks8utbsQd48z","url":"https://gnosisscan.io/address/0x0F0e336Ab69D9516A9acF448bC59eA0CE79E4a42","type":"smart_contract","addedAt":"2025-11-07T09:08:55.372Z","revision":0,"description":"WSTETH_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4tpqLktgO4VhvBQXjTVLG
P","url":"https://unichain.blockscout.com/address/0x9B1BEB11CFE05117029a30eb799B6586125321FF","type":"smart_contract","addedAt":"2025-11-07T08:47:59.670Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4u3nC5xX7HupLlCKJ6bjn","url":"https://gnosisscan.io/address/0xA34DB0ee8F84C4B90ed268dF5aBbe7Dcd3c277ec","type":"smart_contract","addedAt":"2025-11-07T09:08:59.850Z","revision":0,"description":"USDCE_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ujj4gaYFiHSC1Ojsf0Dhr","url":"https://etherscan.io/address/0x6aEa92693C527bC2c7B3171C6f2598d67d619088#code","type":"smart_contract","addedAt":"2025-12-05T20:34:57.120Z","revision":0,"description":"LIQUIDATION_LOGIC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4vIhZI3X01p5Qe0krJ5LoX","url":"https://worldscan.org/address/0xE206AEbca7B28e3E8d6787df00B010D4a77c32F3#code","type":"smart_contract","addedAt":"2025-12-05T20:42:39.024Z","revision":0,"description":"DSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4wXOY7Di84ZfVjGpyTC3SV","url":"https://optimistic.etherscan.io/address/0x15ACEE5F73b36762Ab1a6b7C98787b8148447898","type":"smart_contract","addedAt":"2025-11-07T09:09:48.679Z","revision":0,"description":"DSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"51817iw1DK9LFCuicpgKKt","url":"https://etherscan.io/address/0xA7F8A757C4f7696c015B595F51B2901AC0121B18#code","type":"smart_contract","addedAt":"2025-12-05T20:34:17.155Z","revision":0,"description":"UI_INCENTIVE_DATA_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"558gJPLFaGZdYWzwpDar1W","url":"https://etherscan.io/address/0x096bdDFEE63F44A97cC6D2945539Ee7C8f94637D#code","type":"smart_contract","addedAt":"2025-12-05T20:31:17.236Z","revision":0,"description":"LBTC_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"56a025JtxFzsGKC8Qp1IQ0","url":"https://subnets.avax.network/c-chain/address/0x7566DEbC906C17
338524A414343fA61BcA26A8430xecE6B0E8a54c2f44e066fBb9234e7157B15b7FeC","type":"smart_contract","addedAt":"2025-11-07T09:09:11.131Z","revision":0,"description":"ALM_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"56r03VcnR29ej2CP4TkRTs","url":"https://blockscout.com/xdai/mainnet/address/0xBC4f20DAf4E05c17E93676D2CeC39769506b8219#code","type":"smart_contract","addedAt":"2025-12-05T20:38:35.996Z","revision":0,"description":"USDC_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"57CR1GZ82X8sxw5rK92Nld","url":"https://etherscan.io/address/0x2C54924711E479E639032704146b865E12f0C6D1#code","type":"smart_contract","addedAt":"2025-12-05T20:34:44.752Z","revision":0,"description":"BRIDGE_LOGIC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"57ksWnxC24ZNB4sojafBcM","url":"https://etherscan.io/address/0xB131cD463d83782d4DE33e00e35EF034F0869bA1#code","type":"smart_contract","addedAt":"2025-12-05T20:31:05.994Z","revision":0,"description":"EZETH_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"58H4jZT1smnDxeWYu7agRy","url":"https://blockscout.com/xdai/mainnet/address/0x80F87B8F9c1199e468923D8EE87cEE311690FDA6#code","type":"smart_contract","addedAt":"2025-12-05T20:39:10.155Z","revision":0,"description":"EURE_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"59X5Zim9Csf57sSj0CAaQj","url":"https://blockscout.com/xdai/mainnet/address/0x0aD6cCf9a2e81d4d48aB7db791e9da492967eb84#code","type":"smart_contract","addedAt":"2025-12-05T20:37:33.516Z","revision":0,"description":"WETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"59ap85jghehpUHH1BYOUEz","url":"https://etherscan.io/address/0xa9d4EcEBd48C282a70CfD3c469d6C8F178a5738E#code","type":"smart_contract","addedAt":"2025-12-05T20:31:20.857Z","revision":0,"description":"LBTC_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5A3JFOzcF73PrvmzGixRSf","url":"https://etherscan.io/address/0xc20059e0317DE91738d13af027DfC4a50781b066#code","t
ype":"smart_contract","addedAt":"2025-12-05T20:01:18.218Z","revision":0,"description":"SPK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5AMQL9dorgC6AFGl7ZZ738","url":"https://gnosisscan.io/address/0xC9Fe2D32E96Bb364c7d29f3663ed3b27E30767bB","type":"smart_contract","addedAt":"2025-11-07T09:08:56.201Z","revision":0,"description":"WXDAI_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5BEZ7Or9dcMwWWNirw6qKF","url":"https://gnosisscan.io/address/0xE877b96caf9f180916bF2B5Ce7Ea8069e0123182","type":"smart_contract","addedAt":"2025-11-07T09:08:57.406Z","revision":0,"description":"SXDAI_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5EExwBePB9rtdjw0ivptP8","url":"https://gnosisscan.io/address/0x98e6BcBA7d5daFbfa4a92dAF08d3d7512820c30C","type":"smart_contract","addedAt":"2025-11-07T09:08:48.806Z","revision":0,"description":"INCENTIVES","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5FFCQOMvLRkhyw11oI7Sip","url":"https://github.com/marsfoundation/xchain-ssr-oracle/blob/master/src/SSROracleBase.sol","type":"smart_contract","addedAt":"2024-10-30T04:11:08.507Z","revision":0,"description":"SSROracleBase","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5GVYOC5XkEiB7SdySoU7lC","url":"https://optimistic.etherscan.io/address/0xe0F9978b907853F354d79188A3dEfbD41978af62","type":"smart_contract","addedAt":"2025-11-07T09:09:45.894Z","revision":0,"description":"PSM3","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5HCDE0uU3TmGhD3bS5OIJx","url":"https://arbiscan.io/address/0x212871A1C235892F86cAB30E937e18c94AEd8474#code","type":"smart_contract","addedAt":"2025-12-05T20:35:13.397Z","revision":0,"description":"SPARK_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5HMtSBEILl0x4De0tbc7Gf","url":"https://etherscan.io/address/0x0ee554F6A1f7a4Cb4f82D4C124DdC2AD3E37fde1#code","type":"smart_contract","addedAt":"2025-12-05T20:33:37.733Z","revision":0,"description":"INCENTIVES_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":
false},{"id":"5HZWqy4ppjUyWZXzdVNaKI","url":"https://etherscan.io/address/0x529b6158d1D2992E3129F7C69E81a7c677dc3B12#code","type":"smart_contract","addedAt":"2025-12-05T20:32:28.036Z","revision":0,"description":"USDT_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5KnILhUIPlaKnzGK87Xu1u","url":"https://etherscan.io/address/0x3300f198988e4C9C63F75dF86De36421f06af8c4#code","type":"smart_contract","addedAt":"2025-12-05T19:53:19.088Z","revision":0,"description":"SPARK_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5N9YdEki3yWYq2BGB7j7fN","url":"https://gnosisscan.io/address/0x5671b0B8aC13DC7813D36B99C21c53F6cd376a14","type":"smart_contract","addedAt":"2025-11-07T09:08:52.503Z","revision":0,"description":"GNO_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5OxC6F2jSUCrXwGlBJfilz","url":"https://etherscan.io/address/0x12B54025C112Aa61fAce2CDB7118740875A566E9#code","type":"smart_contract","addedAt":"2025-12-05T20:33:12.617Z","revision":0,"description":"WSTETH_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5R2QGy75WV4IE1iamfa6Kd","url":"https://uniscan.xyz/address/0xF16DE710899C7bdd6D46873265392CCA68e5D5bA#code","type":"smart_contract","addedAt":"2025-12-05T20:43:03.634Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5StDvcW5E59KM3T1FyrFEm","url":"https://optimistic.etherscan.io/address/0x33a3aB524A43E69f30bFd9Ae97d1Ec679FF00B64","type":"smart_contract","addedAt":"2025-11-07T09:09:47.843Z","revision":0,"description":"DSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5UoCmSvatqCiXMbOhAwllj","url":"https://github.com/marsfoundation/xchain-ssr-oracle/blob/master/src/forwarders/SSROracleForwarderArbitrum.sol","type":"smart_contract","addedAt":"2024-10-30T04:11:24.365Z","revision":0,"description":"SSROracleForwarderArbitrum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5VOgc0A42ykZMxF7vjXRef","url":"https://gnosisscan.io/address/0
x0ee554F6A1f7a4Cb4f82D4C124DdC2AD3E37fde1","type":"smart_contract","addedAt":"2025-11-07T09:09:06.315Z","revision":0,"description":"VARIABLE_DEBT_TOKEN_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5WFD8uGHNZbv8YtUdzlrKQ","url":"https://blockscout.com/xdai/mainnet/address/0x4d988568b5f0462B08d1F40bA1F5f17ad2D24F76#code","type":"smart_contract","addedAt":"2025-12-05T20:36:38.502Z","revision":0,"description":"EMISSION_MANAGER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5XQ2OhUxCKupczrMTWfg2d","url":"https://gnosisscan.io/address/0x0b33480d3FbD1E2dBE88c82aAbe191D7473759D5","type":"smart_contract","addedAt":"2025-11-07T09:09:03.506Z","revision":0,"description":"EURE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5YukYtXZjKzGk7qEW1NdEl","url":"https://basescan.org/address/0xC0bcbb2554D4694fe7b34bB68b9DdfbB55D896BC","type":"smart_contract","addedAt":"2025-11-05T07:08:20.789Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5aUO17Td16ux2FyFF8fv7m","url":"https://blockscout.com/xdai/mainnet/address/0x0ee554F6A1f7a4Cb4f82D4C124DdC2AD3E37fde1#code","type":"smart_contract","addedAt":"2025-12-05T20:40:01.972Z","revision":0,"description":"VARIABLE_DEBT_TOKEN_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5c7BtjL0vwGwrwCXobJWGo","url":"https://unichain.blockscout.com/address/0x7ac96180C4d6b2A328D3a19ac059D0E7Fc3C6d41","type":"smart_contract","addedAt":"2025-11-07T08:48:02.726Z","revision":0,"description":"SSR_CHAINLINK_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ckduD4ECNsXRF0zfgh520","url":"https://gnosisscan.io/address/0x2Dae5307c5E3FD1CF5A72Cb6F698f915860607e0","type":"smart_contract","addedAt":"2025-11-07T09:08:49.450Z","revision":0,"description":"POOL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5dG7bjsYHVmQUjlpZ7NTPi","url":"https://etherscan.io/address/0x3357D2DB7763D6Cd3a99f0763EbF87e0096D95f9#code","type":"smart_contract","addedAt":"20
25-12-05T20:31:24.546Z","revision":0,"description":"PYUSD_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5dOZXLCh2HRpO2Nd3z3CDp","url":"https://gnosisscan.io/address/0x2cF710377b3576287Be7cf352FF75D4472902789","type":"smart_contract","addedAt":"2025-11-07T09:08:57.813Z","revision":0,"description":"SXDAI_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5jRKkrIVjyV4UBNvhwqkGT","url":"https://etherscan.io/address/0x8105f69D9C41644c6A0803fDA7D03Aa70996cFD9#code","type":"smart_contract","addedAt":"2025-12-05T20:30:04.735Z","revision":0,"description":"AAVE_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5nAIU92bHHHlzVpyqzI83z","url":"https://explorer.optimism.io/address/0x61Baf0Ce69D23C8318c786e161D1cAc285AA4EA3#code","type":"smart_contract","addedAt":"2025-12-05T20:40:36.552Z","revision":0,"description":"SPARK_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5nrRHInd1LOJVJ4JzPu6q0","url":"https://uniscan.xyz/address/0x7B8ee8b0fD62662F7FB1ac9e5E6cEAad5195A3bF#code","type":"smart_contract","addedAt":"2025-12-05T20:41:23.604Z","revision":0,"description":"SPARK_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5qVaHj5XboHwANfQmZlAes","url":"https://explorer.optimism.io/address/0x205216D89a00FeB2a73273ceecD297BAf89d576d#code","type":"smart_contract","addedAt":"2025-12-05T20:40:33.358Z","revision":0,"description":"SPARK_EXECUTOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5r0hEI4rm7KB7ho9clX0Rt","url":"https://basescan.org/address/0x026a5B6114431d8F3eF2fA0E1B2EDdDccA9c540E","type":"smart_contract","addedAt":"2025-11-07T09:08:43.986Z","revision":0,"description":"SSR_CHAINLINK_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5tT74lWj567OmwwiO0tTA6","url":"https://github.com/marsfoundation/aave-v3-core/blob/master/contracts/protocol/tokenization/VariableDebtToken.sol","type":"smart_contract","addedAt":"2023-10-30T15:53:59.119Z","revision":0,"description":"Va
riableDebtToken (proxy)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5tZbAYd8GrosTH1yUOlZwF","url":"https://gnosisscan.io/address/0x2a002054A06546bB5a264D57A81347e23Af91D18","type":"smart_contract","addedAt":"2025-11-07T09:09:08.349Z","revision":0,"description":"PROTOCOL_DATA_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5u7Sw9ondp41piOsHIjPUo","url":"https://optimistic.etherscan.io/address/0x282dAfE8B97e2Db5053761a4601ab2E1CB976318#code","type":"smart_contract","addedAt":"2025-11-05T07:08:20.742Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5y6FC4ioRhrsZ05z9u8MQV","url":"https://basescan.org/address/0x49aF4eE75Ae62C2229bb2486a59Aa1a999f050f0","type":"smart_contract","addedAt":"2025-11-07T09:08:43.561Z","revision":0,"description":"SSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ydgYmaWUwVQBFZmY8PBBk","url":"https://explorer.optimism.io/address/0xe0F9978b907853F354d79188A3dEfbD41978af62#code","type":"smart_contract","addedAt":"2025-12-05T20:40:50.128Z","revision":0,"description":"PSM3","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5zNxn1GyKMOOLiGcH9PPEB","url":"https://etherscan.io/address/0x4e89b83f426fED3f2EF7Bb2d7eb5b53e288e1A13#code","type":"smart_contract","addedAt":"2025-12-05T20:31:55.958Z","revision":0,"description":"SUSDS_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"63sYD8AfBvclAbeEsZ2yj2","url":"https://etherscan.io/address/0xB2833392527f41262eB0E3C7b47AFbe030ef188E#code","type":"smart_contract","addedAt":"2025-12-05T20:28:21.378Z","revision":0,"description":"BASE_SSR_FORWARDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"64vp1o2eKb7V2T5fEzSscz","url":"https://gnosisscan.io/address/0x6175ddEc3B9b38c88157C10A01ed4A3fa8639cC6","type":"smart_contract","addedAt":"2025-11-07T09:09:04.733Z","revision":0,"description":"POOL_CONFIGURATOR_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"67njNs2cWdWIS2AcxBx
zTg","url":"https://gnosisscan.io/address/0x0aD6cCf9a2e81d4d48aB7db791e9da492967eb84","type":"smart_contract","addedAt":"2025-11-07T09:08:54.572Z","revision":0,"description":"WETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"69D1HcXfcKukWxR5DfRfDE","url":"https://gnosisscan.io/address/0xe21Bf3FB5A2b5Bf7BAE8c6F1696c4B097F5D2f93","type":"smart_contract","addedAt":"2025-11-07T09:08:54.174Z","revision":0,"description":"WETH_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"69z4dnDQdesUnZ31QlnirB","url":"https://etherscan.io/address/0xf09e48dd4CA8e76F63a57ADd428bB06fee7932a4#code","type":"smart_contract","addedAt":"2025-12-05T20:30:15.329Z","revision":0,"description":"EMISSION_MANAGER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6AHlY9WqhuTXksRnBc8tUQ","url":"https://blockscout.com/xdai/mainnet/address/0x2Fc8823E1b967D474b47Ae0aD041c2ED562ab588#code","type":"smart_contract","addedAt":"2025-12-05T20:36:56.000Z","revision":0,"description":"POOL_CONFIGURATOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ArYiNKiLKs0AOxwZEqYq4","url":"https://unichain.blockscout.com/address/0x7b42Ed932f26509465F7cE3FAF76FfCe1275312f","type":"smart_contract","addedAt":"2025-11-07T08:48:01.199Z","revision":0,"description":"PSM3","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6C1CgGlwADOIGaUbdFtFC3","url":"https://blockscout.com/xdai/mainnet/address/0xA34DB0ee8F84C4B90ed268dF5aBbe7Dcd3c277ec#code","type":"smart_contract","addedAt":"2025-12-05T20:38:39.575Z","revision":0,"description":"USDCE_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6CMRz0151ivgUdSVUFoxO2","url":"https://snowtrace.io/address/0x45d91340B3B7B96985A72b5c678F7D9e8D664b62#code","type":"smart_contract","addedAt":"2025-12-05T20:43:11.181Z","revision":0,"description":"ALM_PROXY_FREEZABLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6EWlg0S5AqegHqNODYg8q9","url":"https://blockscout.com/xdai/mainnet/address/0x0F0e336Ab69D9516A9acF448
bC59eA0CE79E4a42#code","type":"smart_contract","addedAt":"2025-12-05T20:37:40.181Z","revision":0,"description":"WSTETH_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Fjhu6tBbcSUGUUpeFYCPc","url":"https://explorer.optimism.io/address/0x6B34A6B84444dC3Fc692821D5d077a1e4927342d#code","type":"smart_contract","addedAt":"2025-12-05T20:40:46.944Z","revision":0,"description":"ALM_RATE_LIMITS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6H3qIl4ePoXI313Kxk3yZB","url":"https://etherscan.io/address/0xCBA0C0a2a0B6Bb11233ec4EA85C5bFfea33e724d#code","type":"smart_contract","addedAt":"2025-12-05T20:29:48.760Z","revision":0,"description":"IGNITION_REWARDS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6K7sglbux4sV2uHDz9SKKd","url":"https://etherscan.io/address/0xa2039bef2c5803d66E4e68F9E23a942E350b938c#code","type":"smart_contract","addedAt":"2025-12-05T20:29:33.837Z","revision":0,"description":"SPELL_FREEZE_DAI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6N0xeKOxt2xVQ8m5QfmaDY","url":"https://etherscan.io/address/0x59cD1C87501baa753d0B5B5Ab5D8416A45cD71DB#code","type":"smart_contract","addedAt":"2025-12-05T20:33:05.367Z","revision":0,"description":"WETH_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Q3Zg0N82UorgdZpi84Ex3","url":"https://github.com/marsfoundation/spark-docs","type":"websites_and_applications","addedAt":"2024-06-27T09:28:44.446Z","revision":0,"description":"Spark User Documentation 
(docs.spark.fi)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6QW03OHeJX6EWi0gIK9SCo","url":"https://optimistic.etherscan.io/address/0x876664f0c9Ff24D1aa355Ce9f1680AE1A5bf36fB","type":"smart_contract","addedAt":"2025-11-07T09:09:45.107Z","revision":0,"description":"ALM_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Rv7fBqHfDgxdE44DqzYKT","url":"https://optimistic.etherscan.io/address/0x61Baf0Ce69D23C8318c786e161D1cAc285AA4EA3","type":"smart_contract","addedAt":"2025-11-07T09:09:44.365Z","revision":0,"description":"SPARK_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6TmkDDmwIWgjVTi9JxnsEy","url":"https://etherscan.io/address/0x6175ddEc3B9b38c88157C10A01ed4A3fa8639cC6#code","type":"smart_contract","addedAt":"2025-12-05T20:33:30.013Z","revision":0,"description":"A_TOKEN_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6TvHWJQYxaX2cUE01NYZgw","url":"https://uniscan.xyz/address/0x7CD6EC14785418aF694efe154E7ff7d9ba99D99b#code","type":"smart_contract","addedAt":"2025-11-05T07:08:20.753Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6U8Rd4d72oOUQ3LYgoemvv","url":"https://subnets.avax.network/c-chain/address/0x7566DEbC906C17338524A414343fA61BcA26A8430xb79972e8B21f0dE911E65AC342ac85ad38C9A77a","type":"smart_contract","addedAt":"2025-11-07T09:09:11.571Z","revision":0,"description":"ALM_RATE_LIMITS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6VZKXZW1leew4JxGEElqtG","url":"https://blockscout.com/xdai/mainnet/address/0x5850D127a04ed0B4F1FCDFb051b3409FB9Fe6B90#code","type":"smart_contract","addedAt":"2025-12-05T20:38:27.731Z","revision":0,"description":"USDC_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ajC1Qqn7vut3JGGA9Upwk","url":"https://optimistic.etherscan.io/address/0xe1e4953C93Da52b95eDD0ffd910565D3369aCd6b","type":"smart_contract","addedAt":"2025-11-07T09:09:46.613Z","revision":0,"description":"SSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"is
PrimacyOfImpact":false},{"id":"6cKWP6kgH393JoH6WviNM7","url":"https://github.com/marsfoundation/xchain-ssr-oracle/blob/master/src/forwarders/SSROracleForwarderGnosis.sol","type":"smart_contract","addedAt":"2024-10-30T04:11:45.551Z","revision":0,"description":"SSROracleForwarderGnosis","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6gpw4IYk3ZtsvHOj9h1CrU","url":"https://etherscan.io/address/0x1601843c5E9bC251A3272907010AFa41Fa18347E#code","type":"smart_contract","addedAt":"2025-12-05T20:23:23.954Z","revision":0,"description":"ALM_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6gsMbbwcwgyLpUpXKgrnDQ","url":"https://etherscan.io/address/0x57027B6262083E3aC3c8B2EB99f7e8005f669973#code","type":"smart_contract","addedAt":"2025-12-05T20:33:26.410Z","revision":0,"description":"SSR_RATE_SOURCE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6hJBk5XOXqRheMkeLns8Aj","url":"https://gnosisscan.io/address/0x36eddc380C7f370e5f05Da5Bd7F970a27f063e39","type":"smart_contract","addedAt":"2025-11-07T09:09:07.116Z","revision":0,"description":"CONFIG_ENGINE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6jOuExkwfiWJjZY6gpreCn","url":"https://github.com/marsfoundation/sparklend/blob/master/src/DaiInterestRateStrategy.sol","type":"smart_contract","addedAt":"2023-10-30T15:50:22.131Z","revision":0,"description":"DaiInterestRateStrategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ksAkX88QMmFrpB8FxdD8U","url":"https://etherscan.io/address/0x237e3985dD7E373F2ec878EC1Ac48A228Cf2e7a3#code","type":"smart_contract","addedAt":"2025-12-05T20:33:19.665Z","revision":0,"description":"FREEZER_MOM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6nKzsWo2PrxmEzyngLnIrV","url":"https://blockscout.com/xdai/mainnet/address/0x98e6BcBA7d5daFbfa4a92dAF08d3d7512820c30C#code","type":"smart_contract","addedAt":"2025-12-05T20:36:42.105Z","revision":0,"description":"INCENTIVES","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6nLVMxbM8dToHdmWHvNIdA","u
rl":"https://explorer.optimism.io/address/0x33a3aB524A43E69f30bFd9Ae97d1Ec679FF00B64#code","type":"smart_contract","addedAt":"2025-12-05T20:41:08.832Z","revision":0,"description":"DSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6oaTt2e0uH75ECUhtQzAyv","url":"https://etherscan.io/address/0xBD7D6a9ad7865463DE44B05F04559f65e3B11704#code","type":"smart_contract","addedAt":"2025-12-05T20:30:44.437Z","revision":0,"description":"WETH_GATEWAY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6r21gJOmPf63EDkxJvBJc","url":"https://github.com/marsfoundation/spark-app","type":"websites_and_applications","addedAt":"2024-06-27T09:28:16.371Z","revision":0,"description":"Spark Application (app.spark.fi)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6rzsE5fNAGsOpEq6RFiuWv","url":"https://etherscan.io/address/0x7F36E7F562Ee3f320644F6031e03E12a02B85799#code","type":"smart_contract","addedAt":"2025-12-05T20:28:11.320Z","revision":0,"description":"ARBITRUM_DSR_FORWARDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6sLDoPFWNMKUED15N2jZ3e","url":"https://gnosisscan.io/address/0x9Ee4271E17E3a427678344fd2eE64663Cb78B4be","type":"smart_contract","addedAt":"2025-11-07T09:08:54.968Z","revision":0,"description":"WSTETH_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6uX7taeYGd3iXAGBhtJPU7","url":"https://etherscan.io/address/0xC13e21B648A5Ee794902342038FF3aDAB66BE987#code","type":"smart_contract","addedAt":"2025-12-05T20:30:22.478Z","revision":0,"description":"POOL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6utl9uFeRPEK92ZiFCch4W","url":"https://etherscan.io/address/0xce6Ca9cDce00a2b0c0d1dAC93894f4Bd2c960567#code","type":"smart_contract","addedAt":"2025-12-05T20:32:08.210Z","revision":0,"description":"TBTC_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6wKfK6P1lURAamMg2t8gQf","url":"https://gnosisscan.io/address/0xab1B62A1346Acf534b581684940E2FD781F2EA22","type":"smart_contract","addedAt":"2025-11-07
T09:08:56.598Z","revision":0,"description":"WXDAI_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ym6keOrfqOUeNfQqhKhOJ","url":"https://gnosisscan.io/address/0xA98DaCB3fC964A6A0d2ce3B77294241585EAbA6d","type":"smart_contract","addedAt":"2025-11-07T09:08:49.888Z","revision":0,"description":"POOL_ADDRESSES_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"704YfYbzmdD0CqWuTlFr4O","url":"https://blockscout.com/xdai/mainnet/address/0xab1B62A1346Acf534b581684940E2FD781F2EA22#code","type":"smart_contract","addedAt":"2025-12-05T20:38:07.025Z","revision":0,"description":"WXDAI_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"74TUoyVrOxtBC9QbirMRRL","url":"https://snowtrace.io/address/0x28B3a8fb53B741A8Fd78c0fb9A6B2393d896a43d#code","type":"smart_contract","addedAt":"2025-12-05T20:36:24.100Z","revision":0,"description":"SPARK_VAULT_V2_SPUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"77hgtQ5YA58X63f6RDkWl6","url":"https://etherscan.io/address/0xb137E7d16564c81ae2b0C8ee6B55De81dd46ECe5#code","type":"smart_contract","addedAt":"2025-12-05T20:30:37.403Z","revision":0,"description":"TREASURY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"77ivLO2LuegmWWQm7We4nj","url":"https://blockscout.com/xdai/mainnet/address/0x6175ddEc3B9b38c88157C10A01ed4A3fa8639cC6#code","type":"smart_contract","addedAt":"2025-12-05T20:39:47.594Z","revision":0,"description":"POOL_CONFIGURATOR_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7825FDXaBtZ7i6Nd60UGmu","url":"https://uniscan.xyz/address/0xb037C43b433964A2017cd689f535BEb6B0531473#code","type":"smart_contract","addedAt":"2025-12-05T20:41:20.144Z","revision":0,"description":"SPARK_EXECUTOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"79fge3cTBJJ9TsQih9edvF","url":"https://blockscout.com/xdai/mainnet/address/0x6dc304337BF3EB397241d1889cAE7da638e6e782#code","type":"smart_contract","addedAt":"2025-12-05T20:39:05.349Z","revision":0,"description
":"EURE_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7B01hBHhPAfVy1SeoL1YgC","url":"https://gnosisscan.io/address/0x5850D127a04ed0B4F1FCDFb051b3409FB9Fe6B90","type":"smart_contract","addedAt":"2025-11-07T09:08:58.632Z","revision":0,"description":"USDC_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7BTp0gVqYzauGUY9J7Du43","url":"https://blockscout.com/xdai/mainnet/address/0xd2AeF86F51F92E8e49F42454c287AE4879D1BeDc#code","type":"smart_contract","addedAt":"2025-12-05T20:40:30.131Z","revision":0,"description":"WALLET_BALANCE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7EHaL93yNwWIHBgZPcDVeJ","url":"https://github.com/marsfoundation/spark-gov-relay/blob/master/src/Executor.sol","type":"smart_contract","addedAt":"2024-10-30T04:10:44.548Z","revision":0,"description":"Executor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7GHaa5CjyZ9PLzQlrK3jd","url":"https://gnosisscan.io/address/0x764b4AB9bCA18eB633d92368F725765Ebb8f047C","type":"smart_contract","addedAt":"2025-11-07T09:09:04.325Z","revision":0,"description":"INCENTIVES_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7KuyLaOsMSONCzdCBPhI4m","url":"https://worldscan.org/address/0x33a3aB524A43E69f30bFd9Ae97d1Ec679FF00B64#code","type":"smart_contract","addedAt":"2025-12-05T20:42:01.795Z","revision":0,"description":"DSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7LVo5RSSTlGKQSKi4Xxz8I","url":"https://blockscout.com/xdai/mainnet/address/0x40BF0Bf6AECeE50eCE10C74E81a52C654A467ae4#code","type":"smart_contract","addedAt":"2025-12-05T20:38:32.402Z","revision":0,"description":"USDC_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7LZ7HcN2PAF55dQBN3mlPO","url":"https://gnosisscan.io/address/0xA7F8A757C4f7696c015B595F51B2901AC0121B18","type":"smart_contract","addedAt":"2025-11-07T09:09:08.751Z","revision":0,"description":"UI_INCENTIVE_DATA_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7LZkGKb
4pxWxdBXOxcmq4B","url":"https://etherscan.io/address/0xFc21d6d146E6086B8359705C8b28512a983db0cb#code","type":"smart_contract","addedAt":"2025-12-05T20:34:12.778Z","revision":0,"description":"PROTOCOL_DATA_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7aWGYwIdxYzMpBi58VKO6R","url":"https://gnosisscan.io/address/0x6dc304337BF3EB397241d1889cAE7da638e6e782","type":"smart_contract","addedAt":"2025-11-07T09:09:02.342Z","revision":0,"description":"EURE_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7bRrou7nf86Bl7eCEwLqxf","url":"https://gnosisscan.io/address/0x08B0cAebE352c3613302774Cd9B82D08afd7bDC4","type":"smart_contract","addedAt":"2025-11-07T09:09:01.089Z","revision":0,"description":"USDT_ATOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7dgd1hoNIamiQDYkmHCyFk","url":"https://etherscan.io/address/0xc528F0C91CFAE4fd86A68F6Dfd4d7284707Bec68#code","type":"smart_contract","addedAt":"2025-12-05T20:31:40.049Z","revision":0,"description":"RSETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7fGwer3KaIMfuzCjq4YzEq","url":"https://github.com/marsfoundation/aave-v3-core/blob/master/contracts/protocol/pool/DefaultReserveInterestRateStrategy.sol","type":"smart_contract","addedAt":"2023-10-30T15:50:38.439Z","revision":0,"description":"DefaultReserveInterestRateStrategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7gJQKrGVEijrmb4juWcFAU","url":"https://basescan.org/address/0x212871A1C235892F86cAB30E937e18c94AEd8474","type":"smart_contract","addedAt":"2025-11-07T09:08:44.403Z","revision":0,"description":"SSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7jeOjynjowEvPsgiUZ7sDi","url":"https://blockscout.com/xdai/mainnet/address/0x8105f69D9C41644c6A0803fDA7D03Aa70996cFD9#code","type":"smart_contract","addedAt":"2025-12-05T20:36:31.337Z","revision":0,"description":"AAVE_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7kmJDIUsybNZx2Lh8RU5n2","url":"https://etherscan.io/addres
s/0xf705d2B7e92B3F38e6ae7afaDAA2fEE110fE5914#code","type":"smart_contract","addedAt":"2025-12-05T20:30:54.655Z","revision":0,"description":"DAI_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7mAH9GRQwW5ZX3ctCyAlwM","url":"https://arbiscan.io/address/0x65d946e533748A998B1f0E430803e39A6388f7a1#code","type":"smart_contract","addedAt":"2025-12-05T20:35:09.639Z","revision":0,"description":"SPARK_EXECUTOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7n9zc9uvXa4vXWOA65N8TT","url":"https://snowscan.xyz/address/0xC2C0582D1cCe30449cF561C7b9C4D6d527547F12","type":"smart_contract","addedAt":"2025-10-21T06:52:39.032Z","revision":0,"description":"Spark Vault V2 Implementation Avalanche","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7pAyK9NPcrrmkUW9kndqy9","url":"https://etherscan.io/address/0x764591dC9ba21c1B92049331b80b6E2a2acF8B17#code","type":"smart_contract","addedAt":"2025-12-05T20:32:03.934Z","revision":0,"description":"TBTC_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7pYTmJmJyFnm6jqhv3gx5W","url":"https://etherscan.io/address/0x2e7576042566f8D6990e07A1B61Ad1efd86Ae70d#code","type":"smart_contract","addedAt":"2025-12-05T20:33:01.417Z","revision":0,"description":"WETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7q94dYjpWHOAO8GVm1rNwQ","url":"https://explorer.optimism.io/address/0xE206AEbca7B28e3E8d6787df00B010D4a77c32F3#code","type":"smart_contract","addedAt":"2025-12-05T20:41:12.897Z","revision":0,"description":"DSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7qINWRvLm6JsFlLOxmNNEj","url":"https://arbiscan.io/address/0xEE2816c1E1eed14d444552654Ed3027abC033A36#code","type":"smart_contract","addedAt":"2025-12-05T20:35:31.245Z","revision":0,"description":"SSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7qjRn4HcyBp0pp236uc4uA","url":"https://github.com/marsfoundation/spark-alm-controller/blob/master/src/MainnetController.sol","type":"smart_contract"
,"addedAt":"2024-10-30T04:10:17.961Z","revision":0,"description":"MainnetController","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7r5umWBrjamLzxYBfYZHqR","url":"https://arbiscan.io/address/0x92afd6F2385a90e44da3a8B60fe36f6cBe1D8709#code","type":"smart_contract","addedAt":"2025-12-05T20:35:20.384Z","revision":0,"description":"ALM_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7rFEELX2GcQQjpFLViB4wj","url":"https://basescan.org/address/0x2917956eFF0B5eaF030abDB4EF4296DF775009cA","type":"smart_contract","addedAt":"2025-11-07T09:08:41.877Z","revision":0,"description":"ALM_PROXY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7sBOB3Y18NfaeiXb85HWHP","url":"https://blockscout.com/xdai/mainnet/address/0x2cF710377b3576287Be7cf352FF75D4472902789#code","type":"smart_contract","addedAt":"2025-12-05T20:38:19.110Z","revision":0,"description":"SXDAI_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7tVsNX78b1YSLZbooEGxWY","url":"https://basescan.org/address/0x86036CE5d2f792367C0AA43164e688d13c5A60A8#code","type":"smart_contract","addedAt":"2025-12-05T20:42:52.825Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7tsLPZLhllEJ1lVMGj8irr","url":"https://etherscan.io/address/0x1761a0f74032963B6Ad0774C5EBF4586c0bD7604#code","type":"smart_contract","addedAt":"2025-12-05T20:35:00.770Z","revision":0,"description":"POOL_LOGIC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7uWs6m06oWFWXY5wPxkMw4","url":"https://basescan.org/address/0x1601843c5E9bC251A3272907010AFa41Fa18347E","type":"smart_contract","addedAt":"2025-11-07T09:08:42.728Z","revision":0,"description":"PSM3","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7vA39m9FB0cBDz73MDIxSt","url":"https://gnosisscan.io/address/0xC5dfde524371F9424c81F453260B2CCd24936c15","type":"smart_contract","addedAt":"2025-11-07T09:09:00.261Z","revision":0,"description":"USDCE_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpac
t":false},{"id":"7vzvFi4ZE6Cgb5PLv09H9l","url":"https://explorer.optimism.io/address/0xe1e4953C93Da52b95eDD0ffd910565D3369aCd6b#code","type":"smart_contract","addedAt":"2025-12-05T20:40:57.038Z","revision":0,"description":"SSR_BALANCER_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7wn2IfxU5hz6fl7QSiq9aV","url":"https://etherscan.io/address/0x6715bc100A183cc65502F05845b589c1919ca3d3#code","type":"smart_contract","addedAt":"2025-12-05T20:31:59.959Z","revision":0,"description":"SUSDS_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"CnYRDG85KUMmYbs8o8Cwe","url":"https://gnosisscan.io/address/0xBC4f20DAf4E05c17E93676D2CeC39769506b8219","type":"smart_contract","addedAt":"2025-11-07T09:08:59.446Z","revision":0,"description":"USDC_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Cq1DEYMQWfyBoKlZQzAx2","url":"https://etherscan.io/address/0xf6fEe3A8aC8040C3d6d81d9A4a168516Ec9B51D2#code","type":"smart_contract","addedAt":"2025-12-05T20:32:46.196Z","revision":0,"description":"WBTC_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Eg4ZigoFj26VWMqiRykWT","url":"https://etherscan.io/address/0xe2e7a17dFf93280dec073C995595155283e3C372#code","type":"smart_contract","addedAt":"2025-12-05T20:26:44.597Z","revision":0,"description":"SPARK_VAULT_V2_SPUSDT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Fipi9v6PAxjA7NrQm4eFz","url":"https://blockscout.com/xdai/mainnet/address/0xC5dfde524371F9424c81F453260B2CCd24936c15#code","type":"smart_contract","addedAt":"2025-12-05T20:38:42.703Z","revision":0,"description":"USDCE_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"H0npbMRbZUUF3Ylu5YNBt","url":"https://snowscan.xyz/address/0xAf76856f788519704a9411839614e144FEd52d8a","type":"smart_contract","addedAt":"2025-11-03T06:26:54.215Z","revision":0,"description":"SparkRewards","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"JF9BxmKkrTKGN4btn7nM3","url":"https://etherscan.io/address/0x86C
71796CcDB31c3997F8Ec5C2E3dB3e9e40b985#code","type":"smart_contract","addedAt":"2025-12-05T20:33:53.383Z","revision":0,"description":"VARIABLE_DEBT_TOKEN_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"K7A8pcwlE28uF8fonOJST","url":"https://gnosisscan.io/address/0x2f589BADbE2024a94f144ef24344aF91dE21a33c","type":"smart_contract","addedAt":"2025-11-07T09:08:52.929Z","revision":0,"description":"GNO_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"KOL4o9CjiVfMC6WC4KnFp","url":"https://uniscan.xyz/address/0x7ac96180C4d6b2A328D3a19ac059D0E7Fc3C6d41#code","type":"smart_contract","addedAt":"2025-12-05T20:41:49.503Z","revision":0,"description":"SSR_CHAINLINK_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"KeO6ezRyJxikV6Q7GH5CF","url":"https://github.com/marsfoundation/spark-alm-controller/blob/master/src/RateLimitHelpers.sol","type":"smart_contract","addedAt":"2024-10-30T04:10:25.932Z","revision":0,"description":"RateLimitHelpers","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Ky0XjXI2YUnpqsAJeP88f","url":"https://etherscan.io/address/0xCacB88e39112B56278db25b423441248cfF94241#code","type":"smart_contract","addedAt":"2025-12-05T20:29:41.445Z","revision":0,"description":"SPELL_PAUSE_DAI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"MaWJYjSfqUDZGjoNDorOI","url":"https://github.com/marsfoundation/spark-psm/blob/master/src/PSM3.sol","type":"smart_contract","addedAt":"2024-10-30T04:10:33.384Z","revision":0,"description":"PSM3","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"McdpCnoevPjF6ouuvJ8ig","url":"https://etherscan.io/address/0x9Ad87668d49ab69EEa0AF091de970EF52b0D5178#code","type":"smart_contract","addedAt":"2025-12-05T20:43:18.559Z","revision":0,"description":"ALM_PROXY_FREEZABLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"NYVBZ5CGLY04Itx47e1Mc","url":"https://etherscan.io/address/0x7A5FD5cf045e010e62147F065cEAe59e5344b188#code","type":"smart_contract","addedAt":"2025-12-05T20:2
3:56.953Z","revision":0,"description":"ALM_RATE_LIMITS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OfPS07Mu5g2yiYf1edeCM","url":"https://gnosisscan.io/address/0xCF86A65779e88bedfF0319FE13aE2B47358EB1bF","type":"smart_contract","addedAt":"2025-11-07T09:09:05.133Z","revision":0,"description":"POOL_IMPL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OjZVtNLJAXHDWChBLzgzf","url":"https://etherscan.io/address/0xB0B14Dd477E6159B4F3F210cF45F0954F57c0FAb#code","type":"smart_contract","addedAt":"2025-12-05T20:31:02.594Z","revision":0,"description":"EZETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OoKRk80VrmXacbvCEZwKp","url":"https://uniscan.xyz/address/0x7b42Ed932f26509465F7cE3FAF76FfCe1275312f#code","type":"smart_contract","addedAt":"2025-12-05T20:41:38.722Z","revision":0,"description":"PSM3","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Pse9iynPPZGGUXPk5ounO","url":"https://worldscan.org/address/0x779053E25267B591Dcfbb20b2397462aaaD6B776#code","type":"smart_contract","addedAt":"2025-12-05T20:41:57.420Z","revision":0,"description":"DSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Q1FnQr2XQ18FOemLl4UNL","url":"https://blockscout.com/xdai/mainnet/address/0x2f589BADbE2024a94f144ef24344aF91dE21a33c#code","type":"smart_contract","addedAt":"2025-12-05T20:37:19.545Z","revision":0,"description":"GNO_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Qsx3wtQMnJskYVwNdTlLD","url":"https://basescan.org/address/0xF93B7122450A50AF3e5A76E1d546e95Ac1d0F579","type":"smart_contract","addedAt":"2025-11-07T09:08:40.484Z","revision":0,"description":"SPARK_EXECUTOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"RK7ziL9rMVnuLWAqWIZec","url":"https://snowtrace.io/address/0xAf76856f788519704a9411839614e144FEd52d8a#code","type":"smart_contract","addedAt":"2025-12-05T20:36:27.847Z","revision":0,"description":"SPARK_REWARDS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"RShSQSyctimHy
Qs6lOh0q","url":"https://gnosisscan.io/address/0xF028c2F4b19898718fD0F77b9b881CbfdAa5e8Bb","type":"smart_contract","addedAt":"2025-11-07T09:09:09.145Z","revision":0,"description":"UI_POOL_DATA_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"TnCdZSIfJcHarhw22wAH9","url":"https://etherscan.io/address/0x92eF091C5a1E01b3CE1ba0D0150C84412d818F7a#code","type":"smart_contract","addedAt":"2025-12-05T20:30:41.210Z","revision":0,"description":"TREASURY_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"U5pOEw2qX9qepodZM6QYd","url":"https://blockscout.com/xdai/mainnet/address/0xe04ba71E46fCd7DBB9334D8FBa13d476f38EB0f8#code","type":"smart_contract","addedAt":"2025-12-05T20:40:12.624Z","revision":0,"description":"RATES_FACTORY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"VniZPlPw2Jw61ne5iRZIv","url":"https://unichain.blockscout.com/address/0x1566BFA55D95686a823751298533D42651183988","type":"smart_contract","addedAt":"2025-11-07T08:48:01.764Z","revision":0,"description":"SSR_AUTH_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ayhnmJ3mzFFcVbJ2PSF2M","url":"https://basescan.org/address/0xC0bcbb2554D4694fe7b34bB68b9DdfbB55D896BC","type":"smart_contract","addedAt":"2025-11-07T09:08:41.463Z","revision":0,"description":"ALM_CONTROLLER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"b8lDiA9LIAY4wzjekdR5l","url":"https://arbiscan.io/address/0x3a1d3A9B0eD182d7B17aa61393D46a4f4EE0CEA5","type":"smart_contract","addedAt":"2025-11-05T07:08:21.041Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"d2wYakivqPHpVvKBUYL0x","url":"https://blockscout.com/xdai/mainnet/address/0x3294dA2E28b29D1c08D556e2B86879d221256d31#code","type":"smart_contract","addedAt":"2025-12-05T20:37:43.644Z","revision":0,"description":"WSTETH_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"e8khQy3NkIFd1JJiX4Eub","url":"https://github.com/sparkdotfi/spark-vaults-v2/blob/dev/src/SparkVault.sol","type":"
smart_contract","addedAt":"2025-10-21T06:52:38.987Z","revision":0,"description":"Spark Savings V2 contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"eSXFnWWKv2QmF8RXbuAXL","url":"https://etherscan.io/address/0x4370D3b6C9588E02ce9D22e684387859c7Ff5b34#code","type":"smart_contract","addedAt":"2025-12-05T20:30:18.741Z","revision":0,"description":"INCENTIVES","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"j4IbogEPJ4Dwj0i1HZ6IV","url":"https://etherscan.io/address/0x377C3bd93f2a2984E1E7bE6A5C22c525eD4A4815#code","type":"smart_contract","addedAt":"2025-12-05T20:32:15.687Z","revision":0,"description":"USDC_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"kyZ3xGV0XJKAylwXglkUU","url":"https://blockscout.com/xdai/mainnet/address/0x4cB3F681B5e393947BD1e5cAE84764f5892923C2#code","type":"smart_contract","addedAt":"2025-12-05T20:38:56.031Z","revision":0,"description":"USDT_STABLE_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"lKqBuHKnou6OQSUKl99Q6","url":"https://subnets.avax.network/c-chain/address/0x7566DEbC906C17338524A414343fA61BcA26A8430x28B3a8fb53B741A8Fd78c0fb9A6B2393d896a43d","type":"smart_contract","addedAt":"2025-11-07T09:09:12.391Z","revision":0,"description":"SPARK_VAULT_V2_SPUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"lboifgQaeQEwpYrljpIKx","url":"https://etherscan.io/address/0x28B3a8fb53B741A8Fd78c0fb9A6B2393d896a43d#code","type":"smart_contract","addedAt":"2025-12-05T20:26:11.369Z","revision":0,"description":"SPARK_VAULT_V2_SPUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"lnAH4YkT54Zk2256PToRQ","url":"https://etherscan.io/address/0x03cFa0C4622FF84E50E75062683F44c9587e6Cc1#code","type":"smart_contract","addedAt":"2025-12-05T20:30:29.736Z","revision":0,"description":"POOL_ADDRESSES_PROVIDER_REGISTRY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ncqfkA3otGFe93OrLwpuY","url":"https://etherscan.io/address/0x3CFd5C0D4acAA8Faee335842e4f31159fc76B008#code","type":"smart_cont
ract","addedAt":"2025-12-05T20:32:57.813Z","revision":0,"description":"WEETH_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"od3DhlnSXu1vAFqWW3V5x","url":"https://subnets.avax.network/c-chain/address/0x7566DEbC906C17338524A414343fA61BcA26A843","type":"smart_contract","addedAt":"2025-11-07T09:09:09.952Z","revision":0,"description":"SPARK_EXECUTOR","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"pGlG6ChG9jb7lPcMAyJ8r","url":"https://etherscan.io/address/0x661fE667D2103eb52d3632a3eB2cAbd123F27938#code","type":"smart_contract","addedAt":"2025-12-05T20:30:47.641Z","revision":0,"description":"CBBTC_DEBT_TOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"qhldtKkg9csldmBD4ss74","url":"https://etherscan.io/address/0xe9eaE48Ed66C63fD4D12e315BC7d31Aacd89a909#code","type":"smart_contract","addedAt":"2025-12-05T20:29:57.980Z","revision":0,"description":"POINTS_REWARDS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"raNbOY91NnYcgIhuwL0n2","url":"https://arbiscan.io/address/0x84AB0c8C158A1cD0d215BE2746cCa668B79cc287#code","type":"smart_contract","addedAt":"2025-12-05T20:35:39.597Z","revision":0,"description":"SSR_CHAINLINK_RATE_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"sIvFBXcDhKSZ4k72dJzod","url":"https://optimistic.etherscan.io/address/0xE2868095814c2714039b3A9eBEE035B9E2c411E5","type":"smart_contract","addedAt":"2025-11-07T09:09:47.405Z","revision":0,"description":"SSR_RECEIVER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"sluYN7TcwHPLQmZmD5vyM","url":"https://blockscout.com/xdai/mainnet/address/0xA98DaCB3fC964A6A0d2ce3B77294241585EAbA6d#code","type":"smart_contract","addedAt":"2025-12-05T20:36:49.239Z","revision":0,"description":"POOL_ADDRESSES_PROVIDER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"tAqlIZ3ndJrrFTTFYlUqF","url":"https://gnosisscan.io/address/0xb9E6DBFa4De19CCed908BcbFe1d015190678AB5f","type":"smart_contract","addedAt":"2025-11-07T09:08:51.148Z","revision":0,"description":"TREAS
URY","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"txBChnIe8tVuLzbXKuS05","url":"https://github.com/marsfoundation/xchain-ssr-oracle/blob/master/src/SSRMainnetOracle.sol","type":"smart_contract","addedAt":"2024-10-30T04:11:00.691Z","revision":0,"description":"SSRMainnetOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"uTaWqFyuFR4joI1VbEsMb","url":"https://etherscan.io/address/0xb3973D459df38ae57797811F2A1fd061DA1BC123#code","type":"smart_contract","addedAt":"2025-12-05T20:30:51.185Z","revision":0,"description":"CBBTC_SPTOKEN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"wzaK3ByMG9trXWhW2ubeY","url":"https://gnosisscan.io/address/0x4d988568b5f0462B08d1F40bA1F5f17ad2D24F76","type":"smart_contract","addedAt":"2025-11-07T09:08:48.393Z","revision":0,"description":"EMISSION_MANAGER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_f3e22ce3-c434-4b90-9af3-7cd87f70200d","url":"https://etherscan.io/address/0x5c46Fc65855c0C7465a1EA85EEA0B24B601502D3","type":"smart_contract","addedAt":"2026-03-05T12:01:01.841Z","revision":0,"description":"ALM_CONTROLLER_v1.11.0","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_d93c1eb4-3daf-48f5-884e-d24ef5542e2a","url":"https://etherscan.io/address/0x4C1341636721b8B687647920B2E9481f3AB1F2eE","type":"smart_contract","addedAt":"2026-03-05T12:01:17.578Z","revision":0,"description":"SPARKLEND_CAP_AUTOMATOR_v1.1.0","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_bb13069b-1adb-4d13-b1b7-48b506120756","url":"https://etherscan.io/address/0x64B157212C21097002920D57322B671b88DFcCBC","type":"smart_contract","addedAt":"2026-03-05T12:01:34.142Z","revision":0,"description":"CBBTC_BTC_RATIO_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_693b6076-2fa7-42f2-89d4-1cd99d56ca59","url":"https://etherscan.io/address/0x4C805FD3c64B79840d36813Fc90c165bf77bb7E4","type":"smart_contract","addedAt":"2026-03-05T12:01:49.155Z","revision":0,"description":"WEETH_ETH_RATIO_ORACLE","isSafeHarbor":f
alse,"isPrimacyOfImpact":false},{"id":"db_0c8ccdfe-25ee-4a0d-a162-2840e3167986","url":"https://etherscan.io/address/0xd0B378dA552D06B6D3497e4b5ba2A83418f78d06","type":"smart_contract","addedAt":"2026-03-05T12:02:02.922Z","revision":0,"description":"RETH_ETH_RATIO_ORACLE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_55876df6-fed4-4de4-8200-20a9c1bd89d9","url":"https://etherscan.io/address/0x592B7DB9906E6f8924C4D74c2A0aB86CE44fDDDf","type":"smart_contract","addedAt":"2026-03-18T14:02:23.377Z","revision":0,"description":"SPARK_SAVINGS_INTENTS","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"All code of Spark can be found in the following repositories: \n- [https://github.com/sparkdotfi/sparklend ](https://github.com/sparkdotfi/sparklend)\n- [https://github.com/sparkdotfi/aave-v3-core/ ](https://github.com/sparkdotfi/aave-v3-core/)\n- [https://github.com/sparkdotfi/aave-v3-periphery/ ](https://github.com/sparkdotfi/aave-v3-periphery/)\n- [https://github.com/sparkdotfi/spark-app](https://github.com/sparkdotfi/spark-app)\n- [https://github.com/sparkdotfi/spark-alm-controller](https://github.com/sparkdotfi/spark-alm-controller)\n- [https://github.com/sparkdotfi/spark-gov-relay](https://github.com/sparkdotfi/spark-gov-relay)\n- [https://github.com/sparkdotfi/spark-rewards](https://github.com/sparkdotfi/spark-rewards)\n- [https://github.com/sparkdotfi/spark-vaults-v2](https://github.com/sparkdotfi/spark-vaults-v2)\n- [https://github.com/sparkdotfi/spark-app](https://github.com/sparkdotfi/spark-app)\n\nDocumentation for the assets provided in the table can be found at [https://devs.spark.fi/](https://devs.spark.fi/)\n\nAssets in scope for Applications - [http://app.spark.fi](http://app.spark.fi)\n\nAssets in scope for Websites - [spark.fi](spark.fi), [docs.spark.fi](docs.spark.fi), [devs.spark.fi](devs.spark.fi), 
[api-v2.spark.fi](api-v2.spark.fi)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":[],"launchDate":"2023-11-01T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6PSQWUew0V3et86JKkvxs0/152af27a6fa55003a4cc5511f0641d17/badge__1_.png","maxBounty":5000000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"Spark is an at-scale stablecoin allocation engine capturing yield across DeFi, RWAs and exchanges. This yield is provided cross-chain to Savings USDS holders.\n\nFor more information about Spark, please visit [https://spark.fi/ ](https://spark.fi/)\n\nSpark provides rewards in DAI. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__Primacy of Impact vs Primacy of Rules__\n\nSpark adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - Critical \n\nIf an impact is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program. When submitting a report, just select the Primacy of Impact asset placeholder. 
If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact. \n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n__Known Issue Assurance__\n\nSpark commits to providing Known Issue Assurance to bug submissions through their program. This means that Spark will either disclose known issues publicly or at the very least privately via a self-reported bug submission in order to allow for a more objective and streamlined mediation process to prove that an issue is known. Otherwise, assuming the bug report itself is valid, it would result in the bug report being considered in-scope and due 100% of the reward with respect to the bug bounty program terms. \n\n__Immunefi Standard Badge__\n\nSpark has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209), which is given to projects that adhere to our best practices.","programType":["Smart Contract","Websites and Applications"],"project":"Spark","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 5 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.  
\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack is considered if the smart contracts where the vulnerability exists can be upgraded, paused, or killed. If the attack impacts a smart contract directly holding funds that cannot be upgraded or paused, the amount of funds at risk will be calculated with the impact of the first attack being at 100% and then for every 300 blocks the attack needs for subsequent attacks from the first attack the impact will be counted at a reduction of 25% from the impact of the first attack, rounded down. For avoidance of doubt, if a second attack would happen at 600 blocks and then a third at 900 blocks, the funds at risk would be counted at 50% and 25% of the reward from the first attack, respectively.\n\nHowever, for smart contracts directly holding funds that cannot be paused, if a discovered vulnerability includes the temporary locking of funds that could otherwise be withdrawn and thus prevented from being stolen but still accessible to the exploiter to take the funds, the time is extended to the exact same time as temporary locking. Extensions of the temporary locking that introduce a gap where withdrawals can happen will not be considered. \n\nWe do not consider funds locked if:\n- Funds are not used as collateral and can eventually be recovered by a governance action\n\n__Reward Calculation for High Level Reports__\n\nHigh smart contract impacts will be capped at up to 100% of the funds affected. In the event of temporary freezing, the reward doubles for every additional 300 blocks that the funds could be temporarily frozen, rounded down to the nearest multiple of 300, up to the hard cap of USD 100 000. However, if it is within the hard cap, there is a further hard cap of 1000% of the funds affected. 
\n\nHowever, a temporary freezing impact with less than 150 blocks will be rewarded the flat amount of USD 10 000.\n\nWe do not consider funds frozen if:\n- Funds are not used as collateral and can eventually be recovered by a governance action\n\n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are ineligible for a reward\n- Compensated contributors of Spark and/or MakerDAO who have written code for at least one of the assets in scope below\n\n__Previous Audits__\n\nSpark has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n- [https://devs.spark.fi/security/security-and-audits ](https://devs.spark.fi/security/security-and-audits)\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Other Terms and Information__\n\n- In the calculation of the USD value of the total value locked metric in determining the funds at risk, it does not include outstanding borrows.\n- Referenced libraries, proxy implementations and inherited contracts of all listed assets in scope are also considered in scope of the bug bounty program.\n   - In selecting an asset in scope that is impacted, please select the most relevant asset.\n- In order to be eligible for a reward, the vulnerability must exist in the deployed smart contract and not just the GitHub file. 
In the event that a vulnerability exists on the GitHub file but not on the most recently deployed contract, this may be due to a fix to address a vulnerability but done in a discreet manner until proper communication can be done. \n\n__Reward Payment Terms__\n\nReward Denomination:\nPayments are denominated in USD. However, payouts are done in DAI assuming a full 1:1 ratio with the USD. However, if the price of DAI deviates from the USD value by more than 1%, the amount of DAI will be adjusted.\n\nPayout Process:\nAll bounty payouts are handled by MakerDAO governance. Upon confirmation, bug bounty payouts should be included in the next possible ‘executive spell’, which is a governance vote with an onchain payload attached to it. This would involve sending DAI directly from the protocol’s buffer to the whitehat hacker.\n\nImmunefi will publicly contact one of the Governance Facilitators with the request, including a specification of the respective vulnerability report, the requested amount and the Ethereum mainnet addresses of the beneficiaries. This should also include the payment details of the Immunefi fee, if it applies. Immunefi and the Maker Governance Facilitators should make sure the payout occurs up to one full calendar month after the report was approved.\n\nFor bug bounty rewards over USD 1 000 000, after the first million is paid out, the remaining amount is paid out over time with up to USD 1 000 000 per consecutive month until the determined amount for payout is reached.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"DAI","slug":"sparklend","tenPercentEconomicRule":false,"updatedDate":"2026-03-18T14:02:28.322Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Spark is an at-scale stablecoin allocation engine capturing yield across DeFi, RWAs and exchanges. 
This yield is provided cross-chain to Savings USDS holders.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":4512,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (see out of scope impacts for scenarios where this does not apply)"},{"id":4513,"type":"websites_and_applications","severity":"high","title":"Taking down the Spark website (spark.fi) or documentation portals (docs.spark.fi / devs.spark.fi)"},{"id":4514,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":4515,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":4516,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open 
redirect)"},{"id":4517,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":4518,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4519,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":4520,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious 
transactions"}],"rewards":[{"id":11353,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":5000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11354,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range"},{"id":11355,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":5000,"rewardModel":"range"},{"id":11356,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":5000,"minReward":2500,"rewardModel":"range"},{"id":11357,"primacy":null,"severity":"medium","assetType":"websites_and_applications","maxReward":2500,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"6pSbcid6gogfvxnA5uRqsn","url":"https://github.com/flare-foundation/fassets/blob/main/audit/BugBountyScope.md","type":"smart_contract","addedAt":"2026-01-29T07:55:25.054Z","revision":0,"description":"FAssets - Smart Contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1C1CkLXVnZUGaE4Y8cGfT2","url":"https://portal.flare.network/","type":"websites_and_applications","addedAt":"2024-06-25T13:37:25.444Z","revision":0,"description":"Flare Portal","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2k4Uj6zgHNhDvAWXtesnpj","url":"https://coston-explorer.flare.network/","type":"websites_and_applications","addedAt":"2024-06-25T13:35:58.905Z","revision":0,"description":"Block Explorer - Coston","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3C6UWCQSBSoUGSP8viUMUz","url":"https://github.com/flare-foundation/bug-bounty/blob/main/smart-contracts.md","type":"smart_contract","addedAt":"2024-06-25T13:35:17.944Z","revision":0,"description":"Flare Smart 
Contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"52Q7OwO0Cxy93pQisy4axj","url":"https://staking.flare.network","type":"websites_and_applications","addedAt":"2024-06-25T13:37:42.239Z","revision":0,"description":"Flare Staking Tool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5JD7YL2nduUD1C2Pjs7kyK","url":"https://songbird-explorer.flare.network/","type":"websites_and_applications","addedAt":"2024-06-25T13:36:45.931Z","revision":0,"description":"Block Explorer - Songbird","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5OIQfcVyHo2JfAWbUH7nj7","url":"https://coston2-explorer.flare.network/","type":"websites_and_applications","addedAt":"2024-06-25T13:36:16.964Z","revision":0,"description":"Block Explorer - Coston2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5qQ9JcJpd7klXCWfVNxlvO","url":"https://flare-explorer.flare.network/","type":"websites_and_applications","addedAt":"2024-06-25T13:37:04.814Z","revision":0,"description":"Block Explorer - Flare","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6gTME5OHUqocg2WhmLwGZQ","url":"https://faucet.flare.network/","type":"websites_and_applications","addedAt":"2024-06-25T13:38:03.706Z","revision":0,"description":"Testnet Token Faucet","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98755","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"98715","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99286","url":"https://flare.network/","type":"websites_and_applications","addedAt":"2026-03-18T09:17:00.368Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99287","url":"https://flare.network/","type":"smart_contract","addedAt":"2026-03-18T09:17:00.368Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Arbitration","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity","Go","Typescript"],"launchDate":"2024-07-16T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/Dhej3RK2qOIzzJ7QDeqWJ/dad95d7b2af0cc0e566f06060f26a405/JgfEVRQA_400x400.png","maxBounty":250000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L1","Bridge"],"programOverview":"Flare is the blockchain for data. It is a layer 1, EVM smart contract platform designed to expand the utility of blockchain by delivering data certainty for dApp builders.\n\nThe infrastructure providers, which perform a dual function as both validators and data providers, power two native and enshrined oracles: the FTSO and the Data Connector. 
\n\nThese enshrined oracles, which inherit the security and decentralization of the layer 1 blockchain, provide developers access to all the data they need for their dApps when they need it – reliable data that is accurate and up to date, neither censored nor manipulated, and for free.\n\nBy giving developers trustless access to the broadest range of data needed by the software they build, Flare can advance the development of more blockchain use cases where data is key, such as in Decentralized Finance (DeFi), gaming, Non-fungible tokens (NFT), music, social networks, Real World Assets (RWAs), Machine Learning (ML), and Artificial Intelligence (AI).\n\nFor more information about Flare, please visit [https://flare.network/](https://flare.network/)\n\nFlare provides rewards in FLR, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nFlare adheres to the Primacy of Impact for the following levels:\n- Blockchain/DLT - Critical\n- Blockchain/DLT - High\n- Blockchain/DLT - Medium\n- Blockchain/DLT - Low\n- Smart Contract - Critical\n- Smart Contract - High\n- Web/app - Critical\n\nPrimacy of Impact means that priority is given to impact rather than to a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n\n__Public Disclosure of Known Issues__\n\nBug reports that cover previously-discovered bugs are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.\n\nVulnerabilities from an upstream repository that have already been disclosed are considered known issues. These include, but are not limited to the following repositories:\n\n- [https://github.com/ava-labs/coreth](https://github.com/ava-labs/coreth)\n- [https://github.com/ava-labs/avalanchego](https://github.com/ava-labs/avalanchego)\n\n__Previous Audits__\n\nFlare’s completed audit reports can be found at [https://dev.flare.network/support/audits](https://dev.flare.network/support/audits). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Flare has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract","Websites and Applications"],"project":"Flare Network","projectType":["Infrastructure","Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward USD 100 000. However, a minimum reward of USD 30 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\nFor critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows: \n- Network not being able to confirm new transactions (total network shutdown) - USD 100 000 \n- Unintended permanent chain split requiring hard fork (network partition requiring hard fork) - USD 100 000\n- Permanent freezing of funds (fix requires hardfork) - USD 100 000\n- Ability to exfiltrate a validator's staking keys (TLS or BLS) without direct machine access - USD 100 000\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 250 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical web/apps bugs, reports will be rewarded with USD 30 000, only if the impact leads to:\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n- All other impacts that would be classified as Critical would be rewarded a flat amount of USD 6 000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Calculation for High Level Reports__\n\nFor high severity smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 30 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. 
\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Payment Terms__\n\nPayouts are handled by the Flare team directly and are denominated in USD. However, payments are done in FLR on Flare.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"FLR","slug":"flarenetwork","tenPercentEconomicRule":false,"updatedDate":"2026-03-18T13:30:31.976Z","impactsBody":"FAssets:\n- Impacts achieved with frontrunning attacks will have severity lowered by one level. \n- Impacts requiring malicious agent actions will have severity lowered by one level.\n- Theft, freezing or loss of dust amounts of funds below the value of $1000 will be considered as griefing.\n- Loss of funds caused by penalisation is not considered as theft of funds.","websiteUrl":"https://flare.network/","githubUrl":"https://github.com/flare-foundation/","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Flare is the blockchain for data. It is a layer 1, EVM smart contract platform designed to expand the utility of blockchain by delivering data certainty for dApp builders.\n\nFAssets is a trustless, over-collateralized bridge built on Flare that connects non smart contract networks to Flare/Songbird. 
It enables the creation of wrapped tokens (FAssets) for assets like BTC, DOGE and XRP.","knownIssues":[{"id":1248,"link":"https://github.com/flare-foundation/fassets/blob/main/KNOWN_ISSUES.md","description":"FAssets Known Issues","lastUpdatedAt":"2025-10-08T21:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1284,"link":"https://gitlab.com/flarenetwork/flare-smart-contracts/-/blob/master/%20KNOWN_ISSUES.md","description":"Flare Legacy Smart Contracts Known Issues","lastUpdatedAt":"2026-03-04T22:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1285,"link":"https://github.com/flare-foundation/flare-smart-contracts-v2/blob/main/KNOWN_ISSUES.md","description":"Flare Smart Contracts Known Issues","lastUpdatedAt":"2026-03-04T22:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"These impacts are out of scope for this bug bounty program. \n\n- Impacts caused by vulnerabilities disclosed in the repositories of assets in scope, or in those of any dependencies.\n\n- Impacts from Denial-of-Service attacks \n- Consensus liveness failure requiring network control.\n- Unintended node behavior caused by local disk failures.\n- Unintended node behavior caused by unusual node configuration deviating from best practices for node configurations.\n- Compile time or runtime errors due to using unsupported hardware or operating systems.\n- Inability to automatically perform NAT-hole punching on specific router hardware.\n- FAssets: any attacks related to FBTC, FDOGE, or UTXO-based logic in general, are out of scope.\n- Impacts based on unrealistic market or chain conditions","customProhibitedActivities":[],"impacts":[{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":5879,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of tokens"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original 
results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- 
Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":5393,"type":"websites_and_applications","severity":"medium","title":"Taking down the 
application/website"}],"rewards":[{"id":43267,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43268,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":30000,"minReward":10000,"rewardModel":"range"},{"id":43269,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":43270,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":43271,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":30000,"minReward":6000,"rewardModel":"range"},{"id":43272,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":43273,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"}],"audits":[{"id":"6i9z7NVvp4fZIkHXMquBWi","url":"https://dev.flare.network/support/audits","auditor":"All Audits","date":"2026-01-22T00:00:00.000Z"}]},{"assets":[{"id":"1MbO2MlGzeAsoK6wEvMVdw","url":"https://ostium.app/","type":"websites_and_applications","addedAt":"2025-04-29T12:33:34.120Z","revision":0,"description":"App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"xTHZaz5MaXZIbBRFSTaWX","url":"https://t.me/ostiumbot","type":"websites_and_applications","addedAt":"2025-04-29T12:34:00.970Z","revision":0,"description":"Telegram App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98722","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-04-30T00:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/28Y1opgIz9KYOLep9I9LeJ/59cbd0b6b78fd59315392da40c22d2e8/Screenshot_2025-04-30_at_6.36.13â__pm_Small.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"The Ostium Protocol is an open-sourced, decentralised exchange on Ethereum Layer 2 Arbitrum, enabling transparent and non-custodial perpetuals exposure to Real World Assets. Ostium is customized to support fractional onchain trading of assets like gold, oil, S&P, JPY and other traditional markets from a crypto wallet. \n\nFor more information about Ostium, please visit https://www.ostium.io/.\n\nOstium provides rewards in USDC on Arbitrum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Primacy of Impact vs Primacy of Rules__\n\nOstium adheres to the Primacy of Impact for the following impacts:\n- Website & Application  —  Critical\n- Website & Application  —  High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. 
This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope.\n \nFor more information, please see Best Practices: [Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.","programType":["Websites and Applications"],"project":"Ostium","projectType":[],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical web/apps bugs, reports will be rewarded with $25,000, only if the impact leads to:\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of $5,000. 
The rest of the severity levels are paid out according to the Impact in Scope table.\n\n\n__Reward Payment Terms__\n\nPayouts are handled by the Ostium team directly and are denominated in USD. However, payments are done in USDC on Arbitrum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"ostium","tenPercentEconomicRule":false,"updatedDate":"2026-02-06T23:13:32.110Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"The Ostium Protocol is an open-sourced, decentralised exchange on Ethereum Layer 2 Arbitrum, enabling transparent and non-custodial perpetuals exposure to Real World Assets. Ostium is customized to support fractional onchain trading of assets like gold, oil, S&P, JPY and other traditional markets from a crypto wallet.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- 
Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open 
redirect)"}],"rewards":[{"id":40176,"severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":5000,"rewardModel":"range"},{"id":40177,"severity":"high","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"},{"id":40178,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"wSk0zmvxEawdKRG2gLaTB","url":"https://github.com/berachain/beacon-kit","type":"blockchain_dlt","addedAt":"2025-01-18T08:36:01.113Z","revision":0,"description":"Beacon Kit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ah23IiGzOIsWSO5Ic8jPx","url":"https://github.com/berachain/contracts","type":"smart_contract","addedAt":"2025-01-18T08:36:32.148Z","revision":0,"description":"Berachain Smart Contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1kmK3F3vjT0hHvvdYfY3fc","url":"https://github.com/berachain/airdrop-contracts","type":"smart_contract","addedAt":"2025-02-19T14:00:53.407Z","revision":0,"description":"Berachain Airdrop Contracts","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Solidity","Rust"],"launchDate":"2025-02-06T11:58:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/28aHSz4GDuMcAuSR8VmJ4P/b943afe474489ec74fab8cf921f17118/NEW_Berachain.png","maxBounty":250000,"outOfScopeAndRules":"These impacts are out of scope of this bug bounty program. 
\n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers\n- Impacts relying on theoretical user interactions without any demonstration of regular or significant occurrence\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third-party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L1"],"programOverview":"Berachain is a high-performance EVM-Identical Layer 1 (L1) blockchain utilizing Proof-of-Liquidity (PoL) as a consensus mechanism and built on top of a modular EVM-focused consensus client framework named BeaconKit.\n\nBeaconKit is a modular framework for building EVM-based consensus clients. The framework offers the most user-friendly way to build and operate an EVM blockchain while ensuring a functionally identical execution environment to the Ethereum Mainnet.\n\nFor more information about Berachain, please visit our [docs](https://docs.berachain.com/) or our [code](https://github.com/berachain).\n\nBerachain provides rewards in BERA on Berachain, denominated in USD. Please see the **Rewards by Threat Level** section for more details about the payment process. 
\n\n__KYC Requirement__\n\nBerachain will be requesting KYC information to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with the address or a recent utility bill)\n- Copy of Passport or other Government ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement outlined in this program and cannot be:\n\n- On OFAC SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors who directly or indirectly participated in the audit review\n\n\n__Responsible Publication__\n\nBerachain adheres to category 3 - Approval Required. This Policy determines what information researchers can make public from their submitted bug reports. For more details on the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\nBerachain adheres to the Primacy of Rules, meaning the whole bug bounty program is run strictly under the terms and conditions stated on this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC demonstrating the bug's impact is required for this program and must comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n* https://github.com/berachain/beacon-kit/issues\n* https://github.com/berachain/beacon-kit/pulls\n* https://github.com/berachain/contracts/issues/\n* https://github.com/berachain/contracts/pulls\n* https://github.com/berachain/cometbft/issues\n* https://github.com/berachain/cometbft/pulls\n\n__Previous Audits__\n\n- https://github.com/berachain/security-audits\n\n**Current known issues related to the [Berachain Airdrops Contract](https://github.com/berachain/airdrop-contracts) are presented in the following audit reports:**\n- https://github.com/berachain/security-audits/blob/main/20250131-Airdrop-Zenith.pdf\n- https://github.com/berachain/security-audits/blob/main/20250205-Airdrop-Cantina.pdf\n- https://github.com/berachain/security-audits/blob/main/20241223-Airdrop-Zellic.pdf\n\n__Feasibility Limitations__\n\nThe project may receive valid reports (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack is. 
Conversely, there may also be mitigation measures that projects can take to prevent the bug's impact, which are not viable or would require unconventional action.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) that, by default, state what security researchers and projects can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Berachain has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).\n\nIf you are interested in exploring **Berachain (Web/Apps)**, check out our **Websites and Applications** bug bounty program here: https://immunefi.com/bug-bounty/berachain-webapps/information/","programType":["Blockchain/DLT","Smart Contract"],"project":"Berachain","projectType":["Blockchain","Infrastructure"],"rewardsBody":"***STOP!*** **Is your report `Web/Apps` related?**\n\n**If yes, please visit:** https://immunefi.com/bug-bounty/berachain-webapps/information/\n\n___\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward of $250,000. However, a minimum reward of USD $50,000 is to be rewarded to incentivize security researchers against withholding a bug report.\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $250,000. Calculating the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD $50,000 is to be rewarded to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. The project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High-Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within $10,000 to $50,000 depending on the funds at risk, capped at the maximum high reward.\n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for more significant damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures more substantial incentives for bug disclosure of this nature.\n \n__Reward Payment Terms__\n\nPayouts are handled by the Berachain team directly and are denominated in USD. 
However, payments are made in BERA on Berachain.\n\nThe net amount rewarded is calculated based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"berachain","tenPercentEconomicRule":false,"updatedDate":"2026-03-17T13:51:55.669Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something in the assets in the scope table.\n\n__For Blockchain/DLT__\n\nThe set of attack vectors listed in this bullet list represents potential exploits that may result in one or more of the impacts defined in the table.\n\n- Remote code execution on validator node\n- Exposure of cryptographic key material\n- Impersonation of validator’s authenticated actions, e.g. forging of signatures or votes\n- Bugs that would allow the extraction, or the destruction, or the generation of surplus monetary rewards other than what is designated in the protocol\n- Any bug that would lead to a perceivable advantage other than the validator’s voting power, e.g. election bias\n- Confused deputy on equivocating or slashable behavior, e.g. 
the validator node is induced into voting twice involuntarily\n- Attacks that lead a percentage of nodes to crash, halting the chain\n- Bugs that put a percentage of nodes into an inconsistent state, without stopping the chain\n- Non-generic attacks that lead to a chain halt or make the chain unable to progress\n- Safety and correctness flaws that would require the combination of extraordinary conditions to occur\n- Extended degradation of performance by non-generic means\n- Non-generic attacks are those that rely on an omission or a defect in the code resulting in a significant computational advantage.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Berachain is a high-performance EVM-Identical Layer 1 (L1) blockchain utilizing Proof-of-Liquidity (PoL) as a consensus mechanism and built on top of a modular EVM-focused consensus client framework named BeaconKit.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"This Program, as it pertains to the [Berachain Airdrops Contract](https://github.com/berachain/airdrop-contracts), is specifically designed to address reports that result in financial loss. In particular, any exploit related to airdrop components already claimed by users, which consequently cannot translate into any financial loss, will not be considered.\n\nThe following assets are out of scope of this program:\n - https://github.com/berachain/airdrop-contracts/blob/main/src/Distributor1.sol\n\nFor all other contracts, which means all except the `Airdrops Contract`, the following impacts are out of scope of this bug bounty program.\n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers\n- Impacts relying on theoretical user interactions without any demonstration of regular or significant occurrence\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third-party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n- Node REST API (/eth/v1/beacon/*) is out of scope\n- DoS against default-off components doesn't qualify\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","customProhibitedActivities":[],"impacts":[{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":5291,"type":"blockchain_dlt","severity":"medium","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":8,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting programs with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design 
parameters"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5292,"type":"blockchain_dlt","severity":"medium","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":5293,"type":"blockchain_dlt","severity":"medium","title":"Unintended chain split (network 
partition)"}],"rewards":[{"id":43247,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":250000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43248,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":43249,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","maxReward":10000,"minReward":2000,"rewardModel":"range"},{"id":43250,"primacy":null,"severity":"low","assetType":"blockchain_dlt","fixedReward":2000,"rewardModel":"fixed"},{"id":43251,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43252,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":43253,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":10000,"minReward":2000,"rewardModel":"range"},{"id":43254,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3aMMT7OIjyCNyiCQELpKQ5","url":"https://defi.instadapp.io","type":"websites_and_applications","addedAt":"2024-05-24T12:44:19.896Z","revision":0,"description":"Instadapp 
Pro","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Nkg4c2y9j07kJYxScahlq","url":"https://avocado.instadapp.io","type":"websites_and_applications","addedAt":"2024-05-24T12:44:36.756Z","revision":0,"description":"Avocado","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1UN9BmAavrtOZEpWHbFloz","url":"https://fluid.instadapp.io/","type":"websites_and_applications","addedAt":"2024-05-24T12:44:52.242Z","revision":0,"description":"Fluid","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"hzChemEcM0sJPi7zeBoB3","url":"https://atlas.instadapp.io/","type":"websites_and_applications","addedAt":"2024-05-24T12:45:06.012Z","revision":0,"description":"Governance","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1zWzo0WwcBaoC9OrSnoQXe","url":"https://github.com/Instadapp/dsa-contracts","type":"smart_contract","addedAt":"2024-05-24T12:45:24.914Z","revision":0,"description":"Instadapp Pro","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4cyVfWyPl29b2Wg7odmok","url":"https://github.com/Instadapp/avocado-sdk","type":"websites_and_applications","addedAt":"2024-05-24T12:45:40.644Z","revision":0,"description":"Avocado","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"25yrvB9j87ZQQY73ZoB5XK","url":"https://github.com/Instadapp/avocado-contracts-public","type":"smart_contract","addedAt":"2024-05-24T12:45:57.654Z","revision":0,"description":"Avocado (excluding the helper folder within avo-contracts)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2NeFyeJEEaKCECucXsIImK","url":"https://github.com/Instadapp/fluid-contracts-public","type":"smart_contract","addedAt":"2024-05-24T12:46:26.790Z","revision":0,"description":"Fluid Liquidity Layer, Fluid Lending protocol, Fluid Vault protocol. 
Fluid Contracts (excluding periphery folder)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1GT7avGteyJiazlH3RInZr","url":"https://github.com/Instadapp/inst-governance","type":"smart_contract","addedAt":"2024-05-24T12:47:07.970Z","revision":0,"description":"Governance","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nAll folders and files labeled with the words “test”, “mock/mocks”, or “dummy” are out-of-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Avalanche","BSC","ETH","Optimism","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-09-20T01:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7jHZEinQjaABm48Sct1BZs/3d224c5a05bff575e14b98970f939667/Instadapp.jpeg","maxBounty":500000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L1","L2","Wallet"],"programOverview":"The Instadapp platform offers a comprehensive suite of tools for both users and developers to harness the full potential of DeFi. 
With products ranging from refinancing and flashloan strategies to lending platforms and smart wallet protocols, Instadapp aims to optimize DeFi interactions.\n\nThis bug bounty program covers the following protocols and services:\n\nInstadapp PRO (DeFi Smart Accounts)\n\nInstadapp PRO is a comprehensive platform for managing and utilizing DeFi; users can access the top lending protocols and maximize their gains by leveraging and refinancing between protocols. Instadapp Pro allows users to execute advanced swaps and other complex transactions. \n\nAvocado Smart Wallet\n\nAvocado is a next-generation Account Abstraction wallet created by the Instadapp Team. Avocado abstracts networks, gas and addresses, making it easier to interact with the growing and complex web3 world. Avocado features a unified USDC gas tank, mass payments, cross-chain transactions, transaction previews, built-in DEX and bridging services and 2FA security.\n\nFluid \n\nFluid works as a multi-layered protocol with a unified liquidity layer that enables many protocols to be built on top:\n\n- Fluid Liquidity Layer: The base liquidity protocol for Fluid; all liquidity and protocols draw their liquidity from the liquidity layer.\n- Fluid Lending Protocol: foundational component designed to facilitate secure and highly efficient lending. You can think of it as the 'Deposit and Earn' of Fluid.  \n- Fluid Vault Protocol: The first protocol built on top of the Liquidity Layer, the vault protocol enables users to supply assets and borrow against them in a single-asset/single-debt vault similar to MakerDAO.\n\n\nFor more information about Instadapp, please visit https://instadapp.io/. 
\n\nThis bug bounty program is focused on their smart contracts and dapp and is focused on preventing the following impacts:\n\n- Deletion of user data\n- Theft of governance funds\n- Thefts and freezing of principal of any amount\n- Thefts and freezing of unclaimed yield of any amount","programType":["Smart Contract","Websites and Applications"],"project":"Instadapp","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract vulnerabilities, the reward is 10% of the directly affected funds, up to a maximum of USD 500,000. The calculation considers the funds at risk based on the bug report submission date and time. There is a minimum guaranteed reward of USD 25,000 to encourage reporting even for smaller valued critical bugs.\n\n\n__Reward Calculation for High Level Reports__\n\nFor high smart contract impacts, the reward is capped at $100,000 and is based on 50% of the value of the affected funds. The calculation considers the funds at risk based on the bug report submission date and time. There is a minimum guaranteed reward of USD 5,000 to encourage reporting even for smaller valued critical bugs.\n\n__Secondary/Market Attack on Fluid__\n\nFluid as a lending protocol utilizes different aspects of the blockchain which may indirectly affect the protocol. 
The following outlines the conditions under which particular secondary attacks, which are not directly on the Fluid contracts but have secondary or associated effects on them, may be considered for a reward:\n\n- The attack must directly impact Fluid, i.e. an attack which affects the broader market, such as price manipulation, but is not targeting Fluid would not qualify.\n\nExamples of secondary attacks would be:\n\n- Manipulation of a DEX or on-chain price oracle from a secondary source, which results in the immediate and total loss of funds of the Fluid protocol, where the attack is specifically targeting the Fluid protocol.\n- Flash-loan-based attack that would cause immediate and irreversible financial loss to the Fluid protocol, where the attack is specifically targeting the Fluid protocol; this would exclude attacks which manipulate the price of a single token used on Fluid.\n\nPrior published audits are here for review; any noted vulnerability or bugs in previously completed audits are not eligible for a reward.\n\nDefi Smart Accounts (DSA)/Instadapp PRO\n- [Peckshield - Mar 16, 2021](https://github.com/Instadapp/dsa-contracts/blob/master/audits/v2_PeckShield_Mar_2021.pdf)\n- [Peckshield - Mar 18, 2020](https://github.com/Instadapp/dsa-contracts/blob/master/audits/v1_PeckShield_Mar_2020.pdf)\n- [samczsun Audit - Mar 2020](https://github.com/Instadapp/dsa-contracts/blob/master/audits/v1_samczsun_Mar_2020.md)\n\nAvocado\n- [Statemind - Sept 28, 2023](https://github.com/Instadapp/avocado-audits/blob/main/Statemind-Audit-Report-Avocado-v3.pdf)\n- [Peckshield - June 12, 2023](https://github.com/Instadapp/avocado-audits/blob/main/PeckShield-Audit-Report-Avocado-v3.pdf)\n\nFluid\n- [Statemind - Dec 29th, 2023](https://github.com/statemindio/public-audits/blob/main/Instadapp/2023-12-29_Instadapp_Fluid.pdf)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n\n- Smart Contract - Critical\n- Smart Contract - High\n\nWhen 
calculating the USD value of total value locked (TVL) to determine funds at risk, outstanding borrows are excluded.\n\nTo be eligible for a reward, the vulnerability must exist in the deployed smart contract.\n\nBugs resulting in temporary freezing of funds are not eligible for a reward. \n\nPayouts are handled by the Instadapp team directly and are denominated in USD. However, payouts are done in stablecoins such as USDC, USDT and DAI at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, USDT, DAI","slug":"instadapp","tenPercentEconomicRule":false,"updatedDate":"2026-03-17T08:57:16.833Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"The Instadapp platform offers a comprehensive suite of tools for both users and developers to harness the full potential of DeFi. With products ranging from refinancing and flashloan strategies to lending platforms and smart wallet protocols, Instadapp aims to optimize DeFi interactions.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n  - Griefing involving gas fees alone\n  - DexLite Protocol: https://github.com/Instadapp/fluid-contracts-public/tree/main/contracts/protocols/dexLite","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":1026,"type":"smart_contract","severity":"high","title":"Miner-extractable value (MEV)"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":1027,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (more than 10 Days)"},{"id":1028,"type":"websites_and_applications","severity":"high","title":"Spoofing content on the target application (Persistent)"},{"id":1029,"type":"websites_and_applications","severity":"high","title":"Users Confidential information disclosure such as Email"},{"id":1030,"type":"websites_and_applications","severity":"high","title":"Privilege escalation to access unauthorized functionalities"},{"id":1031,"type":"websites_and_applications","severity":"high","title":"Third-Party API keys leakage that demonstrates loss of funds or modification on the website"},{"id":1032,"type":"websites_and_applications","severity":"high","title":"Redirecting users to malicious websites (Open Redirect)"},{"id":1033,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":1034,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield (Connectors are out of scope from 
this)"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":1035,"type":"websites_and_applications","severity":"critical","title":"Ability to execute system commands"},{"id":1036,"type":"websites_and_applications","severity":"critical","title":"Extract Sensitive data/files from the server such as /etc/password"},{"id":1037,"type":"websites_and_applications","severity":"critical","title":"Bypassing Authentication"},{"id":1038,"type":"websites_and_applications","severity":"critical","title":"Signing transactions for other users"},{"id":1039,"type":"websites_and_applications","severity":"critical","title":"Redirection of user deposits and withdrawals"},{"id":1040,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)"},{"id":1041,"type":"websites_and_applications","severity":"critical","title":"Wallet interaction modification resulting in financial loss"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":1042,"type":"websites_and_applications","severity":"critical","title":"Tampering with transactions submitted to the user’s wallet"},{"id":1043,"type":"websites_and_applications","severity":"critical","title":"Submitting malicious transactions to an already-connected 
wallet"}],"rewards":[{"id":43243,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43244,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":5000,"rewardModel":"range"},{"id":43245,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":5000,"rewardModel":"range"},{"id":43246,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"5xJ73ZyXtKQQPVRGkOHg2L","url":"https://github.com/wormhole-foundation/wormhole/tree/main/node","type":"blockchain_dlt","addedAt":"2022-04-04T13:13:32.158Z","revision":0,"description":"Guardian Nodes","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7hbvnMCUf0QThat3PSznAl","url":"https://github.com/wormhole-foundation/wormhole/tree/main/wormchain","type":"blockchain_dlt","addedAt":"2023-12-17T19:16:31.939Z","revision":0,"description":"Wormhole Gateway aka 
Wormchain","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1yZpRPgmxpIsD7R94LwfhK","url":"https://wormhole.com/docs/build/reference/contract-addresses","type":"smart_contract","addedAt":"2022-04-04T13:13:57.592Z","revision":0,"description":"Mainnet","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"15lZskZNdRHr2BRkLyVg16","url":"https://github.com/wormhole-foundation/wormhole/tree/main/ethereum","type":"smart_contract","addedAt":"2022-04-04T13:14:13.071Z","revision":0,"description":"Ethereum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ohex8lqEFUM6FnLN1CopP","url":"https://github.com/wormhole-foundation/wormhole/tree/main/solana","type":"smart_contract","addedAt":"2022-04-04T13:14:40.038Z","revision":0,"description":"Solana","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ljL4kZzXP4cQMegkehoqN","url":"https://github.com/wormhole-foundation/wormhole/tree/main/cosmwasm","type":"smart_contract","addedAt":"2022-04-04T13:15:29.664Z","revision":0,"description":" 
CosmWasm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"21nGpPqgTGUtrm8hJuxB9g","url":"https://github.com/wormhole-foundation/wormhole/tree/main/algorand","type":"smart_contract","addedAt":"2022-09-26T23:11:27.479Z","revision":0,"description":"Algorand","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"17oT1ffcaJcOyrUlPSwVO4","url":"https://github.com/wormhole-foundation/wormhole/tree/main/aptos","type":"smart_contract","addedAt":"2022-09-26T23:11:41.829Z","revision":0,"description":"Aptos","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Vbs1weSp9OYGDGVzMvrQ5","url":"https://github.com/wormhole-foundation/wormhole/tree/main/sui","type":"smart_contract","addedAt":"2023-05-05T04:26:33.803Z","revision":0,"description":"Sui","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"40iH19IxzYX3Ig4faFUhpn","url":"https://github.com/wormhole-foundation/wormhole/tree/main/near","type":"smart_contract","addedAt":"2023-12-17T19:16:57.066Z","revision":0,"description":"Near","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2BUsPc3whgrJXqRawcO95I","url":"https://github.com/wormhole-foundation/wormhole-circle-integration","type":"smart_contract","addedAt":"2023-02-28T18:36:52.330Z","revision":0,"description":"EVM, excluding the Circle Bridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Dv2xmXvf67HSJKrLjBRJb","url":"https://github.com/wormhole-foundation/native-token-transfers","type":"smart_contract","addedAt":"2025-02-05T16:34:26.326Z","revision":0,"description":"Native Token Transfers","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"53UYtlK9FGUQObxSIYT51j","url":"https://github.com/wormhole-foundation/multigov/tree/main","type":"smart_contract","addedAt":"2025-03-12T03:44:50.570Z","revision":0,"description":"MultiGov","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"All Wormhole smart contracts can be found at https://github.com/wormhole-foundation. 
However, only those in the Assets in Scope table are considered in the bug bounty program's scope. In-scope items are those that are live on-chain or within an active Github release preparing for deployment.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Move","Python","Rust","Solidity"],"launchDate":"2022-02-11T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/zjpjBpSpX6wiIdgfoLeKc/b7c1a836bbc7a4a850623ddee15f3158/wormhole-logo-full-color-rgb-2000px_72ppi__1_.png","maxBounty":1000000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in-scope, even if they affect something in the assets in the scope table.","productType":["Crosschain Liquidity"],"programOverview":"Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of the on-chain state.\n\nFor more information about Wormhole, please visit [https://wormhole.com/](https://wormhole.com/).\n\nThis bug bounty program is focused on preventing negative impacts on Wormhole and the Portal Token Bridge. 
It currently covers their smart contracts, guardian nodes, and Wormhole integrations with blockchains.\n\n__Submission Requirements__\n\nAll reports must include sufficient explanation and data to reproduce the bug easily, e.g., through a proof-of-concept code.\n\nWe require the bug reporter to comply with our KYC requirements before we pay for a bug report.\n\nThis includes the following:\n  - Wallet address where you’ll receive payment.\n  - Proof of address (either a redacted bank statement with your address or a recent utility bill with your name, address, and issuer of the bill).\n  - A copy of your passport will be required.\n  - W rewards are limited to those persons who are (a) not U.S. Person as defined in Rule 902(k) of Regulation S under the United States Securities Act of 1933, as amended (“Regulation S”) (b) is not domiciled in or has their principal place of business in the United States; (y) will conduct all transactions with the Tokens outside the United States and solely with non-US persons; and (z) is not acquiring the Tokens for the account or benefit of any U.S. Person and will not engage in any directed selling efforts in the United States.\n  - Any W to which you are entitled to receive as a reward will only be granted and delivered to you upon the execution by you of a Restricted Token Grant Agreement in the form required by Wormhole Foundation and subject to the terms and conditions set forth therein, including a lock-up on the W token as set forth therein.\n  - You shall be responsible for reporting and paying any current and future taxes that it may incur resulting from the grant or delivery of any W or cash compensation.\n  - If you report a critical bounty with a reward denominated in W, you may be entitled to receive the reward in USDC if you are unable to receive the reward in W.\n\nThese details will only be required upon determining that a bug report will be rewarded. 
They will remain strictly confidential among need-to-know individuals (basically, only the individuals who must verify KYC and process the payment).","programType":["Smart Contract","Blockchain/DLT"],"project":"Wormhole","projectType":["Blockchain","Infrastructure"],"rewardsBody":"Please note that for any valid Critical severity reports, the maximum reward will be up to $1,000,000 USD, paid in W token, with the following tiers: \n\n- __Tier 1:__ Ability to Extract the TVL of all chains: Up to $1,000,000 in W\n- __Tier 2:__ Ability to Extract the TVL of a single chain: Up to $500,000 in W \n- __Tier 3:__ Ability to permanently deny access to the TVL of one or many chains: Up to $250,000 in W \n\nAll rewards are decided on a case-by-case basis, taking into account the bug's exploitability, the feasibility of the exploit scenario, the impact it causes, and the likelihood of the vulnerability presenting itself, particularly if it is nondeterministic or some of the conditions are not present at the time.\n\nBecause of the Governor, rewards for critical vulnerabilities in the Wrapped Token Bridge are further capped at 10% of extractable value during a 24-hour period. The Governor (https://github.com/wormhole-foundation/wormhole/tree/main/node/pkg/governor) is designed to limit the value that can be transferred out of one chain over time. Rewards for vulnerabilities resulting in the perpetual locking of funds are further capped at the lesser of 1% of destroyable value or $250,000 in W (where perpetual can only apply to non-upgradeable smart contracts).\n\nValue is calculated based on the current market value and available liquidity for widely used tokens in the Portal Token Bridge, such as ETH and SOL. 
\n\nIn cases where the report achieves more than one of the above objectives, rewards will be tiered to the higher of the two objectives and will not be aggregated (e.g., if you can extract and brick a complete TVL for a chain, you will be awarded a bounty as if you could only extract the complete TVL for that chain).\n\nRewards for bugs in dependencies and third-party code are at the discretion of the Wormhole team and will be based on the impact demonstrated on Wormhole. If the dependency has its own bug bounty program, your reward for submitting this vulnerability to Wormhole will be lowered by the expected payout of that other program. If the vulnerability is in a connected blockchain rather than the Wormhole code, the locked and wrapped assets on that chain are not included in the impact calculation.\n\nVulnerabilities known to the Wormhole team at the time of reporting are ineligible for reward. This includes external audit reports, vulnerabilities in Wormhole's dependencies that have been disclosed publicly, and internal company communications. If necessary, the program will provide proof of prior knowledge about the issue. Reports that copy public vulnerability disclosures, or reports that highlight patch gaps between Wormhole's forked repositories and their upstream codebases, are not eligible for a reward.\n\nWormhole Foundation will maintain full discretion on vulnerability payouts. 
We encourage bug reporters to submit issues outside of the above-mentioned payout structure, though we want to be clear that we’ll exercise discretion on a case-by-case basis regarding whether an issue warrants a payout and what that ultimate payout would be.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"wormhole","tenPercentEconomicRule":false,"updatedDate":"2026-03-17T08:25:35.684Z","impactsBody":"Bugs that are only triggerable against oneself and don’t affect other users, but are reasonable to be done on accident as an end user or application developer will be considered as no higher than low severity on a case-by-case basis. This excludes sending funds to unintended addresses which will not be rewarded.\n\nFor bugs related to a potential Governor bypass, this only applies to governed tokens (i.e. ungoverned tokens are deliberately ungoverned).\n\nNative Token Transfer (NTT) is an open, flexible, and composable framework for transferring tokens across blockchains without liquidity pools. Only the listed GitHub repository is in the scope of this bounty program. Any forks or modifications are out of scope. Furthermore, only tagged releases with version v1.x.x are considered in-scope. The severity of NTT-related findings will be dropped by a single category on the payout scale, such as a critical to a high or a medium to a low.\n\nMultiGov is an extension of the OpenZeppelin Governor contracts that allows token holders to maintain their voting rights after bridging their tokens to another chain. Only the listed GitHub repository is in the scope of this bounty program. Any forks or modifications are out of scope. 
Furthermore, the rewards for MultiGov-related findings will be capped at $100,000 USD.\n\nAny NFT Bridge-related reports are no longer considered in-scope and will be closed.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Wormhole is a generic cross-chain messaging protocol that allows smart contracts on various blockchains to communicate with each other. Messages are routed from chain to chain by a decentralised group of guardian nodes who sign attestations of the on-chain state.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. 
In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default state what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n  - Vulnerabilities that have been exploited, leading to damage.     \n  - Network denial of service on Guardians is not eligible for bug bounty rewards.\n  - Wormhole is an open source project with open development. We welcome feedback and PRs on features that are in development. Code that has not been deployed in production is generally out-of-scope.\n  - Reports regarding bugs that the Wormhole project was previously aware of are not eligible for a reward.\n  - In-scope assets with a \"pre-release\" tag are exempt from the above-mentioned deployed requirement and are aimed at allowing early access for white-hat community contribution. Once the chain is deployed in the mainnet, the new scope is whatever is deployed on the chain, which is often what is present in the main branch. Rewards for “pre-release” candidates will be eligible within the same reward structure as mainnet contracts.\n\nThe following person(s) are ineligible to receive bug bounty payout rewards: Staff, Auditors, Contractors, persons possessing privileged information, and all associated parties.\n\n__Prohibited Activities__\n\n  - Any testing with mainnet or public testnets; all testing should be done on private nets.\n  - Public disclosure of a vulnerability before an embargo has been lifted. 
Wormhole follows the category 3 requirements for Immunefi Disclosure, requiring all public disclosure of valid bugs to be approved for publication.\n  - Any testing with third-party smart contracts or infrastructure and websites.\n  - Attempting phishing or other social engineering attacks against our employees and/or customers.\n  - Any denial of service attacks.\n  - Violating the privacy of any organization or individual.\n  - Automated testing of services that generate significant amounts of traffic.\n  - Any activity that violates any law or disrupts or compromises any data or property that is not yours.","customProhibitedActivities":[],"impacts":[{"id":5957,"type":"blockchain_dlt","severity":"medium","title":"Attacks that would be critical if a super minority of Guardians were malicious, excluding denial of service vulnerabilities."},{"id":5965,"type":"smart_contract","severity":"critical","title":"Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge (locking only applies to non-upgradeable smart contracts)"},{"id":5964,"type":"blockchain_dlt","severity":"low","title":"Unrestricted bypass of the Transfer Verifier (https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0014_transfer_verifier.md)"},{"id":5345,"type":"blockchain_dlt","severity":"low","title":"Bugs that are unlikely to occur but would have a significant impact if so, e.g. race conditions"},{"id":5959,"type":"blockchain_dlt","severity":"critical","title":"Exploits resulting in the locking, loss, or theft of user funds from the Portal Token Bridge (locking only applies to non-upgradeable smart contracts)"},{"id":5958,"type":"blockchain_dlt","severity":"medium","title":"Bugs that allow forging signed messages from a super-minority of Guardians"},{"id":5963,"type":"blockchain_dlt","severity":"critical","title":"Unauthorized changes to protocol parameters through governance resulting in direct loss of funds (i.e. 
spoofing Governance actions)"},{"id":5962,"type":"blockchain_dlt","severity":"critical","title":"Theft of funds from exposure of production private keys of a quorum of Guardians"},{"id":5961,"type":"blockchain_dlt","severity":"high","title":"Unrestricted bypass of the Accountant (https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0011_accountant.md)"},{"id":5960,"type":"blockchain_dlt","severity":"high","title":"Unrestricted bypass of rate limiters, including the Governor module (https://github.com/wormhole-foundation/wormhole/tree/main/node/pkg/governor)"},{"id":5346,"type":"blockchain_dlt","severity":"low","title":"Bugs that are not currently exploitable but may become exploitable in future stages of development. This could refer to a configuration setting change or a likely code change causing a bug. The WH team determines the feasibility and likelihood of this."},{"id":5347,"type":"blockchain_dlt","severity":"low","title":"Denial of Service attacks against the Guardian network (excluding volumetric attacks) that would result in an extended (24 hours) degradation of performance"},{"id":5353,"type":"smart_contract","severity":"low","title":"Bugs that are unlikely to occur but would have a significant impact if so, e.g. race conditions"},{"id":1840,"type":"smart_contract","severity":"low","title":"Bugs that are likely to occur in future stages of development but do not manifest themselves yet"},{"id":5355,"type":"smart_contract","severity":"low","title":"Denial-of-service attacks against the Guardian network (excluding volumetric attacks) that temporarily degrade performance."},{"id":5336,"type":"blockchain_dlt","severity":"high","title":"Bugs that allow forging of wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts but are outside of the “critical” category. 
For example, it is possible to spoof a VAA without being able to control the sender's address."},{"id":1843,"type":"blockchain_dlt","severity":"high","title":"Bugs that are very capital-intensive to carry out but could be critical"},{"id":5337,"type":"blockchain_dlt","severity":"high","title":"Attacks that would be critical if a single Guardian were malicious."},{"id":5349,"type":"smart_contract","severity":"high","title":"Bugs that allow the forging of wormhole messages (e.g., VAAs) or circumventing VAA verification logic in smart contracts but are outside of the “critical” category."},{"id":1848,"type":"smart_contract","severity":"high","title":"Bugs that are very capital-intensive to carry out but could be critical"},{"id":5350,"type":"smart_contract","severity":"high","title":"Attacks that would be critical if a minority of Guardians were malicious."},{"id":5341,"type":"blockchain_dlt","severity":"medium","title":"Impacts of critical or high severity that require a feasible amount of Guardian or user interaction to exploit."},{"id":1854,"type":"blockchain_dlt","severity":"medium","title":"Compromising a single guardian node"},{"id":1855,"type":"blockchain_dlt","severity":"medium","title":"Cryptographic implementation flaws and flaws in random number generation with limited impact"},{"id":5344,"type":"blockchain_dlt","severity":"medium","title":"Compromising a single guardian node"},{"id":1858,"type":"smart_contract","severity":"medium","title":"Exploit chains requiring user interaction"},{"id":1860,"type":"smart_contract","severity":"medium","title":"Cryptographic implementation flaws and flaws in random number generation with limited impact"},{"id":1861,"type":"smart_contract","severity":"medium","title":"Bugs that allow forging signed messages from a minority of Guardians"},{"id":5332,"type":"blockchain_dlt","severity":"critical","title":"Forging of wormhole messages (i.e. 
VAAs) or circumventing VAA verification logic"},{"id":5335,"type":"blockchain_dlt","severity":"critical","title":"Gaining control of multiple Guardian nodes by exploiting a vulnerability that leads to Remote Code Execution."},{"id":1870,"type":"blockchain_dlt","severity":"critical","title":"Any other vulnerabilities that lead to the impacts described in Tier 1-3"},{"id":1871,"type":"smart_contract","severity":"critical","title":"Forging of wormhole messages (i.e. VAAs) or circumventing VAA verification logic in the smart contracts"},{"id":1874,"type":"smart_contract","severity":"critical","title":"Determinism bugs that could lead to inconsistent bridge states"},{"id":1875,"type":"smart_contract","severity":"critical","title":"Governance manipulation"},{"id":5348,"type":"smart_contract","severity":"critical","title":"Exposure of production private keys and/or other extremely sensitive information."},{"id":1879,"type":"smart_contract","severity":"critical","title":"Any other vulnerabilities that lead to the impacts described in Tier 1-3"},{"id":5592,"type":"blockchain_dlt","severity":"low","title":"Attacks below Critical severity if a single Guardian were 
malicious"}],"rewards":[{"id":43235,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":1000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":43236,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":100000,"minReward":10000,"rewardModel":"range"},{"id":43237,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","maxReward":10000,"minReward":2000,"rewardModel":"range"},{"id":43238,"primacy":null,"severity":"low","assetType":"blockchain_dlt","maxReward":2000,"rewardModel":"up_to"},{"id":43239,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":43240,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range"},{"id":43241,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":10000,"minReward":2000,"rewardModel":"range"},{"id":43242,"primacy":null,"severity":"low","assetType":"smart_contract","maxReward":2000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"70fi1VYuvu1glXpb8P5IvM","url":"https://arbiscan.io/address/0x1df063280C4166AF9a725e3828b4dAC6c7113B08","type":"smart_contract","addedAt":"2024-07-19T13:48:16.298Z","revision":0,"description":"Arbitrum validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5XWRtjKQj3iUnGlRfLHwuu","url":"https://arbiscan.io/address/0x80Cebd56A65e46c474a1A101e89E76C4c51D179c","type":"smart_contract","addedAt":"2024-07-19T13:48:16.801Z","revision":0,"description":"Arbitrum proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"jn1dz2ONwKGFUxe9qUmlz","url":"https://arbiscan.io/address/0x979Ca5202784112f4738403dBec5D0F3B9daabB9","type":"smart_contract","addedAt":"2024-07-19T13:48:17.351Z","revision":0,"description":"Arbitrum Mailbox 
proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6blzC9eZl3iwft3K5VdL5A","url":"https://arbiscan.io/address/0x4826ce713944d8b3eb98c73050bfc01e8fb6655a","type":"smart_contract","addedAt":"2024-07-19T13:48:17.885Z","revision":0,"description":"Arbitrum Mailbox implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5VjDLu6OVgOzFzHC9FxvFg","url":"https://arbiscan.io/address/0x9e8fFb1c26099e75Dd5D794030e2E9AA51471c25","type":"smart_contract","addedAt":"2024-07-19T13:48:18.352Z","revision":0,"description":"Arbitrum FallbackRoutingHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5CK3HmoSuUN6jPxx82zZca","url":"https://arbiscan.io/address/0x5C17DD50232f330c928ce661116517D20859b08f","type":"smart_contract","addedAt":"2024-07-19T13:48:18.739Z","revision":0,"description":"Arbitrum AggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"NOpQZobh9HvuWmsWi88Pb","url":"https://arbiscan.io/address/0x9B5f440bBb64Fee337F37e03362b628711Ea09C7","type":"smart_contract","addedAt":"2024-07-19T13:48:19.180Z","revision":0,"description":"Arbitrum staticAggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"79n749RsYugTMIKi1oKwgU","url":"https://arbiscan.io/address/0x6cA0B6D22da47f091B7613223cD4BB03a2d77918","type":"smart_contract","addedAt":"2024-07-19T13:48:19.708Z","revision":0,"description":"Arbitrum interchainGasPaymaster proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"42cd39hbBvEMYJGbdYUX4k","url":"https://arbiscan.io/address/0x3b6044acd6767f017e99318AA6Ef93b7B06A5a22","type":"smart_contract","addedAt":"2024-07-19T13:48:20.147Z","revision":0,"description":"Arbitrum interchainGasPaymaster implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2rAS4FYpEPU8UTZdeZz4bp","url":"https://arbiscan.io/address/0xD3805207b65d99C075ceA938Fa7c0587026a5DF5","type":"smart_contract","addedAt":"2024-07-19T13:48:20.583Z","revision":0,"description":"Arbitrum 
storageGasOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"D4pFZ28nHbtHZCLIhHIh4","url":"https://arbiscan.io/address/0x748040afB89B8FdBb992799808215419d36A0930","type":"smart_contract","addedAt":"2024-07-19T13:48:20.987Z","revision":0,"description":"Arbitrum merkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2MKjKzIRJSZsfdidjnpoGa","url":"https://arbiscan.io/address/0xa7ECcdb9Be08178f896c26b7BbD8C3D4E844d9Ba","type":"smart_contract","addedAt":"2024-07-19T13:48:21.433Z","revision":0,"description":"Arbitrum pausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1eW3Qe1OGpWmSlJpYqJQMl","url":"https://arbiscan.io/address/0xd12C017529BE32c23150313F1E473B76e6B19773","type":"smart_contract","addedAt":"2024-07-19T13:48:21.820Z","revision":0,"description":"Arbitrum staticAggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6MwG4KGoKHZvlNTkpVU8XE","url":"https://arbiscan.io/address/0xD4883084389fC1Eeb4dAfB2ADcFc36B711c310EB","type":"smart_contract","addedAt":"2024-07-19T13:48:22.347Z","revision":0,"description":"Arbitrum staticAggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"UmPBBLxZtYzOP3pBmaLk8","url":"https://arbiscan.io/address/0x5d759B5CeEb1C3b0181bEc0F80fb04f820cc35D1","type":"smart_contract","addedAt":"2024-07-19T13:48:22.839Z","revision":0,"description":"Arbitrum domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Ta5epGhhIyUz0lOr8BNh4","url":"https://arbiscan.io/address/0xa2931C37957f3079d3B21b877d56E1db930e02a5","type":"smart_contract","addedAt":"2024-07-19T13:48:23.348Z","revision":0,"description":"Arbitrum domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"TgcKekS9irn5EOat4tNqL","url":"https://arbiscan.io/address/0x3c330d4a2e2b8443afab8e326e64ab4251b7eae0","type":"smart_contract","addedAt":"2024-07-19T13:48:23.824Z","revision":0,"description":"Arbitrum 
staticMerkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5HOZcKbMBeRIcUHgIEycIQ","url":"https://arbiscan.io/address/0x3C330D4A2e2b8443AFaB8E326E64ab4251B7Eae0","type":"smart_contract","addedAt":"2024-07-19T13:48:24.306Z","revision":0,"description":"Arbitrum staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3hNP10mthfslqvPyNVuwoI","url":"https://arbiscan.io/address/0x29c02b9ad9483a1711a413d37b8126ec1a5eab0a","type":"smart_contract","addedAt":"2024-07-19T13:48:24.778Z","revision":0,"description":"Arbitrum staticMessageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7dBOX7dVHleHEyjD60X6wW","url":"https://arbiscan.io/address/0x12Df53079d399a47e9E730df095b712B0FDFA791","type":"smart_contract","addedAt":"2024-07-19T13:48:25.608Z","revision":0,"description":"Arbitrum staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4R6RERTF03ycgSNNi4yTjm","url":"https://arbiscan.io/address/0x1E38556b4fE553e6249448960875883990efcf34","type":"smart_contract","addedAt":"2024-07-19T13:48:26.122Z","revision":0,"description":"Arbitrum pausableIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7Foz8Snap8xpvlR5JnxfmW","url":"https://arbiscan.io/address/0xfa8bfcE55B3A0631dF38257615cEF7FCD3523A48","type":"smart_contract","addedAt":"2024-07-19T13:48:26.619Z","revision":0,"description":"Arbitrum interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2aLUswrfkdPCLBdO3aL5oV","url":"https://arbiscan.io/address/0xCD0CFFf6eFD943b4b81f2c15847730dbcD30e3aE","type":"smart_contract","addedAt":"2024-07-19T13:48:27.131Z","revision":0,"description":"Arbitrum interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"qoYAAlcXMl9cFenMj1mqR","url":"https://snowtrace.io/address/0x9Cad0eC82328CEE2386Ec14a12E81d070a27712f","type":"smart_contract","addedAt":"2024-07-19T13:48:27.783Z","revision":0,"description":"Avalanche 
validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"0wPvZr8N13YhrjWkSUzPH","url":"https://snowtrace.io/address/0xd7CF8c05fd81b8cA7CfF8E6C49B08a9D63265c9B","type":"smart_contract","addedAt":"2024-07-19T13:48:28.291Z","revision":0,"description":"Avalanche proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5laeTbb96JLF98i1jGVotR","url":"https://snowtrace.io/address/0x35231d4c2D8B8ADcB5617A638A0c4548684c7C70","type":"smart_contract","addedAt":"2024-07-19T13:48:28.792Z","revision":0,"description":"Avalanche mailbox proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"76xXsCXgMc7sXKOjoz0AjT","url":"https://snowtrace.io/address/0xFf06aFcaABaDDd1fb08371f9ccA15D73D51FeBD6","type":"smart_contract","addedAt":"2024-07-19T13:48:29.242Z","revision":0,"description":"Avalanche mailbox implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3CwrWQQxH9F1HC52G3JxQv","url":"https://snowtrace.io/address/0x61D15D571D5f7A9eF0D1938f072f430bBF024747","type":"smart_contract","addedAt":"2024-07-19T13:48:29.759Z","revision":0,"description":"Avalanche FallbackRoutingHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"yPzttgj9OZtVSDEfRQwuN","url":"https://snowtrace.io/address/0x0165a22BA489F7DA37DAf6397781777D9FCB5708","type":"smart_contract","addedAt":"2024-07-19T13:48:30.331Z","revision":0,"description":"Avalanche AggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"vgtXSVxeDHEfVLEiQHDZk","url":"https://snowtrace.io/address/0x3bF6Ac986C7Af9A9Ac356C0e99C0041EFd8D96e7","type":"smart_contract","addedAt":"2024-07-19T13:48:31.058Z","revision":0,"description":"Avalanche staticAggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5oDP81KZ7sz8KJZTAcaGPy","url":"https://snowtrace.io/address/0x95519ba800BBd0d34eeAE026fEc620AD978176C0","type":"smart_contract","addedAt":"2024-07-19T13:48:31.545Z","revision":0,"description":"Avalanche interchainGasPaymaster 
proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Lcmm0rxMEtRKvcpeQoBar","url":"https://snowtrace.io/address/0x0FE58030a50ef83A02185a1cCc74acFA47E3df1a","type":"smart_contract","addedAt":"2024-07-19T13:48:32.015Z","revision":0,"description":"Avalanche interchainGasPaymaster implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6IPymCFALtFY2BzCv1D0bC","url":"https://snowtrace.io/address/0x175821F30AdCAA4bbB72Ce98eF76C2E0De2C3f21","type":"smart_contract","addedAt":"2024-07-19T13:48:32.476Z","revision":0,"description":"Avalanche storageGasOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5x7BqBweq2rqTiWm0LsH1X","url":"https://snowtrace.io/address/0x84eea61D679F42D92145fA052C89900CBAccE95A","type":"smart_contract","addedAt":"2024-07-19T13:48:33.190Z","revision":0,"description":"Avalanche merkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Q3W2nO19NcAwDU0t58u1h","url":"https://snowtrace.io/address/0x239eB860770F1C48ABAC9bE9825d20e3E7c018df","type":"smart_contract","addedAt":"2024-07-19T13:48:33.690Z","revision":0,"description":"Avalanche pausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"grcM4vYROmfZdzF72LEPv","url":"https://snowtrace.io/address/0x28af28d96786Ed4bb13d67bF34d30Bc32F749932","type":"smart_contract","addedAt":"2024-07-19T13:48:34.167Z","revision":0,"description":"Avalanche staticAggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5p1Po2TTZIWG1HeTqu3EGG","url":"https://snowtrace.io/address/0xa5E13796eB7d2EDCc88012c8cfF90D69B51FcF9f","type":"smart_contract","addedAt":"2024-07-19T13:48:34.720Z","revision":0,"description":"Avalanche staticAggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4XjwdIEwrF32acx20bP0LE","url":"https://snowtrace.io/address/0x9f68F961ba2dF53b1cB3EbCC0b08e89790C6E2f6","type":"smart_contract","addedAt":"2024-07-19T13:48:35.165Z","revision":0,"description":"Avalanche 
domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"78ENjpCJSpb84tmcc8Jxat","url":"https://snowtrace.io/address/0x28F7907911C7E321c596686AE6D1F20516450037","type":"smart_contract","addedAt":"2024-07-19T13:48:35.736Z","revision":0,"description":"Avalanche domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7zJLcGiZn1dwVl2zIu34sK","url":"https://snowtrace.io/address/0x7B16D65B89b62968628547DFdb3c347B7bFdce9D","type":"smart_contract","addedAt":"2024-07-19T13:48:36.224Z","revision":0,"description":"Avalanche staticMerkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5jOF3huIlHxfqN9Cizg4qd","url":"https://snowtrace.io/address/0x896cF1D1B66cD211633eDd589fF158E8Cfaf9B54","type":"smart_contract","addedAt":"2024-07-19T13:48:36.721Z","revision":0,"description":"Avalanche staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6RjMdSfmumwKI2TtDidiwZ","url":"https://snowtrace.io/address/0x2233d1FD7CF0025a1b52923d4d612B297B52b223","type":"smart_contract","addedAt":"2024-07-19T13:48:37.229Z","revision":0,"description":"Avalanche staticMessageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"704vp63753n6olkF4oXE5C","url":"https://snowtrace.io/address/0x8819D653DF5b1FC0DdB32189a2704E471AF8483c","type":"smart_contract","addedAt":"2024-07-19T13:48:37.660Z","revision":0,"description":"Avalanche staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ZKZfmhOW358Oh9Rt9EvCD","url":"https://snowtrace.io/address/0xd76080269C641e1adb786b72ae60Ddac3b6b8ed0","type":"smart_contract","addedAt":"2024-07-19T13:48:38.135Z","revision":0,"description":"Avalanche pausableIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6OI7gPjSWpSKrvi4CyD3bK","url":"https://snowtrace.io/address/0x786c26C1857032617c215f265509d6E44e44Bfe3","type":"smart_contract","addedAt":"2024-07-19T13:48:38.629Z","revision":0,"description":"Avalanche 
interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1mFcvN6udiuNn1u0wCvG1n","url":"https://snowtrace.io/address/0xA967A6CE0e73fAf672843DECaA372511996E8852","type":"smart_contract","addedAt":"2024-07-19T13:48:39.127Z","revision":0,"description":"Avalanche interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2KXBeIyuHUN2Ksxblft4TM","url":"https://basescan.org/address/0x182E8d7c5F1B06201b102123FC7dF0EaeB445a7B","type":"smart_contract","addedAt":"2024-07-19T13:48:39.562Z","revision":0,"description":"Base validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Qw8JiV3MWjkat06c2XvJQ","url":"https://basescan.org/address/0x4Ed7d626f1E96cD1C0401607Bf70D95243E3dEd1","type":"smart_contract","addedAt":"2024-07-19T13:48:40.030Z","revision":0,"description":"Base proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1dBFnCmfkFCjvrLvrP3Odn","url":"https://basescan.org/address/0xeA87ae93Fa0019a82A727bfd3eBd1cFCa8f64f1D","type":"smart_contract","addedAt":"2024-07-19T13:48:40.555Z","revision":0,"description":"Base mailbox proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5z5LgOsUOJuAkadNC3tvIk","url":"https://basescan.org/address/0x2f2afae1139ce54fefc03593fee8ab2adf4a85a7","type":"smart_contract","addedAt":"2024-07-19T13:48:41.023Z","revision":0,"description":"Base mailbox implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2JkfVbotlZTSflsORE9hNC","url":"https://basescan.org/address/0xc3F23848Ed2e04C0c6d41bd7804fa8f89F940B94","type":"smart_contract","addedAt":"2024-07-19T13:48:41.523Z","revision":0,"description":"Base interchainGasPaymaster","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6IaIjfv2GTHThgjHT9LmeK","url":"https://basescan.org/address/0xBF12ef4B9f307463D3FB59c3604F294dDCe287E2","type":"smart_contract","addedAt":"2024-07-19T13:48:42.006Z","revision":0,"description":"Base 
storageGasOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1LD31BYKmgt3I8OFziBFrF","url":"https://basescan.org/address/0x19dc38aeae620380430C200a6E990D5Af5480117","type":"smart_contract","addedAt":"2024-07-19T13:48:42.485Z","revision":0,"description":"Base merkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3g5dVI5YekVnmSEf6SYp8n","url":"https://basescan.org/address/0x46fa3A5780e5B90Eaf34BDED554d5353B5ABE9E7","type":"smart_contract","addedAt":"2024-07-19T13:48:42.920Z","revision":0,"description":"Base pausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7qmQwa72uHaq7Qf6OAUuZu","url":"https://basescan.org/address/0x4Eb82Ee35b0a1c1d776E3a3B547f9A9bA6FCC9f2","type":"smart_contract","addedAt":"2024-07-19T13:48:43.360Z","revision":0,"description":"Base fallbackDomainRoutingHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5kAo6tOkLcWRC0W3ardyjC","url":"https://basescan.org/address/0x13f3d4B0Ee0a713430fded9E18f7fb6c91A6E41F","type":"smart_contract","addedAt":"2024-07-19T13:48:43.767Z","revision":0,"description":"Base aggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6o9uRjaoiCA8o1k6yFcCq","url":"https://basescan.org/address/0x1052eF3419f26Bec74Ed7CEf4a4FA6812Bc09908","type":"smart_contract","addedAt":"2024-07-19T13:48:44.402Z","revision":0,"description":"Base staticAggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"k0wzYoeJPuyu09JZgn3Ys","url":"https://basescan.org/address/0x80C8F6394c0FcF7bAB16ac08b85484361eCe5888","type":"smart_contract","addedAt":"2024-07-19T13:48:44.874Z","revision":0,"description":"Base domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3IGsiY5RuHYNcASwzsv5JV","url":"https://basescan.org/address/0x7E27456a839BFF31CA642c060a2b68414Cb6e503","type":"smart_contract","addedAt":"2024-07-19T13:48:45.318Z","revision":0,"description":"Base 
domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5pa3eedjOBgMkK4xHZOE3s","url":"https://basescan.org/address/0x77bE0b5aE400675063Ce2B2B0d692D9341f4b193","type":"smart_contract","addedAt":"2024-07-19T13:48:45.804Z","revision":0,"description":"Base staticAggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ACAq91WSk8lGbfGAr0nNy","url":"https://basescan.org/address/0xEb9FcFDC9EfDC17c1EC5E1dc085B98485da213D6","type":"smart_contract","addedAt":"2024-07-19T13:48:46.300Z","revision":0,"description":"Base staticAggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ACLXgrMN1cHiiZp15nr5o","url":"https://basescan.org/address/0x81E3978B895A85defBf6F4D134A6427c3beE0D8c","type":"smart_contract","addedAt":"2024-07-19T13:48:46.793Z","revision":0,"description":"Base staticMerkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3xdUPm08BgUfI5mM6TKuYC","url":"https://basescan.org/address/0x8b83fefd896fAa52057798f6426E9f0B080FCCcE","type":"smart_contract","addedAt":"2024-07-19T13:48:47.373Z","revision":0,"description":"Base staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4iQQicSQnf6nB2fRF4bp3t","url":"https://basescan.org/address/0x47baae89d8727f00d723ca7479acaced0f788c72","type":"smart_contract","addedAt":"2024-07-19T13:48:47.845Z","revision":0,"description":"Base staticMessageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"68dLMO0xtyLqS1PhHAh7Lp","url":"https://basescan.org/address/0x8F7454AC98228f3504Bb91eA3D8Adafe6406110A","type":"smart_contract","addedAt":"2024-07-19T13:48:48.393Z","revision":0,"description":"Base staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"WUq4qxlaAs8Rc5VwEUB6Y","url":"https://basescan.org/address/0x861908E6c8F992537F557da5Fb5876836036b347","type":"smart_contract","addedAt":"2024-07-19T13:48:48.876Z","revision":0,"description":"Base 
interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"M1pIXvMNjRzTrKD6pBAhQ","url":"https://basescan.org/address/0xa85F9e4fdA2FFF1c07f2726a630443af3faDF830","type":"smart_contract","addedAt":"2024-07-19T13:48:49.358Z","revision":0,"description":"Base interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3QROA0DKsUkgylbPopePlj","url":"https://bscscan.com/address/0x7024078130D9c2100fEA474DAD009C2d1703aCcd","type":"smart_contract","addedAt":"2024-07-19T13:48:49.849Z","revision":0,"description":"Binance validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1S3b0TzKRw1K5YeKCaFUOT","url":"https://bscscan.com/address/0x65993Af9D0D3a64ec77590db7ba362D6eB78eF70","type":"smart_contract","addedAt":"2024-07-19T13:48:50.348Z","revision":0,"description":"Binance proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4DuEKOpmTwlHGOIa3xDwN8","url":"https://bscscan.com/address/0x2971b9Aec44bE4eb673DF1B88cDB57b96eefe8a4","type":"smart_contract","addedAt":"2024-07-19T13:48:50.851Z","revision":0,"description":"Binance Mailbox proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3X14KTZl6bHXusOlDcEjP7","url":"https://bscscan.com/address/0xbfa300164a04437d64afda390736e6dc45096da1","type":"smart_contract","addedAt":"2024-07-19T13:48:51.340Z","revision":0,"description":"Binance mailbox implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2pB50KVCxRBGEfXSFy5Pcb","url":"https://bscscan.com/address/0x78E25e7f84416e69b9339B0A6336EB6EFfF6b451","type":"smart_contract","addedAt":"2024-07-19T13:48:51.811Z","revision":0,"description":"Binance interchainGasPaymaster proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Vs5KH3VgIF1Bl7IKvS5wC","url":"https://bscscan.com/address/0xa888931c61abc5255583bb28847d38eba2e83bd8","type":"smart_contract","addedAt":"2024-07-19T13:48:52.322Z","revision":0,"description":"Binance interchainGasPaymaster 
implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5JbfoUHjBc9S5gtegJwxOp","url":"https://bscscan.com/address/0x91d23D603d60445411C06e6443d81395593B7940","type":"smart_contract","addedAt":"2024-07-19T13:48:52.808Z","revision":0,"description":"Binance storageGasOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"32k8NjJx7l76kWPUPYfmuf","url":"https://bscscan.com/address/0xFDb9Cd5f9daAA2E4474019405A328a88E7484f26","type":"smart_contract","addedAt":"2024-07-19T13:48:53.296Z","revision":0,"description":"Binance merkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"qngZV6ycKEB5tZkhrDsNE","url":"https://bscscan.com/address/0x7DBdAd1b4A922B65d37d7258a4227b6658344b7f","type":"smart_contract","addedAt":"2024-07-19T13:48:53.813Z","revision":0,"description":"Binance pausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7aes34G9cesQo6QQeIYUCK","url":"https://bscscan.com/address/0xe70E86a7D1e001D419D71F960Cb6CaD59b6A3dB6","type":"smart_contract","addedAt":"2024-07-19T13:48:54.322Z","revision":0,"description":"Binance aggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"47JGDeTlKh1YIvHvV86GPk","url":"https://bscscan.com/address/0xe70E86a7D1e001D419D71F960Cb6CaD59b6A3dB6","type":"smart_contract","addedAt":"2024-07-19T13:48:54.845Z","revision":0,"description":"Binance staticAggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7hncxkQgx6FPQpNt7gu7Ke","url":"https://bscscan.com/address/0xfA360ff588623A026BF19A1801F2A8F1f045fa33","type":"smart_contract","addedAt":"2024-07-19T13:48:55.268Z","revision":0,"description":"Binance staticAggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3w0U9x3CuepA8uasBaSGj1","url":"https://bscscan.com/address/0x38B3878c4fb44d201DA924c4a04bae3EE728c065","type":"smart_contract","addedAt":"2024-07-19T13:48:55.714Z","revision":0,"description":"Binance 
staticAggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"59EhONr8x5cg7oWP4mNgdi","url":"https://bscscan.com/address/0xBc3Af0D4930502Ff0f6a8416a7a184c7BFFe19E7","type":"smart_contract","addedAt":"2024-07-19T13:48:56.218Z","revision":0,"description":"Binance domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"261fZ2JbjbsMyPfcUyy5wC","url":"https://bscscan.com/address/0xe6Af5720d34213C805C08e2470aea979e3F72F75","type":"smart_contract","addedAt":"2024-07-19T13:48:56.710Z","revision":0,"description":"Binance domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5cpgP52whiSYEvcYOY0iwG","url":"https://bscscan.com/address/0x4B1d8352E35e3BDE36dF5ED2e73C24E35c4a96b7","type":"smart_contract","addedAt":"2024-07-19T13:48:57.208Z","revision":0,"description":"Binance staticMerkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6JutvWUtZRbDG2wConawcP","url":"https://bscscan.com/address/0xfADBc81Ca8A957F1Bf7c78bCc575b28DBDE042b6","type":"smart_contract","addedAt":"2024-07-19T13:48:57.717Z","revision":0,"description":"Binance staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5UfQ1Y0LB9lnajJaBn6XM3","url":"https://bscscan.com/address/0x226db065586e2ea9be54778d5a5de400e64f3311","type":"smart_contract","addedAt":"2024-07-19T13:48:58.204Z","revision":0,"description":"Binance staticMessageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"473SxaGN8QrCt0UmCsw8Wd","url":"https://bscscan.com/address/0x69f2508e7bc89b4ff2da864dedafd560376decc5","type":"smart_contract","addedAt":"2024-07-19T13:48:58.664Z","revision":0,"description":"Binance staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"74YKPNAfIIxyJcxX6QYlWS","url":"https://bscscan.com/address/0xB274Bbbc1df5f1d1763216A93d473fde6f5de043","type":"smart_contract","addedAt":"2024-07-19T13:48:59.178Z","revision":0,"description":"Binance 
interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1dME0wxM9WLIJPQifXymVm","url":"https://bscscan.com/address/0x4BBd67dC995572b40Dc6B3eB6CdE5185a5373868","type":"smart_contract","addedAt":"2024-07-19T13:48:59.677Z","revision":0,"description":"Binance interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6aoqVhjInwaPhbyBFt7wpn","url":"https://celoscan.io/address/0xCeF677b65FDaA6804d4403083bb12B8dB3991FE1","type":"smart_contract","addedAt":"2024-07-19T13:49:00.159Z","revision":0,"description":"Celo validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1vzEDRpGHNsZ9R8KW0kTWe","url":"https://celoscan.io/address/0x90f9a2E9eCe93516d65FdaB726a3c62F5960a1b9","type":"smart_contract","addedAt":"2024-07-19T13:49:00.740Z","revision":0,"description":"Celo proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3mH7Kk6okWK7K1fOa8RhvP","url":"https://celoscan.io/address/0x50da3B3907A08a24fe4999F4Dcf337E8dC7954bb","type":"smart_contract","addedAt":"2024-07-19T13:49:01.247Z","revision":0,"description":"Celo mailbox proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"JmWRJS8P7P45ZJB0vxYYH","url":"https://celoscan.io/address/0x0564ecf87c9be194bbcdb8bc606132b163f76ded","type":"smart_contract","addedAt":"2024-07-19T13:49:01.743Z","revision":0,"description":"Celo mailbox implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"iAIdM69Ilel0EjtOLnETg","url":"https://celoscan.io/address/0x571f1435613381208477ac5d6974310d88AC7cB7","type":"smart_contract","addedAt":"2024-07-19T13:49:02.269Z","revision":0,"description":"Celo interchainGasPaymaster proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"667y9uKDrbULN5eLpV0w2U","url":"https://celoscan.io/address/0xD9A9966E7dA9a7f0032bF449FB12696a638E673C","type":"smart_contract","addedAt":"2024-07-19T13:49:02.752Z","revision":0,"description":"Celo 
storageGasOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"48f3YXlota6G1jbSxpJkTL","url":"https://celoscan.io/address/0xDC98a856fb9112894c2fE32267DA8bF35645FAF3","type":"smart_contract","addedAt":"2024-07-19T13:49:03.287Z","revision":0,"description":"Celo FallbackRoutingHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2baLVSSuaR8nMKv31ms2Xq","url":"https://celoscan.io/address/0xc65890329066FB20c339Bc5C22f1756e9D3a4fF5","type":"smart_contract","addedAt":"2024-07-19T13:49:03.753Z","revision":0,"description":"Celo AggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3EqJ6muGQy2e9Wb7GHy2Dp","url":"https://celoscan.io/address/0xc3745652EFB8555A8b064A0EA78d295133d326D2","type":"smart_contract","addedAt":"2024-07-19T13:49:04.282Z","revision":0,"description":"Celo staticAggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7MEY5lBg4fGcgaTEN1GzSo","url":"https://celoscan.io/address/0x04dB778f05854f26E67e0a66b740BBbE9070D366","type":"smart_contract","addedAt":"2024-07-19T13:49:04.717Z","revision":0,"description":"Celo MerkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5YwTH1vWWc4bXqcFKJjLML","url":"https://celoscan.io/address/0x80672c5D9Fd26B235654C24adc1CFcDeb8d15115","type":"smart_contract","addedAt":"2024-07-19T13:49:05.133Z","revision":0,"description":"Celo PausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4zKVuxjDW8CuMtIhSilYVN","url":"https://celoscan.io/address/0x9bDE63104EE030d9De419EEd6bA7D14b86D6fE3f","type":"smart_contract","addedAt":"2024-07-19T13:49:05.659Z","revision":0,"description":"Celo multisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1WvpOUtV8Hr4jlcPODvKWk","url":"https://celoscan.io/address/0xc97D8e6f57b0d64971453dDc6EB8483fec9d163a,","type":"smart_contract","addedAt":"2024-07-19T13:49:06.072Z","revision":0,"description":"Celo 
create2Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6uAhcu999mzWdnIhoXitWX","url":"https://celoscan.io/address/0x99e8E56Dce3402D6E09A82718937fc1cA2A9491E","type":"smart_contract","addedAt":"2024-07-19T13:49:06.499Z","revision":0,"description":"Celo staticAggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5E45hJMEcebOnLiwnI0PQb","url":"https://celoscan.io/address/0x1722dd970a1F56040712129f5Eeb76B003fd7500","type":"smart_contract","addedAt":"2024-07-19T13:49:07.072Z","revision":0,"description":"Celo staticAggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"y7m2MhiwKCSx4h2xnNHA1","url":"https://celoscan.io/address/0xf18E32428dad0802C5D6F723cB80A6Da889777c4","type":"smart_contract","addedAt":"2024-07-19T13:49:07.746Z","revision":0,"description":"Celo domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3l2mAkxr8GNuhPWd3vWbIj","url":"https://celoscan.io/address/0x2A2c22B0a8615ad24839fA6Af302E896Af32d1a3","type":"smart_contract","addedAt":"2024-07-19T13:49:08.239Z","revision":0,"description":"Celo domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2kfAzOwpBryI274u4w7LHs","url":"https://celoscan.io/address/0x299a3bfeca0ebecb2114881da39c3c303c318cac","type":"smart_contract","addedAt":"2024-07-19T13:49:08.707Z","revision":0,"description":"Celo merkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"baZLlgYIHxDhdtUveIKB8","url":"https://celoscan.io/address/0x5a56fa10ce985a53eb831cb69ddc224e433f9a83","type":"smart_contract","addedAt":"2024-07-19T13:49:09.187Z","revision":0,"description":"Celo messageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ncx0kzJGWeyPqtsCYvzwN","url":"https://celoscan.io/address/0x4C96a1abc44dc846775CE702C9E9BE821D3b487c","type":"smart_contract","addedAt":"2024-07-19T13:49:09.704Z","revision":0,"description":"Celo 
staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"72BGLtQhAtlrLeVx3JTFxa","url":"https://celoscan.io/address/0xaB402f227e892Ef37C105bf06619c0fa106a1fB2","type":"smart_contract","addedAt":"2024-07-19T13:49:10.272Z","revision":0,"description":"Celo staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3rWggcEwJXbRk9ck4RTmKJ","url":"https://celoscan.io/address/0x30a8DEc5318e2aAa9ad5b069fC606c4CfF6f5676","type":"smart_contract","addedAt":"2024-07-19T13:49:10.705Z","revision":0,"description":"Celo interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Xr7raANIkWVSsiPpevWww","url":"https://celoscan.io/address/0x4ED23E3885e1651E62564F78817D91865beba575","type":"smart_contract","addedAt":"2024-07-19T13:49:11.123Z","revision":0,"description":"Celo interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6dmljGBS5c3aOL2q9l8NSF","url":"https://etherscan.io/address/0xCe74905e51497b4adD3639366708b821dcBcff96","type":"smart_contract","addedAt":"2024-07-19T13:49:11.663Z","revision":0,"description":"Ethereum validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3DrE07Kh1xUh10UJSo3kb5","url":"https://etherscan.io/address/0x75EE15Ee1B4A75Fa3e2fDF5DF3253c25599cc659","type":"smart_contract","addedAt":"2024-07-19T13:49:12.096Z","revision":0,"description":"Ethereum proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Dvg1S30OT7GU2vg6oumDd","url":"https://etherscan.io/address/0xc005dc82818d67AF737725bD4bf75435d065D239","type":"smart_contract","addedAt":"2024-07-19T13:49:12.523Z","revision":0,"description":"Ethereum mailbox proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ki616wX1BUE1i1LhCNbON","url":"https://etherscan.io/address/0x7b4d881c122a5e61adcffb56a2e3ce9927d53455","type":"smart_contract","addedAt":"2024-07-19T13:49:13.009Z","revision":0,"description":"Ethereum mailbox 
implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"epuNoNhqSW9X2sVxDDCdV","url":"https://etherscan.io/address/0x9e6B1022bE9BBF5aFd152483DAD9b88911bC8611","type":"smart_contract","addedAt":"2024-07-19T13:49:13.440Z","revision":0,"description":"Ethereum interchainGasPaymaster proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3CAni6uEyZ2w1iczy9bZ5W","url":"https://etherscan.io/address/0x1008fabd07abd93a7d9bb81803a89cc3a834e1a9","type":"smart_contract","addedAt":"2024-07-19T13:49:13.861Z","revision":0,"description":"Ethereum interchainGasPaymaster implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2XCP1snrcArReUdMaUOU2J","url":"https://etherscan.io/address/0xc9a103990A8dB11b4f627bc5CD1D0c2685484Ec5","type":"smart_contract","addedAt":"2024-07-19T13:49:14.292Z","revision":0,"description":"Ethereum storageGasOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"625izZpW9NnhrYsobbppVU","url":"https://etherscan.io/address/0x48e6c30B97748d1e2e03bf3e9FbE3890ca5f8CCA","type":"smart_contract","addedAt":"2024-07-19T13:49:14.695Z","revision":0,"description":"Ethereum merkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3tOvsmSi1VD1Itd26dP72H","url":"https://etherscan.io/address/0x571f1435613381208477ac5d6974310d88AC7cB7","type":"smart_contract","addedAt":"2024-07-19T13:49:15.179Z","revision":0,"description":"Ethereum fallbackRoutingHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2xo08ameNxjRQWjhJgntul","url":"https://etherscan.io/address/0xb87AC8EA4533AE017604E44470F7c1E550AC6F10","type":"smart_contract","addedAt":"2024-07-19T13:49:15.644Z","revision":0,"description":"Ethereum aggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2wRXwN2kWfbJsqlqLm3r06","url":"https://etherscan.io/address/0x6D2555A8ba483CcF4409C39013F5e9a3285D3C9E","type":"smart_contract","addedAt":"2024-07-19T13:49:16.306Z","revision":0,"description":"Ethereum 
aggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1qJgzsWy3kufpdyaqMMj1I","url":"https://etherscan.io/address/0x3A66Dc852e56d3748838b3C27CF381105b83705b","type":"smart_contract","addedAt":"2024-07-19T13:49:16.748Z","revision":0,"description":"Ethereum pausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"39DUzkFb8QjCPMDWABmurn","url":"https://etherscan.io/address/0xBA328338044e0C0AFd0591FB6E5e2F83C4e8F742","type":"smart_contract","addedAt":"2024-07-19T13:49:17.207Z","revision":0,"description":"Ethereum domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ppfVpxC3N99qRpZtilGwV","url":"https://etherscan.io/address/0x28fA9552F19039b450498B0d8e5DEAe0d0aAc559","type":"smart_contract","addedAt":"2024-07-19T13:49:17.724Z","revision":0,"description":"Ethereum domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2mhXNqWjXq5RxXnz8PvkF2","url":"https://etherscan.io/address/0xDC98a856fb9112894c2fE32267DA8bF35645FAF3","type":"smart_contract","addedAt":"2024-07-19T13:49:18.227Z","revision":0,"description":"Ethereum pausableIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"48Id3mx3wrW8wtwYgYtIKI","url":"https://etherscan.io/address/0x5447cdC0f4B1Afd827BF9d2F6b6cE7668d5dc284","type":"smart_contract","addedAt":"2024-07-19T13:49:18.709Z","revision":0,"description":"Ethereum aggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4iI9R9tyxt9FF0jWjHc5A9","url":"https://etherscan.io/address/0x46FA191Ad972D9674Ed752B69f9659A0d7b22846","type":"smart_contract","addedAt":"2024-07-19T13:49:19.235Z","revision":0,"description":"Ethereum aggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5RLT4aInuP31ZCGW3hTQPH","url":"https://etherscan.io/address/0xdab0086ff7dac4aa1262c5a0c71dc8c8ef467ef9","type":"smart_contract","addedAt":"2024-07-19T13:49:19.695Z","revision":0,"description":"Ethereum 
staticMerkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1iRgONsPPPMwhBsy3CRKGl","url":"https://etherscan.io/address/0x47e8aF9e30C32Ab91060ED587894288786761B45","type":"smart_contract","addedAt":"2024-07-19T13:49:20.186Z","revision":0,"description":"Ethereum staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3QtOAS0uWerqPd2P8pMib7","url":"https://etherscan.io/address/0x9787c612fdd8fc9a16cfb4fd509eb126f1c54809","type":"smart_contract","addedAt":"2024-07-19T13:49:20.825Z","revision":0,"description":"Ethereum staticMessageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1R2X5VUZy90bTf6B3iLvn9","url":"https://etherscan.io/address/0xfA21D9628ADce86531854C2B7ef00F07394B0B69","type":"smart_contract","addedAt":"2024-07-19T13:49:21.232Z","revision":0,"description":"Ethereum staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5nKwAJvtI5wzU1hwkbiJtp","url":"https://etherscan.io/address/0x609707355a53d2aAb6366f48E2b607C599D26B29","type":"smart_contract","addedAt":"2024-07-19T13:49:21.945Z","revision":0,"description":"Ethereum interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"kzgvkKPA4KcNdVdAClm3K","url":"https://etherscan.io/address/0x8dBae9B1616c46A20591fE0006Bf015E28ca5cC9","type":"smart_contract","addedAt":"2024-07-19T13:49:22.375Z","revision":0,"description":"Ethereum interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"53EfVRLGtpsrkSwaqIyUNg","url":"https://gnosisscan.io/address/0x87ED6926abc9E38b9C7C19f835B41943b622663c","type":"smart_contract","addedAt":"2024-07-19T13:49:22.851Z","revision":0,"description":"Gnosis validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2JaRU9mJqfE3veEn3OqCOY","url":"https://gnosisscan.io/address/0x81a92A1a272cb09d7b4970b07548463dC7aE0cB7","type":"smart_contract","addedAt":"2024-07-19T13:49:23.274Z","revision":0,"description":"Gnosis 
proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"aTuNFX0xc7UNHU8DKYr81","url":"https://gnosisscan.io/address/0xaD09d78f4c6b9dA2Ae82b1D34107802d380Bb74f","type":"smart_contract","addedAt":"2024-07-19T13:49:23.748Z","revision":0,"description":"Gnosis mailbox proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5d1iTRJBaXdBdQuPQs25Og","url":"https://gnosisscan.io/address/0x53642476e24e28c3218e8da44edebb4adb9de13e","type":"smart_contract","addedAt":"2024-07-19T13:49:24.230Z","revision":0,"description":"Gnosis mailbox implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1yY5nf9QrZaKhTkIyQQxwh","url":"https://gnosisscan.io/address/0xDd260B99d302f0A3fF885728c086f729c06f227","type":"smart_contract","addedAt":"2024-07-19T13:49:24.724Z","revision":0,"description":"Gnosis interchainGasPaymaster proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2XrN6rElGH6YTEXqMFMlpE","url":"https://gnosisscan.io/address/0xe7487b4df583c63d6841997ab56324d0a825e7f4","type":"smart_contract","addedAt":"2024-07-19T13:49:25.149Z","revision":0,"description":"Gnosis interchainGasPaymaster implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ecxdfQM9Ymm75wn6k45Ak","url":"https://gnosisscan.io/address/0x5E01d8F34b629E3f92d69546bbc4142A7Adee7e9","type":"smart_contract","addedAt":"2024-07-19T13:49:25.699Z","revision":0,"description":"Gnosis storageGasOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"15M6qy1UrPMuuC1ugC4t0h","url":"https://gnosisscan.io/address/0x2684C6F89E901987E1FdB7649dC5Be0c57C61645","type":"smart_contract","addedAt":"2024-07-19T13:49:26.181Z","revision":0,"description":"Gnosis merkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4MWYvvUTa4K3EYiRzjhdMu","url":"https://gnosisscan.io/address/0xf728C884De5275a608dEC222dACd0f2BF2E23AB6","type":"smart_contract","addedAt":"2024-07-19T13:49:26.651Z","revision":0,"description":"Gnosis 
pausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3BbZ1Rk8Kd1WCr5ZxzqDUn","url":"https://gnosisscan.io/address/0xdD1FA1C12496474c1dDC67a658Ba81437F818861","type":"smart_contract","addedAt":"2024-07-19T13:49:27.253Z","revision":0,"description":"Gnosis aggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Gkd2w4APAHAfiHbuNzfW4","url":"https://gnosisscan.io/address/0xbC8AA096dabDf4A0200BB9f8D4Cbb644C3D86d7B","type":"smart_contract","addedAt":"2024-07-19T13:49:27.714Z","revision":0,"description":"Gnosis aggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5CI9PmvaMWYkmjlYCgYSsG","url":"https://gnosisscan.io/address/0x83873DB8B4982091D0781B4eDF108DCb98075C39","type":"smart_contract","addedAt":"2024-07-19T13:49:28.185Z","revision":0,"description":"Gnosis domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4HKaiHHnepfmXKk7MX4Oog","url":"https://gnosisscan.io/address/0xbB5Df000113e767dE11343A16f83De733e5bCC0F","type":"smart_contract","addedAt":"2024-07-19T13:49:28.758Z","revision":0,"description":"Gnosis domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"S51CMHOSEbyOwOIyNjBI9","url":"https://gnosisscan.io/address/0xe640167B9a283C8b4039fA33f3ac7be6e7E788c5","type":"smart_contract","addedAt":"2024-07-19T13:49:29.244Z","revision":0,"description":"Gnosis staticAggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6gnTe73zPIEPcdBPwyn5MW","url":"https://gnosisscan.io/address/0x11EF91d17c5ad3330DbCa709a8841743d3Af6819","type":"smart_contract","addedAt":"2024-07-19T13:49:29.654Z","revision":0,"description":"Gnosis staticAggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"61QNtm6Luz0UGeIlqKKwNU","url":"https://gnosisscan.io/address/0x1959e3b0a2d7f87508ae0d3499349cc4130f3995","type":"smart_contract","addedAt":"2024-07-19T13:49:30.129Z","revision":0,"description":"Gnosis 
staticMerkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2CI18MuQ7X8ilHfVwBG1Cj","url":"https://gnosisscan.io/address/0x8E273260EAd8B72A085B19346A676d355740e875","type":"smart_contract","addedAt":"2024-07-19T13:49:30.676Z","revision":0,"description":"Gnosis staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5wUFsgSHX6zxp9X0qfXIjP","url":"https://gnosisscan.io/address/0x5112d584a1c72fc250176b57aeba5ffbbb287d8f","type":"smart_contract","addedAt":"2024-07-19T13:49:31.135Z","revision":0,"description":"Gnosis staticMessageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ohSbcZToEZ8ysazvCfnHI","url":"https://gnosisscan.io/address/0x603f46cc520d2fc22957b81e206408590808F02F","type":"smart_contract","addedAt":"2024-07-19T13:49:31.555Z","revision":0,"description":"Gnosis staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3R3wxPVrrS7IXxu5xKPzYv","url":"https://gnosisscan.io/address/0x5a56dff3D92D635372718f86e6dF09C1129CFf53","type":"smart_contract","addedAt":"2024-07-19T13:49:31.936Z","revision":0,"description":"Gnosis interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"10XUM7gDQAxXYgIby6BAdx","url":"https://gnosisscan.io/address/0x5E59EBAedeB691408EBAcF6C37218fa2cFcaC9f2","type":"smart_contract","addedAt":"2024-07-19T13:49:32.433Z","revision":0,"description":"Gnosis interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"12CGfKffGeS3vgptmZA04c","url":"https://moonscan.io/address/0x8c1001eBee6F25b31863A55EadfF149aF88B356F","type":"smart_contract","addedAt":"2024-07-19T13:49:33.044Z","revision":0,"description":"Moonbeam validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1HzRYuuPQXdGC7wuhRF91R","url":"https://moonscan.io/address/0x6A9cdA3dd1F593983BFd142Eb35e6ce4137bd5ce","type":"smart_contract","addedAt":"2024-07-19T13:49:33.454Z","revision":0,"description":"Moonbeam 
proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7LE3gCmRp1HjeTBsBWobeE","url":"https://moonscan.io/address/0x8c1001eBee6F25b31863A55EadfF149aF88B356F","type":"smart_contract","addedAt":"2024-07-19T13:49:33.971Z","revision":0,"description":"Moonbeam mailbox proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6WWHqeCxK97Q0gRhUaqCB5","url":"https://moonscan.io/address/0xee064c4dd3d476676a40b7cab94ef651444175c0","type":"smart_contract","addedAt":"2024-07-19T13:49:34.402Z","revision":0,"description":"Moonbeam mailbox implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Quspw8dwsOzIiBVDXYYjO","url":"https://moonscan.io/address/0x14760E32C0746094cF14D97124865BC7F0F7368F","type":"smart_contract","addedAt":"2024-07-19T13:49:34.844Z","revision":0,"description":"Moonbeam interchainGasPaymaster proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4IWHeyQ1WJHFqwZ3OxptuM","url":"https://moonscan.io/address/0x89e8c8735f3c3956168bad6c31e95ece19caf507","type":"smart_contract","addedAt":"2024-07-19T13:49:35.308Z","revision":0,"description":"Moonbeam interchainGasPaymaster implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7EdLeLkxgeuuWyJp0SUlnV","url":"https://moonscan.io/address/0x6C2D6eA0969F7Aa0A850CCA88c7BFACa563B2361","type":"smart_contract","addedAt":"2024-07-19T13:49:35.715Z","revision":0,"description":"Moonbeam fallbackDomainRoutingHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6EEBP6HjSUYpUAU1Ww9DJt","url":"https://moonscan.io/address/0x87403b85f6f316e7ba91ba1fa6C3Fb7dD4095547","type":"smart_contract","addedAt":"2024-07-19T13:49:36.175Z","revision":0,"description":"Moonbeam merkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7xrjDjx3BjV6mcrxcKEuW4","url":"https://moonscan.io/address/0xe28f2AEEB42ee83CAd068D9A9a449c8b868C137f","type":"smart_contract","addedAt":"2024-07-19T13:49:36.858Z","revision":0,"description":"Moonbeam 
pausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"36bbb89Ki4wJJLi6fsZlea","url":"https://moonscan.io/address/0x23cca255aE83F57F39EAf9D14fB9FdaDF22D5863","type":"smart_contract","addedAt":"2024-07-19T13:49:37.402Z","revision":0,"description":"Moonbeam staticAggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4KvDBvYVMw5D7tr3wHTYec","url":"https://moonscan.io/address/0x59cC3E7A49DdC4893eB8754c7908f96072A7DbE8","type":"smart_contract","addedAt":"2024-07-19T13:49:37.823Z","revision":0,"description":"Moonbeam staticAggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ooS27Cfs1IRdxO4Hedl1m","url":"https://moonscan.io/address/0x7Faa23CEdA03364A79e05259e07D5E358E7400F7","type":"smart_contract","addedAt":"2024-07-19T13:49:38.243Z","revision":0,"description":"Moonbeam domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7fX5IvX5cW7eTsViIXIzAi","url":"https://moonscan.io/address/0x8061Af3A459093540d17823D651BC5E2A92669a7","type":"smart_contract","addedAt":"2024-07-19T13:49:38.729Z","revision":0,"description":"Moonbeam domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5GisPkGO0rEQKlWXtrNic4","url":"https://moonscan.io/address/0xDAAfa04d38d95f5B8418786AE0F7ee5B962ee92B","type":"smart_contract","addedAt":"2024-07-19T13:49:39.186Z","revision":0,"description":"Moonbeam staticAggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3nnzb7QiXidiCsegODZxTy","url":"https://moonscan.io/address/0x40c6Abcb6A2CdC8882d4bEcaC47927005c7Bb8c2","type":"smart_contract","addedAt":"2024-07-19T13:49:39.657Z","revision":0,"description":"Moonbeam staticAggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"153pji9wFsX7H60AwbLYIY","url":"https://moonscan.io/address/0xad582f480d5335418ababf65127ac9d8e044e139","type":"smart_contract","addedAt":"2024-07-19T13:49:40.113Z","revision":0,"description":"Moonbeam 
staticMerkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"XuXfIIkEfkBfgOhBGgpAM","url":"https://moonscan.io/address/0xE2f485bc031Feb5a4C41C1967bf028653d75f0C3","type":"smart_contract","addedAt":"2024-07-19T13:49:40.516Z","revision":0,"description":"Moonbeam staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3KC8F5mjzjOHjnltGcT1sR","url":"https://moonscan.io/address/0xca69e5a1542597d979a260db1164c174d83aedf3","type":"smart_contract","addedAt":"2024-07-19T13:49:40.948Z","revision":0,"description":"Moonbeam staticMessageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3EX6pCUJFXfXbuQKz5hqwR","url":"https://moonscan.io/address/0x84Df48F8f241f11d0fA302d09d73030429Bd9C73","type":"smart_contract","addedAt":"2024-07-19T13:49:41.438Z","revision":0,"description":"Moonbeam staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1HEofGuuZcE0TCcu8TmmVF","url":"https://moonscan.io/address/0x799eA6f430f5CA901b59335fFC2fA10531106009","type":"smart_contract","addedAt":"2024-07-19T13:49:41.919Z","revision":0,"description":"Moonbeam interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7yYW5kylNo1TKkjWLjowU5","url":"https://moonscan.io/address/0x6b142f596FFc761ac3fFaaC1ecaDe54f4EE09977","type":"smart_contract","addedAt":"2024-07-19T13:49:42.362Z","revision":0,"description":"Moonbeam interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2NqnPOn2Vu52GYiz6JJDBo","url":"https://optimistic.etherscan.io/address/0x30f5b08e01808643221528BB2f7953bf2830Ef38","type":"smart_contract","addedAt":"2024-07-19T13:49:42.904Z","revision":0,"description":"Optimism 
validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"qpNB2WMaHPxPyXaTBVtKy","url":"https://optimistic.etherscan.io/address/0xE047cb95FB3b7117989e911c6afb34771183fC35","type":"smart_contract","addedAt":"2024-07-19T13:49:43.342Z","revision":0,"description":"Optimism proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4EIqG44A4nFZe2v929WRXX","url":"https://optimistic.etherscan.io/address/0xd4C1905BB1D26BC93DAC913e13CaCC278CdCC80D","type":"smart_contract","addedAt":"2024-07-19T13:49:43.805Z","revision":0,"description":"Optimism mailbox proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6VS4MtXc4cdKHrMmVCCKVP","url":"https://optimistic.etherscan.io/address/0xf00824861e4bfe5dfc769295a50006ba203bbc29","type":"smart_contract","addedAt":"2024-07-19T13:49:44.226Z","revision":0,"description":"Optimism mailbox implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3onOYX27EKCGmpQQYl1lIu","url":"https://optimistic.etherscan.io/address/0xD8A76C4D91fCbB7Cc8eA795DFDF870E48368995C","type":"smart_contract","addedAt":"2024-07-19T13:49:44.685Z","revision":0,"description":"Optimism interchainGasPaymaster proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7mrmbsc0jQdSyldO3KZT1N","url":"https://optimistic.etherscan.io/address/0x9b27988d926673fe99126df4eed42a4aae8bc01f","type":"smart_contract","addedAt":"2024-07-19T13:49:45.113Z","revision":0,"description":"Optimism interchainGasPaymaster implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3eOuojz8J44DqaiTZkJzfC","url":"https://optimistic.etherscan.io/address/0x27e88AeB8EA4B159d81df06355Ea3d20bEB1de38","type":"smart_contract","addedAt":"2024-07-19T13:49:45.571Z","revision":0,"description":"Optimism 
storageGasOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"KJom52IccjftoSW0aoeNm","url":"https://optimistic.etherscan.io/address/0xD4b132C6d4AA93A4247F1A91e1ED929c0572a43d","type":"smart_contract","addedAt":"2024-07-19T13:49:46.082Z","revision":0,"description":"Optimism fallbackDomainRoutingHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3NmrH2EyGge9p1JSfgxZAM","url":"https://optimistic.etherscan.io/address/0x4ccC6d8eB79f2a1EC9bcb0f211fef7907631F91f","type":"smart_contract","addedAt":"2024-07-19T13:49:46.539Z","revision":0,"description":"Optimism staticAggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"277N8Tz3bYkgtnLncktCog","url":"https://optimistic.etherscan.io/address/0x15DEeAB8dECDe553bb0B1F9C00984cbcae1af3D7","type":"smart_contract","addedAt":"2024-07-19T13:49:47.054Z","revision":0,"description":"Optimism staticAggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5wEa7G55BSwIq1FpwIuzse","url":"https://optimistic.etherscan.io/address/0x68eE9bec9B4dbB61f69D9D293Ae26a5AACb2e28f","type":"smart_contract","addedAt":"2024-07-19T13:49:47.482Z","revision":0,"description":"Optimism merkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7vhIcYR5OI55U21iu8D9dt","url":"https://optimistic.etherscan.io/address/0xf753CA2269c8A7693ce1808b5709Fbf36a65D47A","type":"smart_contract","addedAt":"2024-07-19T13:49:47.931Z","revision":0,"description":"Optimism pausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"f2aE8W6aPjYjOdAHFqSh3","url":"https://optimistic.etherscan.io/address/0xDFfFCA9320E2c7530c61c4946B4c2376A1901dF2","type":"smart_contract","addedAt":"2024-07-19T13:49:48.362Z","revision":0,"description":"Optimism 
domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6K5c3ZmxLDvj70Ofc8d2un","url":"https://optimistic.etherscan.io/address/0xD2e905108c5e44dADA680274740f896Ea96Cf2Fb","type":"smart_contract","addedAt":"2024-07-19T13:49:48.793Z","revision":0,"description":"Optimism domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"39HXXGRRaz5jHp5wHyzaie","url":"https://optimistic.etherscan.io/address/0xdF6316DF574974110DCC94BB4E520B09Fe3CbEf9","type":"smart_contract","addedAt":"2024-07-19T13:49:49.248Z","revision":0,"description":"Optimism staticAggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4j0J4bCvQVycNQlRZBYorJ","url":"https://optimistic.etherscan.io/address/0x7491843F3A5Ba24E0f17a22645bDa04A1Ae2c584","type":"smart_contract","addedAt":"2024-07-19T13:49:49.735Z","revision":0,"description":"Optimism staticAggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Eyl0WA7LpmXb1UkZg66GF","url":"https://optimistic.etherscan.io/address/0x34d07bbdd61608e6b62434e433a62c89326ab415","type":"smart_contract","addedAt":"2024-07-19T13:49:50.180Z","revision":0,"description":"Optimism staticMerkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7zpVmwKM2JooOjxLbsyAyG","url":"https://optimistic.etherscan.io/address/0xCA6Cb9Bc3cfF9E11003A06617cF934B684Bc78BC","type":"smart_contract","addedAt":"2024-07-19T13:49:50.612Z","revision":0,"description":"Optimism staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4VWpN4kHJXZSPNjjSdUfNy","url":"https://optimistic.etherscan.io/address/0x42ecc38aed2665075907a926320f6b9ee9969df8","type":"smart_contract","addedAt":"2024-07-19T13:49:51.208Z","revision":0,"description":"Optimism 
staticMessageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"51Kr3gO27TevQRRooJHG7p","url":"https://optimistic.etherscan.io/address/0xAa4Be20E9957fE21602c74d7C3cF5CB1112EA9Ef","type":"smart_contract","addedAt":"2024-07-19T13:49:51.729Z","revision":0,"description":"Optimism staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"27eU2V2BDHaJfhdHj9TnOE","url":"https://optimistic.etherscan.io/address/0x0389faCac114023C123E22F3E54394944cAbcb48","type":"smart_contract","addedAt":"2024-07-19T13:49:52.205Z","revision":0,"description":"Optimism interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"AiCZA6DekhMIv3QNPq4W0","url":"https://optimistic.etherscan.io/address/0x33Ef006E7083BB38E0AFe3C3979F4e9b84415bf1","type":"smart_contract","addedAt":"2024-07-19T13:49:52.656Z","revision":0,"description":"Optimism interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4la07TB2oB9Cle0Yk1mfq7","url":"https://polygonscan.com/address/0x454E1a1E1CA8B51506090f1b5399083658eA4Fc5","type":"smart_contract","addedAt":"2024-07-19T13:49:53.143Z","revision":0,"description":"Polygon validatorAnnounce","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3EF81n5Osgrj7TyRNYx70A","url":"https://polygonscan.com/address/0xC4F7590C5d30BE959225dC75640657954A86b980","type":"smart_contract","addedAt":"2024-07-19T13:49:53.628Z","revision":0,"description":"Polygon proxyAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2c7hQLDSPOKiIgRsnJ9A5r","url":"https://polygonscan.com/address/0x5d934f4e2f797775e53561bB72aca21ba36B96BB","type":"smart_contract","addedAt":"2024-07-19T13:49:54.077Z","revision":0,"description":"Polygon mailbox proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5cDwQKGCuhktkSa7AXPb8K","url":"https://polygonscan.com/address/0xa3ae1c7dbac1c9658708e6acd271bfb93d87f8a3","type":"smart_contract","addedAt":"2024-07-19T13:49:54.542Z","revision":0,"description":"Polygon 
mailbox implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4fsbTEJi7jTKQuvRuPkH4j","url":"https://polygonscan.com/address/0x0071740Bf129b05C4684abfbBeD248D80971cce2","type":"smart_contract","addedAt":"2024-07-19T13:49:55.015Z","revision":0,"description":"Polygon interchainGasPaymaster proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ZjcXM4AhshVOxrIe5Rhnj","url":"https://polygonscan.com/address/0x3f317fe9d8e3d3b0476be25e4966355218d50a3c","type":"smart_contract","addedAt":"2024-07-19T13:49:55.469Z","revision":0,"description":"Polygon interchainGasPaymaster implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7KOtdzvba6Xx0Kh662aSAw","url":"https://polygonscan.com/address/0xA3a24EC5670F1F416AB9fD554FcE2f226AE9D7eB","type":"smart_contract","addedAt":"2024-07-19T13:49:55.909Z","revision":0,"description":"Polygon storageGasOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"62DXiUTH67fLWfRK9EzVXu","url":"https://polygonscan.com/address/0xca4cCe24E7e06241846F5EA0cda9947F0507C40C","type":"smart_contract","addedAt":"2024-07-19T13:49:56.394Z","revision":0,"description":"Polygon fallbackRoutingHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1p3vD8p9xgtFzmfH4L7Seh","url":"https://polygonscan.com/address/0x34dAb05650Cf590088bA18aF9d597f3e081bCc47","type":"smart_contract","addedAt":"2024-07-19T13:49:56.806Z","revision":0,"description":"Polygon aggregationHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5vQpNAvpkgtpsg8CG7IFft","url":"https://polygonscan.com/address/0xFeeB86e70e4a640cDd29636CCE19BD6fe8628135","type":"smart_contract","addedAt":"2024-07-19T13:49:57.257Z","revision":0,"description":"Polygon aggregationHookFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"301Zxl5OI7ufkGzbj0mQfl","url":"https://polygonscan.com/address/0x73FbD25c3e817DC4B4Cd9d00eff6D83dcde2DfF6","type":"smart_contract","addedAt":"2024-07-19T13:49:57.760Z","revision":0,"description":"Polygon 
merkleTreeHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"YMyjeCgmFicyLOmFsubtJ","url":"https://polygonscan.com/address/0x748040afB89B8FdBb992799808215419d36A0930","type":"smart_contract","addedAt":"2024-07-19T13:49:58.247Z","revision":0,"description":"Polygon pausableHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4MwzIQrWPR5Oz9im9UAnN8","url":"https://polygonscan.com/address/0xA3a24EC5670F1F416AB9fD554FcE2f226AE9D7eB","type":"smart_contract","addedAt":"2024-07-19T13:49:58.750Z","revision":0,"description":"Polygon domainRoutingIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3OnDy2E2SjvClcYZWgE0Iy","url":"https://polygonscan.com/address/0x0d0E816eE4557689d34fAd5885C53b9393C1D9fA","type":"smart_contract","addedAt":"2024-07-19T13:49:59.212Z","revision":0,"description":"Polygon domainRoutingIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5jybNoX7JpHVIfZr0HqswW","url":"https://polygonscan.com/address/0xe289bD204Dbb4F3aaFA27Dbe5751C71e101CFD80","type":"smart_contract","addedAt":"2024-07-19T13:49:59.679Z","revision":0,"description":"Polygon staticAggregationIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"51pKqUlWo7frtb59NYe5Bs","url":"https://polygonscan.com/address/0x81AdDD9Ca89105063DaDEBd5B4408551Ce850E22","type":"smart_contract","addedAt":"2024-07-19T13:50:00.073Z","revision":0,"description":"Polygon staticAggregationIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5UHpgYcU1HKFBSDc0iuomV","url":"https://polygonscan.com/address/0x0ba8c268b785f60f8225d68b819b6ce8660373c2","type":"smart_contract","addedAt":"2024-07-19T13:50:00.555Z","revision":0,"description":"Polygon staticMerkleRootMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"26xo7qmvrmENK8xhLDXWKP","url":"https://polygonscan.com/address/0xa9E0E18E78b098c2DE36c42E4DDEA13ce214c592","type":"smart_contract","addedAt":"2024-07-19T13:50:01.208Z","revision":0,"description":"Polygon 
staticMerkleRootMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"10wLz2s8QUojs7xbO4yxPr","url":"https://polygonscan.com/address/0x9a177e4ec3a6de825763c34ff431bd9018d4b4c1","type":"smart_contract","addedAt":"2024-07-19T13:50:01.896Z","revision":0,"description":"Polygon staticMessageIdMultisigIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ENSBkLJaBu63mObOOd7eo","url":"https://polygonscan.com/address/0xEa5Be2AD66BB1BA321B7aCf0A079fBE304B09Ca0","type":"smart_contract","addedAt":"2024-07-19T13:50:02.438Z","revision":0,"description":"Polygon staticMessageIdMultisigIsmFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3wJtqgqL2z7q4lnZVjvoxd","url":"https://polygonscan.com/address/0x90384bC552e3C48af51Ef7D9473A9bF87431f5c7","type":"smart_contract","addedAt":"2024-07-19T13:50:02.924Z","revision":0,"description":"Polygon interchainAccountIsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7vfcm5xNJe4WvY8UdMxZmR","url":"https://polygonscan.com/address/0x5e80f3474825B61183c0F0f0726796F589082420","type":"smart_contract","addedAt":"2024-07-19T13:50:03.432Z","revision":0,"description":"Polygon interchainAccountRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7H1IAXXBFWLGjCOcCn0snD","url":"https://www.usenexus.org/","type":"websites_and_applications","addedAt":"2024-07-19T13:50:05.261Z","revision":0,"description":"warp route frontend","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3chEH0OLDxChskP2khAswC","url":"https://www.hyperlane.xyz/","type":"websites_and_applications","addedAt":"2024-07-19T13:50:05.797Z","revision":0,"description":"Main Web App","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nThough only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. 
When reporting a bug, please make sure to select the relevant proxy smart contract as the target. \n\nIf an impact can be caused to any other asset managed by Hyperlane that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. The vulnerability will then be evaluated by Hyperlane core contributors in good faith to determine where it would lie on the vulnerability scale.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","BSC","Celo","ETH","Gnosis","Moonbeam","Optimism","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["NextJS","Solidity"],"launchDate":"2023-01-10T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/32dUEjoP7WozWkfwxWEhK2/92b2a5020a729f64f689dfa47af55717/Hyperlane_logo.jpeg","maxBounty":2500000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - low","websites_and_applications - medium","websites_and_applications - high","smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Services"],"programOverview":"Hyperlane is the modular interoperability platform, empowering developers to build interchain applications, apps that can easily and securely communicate between blockchains. 
\n\nFor more information about Hyperlane, please visit [https://www.hyperlane.xyz/](https://www.hyperlane.xyz/).","programType":["Smart Contract","Websites and Applications"],"project":"Hyperlane","projectType":["Blockchain","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Critical and High Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 20 000__. High smart contract vulnerabilities are capped at 10% of economic damage as well, with a minimum reward of __USD 10 000__.\n\nHyperlane requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is Name and Identity Proof (Passport / Driving License / National ID). The collection of this information will be done by the project team.\n\nPayouts are handled by the __Hyperlane__ team directly and are denominated in USD. 
However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"hyperlane","tenPercentEconomicRule":false,"updatedDate":"2026-03-17T08:23:24.106Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Hyperlane is the modular interoperability platform, empowering developers to build interchain applications, apps that can easily and securely communicate between blockchains.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n- Attacks requiring access to privileged addresses (governance, strategist)\n- Vulnerabilities in components that exist in the codebase but are demonstrably unused or not integrated with production systems will be classified as invalid.\n- Throttling or suppression of operations without loss of user and / or protocol funds\n- Best practice critiques\n- ‘Contract DDoS’","customProhibitedActivities":[],"impacts":[{"id":3646,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":3647,"type":"smart_contract","severity":"low","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":3648,"type":"smart_contract","severity":"low","title":"Theft of gas"},{"id":3649,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction such as iframing leading to modifying the backend/browser state (demonstrate impact with PoC)"},{"id":3650,"type":"websites_and_applications","severity":"low","title":"Any impact involving a publicly released CVE without a working PoC"},{"id":3651,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links such as social media handles, etc."},{"id":3652,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as locking up the victim from login, cookie bombing, etc."},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":3653,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 60 minutes"},{"id":3654,"type":"smart_contract","severity":"high","title":"Temporary freezing NFTs for at least 60 minutes"},{"id":3655,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":3656,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying 
browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":3657,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":3658,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":3659,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":3660,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":3661,"type":"websites_and_applications","severity":"medium","title":"Subdomain takeover without already-connected wallet interaction"},{"id":3662,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent 
freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":3663,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":3664,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":3665,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of interchain assets, whether fungible or not"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":3666,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":38,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT URI"},{"id":3667,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":3668,"type":"websites_and_applications","severity":"critical","title":"Changing the NFT metadata"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet 
interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":3669,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":3670,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through NFT metadata"}],"rewards":[{"id":43227,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":2500000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43228,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":200000,"minReward":10000,"rewardModel":"range"},{"id":43229,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":43230,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":43231,"primacy":null,"severity":"critical","assetType":"websites_and_applications","fixedReward":20000,"rewardModel":"fixed"},{"id":43232,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":43233,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":43234,"primacy":null,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"db_6e61022d-fd93-4f9e-9b57-b53ed0a311c0","url":"https://arbiscan.io/address/0x74bbbb0e7f0bad6938509dd4b556a39a4db1f2cd","type":"smart_contract","addedAt":"2026-03-13T09:13:46.362Z","revision":0,"description":"Core OLP 
Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_4bafb12e-d82d-41b4-bf94-3229e29b6138","url":"https://arbiscan.io/address/0x5e91b40467fb8902c46a7b6cb90482363188d645","type":"smart_contract","addedAt":"2026-03-13T09:13:57.284Z","revision":0,"description":"Variational Protocol Treasury","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_505ec884-f2a0-4da5-9be6-031aad876017","url":"https://arbiscan.io/address/0x0F820B9afC270d658a9fD7D16B1Bdc45b70f074C","type":"smart_contract","addedAt":"2026-03-13T09:14:06.889Z","revision":0,"description":"Settlement Pool Factory Contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_7373bcad-d717-4960-8e68-c74dfbe3be83","url":"https://omni.variational.io/","type":"websites_and_applications","addedAt":"2026-03-13T09:14:27.155Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99191","url":"https://www.variational.io/","type":"smart_contract","addedAt":"2026-03-13T09:20:13.451Z","revision":0,"description":"Primacy of Impact Critical","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99192","url":"https://www.variational.io/","type":"websites_and_applications","addedAt":"2026-03-13T09:25:04.740Z","revision":0,"description":"Primacy of Impact Critical","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2026-03-16T16:30:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/program-logos/phuongn%40immunefi.com-mbfwfHAlj7ZfZxAFQmzTK.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - 
critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Variational Omni is designed to be a simple platform for day traders to access perps across a massive universe of underlyings.\n\nOmni offers seamless trading of leveraged, permissionless perps. Traders have the ability to take long or short positions on nearly 500 assets, many of which have no other perp listings.\n\nThe Omni app is built on top of the Variational protocol, which is infrastructure for the peer-to-peer trading, clearing, and settlement of perpetuals and generalized derivatives. Variational automates all aspects of the trade end-to-end for safe bilateral trading of options, futures, perpetuals, and more. Omni is the first application built on top of this protocol, with many more (such as Pro) coming in the future.\n\nVariational provides rewards in USDC on Arbitrum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\nVariational’s codebase can be found at [https://github.com/variational-research](https://github.com/variational-research). \n\nDocumentation and further resources can be found on [https://docs.variational.io/](https://docs.variational.io/).\n\n#### KYC Requirement \n\nVariational will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n* Full name   \n* Date of birth  \n* Proof of address (either a redacted bank statement with address or a recent utility bill)  \n* Copy of Passport or other Government issued ID  \n* Photo of self with passport and holding piece of paper with username/handle and date\n\n#### Eligibility Criteria \n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n* On OFAC's SDN list and [restricted persons list](https://docs.variational.io/legal/restricted-persons)\n* Official contributor, either past or present  \n* Employees and/or individuals closely associated with the project   \n* Security auditors that directly or indirectly participated in the audit review\n\n#### Responsible Publication\n\nVariational adheres to **Category 3: Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n#### Primacy of Impact vs Primacy of Rules\n\nVariational adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\nVariational adheres to the Primacy of Impact for the following impacts:\n\n* Smart Contract  —  Critical \\- Direct theft of funds  \n* Website & Application  —  Critical \\- Direct theft of funds  \n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. 
\n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n#### Proof of Concept (PoC) Requirements\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n#### Previous Audits\n\nVariational’s completed audit reports can be found at [https://docs.variational.io/technical-documentation/audits](https://docs.variational.io/technical-documentation/security-and-audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications"],"project":"Variational","projectType":[],"rewardsBody":"#### Reward Calculation for Critical Level Reports\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 10,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical web/apps bugs, reports will be rewarded with USD 50,000, only if the impact leads to:\n\n* A loss of funds involving an attack that does not require any user action  \n* Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 10,000.\n\n#### Repeatable Attack Limitations\n\n* If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. \n\n* The amount of funds at risk will be calculated with the impact of the first attack being at **100%** and then a reduction of **25%** from the amount of the first attack for every \\[**300 blocks\\]** the attack needs for subsequent attacks from the first attack, rounded down.\n\n#### Reward Calculation for High Level Reports\n\nHigh impacts concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 3,500 - USD 25,000 with the reward calculated based on **100%** of the funds at risk, though capped at the maximum high reward. \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. \n\n#### Reward Payment Terms\n\nPayouts are handled by the Variational team directly and are denominated in USD. However, payments are done in USDC on Arbitrum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"variational","tenPercentEconomicRule":false,"updatedDate":"2026-03-17T07:32:57.475Z","impactsBody":null,"websiteUrl":"https://www.variational.io/","githubUrl":"https://github.com/variational-research","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Variational Omni is designed to be a simple platform for day traders to access perps across a massive universe of underlyings.\nOmni offers seamless trading of leveraged, permissionless perps. Traders have the ability to take long or short positions on nearly 500 assets, many of which have no other perp listings.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"**Websites and Apps**\n\n* Theoretical impacts without any proof or demonstration  \n* Impacts involving attacks requiring physical access to the victim device  \n* Impacts involving attacks requiring access to the local network of the victim  \n* Reflected plain text injection (e.g. url parameters, path, etc.)  \n* This does not exclude reflected HTML injection with or without JavaScript  \n* This does not exclude persistent plain text injection  \n* Any impacts involving self-XSS  \n* Captcha bypass using OCR without impact demonstration  \n* CSRF with no state modifying security impact (e.g. 
logout CSRF)  \n* Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact  \n* Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces  \n* Impacts causing only the enumeration or confirmation of the existence of users or tenants  \n* Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows  \n* Lack of SSL/TLS best practices  \n* Impacts that only require DDoS  \n* UX and UI impacts that do not materially disrupt use of the platform  \n* Impacts primarily caused by browser/plugin defects  \n* Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)  \n* Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)  \n* Misconfigured SPF/DMARC records  \n* Missing HTTP Headers without demonstrated impact  \n* Automated scanner reports without demonstrated impact  \n* UI/UX best practice recommendations  \n* Non-future-proof NFT rendering","customProhibitedActivities":[],"impacts":[{"id":5938,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block 
stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- 
HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, 
etc."},{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:\n- Locking up the victim from login\n- Cookie bombing, etc."}],"rewards":[{"id":43220,"primacy":"primacy_of_impact","severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43221,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":3500,"rewardModel":"range"},{"id":43222,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":3500,"rewardModel":"fixed"},{"id":43223,"primacy":"primacy_of_impact","severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":43224,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":43225,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":43226,"primacy":null,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"db_e5e310ed-d1e1-40ec-b23b-14b050e5f91e","url":"https://docs.variational.io/technical-documentation/security-and-audits","auditor":"All 
audits","date":"2026-03-13T00:00:00.000Z"}]},{"assets":[{"id":"99233","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type":"smart_contract","addedAt":"2026-03-16T16:47:08.423Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99234","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type":"smart_contract","addedAt":"2026-03-16T16:47:38.623Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99235","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type":"smart_contract","addedAt":"2026-03-16T16:48:09.336Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99236","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type":"smart_contract","addedAt":"2026-03-16T16:49:18.457Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99237","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type":"smart_contract","addedAt":"2026-03-16T17:00:10.837Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99238","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type":"smart_contract","addedAt":"2026-03-16T17:07:56.263Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99239","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type":"smart_contract","addedAt":"2026-03-16T17:08:23.854Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99240","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type":"smart_contract","addedAt":"2026-03-16T17:10:14.986Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99241","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type"
:"smart_contract","addedAt":"2026-03-16T17:10:58.121Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99259","url":"https://github.com/sapiencexyz/sapience/tree/main/packages/protocol","type":"smart_contract","addedAt":"2026-03-16T20:02:04.850Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-04-23T11:11:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/92527-TUrZ8sJlg7AYgYq5Lrmli.png","maxBounty":10000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Foil is a decentralized protocol for peer-to-peer trading of exposure to onchain resources like gas and blobspace. Using the Foil Protocol, users may supply ETH and offer to buy or sell exposure to a given period's average gas or blobs market at a price expressed via a Uniswap V3 position. When the period ends, position values are automatically fixed at the true average price.\n\nFor more information about Foil, please visit [https://www.foil.xyz/](https://www.foil.xyz/).\n\nFoil provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the **Rewards by Threat Level** section.\n\nSapience is a prediction market built on top of the Foil protocol smart contracts. The website and the app can be found on [https://www.sapience.xyz/](https://www.sapience.xyz/).  
\n\n__KYC Requirement__\n\nFoil will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Responsible Publication__\n\nFoil adheres to **Category 3: Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nFoil adheres to the Primacy of Impact for the following impacts:\n\n- Website & Application  —  Critical\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n- Smart Contract  —  Medium\n- Smart Contract  —  Low\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n\n__Previous Audits__\n\nFoil’s completed audit reports can be found at https://docs.foil.xyz/audit_reports. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract"],"project":"Sapience","projectType":[],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. (https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n**Reward Calculation for Critical Level Reports**\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $10,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $5,100 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical smart contract bugs on testnet assets, the reward is paid as a flat amount of $1,000. This is because there are no actual funds at risk on the testnet, hence limits objective calculation.\n\n**Repeatable Attack Limitations**\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. 
This is because the project can mitigate the risk of further exploitation by upgrading or pausing the affected component. The reward amount will depend on the severity of the impact and the funds at risk.\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the cumulative impact of the repeatable attacks will be considered for a reward. This warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.\n\n**Reward Calculation for High Level Reports**\nHigh vulnerabilities concerning theft or permanent freezing of unclaimed yield are rewarded within a range of $2,600 to $5,000 depending on the funds at risk, capped at the maximum high reward.\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24 hours that funds are temporarily frozen, up to the maximum high reward cap.\n\n**Reward Payment Terms**\nPayouts are handled by the Sapience team directly and are denominated in USD. Payments are made in USDC on Ethereum L1.\n\nThe net reward amount is calculated based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"sapience","tenPercentEconomicRule":false,"updatedDate":"2026-03-16T20:02:04.939Z","impactsBody":null,"websiteUrl":"https://www.sapience.xyz/","githubUrl":"https://github.com/sapiencexyz","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Sapience is a fully onchain, open-source prediction market protocol powered by USDe. Its RFQ-based design enables deep liquidity, bespoke parlays, and composable vaults, transforming collective intelligence into actionable signals for the DeFi ecosystem. 
This program covers smart contract vulnerabilities only. For web/app and off-chain disclosures, see our bug bounty program in our docs: https://docs.sapience.xyz/user-guide/other-resources/bugbounty.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"1. 
All data stored in the Sapience database is intentionally public. Reports regarding exposure of database contents will not be considered valid findings.\n\n2. DoS attacks due to a lack of rate limiting, improper handling of large HTTP request data, or exhaustion of server resources via high query volume are not eligible for rewards and are considered out of scope.","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"id":43125,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43126,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":43127,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":2500,"rewardModel":"up_to"},{"id":43128,"primacy":null,"severity":"low","assetType":"smart_contract","maxReward":1000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"5NGGzVIOCUuK3rqdxM9MjR","url":"https://github.com/whyrusleeping/cbor-gen","type":"blockchain_dlt","addedAt":"2024-04-26T14:19:19.461Z","revision":0,"description":"Some basic utilities to generate fast path cbor codecs for your types.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3HsVjbfq3THHxAExybWoGl","url":"https://github.com/filecoin-project/boost","type":"blockchain_dlt","addedAt":"2024-04-26T14:12:55.644Z","revision":0,"description":"Boost is a tool for Filecoin storage providers to manage data storage and retrievals on Filecoin.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"54pF0AVJHohWzph4jmIOsh","url":"https://github.com/ipfs/go-graphsync","type":"blockchain_dlt","addedAt":"2024-04-26T14:13:10.675Z","revision":0,"description":"An implementation of the graphsync protocol in go!","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3gPYRQ7PQPpPxzMwjlZ4qq","url":"https://github.com/filecoin-project/lotus/tree/master/miner","type":"blockchain_dlt","addedAt":"2024-04-26T14:13:26.353Z","revision":0,"description":"Lotus miner 
node","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"IKbyqh0uacO6EmVydA97w","url":"https://github.com/filecoin-project/rust-fil-proofs-ffi","type":"blockchain_dlt","addedAt":"2024-04-26T14:13:41.802Z","revision":0,"description":"Filecoin Proofs","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5L0qYnzemUgWJRtdZtyohA","url":"https://github.com/filecoin-project/rust-filecoin-proofs-api","type":"blockchain_dlt","addedAt":"2024-04-26T14:13:59.645Z","revision":0,"description":"Filecoin Proofs API","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1jfli9NqgkZzq4yW5vKWrU","url":"https://github.com/filecoin-project/rust-fil-proofs","type":"blockchain_dlt","addedAt":"2024-04-26T14:14:15.645Z","revision":0,"description":"Filecoin Proofs in Rust","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7ucegSwX3N2N4kn1yWkICJ","url":"https://github.com/filecoin-project/bellperson","type":"blockchain_dlt","addedAt":"2024-04-26T14:14:37.017Z","revision":0,"description":"zk-SNARK library","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Y14nLNEp32WwUWv85iciy","url":"https://github.com/filecoin-project/merkletree","type":"blockchain_dlt","addedAt":"2024-04-26T14:14:53.205Z","revision":0,"description":"merkle is a lightweight Rust implementation of a Merkle tree.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"51S2rKm6rt5pJZEgETbs11","url":"https://github.com/lurk-lab/neptune","type":"blockchain_dlt","addedAt":"2024-04-26T14:15:08.673Z","revision":0,"description":"Rust Poseidon implementation.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2obiqOPNkkvkEMD9Up6qdr","url":"https://github.com/lurk-lab/neptune-triton","type":"blockchain_dlt","addedAt":"2024-04-26T14:15:25.401Z","revision":0,"description":"Futhark implementation of neptune-compatible 
Poseidon.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7ae9Rkr94a6znAl2i3jG6t","url":"https://github.com/filecoin-project/paired","type":"blockchain_dlt","addedAt":"2024-04-26T14:15:41.140Z","revision":0,"description":"Crate for using pairing-friendly elliptic curves.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3WDM00cvpHsDSLnuakDXwl","url":"https://github.com/filecoin-project/go-address","type":"blockchain_dlt","addedAt":"2024-04-26T14:15:56.173Z","revision":0,"description":"The Filecoin address type, used for identifying actors on the Filecoin network, in various formats.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4gsjADyYEKf1JbQu83GRiu","url":"https://github.com/filecoin-project/go-amt-ipld","type":"blockchain_dlt","addedAt":"2024-04-26T14:16:13.077Z","revision":0,"description":"Implementation of an array mapped trie using go and ipld","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5x6mP2lb0IXNuvop3JPtJc","url":"https://github.com/filecoin-project/go-bitfield","type":"blockchain_dlt","addedAt":"2024-04-26T14:16:29.513Z","revision":0,"description":"Features iterator based primitives that scale with number of runs instead of number of bits.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5oo5fSJL1aE7jfHh8Unifa","url":"https://github.com/filecoin-project/go-cbor-util","type":"blockchain_dlt","addedAt":"2024-04-26T14:16:43.785Z","revision":0,"description":"CBOR utilities for reading and writing objects to CBOR representation, optimizing for fast path serialization/deserialization generated by cbor-gen","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"WAyByUSsYpsZY4ZSrXjKi","url":"https://github.com/filecoin-project/go-crypto","type":"blockchain_dlt","addedAt":"2024-04-26T14:17:02.874Z","revision":0,"description":"Crypto utility functions used in 
Filecoin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"u1VlbwEsEUFkAP0pp1tBt","url":"https://github.com/filecoin-project/go-data-transfer","type":"blockchain_dlt","addedAt":"2024-04-26T14:17:18.558Z","revision":0,"description":"A go module to perform data transfers over ipfs/go-graphsync","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"248GNBHlZJ7v0E4VIELNz8","url":"https://github.com/filecoin-project/go-fil-commcid","type":"blockchain_dlt","addedAt":"2024-04-26T14:17:34.200Z","revision":0,"description":"Conversion Utilities Between CID and Piece/Data/Replica Commitments","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Huue7KL2RYhIkdo68GT8v","url":"https://github.com/filecoin-project/go-padreader","type":"blockchain_dlt","addedAt":"2024-04-26T14:17:48.961Z","revision":0,"description":"Tools for mapping between bit-padded and not-bit-padded byte streams","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7kESFshZ9panOp0eaC9mc4","url":"https://github.com/filecoin-project/go-sectorbuilder","type":"blockchain_dlt","addedAt":"2024-04-26T14:18:04.020Z","revision":0,"description":"An abstraction used to manage a storage miner's sectors","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7aw49IkZXf4VzOVqTtxzR0","url":"https://github.com/filecoin-project/go-statemachine","type":"blockchain_dlt","addedAt":"2024-04-26T14:18:18.385Z","revision":0,"description":"A generic state machine","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7dJvSLicIycrB8Vr9R2ccw","url":"https://github.com/filecoin-project/go-statestore","type":"blockchain_dlt","addedAt":"2024-04-26T14:18:33.589Z","revision":0,"description":"A general-purpose key-value store for CBOR-encodable data","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"722lDzYttSJiESLKqEg9Q0","url":"https://github.com/ipfs/go-hamt-ipld","type":"blockchain_dlt","addedAt":"2024-04-26T14:18:48.251Z","revision":0,"description":"This package is a reference implementation of the IPLD HAMT used in the 
Filecoin blockchain","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3FhPvFE1TJEfKqAP0la8Dv","url":"https://github.com/ipfs/go-ipld-cbor","type":"blockchain_dlt","addedAt":"2024-04-26T14:19:04.705Z","revision":0,"description":"An implementation of a cbor encoded merkledag object.","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7iCR4Cluz9kph9nF8WaNHL","url":"https://github.com/filecoin-project/lotus","type":"blockchain_dlt","addedAt":"2024-04-26T14:12:39.444Z","revision":0,"description":"Lotus is the reference node implementation for the Filecoin network","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3SYpmknsqSyRQeMILZj0Zz","url":"https://github.com/filecoin-project/builtin-actors","type":"blockchain_dlt","addedAt":"2024-04-26T14:12:19.834Z","revision":0,"description":"Built-in Filecoin actors - written in Rust, Wasm-compiled built-in actors (smart contracts, in Filecoin lingo) that are used by all Filecoin clients","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7ql7L0KqRNvOfVRHsfxkpc","url":"https://github.com/filecoin-project/ref-fvm","type":"blockchain_dlt","addedAt":"2024-04-26T14:12:01.787Z","revision":0,"description":"FVM reference implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5kX0Wo3ZoZ5DHmd1O4biBi","url":"https://github.com/filecoin-project/go-f3","type":"blockchain_dlt","addedAt":"2025-05-13T08:39:09.105Z","revision":0,"description":"Golang implementation of Fast Finality for Filecoin (F3)","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Only those listed in the Assets in Scope table are considered to be in scope of the Bug Bounty 
Program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Filecoin"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Rust"],"launchDate":"2023-04-14T20:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3qI8wK3cAr9keSN6QLBCSE/6d1ca48363a4450ae1516814cc548c07/filecoin-logo.svg","maxBounty":150000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are considered out-of-scope and ineligible for payout.","productType":["L1"],"programOverview":"Filecoin is a decentralized storage network designed to store humanity's most important data. As such, security is of paramount importance to us.\n\nFor more information about Filecoin, please visit https://filecoin.io. For more information about the FVM, visit https://fvm.dev.\n\nFor Whitehats: It is highly recommended that you review the details of this program in full. Although many Bug Bounty programs have standard terms and conditions, each also has their own unique details that are critical to your success.  \n\nPrior to submitting a report please review the Immunefi Bug Report Template and Best Practices. \n\n__Note:__ The program is subject to all terms and conditions of this Bug Bounty Policy (”Policy”), and all submissions to this Program are governed by this Policy. \n\nBy submitting a vulnerability through this Program you are agreeing to the Policy.   
\n\nFilecoin provides rewards in USD/USDC at the Filecoin Foundation’s sole discretion. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__Payouts and Payout Requirements__\n\nThe Filecoin Security Team, which consists of core developers and contributors, evaluates the significance of reported vulnerabilities and the appropriate bounty award, if any, in its sole discretion. The Filecoin Security Team may also at its sole discretion increase the award, within the ranges above, for vulnerability reports that include quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.\n\nCurrent and former members of the Filecoin core development team, and current and former employees, contractors and others who have been paid by Protocol Labs or the Filecoin Foundation to work on the Filecoin project, indirectly or directly, are not eligible for bug bounty rewards.\n\nPayouts are handled by the Filecoin Foundation directly and are denominated in USD/USDC at the Filecoin Foundation’s sole discretion. Payouts will be distributed according to the terms set out in this Policy at the time of report submission.\n\nFor the purposes of determining report validity, this is a Primacy of Rules program. Learn more about this principle here: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nIn the event that a bounty award is assigned, the Filecoin Foundation will generate an invoice. Invoices will generally be paid on a net 30 basis, after the Filecoin Foundation has received all necessary information from the researcher, such as wallet details and KYC information. Any taxes and other costs associated with award acceptance are the sole responsibility of the award recipient. 
The researcher is responsible for resolving any local restrictions or requirements related to the award under the reporter’s local laws.\n\n\n__KYC Requirement__ \n\nFilecoin will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Country of residence\n- For US citizens: W9, W8BEN, or W8BENE forms, and any other forms reasonably requested by the Filecoin Foundation\n\nNote: KYC information is required only after the validity of a bug report has been confirmed and the bounty amount, if any, has been decided. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nFilecoin adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Report Quality__\n\nReports must be thorough and contain enough information that the Filecoin Security Team can easily duplicate any findings. If specially-crafted files are required they should be submitted as attachments. Screenshots are encouraged while videos are discouraged, unless necessary. Submissions should not consist solely of a video.\n\nReports are welcome for issues that cannot be proven but still suggest a serious impact. Filecoin trusts researchers to make that determination and we will assist in clarifying impact and adjusting the severity as needed. Researchers are encouraged to report a vulnerability early and let Filecoin help determine the impact, rather than waiting days or weeks to create a proof. \n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n__Description of known issue/repository__\n\nAll issues, PRs and code comments already mentioned and listed in the In-Scope Assets are treated as known issues. Related Impact-in-Scope: issues created in the following repos:\n- https://github.com/filecoin-project/ \n- https://github.com/ipfs/ \n- https://github.com/whyrusleeping/cbor-gen\n- https://github.com/lurklab/neptune/ \n- https://github.com/lurklab/trition\n\n\n\n__Previous Audits__\n\nFilecoin’s completed audit reports can be found in Spec at https://spec.filecoin.io/. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Filecoin has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).\n\n__Dev Environments and Documentation__\n\nFilecoin has included dev documentation and/or instructions to help in reviewing code and exploring for bugs:\n- [Filecoin Virtual Machine - Docs](https://docs.filecoin.io/smart-contracts/fundamentals/the-fvm)\n- [Introduction to Filecoin](https://docs.filecoin.io/basics/what-is-filecoin)\n- [FVM website](https://fvm.filecoin.io/)\n- [Local Devnet](https://lotus.filecoin.io/lotus/developers/local-network/)\n- [FEVM Hardhat kit](https://github.com/filecoin-project/FEVM-Hardhat-Kit)\n- [FVM Hackathon Cheat Sheet](https://github.com/filecoin-project/awesome-filecoin/blob/main/fvm.md)\n- [Lotus Docs](https://lotus.filecoin.io/)\n- [Boost Docs](https://boost.filecoin.io/)\n- [Filecoin Calibration Testnet](https://docs.filecoin.io/networks/calibration)\n- [FVM Implementation 
FIP](https://github.com/filecoin-project/FIPs/blob/master/FIPS/fip-0030.md)","programType":["Blockchain/DLT"],"project":"Filecoin","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward of $150,000. However, a minimum reward of USD $100,000 is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\nAll rewards for this Program are scaled based on a set of criteria, taking into account factors like: ease of exploitation of the bug, impact of the bug, likelihood of the vulnerability (particularly for bug reports where the vulnerability would require multiple conditions to be met), and report quality.\n\nReported security vulnerabilities will be eligible for a bounty amount based on severity, calculated from their impact and likelihood using the OWASP Risk Rating model (https://owasp.org/www-community/OWASP_Risk_Rating_Methodology).","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"filecoin","tenPercentEconomicRule":false,"updatedDate":"2026-03-16T11:57:42.546Z","impactsBody":null,"websiteUrl":"https://filecoin.io","githubUrl":"https://github.com/filecoin-project","eligibilityCriteria":["no_ofac_sdn","no_auditor","no_employee"],"responsiblePublicationCategory":"category_1","description":"Filecoin is a decentralized storage network designed to store humanity's most important data. 
We invite security researchers to participate in our bug bounty program and help us secure the broader Filecoin ecosystem.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"All submissions must include a working proof of concept demonstrated against a running local devnet. Use the Filecoin Audit Kit (https://github.com/FilecoinFoundationWeb/filecoin-audit-kit) to set up your environment; it provides one-command devnet setups for Lotus (setup.sh) and Boost (setup-boost.sh).\n\nThe following are out of scope and will be closed without review:\n\n1. Unit tests (_test.go, #[test], or equivalent) as the sole PoC; unit tests do not exercise consensus, networking, or state sync, which are the layers where exploitability must be proven\n2. Fuzzer crash outputs without a devnet reproduction showing the crash is reachable from an external input on a running node\n3. Static analysis or linter findings without demonstrated exploitability on a devnet\n4. Theoretical writeups without runnable exploit code\n5. Screenshots or video recordings as sole evidence (acceptable as supplements, not replacements)\n6. AI/LLM-generated reports not validated by the researcher against a running devnet\n\nA valid submission must include: the Audit Kit setup and version used, any source modifications as diffs, runnable exploit code, execution output, and impact evidence (crash logs, state diffs, or chain behavior). 
See the PoC Submission Requirements for the full expected structure.","customProhibitedActivities":[],"impacts":[{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":2562,"type":"blockchain_dlt","severity":"low","title":"DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network"},{"id":2563,"type":"blockchain_dlt","severity":"low","title":"Underpricing transaction fees relative to computation time"},{"id":2564,"type":"blockchain_dlt","severity":"low","title":"Contract on the platform fails to deliver promised returns, but doesn’t lose values"},{"id":2565,"type":"blockchain_dlt","severity":"low","title":"EVM instruction fails to execute when provided with concrete parameters"},{"id":2566,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (Network partition) with localized impacts (which would require hard fork but doesn’t affect the chain as whole)"},{"id":2567,"type":"blockchain_dlt","severity":"high","title":"Transient consensus failures (Temporary halt in transactions leading to consensus failure)"},{"id":2568,"type":"blockchain_dlt","severity":"high","title":"Protocol-level bug preventing contracts from using their funds"},{"id":2569,"type":"blockchain_dlt","severity":"high","title":"Protocol-level bug causing the inability for developers to deploy new smart contracts"},{"id":2570,"type":"blockchain_dlt","severity":"high","title":"Protocol-level bug rendering a single contract unusable after the exploit (i.e. 
contract bricked)"},{"id":2572,"type":"blockchain_dlt","severity":"medium","title":"High compute consumption by validator/mining nodes"},{"id":2573,"type":"blockchain_dlt","severity":"medium","title":"DoS of greater than 30% of validator or miner nodes and does not shut down the network"},{"id":2574,"type":"blockchain_dlt","severity":"medium","title":"EVM instruction fails to execute, in a general way"},{"id":2575,"type":"blockchain_dlt","severity":"medium","title":"Inability to deploy a contract under a specific circumstances"},{"id":2576,"type":"blockchain_dlt","severity":"critical","title":"Total Chain halt"},{"id":2577,"type":"blockchain_dlt","severity":"critical","title":"Protocol-level bug that causes a general breakage of all contracts deployed on the chain"},{"id":2578,"type":"blockchain_dlt","severity":"critical","title":"Protocol-level bug that enables tricking contracts into sending funds to arbitrary addresses"},{"id":5559,"type":"blockchain_dlt","severity":"high","title":"Inability to propagate new transactions (limited to fraction of the network)"}],"rewards":[{"id":43042,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":150000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":43043,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":100000,"minReward":10000,"rewardModel":"range"},{"id":43044,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","maxReward":10000,"minReward":2000,"rewardModel":"range"},{"id":43045,"primacy":null,"severity":"low","assetType":"blockchain_dlt","maxReward":2000,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"4I3Xs76vaBmrAdpNRwmuGL","url":"https://github.com/pancakeswap/infinity-universal-router","type":"smart_contract","addedAt":"2025-10-30T08:15:59.395Z","revision":0,"description":"Pancakeswap Infinity 
Router","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Mybwl38SoAMbIs1Hvn05p","url":"https://github.com/pancakeswap/pancake-v3-contracts","type":"smart_contract","addedAt":"2025-10-30T08:15:59.430Z","revision":0,"description":"Pancakeswap V3","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6HwLEqOpgtsbhpXStHqlEd","url":"https://github.com/pancakeswap/infinity-core","type":"smart_contract","addedAt":"2025-10-30T08:15:59.567Z","revision":0,"description":"Pancakeswap Infinity Core","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7h98Bj3XvQGzq7ZDeiJ28W","url":"https://github.com/pancakeswap/infinity-periphery","type":"smart_contract","addedAt":"2025-10-30T08:15:59.572Z","revision":0,"description":"Pancakeswap Infinity Periphery","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"VQW86j81JaGjf4Q4H6BJk","url":"https://github.com/pancakeswap/pancake-swap-periphery","type":"smart_contract","addedAt":"2025-10-30T08:15:59.391Z","revision":0,"description":"Pancakeswap V2 Periphery ","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"gqfHES9sbEHfoWg3bvomY","url":"https://pancakeswap.finance/","type":"websites_and_applications","addedAt":"2022-02-17T14:03:35.740Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Please note that for Website/App, only [https://pancakeswap.finance](https://pancakeswap.finance) is in scope. 
Other subdomains are not in scope.\n\nOFT related contracts are not in the scope of this program, unless the logic is specific to PancakeSwap’s implementation.\n\nIf you have found an issue with OFT related contracts, please report it to [https://immunefi.com/bounty/layerzero/](https://immunefi.com/bounty/layerzero/).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-03-28T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2xJOw4FpKeRGxyQOV0RG0G/58c413a9b3969ddbd605bea881c02e72/Pancakeswap-logo.jpg","maxBounty":1000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["AMM","DEX"],"programOverview":"PancakeSwap is a decentralized exchange running on Binance Smart Chain and other multiple chains, with lots of other features that let you earn and win tokens. It's fast, cheap, and anyone can use it. It's also got pancakes and rabbits.\n\nThe exchange is an automated market maker (“AMM”) that allows tokens to be exchanged on the Binance Smart Chain and other multiple chains. On top of that, you can earn CAKE with yield farms, earn CAKE with Staking, and earn even more tokens with Syrup pools. \n\nThe PancakeSwap bug bounty program is focused around its smart contracts,\nwebsites, and apps with a primary interest in the prevention of loss of user\nfunds, either by direct draining of locked funds or social engineering attacks by redirecting users or forcing them to sign a transaction. 
Priority and focus is placed on issues that can result in irreversible financial loss.","programType":["Smart Contract","Websites and Applications"],"project":"PancakeSwap","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on\nthe [Immunefi Vulnerability Severity Classification System 2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nSmart Contract rewards are classified by __Group 1__ and __Group 2__. \n\n__Group 1__ consists of the core swap and reward components such as:\n\nAMM: Pancakeswap V2, V3, Stableswap and related periphery contracts\nStaking: Masterchef V2, V3, Smart Chef (Syrup pools), Cake Pool\n\n__Group 2__ consists of other contracts not mentioned in group 1.\n\nGroup 1 rewards are notated in the rewards table by the higher ranges listed by severity level, while Group 2 rewards are notated by the lower ranges listed by severity level.\n\nAll bug reports must include a Proof of Concept demonstrating how the vulnerability can be exploited to be eligible for a reward. \n\nThe final reward amount for critical vulnerabilities is capped at 5% of the funds at risk based on the vulnerability reported.\n\nCritical smart contract vulnerability payouts for Group 1 are a minimum of __USD $50,000__, or 5% of the value at risk at the time of report submission, with a hard cap of __USD $1,000,000__, whichever is larger. Value at risk should be calculated primarily (though not exclusively) based on concrete and demonstrable funds at risk. 
Any supplementary reward beyond the minimum __USD $50,000__ or 5% of value at risk is at the discretion of the team.\n\nCritical smart contract vulnerability payouts for Group 2 are a minimum of __USD $20,000__, or 5% of the value at risk at the time of report submission, with a hard cap of __USD $100,000__, whichever is larger. Value at risk should be calculated primarily (though not exclusively) based on concrete and demonstrable funds at risk. Any supplementary reward beyond the minimum __USD $20,000__ or 5% of value at risk is at the discretion of the team.\n\nAll non-critical rewards for the project bug bounty program are scaled based on an internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in-place. Rewards will be provided at the determined fair value by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program.\n\nThis program follows the policy where a report is eligible for bounty only if a fix is implemented.\n\nXSS reports are restricted to those that have an impact of prompting a user to  sign a transaction or a redirect.\n\nAll payouts are done by the **PancakeSwap** team and are pegged to the **USD** values set here and are payable in **CAKE** or **USDT**.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"CAKE or USDT","slug":"pancakeswap","tenPercentEconomicRule":false,"updatedDate":"2026-03-16T07:28:57.930Z","impactsBody":null,"websiteUrl":"https://pancakeswap.finance/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"PancakeSwap is a decentralized exchange running on Binance Smart Chain and other multiple chains, with lots of other features that let you earn and win tokens. 
It's fast, cheap, and anyone can use it. It's also got pancakes and rabbits.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Internal SSRF\n- Path Traversal\n- SPF/DKIM/DMARC Configuration Problems\n- Clickjacking \n- Attacks requiring privileged access from within the organization","customProhibitedActivities":[],"impacts":[{"id":233,"type":"smart_contract","severity":"high","title":"Complete theft of unclaimed yield (dependent on the value at stake)"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":234,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (dependent on the value at stake and duration of freeze)"},{"id":235,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield (dependent on the 
value at stake and duration of freeze)"},{"id":236,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":237,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":238,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":239,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":240,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":241,"type":"websites_and_applications","severity":"medium","title":"Subdomain takeover without already-connected wallet interaction"},{"id":244,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":245,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield (dependent on the value at stake)"},{"id":246,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds (dependent on the value at 
stake)"},{"id":247,"type":"smart_contract","severity":"critical","title":"Protocol Insolvency (dependent of the shortfall in value)"},{"id":248,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":249,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":250,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"}],"rewards":[{"id":42998,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"rewardModel":"up_to","rewardCalculationPercentage":5},{"id":42999,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":20000,"rewardModel":"up_to"},{"id":43000,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":7500,"rewardModel":"up_to"},{"id":43001,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":4000,"rewardModel":"up_to"},{"id":43002,"primacy":null,"severity":"medium","assetType":"websites_and_applications","maxReward":1500,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"1dYkC8sIB8lNC64xiJ9654","url":"https://mainnet.boba.network","type":"websites_and_applications","addedAt":"2024-08-14T09:31:21.880Z","revision":0,"description":"Mainnet 
RPC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ono3wv4gAACXJFYQhsBm8","url":"https://etherscan.io/address/0x2dE73Bd1660Fbf4D521a52Ec2a91CCc106113801","type":"smart_contract","addedAt":"2024-08-14T08:24:49.763Z","revision":0,"description":"Proxy_LightBridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3BMLoUBjqC0uoezrCdNgvx","url":"https://arbiscan.io/address/0x2dE73Bd1660Fbf4D521a52Ec2a91CCc106113801","type":"smart_contract","addedAt":"2024-08-14T09:31:00.642Z","revision":0,"description":"Proxy__LightBridge (Arb)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4KRYNAni0FwyNmAUb4hL1L","url":"https://optimistic.etherscan.io/address/0x2dE73Bd1660Fbf4D521a52Ec2a91CCc106113801","type":"smart_contract","addedAt":"2024-08-14T09:30:45.907Z","revision":0,"description":"Proxy__LightBridge (Op)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4fyNLY3rtehYuskuzmslUQ","url":"https://bobascan.com/address/0x670b130112C6f03E17192e63c67866e67D77c3ee","type":"smart_contract","addedAt":"2024-08-14T09:30:23.193Z","revision":0,"description":"Proxy__LightBridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5dRh1FmBNX9Xt1DRLvMArV","url":"https://gateway.boba.network","type":"websites_and_applications","addedAt":"2024-08-14T09:31:34.448Z","revision":0,"description":"Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ylUdfeIvqvXwZILmX1wv7","url":"https://bobascan.com/address/0x0dfFd3Efe9c3237Ad7bf94252296272c96237FF5","type":"smart_contract","addedAt":"2024-08-14T09:28:25.191Z","revision":0,"description":"Proxy__LightBridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"m67uno6rhw4CvUrKvTNr3","url":"wss://ws.mainnet.boba.network/","type":"websites_and_applications","addedAt":"2024-08-14T09:38:44.910Z","revision":0,"description":"Websocket","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"All smart contracts of Boba Network can be found at https://github.com/bobanetwork/boba Boba-Eth - Core Rollup 
contracts (https://github.com/bobanetwork/boba)\nHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nThough only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target. \n\nIf an impact can be caused to any other asset managed by Boba Network that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. This only applies to Critical and High impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Avalanche","BSC","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","JavaScript","Solidity"],"launchDate":"2023-01-13T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2wV1YzHxDN4EUqz1RJuw6E/a8d877797715ffa2e502bd56e411899b/Boba_Network_logo.jpeg","maxBounty":100000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Bridge","L2","Staking"],"programOverview":"Boba Network is a blockchain Layer-2 scaling solution and Hybrid Compute platform offering lightning fast transactions and fees up to 100x less than Layer-1.\n\nBoba Network’s Hybrid Compute technology brings the power of Web2 on-chain for the first time, allowing smart contracts to call any external Web2 API to execute complex algorithms such as machine learning classifiers, pull in real-world or enterprise data in a single atomic transaction, or sync with the latest state of a gaming engine. Leveraging off-chain compute and real-world data, developers and creators can offer an enriched experience unlike anything else on the market today.\n\nBoba Network is delivering a faster, cheaper, and smarter experience for blockchain’s next billion users.\n\nFor more information about Boba Network, please visit [https://boba.network/](https://boba.network/).  \n\nFor testing any exploits involving cross-domain transactions, it is recommended to work with Boba’s local devnet stack [https://github.com/bobanetwork/boba/blob/develop/.circleci/config.yml#L1332](https://github.com/bobanetwork/boba/blob/develop/.circleci/config.yml#L1332)  (for Boba-Eth) \nNote: Boba now operates on the Anchorage stack, a derivative of the op-stack.  Find more about the op-stack specs here: [https://github.com/bobanetwork/boba?tab=readme-ov-file#specification](https://github.com/bobanetwork/boba?tab=readme-ov-file#specification)\n\n__KYC Requirement__ \n\nBoba Network will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n\n__Proof of Concept (PoC) Requirements__\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n\n__Immunefi Standard Badge__\nBy adhering to Immunefi’s best practice recommendations, Boba Network has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Websites and Applications","Smart Contract"],"project":"Boba Network","projectType":["Blockchain","Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the  [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). \n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All High and Critical Blockchain/DLT/Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical blockchain vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 10 000__. \n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 10 000__. 
\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. However, a minimum reward of __USD 10 000__ is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nFor web/app bugs, reports will be rewarded within a range of __USD 1 000 - 3 000__ depending on severity levels and will be rewarded according to the Impact in Scope table.  \n\n\nThe following vulnerabilities are not eligible for a reward:\n\n- Contracts are upgradable. \n- The fact that fraud proofs are not yet running. \n- A bug in Lib_MerkleTrie.sol which will prevent withdrawals from succeeding in some cases. There is a workaround for this, by modifying the proof to add an extra element. \n- A bug in Lib_ResolvedDelegateProxy.sol which could result in a storage slot key collision overwriting the address of the implementation. This bug is dependent on the layout of the implementation contract, and Boba is not affected. \n- The user cannot commit to a L1 gas price, the OVM_GasPriceOracle is owned by a key controlled by Boba and is responsible for setting the L1 gas price.\n- There appears to be an obvious bug which would allow an attacker to withdraw a fake ERC20 token from L2 in exchange for a real ERC20 (such as WBTC) token on L1. There is no check in the L2StandardBridge, however the withdrawal is prevented from finalizing by a check in the L1StandardBridge. Naturally if you do find a way to circumvent Boba Network’s protections, then you would be rewarded.\n- All vulnerabilities mentioned in https://github.com/bobanetwork/boba_legacy/tree/develop/boba_audits \n\nBoba Network requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward for critical and high threat levels. The information needed is proof of your identity. 
The collection of this information will be done by the Boba Foundation.\n\nPayouts are handled by the __Boba Foundation__ and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"bobanetwork","tenPercentEconomicRule":false,"updatedDate":"2026-03-15T21:31:23.434Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Boba Network is a blockchain Layer-2 scaling solution and Hybrid Compute platform offering lightning fast transactions and fees up to 100x less than Layer-1.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- All content on the Ecosystem pages of website (community driven) [https://boba.network/dapps/](https://boba.network/dapps/)\n- Failed-disbursement bookkeeping collisions or overwrites that only impact privileged retry or manual recovery flows, without enabling unauthorized fund access or permanent loss of funds.","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":3741,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":3742,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction such as iframing leading to modifying the backend/browser state (demonstrate impact with PoC)"},{"id":3743,"type":"websites_and_applications","severity":"low","title":"Any impact involving a publicly released CVE without a working PoC"},{"id":3744,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links such as social media handles, etc."},{"id":3745,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as locking up the victim from login, cookie bombing, etc."},{"id":3747,"type":"smart_contract","severity":"high","title":"Temporary 
freezing of funds for any amount of time"},{"id":3748,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs originally developed by Boba Network for any amount of time"},{"id":3749,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":3750,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":3751,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":3756,"type":"smart_contract","severity":"medium","title":"Protocol failure caused by block stuffing"},{"id":3757,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":3758,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":3759,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":3760,"type":"smart_contract","severity":"critical","title":"Direct theft of user NFTs originally developed by Boba Network, whether at-rest or in-motion, other than unclaimed 
royalties"},{"id":3761,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs originally developed by Boba Network"},{"id":3762,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs originally developed by Boba Network"},{"id":3763,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content) for NFTs originally developed by Boba Network"},{"id":3764,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":3765,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT URI for NFTs originally developed by Boba Network"},{"id":3766,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":3767,"type":"websites_and_applications","severity":"critical","title":"Changing the NFT metadata for NFTs originally developed by Boba Network"},{"id":3768,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":3769,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs for NFTs originally developed by Boba 
Network"}],"rewards":[{"id":42974,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":42975,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":42976,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":3000,"rewardModel":"fixed"},{"id":42977,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":42978,"primacy":null,"severity":"critical","assetType":"websites_and_applications","fixedReward":3000,"rewardModel":"fixed"},{"id":42979,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":42980,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":1500,"rewardModel":"fixed"},{"id":42981,"primacy":null,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1Mup8pvSb4mJNMIzzqspvM","url":"https://github.com/stacks-sbtc/sbtc/tree/main/signer/src","type":"blockchain_dlt","addedAt":"2025-04-30T05:35:20.507Z","revision":0,"description":"sBTC signer implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1i3ZFwpjYVTIZUZlAt3SEX","url":"https://github.com/stacks-sbtc/sbtc/tree/main/emily/src","type":"blockchain_dlt","addedAt":"2025-04-30T05:35:35.740Z","revision":0,"description":"sBTC Emily implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1wf5EgCM3ZemiZtx4wya65","url":"https://github.com/stacks-sbtc/sbtc/tree/main/contracts","type":"smart_contract","addedAt":"2025-04-30T05:34:35.039Z","revision":0,"description":"sBTC 
contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"21yykxBnBDpN6Q8HuV5TV2","url":"https://github.com/stacks-network/stacks-core/tree/master/stacks-common","type":"blockchain_dlt","addedAt":"2022-05-10T15:55:23.581Z","revision":0,"description":"Main Stacks blockchain repository","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Tjx6oRgJXz0BYkDfJtSu","url":"https://github.com/stacks-network/stacks-core/tree/master/stacks-node/src","type":"blockchain_dlt","addedAt":"2025-09-16T16:50:35.856Z","revision":0,"description":"Node implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"37fKz5pvitrjowoaqe7MrN","url":"https://github.com/stacks-network/stacks-core/tree/master/stackslib","type":"blockchain_dlt","addedAt":"2024-04-15T11:55:27.506Z","revision":0,"description":"Blockchain shared libraries","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3BygY3ZGnYEdOHHW9dXU1S","url":"https://github.com/stacks-network/stacks-core/blob/master/stackslib/src/chainstate/stacks/boot/costs.clar","type":"smart_contract","addedAt":"2022-05-10T15:55:21.514Z","revision":0,"description":"Costs contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"bUooaKIGszVwaxPSCOa1g","url":"https://github.com/stacks-network/stacks-core/blob/master/stackslib/src/chainstate/stacks/boot/lockup.clar","type":"smart_contract","addedAt":"2022-05-10T15:55:20.388Z","revision":0,"description":"Lockup contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"cOg6GDCBuTBMg879ePnHa","url":"https://github.com/stacks-network/stacks-core/blob/master/stackslib/src/chainstate/stacks/boot/pox-4.clar","type":"smart_contract","addedAt":"2022-05-10T15:55:19.323Z","revision":0,"description":"POX contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"hpu4keYNL2n2NsQzg1ybl","url":"https://github.com/stacks-sbtc/sbtc/tree/main/sbtc/src","type":"blockchain_dlt","addedAt":"2025-04-30T05:35:05.730Z","revision":0,"description":"sBTC signer 
implementation","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"All smart contracts of Stacks can be found at [https://github.com/stacks-network/stacks-blockchain/blob/master/src/chainstate/stacks/boot](https://github.com/stacks-network/stacks-blockchain/blob/master/src/chainstate/stacks/boot).  However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nThough the Node implementation asset has “testnet” in the folder name, it is not a testnet node and is within the scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Stacks","Bitcoin"],"endDate":null,"evaluationEndDate":null,"features":["Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust","Bitcoin Script","Clarity"],"launchDate":"2022-03-31T19:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7rDt9WPKt1aTDNVmrLDaZ9/e8474a103962162a8e704ac863984684/stacks__1_.png","maxBounty":250000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - critical","smart_contract - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"Stacks","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Blockchain__\n\n__Critical__\n  - Network not being able to confirm new transactions (Total network shutdown)\n  - Trigger a deep fork without spending the requisite BTC.\n  - Direct loss of funds other than permanent or temporary freezing\n  - Chain split due to different nodes processing the same block or transaction with different results\n  - Invalid transaction confirmed (such as with an incorrect nonce)\n\n__High__\n  - Unintended chain split (Network partition)\n  - Transient consensus failures\n  - Remotely-exploitable denial of service in a node\n  - Remotely-exploitable memory or disk access, restricted to the Stacks Blockchain RPC/P2P ports\n\n__Medium__\n  - DoS of greater than 30% of miners and does not shut down the network\n\n__Low__\n  - DoS of greater than 10% but less than 30% of miners and does not shut down the network\n  - Underpricing transaction fees relative to computation time\n\n__Smart Contracts__\n\n__Critical__\n  - Loss of user funds by permanent freezing or theft\n  - Loss of governance funds (limited to `.cost-vote`)\n  - Governance vote manipulation\n\n__High__\n  - Theft of unclaimed reward\n  - Permanent freezing of unclaimed reward\n\n__Medium__\n  - Block stuffing without fund transfers blocked\n  - Block stuffing the Stacks chain such that smart contract calls can be blocked, but without paying the requisite higher transaction fees\n\n__Low__\n  - Smart contract fails to deliver promised returns, but doesn’t lose value\n  - A smart contract has certain operations underpriced or overpriced in ways that we don’t know about (i.e. that we don’t have open issues for).","productType":["L1"],"programOverview":"Stacks is a Bitcoin layer for smart contracts; it enables smart contracts and decentralized applications to use Bitcoin as an asset and settle transactions on the Bitcoin blockchain. 
Stacks is secured by the entire hash power of Bitcoin, giving it Bitcoin finality.\n\nsBTC is a 1:1 Bitcoin-backed asset, enabling users to put their BTC to work in DeFi, dApps, and other applications. It leverages Stacks’ programmability and Bitcoin finality to enable a new Bitcoin economy.\n\nFor more information about Stacks and sBTC, please visit [https://stacks.org/](https://stacks.org/), [https://www.stacks.co/](https://www.stacks.co/) and [https://www.stacks.co/sbtc](https://www.stacks.co/sbtc)\n\nWe at the Stacks Foundation maintain essential components of the Stacks blockchain infrastructure, including sBTC. Our security team prioritizes the following attack vectors:\n\n  - Theft of funds\n  - Permanent freezing of funds\n  - Total network shutdown or unauthenticated denial-of-service vectors\n  - Chain split or deep fork vectors\n  - Invalid transactions processing successfully or confirming\n  - Consensus failures\n  - Remotely exploitable weaknesses (as triggered through standard Stacks     - RPC and P2P ports only)\n  - (In smart contracts) Vote manipulation\n  - (In smart contracts) Block stuffing attacks\n  - (In smart contracts) Theft or loss of unclaimed rewards","programType":["Smart Contract","Blockchain/DLT"],"project":"Stacks","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for each category, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. 
If there is any discrepancy with the classification in the Impacts in Scope section, the classification in the Impacts in Scope section will hold true.\n\n__Blockchain, Smart Contracts or sBTC__\n\n- Critical: USD 25 000 up to USD 250 000\n- High: USD 5 000 up to USD 25 000\n- Medium: USD 5 000\n- Low: USD 1 000\n- Informational: Only in exceptional circumstances and solely at our discretion\n\nPlease note that Critical finding bounties are capped at 10% of the damage resulting from the finding. This mostly takes into account technical and financial damage but also includes the “human” impact, including reputational risk. We will guarantee a minimum payout of $25,000 USD for all valid Critical findings.\n\n__For sBTC:__\n\n- Non-Criticals which can be objectively determined to only be able to affect <1% of users may be downgraded by 1 severity.\n- Non-Critical impacts that are dependent on execution to have a malicious signer involved, may be downgraded by 1 severity level.\n- Non-Critical impacts on availability (e.g., denial of services) that are dependent on execution to have a malicious signer involved, may be downgraded by 1 or more severity levels.\n- Vulnerabilities related to WSTS will only be considered in scope if they can be exploited in sBTC.\n\n\n__We agree to:__\n\n  - Respond meaningfully to all reported issues in a timely manner.\n  - Not pursue legal action against or “counter-hack” any researchers acting in good faith and abiding by this program’s rules.\n  - Consider theoretical attacks and findings without proof-of-concept code as long as technically meaningful, evidence-based arguments are provided.\n\n__You must:__\n\n  - Undergo full KYC. 
We are based in the Cayman Islands and abide by strict AML law, including OFAC controls/sanctions and onchain wallet address screening.\n  - Not be based or test from an OFAC-sanctioned country or region or (be a sanctioned individual or organization) as defined here: [https://ofac.treasury.gov/sanctions-programs-and-country-information](https://ofac.treasury.gov/sanctions-programs-and-country-information)\n  - Report all bugs using this template. __All fields are required unless otherwise marked__.\n    - Executive summary of issue: \n    - Finding details: \n    - Repository, file, and line of code where finding is found:  \n    - Steps to replicate: \n    - Proof-of-concept exploitation code: \n    - Screenshots or video of finding being exploited using the PoC you have provided:  \n    - Impact of finding (short term): \n    - Impact of finding (long term): \n    - Mitigation suggestions (short term):\n    - Mitigation suggestions (long term): \n    - (Optional) Suggested patch:\n    - (Optional) Any useful links or resources:\n    - (Optional) Do you want a shout-out on our Security Wall of Fame? \n    - (Optional, if approved) Do you want a cybersecurity-themed NFT sent to your Stacks wallet?\n  - Use a private testnet. Testing on mainnet or public testnets is forbidden.\n\nPayouts are handled by the _Stacks Endowment team_ directly and are denominated in _USD_. However, payments will be made in the _USD_ equivalent in the _Stacks_ token (STX).","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"STX","slug":"stacks","tenPercentEconomicRule":false,"updatedDate":"2026-03-13T08:46:48.508Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Please note that all variants of remote denial-of-service attacks will automatically have their impact set to “Low”, regardless of any further downstream impact.__\n\n__Blockchain__\n\n**Critical:**\n- Any network to shut down or otherwise not confirm new valid transactions for multiple blocks\n- Any triggering of a deep fork of 10 or more blocks without spending the requisite Bitcoin\n- Any direct loss of funds other than through any form of freezing\n- Any chain split caused by different nodes processing the same block or transaction and yielding different results\n- Any confirmation of an invalid transaction, such as with an incorrect nonce\n\n**High:**\n- Any unintended chain split or network partition\n- Any remotely-exploitable memory access, disk access, or persistent code execution\n- Attacks are restricted to the Stacks blockchain RPC/P2P ports\n\n**Medium:**\n- Any transient consensus failures\n\n**Low:**\n- Any remotely-exploitable denial of service in a node\n- Any network denial of service impacting more than 10% of miners that does not shut down the network \n\n__Smart Contracts__\n\n**Critical:**\n- Any loss of user funds by permanent freezing or theft\n- Any loss of governance funds (limited to `.cost-vote`)\n- Any governance vote manipulation\n\n**High:**\n- Any theft of an unclaimed reward\n- Any permanent freezing of an unclaimed reward\n\n**Medium:**\n- Any block stuffing without fund transfers being blocked\n- Any block stuffing such that smart contract calls can be blocked but without paying any requisite higher transaction fees\n\n**Low:**\n- Any in-scope smart contract fails to deliver promised returns, but doesn’t lose value\n- Any underpricing or overpricing of smart contract operations\n\nPlease review open PRs before your submission as all duplicate attacks are considered “Out of Scope” as per 
below.\n\n__sBTC__\n\n**Critical:**\n- Direct loss of funds\n- Permanent freezing of funds\n\n**High:**\n- sBTC not being able to confirm new transactions (total sBTC shutdown)\n\n**Medium:**\n- A bug in the respective layer 1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk\n- Shutdown of greater than or equal to 30% of sBTC signers without brute force actions, but does not shut down the network\n- Temporarily freezing sBTC transactions\n- API crash preventing correct processing of sBTC deposits/withdrawals\n\n**Low:**\n- Modification of transaction fees outside of design parameters\n- Shutdown of greater than 10% or equal to but less than 30% of sBTC signers without brute force actions, but does not shut down the network\n\nPlease review open PRs before your submission as all duplicate attacks are considered “Out of Scope” as per below.","websiteUrl":"https://stacks.co","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Stacks is a Bitcoin layer for smart contracts; it enables smart contracts and decentralized applications to use Bitcoin as an asset and settle transactions on the Bitcoin blockchain. 
Stacks is secured by the entire hash power of Bitcoin, giving it Bitcoin finality.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Any attacks on 3rd party services, including but not limited to AWS or Datadog.\n  - Any sub-optimal default configuration changes.\n\n  - Any phishing, social engineering, or related attacks against the Stacks ecosystem or any members or customers thereof.\n  - Any attempt of phishing or other social engineering attacks against any Stacks ecosystem member. \n  - Any reporting of findings that are already public or known to us, including but not limited to: open Github PRs and issues; previous findings reported by other researchers; findings discovered during currently-active third-party security assessments; and duplicated results of concluded assessments as posted here: [https://stacks.org/audits](https://stacks.org/audits). Novel methods of attack leading to an already-documented impact are allowed.\n  - Any testing of third-party components. \n    - If it’s not listed as in-scope, it’s safe to assume you shouldn’t be testing or relying on it. 
\n    - If you disagree, feel free to explain why in your submission but DO NOT continue testing with our explicit written approval.\n  - (If applicable to funds) Any actual theft or freeze of funds.\n  - Any findings requiring access to or the cooperation of a Bitcoin miner.\n  - Any theoretical attacks without substantial evidence and supporting documentation.\n\n  - __Any failure to provide any information requested in the above reporting template__.\n  - __Any failure to use the given public GPG key to encrypt sensitive information__.\n  - Any negative or hostile behavior towards the Stacks ecosystem or members thereof, including but not limited to abuse of the ImmuneFi mediation process, initiation of direct contact with any Stacks ecosystem member via any communications method outside of ImmuneFi, and any form of coercion, harassment, threats, intimidation, stalking, or extortion. \n    - This also includes repeatedly asking for multiple status updates - we promise we have eyes on your report.\n  - Any automated scanner findings or fuzz test results without an associated functional proof-of-concept.\n  - Any testing on mainnet or public testnet\n  - Any active exploitation of a reported vulnerability beyond the absolute minimum required to prove the validity of your proof-of-concept code.\n    - You must not attack any other users under any circumstances. 
Test on your own addresses or contracts.\n  - Any public disclosure of a reported issue, including via CVE number assignment.\n  - Any failure to abide by any rules, requirements, or obligations as detailed above.","customProhibitedActivities":[],"impacts":[{"id":2270,"type":"blockchain_dlt","severity":"low","title":"Any remotely-exploitable denial of service in a node"},{"id":2271,"type":"blockchain_dlt","severity":"low","title":"Any network denial of service impacting more than 10% of miners that does not shut down the network"},{"id":2272,"type":"smart_contract","severity":"low","title":"Any in-scope smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":2273,"type":"smart_contract","severity":"low","title":"Any underpricing or overpricing of smart contract operations"},{"id":2274,"type":"blockchain_dlt","severity":"high","title":"Any unintended chain split or network partition"},{"id":2275,"type":"blockchain_dlt","severity":"high","title":"Any remotely-exploitable memory access, disk access, or persistent code execution. 
Attacks are restricted to the Stacks blockchain RPC/P2P ports"},{"id":2276,"type":"smart_contract","severity":"high","title":"Any theft of an unclaimed reward"},{"id":2277,"type":"smart_contract","severity":"high","title":"Any permanent freezing of an unclaimed reward"},{"id":2278,"type":"blockchain_dlt","severity":"medium","title":"Any transient consensus failures"},{"id":2279,"type":"smart_contract","severity":"medium","title":"Any block stuffing without fund transfers being blocked"},{"id":2281,"type":"blockchain_dlt","severity":"critical","title":"Any network to shut down or otherwise not confirm new valid transactions for multiple blocks"},{"id":2282,"type":"blockchain_dlt","severity":"critical","title":"Any triggering of a deep fork of 10 or more blocks without spending the requisite Bitcoin"},{"id":2283,"type":"blockchain_dlt","severity":"critical","title":"Any causing the direct loss of funds other than through any form of freezing"},{"id":2284,"type":"blockchain_dlt","severity":"critical","title":"Any chain split caused by different nodes processing the same block or transaction and yielding different results"},{"id":2285,"type":"blockchain_dlt","severity":"critical","title":"Any confirmation of an invalid transaction, such as with an incorrect nonce"},{"id":2286,"type":"smart_contract","severity":"critical","title":"Any loss of user funds by permanent freezing or theft"},{"id":2287,"type":"smart_contract","severity":"critical","title":"Any loss of governance funds (limited to `.cost-vote`)"},{"id":2288,"type":"smart_contract","severity":"critical","title":"Any governance vote manipulation"},{"id":5513,"type":"blockchain_dlt","severity":"high","title":"Attacks are restricted to the Stacks blockchain RPC/P2P ports"},{"id":5514,"type":"smart_contract","severity":"medium","title":"Any block stuffing such that smart contract calls can be blocked, but without paying any requisite higher transaction 
fees"}],"rewards":[{"id":42811,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":250000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":42812,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":25000,"rewardModel":"up_to"},{"id":42813,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","maxReward":5000,"rewardModel":"up_to"},{"id":42814,"primacy":null,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":42815,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":250000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":42816,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":25000,"rewardModel":"up_to"},{"id":42817,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":42818,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"18fcj6wUfkewAWTnDTnbgL","url":"https://moonbeam.foundation/","type":"websites_and_applications","addedAt":"2022-05-13T15:12:48.720Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2r4sLsZ2ZPAVt2R2uYiBay","url":"https://github.com/moonbeam-foundation/frontier","type":"blockchain_dlt","addedAt":"2022-05-10T16:32:28.772Z","revision":0,"description":"Frontier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"47eAU3xGqtRd2VDuqCdAJ4","url":"https://moonbeam.network/","type":"websites_and_applications","addedAt":"2022-05-13T15:12:47.720Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Uv4I8GXpfWeu9SX6b5Jhz","url":"https://github.com/moonbeam-foundation/moonbeam","type":"blockchain_dlt","addedAt":"2022-04-20T20:26:13.722Z","revision":0,"description":"Blockchain - 
Moonbeam","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5WiZhG7t40ZWeGaBIpt4gH","url":"https://apps.moonbeam.network","type":"websites_and_applications","addedAt":"2022-05-13T15:12:45.523Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5a6j1lsZIoVIBD7y8s8Hvi","url":"https://github.com/ethereum-lists/chains/blob/master/_data/chains/eip155-1287.json","type":"blockchain_dlt","addedAt":"2022-05-10T16:32:31.996Z","revision":0,"description":"RPC Infrastructure (Moonbeam)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"65Tfnm7Cosm5DgkpySB8FH","url":"https://github.com/ethereum-lists/chains/blob/master/_data/chains/eip155-1285.json","type":"blockchain_dlt","addedAt":"2022-05-10T16:32:29.796Z","revision":0,"description":"RPC Infrastructure (Moonriver)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6nPGNlOS5QZdKVQea72lBd","url":"https://github.com/ethereum-lists/chains/blob/master/_data/chains/eip155-1287.json","type":"blockchain_dlt","addedAt":"2022-05-10T16:32:30.878Z","revision":0,"description":"RPC Infrastructure (Moonbase Alpha)","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"The Moonriver parachain on Kusama and the Moonbeam parachain on Polkadot \n\nAll source code of Moonbeam can be found at [https://github.com/moonbeam-foundation/](https://github.com/moonbeam-foundation/). 
However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Polkadot"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust"],"launchDate":"2021-12-16T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4US5CNdpvCjBHHpUbUip3m/7de4ab736d271da97aa27415585755f4/Moonbeam_Icon_White_2x.png","maxBounty":5000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low","blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Blockchain/DLT__\n\n__Critical__\n  - An attack triggering the network not being able to confirm new transactions (Total network shutdown)\n  - An attack causing an unintended permanent chain split requiring hard fork (Network partition requiring hard fork)\n  - An attack causing direct loss of funds\n  - An attack causing permanent freezing of funds (fix requires hardfork)\n  - An attack causing the minting/creation of network utility tokens (MOVR/GLMR) outside of the normal, on-chain inflation mechanism\n\n__High__\n  - An attack causing an unintended chain split (Network partition)\n  - An attack causing transient consensus failures that recover without manual intervention\n  - Vulnerabilities in the CI/CD framework `(github/moonbeam-foundation)` leading to unauthorized code execution or code injection into production systems via the in-scope repositories\n\n__Medium__\n  - An attack causing high compute consumption by collator nodes leading to measurable economic cost\n  - Vulnerabilities in thin clients that could lead to security breaches or compromise of user data and that  cannot be exploited against full nodes\n  - A denial of Service (DoS) which attacks a single node and  affects more than 30% of collator nodes, causing lasting and provable economic impact on the network without shutting it down.\n  - An attack causing an RPC API crash that leads to measurable economic impact\n  - A bug in layer 1 blockchain code resulting in unintended smart contract behavior (no concrete funds at risk)\n\n__Low__\n  - An exploit allowing transactions to be processed with fees disproportionately low relative to computation time, leading to network abuse or economic imbalance.\n\n__Websites and Applications__\n\n__Critical__\n\n - Ability to execute system commands\n - Extraction of sensitive data/files from the server such as /etc/passwd\n - Signing 
transactions for other users\n - Redirection of user deposits and withdrawals\n - Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)\n - Wallet interaction modification resulting in financial loss\n - Direct theft of user funds \n - Tampering with transactions submitted to the user’s wallet\n - Submitting malicious transactions to an already-connected wallet\n\n__High__\n\n - Persistent content spoofing on the target application that demonstrates a clear potential for economic loss or user deception leading to financial harm\n - Disclosure of users' confidential information, such as email addresses, phone numbers, or other personally identifiable information (PII)\n - Privilege escalation to access unauthorized functionalities\n - A bug exploit that takes down the application or website for an extended period (e.g., more than 24 hours), causing significant disruption or financial loss.\n\n__Medium__\n\n - Cross-Site Request Forgery (CSRF) vulnerabilities allowing unauthorized changes to other users' details without direct financial impact\n - Leakage of third-party API keys that could lead to loss of funds or unauthorized modifications on the website\n - Open Redirect vulnerabilities that can be exploited to redirect users to malicious websites, facilitating phishing attacks or malware distribution.\n\n__Low__\n\n  - Clickjacking attacks that frame sensitive pages, potentially leading to unauthorized transactions or financial loss.\n  - Any impact involving a publicly released CVE without a working PoC\n\nIn case of discrepancy between [Immunefi Vulnerability Severity Classification System V2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2/) and Moonbeam classification above, Moonbeam classification will be followed.","productType":["L1"],"programOverview":"Moonbeam is an Ethereum-compatible smart contract platform on the Polkadot network that makes it easy to build natively 
interoperable applications. This Ethereum compatibility allows developers to deploy existing Solidity smart contracts and DApp frontends to Moonbeam with minimal changes. As a parachain on the Polkadot network, Moonbeam benefits from the shared security of the Polkadot relay chain and integrations with other chains that are connected to Polkadot. \n\nFor more information about Moonbeam Network, please visit [https://moonbeam.network/](https://moonbeam.network/).   \n\nThis bug bounty program is focused on their Moonriver and Moonbeam parachains (deployed to Kusama and Polkadot respectively) and dApps and is focused on preventing:\n\n  - An attack triggering the network not being able to confirm new transactions (Total network shutdown)\n  - An attack causing an unintended permanent chain split requiring hard fork (Network partition requiring hard fork)\n  - An attack causing direct loss of funds\n  - An attack causing permanent freezing of funds (fix requires hardfork)\n  - An attack causing the minting/creation of network utility tokens (MOVR/GLMR) outside of the normal, on-chain inflation mechanism\n  - Ability to execute system commands\n  - Extraction of sensitive data/files from the server such as /etc/passwd\n  - Signing transactions for other users\n  - Redirection of user deposits and withdrawals\n  - Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)\n  - Wallet interaction modification resulting in financial loss\n  - Direct theft of user funds \n  - Tampering with transactions submitted to the user’s wallet\n  - Submitting malicious transactions to an already-connected wallet","programType":["Websites and Applications","Blockchain/DLT"],"project":"Moonbeam Network","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System 
V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll  bug reports must come with a detailed PoC demonstrating the exploit in a real-world scenario; and written instructions to reproduce, in order to be considered for a reward. Theoretical vulnerabilities without a working POC will not be accepted. \n\nFor **Critical vulnerabilities** , rewards are based on how much value is realistically at risk and how quickly that risk can be realized. We first calculate the **base risk ratio**:\n\nFunds at Risk ÷ (Moonbeam market cap + Moonriver market cap) \n\nusing market caps  on the day of the report.\n\nBecause some vulnerabilities can only cause damage gradually over time, the base risk ratio is then scaled down based on how long it would take to actually realize that impact.\n\nTo do this, we divide the base risk ratio by the number of two-day periods required to exploit the issue:\n\n* Impact achievable within 2 days → no reduction\n* Impact achievable within 4 days → divide risk by 2\n* Impact achievable within 6 days → divide risk by 3\n* and so on\n\nOnly full two-day periods are counted, and the minimum assumed time is 2 days.\n\nThis  can be expressed as:\n\nRisk Ratio Over Time = (Funds at Risk / ( Moonbeam Market Cap + Moonriver Market Cap))  / (  D/2)\n\nThe final, risk ratio over time is then used to determine the payout:\n\n  - If the ratio is at or below 0.5, the payout is calculated linearly between 1000$ and 2000$.\n  - If the  ratio is above 0.5, the payout is calculated linearly between $2K and $5K; with a maximum cap of $5K\n\nThis results in the following payout graph:\n![MoonbeamNewGraph](https://imgur.com/a/6AI5wAu)\n\nNote that a bug reported for one of either the Moonbeam or Moonriver 
networks that applies to both will be treated as a single report and paid only once. \n\nThe Moonbeam Foundation requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is an ID scan along with a selfie to verify identity. \n\nPayouts are handled by the __Moonbeam Foundation__ team directly and are denominated in USD. However, payouts are done in __USDT__ or __USDC__.\n\nThe Moonriver parachain on Kusama and the Moonbeam parachain on Polkadot (estimated launch in Jan 2022) are both included in the assets-in-scope. \n\nAll source code of Moonbeam can be found at [https://github.com/PureStake/](https://github.com/PureStake/). However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, USDT","slug":"moonbeamnetwork","tenPercentEconomicRule":true,"updatedDate":"2026-03-12T22:49:33.088Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Moonbeam is an Ethereum-compatible smart contract platform on the Polkadot network that makes it easy to build natively interoperable applications. This Ethereum compatibility allows developers to deploy existing Solidity smart contracts and DApp frontends to Moonbeam with minimal changes. As a parachain on the Polkadot network, Moonbeam benefits from the shared security of the Polkadot relay chain and integrations with other chains that are connected to Polkadot.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"The following vulnerabilities are **explicitly** excluded from the rewards for this bug bounty program:\n\n- Attacks that the reporter has already exploited themselves, leading to damage\n- Attacks requiring access to leaked keys/credentials\n- Attacks requiring access to privileged addresses (governance, strategist)\n- Attacks relying in whole or in part on  social engineering, deception or phishing attacks\n- Vulnerabilities in third-party dependencies not under Moonbeam Foundation's control, especially when no known fix exists at the time of the report. Such vulnerabilities should be reported to the respective third-party organizations responsible for the code. If we cannot fix the vulnerability, we will not pay a bounty.\n- Bugs or vulnerabilities in external services or platforms that Moonbeam Network uses but does not control.\n- Broken link hijacking is out of scope \n- Non-Production Code: Any code present in the in-scope repositories that has not yet been deployed to the production Moonbeam or Moonriver networks is out of scope.\n- Theoretical Vulnerabilities: Vulnerabilities that are purely theoretical without practical exploitability. 
This includes exploits requiring unrealistic scenarios, assumptions, or clear human error.\n- Excessive Investment Attacks: Attacks that require an impractically high investment beyond reasonable means (e.g., requiring more than $100 million USD to execute).\n- User Negligence: Issues that arise solely from user misconfiguration or negligence, where exploitation is possible only if users ignore standard security practices.\n- Low-Impact DoS Attacks: Denial-of-Service (DoS) attacks that are temporary and do not result in significant disruption or measurable financial loss.\n- Best Practice Suggestions: Code optimizations, style guidelines, or recommendations that do not have a direct security impact.\n- Cosmetic Issues: Aesthetic issues, including typos, branding inconsistencies, or minor UI glitches that do not lead to security vulnerabilities or exploitation.\n\n__Smart Contracts and Blockchain__\n\n- All smart contracts deployed on Moonbeam or Moonriver\n- Third-Party Oracle Data: Issues arising from incorrect data supplied by third-party oracles\n- Basic economic governance attacks (e.g. 
51% attack)\n- Attacks relying on developers committing errors due to how Moonbeam’s EVM implementation differs from the standard EVM implementation\n- Liquidity Issues: Vulnerabilities or attacks that exploit a lack of liquidity.\n- Best Practice Critiques: Suggestions for improvements that do not address specific security vulnerabilities.\n- Sybil Attacks: Attacks involving the creation of multiple fake identities to gain disproportionate influence.\n- Centralization Risks: Risks associated with centralization that do not involve a specific vulnerability.\n- Any bugs or exploits in third party wallets\n\n__Websites and Apps__\n\n- Theoretical Vulnerabilities: Issues without a working proof of concept or demonstration of impact.\n- Content Spoofing/Text Injection: Content spoofing or text injection issues that do not lead to further exploitation.\n- Self-XSS: Cross-Site Scripting attacks that require the victim to self-execute malicious code.\n- Captcha Bypass via OCR: Automated Captcha solving using Optical Character Recognition without direct security impact.\n- Non-Impactful CSRF: Cross-Site Request Forgery vulnerabilities that do not lead to significant security impact (e.g., logout CSRF, changing user preferences).\n- Missing Security Headers: Absence of HTTP security headers or cookie flags that do not lead to an exploitable vulnerability.\n- Server Information Disclosure: Disclosure of server information like IPs, server names, or stack traces that do not reveal sensitive data.\n- User Enumeration: Ability to enumerate or confirm the existence of users or tenants without further impact.\n- Unlikely User Actions: Vulnerabilities that require unrealistic or unlikely actions by the user.\n- Open Redirects: URL redirects unless they can be combined with another vulnerability to escalate the impact.\n- SSL/TLS Best Practices: Recommendations for SSL/TLS improvements without a direct security impact.\n- Low-Impact DDoS: Denial-of-Service vulnerabilities that do 
not cause significant disruption or financial loss.\n- Internal Privileged Access: Attacks requiring privileged access from within the organization.\n- Email SPF Records: Issues related to SPF, DKIM, or DMARC records for email domains without direct security impact.\n- Feature Requests: Suggestions for new features or enhancements.\n- Best Practice Suggestions: Recommendations for best practices without identifying specific vulnerabilities.","customProhibitedActivities":[],"impacts":[{"id":1465,"type":"blockchain_dlt","severity":"low","title":"DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network"},{"id":1466,"type":"blockchain_dlt","severity":"low","title":"An exploit underpricing transaction fees relative to computation time"},{"id":1467,"type":"websites_and_applications","severity":"low","title":"Framing sensitive pages leading to financial loss (ClickJacking)"},{"id":1468,"type":"websites_and_applications","severity":"low","title":"Any impact involving a publicly released CVE without a working PoC"},{"id":1469,"type":"blockchain_dlt","severity":"high","title":"An attack causing an unintended chain split (Network partition)"},{"id":1470,"type":"blockchain_dlt","severity":"high","title":"An attack causing transient consensus failures; which recover without manual intervention"},{"id":1471,"type":"websites_and_applications","severity":"high","title":"Spoofing content on the target application (Persistent)"},{"id":1472,"type":"websites_and_applications","severity":"high","title":"Users Confidential information disclosure such as Email"},{"id":1473,"type":"websites_and_applications","severity":"high","title":"Privilege escalation to access unauthorized functionalities"},{"id":1474,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website"},{"id":1475,"type":"blockchain_dlt","severity":"medium","title":"An attack causing high compute consumption by validator/mining 
nodes"},{"id":1476,"type":"blockchain_dlt","severity":"medium","title":"Attacks that are limited to thin clients and cannot be exploited against full nodes"},{"id":1477,"type":"blockchain_dlt","severity":"medium","title":"DoS of greater than 30% of validator or miner nodes and does not shut down the network"},{"id":1479,"type":"websites_and_applications","severity":"medium","title":"Changing details of other users without direct financial impact (CSRF)"},{"id":1480,"type":"websites_and_applications","severity":"medium","title":"Third-Party API keys leakage that demonstrates loss of funds or modification on the website"},{"id":1481,"type":"blockchain_dlt","severity":"medium","title":"A bug in layer 1 blockchain code resulting in unintended smart contract behavior (no concrete funds at risk)"},{"id":1482,"type":"blockchain_dlt","severity":"critical","title":"An attack triggering the network not being able to confirm new transactions (Total network shutdown)"},{"id":1483,"type":"blockchain_dlt","severity":"critical","title":"An attack causing an unintended permanent chain split requiring hard fork (Network partition requiring hard fork)"},{"id":1484,"type":"blockchain_dlt","severity":"critical","title":"An attack causing direct loss of funds"},{"id":1485,"type":"blockchain_dlt","severity":"critical","title":"An attack causing permanent freezing of funds (fix requires hardfork)"},{"id":1486,"type":"blockchain_dlt","severity":"critical","title":"An attack causing the minting/creation of network utility tokens (MOVR/GLMR) outside of the normal, on-chain inflation mechanism"},{"id":5862,"type":"blockchain_dlt","severity":"low","title":"An  attack causing an RPC API crash  on a tracing node"},{"id":5863,"type":"blockchain_dlt","severity":"medium","title":"An attack causing an RPC API crash on a  regular node"},{"id":5828,"type":"websites_and_applications","severity":"high","title":"Submitting malicious transactions to an already-connected 
wallet"},{"id":5829,"type":"websites_and_applications","severity":"high","title":"Tampering with transactions submitted to the user’s wallet"},{"id":5830,"type":"websites_and_applications","severity":"high","title":"Direct theft of user funds"},{"id":5831,"type":"websites_and_applications","severity":"high","title":"Wallet interaction modification resulting in financial loss"},{"id":5832,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)"},{"id":5833,"type":"websites_and_applications","severity":"high","title":"Redirection of user deposits and withdrawals"},{"id":5834,"type":"websites_and_applications","severity":"high","title":"Signing transactions for other users"},{"id":5835,"type":"websites_and_applications","severity":"high","title":"Extraction of sensitive data/files from the server such as /etc/passwd"},{"id":5836,"type":"websites_and_applications","severity":"high","title":"Ability to execute system commands"},{"id":5936,"type":"blockchain_dlt","severity":"low","title":"Attacks affecting funds flowing through XCM (Cross Chain 
Messaging)"}],"rewards":[{"id":42804,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":5000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":42805,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":3000,"rewardModel":"up_to"},{"id":42806,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","maxReward":2000,"rewardModel":"up_to"},{"id":42807,"primacy":null,"severity":"low","assetType":"blockchain_dlt","maxReward":1000,"rewardModel":"up_to"},{"id":42808,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":2000,"rewardModel":"up_to"},{"id":42809,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":1500,"rewardModel":"fixed"},{"id":42810,"primacy":null,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"18RiGArabEsNRGz8GSwF5P","url":"https://etherscan.io/address/0x65Fbae61ad2C8836fFbFB502A0dA41b0789D9Fc6","type":"smart_contract","addedAt":"2023-04-27T22:22:07.464Z","revision":0,"description":"Bank","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Go1ORLFdmZNOueEzzpT9V","url":"https://polygonscan.com/address/0x09959798B95d00a3183d20FaC298E4594E599eab","type":"smart_contract","addedAt":"2023-06-20T23:59:18.309Z","revision":0,"description":"tBTC v2 Polygon gateway contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1MSd16TaBxgV9QcMQvLqFD","url":"https://etherscan.io/address/0x2111A49ebb717959059693a3698872a0aE9866b9","type":"smart_contract","addedAt":"2025-07-17T22:02:04.429Z","revision":0,"description":"L1 bridge 
address(Starknet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1MzB6IDx9pf8ub0t0VNI6N","url":"https://etherscan.io/address/0x46d52E41C2F300BC82217Ce22b920c34995204eb","type":"smart_contract","addedAt":"2023-04-27T22:23:30.901Z","revision":0,"description":"WalletRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1jSKm4wJsEYXSLXPBsaxs7","url":"https://starkscan.co/contract/0x067eb1988556edd7543a3c9ee24cc078be35fd49f0b7f264cc0434aeb6dfb09e","type":"smart_contract","addedAt":"2025-07-17T22:02:37.381Z","revision":0,"description":"L2 bridge address (Starknet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1rA7aoNHzFyLRpfgxlby3E","url":"https://optimistic.etherscan.io/address/0x1293a54e160D1cd7075487898d65266081A15458","type":"smart_contract","addedAt":"2023-06-20T23:59:59.468Z","revision":0,"description":"tBTC v2 Optimism gateway contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1rB0IByuwz7x6QvEC25igz","url":"https://basescan.org/address/0xe931F1Ac6B00400E1dAD153E184afeE164d2D88B","type":"smart_contract","addedAt":"2025-10-20T06:10:15.047Z","revision":0,"description":"L2BTCRedeemerProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2C6xwzHehwjj0eyEQFzAsc","url":"https://polygonscan.com/address/0x236aa50979D5f3De3Bd1Eeb40E81137F22ab794b","type":"smart_contract","addedAt":"2023-06-20T23:58:55.582Z","revision":0,"description":"tBTC v2 token on Polygon","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ERGCmnqvspFBwDHkep0r0","url":"https://etherscan.io/address/0x836cdFE63fe2d63f8Bdb69b96f6097F36635896E","type":"smart_contract","addedAt":"2023-04-27T22:23:18.097Z","revision":0,"description":"LightRelay","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Mdi9gvCGSN4FNNN193cCq","url":"https://arbiscan.io/address/0x1293a54e160D1cd7075487898d65266081A15458","type":"smart_contract","addedAt":"2023-06-21T00:00:41.461Z","revision":0,"description":" tBTC v2 Arbitrum gateway 
contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2QwYTZe5bVdzZWlJe7PIn9","url":"https://etherscan.io/address/0xd101f2b25bcbf992bdf55db67c104fe7646f5447","type":"smart_contract","addedAt":"2023-04-27T22:20:56.001Z","revision":0,"description":"TokenholderGovernor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2SUbaHFPMKaF9z9Pgi5HX1","url":"https://etherscan.io/address/0x5e4861a80B55f035D899f66772117F00FA0E8e7B","type":"smart_contract","addedAt":"2023-04-27T22:22:20.971Z","revision":0,"description":"Bridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2VfvQPiv3Pr3lpKp5WOHQv","url":"https://etherscan.io/address/0xC9031f76006da0BD4bFa9E02aDf0d448dB3BC155","type":"smart_contract","addedAt":"2025-07-17T22:03:26.152Z","revision":0,"description":"StarknetBitcoinDepositor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2hrthrnK5BO0cTFTG26aVb","url":"https://arbiscan.io/address/0xd7Cd996a47b3293d4FEc2dBcF49692370334d9b7","type":"smart_contract","addedAt":"2025-10-20T06:10:15.059Z","revision":0,"description":"L2BTCRedeemerProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2nvvPnesdcy5W9eaD22Pwf","url":"https://etherscan.io/address/0xcF29Ff894674775841F60Aa2a3c373DE27A8df2b","type":"smart_contract","addedAt":"2023-04-27T22:26:45.588Z","revision":0,"description":"MaintainerProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"34HT2J84Q26Zx9yhRzny6V","url":"https://etherscan.io/address/0xa544b70dC6af906862f68eb8e68c27bb7150e672","type":"smart_contract","addedAt":"2023-04-27T22:26:30.610Z","revision":0,"description":"DonationVault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Cd6NmrR2LMT8mOVbx6Mvu","url":"https://suiscan.xyz/mainnet/coin/0x77045f1b9f811a7a8fb9ebd085b5b0c55c5cb0d1520ff55f7037f89b5da9f5f1","type":"smart_contract","addedAt":"2025-07-17T08:27:43.375Z","revision":0,"description":"Sui package 
ID","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3D1TLnHFfmk0DAvewaeisu","url":"https://etherscan.io/address/0xfbae130e06bbc8ca198861beecae6e2b830398fb","type":"smart_contract","addedAt":"2023-04-27T22:23:43.846Z","revision":0,"description":"WalletRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3M8lrqqo9yE7US158muWVV","url":"https://etherscan.io/address/0x0125c8977a02b2Fa3970b1ED9AF02f5Bedd4eF27","type":"smart_contract","addedAt":"2023-04-27T22:23:56.242Z","revision":0,"description":"EcdsaDkgValidator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3mp77SHNakwl8ZIKSNBilG","url":"https://starkscan.co/contract/0x067eb1988556edd7543a3c9ee24cc078be35fd49f0b7f264cc0434aeb6dfb09e","type":"smart_contract","addedAt":"2025-07-17T08:27:41.832Z","revision":0,"description":"L2 bridge address (Starknet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3nzwOEe4NBIWsyqvnrN9xB","url":"https://etherscan.io/address/0xb810AbD43d8FCFD812d6FEB14fefc236E92a341A","type":"smart_contract","addedAt":"2025-07-17T08:27:41.825Z","revision":0,"description":"L1 bitcoinDepositor (Sui)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3p9Xq60rCSF99kaTlHersa","url":"https://etherscan.io/address/0x18084fbA666a33d37592fA2633fD49a74DD93a88","type":"smart_contract","addedAt":"2023-04-27T22:25:49.974Z","revision":0,"description":"TBTC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"40lszs9ONoXIOTtQtdjPfV","url":"https://arbiscan.io/address/0x6c84a8f1c29108f47a79964b5fe888d4f4d0de40/","type":"smart_contract","addedAt":"2023-06-21T00:00:21.812Z","revision":0,"description":" tBTC v2 token on Arbitrum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4BxoiKQBKYHMgfYSKGBKmf","url":"https://etherscan.io/address/0x75A6e4A7C8fAa162192FAD6C1F7A6d48992c619A","type":"smart_contract","addedAt":"2024-09-27T10:36:29.518Z","revision":0,"description":"L1BitcoinDepositor 
(Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4MzQFCGShtu9xI40jRockV","url":"https://etherscan.io/address/0x2111A49ebb717959059693a3698872a0aE9866b9","type":"smart_contract","addedAt":"2025-07-17T08:27:41.857Z","revision":0,"description":"L1 bridge address(Starknet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4RZJ2WZ1rBTUwvmCNdBwY3","url":"https://etherscan.io/address/0xC9031f76006da0BD4bFa9E02aDf0d448dB3BC155","type":"smart_contract","addedAt":"2025-07-17T08:27:41.834Z","revision":0,"description":"StarknetBitcoinDepositor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4WDIlc9zWJPIhUYNJ4hdCD","url":"https://github.com/threshold-network/tbtc-v2/tree/main/cross-chain/bob/contracts","type":"smart_contract","addedAt":"2025-10-24T08:52:08.307Z","revision":0,"description":"BOB contracts codebase","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Y5EjefOntnI6GmMeN8hHJ","url":"https://etherscan.io/address/0xea7ca290c7811d1cc2e79f8d706bd05d8280bd37","type":"smart_contract","addedAt":"2023-04-27T22:21:12.811Z","revision":0,"description":"CumulativeMerkleDrop","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ZBRneCrWxZE31ZRv6iSOv","url":"https://starkscan.co/contract/0x04daa17763b286d1e59b97c283c0b8c949994c361e426a28f743c67bdfe9a32f","type":"smart_contract","addedAt":"2025-07-17T08:27:41.881Z","revision":0,"description":"tBTC token on StarkNet","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4hx16HPG9RYmIon1TeImo9","url":"https://basescan.org/address/0x236aa50979d5f3de3bd1eeb40e81137f22ab794b","type":"smart_contract","addedAt":"2023-09-17T17:22:09.308Z","revision":0,"description":"tBTC v2 token on Base","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4k6f2BsJrj67txWA8oT2vS","url":"https://suiscan.xyz/mainnet/coin/0x77045f1b9f811a7a8fb9ebd085b5b0c55c5cb0d1520ff55f7037f89b5da9f5f1::TBTC::TBTC/txs","type":"smart_contract","addedAt":"2025-07-17T08:27:41.836Z","revision":0,"description":"tBTC token on 
Sui","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4tGfi7ReLQmQfoP04TM2t3","url":"https://solscan.io/account/Gj93RRt6QB7FjmyokAD5rcMAku7pq3Fk2Aa8y6nNbwsV","type":"smart_contract","addedAt":"2023-09-17T17:22:47.936Z","revision":0,"description":"tBTC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Ju0Szh1iWCeiiN5Rac11L","url":"https://etherscan.io/address/0x5D4d83aaB53B7E7cA915AEB2d4d3f4e03823DbDe","type":"smart_contract","addedAt":"2025-10-20T06:10:15.044Z","revision":0,"description":"L1BTCRedeemerProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5YNiOWtffg0T7eir9JKJii","url":"https://etherscan.io/address/0x6aed6cC30D1b2770771052555d257Da86eD47fe8","type":"smart_contract","addedAt":"2023-04-27T22:25:34.435Z","revision":0,"description":"WalletRegistryGovernance","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5gafjL2BjtDKVanmp0nNAX","url":"https://github.com/keep-network/tbtc-v2/tree/main/typescript","type":"smart_contract","addedAt":"2024-04-01T10:08:49.839Z","revision":0,"description":"tBTC SDK - typescript 
library","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5z7785QHXL12nEb4Rz9jly","url":"https://etherscan.io/address/0xCdF7028ceAB81fA0C6971208e83fa7872994beE5","type":"smart_contract","addedAt":"2023-04-27T22:20:15.099Z","revision":0,"description":"T","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"61hKZMnEuiJNXXFIaowiLR","url":"https://etherscan.io/address/0x9C070027cdC9dc8F82416B2e5314E11DFb4FE3CD","type":"smart_contract","addedAt":"2023-04-27T22:22:50.197Z","revision":0,"description":"TBTCVault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"68sQOJqEy5AOg0rTQeupBT","url":"https://etherscan.io/address/0x8adF3f35dBE4026112bCFc078872bcb967732Ea8","type":"smart_contract","addedAt":"2023-04-27T22:25:19.989Z","revision":0,"description":"ReimbursementPool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6L3P4lafUrO9wbHLiSF6mj","url":"https://etherscan.io/address/0x0184739C32edc3471D3e4860c8E39a5f3Ff85A45","type":"smart_contract","addedAt":"2025-12-17T12:07:07.733Z","revision":0,"description":"T Staking rebates for tBTC ","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6UpOczTDqfu6huiVHSoH9i","url":"https://etherscan.io/address/0xB8dF0A949aC45ff8f401553A1dcb742Feb38E6D3","type":"smart_contract","addedAt":"2024-04-01T10:09:54.478Z","revision":0,"description":"RedemptionWatchtower","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6edyjcFeMDXvUYx5LDxKCW","url":"https://basescan.org/address/0x09959798b95d00a3183d20fac298e4594e599eab","type":"smart_contract","addedAt":"2023-09-17T17:22:26.355Z","revision":0,"description":"tBTC v2 Base gateway contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6pifDzIREgOk5GXAH0c2yY","url":"https://www.threshold.network/","type":"websites_and_applications","addedAt":"2025-11-27T22:56:25.494Z","revision":0,"description":"threshold network 
website","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6siLdoxWeAWii3xj2qN357","url":"https://etherscan.io/address/0x30019D85a86ABD3cDA1167F4C052690c32FBDEc2","type":"smart_contract","addedAt":"2024-04-01T10:09:39.481Z","revision":0,"description":"WalletProposalValidator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6tPXGHQmGRyVSHTy8Xb3QE","url":"https://solscan.io/account/87MEvHZCXE3ML5rrmh5uX1FbShHmRXXS32xJDGbQ7h5t","type":"smart_contract","addedAt":"2023-09-17T17:23:06.027Z","revision":0,"description":"Wormhole gateway ","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7CU1BuG0DXINXUGlKtSoQy","url":"https://etherscan.io/address/0x8d014903bf7867260584d714e11809fea5293234","type":"smart_contract","addedAt":"2023-04-27T22:22:35.727Z","revision":0,"description":"Bridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"HBWPSjJ9vsLye9avuM9xE","url":"https://etherscan.io/address/0xc2731fb2823af3Efc2694c9bC86F444d5c5bb4Dc","type":"smart_contract","addedAt":"2024-06-07T10:32:40.312Z","revision":0,"description":"SortitionPool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"KqfrlNPLQwLV3LSIfrXXa","url":"https://explorer.gobob.xyz/address/0x36Ee23c94523A05981baaEEaea4BA97cDDe21f6a?tab=read_proxy","type":"smart_contract","addedAt":"2025-10-24T08:52:08.295Z","revision":0,"description":"BurnFromMintTokenPoolUpgradeable","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"UjJzpekQCpItFoCMn6oq8","url":"https://arbiscan.io/address/0x1C8d7b744b474c080faADd5BF9AD965Be4258F9e","type":"smart_contract","addedAt":"2024-09-27T10:36:11.241Z","revision":0,"description":"L2BitcoinDepositor 
(Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Y5uaflNFYazHhM1TMolM0","url":"https://etherscan.io/address/0x03E342731c08FDDc34cFb43E91cB3a7e424ee0F6#readProxyContract","type":"smart_contract","addedAt":"2025-10-24T08:52:08.300Z","revision":0,"description":"LockReleaseTokenPoolUpgradeable","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"YpSGRPaF6HZaAp34aNllu","url":"https://optimistic.etherscan.io/address/0x6c84a8f1c29108F47a79964b5Fe888D4f4D0dE40","type":"smart_contract","addedAt":"2023-06-20T23:59:40.834Z","revision":0,"description":"tBTC v2 token on Optimism","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ndNSdf8ceq72uhLscotmx","url":"https://etherscan.io/address/0xA94DD662E2A247493fACCeab9f2459AAF90778Ee","type":"smart_contract","addedAt":"2023-04-27T22:26:18.302Z","revision":0,"description":"BridgeGovernance","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"qjb1k9aDUtBM3DXuUKVLH","url":"https://starkscan.co/contract/0x04daa17763b286d1e59b97c283c0b8c949994c361e426a28f743c67bdfe9a32f","type":"smart_contract","addedAt":"2025-07-17T22:03:04.878Z","revision":0,"description":"tBTC token on StarkNet","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Impacts only apply to assets in active use by the project, such as contracts on mainnet or web/app assets used in production. Any impact that applies to assets not in active use, like test or mock files, is out-of-scope of the bug bounty program unless explicitly mentioned as in-scope.\n\nAll reports must be submitted in English.\n\n__Smart Contracts__ \n\n- __Smart Contracts - PoC__: Smart contract bug reports must include a runnable Proof of Concept (PoC) in order to prove impact.  
\n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n- All smart contracts of Threshold Network can be found at:\n   - [https://github.com/threshold-network](https://github.com/threshold-network)\n   - [https://github.com/nucypher](https://github.com/nucypher)\n   - [https://github.com/keep-network](https://github.com/keep-network)\n\n__Web/App__ \n\n- __Web/App__ - Bug reports must include a runnable Proof of Concept (PoC) in order to prove impact. \n- All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All PoC content must adhere to the [PoC guidelines and rules of Immunefi](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). In the event that a PoC requires an attack on a provided web/app asset, it must still adhere to the rules provided; otherwise eligibility for a reward may be revoked. \n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n- All code of Threshold Network can be found at: [https://github.com/threshold-network/token-dashboard](https://github.com/threshold-network/token-dashboard)\n\nWhitehats are highly encouraged to review any potential subdomains and what specific port(s) are in scope. Even though the domain may be the same, different ports may point to different assets.  
\n\n__Dev Environment and Documentation__\n\nThreshold Network has included dev documentation and/or instructions to help in reviewing code and exploring for bugs:\n\n- https://docs.threshold.network/resources/contract-addresses/sepolia-testnet\n- https://docs.threshold.network/staking-and-running-a-node/goerli-testnet-staking\n- https://docs.threshold.network/app-development/tbtc-v2/tbtc-sdk\n- [https://github.com/keep-network/tbtc-v2#installation](https://github.com/keep-network/tbtc-v2#installation)\n- [https://github.com/keep-network/keep-core/tree/main/solidity/ecdsa#build](https://github.com/keep-network/keep-core/tree/main/solidity/ecdsa#build)\n- [https://github.com/threshold-network/solidity-contracts#build-test-and-deploy](https://github.com/threshold-network/solidity-contracts#build-test-and-deploy)\n\n__Impacts to other assets__\n\nFor the purposes of determining report validity, this is a Primacy of Rules program. However, hackers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. 
\n\nIf whitehats can demonstrate a critical impact on code in production for an asset not in scope, Threshold Network encourages you to submit your bug report and it will be assessed on a case-by-case basis.\n\n__Impacts in Scope__\n\nImpacts are based on the [Immunefi Vulnerability Severity Classification System V2.3.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\nAt Immunefi, we classify bugs on a simplified 4-level scale:\n- Critical\n- High\n- Medium\n- Low","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","ETH","Optimism","Polygon","Solana","Base","Starknet","SUI"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Solidity"],"launchDate":"2023-04-28T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5sXJAYkgjf0BtH2uarlVA3/1f1993cf792814921c5c289b57004768/token-symbol-purple.svg","maxBounty":150000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Crosschain Liquidity","Currency","Staking","Synthetic Assets"],"programOverview":"Threshold is the first ever on-chain merge between two existing networks and communities, Keep and NuCypher. The Threshold Network provides a suite of threshold cryptography products that power user sovereignty on the public blockchain. Threshold cryptography distributes sensitive operations across multiple independent entities, like nodes in a network. A successful operation requires a threshold or a minimum number of entities to cooperate. 
This simple idea increases security and availability and reduces reliance on trusted parties.\n\nThreshold is governed by a DAO whose parts hold separate responsibilities that are embedded in the governance structure. The Threshold DAO has two primary bodies: the Tokenholder DAO (based on the Governor Bravo governance model) and the Elected Council. The goal of this two-pronged structure is to enhance representation while ensuring accountability. Each governance body holds the other accountable, similar to the system of checks and balances found in most constitutional governments. \n\nFor more information about Threshold Network, please visit [https://threshold.network/](https://threshold.network/)\n\n__For Whitehats:__ It is highly recommended that you review the details of this program in full. Although many Bug Bounty programs have standard terms and conditions, each also has its own unique details that are critical to your success.  \n\nPrior to submitting a report please review the [Immunefi Bug Report Template and Best Practices](https://immunefisupport.zendesk.com/hc/en-us/articles/12435277406481-Bug-Report-Template).","programType":["Smart Contract","Websites and Applications"],"project":"Threshold Network","projectType":["Blockchain","Defi"],"rewardsBody":"Please review how rewards are distributed based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 4-level scale system with separate scales for Smart Contracts and Websites/Apps.\n\nRewards for critical smart contract bug reports will be further capped at 10% of direct funds at risk if the bug discovered is exploited. However, there is a minimum reward of USD 10 000 and a max program cap of USD 150 000.\n\nRewards for low smart contract bug reports will be discretionary and according to the report (and PoC) quality and effort. 
Low criticality involves those impacts where the contract fails to deliver promised returns, but doesn't lose value. There is a max cap of USD 1 000.\n\nCritical web/app vulnerabilities are eligible for a two-tier reward structure: Critical issues that result in provable financial loss are rewarded with $3,000, while all other Critical web/app vulnerabilities receive a $1,000 reward.\n\nReward Cap for T Staking Contract Findings: Findings related to the T staking contract are eligible for rewards but will be capped at a maximum of USD 100 000 per vulnerability, irrespective of severity classification, in cases where only T is impacted.\n\n\n__Payouts and Payout Requirements__\n\nPayouts are handled by the Threshold DAO team directly and are denominated in USD. However, payouts are made in T ([https://www.coingecko.com/en/coins/threshold-network-token#markets](https://www.coingecko.com/en/coins/threshold-network-token#markets)). \n\nThe calculation of the net amount rewarded is based on the average price between high and low for the day of the report submission as published on [CoinMarketCap.com](https://coinmarketcap.com/) Historical Data ([https://coinmarketcap.com/currencies/threshold/historical-data/](https://coinmarketcap.com/currencies/threshold/historical-data/)) for the T token. No adjustments are made based on liquidity availability. For avoidance of doubt, if the reward amount is USD 5 000 and the average price at the time of the bug report submission is USD 1.75 per token, then the reward will be 2857.142857 units of that token.\n\nThreshold Network commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treating this program as the agreement and source of truth concerning bug reports and responsible disclosures.\n\nFor the purposes of determining report validity, this is a Primacy of Rules program. 
\n\nLearn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules. ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nThreshold Network would like to notify whitehats that payouts concerning high and critical reports may exceed the SLA established by Immunefi. These larger payouts could be delayed by a few hours or days, depending on the amount, to allow our governance process to fund the required payment, which can take up to 14 days. Threshold Network will inform the whitehat whenever this is the case, within the SLA timeframe, to manage expectations and provide clarity.\n\n__KYC Requirements:__\n\nThreshold Network does not have a Know Your Customer (KYC) requirement for bug bounty payouts.\n\n\n__Audit Discoveries and Known Issues:__\n\nBug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. 
\n\nPrevious audits and known issues can be found at:\n- [https://leastauthority.com/blog/audits/audit-of-keep-network-tbtc-bridge-v2/](https://leastauthority.com/blog/audits/audit-of-keep-network-tbtc-bridge-v2/) - tBTC Bridge\n- [https://www.certik.com/projects/threshold-network](https://www.certik.com/projects/threshold-network)\n- [https://chainsecurity.com/security-audit/threshold-network/](https://chainsecurity.com/security-audit/threshold-network/)\n- [https://github.com/Thesis-Defense/Security-Audit-Reports/blob/main/PDFs/240411_Thesis_Defense-Threshold_tBTC_Base_Smart_Contracts_Security_Audit_Report.pdf](https://github.com/Thesis-Defense/Security-Audit-Reports/blob/main/PDFs/240411_Thesis_Defense-Threshold_tBTC_Base_Smart_Contracts_Security_Audit_Report.pdf) - Base Smart Contracts\n- [StarkNet Smart Contracts Audit](https://drive.google.com/file/d/1v3_EieK-Z3VffMkireF0TIsjUL0V7qHm/view?usp=sharing)\n- [Sui Smart Contracts Audit](https://drive.google.com/file/d/1dWJIpHeLqPhkiGFR-F89FMgJjZv2GOnV/view?usp=sharing)\n- [https://github.com/threshold-network/token-dashboard/issues](https://github.com/threshold-network/token-dashboard/issues)\n- [https://github.com/threshold-network/solidity-contracts/issues](https://github.com/threshold-network/solidity-contracts/issues)\n- [https://github.com/keep-network/tbtc-v2/issues](https://github.com/keep-network/tbtc-v2/issues) (refers to known issues related to tBTC v2 contracts)\n- [https://drive.google.com/file/d/1v3_EieK-Z3VffMkireF0TIsjUL0V7qHm/view?usp=sharing](https://drive.google.com/file/d/1v3_EieK-Z3VffMkireF0TIsjUL0V7qHm/view?usp=sharing) (StarkNet Smart Contracts Audit)\n- [https://drive.google.com/file/d/1dWJIpHeLqPhkiGFR-F89FMgJjZv2GOnV/view?usp=sharing](https://drive.google.com/file/d/1dWJIpHeLqPhkiGFR-F89FMgJjZv2GOnV/view?usp=sharing) (Sui Smart Contracts 
Audit)","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"T","slug":"thresholdnetwork","tenPercentEconomicRule":false,"updatedDate":"2026-03-12T09:49:22.681Z","impactsBody":"1. In cases of bug reports where the attack vector involves a Guardian or Guardians, the security researcher must deterministically demonstrate that they are able to bypass the Guardians system entirely. If they are not able to, the Threshold Network team reserves the right to downgrade or reject bug reports where this is not demonstrated.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_2","description":"**Threshold Network powers tBTC, the Bitcoin standard in finance and the most decentralized 1:1 tokenized BTC, enabling Bitcoin liquidity to flow seamlessly across chains without compromising on settlement finality.**\nBuilt on threshold cryptography and secured by a rotating network of independent node operators, tBTC distributes control of BTC so that no single entity can act unilaterally on funds. This architecture embodies Bitcoin’s core values : **trust-minimized, permissionless, and censorship-resistant**, while maintaining a direct settlement path back to native Bitcoin.\nBy bridging BTC into DeFi through a system designed to **favor math over trust**, tBTC establishes the foundation for secure, decentralized Bitcoin utility across multiple ecosystems. This infrastructure enables tBTC to power lending, trading, and yield across major DeFi networks.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against the project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Attacks that interact with either KEEP or NU legacy contracts\n- Vulnerabilities requiring unlikely user actions\n- Reports whose impact depends primarily on speculative market behavior—including token price movements, liquidity shifts, arbitrage opportunities, or reputational effects—will not be considered valid vulnerabilities unless the researcher demonstrates a direct and deterministic protocol-level impact.","customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":4199,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for more than 1 week"},{"id":4200,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as: HTML injection without Javascript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc."},{"id":4201,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email or password of the victim, etc."},{"id":4202,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as: Reflected HTML injection, Loading external site data"},{"id":4203,"type":"websites_and_applications","severity":"medium","title":"Taking down the application/website"},{"id":4204,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as: database passwords, blockchain keys, etc (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":4205,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated 
actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":4206,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"}],"rewards":[{"id":42792,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":150000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":42793,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":42794,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":42795,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":3000,"minReward":1000,"rewardModel":"range"},{"id":42796,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"},{"id":42797,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":300,"rewardModel":"fixed"}],"audits":[{"id":"1GXCBdFHrjQFFTVUNhnO5e","url":"https://drive.google.com/file/d/1QK1jnaoqdtoeyqTD7xz93sSk1BwerFwe/view?usp=sharing","auditor":"Defense by Thesis","date":"2025-11-26T00:00:00.000Z"},{"id":"5uhEEAMqHorUC4twqBLXe2","url":"https://drive.google.com/file/d/1ZGOGCHcGo6r2Plkk1wHvdoWllfqQOl4T/view?usp=sharing","auditor":"Defense by Thesis","date":"2025-09-15T00:00:00.000Z"},{"id":"1Q0jYGhN1ZzAjm2vHuM1ZO","url":"https://drive.google.com/file/d/1ymBpfc9vihOVA-XccqhpeitnZS208O5u/view","auditor":"Thesis Defense","date":"2025-09-24T00:00:00.000Z"},{"id":"3WbwmD6efpH6P8zvJhRaLL","url":"https://drive.google.com/file/d/1RW4Bb3Rd_HdOU8pVxLpIRXCXDYKubeIp/view?usp=sharing","auditor":"Defense by 
Thesis","date":"2025-10-30T00:00:00.000Z"},{"id":"4Hy1dzpyIIDV96Z26ZUr9l","url":"https://drive.google.com/file/d/1Sxc5qx69qQtqdy7AtscoAHyGaSyqyYJM/view?usp=sharing","auditor":"Certora","date":"2025-09-07T00:00:00.000Z"},{"id":"4xnnTYYGa6kzzkzyy9uare","url":"https://drive.google.com/file/d/1rbVYly_VuW6LdAwhpbgxO8DpNiBn-6Vk/view?usp=sharing","auditor":"MixBytes() ","date":"2025-09-07T00:00:00.000Z"},{"id":"1262","url":"https://drive.google.com/file/d/1oQJO-fW4ZUUS_DQovOtaB9CB7U6YT0AP/view?usp=sharing","auditor":"Thesis Defense","date":"2025-11-04T00:00:00.000Z"}]},{"assets":[{"id":"db_181b1c5e-890a-4b3b-8398-5066a6110597","url":"https://github.com/Folks-Finance/folks-staking-contracts/blob/main/src/Staking.sol","type":"smart_contract","addedAt":"2026-03-11T07:47:09.489Z","revision":0,"description":"Staking.sol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_8ed439b7-a788-482d-9ec3-a2fdabc3fbd3","url":"https://github.com/Folks-Finance/folks-staking-contracts/blob/main/src/interfaces/IStakingV1.sol","type":"smart_contract","addedAt":"2026-03-11T07:47:26.333Z","revision":0,"description":"IStakingV1.sol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_b529ea66-1ba9-43c9-b79e-ea02e6e964b6","url":"https://github.com/Folks-Finance/folks-staking-contracts/blob/main/src/interfaces/IMigratorV1.sol","type":"smart_contract","addedAt":"2026-03-11T07:47:51.017Z","revision":0,"description":"IMigratorV1.sol","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"**Insight Reporting**\n\nInsight reports may be reported to this program and require a PoC. 
Insights are rewarded according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\n**Dispute Resolution**\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.\n\n**Responsible Publication Policy**\n\n- Immunefi will publish bug reports, earnings, and a leaderboard for this Audit Competition.\n- Security Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in an audit review of the code in scope (such auditors may still participate in this program only if they receive project permission)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"### **$25,000 USD** in rewards is available for finding bugs on Folks Finance's Staking Contracts. \n\nFor more information about the project, please visit [Folks Finance](https://folks.finance)\n\n- KYC is not required.\n\n- Flat Reward Pool\n\n**MANAGED TRIAGE IS NOT PERFORMED DURING THIS COMPETITION. FOLKS FINANCE TEAM IS RESPONSIBLE FOR TRIAGING, EVALUATING, CONFIRMING & CLOSING REPORTS. 
DISPUTES ARE HANDLED BY IMMUNEFI TEAM.**\n\n**Proof of Concept (PoC) Requirements**\n\n- A **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- Any technical questions and support requests can be asked directly to the Folks Finance team or Immunefi in the [#folks-finance-staking-contracts-audit-competition](https://discord.com/channels/787092485969150012/1427261722120421376) discord channel.","boostedIntroStartingIn":"### **$25,000 USD** in rewards is available for finding bugs on Folks Finance's Staking Contracts. \n\nFor more information about the project, please visit [Folks Finance](https://folks.finance)\n\nAny technical questions and support requests can be asked directly to the Folks Finance team or Immunefi in the [#folks-finance-staking-contracts-audit-competition](https://discord.com/channels/787092485969150012/1427261722120421376) discord channel. \n\n**MANAGED TRIAGE IS NOT PERFORMED DURING THIS COMPETITION. FOLKS FINANCE TEAM IS RESPONSIBLE FOR TRIAGING, EVALUATING, CONFIRMING & CLOSING REPORTS. DISPUTES ARE HANDLED BY IMMUNEFI TEAM.**\n\nWhen the Audit Competition ends, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Folks Finance's technical walkthrough on our official [YouTube channel](https://www.youtube.com/@immunefi).\n\n**A runnable PoC is required**. For more information, please read [Immunefi Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules?utm_source=immunefi)\n\nInsight reports can be submitted. 
Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Algorand"],"endDate":"2026-03-17T15:00:00.000Z","evaluationEndDate":"2026-04-14T15:00:00.000Z","features":["Boost","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2026-03-11T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5mX1G6Exm4R5kKfzK9oqcp/5e96776a0c3a91f9e51f2e543fff76e5/folks_finance.png","maxBounty":25000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.\n\nThe Folks Staking Contracts is a fixed-APR ERC-20 staking protocol with linear unlock, migration support, and on-chain reward reservation guarantees.\n\nFor more information about Folks Finance and their existing products, please visit https://folks.finance.","programType":["Smart Contract"],"project":"Audit Comp | Folks Finance: Staking Contracts","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes All Star Pool and Podium Pool reserved for [All Star Program](https://immunefi.com/allstars/) participants. \n\nRewards are denominated in USD and distributed in USDC on Ethereum.\n\nFlat Rewards:\nThe reward pool is **$25,000 USD** if any bug is found. 
That means that even if 1 Low severity bug is found, the whole reward pool is unlocked and has to be fully distributed between security researchers. \n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is **$3,750 USD**.\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid and unlock the corresponding reward pool.\n\n**Proof of Concept (PoC) Requirements**\nA **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)","rewardsPool":25000,"primaryPool":17500,"allStarsPool":5000,"podiumPool":2500,"rewardsToken":"USDC","slug":"audit-comp-folks-finance-staking-contracts","tenPercentEconomicRule":false,"updatedDate":"2026-03-11T15:00:43.970Z","impactsBody":"**Build Commands, Test Commands, and How to Run Them** \nSee https://github.com/Folks-Finance/folks-staking-contracts?tab=readme-ov-file#usage.\n\n**Asset Accuracy Assurance**\nBugs found on assets incorrectly listed in-scope are valid.\n\n**Code Freeze Assurance**\nCode of the assets in scope is frozen while the program is live.\n\n**Duplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.**\n\nThe project commits to keeping private all info related to bug findings until this program is over. 
This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\n**Public Disclosure of Known Issues**\n\nThese aren’t necessarily “issues”; some are design decisions and tradeoffs:\n- Not checking zero address\n- StakeParams slippage is one directional by design\n- User will have to use new account if they reach staking limit\n- Not deleting “UserStake” state after everything has been withdrawn\n- Not deleting “StakingPeriod” state after deactivating \n- Updates to a “StakingPeriod” only impact new stakes by design\n- We allow stake with 0 rewards\n- We allow withdrawal of 0 amount\n- We intentionally don’t allow a partial stake amount if the entire amount would cause the cap to be exceeded\n- Operational risk of migration\n- MIGRATOR_ROLE persists for user after migration\n- State “migrationPermits” may contain migrator which had its MIGRATOR_ROLE later revoked\n- After migration, the indexes of the “userStakes” are shuffled. This could lead to a user referencing an outdated index.\n- Paused contract only prevents new stakes\n- “UserStake.aprBps” is for informational purposes \n- The function “stakeWithPermit” silently ignores permit failure\n- Reward and accrual calculations round down\n- Intentional to not decrease “capUsed” on withdrawal / migration\n     - Staking contract designed for ERC20 which doesn't have any fee on transfer or rebasing logic\n\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n---\n\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\nThe MigratorV1 contract is out of scope - it’s included for testing. In addition, the potential new version of the Staking which we would migrate to is also out of scope. 
\n\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nAn attacker being able to manipulate their rewards/stake in order to steal FOLKS from other stakers. Flows to look at should include migration. \n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\nERC20 which doesn’t have any fee on transfer or rebasing logic. \n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\nAbility to pause contract with PAUSER_ROLE and migrate to new Staking contract with MIGRATOR_ROLE. \n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nDefault admin, manager, pauser, migrator. \n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nBNB Chain\n\n**What external dependencies are there?**\n\nFOLKS Token https://bscscan.com/address/0xFF7F8F301F7A706E3CfD3D2275f5dc0b9EE8009B  \n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nWhen the staking period ends, both principal and reward unlock linearly over a separate unlock duration, allowing partial withdrawals at any point.\n\n**What are the most valuable educational resources already available? (Ie. 
Documentation, Explainer videos or articles, etc)**\n\nhttps://github.com/Folks-Finance/folks-staking-contracts?tab=readme-ov-file#staking-contract","websiteUrl":"https://folks.finance","githubUrl":"https://github.com/Folks-Finance/algorand-ntt-contracts","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":5923,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5924,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":false},{"level":"high","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":false},{"level":"medium","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":false},{"level":"low","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":false}],"audits":[]},{"assets":[{"id":"7jugVReRH368ihgXk5t6Et","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/json/json_value.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:40.606Z","revision":0,"description":"json_value","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"63y8ZwWdoUdrmUJ6MFL2fV","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/ledger/ApplyView.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:41.070Z","revision":0,"description":"Apply 
View","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"68GuaT22mceJSu10cRWhmT","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/ledger/View.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:41.513Z","revision":0,"description":"View","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"28PyHx53smEuBeXkcvT2gN","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/Asset.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:42.007Z","revision":0,"description":"Asset","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6n1apKXMfZTKcaEg7bmrxK","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/Indexes.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:42.398Z","revision":0,"description":"Indexes","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"UoTUFccM5ktABEhTJHxX4","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/LedgerFormats.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:42.763Z","revision":0,"description":"Ledger Formats","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2BeAuns6CXm4CefersAjzr","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/Protocol.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:43.169Z","revision":0,"description":"Protocol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2HCPVLRf4atTNjEHJJpM72","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/SField.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:43.581Z","revision":0,"description":"S 
Field","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4BMbDLiYaSCDVaNSYOMgNc","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/STAmount.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:43.992Z","revision":0,"description":"ST Amount","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"yby079S1oQGYHSzJ3PGVE","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/STObject.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:44.424Z","revision":0,"description":"ST Object","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1KmWsYraImfbWeAbviZfsJ","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/STTx.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:44.859Z","revision":0,"description":"ST Tx","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3PEh75Jb7BhOIrSTxHn68G","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/TxFlags.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:45.291Z","revision":0,"description":"Tx 
Flags","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4fENbJDd91VtVANHnaBVHJ","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/detail/features.macro","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:45.711Z","revision":0,"description":"features","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3AdmBDR7vRbYNsPjWdlw3","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/detail/ledger_entries.macro","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:46.145Z","revision":0,"description":"ledger_entries","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4meHKKa7vJt4wS6mhiu9uc","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/detail/sfields.macro","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:46.565Z","revision":0,"description":"sfields","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7x7lDW6BEnBIhqcolNy6qa","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/detail/transactions.macro","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:46.935Z","revision":0,"description":"transactions","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7JWjptVKcnDwxyRceKShye","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/include/xrpl/protocol/jss.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:47.385Z","revision":0,"description":"jss","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7ICdW3q0gH3Spc3K4pf4bx","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/libxrpl/basics/Number.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:47.834Z","revision":0,"description":"Number","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Zc5vxy90QqFPxRkCcgS72","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/libx
rpl/json/json_value.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:48.202Z","revision":0,"description":"json_value","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2OjzVBgA6QR731oQTq3288","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/libxrpl/ledger/ApplyView.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:48.620Z","revision":0,"description":"Apply View","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6xdjPwJtHACGnVrvZKnzl4","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/libxrpl/ledger/View.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:49.058Z","revision":0,"description":"View","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5HncPmoDOnu5h8fsJcFefz","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/libxrpl/protocol/Indexes.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:49.511Z","revision":0,"description":"Indexes","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6x5Y1deDXonPCaZETNMzFh","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/libxrpl/protocol/InnerObjectFormats.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:49.971Z","revision":0,"description":"Inner Object Formats","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4GFRdtLti3Z5fJczwxyBen","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/libxrpl/protocol/STAmount.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:50.374Z","revision":0,"description":"ST Amount","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1TA1cSxhzjuhqjiCO18AhG","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/libxrpl/protocol/STObject.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:50.792Z","revision":0,"description":"ST 
Object","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"14K854U2NqJjPT3Ol5nTTd","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/libxrpl/protocol/STTx.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:51.167Z","revision":0,"description":"ST Tx","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3hx5bTHRxWWpQSco4cLUH7","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/ledger/detail/OpenLedger.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:51.559Z","revision":0,"description":"Open Ledger","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5xeZnHf4rmjE6lKOYrESOY","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/main/Main.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:51.993Z","revision":0,"description":"Main","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3L3NJ7MOryStdZxCCbjevq","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/misc/LendingHelpers.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:52.430Z","revision":0,"description":"Lending Helpers","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7rPHFaTVOfez6CcytzUpLz","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/misc/NetworkOPs.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:52.841Z","revision":0,"description":"Network O Ps","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4bIica1YvFz7yKpG9g5bZm","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/misc/detail/LendingHelpers.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:53.277Z","revision":0,"description":"Lending 
Helpers","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2O4coseFiIWXUXkHi9rdSy","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/Batch.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:53.713Z","revision":0,"description":"Batch","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1zRxKWHbecGBdis6H8DG0M","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/Change.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:54.094Z","revision":0,"description":"Change","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"44rPrS2ycbRsrm8uDJy10B","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/InvariantCheck.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:54.452Z","revision":0,"description":"Invariant Check","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Y1cwmv7OeU1yDVNqiDU7e","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/InvariantCheck.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:54.849Z","revision":0,"description":"Invariant Check","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"383EJR6Tj5EKiUcBghtjIh","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerCoverClawback.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:55.231Z","revision":0,"description":"Loan Broker Cover Clawback","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5au1xhpyZs0tdgDSd7VkMD","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerCoverClawback.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:55.588Z","revision":0,"description":"Loan Broker Cover 
Clawback","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4LPMi6c3V5kEoTHQ8dF2xn","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerCoverDeposit.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:55.964Z","revision":0,"description":"Loan Broker Cover Deposit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1KDZDUtAAj3rkIiG2fFnu5","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerCoverDeposit.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:56.428Z","revision":0,"description":"Loan Broker Cover Deposit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"54OlayZZsCt92YawTZ8a4P","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerCoverWithdraw.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:57.127Z","revision":0,"description":"Loan Broker Cover Withdraw","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"46kMoFW3liYMZHDMfg8DGN","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerCoverWithdraw.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:57.557Z","revision":0,"description":"Loan Broker Cover Withdraw","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4HJda6EYzrYHhlNjoBHY7C","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerDelete.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:57.966Z","revision":0,"description":"Loan Broker Delete","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5TqBu9RMmCHztXK44dZ1Yp","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerDelete.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:58.366Z","revision":0,"description":"Loan Broker 
Delete","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"22qAjhEKJIMy3jEfgrcY6c","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerSet.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:58.732Z","revision":0,"description":"Loan Broker Set","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"321ZeVRE7exOQ54mvPp3pi","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanBrokerSet.h","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:59.168Z","revision":0,"description":"Loan Broker Set","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5rLr9WmavkH9o6X3oVyESy","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanDelete.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T17:59:59.635Z","revision":0,"description":"Loan Delete","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"75XLIPYMgdRj6UtfYuh3B8","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanDelete.h","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:00.021Z","revision":0,"description":"Loan Delete","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2WPqrMAn3nv2MAec05yuuj","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanManage.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:00.417Z","revision":0,"description":"Loan Manage","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7Ji2UpB7er0MB0qoCtTqTE","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanManage.h","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:01.047Z","revision":0,"description":"Loan 
Manage","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3P5l21grbPjwHUkqP5OII8","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanPay.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:01.553Z","revision":0,"description":"Loan Pay","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2lyDeekkodJKEF0Gpwr5hF","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanPay.h","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:03.006Z","revision":0,"description":"Loan Pay","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1zPIANF5VV2G7HoM4J00kn","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanSet.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:03.853Z","revision":0,"description":"Loan Set","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7J2xp8yzV24DZZ6mt0Hb0o","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/LoanSet.h","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:04.918Z","revision":0,"description":"Loan 
Set","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5YS0GpHp0BHJgpjXj9ATTv","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/Payment.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:05.422Z","revision":0,"description":"Payment","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3CJoyJQAy6W9yEsXfM143K","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/Payment.h","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:05.791Z","revision":0,"description":"Payment","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"31NzUMTmXSaiDw9ANDFWs7","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/SetTrust.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:06.220Z","revision":0,"description":"Set Trust","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7gZQcZ3dSfQkrhUo3xFwNQ","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/Transactor.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:06.657Z","revision":0,"description":"Transactor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5JGjEHqnwSoqkV9vNPUgx8","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/Transactor.h","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:07.135Z","revision":0,"description":"Transactor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"J8ivBU2YoOLUBukPJW5D4","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/VaultCreate.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:07.728Z","revision":0,"description":"Vault 
Create","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6zQnRdEJh1rLaF3RcVau8X","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/VaultSet.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:08.134Z","revision":0,"description":"Vault Set","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1XV2VG59eDT76gJ8XckdKr","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/VaultWithdraw.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:08.535Z","revision":0,"description":"Vault Withdraw","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5lU72CJdpWi4S6JPlb8Gu4","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/apply.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:08.909Z","revision":0,"description":"apply","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"dv8Ct1kCijA36WQvOhUl4","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/overlay/detail/PeerImp.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:09.327Z","revision":0,"description":"Peer Imp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3vl6xA6xe4vPaOOYqkXS0B","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/rpc/detail/RPCCall.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:09.751Z","revision":0,"description":"RPC Call","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1BchCdlxHoO44mvhgSaeoi","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/rpc/detail/TransactionSign.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:10.265Z","revision":0,"description":"Transaction 
Sign","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"15tmiSTEkhom5QPQLUFbPY","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/rpc/handlers/AccountInfo.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:10.658Z","revision":0,"description":"Account Info","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4esvPs3SdHLpQtHYgMpLN1","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/rpc/handlers/LedgerEntry.cpp","type":"blockchain_dlt","addedAt":"2025-10-27T18:00:11.102Z","revision":0,"description":"Ledger Entry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5gPZcdCMbpyBXzC6tW7cQn","url":"https://github.com/immunefi-team/attackathon-xrpl-lending-protocol/blob/main/src/xrpld/app/tx/detail/VaultDeposit.cpp","type":"blockchain_dlt","addedAt":"2025-11-06T12:49:19.002Z","revision":0,"description":"Vault Deposit","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"__Insight Reporting__\n\nInsight reports may be reported to this program and require a PoC. 
Insights are rewarded according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\n__Dispute Resolution__\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.\n\n__Asset Accuracy Assurance__\n\n- Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\n- Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\n- Ripple/ XRPL adheres to the Primacy of Rules, which means that the whole Attackathon program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\nRipple/ XRPL requires Immunefi, through its partner Onfido, to collect and assess SRs’ KYC information to pay for bug submissions. The following information will be required:\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of passport or other government-issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. 
Immunefi may make exceptions due to extenuating circumstances.\n\n__Responsible Publication__\n\n- Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n   - Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\n- Immunefi may publish bug reports submitted to this Audit Competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\n- When there is uncertainty about how feasible an attack is Immunefi will use our feasibility limitation standards to determine the severity of the report.\n\n__Immunefi Standard Badge__\n\n- By adhering to Immunefi’s best practice recommendations, Ripple/ XRPL has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"### **Thank You to All Participating Security Researchers!**\n\nThe Attackathon has now concluded and is currently in the evaluation phase. 
During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the platform for all users.","boostedIntroLive":"### A Flat **$200,000 USD** reward pool for finding bugs on XRPL Lending Protocol.\n\nYou can ask technical questions to the XRPL's Team directly in the #xrpl-attackathon channel in [Immunefi's Discord](https://discord.com/invite/immunefi).\n\nWhen the XRPL Lending Protocol Attackathon ends, Immunefi will publish a leaderboard and Attackathon findings report.","boostedIntroStartingIn":"### A Flat **$200,000 USD** reward pool for finding bugs on XRPL Lending Protocol.\n\nOctober 13th, the Attackathon Education Period begins for XRPL Lending Protocol — launching the ‘XRPL Lending Protocol Academy’, and opening direct access to the XRPL’s team for ongoing technical Q&A on [Immunefi's Discord](https://discord.com/invite/immunefi) in the “xrpl-attackathon\" channel.","boostedLeaderboard":[{"high":3,"name":"f4lc0n","aspRank":1,"critical":6,"earnings":32428,"insights":4,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":39228,"totalValidBugs":12,"aspPoolEarnings":0,"podiumPoolEarnings":6800},{"high":2,"name":"jovi","aspRank":4,"critical":2,"earnings":8931,"insights":4,"mediumLow":2,"allStarTier":"ASSOCIATE (ACTIVE)","totalEarnings":22265,"totalValidBugs":6,"aspPoolEarnings":13333,"podiumPoolEarnings":0},{"high":1,"name":"v_c0d35","aspRank":2,"critical":2,"earnings":15225,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":21825,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":6600},{"high":1,"name":"Blobism","aspRank":7,"critical":1,"earnings":7069,"insights":0,"mediumLow":1,"allStarTier":"ASSOCIATE 
(ACTIVE)","totalEarnings":20402,"totalValidBugs":3,"aspPoolEarnings":13333,"podiumPoolEarnings":0},{"high":4,"name":"ZeroTrust","aspRank":3,"critical":1,"earnings":9736,"insights":2,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":16336,"totalValidBugs":10,"aspPoolEarnings":0,"podiumPoolEarnings":6600},{"high":2,"name":"pks271","aspRank":13,"critical":0,"earnings":2475,"insights":0,"mediumLow":1,"allStarTier":"ASSOCIATE (ACTIVE)","totalEarnings":15808,"totalValidBugs":3,"aspPoolEarnings":13333,"podiumPoolEarnings":0},{"high":1,"name":"Orionn","aspRank":5,"critical":1,"earnings":8013,"insights":2,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":8013,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"TheWeb3Mechanic","aspRank":6,"critical":1,"earnings":7299,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":7299,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"pirex","aspRank":8,"critical":1,"earnings":6614,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":6614,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"uint256vieet","aspRank":9,"critical":1,"earnings":6614,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":6614,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"niffylord","aspRank":10,"critical":1,"earnings":3382,"insights":2,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":3382,"totalValidBugs":8,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"mohamedFahmy","aspRank":11,"critical":2,"earnings":3126,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":3126,"totalValidBugs":8,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Josh4324","aspRank":12,"critical":1,"earnings":2960,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":2960,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"OxSCSamurai"
,"aspRank":14,"critical":0,"earnings":2204,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2204,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Tomioka","aspRank":15,"critical":0,"earnings":2013,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":2013,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Oxb4b","aspRank":17,"critical":0,"earnings":2006,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":2006,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"adeolu","aspRank":16,"critical":0,"earnings":1832,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1832,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"coinsspor","aspRank":18,"critical":0,"earnings":1653,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":1653,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"OxPrince","aspRank":25,"critical":0,"earnings":1327,"insights":4,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":1327,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"blockace","aspRank":19,"critical":0,"earnings":1101,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":1101,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"solidityhaxor","aspRank":20,"critical":1,"earnings":974,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":974,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Ediblecodfish","aspRank":23,"critical":0,"earnings":969,"insights":1,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":969,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"deltasec","aspRank":21,"critical":0,"earnings":953,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":953,"totalValidBugs":2,"aspPoolEarnings":0,"p
odiumPoolEarnings":0},{"high":0,"name":"OadeHack","aspRank":22,"critical":0,"earnings":918,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":918,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"zbugs","aspRank":24,"critical":0,"earnings":818,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":818,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"XDZIBECX","aspRank":52,"critical":0,"earnings":794,"insights":3,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":794,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Almanax","aspRank":26,"critical":0,"earnings":735,"insights":0,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":735,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"dldLambda","aspRank":27,"critical":0,"earnings":735,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":735,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Youwish","aspRank":28,"critical":0,"earnings":678,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":678,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"bbl4de","aspRank":29,"critical":0,"earnings":669,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":669,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Crayfish","aspRank":39,"critical":0,"earnings":599,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":599,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Ailenia","aspRank":30,"critical":0,"earnings":542,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":542,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"spongebob","aspRank":32,"critical":1,"earnings":454,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":454,"totalValidBugs":
2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"jahan","aspRank":47,"critical":0,"earnings":441,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":441,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"joescor2","aspRank":53,"critical":0,"earnings":441,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":441,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"gnoks","aspRank":33,"critical":1,"earnings":428,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":428,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Mahmud","aspRank":31,"critical":2,"earnings":379,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":379,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"fnmain","aspRank":34,"critical":0,"earnings":273,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":273,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"magtentic","aspRank":48,"critical":0,"earnings":265,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":265,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Psyone","aspRank":51,"critical":0,"earnings":265,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":265,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Paludo0x","aspRank":35,"critical":0,"earnings":223,"insights":0,"mediumLow":1,"allStarTier":"SENIOR 
(ACTIVE)","totalEarnings":223,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"vivekd","aspRank":36,"critical":0,"earnings":190,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":190,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Carrot","aspRank":37,"critical":0,"earnings":188,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":188,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"tinnohofficial","aspRank":38,"critical":0,"earnings":184,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":184,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Codexstar","aspRank":40,"critical":1,"earnings":156,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":156,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"hecker_trieu_tien","aspRank":41,"critical":1,"earnings":156,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":156,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"humanitia","aspRank":43,"critical":0,"earnings":148,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":148,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"yesofcourse","aspRank":42,"critical":0,"earnings":134,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":134,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Mikeyxyz","aspRank":49,"critical":0,"earnings":88,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":88,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"failsafe_intern","aspRank":50,"critical":0,"earnings":88,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":88,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Bl0ckr3v","aspRank":54,"critical":0,"earnin
gs":88,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":88,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"copperscrewer","aspRank":44,"critical":0,"earnings":9,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":9,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"luncy","aspRank":45,"critical":0,"earnings":9,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":9,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Davidzijia","aspRank":46,"critical":0,"earnings":3,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0}],"boostedSummaryReport":null,"ecosystem":[],"endDate":"2025-11-24T14:00:00.000Z","evaluationEndDate":"2026-02-23T14:00:00.000Z","features":["Attackathon","Vault","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":["C/C++"],"launchDate":"2025-10-27T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4iQ7O52KuNSnBE1aY3Zehg/bd3aef31fe459b3f65ccd652fab3730d/XRPL_-_Black500.png","maxBounty":200000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"The XRP Ledger (XRPL) is a decentralized layer 1 blockchain renowned for its decade-long reliability and stability in tokenizing and exchanging crypto-native and real-world assets.\n\nThe XLS-66 specification introduces the XRP Ledger-native Lending Protocol, which facilitates straightforward, on-chain, uncollateralised fixed-term loans with pre-set interest terms. 
Loan liquidity is sourced from pooled funds, while the design relies on off-chain underwriting and risk management to assess borrowers’ creditworthiness.\n\nFor more information about the XRPL, please visit [https://xrpl.org/](https://xrpl.org/)\n\nFor more information about Ripple, please visit [https://ripple.com/](https://ripple.com/)","programType":["Blockchain/DLT"],"project":"Attackathon | XRPL Lending Protocol","projectType":["Blockchain"],"rewardsBody":"__Reward Terms__\n\nRewards are distributed among SRs according to Immunefi’s [Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes All Star Pool and Podium Pool reserved for [All Star Program](https://immunefi.com/allstars/) participants.\n\nRewards are denominated in USD and distributed in **RLUSD** on Ethereum.\n\n__Flat Rewards__\n\nThe reward pool is **$200,000 USD** if any bug is found. That means that even if 1 Low severity bug is found, the whole reward pool is unlocked and will be fully distributed between security researchers. \n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is $30,000 USD. \n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid and unlock the corresponding reward pool.\n\nCode of the assets in scope is frozen while the program is live.\n\nDuplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.\n\nThe project commits to keeping private all info related to bug findings until this program is over. 
This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\nThe \"Insight\" severity was introduced on Audit Competitions & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)\n\n**Duplicates of Insight reports are not eligible for a reward.**\n\n__Proof of Concept (PoC) Requirements__\n\n**A runnable PoC is required**. For more information, please read [Immunefi Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules?utm_source=immunefi)","rewardsPool":200000,"primaryPool":140000,"allStarsPool":40000,"podiumPool":20000,"rewardsToken":"RLUSD","slug":"xrpl-ripple-attackathon","tenPercentEconomicRule":false,"updatedDate":"2026-03-10T17:28:10.618Z","impactsBody":"**Build commands, Test commands, and instructions on how to run them:**\n\nBuild instructions: [https://github.com/XRPLF/rippled/blob/develop/BUILD.md](https://github.com/XRPLF/rippled/blob/develop/BUILD.md)\n\nTest environments:\n- Public server: [lend.devnet.rippletest.net](http://lend.devnet.rippletest.net)\n- Public server faucet: [lend-faucet.devnet.rippletest.net](https://lend-faucet.devnet.rippletest.net)\n    - curl -X POST https://lend-faucet.devnet.rippletest.net/accounts\n    - How XRPL faucets work: https://xrpl.org/resources/dev-tools/xrp-faucets\n\n\n**Previous Audits**\n\nRipple’s completed audit reports for Single Asset Vault, MPT, Credentials, Permissioned Domains can be found at 
[http://opensource.ripple.com](http://opensource.ripple.com). Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n[Single Asset Vault Audit](https://www.halborn.com/audits/ripple/ripple---single-asset-vault---smart-contract-assessment-d39437)\n\n**Public Disclosure of Known Issues**\n\nBug reports for publicly disclosed bugs are not eligible for a reward.\n\n- VaultWithdraw throws \"tecINVARIANT_FAILED\" when the fee matches the withdraw amount; being fixed in https://github.com/XRPLF/rippled/pull/5876/\n- Submitting `LoanBrokerCoverDeposit` with just the base reserve throws \"telFAILED_PROCESSING\"\n- sign_for error - multi-signing\n    - Conditions\n        - Borrower has multi-signing enabled with two signers.\n        - Lender creates LoanSet transaction, populates Counterparty with the borrower's account and signs it.\n        - Signers individually sign the already signed transaction in #2.\n        - CounterpartySignature is populated by sorting two Signer objects based on the Account field as we do for multi-sign transactions.\n    - However, when submitting this transaction, I get: fails local checks: Counterparty: Invalid signature on account\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\n- No upgrade. SAV and Lending protocol are V1\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nPrioritize anything that has to do with the security of the funds. 
The security of funds can be compromised through the following vectors:\n\n*Lending Protocol:*\n- Liquidation Logic: Find ways to trigger unfair liquidations or prevent liquidations from happening\n- Interest Rate Calculation: Discover bugs that lead to incorrect interest accrual, either for the lender or borrower\n- Clawback and Deepfreeze: test if asset freezing and clawback can be circumvented in the lending protocol\n- Administrative attacks: Mess with the protocol's records and internal numbers to break its rules, causing a mismatch between funds and shares.\n\n*SAV:*\n- Share Redemption/Minting: Exploit the mechanism for issuing or redeeming MPT tokens to unfairly gain or drain assets\n- Deposit/Withdrawal Logic: Uncover edge cases that allow a user to withdraw more assets than they deposited or are entitled to\n- Reward Distribution: Discover flaws in how LPs are calculated and distributed\n- FLC Exploit: Manipulate the First Loss Capital mechanism to unfairly shift losses, avoid liability, or directly drain funds from the pool\n\n*Interaction of SAV & Lending Protocol with compliance primitives:*\n- Access Control: Bypass administrative controls or privileged functions (The lending protocol supports permissioned access both on the borrower and lender side, via on-chain primitives such as permissioned domains and credentials; we want to make sure the protocol can work with these without security tradeoffs)\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\n- XRP Ledger\n\n**What external dependencies are there?**\n\nWe are targeting institutions with this protocol, which means that the collateral is not on-chain. They might want to keep the collateral with crypto custodians like BitGo, for example. This does not directly affect the code, but researchers should take into account that part of the loan lifecycle will be manually coordinated. 
\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nNot unusual, but it's something to remember: there are no smart contracts or hooks on the XRPL.\n\n**What are the most valuable educational resources already available? (i.e. documentation, explainer videos or articles, etc.)**\n\n- https://immunefi.com/audit-competition/xrpl-ripple/resources","websiteUrl":"https://xrpl.org/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"The XRP Ledger (XRPL) is a decentralized layer 1 blockchain renowned for its decade-long reliability and stability in tokenizing and exchanging crypto-native and real-world assets.\n\nThe XLS-66 specification introduces the XRP Ledger-native Lending Protocol, which facilitates straightforward, on-chain, uncollateralised fixed-term loans with pre-set interest terms. Loan liquidity is sourced from pooled funds, while the design relies on off-chain underwriting and risk management to assess borrowers’ creditworthiness.","knownIssues":[{"id":1193,"link":"https://github.com/XRPLF/rippled/pull/5270","description":"sign_for error - multi-signing: Conditions - 1) Borrower has multi-signing enabled with two signers. 2) Lender creates LoanSet transaction, populates Counterparty with the borrower's account and signs it. 3) Signers individually sign the already signed transaction in #2. 4) CounterpartySignature is populated by sorting two Signer objects based on the Account field as we do for multi-sign transactions. 
- However, when submitting this transaction, I get: fails local checks: Counterparty: Invalid signature on account","lastUpdatedAt":"2025-10-10T00:00:00.000Z","relatedImpactInScope":"blockchain_dlt"},{"id":1192,"link":"https://github.com/XRPLF/rippled/pull/5270","description":"Submitting `LoanBrokerCoverDeposit` with just the base reserve throws \"telFAILED_PROCESSING\"","lastUpdatedAt":"2025-10-10T00:00:00.000Z","relatedImpactInScope":"blockchain_dlt"},{"id":1191,"link":"https://github.com/XRPLF/rippled/pull/5876/","description":"VaultWithdraw throws \"tecINVARIANT_FAILED\" when fee matches withdraw amount is being fixed in","lastUpdatedAt":"2025-10-10T00:00:00.000Z","relatedImpactInScope":"blockchain_dlt"}],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":5779,"type":"blockchain_dlt","severity":"critical","title":"Drainage and/or stealing of funds from ledger objects (vault, first loss capital)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":5780,"type":"blockchain_dlt","severity":"critical","title":"Modification of the loan setting resulting in unfair distribution and/or gaming of funds"},{"id":5781,"type":"blockchain_dlt","severity":"critical","title":"Gaming of vault and protocol setting using different types of tokens available on XRPL (IOUs, MPTs etc)"},{"id":5778,"type":"blockchain_dlt","severity":"high","title":"Modification of fees outside of design parameters (hacker modifies late payment fee, repayment fee, management fee)"},{"id":5782,"type":"blockchain_dlt","severity":"high","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5783,"type":"blockchain_dlt","severity":"high","title":"Theft of unclaimed yield"},{"id":5784,"type":"blockchain_dlt","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":5785,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended primitive behavior with no concrete funds at direct 
risk."},{"id":5786,"type":"blockchain_dlt","severity":"low","title":"Impacts caused by griefing with no economic damage to any user on the network"}],"rewards":[{"level":"critical","payout":"Portion of Reward Pool","assetType":"blockchain_dlt","pocRequired":false},{"level":"high","payout":"Portion of Reward Pool","assetType":"blockchain_dlt","pocRequired":false},{"level":"medium","payout":"Portion of Reward Pool","assetType":"blockchain_dlt","pocRequired":false},{"level":"low","payout":"Portion of Reward Pool","assetType":"blockchain_dlt","pocRequired":false}],"audits":[{"id":"2bN3IQRmG2uZ93SjC3BNhH","url":"http://opensource.ripple.com","auditor":"All Ripple Audit Reports","date":"2025-10-07T00:00:00.000Z"},{"id":"ri73Rw075bPixk2jSLcbN","url":"https://www.halborn.com/audits/ripple/ripple---single-asset-vault---smart-contract-assessment-d39437","auditor":"Single Asset Vault Audit by Halborn","date":"2025-06-27T00:00:00.000Z"}]},{"assets":[{"id":"7dvyIqMe1AnZBftHYD8yUx","url":"https://etherscan.io/address/0xC874b064f465bdD6411D45734b56fac750Cda29A","type":"smart_contract","addedAt":"2022-05-24T15:25:50.833Z","revision":0,"description":"Pool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"62UrtC5GZ8sgNEtdWW9OCO","url":"https://etherscan.io/address/0x2296e122c1a20Fca3CAc3371357BdAd3be0dF079","type":"smart_contract","addedAt":"2022-05-24T15:26:08.556Z","revision":0,"description":"PoolEscrow","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2wrAeU1HHlq7TmjeG5v4dU","url":"https://etherscan.io/address/0x002932e11E95DC84C17ed5f94a0439645D8a97BC","type":"smart_contract","addedAt":"2022-05-24T15:26:20.795Z","revision":0,"description":"PoolValidators","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Oh9YJ9iYhGYIR0q5470ut","url":"https://etherscan.io/address/0xFe2e637202056d30016725477c5da089Ab0A043A","type":"smart_contract","addedAt":"2022-05-24T15:26:35.971Z","revision":0,"description":"StakedEthToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":
"1KHHImkOXm4hSYJX77OzVD","url":"https://etherscan.io/address/0x20BC832ca081b91433ff6c17f85701B6e92486c5","type":"smart_contract","addedAt":"2022-05-24T15:26:56.101Z","revision":0,"description":"RewardEthToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1TQG7lHo583jWkhrbLW1XS","url":"https://etherscan.io/address/0x48C3399719B582dD63eB5AADf12A40B4C3f52FA2","type":"smart_contract","addedAt":"2022-05-24T15:27:10.365Z","revision":0,"description":"StakeWiseToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4sKClCFhpl8GsqzCXtkdn0","url":"https://etherscan.io/address/0x8a887282E67ff41d36C0b7537eAB035291461AcD","type":"smart_contract","addedAt":"2022-05-24T15:27:26.542Z","revision":0,"description":"Oracles","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"0dEpSvBt997gKmk1GMkf2","url":"https://etherscan.io/address/0xaE678D2A911400a55e06f4A1F0C0B363F3eE2e42","type":"smart_contract","addedAt":"2022-05-24T15:27:41.463Z","revision":0,"description":"VestingEscrow","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OYFfkajF7tyQHBNrBJnXc","url":"https://etherscan.io/address/0x7B910cc3D4B42FEFF056218bD56d7700E4ea7dD5","type":"smart_contract","addedAt":"2022-05-24T15:27:57.227Z","revision":0,"description":"VestingEscrowFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6o3R7foItq6Mocn4ZGcujJ","url":"https://etherscan.io/address/0xA3F21010e8b9a3930996C8849Df38f9Ca3647c20","type":"smart_contract","addedAt":"2022-05-24T15:28:13.896Z","revision":0,"description":"MerkleDistributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5DR0NBqbNPZyArG13A9Paz","url":"https://etherscan.io/address/0xC486c10e3611565F5b38b50ad68277b11C889623","type":"smart_contract","addedAt":"2022-05-24T15:28:27.321Z","revision":0,"description":"Roles","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5wz8eZAA66JdvhfhqkUGI1","url":"https://etherscan.io/address/0x3EB0175dcD67d3AB139aA03165e24AA2188A4C22","type":"smart_contract","addedAt":"2022-05-24T15:28:42.24
1Z","revision":0,"description":"Proxy Admin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6l8wM7POrHP08KNaryBdMk","url":"https://etherscan.io/address/0x144a98cb1CdBb23610501fE6108858D9B7D24934","type":"smart_contract","addedAt":"2022-05-24T15:28:58.357Z","revision":0,"description":"Gnosis Safe","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ySEI3tYBSiXoGugVR3VHg","url":"https://etherscan.io/address/0xb5cf5363c3e766e64b37b2fb9554bfe8d48ed1a0","type":"smart_contract","addedAt":"2022-05-31T16:47:21.950Z","revision":0,"description":"DAO Module","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6utfIGo10zyxcM4x5JZif9","url":"https://app.stakewise.io/","type":"websites_and_applications","addedAt":"2022-05-24T15:29:12.395Z","revision":0,"description":"Web/App","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"In addition, all implementation contracts linked to the proxies listed in the assets in scope are also considered as in-scope of this program. \n\nHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by StakeWise that isn’t on this table but for which the impact is in the Impacts in Scope section, you are encouraged to submit it for the consideration of the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","xDAI / Gnosis Chain"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript"],"launchDate":"2022-05-31T17:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6pcegtZ9EgRSp41tiAroSX/e146d81a9b7bea7994de08885d5fd2b7/StakeWise_Logo.jpg","maxBounty":200000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - 
high","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Staking","Yield Aggregator"],"programOverview":"StakeWise is a protocol for liquid staking on Ethereum and Gnosis Chain. By staking their assets through StakeWise, users receive staked ETH and staked GNO tokens that represent their deposit and earnings, and can be swapped back into ETH and GNO via liquidity pools or deposited into DeFi protocols for extra yield. The protocol is run by the StakeWise DAO, which decides on the deployment of StakeWise DAO Treasury, the distribution of ETH and GNO across node operators, and choice of various smart contract parameters.\n\nFor more information about StakeWise, please visit [https://stakewise.io/](https://stakewise.io/).","programType":["Smart Contract","Websites and Applications"],"project":"StakeWise Mainnet","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. In addition, all bug reports must also come with a suggestion for a fix in order to be considered for a reward. \n\nKnown issues highlighted in their previous audits here are considered out of scope of this program:\n  - [https://github.com/stakewise/contracts/tree/master/audits](https://github.com/stakewise/contracts/tree/master/audits) \n\nPayouts are handled by the __StakeWise__ team directly and are denominated in USD. 
Payouts are done in __SWISE__ or __USDC__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"SWISE or USDC","slug":"stakewise","tenPercentEconomicRule":false,"updatedDate":"2026-03-10T15:26:41.820Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"StakeWise is a protocol for liquid staking on Ethereum and Gnosis Chain. By staking their assets through StakeWise, users receive staked ETH and staked GNO tokens that represent their deposit and earnings, and can be swapped back into ETH and GNO via liquidity pools or deposited into DeFi protocols for extra yield.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":2737,"type":"smart_contract","severity":"high","title":"Freezing of unclaimed yield for at least 1 week"},{"id":2738,"type":"smart_contract","severity":"high","title":"Freezing of other funds for at least 1 week"},{"id":2739,"type":"websites_and_applications","severity":"high","title":"Theft of unclaimed yield"},{"id":2740,"type":"websites_and_applications","severity":"high","title":"Freezing of unclaimed yield for at least 1 week"},{"id":2741,"type":"websites_and_applications","severity":"high","title":"Freezing of other funds for at least 1 week"},{"id":2742,"type":"smart_contract","severity":"critical","title":"Loss of users funds"},{"id":2743,"type":"smart_contract","severity":"critical","title":"Loss of Treasury Funds"},{"id":2744,"type":"smart_contract","severity":"critical","title":"Theft of unclaimed yield"},{"id":2745,"type":"websites_and_applications","severity":"critical","title":"Loss of user funds"},{"id":2746,"type":"websites_and_applications","severity":"critical","title":"Loss of Treasury 
funds"}],"rewards":[{"id":42586,"primacy":null,"severity":"critical","assetType":"smart_contract","fixedReward":200000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":42587,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":50000,"rewardModel":"fixed"},{"id":42588,"primacy":null,"severity":"critical","assetType":"websites_and_applications","fixedReward":200000,"rewardModel":"fixed"},{"id":42589,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":50000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4RAGpSxdZcnoQHIcZnCFoG","url":"https://etherscan.io/address/0xba0e352AB5c13861C26e4E773e7a833C3A223FE6","type":"smart_contract","addedAt":"2025-12-30T09:09:53.895Z","revision":0,"description":"Curve OETH+WETH (AMO) Strategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"25FgO4VDRTdJKcoOnWWXy9","url":"https://etherscan.io/address/0x3643cafA6eF3dd7Fcc2ADaD1cabf708075AFFf6e","type":"smart_contract","addedAt":"2025-12-30T09:09:53.892Z","revision":0,"description":"Morpho OUSD v2 Strategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ujdFz2RlqUJUtMRIgw1Lc","url":"https://etherscan.io/address/0x26a02ec47ACC2A3442b757F45E0A82B8e993Ce11","type":"smart_contract","addedAt":"2025-12-30T09:09:53.913Z","revision":0,"description":"Curve USDC AMO Strategy ","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1EFKBjhSBsNmhJ9wRDEyG1","url":"https://etherscan.io/address/0x85b78aca6deae198fbf201c82daf6ca21942acc6#code","type":"smart_contract","addedAt":"2024-11-15T12:54:34.780Z","revision":0,"description":"ARM 
(stETH/WETH)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1onoJioBhEowmWTs8pXjBm","url":"https://basescan.org/address/0xF611cC500eEE7E4e4763A05FE623E2363c86d2Af","type":"smart_contract","addedAt":"2024-11-15T12:56:18.725Z","revision":0,"description":"AerodromeAMOStrategyProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2GIC5GHuzSgttXqWwg6NT3","url":"https://sonicscan.org/address/0x31a91336414d3b955e494e7d485a6b06b55fc8fb#code","type":"smart_contract","addedAt":"2025-03-06T06:48:44.500Z","revision":0,"description":"Origin Timelock","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3E5FfMOmZpS4Wc3mJdnV9n","url":"https://etherscan.io/address/0xe75d77b1865ae93c7eaa3040b038d7aa7bc02f70","type":"smart_contract","addedAt":"2022-02-12T09:28:28.732Z","revision":0,"description":"Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3J2MlNDdNTk1g17pBqWoRX","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:27:59.058Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"3otqoHXZaeXsYGdUlOK9fS","url":"https://sonicscan.org/address/0xb1e25689D55734FD3ffFc939c4C3Eb52DFf8A794#code","type":"smart_contract","addedAt":"2025-03-06T06:41:29.637Z","revision":0,"description":"Origin Sonic","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3rlCPsfrwJ0cp90wI7YNZN","url":"https://etherscan.io/address/0xaF04828Ed923216c77dC22a2fc8E077FDaDAA87d","type":"smart_contract","addedAt":"2025-11-04T14:59:53.438Z","revision":0,"description":"CompoundingStakingSSVStrategyProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"42bL1xMz1ZyunjGHQlVMOy","url":"https://etherscan.io/address/0x7609c88e5880e934dd3a75bcfef44e31b1badb8b#code","type":"smart_contract","addedAt":"2024-06-04T08:02:45.738Z","revision":0,"description":"OGN 
rewards","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4DMD2RcpsKSDoq8Rbv0Lb4","url":"https://etherscan.io/address/0x63898b3b6ef3d39332082178656e9862bee45c57","type":"smart_contract","addedAt":"2024-06-04T08:01:43.039Z","revision":0,"description":"xOGN","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4L7FpJeSR5va1IkzmCtAPK","url":"https://etherscan.io/address/0x501804B374EF06fa9C427476147ac09F1551B9A0","type":"smart_contract","addedAt":"2022-02-12T09:32:20.949Z","revision":0,"description":"OGN Staking","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4a6UXPTyToNNKXVax9dh66","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2023-10-05T15:28:00.646Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"4vZ2mDqhRZDRZxZL29oMq1","url":"https://sonicscan.org/address/0xa3c0eCA00D2B76b4d1F170b0AB3FdeA16C180186#code","type":"smart_contract","addedAt":"2025-03-06T06:48:08.390Z","revision":0,"description":"Origin Sonic Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5bghQz7gn5u2YcRn80uoVd","url":"https://basescan.org/address/0x80c864704DD06C3693ed5179190786EE38ACf835","type":"smart_contract","addedAt":"2024-11-15T12:56:03.831Z","revision":0,"description":"BridgedWOETHStrategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5cQzI3nx3Vn5Y2MZnrGTfA","url":"https://sonicscan.org/address/0x596B0401479f6DfE1cAF8c12838311FeE742B95c#code","type":"smart_contract","addedAt":"2025-03-06T06:48:27.900Z","revision":0,"description":"Sonic Staking Strategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5xvdatsC4cqGtVXyTh7n5K","url":"https://etherscan.io/address/0xDcEe70654261AF21C44c093C300eD3Bb97b78192","type":"smart_contract","addedAt":"2023-05-09T15:43:46.493Z","revision":0,"description":"wOETH 
Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6LVu8PO3OI20J9yudKuSkI","url":"https://basescan.org/address/0xf817cb3092179083c48c014688d98b72fb61464f","type":"smart_contract","addedAt":"2024-11-15T12:56:37.038Z","revision":0,"description":"Timelock","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6bRXabqFdYjImesChgOv9F","url":"https://sonicscan.org/address/0x9F0dF7799f6FDAd409300080cfF680f5A23df4b1#code","type":"smart_contract","addedAt":"2025-03-06T06:47:49.582Z","revision":0,"description":"Wrapped Origin Sonic","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6sbeXi5HZhiyh6jMzmgexr","url":"https://etherscan.io/address/0x1D3Fbd4d129Ddd2372EA85c5Fa00b2682081c9EC","type":"smart_contract","addedAt":"2022-02-12T09:31:00.178Z","revision":0,"description":"Governor / Timelock","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6whGnZwizA6gYqLnRBhr4N","url":"https://basescan.org/address/0xdbfefd2e8460a6ee4955a68582f85708baea60a3#code","type":"smart_contract","addedAt":"2024-11-15T12:55:08.783Z","revision":0,"description":"SuperOETHb Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6xsXNp9ePRFYzozIW83qpD","url":"https://etherscan.io/address/0xEDf495F92c2eBdEE8B797E9C503aA7A3302A9c88","type":"smart_contract","addedAt":"2025-11-04T15:00:14.744Z","revision":0,"description":"CompoundingStakingStrategyView","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6zQwNer4SzbXjwttM3msNW","url":"https://etherscan.io/address/0xc4444C5D9e7C1a5A0a01c5E4b11692d589DcAF22","type":"smart_contract","addedAt":"2025-11-04T15:00:29.441Z","revision":0,"description":"BeaconProofs","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7LF7jR70pGycDPCR3ZPMRx","url":"https://basescan.org/address/0xdbfefd2e8460a6ee4955a68582f85708baea60a3#code","type":"smart_contract","addedAt":"2024-11-15T12:55:23.013Z","revision":0,"description":"Wrapped 
SuperOETHb","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7eQtVlBUgI2Qc7qCYo9cqH","url":"https://etherscan.io/address/0x95c347d6214614a780847b8aaf4f96eb84f4da6d","type":"smart_contract","addedAt":"2024-06-04T08:02:11.221Z","revision":0,"description":"Migrator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"BjCXQnbwKSuyj84STj99U","url":"https://etherscan.io/address/0x39254033945AA2E4809Cc2977E7087BEE48bd7Ab","type":"smart_contract","addedAt":"2023-05-09T15:44:07.134Z","revision":0,"description":"OETH Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ITwfffiXhDUtiX8fdQaYj","url":"https://sonicscan.org/address/0x5b72992e9CDe8C07CE7C8217eB014EC7fD281f03#code","type":"smart_contract","addedAt":"2025-03-06T06:49:01.710Z","revision":0,"description":"Origin Sonic Dripper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"YohPfAcEEMQAVhmAuLqOS","url":"https://app.originprotocol.com","type":"websites_and_applications","addedAt":"2022-02-12T09:33:13.700Z","revision":0,"description":"Website","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ox38hMUV4qMzBkGNsNs7F","url":"https://etherscan.io/address/0x2A8e1E676Ec238d8A992307B495b45B3fEAa5e86","type":"smart_contract","addedAt":"2022-02-12T09:27:59.409Z","revision":0,"description":"OUSD","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"rtYpTsAgo9bVbVcWoIMAK","url":"https://basescan.org/address/0x98a0cbef61bd2d21435f433be4cd42b56b38cc93","type":"smart_contract","addedAt":"2024-11-15T12:55:44.111Z","revision":0,"description":"SuperOETHb Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99102","url":"https://etherscan.io/address/0xB1d624fc40824683e2bFBEfd19eB208DbBE00866","type":"smart_contract","addedAt":"2026-02-23T09:47:36.567Z","revision":0,"description":"OUSD Morpho V2 CrossChain Master 
Strategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99103","url":"https://basescan.org/address/0xB1d624fc40824683e2bFBEfd19eB208DbBE00866","type":"smart_contract","addedAt":"2026-02-23T09:47:36.567Z","revision":0,"description":"OUSD Morpho V2 CrossChain Remote Strategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99156","url":"https://etherscan.io/address/0xf9E04C36CC7e6065cBBcc972613e8Dd75D6B5967#code","type":"smart_contract","addedAt":"2026-03-10T11:11:04.659Z","revision":0,"description":"Supernova AMO Strategy ","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"In addition, the current implementation contracts of all the listed proxy contracts are in scope. \n\nAll smart contracts of Origin Dollar can be found at [https://github.com/OriginProtocol/origin-dollar/tree/master/contracts/contracts](https://github.com/OriginProtocol/origin-dollar/tree/master/contracts/contracts). However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Safe Harbor Documents Signed","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Solidity","Typescript"],"launchDate":"2021-11-22T07:15:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/V5uJkzVDim5cy4syFWXHn/081f82c419fd83a700d15a8c80e46eb6/ognresized.png","maxBounty":1000000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - 
including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Missing access controls / unprotected internal or debugging interfaces\n\n__Websites and Apps__\n\n  - Remote Code Execution\n  - Trusting trust/dependency vulnerabilities\n  - Vertical Privilege Escalation\n  - XML External Entities Injection\n  - SQL Injection\n  - LFI/RFI\n  - Horizontal Privilege Escalation\n  - Stored XSS\n  - Reflected XSS with impact\n  - CSRF with impact\n  - Direct object reference\n  - Internal SSRF\n  - Session fixation\n  - Insecure Deserialization\n  - DOM XSS\n  - SSL misconfigurations\n  - SSL/TLS issues (weak crypto, improper setup)\n  - URL redirect\n  - Clickjacking (must be accompanied with PoC)\n  - Misleading Unicode text (e.g. using right to left override characters)","productType":["Stablecoin"],"programOverview":"Origin Protocol is a suite of complementary DeFi products designed to increase economic opportunity for all. These permissionless and composable smart contracts provide superior user experiences across DeFi in a groundbreaking multichain yield ecosystem.\n\nOrigin Dollar (OUSD) is a new, fully backed stablecoin that was initially launched in September 2020 on the Ethereum network. Its design is superior to existing stablecoins because OUSD captures competitive yields while being passively held in wallets.\n\nFor more information about Origin Dollar, please visit [https://www.ousd.com/](https://www.ousd.com/).  
\n\nThis bug bounty program is focused on their smart contracts and app and is focused on preventing:\n\n  - Loss of funds\n  - Loss of more than 10% of yield\n  - Freezing of funds that cannot be undone by admin actions\n  - Ability for an unauthorized user to use admin actions\n  - Governance process failures\n  - Redirected funds by address modification\n  - Shell access on server\n  - Injection of text\n  - Ability to have other users run arbitrary code on the site\n\n__Primacy of Impact vs Primacy of Rules__\n\nOrigin Protocol adheres to the Primacy of Impact for the following severity levels:\n  - Smart Contract: Critical\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nNon-deployed contracts on Github are not covered under the Primacy of Impact. \n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.","programType":["Smart Contract","Websites and Applications"],"project":"Origin Protocol","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll Smart Contract and Web/app bug reports must come with a PoC in order to be considered for a reward.\n\nThe known issues listed below are considered out of scope: \n\n  - All issues found in their past audits here: [https://docs.ousd.com/security-and-risks/audits](https://docs.ousd.com/security-and-risks/audits)\n\n  - OUSD does not guarantee which stablecoins will make up the backing stablecoins nor the value of those backing stable coins. Attacks which only change the mix of stablecoins, but do not reduce the total number of stablecoins held are excluded.\n\n  - Reductions in the number of backing stablecoins due to governance or strategist actions that move coins into or out of strategies, where the reduction comes from the normal fees of the underlying strategy or the price difference of stablecoins being moved in or out are excluded.\n\n  - Rounding in the flipper contract is intentional.\n  - Anything airdrop related in the old OGN staking contract at 0x501804B374EF06fa9C427476147ac09F1551B9A0\n\nCritical vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum of __USD 50 000__ for Critical bug reports on smart contracts. \n\nPayouts are handled by the __Origin Protocol__ team directly and are denominated in USD. 
However, payouts are done in __OUSD__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"OUSD","slug":"originprotocol","tenPercentEconomicRule":true,"updatedDate":"2026-03-10T11:11:05.001Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Origin Protocol is a suite of complementary DeFi products designed to increase economic opportunity for all. These permissionless and composable smart contracts provide superior user experiences across DeFi in a groundbreaking multichain yield ecosystem.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":1351,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":1352,"type":"websites_and_applications","severity":"critical","title":"Ability to execute system commands"},{"id":1354,"type":"websites_and_applications","severity":"critical","title":"Signing transactions for other users"},{"id":1355,"type":"websites_and_applications","severity":"critical","title":"Redirection of user deposits and withdrawals"},{"id":1356,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)"},{"id":1357,"type":"websites_and_applications","severity":"critical","title":"Wallet interaction modification resulting in financial loss"},{"id":1358,"type":"websites_and_applications","severity":"critical","title":"Tampering with transactions submitted to the user’s wallet"},{"id":1359,"type":"websites_and_applications","severity":"critical","title":"Submitting malicious transactions to an already-connected wallet"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed 
yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"}],"rewards":[{"id":26852,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":26853,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":15000,"rewardModel":"fixed"},{"id":26854,"primacy":null,"severity":"critical","assetType":"websites_and_applications","fixedReward":25000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4pJg357jFNmERIaRoX2rna","url":"https://etherscan.io/address/0xef3b80e70bb1874174a022bd616bbec71515f33b","type":"smart_contract","addedAt":"2025-12-17T12:08:45.925Z","revision":0,"description":"AliceV2PositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7IfFu9Sl5Yy9F4jU6qBkeg","url":"https://etherscan.io/address/0xa2868b1b0fc224b105c7be46d31aeec0c843d74d","type":"smart_contract","addedAt":"2025-12-17T12:08:45.933Z","revision":0,"description":"AliceV2PositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7zlGD3FoVFCepcHAbahCWs","url":"https://etherscan.io/address/0x901cc21db61dea32e112e06ae0164de3a1acd248","type":"smart_contract","addedAt":"2025-12-17T12:08:45.915Z","revision":0,"description":"BebopBlendAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"0BiYVMrhTcZlY3BXtMXLY","url":"https://etherscan.io/address/0x49affbe9326f2a5e5bf91dd77152a7b04601b2f4","type":"smart_contract","addedAt":"2024-11-20T07:51:24.929Z","revision":0,"
description":"ZeroExV4Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"0X3iZPzzrelsuvJ60rcVT","url":"https://etherscan.io/address/0x96ef0f7c10505460fa39c57a037a5ec2520b8b25","type":"smart_contract","addedAt":"2024-11-20T07:53:16.514Z","revision":0,"description":"NoDepegOnRedeemSharesForSpecificAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"0oAw0kSMPuIwrgM8JCLWy","url":"https://basescan.org/address/0x9691a35ca238ac01de7413493fa434eb90bc28a9","type":"smart_contract","addedAt":"2025-03-31T06:48:39.812Z","revision":0,"description":"UnpermissionedActionsWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"10VO4GviM3vCA2jigxB1Ie","url":"https://etherscan.io/address/0xaf0dffac1ce85c3fce4c2bf50073251f615eefc4","type":"smart_contract","addedAt":"2022-12-06T18:14:04.189Z","revision":0,"description":"FeeManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"11C3aLo7z8mbKtQqgpdtvJ","url":"https://arbiscan.io/address/0xf9315b421904eadf2f8fce776958c147ee9bc880","type":"smart_contract","addedAt":"2024-11-20T05:48:17.919Z","revision":0,"description":"GlobalConfigProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"12Xnka9zBnKzrIrNghlVPf","url":"https://arbiscan.io/address/0xc6ece1bff7a7b16def7e2a6956b7c75189240671","type":"smart_contract","addedAt":"2024-11-20T05:27:21.968Z","revision":0,"description":"UniswapV3LiquidityPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1401YITL6qYTUiLP2WoiRp","url":"https://arbiscan.io/address/0xb49f8c0ce9df900e024dab48952bb8a8992c1795","type":"smart_contract","addedAt":"2024-11-28T16:21:25.801Z","revision":0,"description":"DispatcherOwnedBeaconFactory 
(AaveV3FlashLoanAssetManagerLib)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"14HfHwRtK2bzhceE96PTyO","url":"https://basescan.org/address/0xbc3c160287e0ea7ce4c1a0312cc02b94e4e03bff","type":"smart_contract","addedAt":"2025-03-31T06:48:29.605Z","revision":0,"description":"ManagementFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"15jvEKxg8FGLAg4Ez2GOU3","url":"https://etherscan.io/address/0x06b13918e988d1314da1a9da4c0cde5fe994364a","type":"smart_contract","addedAt":"2022-12-06T18:12:56.195Z","revision":0,"description":"ExitRateBurnFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"16gTpnJ3XVRaobKIe6XFTt","url":"https://etherscan.io/address/0xd7b0610db501b15bfb9b7ddad8b3869de262a327","type":"smart_contract","addedAt":"2022-12-06T18:25:32.748Z","revision":0,"description":"ValueInterpreter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"170qMdnpvgL28ARIXtFY92","url":"https://arbiscan.io/address/0xc2f737aeece89d8db98a7d82bfed40d09e381ed5","type":"smart_contract","addedAt":"2024-11-20T05:31:59.395Z","revision":0,"description":"OneInchV5Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"18sQY92U82Y2spKg452nQU","url":"https://basescan.org/address/0x211b9327c66f621c0b7248bfa6828ea8644f1f7c","type":"smart_contract","addedAt":"2025-03-31T06:48:13.088Z","revision":0,"description":"AaveV3DebtPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"18w2E2vCNgRG9E9J957FWP","url":"https://basescan.org/address/0xc16db2e93492e3ea512edc90787538652ec5c099","type":"smart_contract","addedAt":"2025-03-31T06:48:11.849Z","revision":0,"description":"AaveV3Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"19OuQ7inmQ3fdOhbwKaI9Z","url":"https://basescan.org/address/0x097c44da5e720641a60c2c438c0c921d28968a00","type":"smart_contract","addedAt":"2025-03-31T06:48:24.769Z","revision":0,"description":"ExternalPositionFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"19i9sTrsLWTAP0YV6TUlx7","url":"https://pol
ygonscan.com/address/0xc393aab83371350e6c002b1c2db75c4f6b56308c","type":"smart_contract","addedAt":"2024-11-28T16:19:50.909Z","revision":0,"description":"DispatcherOwnedBeaconFactory (AaveV3FlashLoanAssetManagerLib)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1DbSH5j8PczJmPVixwtjwi","url":"https://polygonscan.com/address/0x2e25271297537b8124b8f883a92ffd95c4032733","type":"smart_contract","addedAt":"2022-12-06T18:43:11.786Z","revision":0,"description":"Dispatcher","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1GFbJIihj6rYrECKDwRIKG","url":"https://polygonscan.com/address/0x45be6669cc53fb2f6ae7f5e302482e30113888fb","type":"smart_contract","addedAt":"2025-01-13T08:37:57.470Z","revision":0,"description":"DisallowedAdapterIncomingAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1HEWuNmQgRlngcAokrN3r5","url":"https://arbiscan.io/address/0x38673bace2ae5e90d4936d0d90b58a3577795205","type":"smart_contract","addedAt":"2024-11-20T06:01:11.376Z","revision":0,"description":"AllowedExternalPositionTypesPerManagerPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1LnSfA7UxMbnKJ6Eh9OeEr","url":"https://polygonscan.com/address/0x0069111def5258f692d88bde2116c9c211cf8b04","type":"smart_contract","addedAt":"2024-11-20T07:45:03.125Z","revision":0,"description":"NoDepegOnRedeemSharesForSpecificAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1MZEtRczVpqW0WJNfJMcLf","url":"https://polygonscan.com/address/0xb8e6eda0ce8fddd21f0b0268a43a57b9296e23d5","type":"smart_contract","addedAt":"2023-08-11T22:56:44.465Z","revision":0,"description":"ProtocolFeeTracker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ObajBmO8fLnashA6ndWRG","url":"https://basescan.org/address/0x6160aec94d7cc74ec9bea2eef431460c7b719c39","type":"smart_contract","addedAt":"2025-03-31T06:48:34.354Z","revision":0,"description":"ParaSwapV6Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1PQe8XDhjYY2w83MSgOYhB","url":"https://ethersca
n.io/address/0x5a1c0e89133c4cd844a8b345370565f1368a79a8","type":"smart_contract","addedAt":"2024-11-20T07:51:56.114Z","revision":0,"description":"ThreeOneThirdAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1PuuuGHXaxRPwWSwLJbcTm","url":"https://polygonscan.com/address/0xcdf038dd3b66506d2e5378aee185b2f0084b7a33","type":"smart_contract","addedAt":"2022-12-06T18:45:38.517Z","revision":0,"description":"FundValueCalculator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1TU6xXjGCy7jHwYC2L8DL9","url":"https://etherscan.io/address/0x4f1c53f096533c04d8157efb6bca3eb22ddc6360","type":"smart_contract","addedAt":"2022-12-06T18:14:38.113Z","revision":0,"description":"FundDeployer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1VAAqeQOEjkpLFfPwSa26r","url":"https://etherscan.io/address/0x5e216f370e3555feb9a0575a57ada732a9e50386","type":"smart_contract","addedAt":"2025-01-13T08:36:39.345Z","revision":0,"description":"DisallowedAdapterIncomingAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1VGWyGkgXD0p8I5SFmyv1d","url":"https://etherscan.io/address/0x1e3da40f999cf47091f869ebac477d84b0827cf4","type":"smart_contract","addedAt":"2022-12-06T18:13:48.781Z","revision":0,"description":"ExternalPositionManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1VZZYgBrI0FgyEKVLiEubq","url":"https://basescan.org/address/0x7b6ad882fa39d45667df997c19afb4e1b225606f","type":"smart_contract","addedAt":"2025-03-31T06:48:22.568Z","revision":0,"description":"ERC4626Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1XCqSRTTufGE8UqKjUPaeY","url":"https://arbiscan.io/address/0xa2b4c827de13d4e9801ea1ca837524a1a148dec3","type":"smart_contract","addedAt":"2024-11-20T05:51:21.305Z","revision":0,"description":"FundDeployer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1XtXzqADA8wnh5SPXvTtQg","url":"https://arbiscan.io/address/0x137ac14e27de154e6a0a260570259f8cef436ba4","type":"smart_contract","addedAt":"2025-02-18T11:14:31.
511Z","revision":0,"description":"SingleAssetRedemptionQueueLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1dMF4qRRimvaIZ8sYkws73","url":"https://etherscan.io/address/0x73cb96137cb5455e77275a6ab3411d0d52d545a9","type":"smart_contract","addedAt":"2022-12-06T18:07:04.613Z","revision":0,"description":"ArbitraryLoanPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1dnRI8l4Avvu8lEioq5EgS","url":"https://basescan.org/address/0x44ddf1831fb1f9cd62bd07b4c351c826751594a6","type":"smart_contract","addedAt":"2025-03-31T06:48:36.880Z","revision":0,"description":"ProtocolFeeTracker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1eiMcd7e84rMNdFp8xCd8W","url":"https://etherscan.io/address/0x7f1b68d5ed183cda6788a66520506eaf3544001c","type":"smart_contract","addedAt":"2025-04-17T09:01:25.369Z","revision":0,"description":"StaderStakingAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1hRRchWPRKzeMcd35ZkHbD","url":"https://basescan.org/address/0x6bf54dc336bacddf2478728b5f7fdec4451a684f","type":"smart_contract","addedAt":"2025-03-31T06:48:38.525Z","revision":0,"description":"SingleAssetRedemptionQueueLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ifwVLKinKR9hBHbGc9Qcv","url":"https://etherscan.io/address/0x31103db5639ad1d5351b83409fdf7e575e26774b","type":"smart_contract","addedAt":"2024-11-18T09:51:23.296Z","revision":0,"description":"EtherFiEthPriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1jzYTeTTXZwc0RU7s2J99M","url":"https://basescan.org/address/0xceb47861043a70f8520d761e2ccf42edcc941512","type":"smart_contract","addedAt":"2025-03-31T06:48:12.266Z","revision":0,"description":"AaveV3ATokenListOwner","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1kWcBi4v1vvYRyNCEQc6Rs","url":"https://etherscan.io/address/0x3a09d11c20aa1ad38c77b4f426901d3427f73fbe","type":"smart_contract","addedAt":"2022-12-06T18:13:13.847Z","revision":0,"description":"ExitRateDirectFee","isSafeHarbor":false,"isPrimacyOfImpa
ct":false},{"id":"1l2iQVQT5I1wIIjVIhrwhF","url":"https://polygonscan.com/address/0x3e44a8be6ba3175b7659b66a4ef35a48db755e6e","type":"smart_contract","addedAt":"2023-08-11T22:57:58.589Z","revision":0,"description":"UniswapV3LiquidityPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1o9TJBrNqflmqaz32Jk6mo","url":"https://arbiscan.io/address/0xc438e48f5d2f99eb4a2b9865f8cccfc9915f227a","type":"smart_contract","addedAt":"2024-09-13T12:03:18.020Z","revision":0,"description":"UintListRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1qyLMTguFsx40n89ScX9H5","url":"https://arbiscan.io/address/0xd2fa8f6706241dfdf8069d05e1d6f6c4a439aa86","type":"smart_contract","addedAt":"2024-11-20T05:33:16.918Z","revision":0,"description":"ManagementFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1r3mFHormb2QXCslL2xC5u","url":"https://etherscan.io/address/0x47fb78995d945d501f6f9bad343d7ce7d3db54ab","type":"smart_contract","addedAt":"2022-12-06T18:04:42.478Z","revision":0,"description":"AllowedExternalPositionTypesPerManagerPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1tb39iqsqVKQDg6TQn0f3z","url":"https://arbiscan.io/address/0x2c6bef68dabf0494bb5f727e63c8fb54f7d2c287","type":"smart_contract","addedAt":"2024-11-20T06:04:29.644Z","revision":0,"description":"AddressListRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1xyXiaf7wZKhgYba30J3Cg","url":"https://etherscan.io/address/0x4619b0394f09ef964407dedce4ca19ad012bca20","type":"smart_contract","addedAt":"2022-12-06T18:10:16.528Z","revision":0,"description":"ConvexVotingPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"23EZ1GJDmBHTy844YucYNd","url":"https://polygonscan.com/address/0x124fda4b626cda9481948a86a5f8f510d8a22f4a","type":"smart_contract","addedAt":"2025-03-21T10:58:31.207Z","revision":0,"description":"PeggedRateDeviationAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"23ekciNYw0lXPKaK47MF3G","url":"https://polygon
scan.com/address/0x12534065db54c01a73857febc6a0a9225b53309c","type":"smart_contract","addedAt":"2024-11-28T16:19:31.472Z","revision":0,"description":"AaveV3FlashLoanAssetManagerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"23kTN4q9Zz5vgigG23hLGU","url":"https://basescan.org/address/0xa76bc052a4d200d851c27312b32c35502824e8e1","type":"smart_contract","addedAt":"2025-03-31T06:48:40.310Z","revision":0,"description":"ValueInterpreter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"23plhBrPcjhdOzX65BAgLH","url":"https://basescan.org/address/0x305357dbb4f4a65601751eb25d275ad071466cd2","type":"smart_contract","addedAt":"2025-03-31T06:48:39.397Z","revision":0,"description":"UintListRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"25Tm3jUkwoXm2p6TmyZPw3","url":"https://polygonscan.com/address/0x42637a6fe8dD32448be441a10782b4E29bFeA3DE","type":"smart_contract","addedAt":"2024-11-20T07:41:19.848Z","revision":0,"description":"SharePriceThrottledAssetManagerFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"25hTKMwj7Esv3HvKjdpTkq","url":"https://polygonscan.com/address/0xeffb0467247b01e944203246694afb64d4af69ce","type":"smart_contract","addedAt":"2024-11-20T07:50:04.586Z","revision":0,"description":"AaveV3ATokenListOwner","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"25ujQn1vnal1Yy5Ubp33o6","url":"https://polygonscan.com/address/0xce663e0ae43f5bf213207a6f0a16dad7c8f1448a","type":"smart_contract","addedAt":"2024-11-20T06:19:40.844Z","revision":0,"description":"ZeroExV4Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"26IO5zHCerrqsZfStB59YX","url":"https://basescan.org/address/0x6d3505a9fece30cc15514cedc7ae664ab39b2035","type":"smart_contract","addedAt":"2025-03-31T06:48:15.541Z","revision":0,"description":"AllowedAdaptersPerManagerPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"26kaKNX8yxpnl0XyUXR84o","url":"https://etherscan.io/address/0x12fa6805a1ff2d21318dcbcf677712bde8a033e1","type":"smart
_contract","addedAt":"2022-12-06T18:10:01.084Z","revision":0,"description":"ConvexVotingPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"291I3zW3r1vrsnx86oLLLo","url":"https://etherscan.io/address/0xCa289456c31392074a804A7Db0AAc918fB36cf36","type":"smart_contract","addedAt":"2024-11-20T07:53:29.081Z","revision":0,"description":"NonStandardPrecisionSimulatedAggregator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"29G5QPd57IcFVmaem03veW","url":"https://arbiscan.io/address/0xd38c8c77b250d80e743013c4019d02f6cc85b80e","type":"smart_contract","addedAt":"2024-11-28T16:20:50.325Z","revision":0,"description":"AaveV3FlashLoanAssetManagerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2AO22TzKx62Y57BuCWcDlk","url":"https://etherscan.io/address/0x64Fa106DD89F21d6e687EEbE9384637F7d54f707","type":"smart_contract","addedAt":"2024-11-18T09:50:52.579Z","revision":0,"description":"ERC4626Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2BfPCr7a6rZut9DHTK2oRH","url":"https://etherscan.io/address/0x720ef97bf835699fcf07591952cd2b132d63a6c0","type":"smart_contract","addedAt":"2022-12-06T18:03:51.671Z","revision":0,"description":"AllowedAdaptersPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2C2wPZDSFn9VYipDJ6gUiy","url":"https://polygonscan.com/address/0x1648cc031a1b6d60b5585ae21dae507a69d2b17b","type":"smart_contract","addedAt":"2023-08-11T22:58:38.639Z","revision":0,"description":"UnpermissionedActionsWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2CYU3gPrFbQ91vua5MkVLd","url":"https://basescan.org/address/0x2eca3a9b9218dd8972699f14f409e5a60caa4fbd","type":"smart_contract","addedAt":"2025-04-09T10:55:31.445Z","revision":0,"description":"EnzymeV4VaultAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2FyEWcGkv2pZENTzIywNT3","url":"https://arbiscan.io/address/0x53a124c9201f0d00470cd4245946d2bbb98210ba","type":"smart_contract","addedAt":"2024-11-20T05:32:58.335Z","revision":0,"description"
:"MinAssetBalancesPostRedemptionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2HPOviz1XM77hr6wWoDlw8","url":"https://etherscan.io/address/0x7c728cd0cfa92401e01a4849a01b57ee53f5b2b9","type":"smart_contract","addedAt":"2022-12-06T18:15:07.277Z","revision":0,"description":"FundValueCalculatorRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2HbJrFtWgq79KbAL0gUi2s","url":"https://polygonscan.com/address/0xd723241915bb1d3ac829cdef656ffdbb87ca0cf1","type":"smart_contract","addedAt":"2025-04-09T10:54:06.495Z","revision":0,"description":"EnzymeVaultPriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Hg8PvAv9n11tYauThUGsj","url":"https://etherscan.io/address/0x9cfb64D91Ce4eB821fF8EdC1C2fdA2E89E256707","type":"smart_contract","addedAt":"2024-11-18T09:42:27.952Z","revision":0,"description":"AaveV3Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2J4Vq9Ehr3n9LDlbJvvB0M","url":"https://polygonscan.com/address/0x3072cd10447605b66da7641f74cf5372eaace31a","type":"smart_contract","addedAt":"2024-11-20T07:49:35.138Z","revision":0,"description":"AaveV3DebtPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2JgFzqTPFBtKxE2ZL2Ms5d","url":"https://etherscan.io/address/0x86533352BDd201c89f184f7ebbFeBea3E31c8Bb3","type":"smart_contract","addedAt":"2024-11-20T07:54:04.164Z","revision":0,"description":"PeggedDerivativesPriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2K2B89f9SSmOr1hJJAKHyf","url":"https://etherscan.io/address/0x6ffd6fc068e7b365af18da4fdc39d3289159407b","type":"smart_contract","addedAt":"2022-12-06T18:23:03.721Z","revision":0,"description":"UintListRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2KvTujkOyDnSQZtGd5e3p2","url":"https://basescan.org/address/0x466c05433fa5a417c290e7eeed729dba9e1280e3","type":"smart_contract","addedAt":"2025-03-31T06:48:38.951Z","revision":0,"description":"TransferAssetsAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Lr71vw
3Cg6cJNDrG9XMhE","url":"https://basescan.org/address/0x6889790fb10a03bbf9dc86f1bed3219b509f5367","type":"smart_contract","addedAt":"2025-03-31T06:48:23.019Z","revision":0,"description":"ERC4626PriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2PWbOFZqPaKYRtv5GHMh5V","url":"https://arbiscan.io/address/0xbd35b273453eb3a977f2757f92b20e8c0b33c0b2","type":"smart_contract","addedAt":"2024-11-20T05:53:28.860Z","revision":0,"description":"EntranceRateDirectFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2R5TAWeVkIsutU6i8UvXa1","url":"https://arbiscan.io/address/0xea0f3cc847c8e388bd2f7adac130b64b6754f5e2","type":"smart_contract","addedAt":"2024-11-20T05:28:21.763Z","revision":0,"description":"UniswapV3Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2UfVNr3vQvKd5MqKjIEuAg","url":"https://basescan.org/address/0xd5a58dce0278d58c23a2682763073472a8e85d57","type":"smart_contract","addedAt":"2025-03-31T06:48:18.579Z","revision":0,"description":"AllowedSharesTransferRecipientsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2VAwqvHIj7LHzH9NDmvdPr","url":"https://polygonscan.com/address/0xed05786ef7b5e5bf909512f0ad46eb8f22cdc4ca","type":"smart_contract","addedAt":"2022-12-06T18:46:09.727Z","revision":0,"description":"GasRelayPaymasterFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2WVrL9tFDzmQzHtNxlUWi2","url":"https://polygonscan.com/address/0x5a8ee0850d22ffef4169dbd348c1b0d7d5f5546f","type":"smart_contract","addedAt":"2023-08-11T22:55:09.704Z","revision":0,"description":"PolicyManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2YRUdJxdet98bTWU5RJbfG","url":"https://arbiscan.io/address/0x1b905b0ab56c82b3e5d3f2e600a07b8e54748977","type":"smart_contract","addedAt":"2025-04-09T10:54:44.710Z","revision":0,"description":"EnzymeVaultPriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2btOj9ahRQi21BCLYejRzE","url":"https://etherscan.io/address/0x131c220c18874e32ABbe945eb8AA998B84f63625","ty
pe":"smart_contract","addedAt":"2022-12-06T18:15:36.926Z","revision":0,"description":"GasRelayPaymasterLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2dR7HxjbjL3UfwS24U18H3","url":"https://polygonscan.com/address/0x735615beb04bfd3665f06541ea00af1860c4354f","type":"smart_contract","addedAt":"2025-04-17T09:03:13.645Z","revision":0,"description":"ManualValueOracleFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2eA7K5XJUjSHs6iact7Oh7","url":"https://arbiscan.io/address/0x6aab72ede0255f3dd0e1ce568248a63aa3df2320","type":"smart_contract","addedAt":"2024-11-20T05:27:00.569Z","revision":0,"description":"UnpermissionedActionsWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2eCtoxqIQFObYjnn4gOnBc","url":"https://arbiscan.io/address/0x3c441b696bd451d0ba95ebb73cf1b23c20873e14","type":"smart_contract","addedAt":"2024-11-20T06:00:42.652Z","revision":0,"description":"AllowedExternalPositionTypesPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2jjMfRaJcIindoXAk9YqRj","url":"https://basescan.org/address/0x2701ff78e93091b1285289a611838dd52fc07f4e","type":"smart_contract","addedAt":"2025-03-31T06:48:13.497Z","revision":0,"description":"AaveV3FlashLoanAssetManagerFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2lPD2uTrA9yApiHYMUEvTt","url":"https://basescan.org/address/0x3ef57e315b0d92e158fa95ca3002ace28c5b8c0a","type":"smart_contract","addedAt":"2025-03-31T06:48:16.845Z","revision":0,"description":"AllowedDepositRecipientsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2mGQPpSRajpYfZpQtADg70","url":"https://arbiscan.io/address/0xd10b34e0570dfdfefcdd611476d9a71b3af7de2c","type":"smart_contract","addedAt":"2025-09-09T07:40:53.644Z","revision":0,"description":"GMXV2LeverageTradingPositionLibManagedAssets","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2mdqCJtW9Q6y3oflZ3inii","url":"https://polygonscan.com/address/0xc5c7f7c6e5e2db074d96b440d30d7aab2c99b848","type":"smart_contract","addedAt":"2
022-12-06T18:44:19.406Z","revision":0,"description":"ExitRateDirectFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2mznihYQrRkdF0JZ9994Qu","url":"https://arbiscan.io/address/0xe8db4924569a3c61aadfb721bbb009e3127196bd","type":"smart_contract","addedAt":"2024-11-28T16:22:02.346Z","revision":0,"description":"TransferAssetsAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2n04bii01I2YAoYJtRDFRT","url":"https://polygonscan.com/address/0x01460ba35cb6f847d65c5eee124e7e9e10055f16","type":"smart_contract","addedAt":"2022-12-06T18:43:28.865Z","revision":0,"description":"EntranceRateBurnFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2n3WRGEhu4GsNkGsuksTkG","url":"https://polygonscan.com/address/0x7a68d541af898c14fbd5ecbda3b402b18d8c17d4","type":"smart_contract","addedAt":"2024-11-20T07:45:25.209Z","revision":0,"description":"GatedRedemptionQueueSharesWrapperFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2n524hXRdMZ5WcqaxR5p3Q","url":"https://etherscan.io/address/0x747beaee139fba4a89fa71bebb5f21231530292b","type":"smart_contract","addedAt":"2022-12-06T18:20:02.667Z","revision":0,"description":"OnlyUntrackDustOrPricelessAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ojN5uSTadE6dsIDTqwgOH","url":"https://arbiscan.io/address/0x78c89968b121e64fa559f3b4ed1b35222a42c059","type":"smart_contract","addedAt":"2025-03-21T11:07:20.364Z","revision":0,"description":"SingleAssetDepositQueueFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2pmtAZH3qtMwcCwxnZtznM","url":"https://basescan.org/address/0x6060295a989bf8d1e74dc75273b3ab2a02b0c0e1","type":"smart_contract","addedAt":"2025-03-31T06:48:24.361Z","revision":0,"description":"ExitRateDirectFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2pwxuY6h3P7gBdttRkDlRM","url":"https://arbiscan.io/address/0xe1a147b3fb8a7be78bf3a061f176bc718d897695","type":"smart_contract","addedAt":"2024-11-18T10:06:09.387Z","revision":0,"description":"VaultLib","i
sSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2q4ZvUl2gDDBdUQSepsmox","url":"https://etherscan.io/address/0xe0309Fa2412B811a0BD40A73297093707259217f#code","type":"smart_contract","addedAt":"2024-11-28T16:19:11.014Z","revision":0,"description":"TransferAssetsAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2rY7M2gaYTcitZLDgx1lkJ","url":"https://arbiscan.io/address/0x55df97aca98c2a708721f28ea1ca42a2be7ff934","type":"smart_contract","addedAt":"2024-11-20T05:40:53.054Z","revision":0,"description":"IntegrationManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2tYuwBCibRMPdYRPxhSUld","url":"https://basescan.org/address/0x31af0ed80bc630522035c114972c3bec574cee60","type":"smart_contract","addedAt":"2025-03-31T06:48:17.296Z","revision":0,"description":"AllowedExternalPositionTypesPerManagerPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2vMpq1UDZhXllDTalOJUFa","url":"https://etherscan.io/address/0xd6e8b30214ef909421eb1d20e5b281777810004a","type":"smart_contract","addedAt":"2024-11-28T16:18:06.680Z","revision":0,"description":"DispatcherOwnedBeaconFactory 
(AaveV3FlashLoanAssetManagerLib)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2wMWLu3tRhJyddtar07iTJ","url":"https://polygonscan.com/address/0xBfA1027Ef1da99C17358CB4719A2297D67fCC5b1","type":"smart_contract","addedAt":"2024-11-20T07:43:42.859Z","revision":0,"description":"PeggedDerivativesPriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2wnp5vNlCDlUvoIlXOy2C7","url":"https://polygonscan.com/address/0xe11f3f7ac24a0839b3a3b13bd7eb5bc5e65e2483","type":"smart_contract","addedAt":"2023-08-11T22:57:37.522Z","revision":0,"description":"UniswapV3Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2wwPEB8eUuXsVg1YipfzBe","url":"https://basescan.org/address/0x7a5125491025cf44380b6d95ec385ddd37455c22","type":"smart_contract","addedAt":"2025-06-05T08:09:52.225Z","revision":0,"description":"SharePriceThrottledAssetManagerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2xIoj6E4OTKu3BpJVtxk5L","url":"https://polygonscan.com/address/0xcbbD50255Cf49797BaDB28cE625a4ea217C67A64","type":"smart_contract","addedAt":"2022-12-06T18:46:46.181Z","revision":0,"description":"GlobalConfigLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2xLObcsERYFQhVGVdrBmZ2","url":"https://polygonscan.com/address/0xddd7432671f5adc1c82c7c875624c1b0bc461deb","type":"smart_contract","addedAt":"2022-12-06T18:45:07.191Z","revision":0,"description":"FeeManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2xaW50LpMEWz0KM4XUPjFy","url":"https://etherscan.io/address/0x966ec191ed9e026cb6f7e22bb2a284bad6a2838d","type":"smart_contract","addedAt":"2022-12-06T18:19:47.496Z","revision":0,"description":"OnlyRemoveDustExternalPositionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2xeRzPRi8IrC4oeRqmdNzO","url":"https://arbiscan.io/address/0xd0c6b9801fc1e70945f11b3f93340dcc7507fd7c","type":"smart_contract","addedAt":"2024-11-20T06:05:26.608Z","revision":0,"description":"AaveV3Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"
301nhoA36frMJ9DbvHOpVn","url":"https://arbiscan.io/address/0xbde1e8c4a061cd28f4871860ddf22200b85ee9ec","type":"smart_contract","addedAt":"2024-11-20T05:29:40.754Z","revision":0,"description":"PolicyManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3020Ggj3EYbk4kPBUQhXl0","url":"https://arbiscan.io/address/0x542812a43334634213877fbfde33ecbef5234c9d","type":"smart_contract","addedAt":"2024-11-20T05:32:43.325Z","revision":0,"description":"MinMaxInvestmentPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"311t7XdfO3P28G3j4dbRr1","url":"https://arbiscan.io/address/0x19abba4ab3134c64abdd17a9073d1ec83663f036","type":"smart_contract","addedAt":"2024-11-20T06:00:29.795Z","revision":0,"description":"AllowedRedeemersForSpecificAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"32daVPiBalGGNoYYjeprzK","url":"https://etherscan.io/address/0x00f64bd22a69f429632e1469c9c812e9f70e4f11","type":"smart_contract","addedAt":"2025-03-21T10:56:14.476Z","revision":0,"description":"ERC4626RateAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"35i4LLKWLnCwZMl1uUIhHm","url":"https://etherscan.io/address/0xCFe249a7AE4619980eeA1A2d83a26a5E7281EbB0","type":"smart_contract","addedAt":"2024-11-18T09:42:17.252Z","revision":0,"description":"AaveV3ATokenListOwner","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3APxUyfleARwDSHbxlVd1U","url":"https://polygonscan.com/address/0x9f99E9Bcb69C58E9889BDd6B88C1D3059a122195","type":"smart_contract","addedAt":"2024-11-20T07:48:26.821Z","revision":0,"description":"AllowedRedeemersForSpecificAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3EqVuD3MCKDPDuH0ihycr5","url":"https://arbiscan.io/address/0xd44256acea2193d4a50a9ad879a531666729962c","type":"smart_contract","addedAt":"2024-11-20T05:52:12.083Z","revision":0,"description":"ExternalPositionFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3IQPVUxRhjvFyo4ngmZwYe","url":"https://arbiscan.io/address/0xea609
eeb38d1ee8e8719597d47cc9276df9f8707","type":"smart_contract","addedAt":"2024-11-20T05:51:05.357Z","revision":0,"description":"FundValueCalculator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3K0v3rXE9dLv59qMW0qK63","url":"https://etherscan.io/address/0xcfab4fcbfe059d5c1840d9dc285a9bfa0f96a118","type":"smart_contract","addedAt":"2022-12-06T18:24:56.744Z","revision":0,"description":"UnpermissionedActionsWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3M8DJVUNCxNtR9H0ogda5D","url":"https://basescan.org/address/0x27d5746b4fa825bfac62954bc561937ca90adc2b","type":"smart_contract","addedAt":"2025-03-31T06:48:36.058Z","revision":0,"description":"ProtocolFeeReserveLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3OJYbDFuwzb9tqPOe8FFpE","url":"https://etherscan.io/address/0x5cf43f5f8c1648db23948e3814d0099c408201a4","type":"smart_contract","addedAt":"2024-12-17T16:47:32.249Z","revision":0,"description":"StaderWithdrawalsPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3PDLWVHgiF5CRacgptkQBs","url":"https://basescan.org/address/0xf34cd6612dbfaf771cb961934855870afa384422","type":"smart_contract","addedAt":"2025-03-31T06:48:19.857Z","revision":0,"description":"CumulativeSlippageTolerancePolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3PjtPrAc0Eg8QimUT0Moph","url":"https://etherscan.io/address/0x23805fed4b73a7b77c28f2823733736951c49d6c","type":"smart_contract","addedAt":"2022-12-06T18:24:40.582Z","revision":0,"description":"UniswapV3LiquidityPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Rk8PsIRWBXHNSJ0kBfa1w","url":"https://basescan.org/address/0x798b093d7a37418d3f68f9f22264508462be450f","type":"smart_contract","addedAt":"2025-03-31T06:48:23.948Z","revision":0,"description":"ExitRateBurnFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Ue1io3qBR6qMFP04B5E7K","url":"https://etherscan.io/address/0x5611df74a77efd198de5fc7f83a482dcfe0c7a7a","type":"smart_contract","addedAt":"20
22-12-06T18:16:26.370Z","revision":0,"description":"GlobalConfigProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3VpIc4lD1BlyyRe9IZjuAV","url":"https://polygonscan.com/address/0x8ac04e34d9c1d0bd5a440157538cc6fbb0dbbc9a","type":"smart_contract","addedAt":"2023-08-11T22:53:16.030Z","revision":0,"description":"MinMaxInvestmentPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3XN2mrAky8OFl9pKLmkkQy","url":"https://etherscan.io/address/0xfc8ed755c52782fa1a4ba9193b566e775701e511","type":"smart_contract","addedAt":"2022-12-06T18:21:57.623Z","revision":0,"description":"SharesSplitterFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3b9kTEHKq19nAWhW4a4LWI","url":"https://arbiscan.io/address/0x8da28441a4c594fd2fac72726c1412d8cf9e4a19","type":"smart_contract","addedAt":"2024-11-20T05:54:01.553Z","revision":0,"description":"Dispatcher","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ela7byFWQ3R2kbcvI2M2i","url":"https://basescan.org/address/0x65d2058e86a169e8df2e052ce37c856dc47e6bdf","type":"smart_contract","addedAt":"2025-03-31T06:48:15.114Z","revision":0,"description":"AllowedAdapterIncomingAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ijQ1kHBTZNQX47lHzUgA9","url":"https://etherscan.io/address/0x846bbe1925047023651de7ec289f329c24ded3a8","type":"smart_contract","addedAt":"2022-12-06T18:15:21.604Z","revision":0,"description":"GasRelayPaymasterFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3j8C5As89NfOWmdmnOu19I","url":"https://polygonscan.com/address/0x88c9a11c7bb8bc274388d0db864ab87c14fb78b8","type":"smart_contract","addedAt":"2022-12-06T18:43:46.282Z","revision":0,"description":"EntranceRateDirectFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3otBOnaF4tz49HamTKSMeb","url":"https://etherscan.io/address/0xb3ec98d4a608577289e442474832b7f69540e169","type":"smart_contract","addedAt":"2025-03-21T10:56:34.968Z","revision":0,"description":"ParaSwapV6Adapter","isSafeHarbor":false,"isP
rimacyOfImpact":false},{"id":"3t5SsVDFelhPw7qXVzodF3","url":"https://basescan.org/address/0x578e6b8104ae0409821f5cdb531f86080d968f49","type":"smart_contract","addedAt":"2025-03-31T06:48:34.775Z","revision":0,"description":"PeggedRateDeviationAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3tQFjrhMguBUi1GdUWEPEs","url":"https://arbiscan.io/address/0x211e54a2f1e83cabc9d1211a1df0759b7193201a","type":"smart_contract","addedAt":"2024-11-20T05:48:32.053Z","revision":0,"description":"GlobalConfigLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3v4EvkH5hWSDVVCmNUHkl9","url":"https://polygonscan.com/address/0xe8a5dadff7dbd09f3b2abbb09643ba67f1860131","type":"smart_contract","addedAt":"2022-12-06T18:39:22.636Z","revision":0,"description":"ArbitraryLoanPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3xPOdg1nhkteLtS2w7bNQI","url":"https://etherscan.io/address/0x501083be98ebb2d75be75459accc5c5922c07f28","type":"smart_contract","addedAt":"2024-11-18T09:54:09.117Z","revision":0,"description":"LidoWithdrawalsPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3zPDFRjGWR0NHEsnEej7Lg","url":"https://arbiscan.io/address/0xd68543ec57ba6aa5c546d23dde7dbbc3b6d0222d","type":"smart_contract","addedAt":"2025-03-21T11:05:26.072Z","revision":0,"description":"ParaSwapV6Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"423E1lFEZY99QqujMPLxXM","url":"https://arbiscan.io/address/0x487f6a8a93c2be5a296ead2c3fbc3fceed4ac599","type":"smart_contract","addedAt":"2024-11-20T05:54:50.410Z","revision":0,"description":"CumulativeSlippageTolerancePolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"42TlfbCKF2X3yUukvCWbKr","url":"https://polygonscan.com/address/0xd33e75e1ae3185aa72d4365e1022ef23cd71233a","type":"smart_contract","addedAt":"2025-03-21T11:00:15.044Z","revision":0,"description":"SingleAssetDepositQueueLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"42yUG9Akqlm5wrLa42a1Y1","url":"htt
ps://etherscan.io/address/0x2f0e55830a173d845a886fd574f01a039a07fc37","type":"smart_contract","addedAt":"2022-12-06T18:03:20.179Z","revision":0,"description":"AllowedAdapterIncomingAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"43AWvzBEzRG2Ljdg1k3QJA","url":"https://etherscan.io/address/0x6682e70860d48a039f52daccda917250349a3fb3","type":"smart_contract","addedAt":"2022-12-06T18:16:10.348Z","revision":0,"description":"GlobalConfigLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"44smZqKkxEwGcvmlPpUYDO","url":"https://etherscan.io/address/0x823ca839da344da59d517b84ce3bab9ffc9f54ee","type":"smart_contract","addedAt":"2022-12-06T18:04:11.626Z","revision":0,"description":"AllowedAssetsForRedemptionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"45ferWFh9si8skKjFpch2a","url":"https://polygonscan.com/address/0xB13f73c5E333fb760a5BED668b1ff04432CAdab0","type":"smart_contract","addedAt":"2024-11-20T07:46:01.602Z","revision":0,"description":"ERC4626PriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"47D2bfrr70wRQyJOP4knnQ","url":"https://polygonscan.com/address/0x92fcde09790671cf085864182b9670c77da0884b","type":"smart_contract","addedAt":"2023-08-11T22:52:13.732Z","revision":0,"description":"IntegrationManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"49Z9Bw5wgYWFYVSfIZWEBX","url":"https://etherscan.io/address/0xe959c0eef487f7ee098ad10998d9dfcf4fa1d1af","type":"smart_contract","addedAt":"2022-12-06T18:07:19.982Z","revision":0,"description":"ArbitraryLoanPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4AUTBKwsDXIoWHOThMlO6C","url":"https://basescan.org/address/0x42232ff4f38639ed942e0c76723e76e1a0588899","type":"smart_contract","addedAt":"2025-03-31T06:48:14.531Z","revision":0,"description":"AddressListRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4CC78rGLMTqqlWJDhxc0gV","url":"https://basescan.org/address/0xe7bf2797190fe8c8cf1618bcc348a2ece2bacef4","type":"smart
_contract","addedAt":"2025-03-31T06:48:18.166Z","revision":0,"description":"AllowedRedeemersForSpecificAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4DproFsgkmD4QeCMjMwAt1","url":"https://etherscan.io/address/0x0edbb060a8f00f5967eecfc87c8559fa65501a3d","type":"smart_contract","addedAt":"2025-04-17T09:00:23.554Z","revision":0,"description":"ManualValueOracleFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4GJd9Vk6lHo4T0azrsIeeO","url":"https://arbiscan.io/address/0xa8c3b04a800c08ae010b56ac1c1ad7033d980b0f","type":"smart_contract","addedAt":"2024-11-20T05:32:24.341Z","revision":0,"description":"MinSharesSupplyFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4IcX7GwRLYVfONhBfgonVy","url":"https://arbiscan.io/address/0x3868c0fc34b6ece124c6ab122f6f29e978be6661","type":"smart_contract","addedAt":"2024-11-20T05:55:06.739Z","revision":0,"description":"ComptrollerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4J9yfeYP5qQ7ht6ceWW9HK","url":"https://arbiscan.io/address/0x969ea85f65677daa9552b8530a47511286894a5a","type":"smart_contract","addedAt":"2025-03-21T11:07:35.053Z","revision":0,"description":"SingleAssetDepositQueueLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Kac1H29mjRP9HWSEhN5yh","url":"https://arbiscan.io/address/0xe922362aa3426bd683b63a8e5d13903a9cfc4cbb","type":"smart_contract","addedAt":"2024-11-20T05:49:17.012Z","revision":0,"description":"GasRelayPaymasterFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4MwF5WDEwG3eRf48UhKOiZ","url":"https://arbiscan.io/address/0xeb036c294e54cc5047ab526c204752d056cc1952","type":"smart_contract","addedAt":"2024-11-20T06:02:43.734Z","revision":0,"description":"AllowedAdaptersPerManagerPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4NNXvfhLhDFT8WNhKCV9E7","url":"https://github.com/enzymefinance/protocol","type":"smart_contract","addedAt":"2022-12-07T04:11:25.373Z","revision":0,"description":null,"isSafeHarbor":false,"isPrima
cyOfImpact":false},{"id":"4No8ljXVfeVwOPCR5BoQkm","url":"https://arbiscan.io/address/0x91476db2128b324966ef0843b25d6df1bc8676c6","type":"smart_contract","addedAt":"2024-11-20T06:04:44.429Z","revision":0,"description":"AaveV3DebtPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Omje0d1Oh9XcTELqqhqQX","url":"https://basescan.org/address/0x0af17b9abe72d68ca78aa9ea1efc2def0ed1dd8a","type":"smart_contract","addedAt":"2025-03-31T06:48:30.054Z","revision":0,"description":"MinAssetBalancesPostRedemptionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4P6boY0SLIEYm8UcJRAh3z","url":"https://etherscan.io/address/0xbc9da8edde80ffb1294852d23ee1b385ea2d4929","type":"smart_contract","addedAt":"2022-12-06T18:19:31.211Z","revision":0,"description":"MinSharesSupplyFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4RSm4GhGKCLZF221Fd9pm5","url":"https://arbiscan.io/address/0x9eb802e7696c9951fdcba90699e5000d7a39205c","type":"smart_contract","addedAt":"2024-11-20T05:29:11.039Z","revision":0,"description":"ProtocolFeeReserveProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4U9yttdkyMfH5yADYMBa8l","url":"https://etherscan.io/address/0xfb8df7d5e320020cd8047226b81cf6d68f3e3c19","type":"smart_contract","addedAt":"2022-12-06T18:12:39.390Z","revision":0,"description":"EntranceRateDirectFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4bICy2f2iujTxY64OT5Nfe","url":"https://etherscan.io/address/0xFdE8c198BeF60D026332a671F64c34D65C60C935","type":"smart_contract","addedAt":"2024-11-20T07:55:11.155Z","revision":0,"description":"SharePriceThrottledAssetManagerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4fck5UUOv53OIJqpDcvMxF","url":"https://etherscan.io/address/0x66aA5b2FdFB453F8A27f9BD1d9124947Ef3886BB","type":"smart_contract","addedAt":"2024-11-18T09:51:07.329Z","revision":0,"description":"ERC4626PriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4gv5IgGKfcGyltgAtsitk7","url":"https://polygonscan.com
/address/0xf0bfee2a93b0a1f9c5f6c1d731a6cf1308d68b2d","type":"smart_contract","addedAt":"2023-08-11T22:56:27.287Z","revision":0,"description":"ProtocolFeeReserveProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4i6o3wdFbfSQlw6IQ6DpvT","url":"https://polygonscan.com/address/0x4218783ae10bd1841e6664cf048ac295d8d27a4a","type":"smart_contract","addedAt":"2022-12-06T18:36:38.313Z","revision":0,"description":"AllowedAdaptersPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4jVEofCKM1jVtE8FhM0XYY","url":"https://basescan.org/address/0x66b3962f669c0700f92c5e0692b8600f911d9ace","type":"smart_contract","addedAt":"2025-03-31T06:48:28.381Z","revision":0,"description":"GlobalConfigLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4jn5uA15vol2vbRfeVDe8M","url":"https://polygonscan.com/address/0xe1853502e2ea2b7c14c5e89169c63065f5a459ff","type":"smart_contract","addedAt":"2022-12-06T18:37:15.148Z","revision":0,"description":"AllowedDepositRecipientsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4kDzy9RsaD2FvevxwedlTf","url":"https://basescan.org/address/0xe32792c67d797784ced56f266e92a6611fe5e973","type":"smart_contract","addedAt":"2025-04-09T10:55:18.823Z","revision":0,"description":"EnzymeVaultPriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4leYPlJASeHazQrurMJRnf","url":"https://polygonscan.com/address/0x51b47d3dbef6ff6e1fd7a5054ff75d19e07d7f56","type":"smart_contract","addedAt":"2025-04-09T10:54:23.771Z","revision":0,"description":"EnzymeV4VaultAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4tV6PXMhtv3Ikt6UasTOeS","url":"https://arbiscan.io/address/0xd12e5973a04dabe5bbc2d05b2598310217bd2640","type":"smart_contract","addedAt":"2025-02-11T19:15:00.311Z","revision":0,"description":"ConvertedQuoteAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4upFOzASB8iBINY0FFxebH","url":"https://etherscan.io/address/0x03f7f3b8da875881206655d8099b9dacf721f1ef","type":"smart_contract","adde
dAt":"2024-11-18T09:50:06.601Z","revision":0,"description":"ComptrollerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4uxQF7ZH05Bi5u43rHmZ5Y","url":"https://etherscan.io/address/0xebdadfc929c357d12281118828aea556db5be30c","type":"smart_contract","addedAt":"2022-12-06T18:19:14.862Z","revision":0,"description":"MinMaxInvestmentPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4vRdSeO9n8XakgeCRbNP7U","url":"https://polygonscan.com/address/0xb6367cd4b67c44e963ae81e9c1757a1c08ede28c","type":"smart_contract","addedAt":"2022-12-06T18:37:31.007Z","revision":0,"description":"AllowedExternalPositionTypesPerManagerPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4wrUxqWe1Z0BoWdOXLaGhq","url":"https://etherscan.io/address/0xE971375e3E8af54232F9B7c88cCE143EDf95C272#code","type":"smart_contract","addedAt":"2024-11-18T09:52:19.508Z","revision":0,"description":"GatedRedemptionQueueSharesWrapperLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4zPPdyvpgrWeS9Be25Kz7o","url":"https://arbiscan.io/address/0x671ed11497e8fe5c98ed45e699639cf081ee0a5f","type":"smart_contract","addedAt":"2025-04-17T09:05:05.144Z","revision":0,"description":"ManualValueOracleFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4zThL61KorL9zNaSNNQe1V","url":"https://basescan.org/address/0xf9ae950b4bb08cb0b239cb3c0c47753ef7df1302","type":"smart_contract","addedAt":"2025-03-31T06:48:20.745Z","revision":0,"description":"DisallowedAdapterIncomingAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4zgXMDEn3ZB0KBj3GkiGES","url":"https://basescan.org/address/0x3d627701ce55894509c59e5cb3e3cc337f3715aa","type":"smart_contract","addedAt":"2025-03-31T06:48:15.947Z","revision":0,"description":"AllowedAdaptersPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"53hPb0Xb6nkOJAQd1Zjbii","url":"https://polygonscan.com/address/0x97f13b3040a565be791d331b0edd4b1b58dbd843","type":"smart_contract","addedAt":"2023-08-11T22:52:30.691Z","revision"
:0,"description":"ManagementFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"54x6pvOgaIxWAXAplKdkGw","url":"https://basescan.org/address/0xafcfa6e8689a7a5469c6bda351c507cd0108423a","type":"smart_contract","addedAt":"2025-03-31T06:48:27.950Z","revision":0,"description":"GasRelayPaymasterLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"565uAe6eJEvzMleMSEHvrv","url":"https://arbiscan.io/address/0xb658a26ec9638051a42160bb02319fed12299b25","type":"smart_contract","addedAt":"2025-02-18T11:14:50.273Z","revision":0,"description":"SingleAssetRedemptionQueueFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"56XZ6HbXI1rPyXY9fJvZhD","url":"https://etherscan.io/address/0x0883BA10F44217B97bDE11900e197738a7dF911B","type":"smart_contract","addedAt":"2024-11-20T07:54:59.816Z","revision":0,"description":"SharePriceThrottledAssetManagerFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"59B1eegSYaRBSBFRXJKuLO","url":"https://polygonscan.com/address/0x30ed4e3cf5e1faf6fc9776d256d535f3470bb710","type":"smart_contract","addedAt":"2022-12-06T18:36:20.913Z","revision":0,"description":"AllowedAdaptersPerManagerPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"59ERlUtUUq57DfDz3smyRp","url":"https://arbiscan.io/address/0x54325c3dc5ad60305a70bc565be7a9ce71224a76","type":"smart_contract","addedAt":"2024-11-20T06:02:59.984Z","revision":0,"description":"AllowedAdapterIncomingAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5AnBExF0z6STKfJKeqEOqZ","url":"https://polygonscan.com/address/0x03acc0a48e0d6d24756481ff60b34af8f5def881","type":"smart_contract","addedAt":"2024-11-20T07:48:58.358Z","revision":0,"description":"AaveV3DebtPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5CIC1iNP8WQiaGeoffk8xM","url":"https://polygonscan.com/address/0x420811f86787ae5f4070dcf85c74d8a5a2aaad5b","type":"smart_contract","addedAt":"2023-08-11T22:56:12.319Z","revision":0,"description":"ProtocolFeeReserveLib","isSafeHa
rbor":false,"isPrimacyOfImpact":false},{"id":"5DLlOAdKCZeDQ7MNksNRLy","url":"https://polygonscan.com/address/0x3b5730f5ff329ac41d206eba1a2aa12d356791e8","type":"smart_contract","addedAt":"2025-03-21T10:57:52.529Z","revision":0,"description":"ERC4626RateAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5DvOd5NL4Vsn2a2b1weiCY","url":"https://etherscan.io/address/0x9938B14A25a4910531d5cBdf3c41510b19aaF016","type":"smart_contract","addedAt":"2024-11-20T07:56:36.111Z","revision":0,"description":"StaderSDPriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5E5EkctV31QNwDYBI4n9Bj","url":"https://etherscan.io/address/0x20a2d4765be139475c34db7b7d856dcf25092c26","type":"smart_contract","addedAt":"2022-12-06T18:24:24.067Z","revision":0,"description":"UniswapV3LiquidityPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ENbIJ4IvCVLN0LRYzvYKl","url":"https://etherscan.io/address/0x9579f735d0c93b5eef064fe312ca3509bd695206","type":"smart_contract","addedAt":"2022-12-06T18:25:13.479Z","revision":0,"description":"UsdEthSimulatedAggregator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5F1dntbNaICBwGH9vQ8Jpg","url":"https://polygonscan.com/address/0x9932120518b25E35D4653A8b8D316c58c8b6d7c9#code","type":"smart_contract","addedAt":"2024-11-20T07:45:35.754Z","revision":0,"description":"GatedRedemptionQueueSharesWrapperLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5GK9A57b2jIXaODNbXHb8m","url":"https://etherscan.io/address/0x4eb4c7babfb5d54ab4857265b482fb6512d22dff","type":"smart_contract","addedAt":"2022-12-06T18:03:09.084Z","revision":0,"description":"AddressListRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5HJNmM1KxcTHfw5XUYPvJd","url":"https://polygonscan.com/address/0x3338ef8a1a288c3b3b71708e85c7809b46c06776","type":"smart_contract","addedAt":"2023-08-11T22:58:14.456Z","revision":0,"description":"UniswapV3LiquidityPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5HZy
Ku7yYNPT05wgcJfTKN","url":"https://basescan.org/address/0x65b8f1f82ce8a6b72db0937c522a52af5693d4d3","type":"smart_contract","addedAt":"2025-03-31T06:48:28.789Z","revision":0,"description":"GlobalConfigProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5KoXgnAsWNCM9KjSGDDgSr","url":"https://etherscan.io/address/0xb7460593bd222e24a2bf4393aa6416bd373995e0","type":"smart_contract","addedAt":"2022-12-06T18:21:25.228Z","revision":0,"description":"ProtocolFeeReserveProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5L1MnOdsCl5w0b6ofFberF","url":"https://etherscan.io/address/0xd5004c5d3017862839e83981b110f27ee7b36eaa","type":"smart_contract","addedAt":"2025-04-04T09:04:59.406Z","revision":0,"description":"SmarDexUsdnNativeRateUsdAggregator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5LMivepG2EHjDdInljXP0R","url":"https://etherscan.io/address/0xc3dc853dd716bd5754f421ef94fdcbac3902ab32","type":"smart_contract","addedAt":"2022-12-06T18:11:59.311Z","revision":0,"description":"Dispatcher","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5LzKZtMobCIx3sBsplwsij","url":"https://polygonscan.com/address/0xc192fd3b13549ad5bc3c0a0118a29556d0cdd482","type":"smart_contract","addedAt":"2022-12-06T18:36:05.082Z","revision":0,"description":"AllowedAdapterIncomingAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5QsKOn561X0pyVvj9UIpze","url":"https://basescan.org/address/0x092523489a789b0984adf41e83371eb1e3c49d63","type":"smart_contract","addedAt":"2025-03-31T06:48:37.728Z","revision":0,"description":"SingleAssetDepositQueueLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5S5JMBf0nCIr5zY4iLFR3E","url":"https://arbiscan.io/address/0xa482f4ab637cd5ca00084d511b3ca9aa8d8f475e","type":"smart_contract","addedAt":"2024-11-20T05:31:30.281Z","revision":0,"description":"OnlyUntrackDustOrPricelessAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5TV8JAC6iccemUNm0MGZ7","url":"https://basescan.org/address/0xd5e014446
4ec160ed2b4ce27f734a975bad2d938","type":"smart_contract","addedAt":"2025-03-31T06:48:22.147Z","revision":0,"description":"EntranceRateDirectFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5UboYKfw3QjEMpQf4vsug3","url":"https://etherscan.io/address/0x31329024f1a3e4a4b3336e0b1dfa74cc3fec633e","type":"smart_contract","addedAt":"2022-12-06T18:17:16.879Z","revision":0,"description":"IntegrationManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5UnF3fai5ydYrYDPPjQhUW","url":"https://basescan.org/address/0x33d9d62a9155e96202378b80078bf73d4f1317a9","type":"smart_contract","addedAt":"2025-03-31T06:48:32.228Z","revision":0,"description":"NoDepegOnRedeemSharesForSpecificAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5V1y0RTYndGRlgYGNVmjgi","url":"https://arbiscan.io/address/0xad404ceabad39d4b22bf2e1265a161ac44620825","type":"smart_contract","addedAt":"2024-11-20T05:32:11.348Z","revision":0,"description":"NoDepegOnRedeemSharesForSpecificAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5VJWcQLesKnIFKyCcrAxk6","url":"https://arbiscan.io/address/0x42a8aee7d9cd8dfcac4b1881426f91aa813ece50","type":"smart_contract","addedAt":"2025-09-09T07:40:53.637Z","revision":0,"description":"GMXV2LeverageTradingPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5VuqgwrW1G8fxBhggtLxQv","url":"https://etherscan.io/address/0x7f2a48122bbd3ffba33ed9d1f5cfabede7caab34","type":"smart_contract","addedAt":"2022-12-06T18:07:38.438Z","revision":0,"description":"ArbitraryLoanTotalNominalDeltaOracleModule","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5XxnOCAeqayf1I8OKchy1u","url":"https://polygonscan.com/address/0x79567acc4c54c23f5f449c1fbc1b54ac615df87d","type":"smart_contract","addedAt":"2024-11-20T07:46:12.994Z","revision":0,"description":"ERC4626Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5YS6QetEws2RbuzkINWZe0","url":"https://etherscan.io/address/0xfedc73464dfd156d30f6524654a5d56e766da0c3","t
ype":"smart_contract","addedAt":"2022-12-06T18:20:33.972Z","revision":0,"description":"PerformanceFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5YrKh3jhvgo2LgdfHt4yF0","url":"https://etherscan.io/address/0x9e076e7d35a3b881ab9e3da958431630fdfa756f","type":"smart_contract","addedAt":"2022-12-06T18:05:56.321Z","revision":0,"description":"AllowedExternalPositionTypesPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ZEQ3NDWOPvwvYNFvVOW4t","url":"https://etherscan.io/address/0x40108b712f0d8051ac5af7f155e63de73f5fdd27","type":"smart_contract","addedAt":"2024-11-18T09:42:51.237Z","revision":0,"description":"AaveV3DebtPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5e6ANPAErTMTyWFs9RnJh3","url":"https://basescan.org/address/0xd79fcd6eb56115f9757ec4c90fc2c5d143f83c16","type":"smart_contract","addedAt":"2025-03-31T06:48:21.190Z","revision":0,"description":"Dispatcher","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5eA7yB1W65zEaRMSI2nzsk","url":"https://etherscan.io/address/0x2a07500d96f324d615bd545b921faefdd97c5ad3","type":"smart_contract","addedAt":"2025-04-09T10:53:01.512Z","revision":0,"description":"EnzymeVaultPriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5h2yVvjqvSyfkDPPOrUXyn","url":"https://arbiscan.io/address/0x166ada85f6a398ba01d2b97022770cc6bd9d2ea2","type":"smart_contract","addedAt":"2024-11-20T06:02:11.515Z","revision":0,"description":"AllowedAssetsForRedemptionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5hNM4yD8iKDz2vYinuGlP5","url":"https://arbiscan.io/address/0xc63ddc23ac51b87a163a0f1458022954a3ac9293","type":"smart_contract","addedAt":"2025-09-09T07:40:53.647Z","revision":0,"description":"GMXV2LeverageTradingPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5lDlymb8LvHQs7nlpF5pMN","url":"https://basescan.org/address/0x0637460015fdb07bc7e4cf58dc52f8159272c7e0","type":"smart_contract","addedAt":"2025-03-31T06:48:16.392Z","revision":0,"description
":"AllowedAssetsForRedemptionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5q5KgctkP2rf3rJ7Y3kBLX","url":"https://arbiscan.io/address/0xc7bde79a2a02fa20f18f7c3ffefdd3f6ef3790d8","type":"smart_contract","addedAt":"2025-04-09T10:54:58.481Z","revision":0,"description":"EnzymeV4VaultAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5rKVUAF2zCFQdhGacSVFBN","url":"https://basescan.org/address/0xe7e6db86b10e2cf1f409eb635998de81c841330f","type":"smart_contract","addedAt":"2025-03-31T06:48:25.196Z","revision":0,"description":"ExternalPositionManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5szqHMzdRaTmQEGMlaRBx2","url":"https://etherscan.io/address/0xaefe3260dcbcfaa2a4b927a6494057837e6dd902","type":"smart_contract","addedAt":"2024-12-17T16:47:50.281Z","revision":0,"description":"StaderWithdrawalsPositionParser","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5uTwUhWaa5BK1lEQKd70iV","url":"https://polygonscan.com/address/0x067eeea753aba0ddecca0b80bbb8b7572bf6580d","type":"smart_contract","addedAt":"2022-12-06T18:44:35.024Z","revision":0,"description":"ExternalPositionFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5wWrktHjbZQi9kGqBCM2X","url":"https://basescan.org/address/0x5d8703b4a08fd3f698bafd5389fa25463fb383dd","type":"smart_contract","addedAt":"2025-03-31T06:48:29.178Z","revision":0,"description":"IntegrationManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5x8tsCoP8RlZcgEMJdplGU","url":"https://polygonscan.com/address/0x5a739da3099fd4fc954bd764099fc000da76d8e7","type":"smart_contract","addedAt":"2022-12-06T18:37:46.413Z","revision":0,"description":"AllowedExternalPositionTypesPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5yjsZpyqVOL3KWekYLiegL","url":"https://arbiscan.io/address/0x1768b813d17f82a8d70bd8b80a8c8c1562878337","type":"smart_contract","addedAt":"2024-11-20T06:02:27.454Z","revision":0,"description":"AllowedAdaptersPolicy","isSafeHarbor":false,"isPrimacyOfImpact"
:false},{"id":"6275jZRKO7SFCT9cBOTrT","url":"https://polygonscan.com/address/0x1112a89180fc465b648866b98f0e54237b07eaee#code","type":"smart_contract","addedAt":"2024-11-20T07:37:39.385Z","revision":0,"description":"ThreeOneThirdAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"63AOvs7MTNNOSr7IMgWLUF","url":"https://basescan.org/address/0xa9928195a36ef1c238b1b8b5912b9fbce7554f73","type":"smart_contract","addedAt":"2025-03-31T06:48:25.633Z","revision":0,"description":"FeeManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"64n95WhbfbJBr3X21HsT9i","url":"https://polygonscan.com/address/0x52e83a4c9a123500e8324b9f489a681ffda92a17#code","type":"smart_contract","addedAt":"2024-11-28T16:20:27.827Z","revision":0,"description":"TransferAssetsAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"659O8WRofrKLle5uyYrC0M","url":"https://arbiscan.io/address/0xb5ef1f5e549ad46603bec9011b99a96a6cfd993e","type":"smart_contract","addedAt":"2024-11-20T05:59:50.140Z","revision":0,"description":"AllowedSharesTransferRecipientsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"65KGPwhq3SMdmGoQwbj8ur","url":"https://polygonscan.com/address/0xddb8ebe5361ca93614e5efb34049e842912e1612","type":"smart_contract","addedAt":"2022-12-06T18:47:45.327Z","revision":0,"description":"VaultLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"67Ppjmvsb6QTfBtOcE6nbd","url":"https://polygonscan.com/address/0x5ae15bf655a8f42b9c7d93e64f4476ec1da248f8","type":"smart_contract","addedAt":"2022-12-06T18:35:49.060Z","revision":0,"description":"AddressListRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6D2UKNFaZMt9eaH55M1aa","url":"https://polygonscan.com/address/0x66de7e286aae66f7f3daf693c22d16eea48a0f45","type":"smart_contract","addedAt":"2023-08-11T22:59:11.300Z","revision":0,"description":"ValueInterpreter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6DtKh7WjopvtxxoCtIKxwk","url":"https://polygonscan.com/address/0x51e75b5e0eef2d40b
4d70c5daa2666e1ea30f0bd","type":"smart_contract","addedAt":"2023-08-11T22:58:54.655Z","revision":0,"description":"UsdEthSimulatedAggregator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6GBJEVj5IdUbZapgqKx2OE","url":"https://polygonscan.com/address/0x1a0e3326795a77903e2a11790bd702ebb29b8944","type":"smart_contract","addedAt":"2023-08-11T22:57:01.095Z","revision":0,"description":"SharesSplitterFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6JlEgxfHmCRpKOQ3KfLwOA","url":"https://polygonscan.com/address/0x2baa64f0ce9c2e60e91127fc3f40a72529e82c87","type":"smart_contract","addedAt":"2022-12-06T18:42:55.672Z","revision":0,"description":"DepositWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6KUEHBEIYFRFfb0jC3FPN6","url":"https://polygonscan.com/address/0x71b8254f608a73162445655ff2f07ccb1586b3b6","type":"smart_contract","addedAt":"2022-12-06T18:36:56.381Z","revision":0,"description":"AllowedAssetsForRedemptionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6LBgdDPmwypidtzb94Iezb","url":"https://polygonscan.com/address/0x9f856372f7bd844dac0254c7859b117259b5c9d2","type":"smart_contract","addedAt":"2023-08-11T22:54:14.680Z","revision":0,"description":"OnlyUntrackDustOrPricelessAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6LQRa6OPtBAWb8M4kwRiR2","url":"https://polygonscan.com/address/0xf19652f82eeacc4ec2c4284a3632c0e27d76857d","type":"smart_contract","addedAt":"2025-02-11T19:14:36.645Z","revision":0,"description":"ConvertedQuoteAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6M8BiWAyUHWNEbcs1ogGxh","url":"https://arbiscan.io/address/0x8bdb929f16c2ce833c3c3176ba5c607e20949010","type":"smart_contract","addedAt":"2024-11-20T05:52:44.994Z","revision":0,"description":"ExitRateBurnFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6MpELy0P0SgYhyM0WAlYMk","url":"https://etherscan.io/address/0x0012B7C26b8C081a29A61cD52526cF6305367968","type":"smart_contract","addedAt":"
2024-11-20T07:55:27.721Z","revision":0,"description":"SingleAssetRedemptionQueueLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6SdO8DPSBFXrM57dhZ7eQ7","url":"https://etherscan.io/address/0xd71894348d0b068af066a6f7b093809a8ad10d98","type":"smart_contract","addedAt":"2025-03-21T10:56:54.159Z","revision":0,"description":"PeggedRateDeviationAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6SlVtAENwal6k3Opjc6RT5","url":"https://etherscan.io/address/0xa66baaa0ccb6468c5a2cb61f5d672c7ba0440ee1","type":"smart_contract","addedAt":"2022-12-06T18:04:26.992Z","revision":0,"description":"AllowedDepositRecipientsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6UgBA5SWz6CDYtZsPTT0oJ","url":"https://arbiscan.io/address/0x9a61b0c7307d45e67357e0d5a0d35bca5ce96755","type":"smart_contract","addedAt":"2025-03-21T11:05:04.045Z","revision":0,"description":"ERC4626RateAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6VVab4v4KGNwvudP50BQr","url":"https://etherscan.io/address/0xed6a08e05cb4260388dc7cc60bc5fefccfab2793","type":"smart_contract","addedAt":"2022-12-06T18:24:08.299Z","revision":0,"description":"UniswapV3Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Zf6ynbrjGArgKeXMVZDhd","url":"https://etherscan.io/address/0xa4507d51c5270ff91229b76300ff90774384d144","type":"smart_contract","addedAt":"2022-12-06T18:03:35.737Z","revision":0,"description":"AllowedAdaptersPerManagerPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6au0bjvGNlP0m7p1ZIjqok","url":"https://arbiscan.io/address/0xde0c43b8cb1cacdec773ef55fcbfbcbe009891f1","type":"smart_contract","addedAt":"2024-11-20T06:01:25.792Z","revision":0,"description":"AllowedDepositRecipientsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6bQWGmmizqQ0tVYhPxttbf","url":"https://basescan.org/address/0x89898c38d584166a8ed5c10cbd0ce7f4b0058c6c","type":"smart_contract","addedAt":"2025-03-31T06:48:13.916Z","revision":0,"description":
"AaveV3FlashLoanAssetManagerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6g9TKr23xtLsgf0ftquwmE","url":"https://basescan.org/address/0xbb274df654f71827cca120e0b916aec1f2ceaaeb","type":"smart_contract","addedAt":"2025-03-31T06:48:26.041Z","revision":0,"description":"FundDeployer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6heJIEuOYhaFrc8pX2ZtcH","url":"https://basescan.org/address/0x072d99cf2a75aadf605b9970ccba0352e7c4947c","type":"smart_contract","addedAt":"2025-03-31T06:48:35.213Z","revision":0,"description":"PerformanceFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6kvat1UxBvLPRH4JzZJGvq","url":"https://polygonscan.com/address/0xc0f49507c125a000e02ab58c22be9764e2abab99","type":"smart_contract","addedAt":"2023-08-11T22:54:00.126Z","revision":0,"description":"OnlyRemoveDustExternalPositionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6l6eroKqSAFrBwB3fh7eG2","url":"https://basescan.org/address/0xb17403bcbccc3b74fa7491e38913dd36f1b9f402","type":"smart_contract","addedAt":"2025-03-31T06:48:27.029Z","revision":0,"description":"FundValueCalculatorRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6mTjNRET4s8J2gelUxmz3J","url":"https://polygonscan.com/address/0x0bbb9635d12a9c022b647f379224d88874d37879","type":"smart_contract","addedAt":"2022-12-06T18:44:02.560Z","revision":0,"description":"ExitRateBurnFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6mk9lKRb9bQ6xoFP1SvYCN","url":"https://polygonscan.com/address/0x9301b377f646b38e31681cc5c35f364385e4121d","type":"smart_contract","addedAt":"2022-12-06T18:39:38.746Z","revision":0,"description":"ArbitraryLoanTotalNominalDeltaOracleModule","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6mus8iGPefp7TAZnGTMe4Y","url":"https://basescan.org/address/0x633D9dEB8FE276000fB31B4255e5ad83D96ede25","type":"smart_contract","addedAt":"2025-03-31T06:48:37.301Z","revision":0,"description":"SingleAssetDepositQueueFactory","isSafeHarbor":false,"isPrimacyOfI
mpact":false},{"id":"6n3gNvZW7qbtDHkNVQEEI2","url":"https://polygonscan.com/address/0x1332367c181f1157f751b160187dcaa219706bf2","type":"smart_contract","addedAt":"2022-12-06T18:41:52.066Z","revision":0,"description":"CumulativeSlippageTolerancePolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6nGT7yr4d0VDk0L1jaTXeJ","url":"https://arbiscan.io/address/0x75f276d7a279cb0fb89ad29cc9f1fe03219c6e65","type":"smart_contract","addedAt":"2024-11-20T06:05:08.452Z","revision":0,"description":"AaveV3DebtPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6nIOmtcOKJ4ijDCQgZygDN","url":"https://basescan.org/address/0xa32d9085c8c56515a1a03648b5c417badbe7732d","type":"smart_contract","addedAt":"2025-03-31T06:48:30.920Z","revision":0,"description":"MinSharesSupplyFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ovfGJAWy9IAlWiSGOSPtv","url":"https://arbiscan.io/address/0xe4453105be9e579896a3ed73df9a1e285c8c95c2","type":"smart_contract","addedAt":"2024-11-20T05:31:44.332Z","revision":0,"description":"OnlyRemoveDustExternalPositionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6qpE7e8HR9Vm9xAqu5twF2","url":"https://polygonscan.com/address/0x905448cb27f51d9a663fb18d57d76c49d19be837","type":"smart_contract","addedAt":"2022-12-06T18:47:05.268Z","revision":0,"description":"GlobalConfigProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6s2xSNJW3wH0bfgOQMDSN7","url":"https://etherscan.io/address/0x2b4fdcba08e5961c6a129b9fe13ecd10cdc249ce","type":"smart_contract","addedAt":"2025-04-09T10:53:19.504Z","revision":0,"description":"EnzymeV4VaultAdapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6sdYzDcugxqnxS2FgGV9f3","url":"https://basescan.org/address/0x5fe2db5abbb9fd2f840a51916abbda451151e56f","type":"smart_contract","addedAt":"2025-03-31T06:48:12.678Z","revision":0,"description":"AaveV3DebtPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6vaI4whOl8hwhOos5k9iXk","url":"https://basescan.org/address
/0x944d01bf533ed041d9947826429f086bf56c5856","type":"smart_contract","addedAt":"2025-03-31T06:48:40.730Z","revision":0,"description":"VaultLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6xsDur0japWvRWqCg7Jyi3","url":"https://etherscan.io/address/0x58c0a2a546b3903fa68a53e34ee0c8a02aabfad0","type":"smart_contract","addedAt":"2022-12-06T18:19:00.146Z","revision":0,"description":"MinAssetBalancesPostRedemptionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6yoHe8OlIlTpvjzFpiPbMO","url":"https://basescan.org/address/0x785f1779ae48bfa8f8d89ce140c62a603c104f36","type":"smart_contract","addedAt":"2025-03-31T06:48:38.140Z","revision":0,"description":"SingleAssetRedemptionQueueFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6zvvfDFEFrCG3am1sxv1Nf","url":"https://etherscan.io/address/0xadf5a8db090627b153ef0c5726ccfdc1c7aed7bd","type":"smart_contract","addedAt":"2022-12-06T18:20:53.807Z","revision":0,"description":"PolicyManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"71PzbqMtf3cSBbHMxFYUK0","url":"https://etherscan.io/address/0x65bbad6545b7ac9c30fb0f07e64e25106bf05eec","type":"smart_contract","addedAt":"2022-12-06T18:11:44.341Z","revision":0,"description":"DepositWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"73SPNmKC8OcowXZfytJj1q","url":"https://etherscan.io/address/0xe9cfe0f99b8a01fd80f110da4d8f08f6bf3dd6a6","type":"smart_contract","addedAt":"2022-12-06T17:16:45.621Z","revision":0,"description":"AavePriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"75DpnU3QlpAtsiv572WRKi","url":"https://basescan.org/address/0xe14a2297328c4bd3e30c365653bb4fdb3514ebac","type":"smart_contract","addedAt":"2025-03-31T06:48:19.440Z","revision":0,"description":"ConvertedQuoteAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"75bmul3cEEXKyTVhiVmBar","url":"https://arbiscan.io/address/0x90b53aefdbd2ba3573d965d2d98951f2aa00507d","type":"smart_contract","addedAt":"2024-11-20T05:51:55.939
Z","revision":0,"description":"ExternalPositionManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"77B3dvnEIEvbY91VxzKMnf","url":"https://polygonscan.com/address/0x4c8026a88f1da2d299c539b8c070c1c44372d53c","type":"smart_contract","addedAt":"2025-03-21T10:58:13.367Z","revision":0,"description":"ParaSwapV6Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"77acTV1fpgX0FnWjGpMN9l","url":"https://etherscan.io/address/0xe77ba2e88aae1543839ec6ee0a0f847391205610","type":"smart_contract","addedAt":"2024-11-28T16:18:32.637Z","revision":0,"description":"PendleV2Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"77mHsDZkI6rbkCpWCuJR3d","url":"https://etherscan.io/address/0x0aacb782205dde9eff4862ace9849dce1ca3409f","type":"smart_contract","addedAt":"2022-12-06T18:13:33.128Z","revision":0,"description":"ExternalPositionFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"780cBZAshH6SYH8CH3RCah","url":"https://polygonscan.com/address/0xe54065F5B303c2843C769fb232B95bb893cf0B87","type":"smart_contract","addedAt":"2024-11-20T07:38:26.021Z","revision":0,"description":"SingleAssetRedemptionQueueLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"78AXhBRllYnFA2732QGvAO","url":"https://polygonscan.com/address/0xf5fc0e36c85552e44354132d188c33d9361eb441","type":"smart_contract","addedAt":"2022-12-06T18:39:56.727Z","revision":0,"description":"ComptrollerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"79hT781KEj97pWeGTzWVOw","url":"https://polygonscan.com/address/0x3b6913a8ed4595919a6b4a9022208cede20194bd","type":"smart_contract","addedAt":"2022-12-06T18:38:03.591Z","revision":0,"description":"AllowedSharesTransferRecipientsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7EPGQMgQwBWPXliQ7OKMal","url":"https://etherscan.io/address/0xfE84D5209054254389C9D6a754B821f3a297D56a","type":"smart_contract","addedAt":"2024-11-20T07:56:23.615Z","revision":0,"description":"SingleAssetRedemptionQueueFactory","isSafeHarbor"
:false,"isPrimacyOfImpact":false},{"id":"7EdzxTFGortQ1qXCY4NiHp","url":"https://polygonscan.com/address/0xa825861dd852a9aae44612228bf72e9b14048017","type":"smart_contract","addedAt":"2025-03-21T10:59:37.178Z","revision":0,"description":"SingleAssetDepositQueueFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7EljQCJvSRMUgI7ouU1ex1","url":"https://etherscan.io/address/0xEd4AA74490843E7ad64B445eF18CecE8A0562433","type":"smart_contract","addedAt":"2024-11-18T09:44:50.168Z","revision":0,"description":"AllowedRedeemersForSpecificAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7FrM2PWF5cD7qw07hQfE5m","url":"https://arbiscan.io/address/0x2e58f80cea88f0787cadf1bb30acc23d8ac81982","type":"smart_contract","addedAt":"2024-11-20T05:50:38.384Z","revision":0,"description":"FundValueCalculatorRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7HK2LCkMuAklg9R5jghbFY","url":"https://arbiscan.io/address/0x2c46503d4a0313c7161a5593b6865baa194b466f","type":"smart_contract","addedAt":"2024-11-20T05:51:43.106Z","revision":0,"description":"FeeManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7HXHZRBJxGfdaQHO4NeIK1","url":"https://etherscan.io/address/0xebe37e43bc6b3aacfe318d6906fc80c4a2a7505a","type":"smart_contract","addedAt":"2022-12-06T18:06:11.803Z","revision":0,"description":"AllowedSharesTransferRecipientsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7KpTlfp5ezuLv3xNLrP76b","url":"https://polygonscan.com/address/0x3116cab784d30a07ff1bb370222290160a9eba1f","type":"smart_contract","addedAt":"2022-12-06T18:35:33.365Z","revision":0,"description":"AavePriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7KsDqnSSiBsj14h1drCo63","url":"https://polygonscan.com/address/0x190e7045CAEB09459bBa12BcEd1d133E10D63715","type":"smart_contract","addedAt":"2022-12-06T18:46:25.854Z","revision":0,"description":"GasRelayPaymasterLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7cGJO0BR8fAWwx7WaIotVp","url
":"https://basescan.org/address/0x5b69553fbea09a4e7585b02221b9884f5bd2af40","type":"smart_contract","addedAt":"2025-03-31T06:48:20.258Z","revision":0,"description":"DepositWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7ddzB8ZrqNj8kwx2nHL87p","url":"https://etherscan.io/address/0xe97980f1d43c4cd4f1eef0277a2dea7ddbc2cd13","type":"smart_contract","addedAt":"2022-12-06T18:21:41.660Z","revision":0,"description":"ProtocolFeeTracker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7gGnATsVCiYoQii8NJqaKK","url":"https://polygonscan.com/address/0x4b6b342bA8BB29E2D1b542532E6b7bE1cAE026b9","type":"smart_contract","addedAt":"2024-11-20T07:38:11.035Z","revision":0,"description":"SingleAssetRedemptionQueueFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7jotbAZMLBVxjxAmVrS9wI","url":"https://etherscan.io/address/0x8aa6f11fef40eb24c2f77de538f40ac8a9ec9f0d","type":"smart_contract","addedAt":"2024-11-28T16:17:44.925Z","revision":0,"description":"AaveV3FlashLoanAssetManagerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7lD2sPMtdWsHInqKftYI0w","url":"https://arbiscan.io/address/0x575af64231a91b3a954d5e45a57187ace6549c81","type":"smart_contract","addedAt":"2024-11-20T06:05:38.294Z","revision":0,"description":"AaveV3ATokenListOwner","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7lMKfOJIy7JttWtQSPGiiQ","url":"https://etherscan.io/address/0x92829c41115311ca43d5c9f722f0e9e7b9fcd30a","type":"smart_contract","addedAt":"2024-11-18T09:46:41.680Z","revision":0,"description":"ChainlinkLikeWstethPriceFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7lt3ERTrd7eB15VWcxIKDK","url":"https://polygonscan.com/address/0xd70389a7d6171e1dba6c3df4db7331811fd93f08","type":"smart_contract","addedAt":"2022-12-06T18:45:53.536Z","revision":0,"description":"FundValueCalculatorRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7opnUkxmQUvxr8gvBNYQu3","url":"https://etherscan.io/address/0xfaf2c3db614e9d38fe05edc634848be7ff0542b9",
"type":"smart_contract","addedAt":"2022-12-06T18:18:08.730Z","revision":0,"description":"ManagementFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7pD1WPRLaiMOIEH5BRZExE","url":"https://polygonscan.com/address/0x9d940beaa6e3cfb441d49787fdf1db18d7f8251e","type":"smart_contract","addedAt":"2023-08-11T22:52:51.841Z","revision":0,"description":"MinAssetBalancesPostRedemptionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7pyHrHaMqClztFFeibqzcA","url":"https://etherscan.io/address/0xa511ecea62f360e983829e408fc753adcadcdeae","type":"smart_contract","addedAt":"2024-11-18T09:53:55.459Z","revision":0,"description":"LidoWithdrawalsPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7qqy2E0FMfLZLqlN0P1Vjq","url":"https://etherscan.io/address/0x8f1e6f61323bf64a47ffbfca99e9e2bd4f982c07","type":"smart_contract","addedAt":"2025-02-11T19:14:11.926Z","revision":0,"description":"ConvertedQuoteAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7rTc0CFFjujMny0UZshwA0","url":"https://basescan.org/address/0x7d1a8314c6a56a8312053bfd5a3b9e4c768e8d24","type":"smart_contract","addedAt":"2025-03-31T06:48:35.638Z","revision":0,"description":"PolicyManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7szTpR3vE4HuMu352waQis","url":"https://arbiscan.io/address/0x9e0f80bc5a688e93d6c57efcfdd4564f70975e8b","type":"smart_contract","addedAt":"2024-11-20T05:31:03.783Z","revision":0,"description":"PerformanceFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7vvkZHrqO8BBH6N2y0gzYd","url":"https://etherscan.io/address/0x891dee0483ebaa922e274ddd2ebbaa2d33468a38","type":"smart_contract","addedAt":"2022-12-06T18:25:47.304Z","revision":0,"description":"VaultLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7yv88cITabSLQPTuQ72de4","url":"https://arbiscan.io/address/0x5a1c0e89133c4cd844a8b345370565f1368a79a8","type":"smart_contract","addedAt":"2025-04-17T09:08:32.062Z","revision":0,"description":"ThreeOneThirdAdapte
r","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7zLnCRZ2GyjrLs0tIWuGow","url":"https://basescan.org/address/0x6913bc793d486f8f80a9dc31a8fa2bf8bf09f866","type":"smart_contract","addedAt":"2025-03-31T06:48:23.464Z","revision":0,"description":"ERC4626RateAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7zb0BclnnOAbuRqYaG65ns","url":"https://etherscan.io/address/0xcdec5bbecc6d2c004d5378a63a3c484c2643ed9d","type":"smart_contract","addedAt":"2022-12-06T18:12:16.674Z","revision":0,"description":"EntranceRateBurnFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7zzu6SoTVDl9rRyVAGcRBP","url":"https://arbiscan.io/address/0x250530db7ee6a10e0126288ace48a7bb54bd4adc","type":"smart_contract","addedAt":"2024-09-13T12:03:18.578Z","revision":0,"description":"UniswapV3LiquidityPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"8ll7Gtgs3mL41Y1oQnLOZ","url":"https://etherscan.io/address/0x3a49d5aec385ac1bde99f305316b945c5ee71312","type":"smart_contract","addedAt":"2022-12-06T18:10:33.637Z","revision":0,"description":"CumulativeSlippageTolerancePolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"BJzUMO2ecRbvLFcdbd94O","url":"https://polygonscan.com/address/0xb3b21dfa60b399ad00587b845aef7476a1659e9f","type":"smart_contract","addedAt":"2024-11-20T07:49:49.171Z","revision":0,"description":"AaveV3Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Bi4QLVFi5TNFFtNGHlicW","url":"https://polygonscan.com/address/0x9513b3a49fc9ae8b76942c94fb6f660c41fd7f47","type":"smart_contract","addedAt":"2022-12-06T18:44:51.043Z","revision":0,"description":"ExternalPositionManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"DfAICzpeINLOIPC59fuh9","url":"https://polygonscan.com/address/0x2f4a9c0256e4f8e8d65733da1aeb4871f923b457","type":"smart_contract","addedAt":"2024-11-20T07:44:50.840Z","revision":0,"description":"OneInchV5Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"EpViwMwBRa7629rls7mWq","url
":"https://etherscan.io/address/0xa0ed89af63367ddc8e1dd6b992f20d1214ccb51c","type":"smart_contract","addedAt":"2022-12-06T18:21:08.978Z","revision":0,"description":"ProtocolFeeReserveLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"FPgx8zlqgMkzHCFIFbakg","url":"https://polygonscan.com/address/0x6ddd871c1607348ebb5be250f882255390166519","type":"smart_contract","addedAt":"2023-08-11T22:57:20.546Z","revision":0,"description":"UintListRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"GSemI6DhGGRhrYk0FXaFv","url":"https://basescan.org/address/0xe34a4944a916330f54fd06508b674219c00725e2","type":"smart_contract","addedAt":"2025-03-31T06:48:21.633Z","revision":0,"description":"EntranceRateBurnFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"GXNpbs5DmLGnLh2EayN8J","url":"https://polygonscan.com/address/0x188d356caf78bc6694aee5969fde99a9d612284f","type":"smart_contract","addedAt":"2022-12-06T18:45:22.377Z","revision":0,"description":"FundDeployer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"IMnkYEdKnKWa1iLBXnatS","url":"https://etherscan.io/address/0x70C19A1132d16f4227DF23D5a9DB57B8775AB805","type":"smart_contract","addedAt":"2024-11-18T09:52:39.456Z","revision":0,"description":"GatedRedemptionQueueSharesWrapperFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"KW7UdMqWssdSU8RUdgvxM","url":"https://polygonscan.com/address/0xeb45b91d582ae383e750a1626a97f854a9df19a3","type":"smart_contract","addedAt":"2023-08-11T22:53:37.462Z","revision":0,"description":"MinSharesSupplyFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Lfcr53imaZTEXwacWpHIc","url":"https://basescan.org/address/0x67132b2d9b31ffcab67c9216f3fa937b259673b8","type":"smart_contract","addedAt":"2025-03-31T06:48:18.979Z","revision":0,"description":"ComptrollerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"MFQWWO5jXQsXMQryfh1kI","url":"https://arbiscan.io/address/0x9ab4e80bfb2d6ad0b52fa22e8fe3d9fd3846bbb4","type":"smart_contract","addedAt"
:"2024-11-20T05:48:45.160Z","revision":0,"description":"GasRelayPaymasterLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OCew9oYhgycLqueSQDvAl","url":"https://arbiscan.io/address/0x642986a6bc5ec518cfb97d8afa5a7fa8477d3cf5","type":"smart_contract","addedAt":"2024-11-20T05:29:26.321Z","revision":0,"description":"ProtocolFeeReserveLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"WXJoyV2IxlRWkLjjhtkNe","url":"https://basescan.org/address/0x3e96363dedc1b5b2dc628399466f7d194cb97706","type":"smart_contract","addedAt":"2025-03-31T06:48:33.066Z","revision":0,"description":"OnlyRemoveDustExternalPositionPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"XahPAuGmpWkZmcYg2pRPQ","url":"https://etherscan.io/address/0xe72bb3a93ad2409055d5813bb8ae483533bd0438","type":"smart_contract","addedAt":"2024-11-18T09:42:42.309Z","revision":0,"description":"AaveV3DebtPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"YqJjafl7ZH97rx2sSX59c","url":"https://basescan.org/address/0xb120f5de3c5afd8ddefc938f46a5821980e35d66","type":"smart_contract","addedAt":"2025-06-05T08:09:33.679Z","revision":0,"description":"SharePriceThrottledAssetManagerFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"a156chXlKa3IbRWvTrMFk","url":"https://etherscan.io/address/0x6C62b8F7b2fd1c60fFD3Afc1A2B15d4318745677","type":"smart_contract","addedAt":"2024-11-20T07:53:42.000Z","revision":0,"description":"OneInchV5Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"aMQBnKuJ3Mwz7KGEfLtnm","url":"https://arbiscan.io/address/0x5c9348fbedb75c39f0e84396618accab6c01f847","type":"smart_contract","addedAt":"2024-11-20T05:54:24.040Z","revision":0,"description":"DisallowedAdapterIncomingAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"achPKqcMjzY4cOj1hIXeZ","url":"https://basescan.org/address/0xc6780e244fd22f21f019fec4b802019d17bd558d","type":"smart_contract","addedAt":"2025-03-31T06:48:27.443Z","revision":0,"description":"GasRelayPaymas
terFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"esXgWqbhftWXNUdBhErgQ","url":"https://polygonscan.com/address/0x65D9202b5494450310c43b6B47942305859a349c","type":"smart_contract","addedAt":"2024-11-20T07:41:46.365Z","revision":0,"description":"SharePriceThrottledAssetManagerLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"euCvs7hvd2tDnvxbVLYEK","url":"https://arbiscan.io/address/0xdd5f18a52a63ececf502a165a459d33be5c0a06c","type":"smart_contract","addedAt":"2024-11-20T05:26:41.614Z","revision":0,"description":"ValueInterpreter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"f8g9plBLv55A0tIqJX7f0","url":"https://arbiscan.io/address/0xe71227d6d846e0fb3367d020683327031c4c4a3d","type":"smart_contract","addedAt":"2024-11-20T05:28:53.327Z","revision":0,"description":"ProtocolFeeTracker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"fbMkzjhGDahO59XYIl9sQ","url":"https://basescan.org/address/0x410f5bc40668b729675dacb48a3467861bb36c50","type":"smart_contract","addedAt":"2025-03-31T06:48:36.459Z","revision":0,"description":"ProtocolFeeReserveProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"fuSoh94v0sHEodSQYWApH","url":"https://basescan.org/address/0xe16990bcfc59ec6cc00fa1e20707871ae22fd6f7","type":"smart_contract","addedAt":"2025-03-31T06:48:30.491Z","revision":0,"description":"MinMaxInvestmentPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"gSjLZxkOtQJ67SMmzP0BG","url":"https://polygonscan.com/address/0xbc63afe28c66a6279bd3a55a4d0d3ab61f479bdf","type":"smart_contract","addedAt":"2023-08-11T22:54:48.810Z","revision":0,"description":"PerformanceFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"h6EvvLH3yaGaSKW48I3Ev","url":"https://arbiscan.io/address/0x1967681053f12e025dedcb04618abd7cd8871914","type":"smart_contract","addedAt":"2025-03-21T11:05:43.120Z","revision":0,"description":"PeggedRateDeviationAggregatorFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"nAJDRxdly6fxt3h6cfk8N","
url":"https://basescan.org/address/0xa6ce7302e02ae60a496ca9fe9d051c6a627ddc48","type":"smart_contract","addedAt":"2025-03-31T06:48:17.727Z","revision":0,"description":"AllowedExternalPositionTypesPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"oFDf87HZlIVSzSbDluU1t","url":"https://basescan.org/address/0xb6257a6c3aef640a7d09e3dd009a29308d2a321a","type":"smart_contract","addedAt":"2025-03-31T06:48:26.462Z","revision":0,"description":"FundValueCalculator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"r51rVAG1OkWOuLLiol7gQ","url":"https://arbiscan.io/address/0x6180b98d85afbd904016c7ea08eb41cba77a1c08","type":"smart_contract","addedAt":"2024-11-20T05:53:48.326Z","revision":0,"description":"EntranceRateBurnFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"sOIaNKGEDFne3mipWMfNY","url":"https://etherscan.io/address/0x490e64e0690b4aa481fb02255aed3d052bad7bf1","type":"smart_contract","addedAt":"2022-12-06T18:14:52.477Z","revision":0,"description":"FundValueCalculator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"tpd5oXJ2sr55ADUQjzBKd","url":"https://arbiscan.io/address/0x41d82e0512d77508ad486d6800059f3d936910db","type":"smart_contract","addedAt":"2024-11-20T05:54:35.606Z","revision":0,"description":"DepositWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"uakLveB2iLdiKstdjNtnh","url":"https://basescan.org/address/0x7f0e594275ccb17c26a61b35e2d5bd88772fc8a0","type":"smart_contract","addedAt":"2025-03-31T06:48:33.484Z","revision":0,"description":"OnlyUntrackDustOrPricelessAssetsPolicy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"wbfnyRwLY5w7pbufxfo1v","url":"https://polygonscan.com/address/0xf45071Ea30AfA81BE89430f3d0f334E98aF206D3","type":"smart_contract","addedAt":"2022-12-06T18:38:36.893Z","revision":0,"description":"ArbitraryLoanPositionLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"yOi7MyMi9NHD3YPZuOJeL","url":"https://arbiscan.io/address/0x769c732a17f6e72d7ba0fe79ad01a31b27bbcb3d","type":"sma
rt_contract","addedAt":"2024-11-20T05:52:29.176Z","revision":0,"description":"ExitRateDirectFee","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"zp2PLD27v7OSRIRo9izMN","url":"https://basescan.org/address/0xea8f3990fc7357e1835cbe75dcf04d20391a06f9","type":"smart_contract","addedAt":"2025-03-31T06:48:32.632Z","revision":0,"description":"OneInchV5Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99154","url":"https://basescan.org/address/0x7d38dcb69116a73ab20aff04b41c22db37b431ad","type":"smart_contract","addedAt":"2026-03-10T08:12:48.827Z","revision":0,"description":"SharesSplitterFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99155","url":"https://arbiscan.io/address/0x61fc8fa186cb14e2fd19a9650e31ab4dcc60a95a","type":"smart_contract","addedAt":"2026-03-10T08:12:48.827Z","revision":0,"description":"SharesSplitterFactory","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Any prior bugs that have been found in audits or \"extensive QA\" (see Documentation) are ineligible for the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Safe Harbor Documents Signed","Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-03-29T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4a7y72EOvOMZWlUx3h2ZNi/7877774da8145f9d7cbd85f902d7198a/Enzymefinance-logo.jpg","maxBounty":200000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Asset Management"],"programOverview":"Enzyme Finance, formerly known as Melon Protocol, is an Ethereum-based protocol\nfor decentralized on-chain asset management. It is a protocol for people or\nentities to manage their wealth & the wealth of others within a customizable\nand safe environment. Enzyme empowers anyone to set up, manage and invest in\ncustomized on-chain investment vehicles.\n\nMore information about Enzyme Finance can be found in their [docs](https://docs.enzyme.finance/) and also here in the additional [V4 docs](https://avantgarde-finance.gitbook.io/enzyme-protocol-v4-sulu-general-spec/). See especially the [Known Risks & Mitigations](https://specs.enzyme.finance/topics/known-risks-and-mitigations).\n\nThis bug bounty program is focused around the Enzyme Finance smart contracts\nand is primarily concerned with the loss of user funds.","programType":["Smart Contract"],"project":"Enzyme Blue","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on\nthe [Immunefi Vulnerability Severity Classification System](/severity-system/). This is a simplified 5-level scale encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nThe final reward amount for critical smart contract vulnerabilities is capped at 10% of the funds at risk based on the vulnerability reported.\n\nAll bug reports must come with a PoC. If a bug report does not have a PoC it will be rejected with instructions to provide a PoC\n\nAll payouts are done by the **Enzyme Finance** team directly and are\ndenominated in **USD**. 
Payouts are done in **USDC** up to USD $200,000.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"enzymefinance","tenPercentEconomicRule":false,"updatedDate":"2026-03-10T08:12:50.141Z","impactsBody":"These accepted impacts are then based on the severity classification system of this bug bounty program. When submitting a bug report, please select the severity level you feel best corresponds to the severity classification system as long as the impact itself is one of the listed items.","websiteUrl":null,"githubUrl":"https://github.com/enzymefinance/protocol","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Blue by Enzyme Finance is an Ethereum-based protocol for decentralized on-chain asset management. It is a protocol for people or entities to manage their wealth & the wealth of others within a customizable and safe environment. Enzyme empowers anyone to set up, manage and invest in customized on-chain investment vehicles.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"}],"rewards":[{"id":29702,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":200000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":29703,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":29704,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"45OaMn2PrY3GPpWfsqAowc","url":"https://etherscan.io/address/0x4F4495243837681061C4743b74B3eEdf548D56A5","type":"smart_contract","addedAt":"2022-05-10T16:03:44.312Z","revision":0,"description":"Ethereum Axelar Gateway contract address Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1yR2zlol6WV8nZyFdY65Gq","url":"https://snowtrace.io/address/0x5029C0EFf6C34351a0CEc334542cDb22c7928f78","type":"smart_contract","addedAt":"2022-05-10T16:03:48.667Z","revision":0,"description":"Avalanche Axelar Gateway contract address Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4y2yLa3l6zdxo1pqUDhvdq","url":"https://snowtrace.io/address/0xfaB550568C688d5D8A52C7d794cb93Edc26eC0eC","type":"smart_contract","addedAt":"2022-05-10T16:03:49.666Z","revision":0,"description":"Avalanche axlUSDC token address","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4gPw11oKENP6XO8OWLsdal","url":"https://bscscan.com/address/0x304acf330bbE08d1e512eefaa92F6a57871fD895","type":"smart_contract","addedAt":"2022-08-24T20:03:32.301Z","revision":0,"description":"Binance Axelar Gateway contract address Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1gl0QHECamXbsVxFPvPvxr","url":"https://bscscan.com/address/0x4268B8F0B87b6Eae5d897996E6b845ddbD99Adf3","type":"smart_contract","addedAt":"2022-08-24T20:04:29.373Z","revision":0,"description":"Binance  axlUSDC token 
address","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7cNzgU1h9yYtvjcZNFUNmk","url":"https://aurorascan.dev/address/0x304acf330bbE08d1e512eefaa92F6a57871fD895#code","type":"smart_contract","addedAt":"2022-05-10T16:03:52.777Z","revision":0,"description":"Aurora Axelar Gateway contract address Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"388AgWjn34mGCBLehQE7ip","url":"https://ftmscan.com/address/0x5e3C572A97D898Fe359a2Cea31c7D46ba5386895","type":"smart_contract","addedAt":"2022-05-10T16:03:56.007Z","revision":0,"description":"Fantom Axelar Gateway contract address Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"kYlusoNmwrZmls3QqnB0u","url":"https://ftmscan.com/address/0x1B6382DBDEa11d97f24495C9A90b7c88469134a4","type":"smart_contract","addedAt":"2022-05-10T16:03:53.759Z","revision":0,"description":"Fantom axlUSDC token address","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"tXMPNU5J8oFOg3VV3zw9G","url":"https://polygonscan.com/address/0x6f015F16De9fC8791b234eF68D486d2bF203FBA8","type":"smart_contract","addedAt":"2022-05-10T16:03:57.080Z","revision":0,"description":"Polygon Axelar Gateway contract address Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"IXnBG9gAiOUsEK9ZZW9V8","url":"https://polygonscan.com/address/0x750e4C4984a9e0f12978eA6742Bc1c5D248f40ed","type":"smart_contract","addedAt":"2022-05-10T16:03:58.220Z","revision":0,"description":"Polygon axlUSDC token address","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2WV03x7BB4SYHWLoU7kvHd","url":"https://moonbeam.moonscan.io/address/0x4F4495243837681061C4743b74B3eEdf548D56A5#code","type":"smart_contract","addedAt":"2022-05-10T16:04:01.673Z","revision":0,"description":"Moonbeam Axelar Gateway contract address 
Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"46Z3f17n5xREw7SwfOHtar","url":"https://moonbeam.moonscan.io/address/0xCa01a1D0993565291051daFF390892518ACfAD3A","type":"smart_contract","addedAt":"2022-05-10T16:04:02.691Z","revision":0,"description":"Moonbeam axlUSDC token address","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4zBKdOAjbRrpkgeoHdb61l","url":"https://etherscan.io/address/0xB5FB4BE02232B1bBA4dC8f81dc24C26980dE9e3C","type":"smart_contract","addedAt":"2024-01-23T13:54:26.208Z","revision":0,"description":"Interchain Token Service contract address (all chains)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1nAbxArc1I6rwKVmkyAZrs","url":"https://etherscan.io/address/0x83a93500d23Fbc3e82B410aD07A6a9F7A0670D66","type":"smart_contract","addedAt":"2024-01-23T13:54:43.596Z","revision":0,"description":"Interchain Token Factory contract address proxy (all chains)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"34TSJJREhpda5OPQV8dTEY","url":"https://etherscan.io/token/0x467719aD09025FcC6cF6F8311755809d45a5E5f3","type":"smart_contract","addedAt":"2024-01-23T13:54:59.105Z","revision":0,"description":"AXL token address","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"54IZ8Pf3bSQBPyychNSAVy","url":"https://github.com/axelarnetwork/axelar-core","type":"blockchain_dlt","addedAt":"2022-05-13T13:16:31.713Z","revision":0,"description":"Infrastructure -  Axelar core protocol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4r6IUkjV73xrtdaZwLSz6H","url":"https://github.com/axelarnetwork/tofnd","type":"blockchain_dlt","addedAt":"2022-05-13T13:30:22.849Z","revision":0,"description":"Infrastructure -  Axelar signer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1DyuKxCMir2PRILsid5Xgk","url":"https://github.com/axelarnetwork/tofn/blob/main/src/ecdsa/mod.rs","type":"blockchain_dlt","addedAt":"2022-05-13T13:30:41.740Z","revision":0,"description":"Axelarcrypto 
library","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"DgTl5B5PYqDdFucLVPckg","url":"https://github.com/axelarnetwork/interchain-token-service","type":"smart_contract","addedAt":"2024-01-23T13:55:31.415Z","revision":0,"description":"Interchain Token Service","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7HHtbb7TBrTtvkV7GT5Mfa","url":"https://github.com/axelarnetwork/axelar-cgp-solidity","type":"smart_contract","addedAt":"2024-01-24T08:01:11.552Z","revision":0,"description":"Infrastructure - Axelar EVM Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1fhfM87uAM3iZtLIu4laOj","url":"https://github.com/axelarnetwork/axelar-gmp-sdk-solidity","type":"smart_contract","addedAt":"2024-01-23T13:55:48.281Z","revision":0,"description":"Infrastructure - GMP SDK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"rw0dltfOgBsc5ccqqEEJD","url":"https://github.com/axelarnetwork/axelar-gmp-sdk-solidity/blob/main/contracts/governance/InterchainGovernance.sol","type":"smart_contract","addedAt":"2024-01-23T13:56:28.591Z","revision":0,"description":"Interchain Governance Contract","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Only those contracts from the repos in the Assets in Scope table are considered as in-scope of the bug bounty program. In tofn, the only thing in scope is src/ecdsa/mod.rs and its project dependencies, excluding third-party dependencies. Only the tofnd pieces relating to the mod.rs file in tofn are in scope. \n\nImpacts stemming from off-chain components, such as relayers and vald, are out of scope. We still encourage reporting these. They’ll be accepted at the discretion of the project.\n\nThough only the proxy contracts are listed as in-scope, the current implementation and any further updates to the implementation contracts are considered in scope. 
When reporting a bug, please make sure to select the relevant proxy smart contract as the target.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","Base","Blast","Celo","Centrifuge","ETH","Fantom","Filecoin","Fraxtal","Kava","Linea","Mantle","Moonbeam","Optimism","Polygon","Scroll"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Rust","Solidity"],"launchDate":"2022-03-11T03:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/50nSUkPKWY77vhNfAtPIXc/4200a486fe40455e51f74d3bd242d735/Axelar_Logo_Symbol_Black_3x.png","maxBounty":500000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"OtherNonEVML1","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table. Any Critical impact needs to demonstrate a loss of funds of over or equal to $500K to be eligible. Due to the complexity of the system, not all possible concerns have been described. 
Impacts causing severe issues not listed below might be eligible for a bounty at the full discretion of the team.\n\n__Blockchain/DLT__\n\n__Critical__\n  - Network not being able to confirm new transactions (Total network shutdown)\n  - Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)\n  - Direct loss of funds\n  - Permanent freezing of funds (fix requires hardfork)\n  - Any governance voting result manipulation\n  - Non-determinism in the network and consensus failure\n  - Cryptographic vulnerabilities\n  - Vulnerabilities related to validator voting manipulation on external chain events\n\n__High__\n  - Unintended chain split (Network partition)\n  - Transient consensus failures\n  - Privilege escalation\n  - Theft or freezing of inflation rewards\n\n__Medium__\n  - High compute consumption by validator/mining nodes\n  - Attacks against thin clients\n  - DoS of greater than 30% of validator or miner nodes and does not shut down the network\n  - Miner-extractable value (MEV)\n\n__Low__\n  - DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network\n  - Underpricing transaction fees relative to computation time\n\n__Smart Contracts__\n\n__Critical__\n  - Direct theft of any user funds, whether at-rest or in-motion\n  - Permanent freezing of funds\n  - Insolvency\n  - Unauthorized mint/burn/transfer of wrapped assets\n  - Privilege escalation\n\n__High__\n  - Temporary freezing of funds for a minimum of 1 hour\n\n__Medium__\n  - Smart contract unable to operate due to lack of funds \n  - Block stuffing for profit\n  - Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)\n  - Theft of gas\n  - Unbounded gas consumption \n\n__Low__\n  - Smart contract fails to deliver promised returns, but doesn’t lose value\n\nIn case of discrepancy between [Immunefi Vulnerability Severity Classification System V2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2/) and Axelar Network’s classification above, Axelar Network’s classification will be followed.","productType":["Bridge","Crosschain Liquidity","DAO"],"programOverview":"Axelar Network is a decentralized interoperability network connecting all blockchains, assets and apps through a universal set of protocols and APIs.\n\nFor more information about Axelar Network, please visit [https://axelar.network/](https://axelar.network/).","programType":["Blockchain/DLT","Smart Contract"],"project":"Axelar Network","projectType":["Blockchain","Defi","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll Critical Blockchain/DLT and Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nIn addition to Immunefi’s Vulnerability Severity Classification System, Axelar Network classifies the following vulnerabilities as follows. 
In case of discrepancy, the one below will be followed.\n\nCritical\n  - Loss of funds of over or equal to $500,000\n\nHigh\n  - Vulnerabilities that result in loss of funds of less than $500,000\n\nMedium\n  - Vulnerabilities that result in loss of funds of less than $50,000\n\nLow\n  - Vulnerabilities that result in loss of funds of less than $10,000\n\nAny vulnerabilities discussed within the GitHub issues below are considered vulnerabilities already known to Axelar, and will not be eligible for a reward:\n\n  - [https://github.com/axelarnetwork/axelar-core/issues](https://github.com/axelarnetwork/axelar-core/issues)\n  - [https://github.com/axelarnetwork/axelar-cgp-solidity/issues](https://github.com/axelarnetwork/axelar-cgp-solidity/issues)\n  - [https://github.com/axelarnetwork/tofnd/issues](https://github.com/axelarnetwork/tofnd/issues)\n  - [https://github.com/axelarnetwork/tofn/issues](https://github.com/axelarnetwork/tofn/issues)\n\nCritical blockchain/smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. There is no minimum reward for Critical smart contract vulnerabilities.\n\nBug reports that are classified as High will be rewarded from USD 10 000 up to USD 50 000 at the Axelar team’s discretion. High impact rewards for the project bug bounty program are scaled based on internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in place. However, there is a minimum reward of USD 10 000 for the High severity level; rewards will be provided at the fair value determined by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program. 
Only impacts that cause a loss of funds of over or equal to $500K are considered as Critical \n\nAxelar Network requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. We use a service provider, Jumio, to collect this information and will send you a link to the KYC application if your report is deemed eligible for bounties. The information needed is\n\n  - A piece of government issued photo ID such as passport or driver’s license\n  - A live webcam facial recognition scan to match biometrics with submitted photo ID\n\nThe collection of this information will be done by the project team.\n\nPayouts are handled by the __Axelar Network__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"axelarnetwork","tenPercentEconomicRule":false,"updatedDate":"2026-03-09T16:33:38.465Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Axelar Network is a decentralized interoperability network connecting all blockchains, assets and apps through a universal set of protocols and APIs.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n  - Third-party dependencies, especially Cosmos SDK dependencies\n  - In the tofn repository, the only thing in scope is src/ecdsa/mod.rs and its project dependencies, excluding third-party dependencies\n  - In the tofnd repository, the only thing in scope is the parts related to src/ecdsa/mod.rs in the tofn repository\n  - Off-chain components, such as the relayer and vald, are out of scope. Any reports related to these will only be accepted at the discretion of the project.\n  - Vulnerabilities in forks of third-party dependencies are OUT OF SCOPE. 
Please report such vulnerabilities directly to the maintainers of the upstream repository","customProhibitedActivities":[],"impacts":[{"id":2022,"type":"blockchain_dlt","severity":"low","title":"DoS of greater than 10% but less than 30% of validator nodes and does not shut down the network"},{"id":2023,"type":"blockchain_dlt","severity":"low","title":"Significant underpricing of transaction fees relative to computation time"},{"id":2024,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":2025,"type":"blockchain_dlt","severity":"high","title":"Network not being able to confirm new transactions (Total network shutdown)"},{"id":2026,"type":"blockchain_dlt","severity":"high","title":"Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)"},{"id":2027,"type":"blockchain_dlt","severity":"high","title":"Freezing of funds (fix requires hardfork on Axelar)"},{"id":2028,"type":"blockchain_dlt","severity":"high","title":"Non-determinism in the network and consensus failure"},{"id":2029,"type":"blockchain_dlt","severity":"high","title":"Transient consensus failures"},{"id":2030,"type":"blockchain_dlt","severity":"high","title":"Privilege escalation resulting in a severe impact"},{"id":2031,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for a minimum of 24 hours"},{"id":2032,"type":"smart_contract","severity":"high","title":"Invalid command execution"},{"id":2033,"type":"blockchain_dlt","severity":"medium","title":"High compute consumption by validator nodes"},{"id":2034,"type":"blockchain_dlt","severity":"medium","title":"Attacks against light clients"},{"id":2035,"type":"blockchain_dlt","severity":"medium","title":"DoS of greater than 30% of validator or miner nodes and does not shut down the network"},{"id":2036,"type":"blockchain_dlt","severity":"medium","title":"Privilege Escalation causing 
DoS"},{"id":2037,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of funds"},{"id":2038,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":2039,"type":"blockchain_dlt","severity":"critical","title":"Cryptographic vulnerabilities"},{"id":2040,"type":"smart_contract","severity":"critical","title":"Privilege escalation resulting in a severe impact"},{"id":2041,"type":"smart_contract","severity":"critical","title":"Unauthorized mint/burn/transfer of wrapped assets"},{"id":2042,"type":"smart_contract","severity":"critical","title":"Insolvency"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":2043,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or 
in-motion"}],"rewards":[{"id":42554,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":500000,"rewardModel":"up_to","rewardCalculationPercentage":0},{"id":42555,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":25000,"minReward":5000,"rewardModel":"range"},{"id":42556,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","fixedReward":2500,"rewardModel":"fixed"},{"id":42557,"primacy":null,"severity":"low","assetType":"blockchain_dlt","maxReward":1000,"rewardModel":"up_to"},{"id":42558,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":500000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":42559,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":5000,"rewardModel":"range"},{"id":42560,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":42561,"primacy":null,"severity":"low","assetType":"smart_contract","maxReward":1000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"db_1f05e400-a0c6-40bb-9772-9aca92f7b90c","url":"https://etherscan.io/token/0x87f0e6f65ccf64d6d504c9db95f390d2acb033b5#code","type":"smart_contract","addedAt":"2026-02-23T18:10:49.492Z","revision":0,"description":"ernUSDT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_13bb580b-b65c-440c-b34a-9bab8abee51a","url":"https://etherscan.io/address/0x226455A82E30Ff05E68B37b99C59e503104bA84B","type":"smart_contract","addedAt":"2026-02-23T18:11:11.984Z","revision":0,"description":"ernUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_b2a711bf-2a72-404c-b700-94af44e6926f","url":"https://etherscan.io/address/0x9f76037494092aceac5b23e21c20b1970a866ef5","type":"smart_contract","addedAt":"2026-02-23T18:11:39.695Z","revision":0,"description":"rewardDistributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_df82f2b8-4f2d-4ad6-bada-1541634c276f","url":"https://immunefi.com/blog/expe
rt-insights/primacy-of-impact/","type":"smart_contract","addedAt":"2026-02-23T18:12:29.188Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99153","url":"https://ern.app/","type":"smart_contract","addedAt":"2026-03-09T14:16:24.927Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Arbitration","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2026-03-03T10:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/program-logos/sebastian%40immunefi.com-nuTzf1b4woGBcUgNulLMA.png","maxBounty":50000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Yield Aggregator"],"programOverview":"Ern is a non-custodial DeFi protocol designed to turn stablecoin yield into long-term Bitcoin accumulation.\n\nIt helps users transform income generated in fiat-denominated assets into Bitcoin automatically, providing a simple way to hedge against long-term monetary debasement while maintaining stable capital exposure.\n\nThe result is a new model of saving: stable capital working continuously to accumulate hard money over time.\n\nStable capital. Bitcoin accumulation. A hedge for the future. \n\nFor more information about Ern, please visit [ern.app](https://ern.app).\n\nErn provides rewards in USDC on Ethereum, denominated in USD. 
For more details about the payment process, please view the **Rewards by Threat Level section** above.","programType":["Smart Contract"],"project":"Ern","projectType":["Defi"],"rewardsBody":"### Rewards by Threat Level\n\n#### Reward Calculation for Critical Level Reports\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of **USD 50 000**. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of **USD 11 000** is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n#### Repeatable Attack Limitations\n\n* If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.\n\n* The amount of funds at risk will be calculated with the impact of the first attack being at **100%** and then a reduction of **25%** from the amount of the first attack for every \\[**300 blocks\\]** the attack needs for subsequent attacks from the first attack, rounded down.\n\n#### \n\n#### Reward Calculation for High Level Reports\n\nHigh impacts concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 3 000 to USD 10 000 with the reward calculated based on **100%** of the funds at risk, though capped at the maximum high reward.   \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. \n\n#### \n\n#### Reward Payment Terms\n\nPayouts are handled by the Ern team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability. 
\n\n###","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"ern","tenPercentEconomicRule":false,"updatedDate":"2026-03-09T14:22:44.781Z","impactsBody":null,"websiteUrl":"https://ern.app/","githubUrl":"https://github.com/ernorg/ern","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_2","description":"Ern is a non-custodial DeFi protocol on Ethereum that allocates stablecoin deposits into decentralized money markets and programmatically converts the generated yield into Bitcoin (wBTC).","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"id":42458,"primacy":"primacy_of_impact","severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":11000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":42459,"primacy":"primacy_of_impact","severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":3000,"rewardModel":"range"},{"id":42460,"primacy":"primacy_of_impact","severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":42461,"primacy":"primacy_of_impact","severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"db_6adbdaa6-abd1-4ec5-9751-4a479974e8f1","url":"https://github.com/ernorg/audits/","auditor":"All 
audits","date":"2026-02-17T00:00:00.000Z"}]},{"assets":[{"id":"2HSXQVXsguHpED3AGtTTzs","url":"https://etherscan.io/address/0x0f864A3e50D1070adDE5100fd848446C0567362B","type":"smart_contract","addedAt":"2025-11-19T09:48:03.569Z","revision":0,"description":"caUSDT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"38q4ylkPE2oHDELbj0yNu2","url":"https://etherscan.io/address/0xF61159B4a0EE5b1615c9Afb3dA38111043344c32","type":"smart_contract","addedAt":"2025-11-19T09:48:32.430Z","revision":0,"description":"caRPC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3DNnsQIYrnmTcWcxORZIU","url":"https://etherscan.io/address/0xDa5928d59ECE82808Af2cbBE4f2872FeA8E12CD6","type":"smart_contract","addedAt":"2025-11-19T09:47:47.108Z","revision":0,"description":"caWBTC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4B4wpRsRLouiYO4CjOzHgP","url":"https://etherscan.io/address/0x0b9af1fd73885aD52680A1aeAa7A3f17AC702afA","type":"smart_contract","addedAt":"2025-11-19T09:49:00.867Z","revision":0,"description":"Unitroller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5XAYOvHbjd9gE4qYzvV8Im","url":"https://etherscan.io/address/0xf80eeec09f417Fa7FCc4A848Ef03af9dF2658d7B","type":"smart_contract","addedAt":"2025-11-19T09:48:45.950Z","revision":0,"description":"caWARS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ENU2y7LydthIPPonlwBzO","url":"https://etherscan.io/address/0x00dc4965916e03A734190fA382633657c71f867E","type":"smart_contract","addedAt":"2025-11-19T09:49:14.847Z","revision":0,"description":"Comptroller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6gGYZOT7PREttLVAabOkgU","url":"https://etherscan.io/address/0xc3aD34De18B59A24BD0877e454Fb924181F09C8f","type":"smart_contract","addedAt":"2025-11-19T09:48:18.428Z","revision":0,"description":"caUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6uX4DzqdB47FLGif4B4wwN","url":"https://etherscan.io/address/0x0568F6cb5A0E84FACa107D02f81ddEB1803f3B50","type":"smart_contract","addedAt":
"2025-11-19T09:47:32.305Z","revision":0,"description":"caLAC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"cpsDpu4G5EIqsZ0Mkcm8g","url":"https://app.capyfi.com/","type":"websites_and_applications","addedAt":"2025-11-19T09:49:29.735Z","revision":0,"description":"Capyfi App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"rSGcXhJFwx7TISHirfrPj","url":"https://etherscan.io/address/0x37DE57183491Fa9745d8Fa5DCd950f0c3a4645c9","type":"smart_contract","addedAt":"2025-11-19T09:47:16.383Z","revision":0,"description":"caETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_508e98f9-e2d1-49ab-824a-eee790ab44a7","url":"https://app.capyfi.com","type":"smart_contract","addedAt":"2026-02-06T13:39:50.230Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"db_b76aa9b9-62ba-456b-91cf-bd59604677db","url":"https://app.capyfi.com","type":"websites_and_applications","addedAt":"2026-02-06T13:40:16.232Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Time Saver","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-11-19T10:10:47.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1EIJT2Cc6oawRdQQHlTt8B/f2a45dceb673a4b14c2f4f05dcf6e8d9/CapyFi.png","maxBounty":1000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Lending"],"programOverview":"CapyFi is an algorithmic 
decentralized finance protocol built on the Ethereum network that allows users to lend and borrow cryptocurrency assets. Suppliers provide liquidity to the market to earn interest, while borrowers are able to borrow liquidity in an over-collateralized fashion. Capyfi's protocol design and architecture references Compound v2, a proven and audited protocol\n\nFor more information about CapyFi, please visit https://capyfi.com/.\n\nCapyFi provides rewards in **USDC** on **ETH**, denominated in **USD**. For more details about the payment process, please view the **Rewards by Threat Level** section.\n\n__KYC Requirement__\n\nCapyFi will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nCapyFi adheres to **Category 2: Notice Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. 
For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nCapyFi adheres to the Primacy of Impact for the following impacts:\n\n- Website & Application  —  Critical\n- Website & Application — High\n- Website & Application — Medium\n- Smart Contract  — Critical\n- Smart Contract — High\n- Smart Contract — Medium\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n \nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- [Coinspect - Issue Tracking - Capyfi](https://docs.google.com/spreadsheets/d/1_vAogDWyY3x1bp6NO7NccKWoNACbPybR0OX39fA0LIM/edit?gid=0#gid=0)\n\n__Previous Audits__\n\nCapyFi’s completed audit reports can be found at [Coinspect - Smart Contract Audit - Ripio - Capyfi - v250523.pdf](https://drive.google.com/file/d/1fc--zdl1U8LFhysu7FiTgzviIyfPDgGA/view). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Smart Contract","Websites and Applications"],"project":"CapyFi","projectType":[],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). 
\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $1M. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $50,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical web/apps bugs, reports will be rewarded with up to USD $10,000, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded within a range of USD $4,001 to USD $10,000 depending on the impact. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. \n\n- The amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every [300 blocks] the attack needs for subsequent attacks from the first attack, rounded down\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD $10,000 to USD $50,000  with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward. \nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. \n\n__Reward Payment Terms__\n\nPayouts are handled by the CapyFi team directly and are denominated in **USD**. 
However, payments are done in **USDC** on **ETH**.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"capyfi","tenPercentEconomicRule":false,"updatedDate":"2026-03-08T21:46:55.124Z","impactsBody":null,"websiteUrl":"https://app.capyfi.com","githubUrl":"https://github.com/Capyfi/capyfi-smart-contracts","eligibilityCriteria":["no_ofac_sdn","no_employee","no_official_contributor","no_auditor"],"responsiblePublicationCategory":"category_2","description":"CapyFi is an algorithmic decentralized finance protocol built on the Ethereum network that allows users to lend and borrow cryptocurrency assets. Suppliers provide liquidity to the market to earn interest, while borrowers are able to borrow liquidity in an over-collateralized fashion. Capyfi's protocol design and architecture references Compound v2, a proven and audited protocol","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim 
etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"}],"rewards":[{"id":42403,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":42404,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":42405,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":10000,"minReward":5001,"rewardModel":"range"},{"id":42406,"primacy":null,"severity":"low","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":42407,"primacy":null,"severity":"critical","assetType":"websites_and_applications","fixedReward":8000,"rewardModel":"fixed"},{"id":42408,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":3000,"rewardModel":"fixed"},{"id":42409,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":1500,"rewardModel":"fixed"}],"audits":[{"id":"2JpOzB0OQCQdR944Njfvum","url":"https://www.openzeppelin.com/news/capyfi-audit","auditor":"OpenZeppelin","date":"2025-07-24T00:00:00.000Z"},{"id":"6uF8h399kkI0iKN73JVXSN","url":"https://www.coinspect.com/doc/Coinspect%20-%20Smart%20Contract%20Audit%20-%20Capyfi%20-%20v250711.pdf","auditor":"Coinspect","date":"2025-07-11T00:00:00.000Z"}]},{"assets":[{"id":"4SmphuvPXknl9cJ92botjQ","url":"https://github.com/monero-oxide/monero-oxide/tree/main","type":"blockchain_dlt","addedAt":"2025-09-08T07:13:49.320Z","revision":0,"description":"monero-oxide","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98773","url":"https://immunef
i.com/","type":"blockchain_dlt","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":false,"language":["Rust"],"launchDate":"2025-09-09T14:58:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/OBgJTywLzana1ALxCFcc3/85ca6f5463dc82a51c99ffa0cde96553/MoneroOxide.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["blockchain_dlt - low","blockchain_dlt - high","blockchain_dlt - critical"],"primaryPaymentWallet":"OtherNonEVML1","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"monero-oxide is a collection of Rust libraries to work with the Monero protocol, including its zero-knowledge proofs. monero-oxide hosts a monero-wallet, a memory-safe library to build and sign Monero transactions, including an implementation of the FROSTLASS threshold signing protocol. monero-oxide is used by Serai (https://serai.exchange) and Cuprate (https://cuprate.org). For bugs affecting Serai, which hosts its own bug bounty program on Immunefi (https://immunefi.com/bounty/serai), both programs should be submitted to yet only one will issue a reward (of the submitter’s choice).\nFor more information about monero-oxide, please visit https://github.com/monero-oxide/monero-oxide\nmonero-oxide provides rewards in [XMR] on [Monero], denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- Be a member of the monero-oxide, Cuprate, or Serai organizations\n- Have written code required for the submission to be eligible\n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nmonero-oxide adheres to **category 3 - Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nmonero-oxide adheres to the Primacy of Impact for the following impacts:\n\n- Blockchain/DLT - Critical\n- Blockchain/DLT - High\n- Blockchain/DLT - Medium\n- Blockchain/DLT - Low\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- https://github.com/monero-oxide/monero-oxide/issues\n- https://github.com/Cuprate/cuprate/issues\n- https://github.com/serai-dex/serai/issues\n\n__Previous Audits__\n\nmonero-oxide’s completed audit reports can be found at https://github.com/monero-oxide/monero-oxide/tree/main/audits. Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward without demonstrated remaining impact.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Blockchain/DLT"],"project":"monero-oxide","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward is 100,000 USD. For high Blockchain/DLT bugs, the reward is 10,000 USD. For medium Blockchain/DLT bugs, the reward is 5,000 USD. For low Blockchain/DLT bugs, the reward is 1,000 USD.\n\n__Reward Payment Terms__\n\nPayouts are handled by Power Up Privacy directly and are denominated in **USD**. However, payments are done in **XMR** on **Monero**\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"monero-oxide","tenPercentEconomicRule":false,"updatedDate":"2026-03-08T15:52:21.563Z","impactsBody":"monero-oxide does not attempt to implement all Monero consensus rules, instead deferring that to works such as Cuprate, a Monero node written in Rust. 
Instead, monero-oxide aims to support working with transactions as useful to enable building programs from nodes to wallets with. monero-oxide does include some consensus rules however, whether to provide certain functionality or to maintain certain invariants. Our impact, \"Incompatibilities with the targeted Monero consensus protocol which would require reimplementing notable sections of monero-oxide\", is intended for when we do not simply omit a consensus rule, yet actively conflict with it, requiring the caller to avoid monero-oxide's code and handle the issue themselves. Implementing features, such as the addition of specific consensus rules, will not be considered re-implementation.\n\nRoughly stated, the academic definition of incorrect is an algorithm whose honest execution will not have the expected result. The roughly-stated academic definition of incomplete is an algorithm which claims to work with a set of cases yet actually only works for a subset. This is distinct from unsoundness, where a verifier should be convinced a correct proof is correct yet is convinced by an incorrect proof, and zero-knowledge, where an algorithm which shouldn't reveal any additional information about the secrets does in fact do so. Our occasional (as appropriate within the Monero protocol) support for points which have a term from a small-order subgroup will not inherently be considered incorrect or incomplete unless such effects actually descend from this property.\n\nFor the \"Undocumented panic reachable from a public API\" impact, we are officially considering Rust panics. We cannot prevent an operating system which decides to terminate a program using our library. We will, however, consider out-of-memory issues (and similar) if they're reasonably posited as a Denial of Service. The fact any function allocates, and therefore can exceed the program's allowed memory usage, will not automatically be considered as a valid submission. 
Notable overhead for the amount of memory allocated as a factor of the amount of memory legitimately present must be demonstrated.\n\nFor documentation-related impacts (e.g. \"Undocumented ...\"), updates to documentation will be considered bug fixes as expected. For non-documentation-related impacts, updates to documentation alone will not be considered bug fixes.\n\nAll submissions will be reviewed with `debug-assertions = false`, `overflow-checks = true`, and `panic = \"abort\"`.","websiteUrl":null,"githubUrl":"https://github.com/monero-oxide/monero-oxide","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"monero-oxide is a collection of Rust libraries to work with the Monero protocol.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":5756,"type":"blockchain_dlt","severity":"high","title":"Incorrect/incomplete (in the academic sense) cryptographic formulae within a verifier's callstack"},{"id":5720,"type":"blockchain_dlt","severity":"high","title":"Incompatibilities with the targeted Monero consensus protocol which would require reimplementing notable sections of monero-oxide"},{"id":5755,"type":"blockchain_dlt","severity":"low","title":"Incorrect/incomplete (in the academic sense) cryptographic formulae within a prover's callstack"},{"id":5846,"type":"blockchain_dlt","severity":"low","title":"Undocumented fingerprints in created transactions, when compared to the targeted version of Monero’s wallet2"},{"id":5716,"type":"blockchain_dlt","severity":"low","title":"Non-constant-time implementation with regards to secret data"},{"id":5717,"type":"blockchain_dlt","severity":"low","title":"Undocumented panic reachable from a public API"},{"id":5718,"type":"blockchain_dlt","severity":"critical","title":"Unintended, undocumented recovery of private spend keys (or private spend key shares)"},{"id":5719,"type":"blockchain_dlt","severity":"low","title":"Incompatibilities with the targeted Monero wallet protocol which would require reimplementing notable sections of 
monero-oxide"},{"id":5703,"type":"blockchain_dlt","severity":"critical","title":"Signing of unintended messages"},{"id":5704,"type":"blockchain_dlt","severity":"critical","title":"Reportedly received funds which weren’t actually received"},{"id":5705,"type":"blockchain_dlt","severity":"critical","title":"Ability to forge proofs present with only the default features"}],"rewards":[{"id":42400,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","fixedReward":100000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":42401,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":10000,"rewardModel":"fixed"},{"id":42402,"primacy":null,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"53yITTKBZaw5Pa9FrqA3YS","url":"https://github.com/monero-oxide/monero-oxide/tree/main/audits/Cypher%20Stack%20May%202025","auditor":"Cypher Stack","date":"2025-08-14T00:00:00.000Z"}]},{"assets":[{"id":"2HT9dALIL6oTLqweUUCFd2","url":"https://etherscan.io/address/0x046Bb8bb98Db4ceCbB2929542686B74b516274b3","type":"smart_contract","addedAt":"2025-08-04T15:56:00.537Z","revision":0,"description":"LXLY AggLayer Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3qo51DIuByeTQ1aTzbNoyb","url":"https://github.com/maticnetwork/bor/releases/latest","type":"blockchain_dlt","addedAt":"2025-07-23T08:24:16.904Z","revision":0,"description":"Polygon POS - Bor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4tLiq2UkbOtVm8YaBIKL0D","url":"https://static.polygon.technology/network/mainnet/v1/index.json","type":"smart_contract","addedAt":"2025-07-23T08:24:16.883Z","revision":0,"description":"Polygon Smart Contracts (only)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"73nEWN6d8HvJpY5dfkDJ69","url":"https://etherscan.io/address/0x5132A183E9F3CB7C848b0AAC5Ae0c4f0491B7aB2","type":"smart_contract","addedAt":"2025-07-29T16:10:08.782Z","revision":0,"description":"LXLY Agglayer 
PolygonRollupManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7hz5Bd6OrA3F0Tk18pzNVK","url":"https://github.com/0xPolygon/cometbft/releases/latest","type":"blockchain_dlt","addedAt":"2025-07-23T08:24:16.888Z","revision":0,"description":"Polygon POS - Commet BFT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7nVbuVnZsRZ495pqT1aBv","url":"https://github.com/0xPolygon/heimdall-v2/releases/latest","type":"blockchain_dlt","addedAt":"2025-07-23T08:24:16.899Z","revision":0,"description":"Polygon POS - Heimdal V2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"QzBMvyjr3gFvMdro6bN1u","url":"https://etherscan.io/address/0x2a3DD3EB832aF982ec71669E178424b10Dca2EDe","type":"smart_contract","addedAt":"2025-07-29T16:10:08.787Z","revision":0,"description":"LXLY AggLayer PolygonBridgeV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"RnODLzId0buBMw7v1DTLO","url":"https://etherscan.io/address/0x580bda1e7a0cfae92fa7f6c20a3794f169ce3cfb","type":"smart_contract","addedAt":"2025-07-29T16:10:08.778Z","revision":0,"description":"LXLY Agglayer PolygonGlobalExitRoot","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"h1w9AiiPim849MyKudE8w","url":"https://github.com/0xPolygon/cosmos-sdk/releases/latest","type":"blockchain_dlt","addedAt":"2025-07-23T08:24:16.908Z","revision":0,"description":"Polygon POS - Cosmos SDK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98726","url":"https://immunefi.com/","type":"blockchain_dlt","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"98748","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"The list of all deployed contracts can be found at: 
[https://static.polygon.technology/network/mainnet/v1/index.json](https://static.polygon.technology/network/mainnet/v1/index.json)\n\nImpacts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production. \n\n**For GitHub repositories please ensure you are reviewing the latest published releases and not the default branch**\n\nAny impact that applies to assets not in active use, like test or mock files, are out-of-scope of the bug bounty program unless explicitly mentioned as in-scope. In the case of Smart Contracts, please always make sure the code has been deployed and present in the JSON file on the first row.\n\n__Blockchain/DLT__\n\n  - __Blockchain/DLT - PoC__, Blockchain/DLT bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.  \n  - For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n  - __Smart Contracts - PoC__, Smart Contract bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.  
\n  - For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Dev Environment and Documentation__ \n\nPolygon Labs has included dev documentation and/or instructions to help in reviewing code and looking for bugs:\n\n| __Dev or Staging Environment Links__     |\n| ---------- |\n| https://docs.polygon.technology/](https://docs.polygon.technology/)        |","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2021-09-13T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/8EEzTabH4B0Palx5UgpL8/4d800cd963e02d33e39872b4030e7e2f/Polygon__1_.jpeg","maxBounty":250000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - high","blockchain_dlt - high","smart_contract - medium","blockchain_dlt - critical","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L2"],"programOverview":"Polygon is a Layer 2 scaling solution that achieves scale by utilizing sidechains for off-chain computation and a decentralized network of Proof-of-Stake (PoS) validators.\n\nPolygon strives to solve the scalability and usability issues while not compromising on decentralization and leveraging the existing developer community and ecosystem. It aims at improving existing platforms by providing scalability and superior user experience to dApps and user functionalities.\n\nIt is a scaling solution for public blockchains. 
Polygon PoS supports all the existing Ethereum tooling along with faster and cheaper transactions.\nFor more information about Polygon Labs and Polygon protocols, please visit [https://polygon.technology/](https://polygon.technology/). \n\n__For Whitehats__: It is highly recommended that you review the details of this program in full. Although many Bug Bounty programs have standard terms and conditions, each also has their own unique details that are critical to your success.  \n\nPrior to submitting a report please review the Immunefi [Bug Report Template and Best Practices](https://immunefisupport.zendesk.com/hc/en-us/articles/12435277406481-Bug-Report-Template).","programType":["Smart Contract","Blockchain/DLT"],"project":"Polygon","projectType":["Blockchain"],"rewardsBody":"__Reward Distribution__\n\nPayouts over the lower bound reward are directly related to the direct funds at risk. If no funds are at risk, the Critical or High payouts are limited to the minimum, unless decided otherwise by Polygon Labs.\n\nFor the purposes of clarification, funds at risk refer to the proof of loss of funds.\n\nRewards for critical Blockchain/DLT and smart contract bug reports will be further capped at 10% of direct funds at risk if the bug discovered is exploited. However, there is a minimum reward of __USD 50 000__.\n\n__Payouts and Payout Requirements__\n\nPayouts are handled by the Polygon Labs team directly and are denominated in USD. Payouts are done in USDC or POL at the Polygon Labs teams' discretion. Polygon Labs commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures. \n\nPOL Payouts will be determined using TWAP 5 day price calculated from payment date.\n\nPolygon Labs requires an invoice to be received for each payout. 
An invoice template can be provided by Polygon Labs.\n\nThis bug bounty program is only open to individuals who reside outside of the countries that are restricted by OFAC and by UNSC resolutions. If the individual is a US person, tax information may be required in order to properly issue a 1099.\n\nPolygon Labs requires an invoice to be received for each payout. An invoice template can be provided by Polygon Labs.\n\n__KYC Requirements__\n\nPolygon Labs does have a Know Your Customer (KYC) requirement for bug bounty payouts. \n\n| __KYC Info Required__     |\n| ---------- |\n| Wallet Address       |\n| Passport |\n| Place of residence |\n\nKYC information is only required on confirmation of the validity of a bug report which Polygon Labs determines in its sole discretion.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, POL","slug":"polygon","tenPercentEconomicRule":true,"updatedDate":"2026-03-04T19:12:49.632Z","impactsBody":"Important notes:\n- You must be able to prove the real exploitability/severity of a report without doubt or assumptions, and based on the current state of the blockchain at the time of the report.\n- Reports are classified by Impact and Likelihood/Probability and using common frameworks such as CVSS. The combination determines the severity and are determined at Polygon’s sole discretion.\n- Actual reward amounts are determined at Polygon’s sole discretion. 
Factors influencing payout include report quality, completeness, and severity/exploitability.\n\n__Severity Table__\n\nReports are classified using two dimensions: Impact and Probability (Likelihood) and classified using the following table\n\n|                    | Low Impact | Medium Impact | High Impact |\n|--------------------|------------|----------------|--------------|\n| **High Probability**   | MEDIUM     | HIGH           | CRITICAL     |\n| **Medium Probability** | LOW        | MEDIUM         | HIGH         |\n| **Low Probability**    | LOW        | LOW            | MEDIUM       |\n\n__Understanding Probability__\n\nReports are classified using two dimensions: Impact and Probability (Likelihood). Probability reflects how permissionless and reliably the issue can be exploited against the current production deployment. Critical severity requires both High Impact and High Probability (i.e., a permissionless exploit that can be executed at will).\n\nHigh Probability\n- Permissionless: no privileged role/allowlist or compromised keys required.\n- Exploitable at will on production (reliable/repeatable under normal conditions).\n\nMedium Probability\n- Exploitable, but requires realistic preconditions (e.g., specific state/timing, meaningful capital/positioning, or common MEV/order-dependence).\n- May not succeed every attempt; depends on conditions outside the attacker's full control.\n\nLow Probability\n\n- Requires rare edge conditions or strong assumptions (e.g., very narrow timing, unlikely state/user behavior).\n- Hard to reproduce reliably / low success rate in practice.\n\n__Impacts to other assets__ \n\nHackers are encouraged to submit issues outside of those outlined Impacts and Assets in Scope. 
\n\nIf Whitehats can demonstrate a critical impact of code in production for an asset not in scope, Polygon Labs encourages you to submit your bug report using the “primacy of impact exception” asset as outlined below.","websiteUrl":"https://polygon.technology","githubUrl":"https://github.com/0xPolygon","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Polygon is a fast, low cost, and battle tested blockchain. Live for 5+ years, with 99.99% uptime and millions of users, join them in moving money and RWAs today.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Vulnerabilities in unmodified upstream dependencies (e.g., go-ethereum, Cosmos SDK, CometBFT, Tendermint) that are not introduced by Polygon Labs modifications.\n  - Broken link hijacking is out of scope\n  - Loss of funds held by third parties\n  - Best practice critiques\n  - Attacks using vulnerable, old or deprecated libraries, that are not exploitable\n\n__Smart Contracts and Blockchain/DLT__\n\n- Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n- Previously known vulnerabilities in Tendermint and or/any other fork of these.\n- Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.\n- Basic economic governance attacks (e.g. 
51% attack)\n- Lack of liquidity\n- Best practice critiques\n- Sybil attacks\n- Centralization risks\n- Attacks using vulnerable, old or deprecated libraries, that are not exploitable","customProhibitedActivities":[],"impacts":[{"id":5847,"type":"blockchain_dlt","severity":"high","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":984,"type":"smart_contract","severity":"high","title":"Theft of user fees"},{"id":985,"type":"blockchain_dlt","severity":"high","title":"Transient consensus failures"},{"id":986,"type":"smart_contract","severity":"medium","title":"Denial of service attacks"},{"id":5665,"type":"smart_contract","severity":"critical","title":"Loss of bridge or staking funds"},{"id":5666,"type":"blockchain_dlt","severity":"high","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":5667,"type":"blockchain_dlt","severity":"medium","title":"Denial of service attacks"},{"id":5668,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for less than 1 
week"}],"rewards":[{"id":42311,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":42306,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":250000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":42307,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":10000,"rewardModel":"fixed"},{"id":42308,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","fixedReward":2000,"rewardModel":"fixed"},{"id":42309,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":42310,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"2U2yI9GVNHZfk152xBPntE","url":"https://github.com/zkVerify/zkverifyjs","type":"websites_and_applications","addedAt":"2025-09-05T16:00:48.834Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98720","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"98766","url":"https://immunefi.com/","type":"blockchain_dlt","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99125","url":"https://zkverify.io","type":"websites_and_applications","addedAt":"2026-03-04T18:41:10.498Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99126","url":"https://github.com/zkVerify/zkVerify","type":"blockchain_dlt","addedAt":"2026-03-04T18:41:10.498Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Polkadot"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":["Rust"],"launchDate":"2025-09-05T12:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/43562-XsQidDmPxFzfkmVAQWyt_-QWtGz8DGV5zcFHPyca9xbsMLyiimNP.png","maxBounty":50000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","websites_and_applications - critical"],"primaryPaymentWallet":"Polkadot","prioritizedVulnerabilities":"_blank_","productType":["L1"],"programOverview":"zkVerify allows modular blockchain networks to offload the computationally heavy and expensive process of proof verification, enabling them to focus on their primary functions and stay ahead of their competition.\n\nThis modular approach not only streamlines operations but also significantly boosts overall network efficiency.","programType":["Websites and Applications","Blockchain/DLT"],"project":"zkVerify","projectType":["Blockchain"],"rewardsBody":"__Rewards by Threat Level__\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. \nReward Calculation for Critical Level Reports\n\nFor critical Blockchain/DLT bugs, the reward amount is 5% of the funds directly affected, capped at the maximum critical reward $50,000. 
However, a minimum reward of USD $15,000 is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nFor critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows: \n- Network not being able to confirm new transactions (total network shutdown): $15,000\n- Unintended permanent chain split requiring hard fork (network partition requiring hard fork): $15,000\n\n\nFor critical Blockchain/DLT bugs, the reward is dependent on the ratio between the funds at risk, which includes all affected projects on top of the respective blockchain/DLT, and the market cap according to the average between CoinMarketCap.com and CoinGecko.com, calculated at the time the bug report is submitted. \n\n\nFor critical web/apps bugs, reports will be rewarded with $10,000, only if the impact leads to:\nA loss of funds involving an attack that does not require any user action\nPrivate key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of $5,000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n\n__Reward Calculation for High Level Reports__\n\nFor high Blockchain/DLT non-funds-at risk impacts, the reward will be paid out as follows: \n- Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments: $5000\n- Causing network processing nodes to process transactions from the mempool beyond set parameters: $5000\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. 
Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"zkverify","tenPercentEconomicRule":false,"updatedDate":"2026-03-04T18:41:10.794Z","impactsBody":null,"websiteUrl":"https://zkverify.io","githubUrl":"https://github.com/orgs/zkVerify/","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"zkVerify allows modular blockchain networks to offload the computationally heavy and expensive process of proof verification, enabling them to focus on their primary functions and stay ahead of their competition.\n\nThis modular approach not only streamlines operations but also significantly boosts overall network efficiency.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Everything is in scope except Hyperbridge.","customProhibitedActivities":[],"impacts":[{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or 
usernames)"}],"rewards":[{"id":37750,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":50000,"minReward":15000,"rewardModel":"range","rewardCalculationPercentage":5},{"id":37751,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":37752,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range"}],"audits":[{"id":"2QWAvo8GYue9yTR4Jpf87P","url":"https://github.com/trailofbits/publications/blob/master/reviews/2025-02-zkverify-foundation-blockchain-securityreview.pdf","auditor":"Trail of Bits","date":"2025-02-06T00:00:00.000Z"},{"id":"1Bww5WFkkdebNNJRttOKGZ","url":"https://github.com/srlabs/audit-reports/blob/main/Polkadot/SRL-zkVerify_baseline_assurance-report-2025.pdf","auditor":"SRLabs","date":"2025-09-03T00:00:00.000Z"}]},{"assets":[{"id":"10NvIxXNuV2VPdexRkrUF3","url":"https://polygonscan.com/address/0x9C68850E18EACD4ea7ca2998b6BBeD9cf55316cb#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.647Z","revision":0,"description":"Protocol V3 - PRL - PeripheralMigrationContract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"16GcNSgunpY0uwb9HE6EFe","url":"https://snowscan.xyz/address/0x57265a3D7db8f4a4a155eadF6c7326926caC1490#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.567Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Swapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"16caJA89lYgvxQneNPNWkg","url":"https://hyperevmscan.io/address/0x24cef236056834f38e9247a1fff6681dd313d3aa#code","type":"smart_contract","addedAt":"2025-10-02T09:21:14.776Z","revision":0,"description":"Protocol V3 - Core Protocol - 
TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1C28klfzeubnvvUI6rL117","url":"https://basescan.org/address/0x24CeF236056834f38e9247A1Fff6681Dd313d3aa#code","type":"smart_contract","addedAt":"2025-10-02T09:21:27.782Z","revision":0,"description":"Protocol V3 - Parallelizer Module - DiamondLoupe","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1FHMwim4FYq8g56dkVBw5z","url":"https://sonicscan.org/address/0xDa818995DdEee3AC36BF492133E1FeAE1FA377E6#code","type":"smart_contract","addedAt":"2025-10-02T09:21:02.736Z","revision":0,"description":"Protocol V3 - Bridging Module - lz-USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1FmUDlbKn5N0tI9xI54u8m","url":"https://snowscan.xyz/address/0x9fFaCB3dB5cB74BdD4C68af3b7CF203130c699ec#code","type":"smart_contract","addedAt":"2025-10-02T09:21:05.965Z","revision":0,"description":"Protocol V3 - Bridging Module - lz-USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1KmvgUcvDHuXJxBqre0nv0","url":"https://sonicscan.org/address/0xe5C82b4F09Fd4d079757e156Db44AFD2c8032CC8#code","type":"smart_contract","addedAt":"2025-10-02T09:21:02.581Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Redeemer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1LuTHr1uKfTCZ5mc2JLxTQ","url":"https://polygonscan.com/address/0x7790dd69aa10eD3f1271E41CD7222D2a7d2D5948#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.843Z","revision":0,"description":"Protocol V3 - PRL - PeripheralPRL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1QBI9MpydA9ldSBIQLbzOr","url":"https://snowscan.xyz/address/0xF6Cc47E981ED5902BE382dbe7B54e3696De22dBb#code","type":"smart_contract","addedAt":"2025-10-02T09:21:05.783Z","revision":0,"description":"Protocol V3 - Parallelizer Module - 
Getters","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Qr8wUvuBxlCSLJyWpU91G","url":"https://etherscan.io/address/0xa9C21Cf291ad935e0C9B05a55A42254fB159181d#code","type":"smart_contract","addedAt":"2025-10-02T09:21:17.686Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Getters","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ST58uxkZhwXs9LqOsFaum","url":"https://etherscan.io/address/0x506Ba37aa8e265bE445913B9c4080852277f3c5a#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.676Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Swapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1WPBqW8cQ0WkDk4azB8TF3","url":"https://hyperevmscan.io/address/0x472eD57b376fE400259FB28e5C46eB53f0E3e7E7#code","type":"smart_contract","addedAt":"2025-10-02T09:21:14.650Z","revision":0,"description":"Protocol V3 - Parallelizer Module - SettersGovernor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1XGc9BB445fsLHXvjlRMLz","url":"https://seitrace.com/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E?chain=pacific-1&tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:08.668Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1XHP1CPPVBU20ZDNFnycqX","url":"https://www.oklink.com/fr/fantom/address/0x1ff33cf1607ca109f23a3fb9ec5193037eb26306/contract","type":"smart_contract","addedAt":"2025-10-02T09:21:01.712Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1XX2QXxFMs9O5vkMN426NM","url":"https://berascan.com/address/0x9fFaCB3dB5cB74BdD4C68af3b7CF203130c699ec#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.586Z","revision":0,"description":"Protocol V3 - Bridging Module - 
BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ZUhfHYehgLKyQabAsM7ro","url":"https://polygonscan.com/address/0xDB7Be3a50bdf5641757EBEa38e8014E1F0AA9475#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.465Z","revision":0,"description":"Protocol V3 - PRL - SPRL1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1bvDjsdryU86K48rUe3GE7","url":"https://snowscan.xyz/address/0x6efeDDF9269c3683Ba516cb0e2124FE335F262a2#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.303Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Redeemer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1dRneymu0raUpVSVEPQD3i","url":"https://polygonscan.com/address/0x09f3964874d3c8494f2e98e9e003e53c2750ab72#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.951Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1gl2AyRHaL62p8xMHHkDKG","url":"https://snowscan.xyz/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:05.780Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1gm8w2e1JmoN2vxJKK76VI","url":"https://etherscan.io/address/0xd8cc2A51556Da84b5DB309e86f30Ff98B5309862#code","type":"smart_contract","addedAt":"2025-10-02T09:21:17.330Z","revision":0,"description":"Protocol V3 - Parallelizer Module - RewardHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1hVciPtF1hk3P6Qov6M9CA","url":"https://etherscan.io/address/0xe8a2d848fe656e34a6caa35f375b42979e322135#code","type":"smart_contract","addedAt":"2025-10-02T09:21:17.169Z","revision":0,"description":"Protocol V3 - PRL - 
sPRL2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1jiv97cLSa4sDOXV2G6mdy","url":"https://bscscan.com/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:21.649Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1osLh2Wbv87ldBSYqmCb6z","url":"https://optimistic.etherscan.io/address/0xe8a2d848fe656e34a6caa35f375b42979e322135#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.714Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1wzZ7Dh2MexbxitRHCumje","url":"https://sonicscan.org/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.642Z","revision":0,"description":"Protocol V3 - PRL - PeripheralPRL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"21CIvhOngRMNxcaYA3yUoU","url":"https://explorer.inkonchain.com/address/0xcB3e564293393E0d4F43305a250d4e1716dE600b?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:17.616Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"24vK6EbrOev5M9qiFWErDY","url":"https://seitrace.com/address/0x9fFaCB3dB5cB74BdD4C68af3b7CF203130c699ec?chain=pacific-1&tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:07.815Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"25mH3LxMWt0jNZnvG8bShr","url":"https://etherscan.io/address/0x9B3a8f7CEC208e247d97dEE13313690977e24459#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.337Z","revision":0,"description":"Protocol V3 - Core Protocol - 
USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"28qBFnCxFAEmudVwq6f5OQ","url":"https://arbiscan.io/address/0x76A9A0062ec6712b99B4f63bD2b4270185759dd5#code","type":"smart_contract","addedAt":"2025-10-02T09:21:28.074Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2BATK20OLgbJL8Nkr36oEP","url":"https://uniscan.xyz/address/0x9e0DCF7a33bBde6689560C5c807dd2a3dF991277#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.744Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2CUfjgcreQ7y14B4j4bG60","url":"https://berascan.com/address/0xe23b5ded6f7b7cb56ebcd459b19dad4d7e05cf7b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.640Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2EOldwfIdGFv4NtHtNNQBP","url":"https://optimistic.etherscan.io/address/0x0e4e7Ca9D7b1e6293D0713EFEfB4BCA010DeBF46#code","type":"smart_contract","addedAt":"2025-10-02T09:21:11.643Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2IZnGTjRoWGLKxFOyKl07Z","url":"https://sonicscan.org/address/0xe8a3DA6f5ed1cf04c58ac7f6A7383641e877517b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:02.428Z","revision":0,"description":"Protocol V3 - Savings Module - sUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2JvCNvEj5fCymqaNBUu3As","url":"https://www.oklink.com/fr/fantom/address/0xfd28f108e95f4d41daae9dbfff707d677985998e/contract","type":"smart_contract","addedAt":"2025-10-02T09:21:01.719Z","revision":0,"description":"Protocol V3 - PRL - 
PeripheralMigrationContract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2KQOPJ6L4RvaIQmvKivYku","url":"https://hyperevmscan.io/address/0x1b2741dB9F46a0411852e4cC28dDC476851b5179#code","type":"smart_contract","addedAt":"2025-10-02T09:21:14.801Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Swapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2O15PwX2WvV4QdcgkqAqPP","url":"https://etherscan.io/address/0xeB197439D1425F3129F01F7763EC511DF2489095#code","type":"smart_contract","addedAt":"2025-10-02T09:21:16.988Z","revision":0,"description":"Protocol V3 - Parallelizer Module - SettersGovernor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2SIA0vposBLvnLzSjoDvNA","url":"https://gnosisscan.io/address/0xe23b5ded6f7b7cb56ebcd459b19dad4d7e05cf7b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:16.700Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2SbodlgWzWegy3ZYa8xWqA","url":"https://sonicscan.org/address/0x2B6C7c275404e93A14A05b549AF292231D6e4DeC#code","type":"smart_contract","addedAt":"2025-10-02T09:21:05.608Z","revision":0,"description":"Protocol V3 - Parallelizer Module - DiamondLoupe","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2TrgkyddnLhZ52huHyyEKV","url":"https://hyperevmscan.io/address/0xF92eD96C7bEc4aD46FF7937Cae633c907EBDf594#code","type":"smart_contract","addedAt":"2025-10-02T09:21:11.965Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Redeemer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ZdHZCeNIvviTOO8neMd3x","url":"https://scrollscan.com/address/0x9e0DCF7a33bBde6689560C5c807dd2a3dF991277#code","type":"smart_contract","addedAt":"2025-10-02T09:21:08.645Z","revision":0,"description":"Protocol V3 - Flashloan Module - 
FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2b071K5mpIekxSALY1uUYa","url":"https://polygonscan.com/address/0x7Df74BBB6F82eC1BCB1562a30ef5Bf5c326e2811#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.775Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2hriTSDMXvJlvhPn2SbfSB","url":"https://sonicscan.org/address/0xb3dbece41acdd6ad76d037b8da2e53c58826746c#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.360Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2jvdDT7HeZNH9gsreMov1d","url":"https://arbiscan.io/address/0x4Dde0e308CFB60515218C6ad2DF1134Fc48531FC#code","type":"smart_contract","addedAt":"2025-10-02T09:21:28.185Z","revision":0,"description":"Protocol V3 - Bridging Module - BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2l5YMB7kaG7NEto6KFBYtI","url":"https://uniscan.xyz/address/0xcb3e564293393e0d4f43305a250d4e1716de600b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:01.875Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2q1wj1yFyxWoe6OG4eI0SF","url":"https://basescan.org/token/0x472eD57b376fE400259FB28e5C46eB53f0E3e7E7#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.769Z","revision":0,"description":"Protocol V3 - Savings Module - sUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2uc7E7MmfhxDCWRTwpZ427","url":"https://gnosisscan.io/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:14.974Z","revision":0,"description":"Protocol V3 - Core Protocol - 
ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ufxNlrO25hBOctqe7r5ob","url":"https://gnosisscan.io/address/0xcb3e564293393e0d4f43305a250d4e1716de600b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:16.646Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2wpY9klaUMD3B7qNZKUYPs","url":"https://sonicscan.org/address/0xBEFBAe2330186F031b469e26283aCc66bb5F8826#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.215Z","revision":0,"description":"Protocol V3 - Parallelizer Module - ParallelizerUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"33z1LcFdYOBV9Wl9lRPNSg","url":"https://snowscan.xyz/address/0x9d92c21205383651610f90722131655a5b8ed3e0#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.127Z","revision":0,"description":"Protocol V3 - Savings Module - sUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3AiK9GJM76CPZWLI9h52NR","url":"https://app.parallel.best/","type":"websites_and_applications","addedAt":"2025-10-02T09:21:28.338Z","revision":0,"description":"App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3NpAw8J9qj6fq4imRglMrr","url":"https://etherscan.io/address/0xA360E5aD9F17caff53715346888aA0d13541c2F5#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.358Z","revision":0,"description":"Protocol V3 - Parallelizer Module - DiamondLoupe","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3NsCCRglyy2cpuvZbevgxz","url":"https://sonicscan.org/address/0xCa43eCFCDFBA1fED003649e946Ae6091646B410a#code","type":"smart_contract","addedAt":"2025-10-02T09:21:02.886Z","revision":0,"description":"Protocol V3 - Parallelizer Module - 
SettersGuardian","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Q3GCpSSraqMuX7mbopHHa","url":"https://basescan.org/address/0x0e4e7Ca9D7b1e6293D0713EFEfB4BCA010DeBF46#code","type":"smart_contract","addedAt":"2025-10-02T09:21:27.918Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3TxVpXxIo9oIIX1vylbigw","url":"https://explorer.tac.build/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:15.302Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3UXdqwunIoKsoygEbikYCu","url":"https://snowscan.xyz/address/0xcb3e564293393e0d4f43305a250d4e1716de600b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:05.969Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3UjdyRtdfgpf5z5cqhPI8t","url":"https://optimistic.etherscan.io/address/0x4def531c3060686948f00ecc7504f2e0b71eda14#code","type":"smart_contract","addedAt":"2025-10-02T09:21:11.288Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3bcxcih7x72XF7tOLMUOEO","url":"https://bscscan.com/address/0x048C4e07D170eEdEE8772cA76AEE1C4e2D133d5c#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.433Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3brbrhjlzUiuisbS6kQMqu","url":"https://hyperevmscan.io/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:11.789Z","revision":0,"description":"Protocol V3 - Core Protocol - 
ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3cZlSjKhunhvYRO2niZ0gQ","url":"https://arbiscan.io/address/0x3ebe332d2aa8ccb5ddc051c9925d9a41708e54d9#code","type":"smart_contract","addedAt":"2025-10-02T09:21:28.192Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ceVaTHhMAfAAwFbMQLRxi","url":"https://etherscan.io/address/0x0d45b129dc868963025Db79A9074EA9c9e32Cae4#code","type":"smart_contract","addedAt":"2025-10-02T09:21:21.630Z","revision":0,"description":"Protocol V3 - Savings Module - sUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3kURL5mdET4xj3uxUcCHJk","url":"https://berascan.com/address/0xcb3e564293393e0d4f43305a250d4e1716de600b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.558Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3o6mYgS4pw7IRexeLmXDIM","url":"https://scrollscan.com/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:08.219Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3of9hQmd00OeMLdyOV1yeD","url":"https://basescan.org/address/0x90e4AE8bA8C6Fd51fcED0f9331668b05c7a4Ee43#code","type":"smart_contract","addedAt":"2025-10-02T09:21:25.872Z","revision":0,"description":"Protocol V3 - Parallelizer Module - SettersGovernor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3pryQ2LSDplSkfG93Qprii","url":"https://sonicscan.org/address/0x2cb56dF31b909854B01D4B1EAd5676cf90e885E7#code","type":"smart_contract","addedAt":"2025-10-02T09:21:05.587Z","revision":0,"description":"Protocol V3 - Flashloan Module - 
FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3sR5nrQ9jidIR07lhI4HIq","url":"https://hyperevmscan.io/address/0x1250304F66404cd153fA39388DDCDAec7E0f1707#code","type":"smart_contract","addedAt":"2025-10-02T09:21:14.827Z","revision":0,"description":"Protocol V3 - Parallelizer Module - ParallelizerUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3uQHxCCUQuYA6ltm7HjGB3","url":"https://snowscan.xyz/address/0x9eE1963f05553eF838604Dd39403be21ceF26AA4#code","type":"smart_contract","addedAt":"2025-10-02T09:21:07.647Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3v5PTvw7LEbSSCaKdS7mD8","url":"https://sonicscan.org/address/0x7Df74BBB6F82eC1BCB1562a30ef5Bf5c326e2811#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.847Z","revision":0,"description":"Protocol V3 - PRL - sPRL1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3yXROZbHHolhqx6q2Weev2","url":"https://seitrace.com/address/0x411dc65548c066Fb0F85bF48A72306D321C783bd?chain=pacific-1&tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:08.067Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ynvFELCX9A4cODLbfYVu7","url":"https://hyperevmscan.io/address/0x3997f0dbd1e2cfc4eccf60c31366930dcf2298d7#code","type":"smart_contract","addedAt":"2025-10-02T09:21:14.677Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"40egjWO9ccKnTPYcVtc0j2","url":"https://polygonscan.com/address/0xfefc8635edf0faad83312a713cb67722d049c9bc#code","type":"smart_contract","addedAt":"2025-10-02T09:21:08.759Z","revision":0,"description":"Protocol V3 - Core Protocol - 
TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"44joNln4ZUHkrJyjq4e5Nx","url":"https://basescan.org/address/0x15452454A9735D68df430879B2941316a09295B1#code","type":"smart_contract","addedAt":"2025-10-02T09:21:27.914Z","revision":0,"description":"Protocol V3 - Parallelizer Module - DiamondCut","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"46b3acJy6C7Ujln8owCpgn","url":"https://snowscan.xyz/address/0x41d58951cbd12d4ef49b0437897677bbf5547c80#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.650Z","revision":0,"description":"Protocol V3 - Parallelizer Module - ParallelizerUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"46mnknbCHRDvxcJ2zmR7At","url":"https://etherscan.io/address/0xa19c5d1013a8682ac76206a085ec24ac89f7c025#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.520Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"475vkRB2MM2dRkg84AIhvd","url":"https://hyperevmscan.io/address/0x9B3a8f7CEC208e247d97dEE13313690977e24459#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.779Z","revision":0,"description":"Protocol V3 - Savings Module - sUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"48SmHzO9OFQ9cbFLn30v6X","url":"https://basescan.org/address/0xBE65F0F410A72BeC163dC65d46c83699e957D588#code","type":"smart_contract","addedAt":"2025-10-02T09:21:25.735Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Getters","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"49eDDpqJn09e9aNEGyioSu","url":"https://basescan.org/address/0xa65821ffe86e6eb613daa1f70af350c5a21759df#code","type":"smart_contract","addedAt":"2025-10-02T09:21:25.770Z","revision":0,"description":"Protocol V3 - Savings Module - 
SavingsNameable","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4CMgQFTrAqOEKW2PtkXrgQ","url":"https://optimistic.etherscan.io/address/0x3EBE332d2AA8cCB5dDc051c9925D9A41708e54D9#code","type":"smart_contract","addedAt":"2025-10-02T09:21:11.478Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4DddMbdI1VlHROWhQJVF68","url":"https://basescan.org/address/0x76A9A0062ec6712b99B4f63bD2b4270185759dd5#code","type":"smart_contract","addedAt":"2025-10-02T09:21:25.880Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4GPfKSdkKFrsGN5gJJEnWD","url":"https://snowscan.xyz/address/0x3dde241c6263eb0cdf2e09f77cbcf90028a9a6c3#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.705Z","revision":0,"description":"Protocol V3 - Savings Module - SavingsNameable","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4IyfX83oo0h42RQmtWrdrx","url":"https://snowscan.xyz/address/0x657acB8A3BF9383e561565d422ea9b9A90ce0052#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.312Z","revision":0,"description":"Protocol V3 - Parallelizer Module - DiamondCut","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4KeU6VaxHN8JNUUs3yeLms","url":"https://etherscan.io/address/0xad58Fc13a682a121e5fe2f8E45D4D988A7e51B0D#code","type":"smart_contract","addedAt":"2025-10-02T09:21:17.614Z","revision":0,"description":"Protocol V3 - Parallelizer Module - DiamondCut","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4T6X3mKc7aNr9HUq53iXJ2","url":"https://gnosisscan.io/address/0x9fFaCB3dB5cB74BdD4C68af3b7CF203130c699ec#code","type":"smart_contract","addedAt":"2025-10-02T09:21:15.087Z","revision":0,"description":"Protocol V3 - Bridging Module - 
BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Xp6huOTJ4U3sag6X0ZTNx","url":"https://optimistic.etherscan.io/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.606Z","revision":0,"description":"Protocol V3 - PRL - PeripheralPRL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ZRksQ81DCUN38driSGxlH","url":"https://sonicscan.org/address/0xae2fb66d1989ec1684ff095b75d151ae8e403e2e#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.522Z","revision":0,"description":"Protocol V3 - Savings Module - SavingsNameable","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4aEPCV4IGFLEM1SQw3WKmg","url":"https://hyperevmscan.io/address/0xaE2Fb66d1989EC1684fF095B75D151Ae8E403E2e#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.601Z","revision":0,"description":"Protocol V3 - Parallelizer Module - SettersGuardian","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4biROrasSDYmJQoS9qBd16","url":"https://explorer.inkonchain.com/address/0x9fFaCB3dB5cB74BdD4C68af3b7CF203130c699ec?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:16.823Z","revision":0,"description":"Protocol V3 - Bridging Module - BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4gGQF56J9GMLmJgFCmFYj6","url":"https://scrollscan.com/address/0x9fFaCB3dB5cB74BdD4C68af3b7CF203130c699ec#code","type":"smart_contract","addedAt":"2025-10-02T09:21:08.457Z","revision":0,"description":"Protocol V3 - Bridging Module - BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4kbV6YFmJMXJAMY4qcIt0f","url":"https://hyperevmscan.io/address/0xBE65F0F410A72BeC163dC65d46c83699e957D588#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.436Z","revision":0,"description":"Protocol V3 - Core Protocol - 
USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4kequidUbqnAQwInd6j2xe","url":"https://basescan.org/address/0x4Dde0e308CFB60515218C6ad2DF1134Fc48531FC#code","type":"smart_contract","addedAt":"2025-10-02T09:21:25.902Z","revision":0,"description":"Protocol V3 - Bridging Module - lz-USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4nkZH27VEidecne8llA2Mi","url":"https://basescan.org/address/0x472eD57b376fE400259FB28e5C46eB53f0E3e7E7#code","type":"smart_contract","addedAt":"2025-10-02T09:21:27.699Z","revision":0,"description":"Protocol V3 - Savings Module - sUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"55Td03qOAUVcJXu5hbeLQp","url":"https://hyperevmscan.io/address/0xC3BEF21Ea7dEB5C34CF33E918c8e28972C8048eD#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.134Z","revision":0,"description":"Protocol V3 - Bridging Module - lz-USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"56hZTWce6WjExgNlPBP0u9","url":"https://snowscan.xyz/address/0x9e0DCF7a33bBde6689560C5c807dd2a3dF991277#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.147Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"57eamWDekNFqMhKp83z23w","url":"https://etherscan.io/address/0x94Ea8800444017695345156319e96bdB1E355F7a#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.577Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"58DeGMDmsoDE17U6dsAJIU","url":"https://uniscan.xyz/address/0x9eE1963f05553eF838604Dd39403be21ceF26AA4#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.677Z","revision":0,"description":"Protocol V3 - Core Protocol - 
USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5AQRHgLvxLk1kKAkPIyESj","url":"https://arbiscan.io/address/0xb3dbece41acdd6ad76d037b8da2e53c58826746c#code","type":"smart_contract","addedAt":"2025-10-02T09:21:28.089Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Gj965iBfw14u0qrbgANFL","url":"https://sonicscan.org/address/0xe9fe4720FA99f9b28584dA44ABB8cf91f15990e8#code","type":"smart_contract","addedAt":"2025-10-02T09:21:02.286Z","revision":0,"description":"Protocol V3 - Parallelizer Module - DiamondCut","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5HXRkgHb8kEANX9PsC44mS","url":"https://etherscan.io/address/0x41d58951cbd12d4ef49b0437897677bbf5547c80#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.741Z","revision":0,"description":"Protocol V3 - Savings Module - SavingsNameable","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5IX9gUunr0zTU1froLcmCD","url":"https://basescan.org/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.802Z","revision":0,"description":"Protocol V3 - PRL - PeripheralPRL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5P3j5SHEFmAJ9xkwoJnIYi","url":"https://bscscan.com/address/0x9ffacb3db5cb74bdd4c68af3b7cf203130c699ec#code","type":"smart_contract","addedAt":"2025-10-02T09:21:21.796Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5W2cNvAC6STaXw2UeVZjqy","url":"https://arbiscan.io/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:28.066Z","revision":0,"description":"Parallel V3 - PRL - 
PeripheralPRL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Y6I3DUUW0T0Cp97EQpQWa","url":"https://etherscan.io/address/0xc743BeDE8412228B42Ae755cD64A33Cd3ae4A92f#code","type":"smart_contract","addedAt":"2025-10-02T09:21:17.514Z","revision":0,"description":"Protocol V3 - Parallelizer Module - SettersGuardian","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5YJ5Uvk67RbUMzpJvQfkmR","url":"https://sonicscan.org/address/0x90e4AE8bA8C6Fd51fcED0f9331668b05c7a4Ee43#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.822Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Getters","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Z6I15N0SUsZhhBiaNrHsA","url":"https://etherscan.io/address/0x6c0aeceeDc55c9d55d8B99216a670D85330941c3#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.682Z","revision":0,"description":"Protocol V3 - PRL - PRL Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5d6oB1DnGdJvFVjZy0RLsa","url":"https://hyperevmscan.io/address/0x120805265fA944834DC6e930De2995768806a9d2#code","type":"smart_contract","addedAt":"2025-10-02T09:21:14.944Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Getters","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5fftgY6Hcdj3ByO4a4WcLj","url":"https://etherscan.io/address/0x4738682c1d8981ed9583b58f619d91742ad8e74f#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.707Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5g7YmBgxIq5iWRfh03JDBJ","url":"https://sonicscan.org/address/0x4dde0e308cfb60515218c6ad2df1134fc48531fc#code","type":"smart_contract","addedAt":"2025-10-02T09:21:05.629Z","revision":0,"description":"Protocol V3 - Flashloan Module - 
FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5glblP1MQsTy8n6lJNbdpO","url":"https://bscscan.com/address/0x7b54f3D993d3bcA077946034Ea710F9c07420C72#code","type":"smart_contract","addedAt":"2025-10-02T09:21:21.808Z","revision":0,"description":"Protocol V3 - Bridging Module - BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5iyl22di6kinSnEx8AKu9e","url":"https://polygonscan.com/address/0x9aFDB5A5eC2BBDDdAa4573BAA25CAA4e4e4a2CA9#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.685Z","revision":0,"description":"Protocol V3 - Bridging Module - BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5lxGDWlYehlDLT8LTAuGRo","url":"https://hyperevmscan.io/address/0xA65821FfE86E6Eb613DAa1F70AF350C5A21759dF#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.780Z","revision":0,"description":"Protocol V3 - Parallelizer Module - DiamondCut","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5onJ2fPDl6pg1wvxF8LKmG","url":"https://basescan.org/address/0xe9fe4720FA99f9b28584dA44ABB8cf91f15990e8#code","type":"smart_contract","addedAt":"2025-10-02T09:21:25.587Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Redeemer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5sv67RL8IFeT0r84U8ACWR","url":"https://scrollscan.com/address/0xe23b5ded6f7b7cb56ebcd459b19dad4d7e05cf7b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:08.284Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ujeg8nAPRQcYgeVh1oJdS","url":"https://explorer.tac.build/address/0x90337e484B1Cb02132fc150d3Afa262147348545?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:15.454Z","revision":0,"description":"Protocol V3 - Core Protocol - 
TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5wyr1KfoBQZaDj1ayqr3ch","url":"https://optimistic.etherscan.io/address/0x76A9A0062ec6712b99B4f63bD2b4270185759dd5#code","type":"smart_contract","addedAt":"2025-10-02T09:21:11.112Z","revision":0,"description":"Protocol V3 - Bridging Module - BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"62ibMhlM0ooH1IBd4a1WPF","url":"https://sonicscan.org/address/0xC3BEF21Ea7dEB5C34CF33E918c8e28972C8048eD#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.056Z","revision":0,"description":"Protocol V3 - Parallelizer Module - SettersGovernor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6C1Xnu9asTkkpRKgRy6hOe","url":"https://polygonscan.com/address/0x90337e484B1Cb02132fc150d3Afa262147348545#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.617Z","revision":0,"description":"Protocol V3 - PRL - MainFeeDistributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6EI6jI11USW2V1VWBUcEHE","url":"https://explorer.tac.build/address/0xB3DbecE41acDD6aD76d037b8Da2e53C58826746c?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:15.405Z","revision":0,"description":"Protocol V3 - Bridging Module - BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6EXeHU6qMsWNdsNGkhLsKS","url":"https://hyperevmscan.io/address/0x769f533139eb1723c41cadec243ce10bc4d400fd#code","type":"smart_contract","addedAt":"2025-10-02T09:21:14.609Z","revision":0,"description":"Protocol V3 - Savings Module - SavingsNameable","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6GBbfreBl0aMo0C5plX004","url":"https://basescan.org/address/0x08417cdb7F52a5021bB4eb6E0deAf3f295c3f182#code","type":"smart_contract","addedAt":"2025-10-02T09:21:27.933Z","revision":0,"description":"Protocol V3 - Flashloan Module - 
FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6KEPd8r9NLzD51XRdW5Y6y","url":"https://sonicscan.org/address/0x8eFb3DED78FbaEF2a4eFe01E01BBD911E4094b78#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.836Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6KNgPl9c6rCwGyaFH0d4Yc","url":"https://basescan.org/address/0x3ebe332d2aa8ccb5ddc051c9925d9a41708e54d9#code","type":"smart_contract","addedAt":"2025-10-02T09:21:27.755Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6OxJA0ZZsavPVHx9o1OVyu","url":"https://gnosisscan.io/address/0x9eE1963f05553eF838604Dd39403be21ceF26AA4#code","type":"smart_contract","addedAt":"2025-10-02T09:21:15.141Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6RC1L8RzCYcuvySNAyj3jY","url":"https://etherscan.io/address/0x2A4ABC8dcBE2f68E48dFc0db5784C71dB8d5B89c#code","type":"smart_contract","addedAt":"2025-10-02T09:21:21.607Z","revision":0,"description":"Protocol V3 - PRL - SideChainFeeCollector","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Slwu090ORwol2a8net6xK","url":"https://gnosisscan.io/address/0x9e0DCF7a33bBde6689560C5c807dd2a3dF991277#code","type":"smart_contract","addedAt":"2025-10-02T09:21:15.246Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6VhtpKNkV6YOKioapgSm3E","url":"https://hyperevmscan.io/address/0xBEFBAe2330186F031b469e26283aCc66bb5F8826#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.284Z","revision":0,"description":"Protocol V3 - Parallelizer Module - 
DiamondLoupe","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ZxIagVPpIgQSZQx4LQjCQ","url":"https://sonicscan.org/address/0xA65821FfE86E6Eb613DAa1F70AF350C5A21759dF#code","type":"smart_contract","addedAt":"2025-10-02T09:21:03.687Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Swapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6hYQM6kkC0weNgPHWoRB0h","url":"https://basescan.org/address/0xfB2D070270e9FfC2dB107D0162b47c2Ed291E3F7#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.879Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Swapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6mkFUCHpaIaai6jWa9rxbQ","url":"https://scrollscan.com/address/0xcb3e564293393e0d4f43305a250d4e1716de600b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:08.372Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6pCTfSq6AsaIp4G7MYN0Io","url":"https://uniscan.xyz/address/0x9fFaCB3dB5cB74BdD4C68af3b7CF203130c699ec#code","type":"smart_contract","addedAt":"2025-10-02T09:21:01.957Z","revision":0,"description":"Protocol V3 - Bridging Module - BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6uaXpc0EBPuf3apc2JSq5","url":"https://snowscan.xyz/address/0x5bEADA21a6B9Cb229117B3EA2C0D1594785013A2#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.471Z","revision":0,"description":"Protocol V3 - Parallelizer Module - SettersGovernor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6xPeeHgkMrXLRRR09kOv1t","url":"https://basescan.org/address/0xe5C82b4F09Fd4d079757e156Db44AFD2c8032CC8#code","type":"smart_contract","addedAt":"2025-10-02T09:21:25.568Z","revision":0,"description":"Protocol V3 - Parallelizer Module - 
SettersGuardian","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6yVfuYYBSrngN0Poyr0phs","url":"https://snowscan.xyz/address/0xe23b5ded6f7b7cb56ebcd459b19dad4d7e05cf7b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:05.802Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6yzMVQSFym1qt7I7TDlXV4","url":"https://etherscan.io/address/0x1bB46FC55E3fd91Ca0F162DCC0B3ef574C8ff97E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:21.486Z","revision":0,"description":"Protocol V3 - Parallelizer Module - Redeemer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"71rKToNPr2E8c3I6RTaXnb","url":"https://berascan.com/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.542Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"742GLIUpkUnKiQbSwRXYWt","url":"https://seitrace.com/address/0x048C4e07D170eEdEE8772cA76AEE1C4e2D133d5c?chain=pacific-1&tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:08.109Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"79stk5A9xSaBslWS4kaxdC","url":"https://basescan.org/address/0x2B6C7c275404e93A14A05b549AF292231D6e4DeC#code","type":"smart_contract","addedAt":"2025-10-02T09:21:27.832Z","revision":0,"description":"Protocol V3 - Parallelizer Module - RewardHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7BEBGf61ZzouxoqhEPcRMQ","url":"https://etherscan.io/address/0xeAd729472f82E5eC2FF4e691d67633077C1B5901#code","type":"smart_contract","addedAt":"2025-10-02T09:21:17.157Z","revision":0,"description":"Protocol V3 - PRL - 
sPRL1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7BI4FAyQJ0v8vtmfjOZFkw","url":"https://basescan.org/address/0xC3BEF21Ea7dEB5C34CF33E918c8e28972C8048eD#code","type":"smart_contract","addedAt":"2025-10-02T09:21:25.734Z","revision":0,"description":"Protocol V3 - Parallelizer Module - ParallelizerUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7EiFxFQFBouCASqZnPB4Kc","url":"https://explorer.tac.build/address/0x4DeF531c3060686948f00EcC7504f2E0b71EDa14?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:15.631Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7FMiaV4sGu3nWBsZh1jQEY","url":"https://explorer.inkonchain.com/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:15.784Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7Jti9X0ZE2Ipt4SsgTaDA1","url":"https://explorer.tac.build/address/0x76A9A0062ec6712b99B4f63bD2b4270185759dd5?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:15.554Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7KWiBYnvnuIiFh1ddMe0k9","url":"https://hyperevmscan.io/address/0xa5d9CAA2EF06D39d5992b5046e2DEFFf6D5Cbd18#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.761Z","revision":0,"description":"Protocol V3 - Parallelizer Module - RewardHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7LO3dzqwFb5pUXeljjRrvB","url":"https://etherscan.io/address/0x6efeDDF9269c3683Ba516cb0e2124FE335F262a2#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.556Z","revision":0,"description":"Protocol V3 - Parallelizer Module - 
ParallelizerUSDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7aQh9oWZapvdWwf4t6XCYU","url":"https://explorer.inkonchain.com/address/0xe23B5DED6f7B7cb56Ebcd459B19Dad4D7E05cF7b?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:17.642Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7fdAkj1lJha7P1D9o8LF8L","url":"https://sonicscan.org/address/0xfB2D070270e9FfC2dB107D0162b47c2Ed291E3F7#code","type":"smart_contract","addedAt":"2025-10-02T09:21:02.136Z","revision":0,"description":"Protocol V3 - Parallelizer Module - RewardHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7jDsqG0W3nXYWQxalY0jlA","url":"https://etherscan.io/address/0xdE91eb8206c228f4208c34510cf0C61C9302a434#code","type":"smart_contract","addedAt":"2025-10-02T09:21:17.323Z","revision":0,"description":"Protocol V3 - PRL - PRL Lockbox","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7lPlA6J3qDVtkbxw1KXJcU","url":"https://bscscan.com/address/0x411dc65548c066fb0f85bf48a72306d321c783bd#code","type":"smart_contract","addedAt":"2025-10-02T09:21:21.792Z","revision":0,"description":"Protocol V3 - Core Protocol - TokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7o7SasBJxXCadvT5HOxjVj","url":"https://hyperevmscan.io/address/0x15452454A9735D68df430879B2941316a09295B1#code","type":"smart_contract","addedAt":"2025-10-02T09:21:14.807Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7vPlbF3UB030efQ9lmMrZp","url":"https://polygonscan.com/address/0x1250304F66404cd153fA39388DDCDAec7E0f1707#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.828Z","revision":0,"description":"Protocol V3 - Core Protocol - 
USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Ahne7YvLMp98XrLX3KwXM","url":"https://polygonscan.com/address/0x7b54f3D993d3bcA077946034Ea710F9c07420C72#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.792Z","revision":0,"description":"Protocol V3 - PRL - RewardMerkleDistributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"AybwhsjpD6W2ZmNqRhPZq","url":"https://basescan.org/address/0xb3dbece41acdd6ad76d037b8da2e53c58826746c#code","type":"smart_contract","addedAt":"2025-10-02T09:21:25.718Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"BOnUlSyac3QGhkheQcQi4","url":"https://etherscan.io/address/0x0EC5ab257aDf6968A3D3C187BE1Ee0fe74487Eb3#code","type":"smart_contract","addedAt":"2025-10-02T09:21:21.580Z","revision":0,"description":"Protocol V3 - PRL - PrincipalMigrationContract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Dn8vFEsOHkIUdJgpC5Ty4","url":"https://seitrace.com/address/0xc0e62F863bbD9dab9d2F79e4EcC248e60c4fE3FA?chain=pacific-1&tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:07.760Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"E2Yjy9iqpkV3HsYDozJPI","url":"https://arbiscan.io/address/0x0e4e7Ca9D7b1e6293D0713EFEfB4BCA010DeBF46#code","type":"smart_contract","addedAt":"2025-10-02T09:21:28.227Z","revision":0,"description":"Protocol V3 - Core Protocol - ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"LYUkVu6u6GuKRr8byrnmi","url":"https://berascan.com/address/0x9eE1963f05553eF838604Dd39403be21ceF26AA4#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.710Z","revision":0,"description":"Protocol V3 - Core Protocol - 
USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"NG7xE1ICxWwXpPrJ88WJA","url":"https://explorer.inkonchain.com/address/0x9e0DCF7a33bBde6689560C5c807dd2a3dF991277?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:16.991Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"NtINwyMIaYz7VZBFp4NVS","url":"https://basescan.org/address/0x01fA35fDE0E813e2D6687660a74A313d8D922E48#code","type":"smart_contract","addedAt":"2025-10-02T09:21:27.999Z","revision":0,"description":"Protocol V3 - PRL - sPRL1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"O0wwy8iIZ4nG7UcVg4JGI","url":"https://snowscan.xyz/address/0xbBC90E685C4a66EBBDC71a3A1437d3111e43Fe84#code","type":"smart_contract","addedAt":"2025-10-02T09:21:07.618Z","revision":0,"description":"Protocol V3 - Parallelizer Module - SettersGuardian","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OXIrXFDezgvR2g2rrYoSO","url":"https://arbiscan.io/address/0x08417cdb7F52a5021bB4eb6E0deAf3f295c3f182#code","type":"smart_contract","addedAt":"2025-10-02T09:21:28.245Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"P8KVO39W8KqdRqdnw25zx","url":"https://sonicscan.org/address/0x08417cdb7F52a5021bB4eb6E0deAf3f295c3f182#code","type":"smart_contract","addedAt":"2025-10-02T09:21:05.763Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"R3I7q9P1VEMFbNsODDKeC","url":"https://polygonscan.com/address/0xC15Fd01A21E8f6625f709b16f6b3562d2848Da5f#code","type":"smart_contract","addedAt":"2025-10-02T09:21:10.682Z","revision":0,"description":"Protocol V3 - Flashloan Module - 
FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"RlwIkEWHgyWvkh0CODhYE","url":"https://explorer.inkonchain.com/address/0x9eE1963f05553eF838604Dd39403be21ceF26AA4?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:16.841Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"U4z11DeWb1AqXwLqLwuCq","url":"https://optimistic.etherscan.io/address/0x90337e484B1Cb02132fc150d3Afa262147348545#code","type":"smart_contract","addedAt":"2025-10-02T09:21:12.637Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Yo1Dw04YoIIu5ju2SH50e","url":"https://snowscan.xyz/address/0x23D491aa7C0972087F8a607F6f4c7106a02BA95d#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.850Z","revision":0,"description":"Protocol V3 - Parallelizer Module - DiamondLoupe","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"a6Mplv6zKvWVfiC8qpSOC","url":"https://snowscan.xyz/address/0x36DA06796fD9d22BCD6287b66A87FfdadB12636C#code","type":"smart_contract","addedAt":"2025-10-02T09:21:06.825Z","revision":0,"description":"Protocol V3 - Parallelizer Module - RewardHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"beNCxfgSnpFZDFVy3trrz","url":"https://etherscan.io/address/0xC9B6279baa19dBB8bCc3250c89cAa093AaBA0bfc#code","type":"smart_contract","addedAt":"2025-10-02T09:21:17.465Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"cUEgVcVnXMe4jY8kNjUee","url":"https://seitrace.com/address/0x7b54f3D993d3bcA077946034Ea710F9c07420C72?chain=pacific-1&tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:07.906Z","revision":0,"description":"Protocol V3 - Bridging Module - 
BridgeableTokenP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"dTQhYcZrtlrh5ngL8DUiQ","url":"https://etherscan.io/address/0x78BB4882b77D74aD9B04Ab71fE8e61f72595823C#code","type":"smart_contract","addedAt":"2025-10-02T09:21:19.502Z","revision":0,"description":"Protocol V3 - Bridging Module - lz-USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"jHuNNaEXreq1JTfYYA1QA","url":"https://berascan.com/address/0x9e0DCF7a33bBde6689560C5c807dd2a3dF991277#code","type":"smart_contract","addedAt":"2025-10-02T09:21:23.719Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"jmT40zjLNtkBcD1VGy7rz","url":"https://uniscan.xyz/address/0xe23b5ded6f7b7cb56ebcd459b19dad4d7e05cf7b#code","type":"smart_contract","addedAt":"2025-10-02T09:21:01.723Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"kkDyaS3tdVmj4p2zCsLvN","url":"https://explorer.tac.build/address/0x3EBE332d2AA8cCB5dDc051c9925D9A41708e54D9?tab=contract","type":"smart_contract","addedAt":"2025-10-02T09:21:15.713Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallelToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"mZCU4R54T0UBZkOrnW3Ag","url":"https://scrollscan.com/address/0x9eE1963f05553eF838604Dd39403be21ceF26AA4#code","type":"smart_contract","addedAt":"2025-10-02T09:21:08.524Z","revision":0,"description":"Protocol V3 - Core Protocol - USDp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"qsbWPEIa3C5o4oMy9buT1","url":"https://uniscan.xyz/address/0xfD28f108e95f4D41daAE9dbfFf707D677985998E#code","type":"smart_contract","addedAt":"2025-10-02T09:21:01.728Z","revision":0,"description":"Protocol V3 - Core Protocol - 
ParallelAccessManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"sMKyMvqJOBxjMW1qJPc7T","url":"https://bscscan.com/address/0xc0e62F863bbD9dab9d2F79e4EcC248e60c4fE3FA#code","type":"smart_contract","addedAt":"2025-10-02T09:21:21.724Z","revision":0,"description":"Protocol V3 - Flashloan Module - FlashParallel","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polygon","Arbitrum","Avalanche","Base","Gnosis","LayerZero","Optimism","Scroll","Sei","BSC","xDAI / Gnosis Chain"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Pro","Managed Triage: Expert Assessment"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["JavaScript","NextJS","ReactJS","Solidity","Typescript","Go"],"launchDate":"2025-10-02T12:10:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2cR3OuUeSXBHqSGDcezrsX/90bffee28924be018f95fac32470840b/Parallel_Protocol.png","maxBounty":250000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Stablecoin","CDP","DAO"],"programOverview":"Parallel is a decentralized protocol that issues stablecoins, the EUR stablecoin (PAR) and the USD stablecoin (paUSD), on the Ethereum and Polygon PoS blockchains. The PAR & paUSD stablecoins are decentralized, non-custodial, collateral-backed fiat stablecoins.\n\nFor more information about Parallel, please visit https://parallel.best/.\n\nParallel provides rewards in paUSD on Ethereum, denominated in USD. 
For more details about the payment process, please view the **Rewards by Threat Level** section.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list \n- Official contributor, past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors who directly or indirectly participated in the audit review\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nParallel adheres to the **Primacy of Rules**, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nParallel’s completed audit reports can be found at https://docs.mimo.capital/parallel-protocol/resources/security-audits. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications"],"project":"Parallel","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 250,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 50,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical web/apps bugs, reports will be rewarded with USD $50,000, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of $10,000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of $10,000 to $50,000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. 
This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Parallel team directly and are denominated in **USD**. However, payments are done in **USDp** on **Ethereum**.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDp","slug":"parallel","tenPercentEconomicRule":false,"updatedDate":"2026-03-04T14:29:02.052Z","impactsBody":null,"websiteUrl":"https://parallel.best/","githubUrl":"https://github.com/parallel-protocol","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_1","description":"Parallel is a capital-efficient, modular stablecoins protocol that allows the creation of over-collateralized, decentralized stablecoins. 
The protocol consists of several different modules, which can be added or removed over time by the DAO, from which stablecoins can be issued or minted.","knownIssues":[{"id":1142,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Savings.sol : Bad governance settings can lead to loss/under-collateralization.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1143,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Savings.sol : Interest calculation is slightly underestimated.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1144,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Savings.sol : Function decimals will return the wrong value when the asset has less than 18 decimals.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1145,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Savings.sol : Burnt initial deposit accrues unrecoverable interest.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1146,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/LibOracle.sol : Oracles with hardcoded addresses will only work on 
Ethereum.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1147,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/LibOracle.sol : Missing min/max answer checks on Chainlink price feeds.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1148,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/LibOracle.sol : Circuit prices can have high errors.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1149,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/LibOracle.sol : Missing checks for sequencer uptime on rollups.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1150,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Swapper.sol : Quote functions don't revert when trying to burn more stablecoins than allowed.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1151,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Swapper.sol : Missing whitelisted check for quoting 
functions.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1152,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Swapper.sol : First minter can put the protocol in an extreme exposure towards one collateral.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1153,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Swapper.sol : DOS on mints when using USDM or stETH as managed collateral.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1154,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Setters : Zero or negative fees enable arbitrage via oracle deviations.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1155,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Setters : Admin can drain the system.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1156,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Setters : Setting a collateral manager with existing funds causes a temporary collateral ratio 
drop.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1157,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Setters : Zero fees enable exposure manipulation across collaterals.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1158,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/RewardHandler.sol : Function sellRewards will revert on Sonic due to hardcoded 1Inch router address.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1159,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/RewardHandler.sol : Guardian can self-sandwich sellRewards to steal most of the rewards.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1160,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/Redeemer.sol : Users might be forced into forfeiting a collateral","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1161,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/DiamondProxy.sol : The system doesn't support fee-on-transfer 
tokens.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1162,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/MultiBlockHarvester.sol : Hardcoded addresses can break functionality on other chains.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1163,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/MultiBlockHarvester.sol : DOS Risk during harvest when a stablecoin depegs.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1164,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/GenericHarvester.sol : Harvesting will be DOSed while there are flashloan fees on TokenP","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1165,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/GenericHarvester.sol : Rebalance interference between harvester contracts.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1166,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-parallelizer/BaseHarvester.sol : _computeRebalanceAmount doesn't completely rebalance the 
system.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1167,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-tokens/BridgeableTokenP.sol : If feesRate=0 bridge can be done repeatedly to DOS swaps from LZ -> principal token.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1168,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-tokens/BridgeableTokenP.sol : Fee rate changes can lead to unexpected number of received tokens.","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1169,"link":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","description":"parallel-tokens/BridgeableTokenP.sol : LZ messages can be received (causing tokens to be credited) even when the contract is paused. 
","lastUpdatedAt":"2025-03-31T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1194,"link":"https://github.com/parallel-protocol/parallel-prl/blob/main/docs/audits/Parallel%20Protocol%20-%20Zenith%20Audit%20Report.pdf","description":"Tokenomics/SideChainFeeCollector.sol : The SideChainFeeCollector does not work correctly when the fee token has decimals other than 18.","lastUpdatedAt":"2025-02-19T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1195,"link":"https://github.com/parallel-protocol/parallel-prl/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20PRL%20Token%20-%20Final%20Report%20-%20January%202025.pdf","description":"Tokenomics/sPRL2.sol : Admin can drain any token from the sPRL2 contract","lastUpdatedAt":"2025-02-01T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1196,"link":"https://github.com/parallel-protocol/parallel-prl/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20PRL%20Token%20-%20Final%20Report%20-%20January%202025.pdf","description":"Tokenomics/sPRL2.sol : Missing unlockingAssets update in withdrawPRLAndWeth","lastUpdatedAt":"2025-02-01T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1197,"link":"https://github.com/parallel-protocol/parallel-prl/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20PRL%20Token%20-%20Final%20Report%20-%20January%202025.pdf","description":"Tokenomics/TimelockPenaltyERC20.sol : Missing 0 address checks","lastUpdatedAt":"2025-02-01T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1198,"link":"https://github.com/parallel-protocol/parallel-prl/blob/main/docs/audits/Parallel%20Protocol%20-%20Zenith%20Audit%20Report.pdf","description":"Tokenomics/RewardMerkleDistributor.sol : 'updateMerkleDrop' safety check might end up not checking 
accurately.","lastUpdatedAt":"2025-02-19T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1199,"link":"https://github.com/parallel-protocol/parallel-prl/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20PRL%20Token%20-%20Final%20Report%20-%20January%202025.pdf","description":"Tokenomics/RewardMerkleDistributor.sol : No solvency check in 'updateMerkleDrop' function","lastUpdatedAt":"2025-02-01T03:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1200,"link":"https://github.com/parallel-protocol/parallel-prl/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20PRL%20Token%20-%20Final%20Report%20-%20January%202025.pdf","description":"PRL-token/PrincipalMigrationContract.sol : Owner can mint/drain PRL Tokens","lastUpdatedAt":"2025-02-01T03:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- 
Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, etc."},{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily 
disabling a user's access to the target site, such as:\n- Locking the victim out of login\n- Cookie bombing, etc."}],"rewards":[{"id":42292,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":42293,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":42294,"primacy":null,"severity":"medium","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":42295,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":42296,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":42297,"primacy":null,"severity":"high","assetType":"websites_and_applications","maxReward":2500,"rewardModel":"up_to"},{"id":42298,"primacy":null,"severity":"medium","assetType":"websites_and_applications","maxReward":1500,"rewardModel":"up_to"},{"id":42299,"primacy":null,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"oA5NNB2me0KIGg3pprdiE","url":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Certora_Report_Parallel_Parallelizer_BridgeToken_final.pdf","auditor":"Certora","date":"2025-04-30T00:00:00.000Z"},{"id":"5M39tbS3v3krN9pBEajYbx","url":"https://github.com/parallel-protocol/parallel-parallelizer/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20V3%20Core%20-%20Final%20Report.pdf","auditor":"Bail 
Security","date":"2025-03-31T00:00:00.000Z"},{"id":"7K5HLRGt186QdRmY56Nw2K","url":"https://github.com/parallel-protocol/parallel-prl/blob/main/docs/audits/Parallel%20Protocol%20-%20Zenith%20Audit%20Report.pdf","auditor":"Zenith","date":"2025-02-19T00:00:00.000Z"},{"id":"6ATCVJz1BYsbPHTJ5WwzzN","url":"https://github.com/parallel-protocol/parallel-prl/blob/main/docs/audits/Bailsec%20-%20Parallel%20Protocol%20-%20PRL%20Token%20-%20Final%20Report%20-%20January%202025.pdf","auditor":"Bail Security","date":"2025-01-31T00:00:00.000Z"}]},{"assets":[{"id":"2vjWhTd4BeqhXuIwLlIM16","url":"https://etherscan.io/address/0xceA81F222e01d6c60A3a64b10A3F5BC512b2a7C9#code","type":"smart_contract","addedAt":"2025-06-05T04:06:51.961Z","revision":0,"description":"payIntentAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"38inkLYxL3yLjYlrEGeqbM","url":"https://etherscan.io/address/0xFdd1837483f03f8db66c679bB0bFcb963B5B4D19","type":"smart_contract","addedAt":"2025-06-24T11:30:34.943Z","revision":0,"description":"daimoPayCctpBridgerAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"58i2mJW0iLa3vJImNoeiC","url":"https://etherscan.io/address/0x8E29a76DD752AD84fc92BAAB4Ac2002b3c960EE8","type":"smart_contract","addedAt":"2025-06-05T03:59:25.398Z","revision":0,"description":"DaimoPay entry 
point","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5S2uGWMykgWYXPSGPScXSf","url":"https://etherscan.io/address/0x90349056c9aFbAE6A649cC89Bd9E8e0C919E15eB","type":"smart_contract","addedAt":"2025-06-24T11:30:34.943Z","revision":0,"description":"daimoPayAxelarBridgerAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6NvziRjjDcfhnFQW0bxt7J","url":"https://etherscan.io/address/0x05795C2d6dd4e906cd896AbC466Ef276ac82d16b","type":"smart_contract","addedAt":"2025-06-24T11:30:34.916Z","revision":0,"description":"daimoPayRelayerAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7LAt6oIL0xZ9P3HcjD7MkN","url":"https://etherscan.io/address/0xFa296119a96f5bC8a58f2bB0e299FAD64096A4C8","type":"smart_contract","addedAt":"2025-06-24T11:30:34.922Z","revision":0,"description":"daimoPayBridgerAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7mWuu5R6nswdddqAfWFHZm","url":"https://etherscan.io/address/0x08604D2d5fE72FedAD151d5e637181f31dF69E8F","type":"smart_contract","addedAt":"2025-06-24T11:30:34.918Z","revision":0,"description":"daimoPayCctpV2BridgerAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"T9vPmf98FQAEO1Nlso5sE","url":"https://etherscan.io/address/0x6eBebBb1D5ACF8bE4B4DC1877075fec043e8010a#code","type":"smart_contract","addedAt":"2025-06-05T04:05:41.199Z","revision":0,"description":"daimoPayExecutorAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ks4fMgIqqBXwlnrgpc1rq","url":"https://etherscan.io/address/0x9751572B505F244D9feCfcB9712B00974f458872#code","type":"smart_contract","addedAt":"2025-06-05T04:06:19.508Z","revision":0,"description":"payIntentFactoryAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98769","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"*Important notes for hackers:*\n\n### Assume a smart relayer\n\nAs in all 
intent-based protocols, the relayer must validate intents before solving. \"If you fast-finish a malformed intent, you might not get paid back\" is not a bug but as-designed.\n\nOur intents are designed such that `bridgeTokenOutOptions` are meant to be interchangeable alternatives, such as (100 USDC, 100 USDT). Meanwhile, `finalTokenOut` should also be a roughly equal value, say (100 DAI). They are primarily built to be used with stablecoins.\n\nIf an attacker creates an intent address with `finalTokenOut` of $100, but (at least one of) `bridgeTokenOutOptions` is worth less than that, then no solver will fast-finish such an intent, because they are not guaranteed full repayment. This is by design.\n\nFor the DaimoPay.sol/PayIntent.sol system, another known limitation: relayers cannot claim expired intents. Relayers do not fast-finish intents that are close to expiry, to ensure that the underlying bridge can complete before the intent expires.\n\n### Assume valid usage\n\nThe intent protocol ensures, first and foremost, that a user who creates an Intent Address and sends funds to it will either A. see their intent completed, or B. receive a full refund. It cannot guarantee that misuse will not result in loss of funds.\n\nIn particular, *overpaying* an intent can result in loss. If Alice makes an intent address to send $100 to Bob on Base, but then she sends $150 to it on Arbitrum, a solver can complete the intent and keep the extra $50. This is analogous to setting a too-high slippage tolerance in Uniswap, or a too-high tip in other intent protocols. It is known behavior, not a bug.\n\n--\n\nThe newer DepositAddress/DepositAddressManager system has no concept of over- or underpayment. (Non-dust) funds are transmitted regardless of amount. 
Known limitation: if a user sends a very large amount exceeding liquidity of underlying bridge, it may not be possible to run daStart(); in this instance, the user will get a refund once the DepositAddress expires.\n\n\n### Focus on loss of funds\n\nThe scenarios we're particularly interested in are ones where:\n- **A user uses the system as intended, but loses funds.** These are Critical, see Rewards.\n- **A well-implemented relayer does everything right, but still loses funds.** These are High, see Rewards.\n- **A malicious relayer can temporarily freeze or otherwise grief users, or vice versa.**","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Arbitrum","Base","Polygon","Linea","Optimism"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2025-06-06T07:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/52155-FHJJDkU5LCaQ48hw9XxtL.png","maxBounty":20000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"N/A","productType":[],"programOverview":"Daimo Pay is an intent-based system for crypto payments.\n\nIn particular, it supports fast 1:1 transfers from any major stablecoin across chains.\n\nFor an overview, see https://paydocs.daimo.com/how-it-works\n\nTo try it out yourself, see https://pay.daimo.com/demo/tests\n\nThe purpose of this bug bounty is to build confidence in the Daimo Pay intent address contract system.\n\nWe will treat all **contract** issues that result in loss of user funds as critical.\n\nTemporarily frozen funds count as vulnerabilities only if they occur 1. due to an error in our contracts, or 2. 
last longer than 'expirationTimestamp' for a given Daimo Pay intent.\n\nThere are a variety of (known, expected) ways that funds can be frozen temporarily due to user error (for example, double-paying the same intent address twice). These are not vulnerabilities.","programType":["Smart Contract"],"project":"Daimo Pay","projectType":["Infrastructure"],"rewardsBody":"__Rewards by Threat Level__\n\n__Reward Calculation for Critical Level Reports__\n\n- For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to the listed maximum. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. There is also a listed minimum reward in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.\n- The amount of funds at risk will be calculated with the impact of the first attack.\n\n__Reward Calculation for High Level Reports__\n\n- High impacts concerning theft/permanent freezing of funds are rewarded within the listed range. The reward is calculated based on 100% of the funds at risk, capped at the maximum high reward.\n\nThe assets in scope for this bounty are specifically our Daimo smart contracts.\n\nNot in scope:\n* Web app/SDK/JS issues. We are listing the test page (https://daimo.com/demo/tests) only as an aid for researchers to test and understand our contracts more quickly, not because we are looking for bugs in the test page itself.\n\nSpecial case:\n* 'DaimoPayRelayer'. This is an untrusted contract. 
Any issues that result in loss of *user* funds will be treated as critical, while issues resulting in loss of our own *company* funds in DaimoPayRelayer will be treated as high severity but not critical.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"daimo-pay","tenPercentEconomicRule":false,"updatedDate":"2026-03-04T08:23:45.806Z","impactsBody":null,"websiteUrl":"https://pay.daimo.com","githubUrl":"https://github.com/daimo-eth/pay","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Daimo Pay is an intent-based system for crypto payments. In particular, it supports fast 1:1 transfers from any major stablecoin across chains.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose 
value"}],"rewards":[{"id":42175,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":20000,"minReward":7500,"rewardModel":"range","rewardCalculationPercentage":10},{"id":42176,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":7500,"minReward":2500,"rewardModel":"range"},{"id":42177,"primacy":null,"severity":"low","assetType":"smart_contract","maxReward":2000,"minReward":1000,"rewardModel":"range"}],"audits":[{"id":"3nPjhcJV3W55r64jfGRhmH","url":"https://github.com/user-attachments/files/20544714/NM-0500-Daimo-Pay-final-report.pdf","auditor":"Nethermind","date":"2025-04-25T00:00:00.000Z"}]},{"assets":[{"id":"S40ThbrJsVIJV8tmiScJ0","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-vault-usdh?chain=mainnet","type":"smart_contract","addedAt":"2026-01-28T07:27:11.843Z","revision":0,"description":"v0-vault-usdh","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2DHq1O88YcX1v6dR76K03H","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-vault-usdc?chain=mainnet","type":"smart_contract","addedAt":"2026-01-28T07:27:11.867Z","revision":0,"description":"v0-vault-usdc","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OTAYLdyR7NibpocwI9fSQ","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-vault-stx?chain=mainnet","type":"smart_contract","addedAt":"2026-01-28T07:27:11.859Z","revision":0,"description":"v0-vault-stx","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"VYuza96bdpbKMmiidklwF","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-vault-ststxbtc?chain=mainnet","type":"smart_contract","addedAt":"2026-01-28T07:27:11.846Z","revision":0,"description":"v0-vault-ststxbtc","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5lS9mNd76tHQqSTuT6eJVA","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-vault-ststx?chain=mainnet","type":"smart_contract","addedAt":"2
026-01-28T07:27:12.087Z","revision":0,"description":"v0-vault-ststx","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"78VAssXD5gkFmkd6Q8rS86","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-vault-sbtc?chain=mainnet","type":"smart_contract","addedAt":"2026-01-28T07:27:12.121Z","revision":0,"description":"v0-vault-sbtc","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"01KDbt3PdaGxn16DrqwrSr","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-market-vault?chain=mainnet","type":"smart_contract","addedAt":"2026-01-28T07:27:12.108Z","revision":0,"description":"v0-market-vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4OzlQ20uYWEfCqlMAl8obN","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-egroup?chain=mainnet","type":"smart_contract","addedAt":"2026-01-28T07:27:12.136Z","revision":0,"description":"v0-egroup","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1e5Ib7JfrGUDq5sVY1pL7s","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-assets?chain=mainnet","type":"smart_contract","addedAt":"2026-01-28T07:27:12.420Z","revision":0,"description":"v0-assets","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2g3kOeZCAqgVPiVSs3OU4n","url":"https://explorer.hiro.so/txid/0xaa6dc8f25dee3cda1bf2fca6c7b65a8c230f9e2dae2f0c6d4f377b19e1189645?chain=mainnet","type":"smart_contract","addedAt":"2026-01-16T09:43:49.524Z","revision":0,"description":"vault-traits","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2zfLvZDzkFGyJQudy3A1ba","url":"https://explorer.hiro.so/txid/0xcb9f16912e5045c61ad2cdada636a244b9c021deb21d9c742547db5a71af14ca?chain=mainnet","type":"smart_contract","addedAt":"2026-01-16T09:43:49.794Z","revision":0,"description":"dao-multisig","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4FQO3OZr1rUjNKun63kei","url":"https://explorer.hiro.so/txid/0x8b54f4d0d5b4fcbf8f881f6a33744b4c51a73851143b51aba26f6509ffd2
1fed?chain=mainnet","type":"smart_contract","addedAt":"2026-01-16T09:43:51.402Z","revision":0,"description":"dao-treasury","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6HBXktgCzcTk1XdYS9DAgE","url":"https://explorer.hiro.so/txid/0x12f3fa6b08d34737610d43a3a1d6b5662a89076f04224c0691ad151f4d8b2e31?chain=mainnet","type":"smart_contract","addedAt":"2026-01-16T09:43:49.463Z","revision":0,"description":"market-trait","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7ivmUppBG92zJcPLKRiajt","url":"https://explorer.hiro.so/txid/SP3YCQZYWQR0CA6TT35301B28DV9D926VBZBBJWR7.dao-traits?chain=mainnet","type":"smart_contract","addedAt":"2026-01-16T09:43:49.518Z","revision":0,"description":"dao-traits","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"9QR45gNdAJI67M6Q70Zvo","url":"https://explorer.hiro.so/txid/0x110c04dab690e12be239ebd41df6b8a4e71a55782c2c592cbb3350c31e1bdb19?chain=mainnet","type":"smart_contract","addedAt":"2026-01-16T09:43:49.513Z","revision":0,"description":"dao-executor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98692","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-3-market?chain=mainnet","type":"smart_contract","addedAt":"2026-02-04T10:00:13.929Z","revision":0,"description":"v0-3-market","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98725","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"99117","url":"https://explorer.hiro.so/txid/SP1A27KFY4XERQCCRCARCYD1CC5N7M6688BSYADJ7.v0-4-market?chain=mainnet","type":"smart_contract","addedAt":"2026-02-26T15:58:19.872Z","revision":0,"description":"v0-4-market","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Stacks"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Clarity"],"launchDate":"2026-01-15T22:10:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/55173-A_F5B1RkUtAzUMkPhW2Tl-3MM75wsf7i85VmIazkqH94mu0J1kxO.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Lending"],"programOverview":"Zest Protocol is a Bitcoin lending protocol. Zest Protocol operates on-chain and is open-source. The protocol strives to create a vibrant borrowing and lending ecosystem around BTC the asset.    \n\nZest v2 introduces efficiency groups for granular risk pricing per asset combination, a hub-spoke architecture with market.clar as the central orchestrator, and collateral flexibility letting users choose between isolated (non-rehypothecated) or yield-bearing (rehypothecated) collateral based on their risk preferences.\n\nFor more information about Zest Protocol, please visit [zestprotocol.com](https://www.zestprotocol.com/).\n\nZest Protocol provides rewards in USDC/T on Ethereum, denominated in USD. 
For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Primacy of Impact vs Primacy of Rules__\n\nZest Protocol V2 adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - High\n- Smart Contract - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\n__Responsible Publication__\n\nZest Protocol V2 adheres to Category 3: Approval Required. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our Responsible Publication page.","programType":["Smart Contract"],"project":"Zest Protocol V2","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. 
](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward\n\nThe amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every [720 blocks] the attack needs for subsequent attacks from the first attack, rounded down\n\n\n__Reward Calculation for High Level Reports__\n\nHigh impacts concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 1 000 to USD 20 000 with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward. \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"zest-protocol-v2","tenPercentEconomicRule":false,"updatedDate":"2026-02-26T15:58:20.134Z","impactsBody":null,"websiteUrl":null,"githubUrl":"https://github.com/Zest-Protocol/zest-v2-contracts","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Zest Protocol is a Bitcoin lending protocol. Zest Protocol operates on-chain and is open-source. The protocol strives to create a vibrant borrowing and lending ecosystem around BTC the asset.    
\nZest v2 introduces efficiency groups for granular risk pricing per asset combination, a hub-spoke architecture with market.clar as the central orchestrator, and collateral flexibility letting users choose between isolated (non-rehypothecated) or yield-bearing (rehypothecated) collateral based on their risk preferences.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. 
In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"• Any logic related to flashloans.   \n• Liquidation of disabled collateral or other protocol safety design decisions  \n• Any \"bug\" raised that requires an attack vector of DAO compromise, or \"accidental\" update called to registry by the DAO is out of scope.  \n• Full control of the asset and egroup registry by the DAO is intended design.  \n• Invariants that require full knowledge of market and all position state are checked by the DAO off-chain before any egroup updates are approved.  \n\n","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of 
funds"}],"rewards":[{"id":39957,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39958,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":1000,"rewardModel":"range"}],"audits":[{"id":"3BOtvMGrFwWso90POoiQ5J","url":"https://clarity-alliance.github.io/audits/Clarity%20Alliance%20-%20Zest%20Protocol%20v2.pdf","auditor":"Clarity Alliance","date":"2025-10-22T00:00:00.000Z"},{"id":"3KBFGTlZwGm3aGGBjAvjU8","url":"https://clarity-alliance.github.io/audits/Clarity%20Alliance%20-%20Zest%20Protocol%20v2%20Upgrade.pdf","auditor":"Clarity Alliance","date":"2025-12-02T00:00:00.000Z"},{"id":"6mvDoeoSLW3IWHsxpOTzNW","url":"https://drive.google.com/file/d/1ttWULriHM4yZZ_Y3kMJiSnrFaYee-IMi/view?usp=drive_link","auditor":"Greybeard Security","date":"2025-12-03T00:00:00.000Z"},{"id":"ge8JwDI0HRlo9RynOuVcS","url":"https://clarity-alliance.github.io/audits/Clarity%20Alliance%20-%20Zest%20Protocol%20v2%20Upgrade%20V2.pdf","auditor":"Clarity 
Alliance","date":"2025-12-19T00:00:00.000Z"}]},{"assets":[{"id":"2kCFFozzMVPDeP2r7Je2mj","url":"https://github.com/sky-ecosystem/dss/blob/master/src/dai.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:12.479Z","revision":0,"description":"MCD_DAI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3HLitoZoT2E4bd2d0E0hhF","url":"https://github.com/sky-ecosystem/dss/blob/master/src/spot.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:13.500Z","revision":0,"description":"MCD_SPOT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5J4ijBifjUyiuRRmKNFuVn","url":"https://github.com/sky-ecosystem/dss/blob/master/src/pot.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:14.516Z","revision":0,"description":"MCD_POT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"53v85jYCi8GaYiIwt1uDX1","url":"https://github.com/sky-ecosystem/dss/blob/master/src/flap.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:16.543Z","revision":0,"description":"MCD_FLAP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1xjxGZ2NBtsJPIB2fhT8ox","url":"https://github.com/sky-ecosystem/dss/blob/master/src/flop.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:17.504Z","revision":0,"description":"MCD_FLOP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3yYYS6cTkRLG7hfJm7LkdV","url":"https://github.com/sky-ecosystem/dss/blob/master/src/vow.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:18.520Z","revision":0,"description":"MCD_VOW","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1wAjMecZZukUKNbYfris3L","url":"https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:19.546Z","revision":0,"description":"MCD_ETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ApBAFBY5xyPWP8oZ4vk56","url":"https://github.com/sky-ecosystem/dss/blob/master/src/vat.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:20.537Z","revision":0,"description":"MCD_VAT","isSafeHarbor":f
alse,"isPrimacyOfImpact":false},{"id":"e2CXPLOgneQjjWfyo6dXu","url":"https://github.com/sky-ecosystem/dss/blob/master/src/jug.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:21.562Z","revision":0,"description":"MCD_JUG","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7ew3hNzx4F5ACqxPT3xN9k","url":"https://github.com/sky-ecosystem/median/blob/master/src/median.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:22.513Z","revision":0,"description":"Medians","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"oB7zwBB2WqyW50VGOwb0m","url":"https://github.com/sky-ecosystem/osm/blob/master/src/osm.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:23.562Z","revision":0,"description":"OSM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3zyGIwvAxJiuEndPG9Brw9","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/conduits/RwaInputConduit2.sol","type":"smart_contract","addedAt":"2023-11-06T17:50:40.829Z","revision":0,"description":"RwaInputConduit2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"38cHyIw7A0JRjEvdbJrKQQ","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/conduits/RwaInputConduit.sol","type":"smart_contract","addedAt":"2023-11-06T17:51:47.187Z","revision":0,"description":"RwaInputConduit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7JoubHXvJ0dwTw9yE6g6Nc","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/conduits/RwaMultiSwapOutputConduit.sol","type":"smart_contract","addedAt":"2023-11-06T17:52:06.956Z","revision":0,"description":"RwaMultiSwapOutputConduit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3hUGurS4ClSxw9YB9iJC9Y","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/conduits/RwaOutputConduit2.sol","type":"smart_contract","addedAt":"2023-11-06T17:52:35.843Z","revision":0,"description":"RwaOutputConduit2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3hvEARB8XuRpK07HvzPXrB","url":"https://github.com/sky-ecosystem/r
wa-toolkit/blob/master/src/conduits/RwaOutputConduit.sol","type":"smart_contract","addedAt":"2023-11-06T17:53:04.340Z","revision":0,"description":"RwaOutputConduit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3PLsHzeoKkoVBavxHL9HDW","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/conduits/RwaSwapInputConduit2.sol","type":"smart_contract","addedAt":"2023-11-06T17:53:25.735Z","revision":0,"description":"RwaSwapInputConduit2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"JpvVcCibrkh0GL73s3wyi","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/conduits/RwaSwapInputConduit.sol","type":"smart_contract","addedAt":"2023-11-06T17:53:50.474Z","revision":0,"description":"RwaSwapInputConduit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2WzT0Pyq8wuIPlDzj66DhN","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/conduits/RwaSwapOutputConduit.sol","type":"smart_contract","addedAt":"2023-11-06T17:54:11.401Z","revision":0,"description":"RwaSwapOutputConduit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Sx2bEZKy3gkk6lYhwBBTY","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/jars/RwaJar.sol","type":"smart_contract","addedAt":"2023-11-06T17:54:30.950Z","revision":0,"description":"RwaJar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"uOksNg1r48RQtjCORn0nX","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/tokens/RwaToken.sol","type":"smart_contract","addedAt":"2023-11-06T17:55:11.744Z","revision":0,"description":"RwaToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4aSKX48dEZhUMq07DQZpzK","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/tokens/RwaTokenFactory.sol","type":"smart_contract","addedAt":"2023-11-06T17:54:47.671Z","revision":0,"description":"RwaTokenFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2p4LYyFKMXbkWAnM7MK07Q","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/urns
/RwaUrn2.sol","type":"smart_contract","addedAt":"2023-11-06T17:55:33.986Z","revision":0,"description":"RwaUrn2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5TU8nFNbD3zB3hVbH9h9EY","url":"https://github.com/sky-ecosystem/rwa-toolkit/blob/master/src/urns/RwaUrn.sol","type":"smart_contract","addedAt":"2023-11-06T17:55:54.389Z","revision":0,"description":"RwaUrn","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"8CHcGrEq6Taezsc0mFP4O","url":"https://github.com/sky-ecosystem/dss-cdp-manager/blob/master/src/DssCdpManager.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:25.721Z","revision":0,"description":"DssCdpManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1E5ilKCGBtCwicyVMkJe6s","url":"https://github.com/sky-ecosystem/dss-cdp-manager/blob/master/src/GetCdps.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:26.845Z","revision":0,"description":"GetCdps","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5oL4iWJU4mNFfUmXBwOWGc","url":"https://github.com/sky-ecosystem/dss-proxy-actions/blob/master/src/DssProxyActions.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:27.880Z","revision":0,"description":"DssProxyActions","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3C28zGMqHrjK7bQkdcf4dz","url":"https://github.com/sky-ecosystem/dss-auto-line/blob/master/src/DssAutoLine.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:29.505Z","revision":0,"description":"DssAutoLine","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3orm6ZkmFs0LGLiihPM2vm","url":"https://github.com/sky-ecosystem/clipper-mom/blob/master/src/ClipperMom.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:30.783Z","revision":0,"description":"Clipper 
Mom","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6JkpSHtlK7sOoxa2qJ40Cg","url":"https://github.com/sky-ecosystem/dsr-manager/blob/master/src/DsrManager.sol","type":"smart_contract","addedAt":"2023-11-07T05:38:11.718Z","revision":0,"description":"DsrManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"KK8eOxOp2mBXXhIiUGjHK","url":"https://github.com/sky-ecosystem/dss-exec-lib/blob/master/src/CollateralOpts.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:33.355Z","revision":0,"description":"CollateralOpts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"128qKTDF86cYImgFENjIlC","url":"https://github.com/sky-ecosystem/dss-exec-lib/blob/master/src/DssAction.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:34.418Z","revision":0,"description":"DssAction","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"27BkshirpHE6OMEzFw2XWf","url":"https://github.com/sky-ecosystem/dss-exec-lib/blob/master/src/DssExec.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:35.435Z","revision":0,"description":"DssExec","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5jwiK6QTM1OjthoqyjOpFj","url":"https://github.com/sky-ecosystem/dss-exec-lib/blob/master/src/DssExecLib.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:36.443Z","revision":0,"description":"DssExecLib","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6XDUbImYWlIoZcpQq43BvU","url":"https://github.com/sky-ecosystem/dss-flappers/blob/master/src/FlapperMom.sol","type":"smart_contract","addedAt":"2023-11-07T05:40:18.942Z","revision":0,"description":"FlapperMom","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"CJtpUsjtUK2EEkbpJn6T5","url":"https://github.com/sky-ecosystem/dss-flappers/blob/master/src/FlapperUniV2.sol","type":"smart_contract","addedAt":"2023-11-07T05:40:37.234Z","revision":0,"description":"FlapperUniV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"42itPzztaYS6Q2jV8gtN2x","url":"https://github.com/sky-ecosystem/dss-flash/blob/maste
r/src/flash.sol","type":"smart_contract","addedAt":"2023-11-07T05:41:00.641Z","revision":0,"description":"flash","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6zJIeIwSvHbC1FD8vhZfXF","url":"https://github.com/sky-ecosystem/ilk-registry/blob/master/src/IlkRegistry.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:43.318Z","revision":0,"description":"Ilk Registry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2m1Z4tuDhIEY2byrsUukgy","url":"https://github.com/sky-ecosystem/line-mom/blob/master/src/LineMom.sol","type":"smart_contract","addedAt":"2023-11-07T05:45:57.540Z","revision":0,"description":"LineMom","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"PJQn3Ugynj9B3x2hMZnth","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/ERC/GemAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:44.288Z","revision":0,"description":"Gem Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ZNQgSUYDMmmmPSGBT4dcb","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSAuthorityAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:45.307Z","revision":0,"description":"DS Authority Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1m9aBFMVBpfQoKpIoyHv3X","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSChiefAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:46.301Z","revision":0,"description":"DS Chief Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4F46besNhxzrCjSQqkwSBa","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSPauseAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:47.311Z","revision":0,"description":"DS Pause 
Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4BHDGZf8ap2rm2lYihCkQc","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSPauseProxyAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:48.322Z","revision":0,"description":"DS Pause Proxy Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4T2cISxlooCRWnWRdFdy6C","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSRolesAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:49.288Z","revision":0,"description":"DS Roles Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1lmbbTeOQU3Of9HnEbrOva","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSRuneAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:50.296Z","revision":0,"description":"DS Rune Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1LHGljRMOAVmYvnnAc12TI","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSSpellAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:51.332Z","revision":0,"description":"DS Spell Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4BlMCLpu3fbHqwt4evoYtV","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSThingAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:52.395Z","revision":0,"description":"DS Thing Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4d245mb4IUGZtWFtgZzL7H","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSTokenAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:53.409Z","revision":0,"description":"DS Token Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"74EHDNtUPIJ9QQWmM2oFv4","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dapp/DSValueAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:54.401Z","revision":0,"description":"DS Value 
Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"PntAcMRTjakS43HyL6pqG","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/AuthGemJoinAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:55.459Z","revision":0,"description":"Auth Gem Join Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ZxnyeeRnD9bjm8bJhRWsE","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/CatAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:56.580Z","revision":0,"description":"Cat Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6OrJ5F0HWbhh5cK35HctxO","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/ChainlogAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:57.566Z","revision":0,"description":"Chainlog Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7Go8KEom3tAzhMOkIOELl0","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/ClipAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:58.969Z","revision":0,"description":"Clip Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Tr38v1jqjya5nflEs2h23","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/ClipperMomAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:20:59.996Z","revision":0,"description":"Clipper Mom Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3FNrgyT7KotlGMVwREyEPq","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/DaiAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:01.260Z","revision":0,"description":"Dai 
Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7I3HiRbYcpjm5G0bXUDtMq","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/DaiJoinAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:02.389Z","revision":0,"description":"DaiJoinAbstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7qVWoxqTTadNOrCK0ipWKX","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/DogAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:03.513Z","revision":0,"description":"Dog Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7tKYz4bdwdk5MaRokL9AnY","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/DssAutoLineAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:04.533Z","revision":0,"description":"Dss Auto Line Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6POYH7fYk4rJNbP7YKHlIF","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/DssCdpManager.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:05.546Z","revision":0,"description":"Dss Cdp Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1cUmaKYPOawHgRsmKDwwsP","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/ETHJoinAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:07.688Z","revision":0,"description":"ETH Join Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"18RCBZ3oE0NlLKxJfOwa0t","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/ExponentialDecreaseAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:09.759Z","revision":0,"description":"Exponential Decrease Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2jtXBNmhCW1VihjTqutwuK","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/FaucetAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:10.748Z","revision":0,"description":"Faucet 
Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"tHQeVVkmZpF5WGO2d5TtV","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/FlapAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:11.850Z","revision":0,"description":"Flap Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6HSesu9u1PSFG024xNo8Ir","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/FlashAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:12.946Z","revision":0,"description":"Flash Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1quehZDIzcX2c26HHY2pLd","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/FlipAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:13.902Z","revision":0,"description":"Flip Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1k1bxqRGo5S5jSxe3ugkJW","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/FlipperMomAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:14.898Z","revision":0,"description":"Flipper Mom Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4T88CXw4gNRxd8jWhwcJCA","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/FlopAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:15.987Z","revision":0,"description":"Flop Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2YTaSEyNuTug5XAyayYxwe","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/GemJoinAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:16.961Z","revision":0,"description":"Gem Join Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Ir4Sd54UJcRbTgjlIF3C4","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/GemJoinImplementationAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:17.937Z","revision":0,"description":"Gem Join Implementation 
Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3skdqB0fKS2j4CbIOG4m5Y","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/GemJoinManagedAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:18.920Z","revision":0,"description":"Gem Join Managed Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6rO0cSAILcQV5gD7CUMlfr","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/GetCdpsAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:19.915Z","revision":0,"description":"Get Cdps Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"305jp8sX6VnxeNDdm76Ot1","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/IlkRegistryAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:21.029Z","revision":0,"description":"Ilk Registry Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5n5S3u4JYDZxJC4NWDqhTa","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/JugAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:22.096Z","revision":0,"description":"Jug Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ecnCFM4WiXQ62bMyFVzWp","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/LPOsmAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:23.060Z","revision":0,"description":"LPOsm Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7wsbDg2Nvq8dzZWE3Ol3YT","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/LerpAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:28.120Z","revision":0,"description":"Lerp Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ilzFnu8qVVJnvzrmuUin3","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/LerpFactoryAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:29.170Z","revision":0,"description":"Lerp Factory 
Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"BsI7XuyZLd1C5Mi05RCUs","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/LinearDecreaseAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:30.206Z","revision":0,"description":"Linear Decrease Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5buG3mo5L8YCTqSHfELIKg","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/MKRAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:31.247Z","revision":0,"description":"MKR Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5PAp90Xwwb9EsV4P5SWjW2","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/MedianAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:32.211Z","revision":0,"description":"Median Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1AGNp44t2rCv1KyMkDwvrw","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/MkrAuthorityAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:33.673Z","revision":0,"description":"MKR Authority Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7jWZs8L0ia37WFpEqIpm59","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/OsmAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:34.714Z","revision":0,"description":"Osm Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6DnEmW3QmXovPO5ykcb5u9","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/OsmMomAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:35.844Z","revision":0,"description":"Osm Mom Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"R9z8kHPmX4sNo0TH81TLC","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/PipAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:36.854Z","revision":0,"description":"Pip 
Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6k0aS4XDdsfik2vdwFefy","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/PotAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:37.871Z","revision":0,"description":"Pot Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6NRyMZNNMUd6uKH9fxJPbj","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/PotHelper.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:38.911Z","revision":0,"description":"Pot Helper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7xq4jq6mN7qlWGn6KOVZRq","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/PsmAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:39.906Z","revision":0,"description":"Psm Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3E6FQsFFBQlaaeZmwgOZpf","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/SpotAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:41.038Z","revision":0,"description":"Spot Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"veJuOwCuQOBoDHFbGi41u","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/StairstepExponentialDecreaseAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:42.015Z","revision":0,"description":"Stairstep Exponential Decrease Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6l2ZhbPPZbSSbFurdJyhUM","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/VatAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:43.302Z","revision":0,"description":"Vat Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5qvLp90KyyFgO4HDP6RBwK","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/VestAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:44.393Z","revision":0,"description":"Vest 
Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2VftUlTWCGMzp1Wrz7AyAk","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/dss/VowAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:45.381Z","revision":0,"description":"Vow Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7AranBBEkEwuW9xlSAoJNo","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/sai/GemPitAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:46.339Z","revision":0,"description":"Gem Pit Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"36CO9wcBdZlGJkf34fsevt","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/sai/SaiMomAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:47.835Z","revision":0,"description":"Sai Mom Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1IpTr7KIQvr6Si3CFyyVT6","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/sai/SaiTapAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:48.866Z","revision":0,"description":"Sai Tap Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2XCXJsRGdrEwRIzJZSnwzY","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/sai/SaiTokenAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:49.919Z","revision":0,"description":"Sai Token Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1hDCAFfNeKZWgytZ9dgg1G","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/sai/SaiTopAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:50.933Z","revision":0,"description":"Sai Top Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1WXtGbv8hZ8Wu75BdZt8Hr","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/sai/SaiTubAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:51.969Z","revision":0,"description":"Sai Tub 
Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5dwVJtFNqpn7z46EPsIQ04","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/sai/SaiVoxAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:52.965Z","revision":0,"description":"Sai Vox Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5rCEOIifQN1qS2d4vqwQAh","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/utils/WardsAbstract.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:53.967Z","revision":0,"description":"Wards Abstract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"isieC5rute3t4mkSDmb19","url":"https://github.com/sky-ecosystem/dss-interfaces/blob/master/src/Interfaces.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:54.972Z","revision":0,"description":"Interfaces (Abstracts)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6J14UqNUaqtIYhaZb7zvPT","url":"https://github.com/sky-ecosystem/dss-vest/blob/master/src/DssVest.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:55.990Z","revision":0,"description":"Dss Vest","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ErHIpVPumH4qzGqoaNmFG","url":"https://github.com/sky-ecosystem/dss-gem-joins/blob/v1.2/src/join-auth.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:56.965Z","revision":0,"description":"Join Auth","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"35cIoSTFVNBCGmPF443ORR","url":"https://github.com/sky-ecosystem/dss-gem-joins/blob/v1.2/src/join-2.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:58.024Z","revision":0,"description":"Join 2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4F1RxHYRKCfEpHHwcr224i","url":"https://github.com/sky-ecosystem/dss-gem-joins/blob/v1.2/src/join-3.sol","type":"smart_contract","addedAt":"2022-05-10T16:21:59.052Z","revision":0,"description":"Join 
3","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3YPomU3962w4EIheseWVNN","url":"https://github.com/sky-ecosystem/dss-gem-joins/blob/v1.2/src/join-4.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:00.044Z","revision":0,"description":"Join 4","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1M6DOrazwwqmdS3pYTew6T","url":"https://github.com/sky-ecosystem/dss-gem-joins/blob/v1.2/src/join-5.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:01.119Z","revision":0,"description":"Join 5","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1yQfJ3jChc0N3opQ0HfAyC","url":"https://github.com/sky-ecosystem/dss-gem-joins/blob/v1.2/src/join-6.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:06.838Z","revision":0,"description":"Join 6","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3uUxn28s6bDrgC0adyHqHp","url":"https://github.com/sky-ecosystem/dss-gem-joins/blob/v1.2/src/join-7.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:12.834Z","revision":0,"description":"Join 7","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2uyKP2tFG9jLBVDEAzNBDg","url":"https://github.com/sky-ecosystem/dss-gem-joins/blob/v1.2/src/join-8.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:13.923Z","revision":0,"description":"Join 
8","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3AId2A6v3edNTfjs6KdVZz","url":"https://github.com/sky-ecosystem/dss/blob/v1.2/src/join.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:14.994Z","revision":0,"description":"Join","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5QTxKZW6KytpiJ5tDsdB07","url":"https://github.com/sky-ecosystem/dss/blob/c8d4c806691dacb903ff281b81f316bea974e4c7/src/abaci.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:16.322Z","revision":0,"description":"Abaci","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7uiTWgJpK2dFLGAiSaJOG5","url":"https://github.com/sky-ecosystem/dss-psm/blob/master/src/join-5-auth.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:17.552Z","revision":0,"description":"Join 5 Auth","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5IaBINjOFX0RAtUMSJkKDw","url":"https://github.com/sky-ecosystem/dss-psm/blob/master/src/join-8-auth.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:18.606Z","revision":0,"description":"Join 8 Auth","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3txn0Nuh6670tjM52pzoNq","url":"https://github.com/sky-ecosystem/dss-psm/blob/master/src/join-auth.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:19.636Z","revision":0,"description":"Join Auth (Dss PSM)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3DvlwZqNLBTsiEcvVSTMFf","url":"https://github.com/sky-ecosystem/dss-psm/blob/master/src/psm.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:20.813Z","revision":0,"description":"PSM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"uWIFflU3kl91gx77D0tlz","url":"https://github.com/sky-ecosystem/dss/blob/master/src/dog.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:24.005Z","revision":0,"description":"Dss 
Dog","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ronZDMZCiJYYysEaiOkax","url":"https://github.com/sky-ecosystem/dss/blob/master/src/clip.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:26.074Z","revision":0,"description":"Dss Clip","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"47YNMt9z3o4FPGj9Km1zN9","url":"https://github.com/sky-ecosystem/optimism-dai-bridge/blob/master/contracts/l1/L1DAITokenBridge.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:27.139Z","revision":0,"description":"L1 DAI Token Bridge (Optimism DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1rjLCrZW6EVqMYiiYLNw5v","url":"https://github.com/sky-ecosystem/optimism-dai-bridge/blob/master/contracts/l1/L1Escrow.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:28.203Z","revision":0,"description":"L1 Escrow (Optimism DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1RCONIb0mqV8xKWhPFdNnP","url":"https://github.com/sky-ecosystem/optimism-dai-bridge/blob/master/contracts/l1/L1GovernanceRelay.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:29.252Z","revision":0,"description":"L1 Governance Relay (Optimism DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3xsDK7Rfe3ymIOn6Yp5nxc","url":"https://github.com/sky-ecosystem/optimism-dai-bridge/blob/master/contracts/l2/L2DAITokenBridge.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:30.488Z","revision":0,"description":"L2 DAI Token Bridge (Optimism DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3J95qoCBauhtu3uduu7lEA","url":"https://github.com/sky-ecosystem/optimism-dai-bridge/blob/master/contracts/l2/L2GovernanceRelay.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:31.544Z","revision":0,"description":"L2 Governance Relay (Optimism DAI 
Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6lS1J6L9kGYiKtHpvITfEb","url":"https://github.com/sky-ecosystem/optimism-dai-bridge/blob/master/contracts/l2/dai.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:32.574Z","revision":0,"description":"DAI (Optimism DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2pOY78EJhYz2Oin163soVj","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l1/L1CrossDomainEnabled.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:33.594Z","revision":0,"description":"L1 Cross Domain Enabled (Arbitrum DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2obQSIhKWYH2Ar8uVIz0ik","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l1/L1DaiGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:34.593Z","revision":0,"description":"L1 DAI Gateway (Arbitrum DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"48thP6ObsDChA9De51nX32","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l1/L1Escrow.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:35.680Z","revision":0,"description":"L1 Escrow (Arbitrum DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ZQg1wICyl4kC4s7zvC6wa","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l1/L1GovernanceRelay.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:36.682Z","revision":0,"description":"L1 Governance Relay (Arbitrum DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"58Kk2UoheVWaEksaPrW6Ez","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l1/L1ITokenGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:37.648Z","revision":0,"description":"L1 Token Gateway (Arbitrum DAI 
Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4U61YRDvACWAhKokhqtbf0","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l2/L2CrossDomainEnabled.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:38.687Z","revision":0,"description":"L2 Cross Domain Enabled (Arbitrum DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3RXq0dYQlFyj98T9kNe5vP","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l2/L2DaiGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:39.672Z","revision":0,"description":"L2 DAI Gateway (Arbitrum DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ACCBfbRuY3BpwrRVuopC9","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l2/L2GovernanceRelay.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:41.024Z","revision":0,"description":"L2 Governance Relay (Arbitrum DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"31yzL0yhdUiC5PISzidXWp","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l2/L2ITokenGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:42.187Z","revision":0,"description":"L2 Token Gateway (Arbitrum DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"61LO9dEYlLZepRLRQo1muf","url":"https://github.com/sky-ecosystem/arbitrum-dai-bridge/blob/master/contracts/l2/dai.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:43.229Z","revision":0,"description":"DAI (Arbitrum DAI Bridge)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3AETksx4FpzDuuHAGAg2tF","url":"https://github.com/sky-ecosystem/starknet-dai-bridge/blob/main/contracts/l1/L1DAIBridge.sol","type":"smart_contract","addedAt":"2022-11-02T22:25:43.364Z","revision":0,"description":"L1DAIBridge 
(StarkNet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5OZPkEdJHuN0Sm0J2aIx50","url":"https://github.com/sky-ecosystem/starknet-dai-bridge/blob/main/contracts/l1/L1Escrow.sol","type":"smart_contract","addedAt":"2022-11-02T22:26:05.887Z","revision":0,"description":"L1Escrow (StarkNet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Am2PeUQZQvYYqr3uBOFT","url":"https://github.com/sky-ecosystem/starknet-dai-bridge/blob/main/contracts/l1/L1EscrowMom.sol","type":"smart_contract","addedAt":"2022-11-02T22:26:28.272Z","revision":0,"description":"L1EscrowMom (StarkNet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6SS8Dq8OrN3Lsqwu17Eoz9","url":"https://github.com/sky-ecosystem/starknet-dai-bridge/blob/main/contracts/l1/L1GovernanceRelay.sol","type":"smart_contract","addedAt":"2022-11-02T22:27:01.494Z","revision":0,"description":"L1GovernanceRelay (StarkNet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"55QVLUqtREj4OnVYmcIiAw","url":"https://github.com/sky-ecosystem/starknet-dai-bridge/blob/main/contracts/l2/dai.cairo","type":"smart_contract","addedAt":"2022-11-02T22:27:30.698Z","revision":0,"description":"dai (StarkNet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6AKd69REJdg8tW6UBZ0LTA","url":"https://github.com/sky-ecosystem/starknet-dai-bridge/blob/main/contracts/l2/l2_dai_bridge.cairo","type":"smart_contract","addedAt":"2022-11-02T22:28:01.696Z","revision":0,"description":"l2_dai_bridge (StarkNet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7w4SbA1jQ62fPRf5nx7XTB","url":"https://github.com/sky-ecosystem/starknet-dai-bridge/blob/main/contracts/l2/l2_governance_relay.cairo","type":"smart_contract","addedAt":"2022-11-02T22:28:35.868Z","revision":0,"description":"l2_governance_relay 
(StarkNet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4d5rGDyHK5WLwQB7CV0ZSj","url":"https://github.com/sky-ecosystem/starknet-dai-bridge/blob/main/contracts/l2/registry.cairo","type":"smart_contract","addedAt":"2022-11-02T22:29:39.919Z","revision":0,"description":"registry (StarkNet)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2yDnY5r58Er7d85tkzyLZA","url":"https://github.com/sky-ecosystem/dss-chain-log/blob/master/src/ChainLog.sol","type":"smart_contract","addedAt":"2022-05-10T16:22:44.283Z","revision":0,"description":"ChainLog","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1cB2G4Db9pHN81FkVCjoBd","url":"https://github.com/sky-ecosystem/dss-direct-deposit/blob/master/src/D3MHub.sol","type":"smart_contract","addedAt":"2022-12-06T02:53:50.375Z","revision":0,"description":"D3MHub","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1IeE6DTJ5YCF5y70DDF0kz","url":"https://github.com/sky-ecosystem/dss-direct-deposit/blob/master/src/D3MMom.sol","type":"smart_contract","addedAt":"2022-12-06T02:54:20.652Z","revision":0,"description":"D3MMom","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Vh6vF2uW9yM8xam1vzCdS","url":"https://github.com/sky-ecosystem/dss-direct-deposit/blob/master/src/D3MOracle.sol","type":"smart_contract","addedAt":"2022-12-06T02:54:50.109Z","revision":0,"description":"D3MOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"695anHwMGcZdghB6pKDes8","url":"https://github.com/sky-ecosystem/mip21-toolkit/blob/master/src/oracles/RwaLiquidationOracle.sol","type":"smart_contract","addedAt":"2023-04-22T13:37:48.879Z","revision":0,"description":"MIP21_Liquidation_Oracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7yu3GqKzRnhdi1u5u6ZqNP","url":"https://github.com/sky-ecosystem/mkr-authority/blob/master/src/MkrAuthority.sol","type":"smart_contract","addedAt":"2023-11-07T06:04:00.394Z","revision":0,"description":"MkrAuthority","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"iYg6edqbeOkJT3Ue65oI
W","url":"https://github.com/sky-ecosystem/univ2-lp-oracle/blob/master/src/UNIV2LPOracle.sol","type":"smart_contract","addedAt":"2023-04-28T22:22:00.104Z","revision":0,"description":"UNIV2LPOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4BPviZbzo1sKUNkcJnVkhr","url":"https://github.com/sky-ecosystem/univ3-lp-oracle/blob/master/src/GUniLPOracle.sol","type":"smart_contract","addedAt":"2023-04-28T22:22:15.426Z","revision":0,"description":"GUniLPOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5e7TNPNTnwjfDlmojoHQuW","url":"https://vote.sky.money","type":"websites_and_applications","addedAt":"2022-05-10T16:22:45.319Z","revision":0,"description":"Governance Voting","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Na0yDXCeV8dJtCAANDnLt","url":"https://chainlog.sky.money","type":"websites_and_applications","addedAt":"2022-05-10T16:22:46.388Z","revision":0,"description":"Contract addresses","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"bZrUnJHpiBwUYNqPm9UHA","url":"https://github.com/sky-ecosystem/dss-lite-psm/blob/main/src/DssLitePsmMom.sol","type":"smart_contract","addedAt":"2024-08-01T06:41:16.294Z","revision":0,"description":"DssLitePsmMom","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"DKQo34uQE1U8hPcxc6mTF","url":"https://github.com/sky-ecosystem/dss-lite-psm/blob/main/src/DssLitePsm.sol","type":"smart_contract","addedAt":"2024-08-01T06:41:42.327Z","revision":0,"description":"DssLitePsm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4XwvZXgFCDQkZ1UzWB2aT9","url":"https://github.com/sky-ecosystem/dss-direct-deposit/blob/master/src/plans/D3MOperatorPlan.sol","type":"smart_contract","addedAt":"2024-08-19T04:26:53.133Z","revision":0,"description":"D3MOperatorPlan","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4FHbquMch65xbeEMzIkMp2","url":"https://github.com/sky-ecosystem/dss-direct-deposit/blob/master/src/pools/D3M4626TypePool.sol","type":"smart_contract","addedAt":"2024-08-19T04:27:20.012Z","revisio
n":0,"description":"D3M4626TypePool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"11Bhb8ybZqzW7mP4TvFjzN","url":"https://sky.money","type":"websites_and_applications","addedAt":"2024-09-24T15:46:43.073Z","revision":0,"description":"Sky Marketing Website","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6K1X6stU58e7BuCiV2RqC","url":"https://app.sky.money","type":"websites_and_applications","addedAt":"2024-09-24T15:47:01.532Z","revision":0,"description":"Sky DeFi Web App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2HQobGpS0pCuRDR2bvrwIc","url":"https://github.com/sky-ecosystem/endgame-toolkit/blob/master/src/VestedRewardsDistribution.sol","type":"smart_contract","addedAt":"2024-09-24T16:47:05.025Z","revision":0,"description":"Vested Rewards Distribution","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1YZxubJxU5lTW4ACLHJwT9","url":"https://github.com/sky-ecosystem/endgame-toolkit/blob/master/src/synthetix/StakingRewards.sol","type":"smart_contract","addedAt":"2024-09-24T16:47:21.860Z","revision":0,"description":"SKY Staking Rewards","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"szzoPSeCBqa3m091XUK96","url":"https://github.com/sky-ecosystem/endgame-toolkit/blob/master/src/SDAO.sol","type":"smart_contract","addedAt":"2024-09-24T16:47:49.958Z","revision":0,"description":"SubDAO ERC20","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3z7DQhiOa3NSH2CdHtapBV","url":"https://github.com/sky-ecosystem/endgame-toolkit/blob/master/src/SubProxy.sol","type":"smart_contract","addedAt":"2024-09-24T16:48:08.059Z","revision":0,"description":"SubDAO Proxy for 
Ownership","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"39HizRuKEgPhbSrwjZ6HnD","url":"https://github.com/sky-ecosystem/usds/blob/dev/src/UsdsJoin.sol","type":"smart_contract","addedAt":"2024-09-24T16:48:26.972Z","revision":0,"description":"USDSJoin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3V3BieInrS0PLo0BbEq4kk","url":"https://github.com/sky-ecosystem/usds/blob/dev/src/Usds.sol","type":"smart_contract","addedAt":"2024-09-24T16:48:43.660Z","revision":0,"description":"USDS ERC20","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"74s92EEn1hNbt4kOSowVud","url":"https://github.com/sky-ecosystem/usds/blob/dev/src/DaiUsds.sol","type":"smart_contract","addedAt":"2024-09-24T16:49:03.487Z","revision":0,"description":"DAI to USDS Converter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3d2oG8MOFQ17rSIhF8lNrT","url":"https://github.com/sky-ecosystem/sky/blob/dev/src/Sky.sol","type":"smart_contract","addedAt":"2024-09-24T16:49:17.564Z","revision":0,"description":"SKY ERC20","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4X9IEjLQI10wYKaQo2Wfx5","url":"https://github.com/sky-ecosystem/sky/blob/one-direction/src/MkrSky.sol","type":"smart_contract","addedAt":"2024-09-24T16:49:32.321Z","revision":0,"description":"MKR to SKY Converter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2nzDUKdOkI32e6z0CFeV3o","url":"https://github.com/sky-ecosystem/sdai/blob/susds/src/SUsds.sol","type":"smart_contract","addedAt":"2024-09-24T16:49:47.121Z","revision":0,"description":"sUSDS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7oRIsmbOve0pgEOApFfQ5V","url":"https://github.com/sky-ecosystem/lockstake/blob/v2/src/LockstakeSky.sol","type":"smart_contract","addedAt":"2024-09-24T16:50:03.856Z","revision":0,"description":"LSSKY 
ERC20","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2H5JxhuCOSA1j5t9oeWwBV","url":"https://github.com/sky-ecosystem/lockstake/blob/v2/src/LockstakeEngine.sol","type":"smart_contract","addedAt":"2024-09-24T16:50:20.130Z","revision":0,"description":"Lockstake Engine","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"78d1cPYQPwsSVAfS0kKqsH","url":"https://github.com/sky-ecosystem/lockstake/blob/v2/src/LockstakeClipper.sol","type":"smart_contract","addedAt":"2024-09-24T16:50:34.068Z","revision":0,"description":"Lockstake Clipper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6JoftH6d81KzAbYEkxix9A","url":"https://github.com/sky-ecosystem/vote-delegate/blob/v3/src/VoteDelegate.sol","type":"smart_contract","addedAt":"2024-09-24T16:50:47.711Z","revision":0,"description":"Vote Delegate","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"zvX4Su3JpuRojr8Sl8Ny7","url":"https://github.com/sky-ecosystem/vote-delegate/blob/v3/src/VoteDelegateFactory.sol","type":"smart_contract","addedAt":"2024-09-24T16:51:02.392Z","revision":0,"description":"Vote Delegate Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1PiPEDijIUGLm7SGJtLcE3","url":"https://github.com/sky-ecosystem/dss-flappers/blob/dev/src/FlapperUniV2.sol","type":"smart_contract","addedAt":"2024-09-24T16:51:25.555Z","revision":0,"description":"FlapperUniV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1wLLtmGCBXzVUMDNcxOOE5","url":"https://github.com/sky-ecosystem/dss-flappers/blob/dev/src/FlapperUniV2SwapOnly.sol","type":"smart_contract","addedAt":"2024-09-24T16:51:43.061Z","revision":0,"description":"FlapperUniV2SwapOnly","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4SNcitHhALukieoLsrVrvs","url":"https://github.com/sky-ecosystem/dss-flappers/blob/dev/src/OracleWrapper.sol","type":"smart_contract","addedAt":"2024-09-24T16:52:15.429Z","revision":0,"description":"Oracle 
Wrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3wD3OGLW7P6osta2OjDOvl","url":"https://github.com/sky-ecosystem/dss-flappers/blob/dev/src/Splitter.sol","type":"smart_contract","addedAt":"2024-09-24T16:52:29.471Z","revision":0,"description":"Splitter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4XeDi1XPdkvZhXehNEl0ca","url":"https://github.com/sky-ecosystem/dss-flappers/blob/dev/src/SplitterMom.sol","type":"smart_contract","addedAt":"2024-09-24T16:52:47.774Z","revision":0,"description":"SplitterMom","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"katflgh46gigZ727LcOo8","url":"https://github.com/sky-ecosystem/univ2-pool-migrator/blob/dev/deploy/UniV2PoolMigratorInit.sol","type":"smart_contract","addedAt":"2024-09-24T16:53:02.870Z","revision":0,"description":"UniV2PoolMigratorInit","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5k1krSdq2A4BqHv0dwoW2y","url":"https://github.com/sky-ecosystem/lockstake/blob/v2/src/LockstakeUrn.sol","type":"smart_contract","addedAt":"2025-06-03T15:15:46.307Z","revision":0,"description":"Lockstake Urn","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6n5qtWTuzdpXFWaH6pQbU3","url":"https://github.com/sky-ecosystem/dss-allocator/blob/dev/src/AllocatorOracle.sol","type":"smart_contract","addedAt":"2025-06-03T15:17:24.742Z","revision":0,"description":"Allocator Oracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Vf1wI7vaXeOqI7SeQN2I8","url":"https://github.com/sky-ecosystem/dss-allocator/blob/dev/src/AllocatorVault.sol","type":"smart_contract","addedAt":"2025-06-03T15:18:22.696Z","revision":0,"description":"Allocator Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6fX4b7W0xmkVoko786PFgM","url":"https://github.com/sky-ecosystem/dss-allocator/blob/dev/src/AllocatorRoles.sol","type":"smart_contract","addedAt":"2025-06-03T15:26:28.567Z","revision":0,"description":"Allocator 
Roles","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1yUxB2m32y2vYYphNnqrna","url":"https://github.com/sky-ecosystem/dss-allocator/blob/dev/src/AllocatorRegistry.sol","type":"smart_contract","addedAt":"2025-06-03T15:26:51.792Z","revision":0,"description":"Allocator Registry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1bbO6Dybdca7Tg2dWch2ei","url":"https://github.com/sky-ecosystem/dss-allocator/blob/dev/src/AllocatorBuffer.sol","type":"smart_contract","addedAt":"2025-06-03T15:27:12.446Z","revision":0,"description":"Allocator Buffer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3WkhHLkGYgRjE7aArRVBfA","url":"https://github.com/sky-ecosystem/op-token-bridge/blob/master/src/Escrow.sol","type":"smart_contract","addedAt":"2025-06-03T15:27:27.859Z","revision":0,"description":"Optimism Escrow","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4lUejt1wsO3DX4Mmx2Ysuf","url":"https://github.com/sky-ecosystem/op-token-bridge/blob/master/src/L1GovernanceRelay.sol","type":"smart_contract","addedAt":"2025-06-03T15:27:50.315Z","revision":0,"description":"Optimism L1 Governance Relay","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1KqF7B1qqoh0SToCx9EFKT","url":"https://github.com/sky-ecosystem/op-token-bridge/blob/master/src/L1TokenBridge.sol","type":"smart_contract","addedAt":"2025-06-03T15:28:10.802Z","revision":0,"description":"Optimism L1 Token Bridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4O6ObjZohyBQfi0mgJxlF9","url":"https://github.com/sky-ecosystem/op-token-bridge/blob/master/src/L2GovernanceRelay.sol","type":"smart_contract","addedAt":"2025-06-03T15:28:31.846Z","revision":0,"description":"Optimism L2 Governance Relay","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5BXJB5lz2BSWdem80kY2At","url":"https://github.com/sky-ecosystem/op-token-bridge/blob/master/src/L2TokenBridge.sol","type":"smart_contract","addedAt":"2025-06-03T15:28:50.568Z","revision":0,"description":"Optimism L2 Token 
Bridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6JUwURwsef0xDKq85qBJBX","url":"https://github.com/sky-ecosystem/dss-emergency-spells/blob/master/src/DssEmergencySpell.sol","type":"smart_contract","addedAt":"2025-06-03T15:29:08.561Z","revision":0,"description":"DssEmergencySpell","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Z8xCDr4oaXON0mAF0y69k","url":"https://github.com/sky-ecosystem/dss-emergency-spells/blob/master/src/DssGroupedEmergencySpell.sol","type":"smart_contract","addedAt":"2025-06-03T15:29:53.160Z","revision":0,"description":"DssGroupedEmergencySpell","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4aP3Sz0ZKYIshhujo2pySd","url":"https://github.com/sky-ecosystem/dss-emergency-spells/tree/master/src/clip-breaker","type":"smart_contract","addedAt":"2025-06-03T15:31:21.145Z","revision":0,"description":"EMSP_GLOBAL_CLIP_BREAKER","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Hu35EuWJpX6JUPeQxlzQQ","url":"https://github.com/sky-ecosystem/dss-emergency-spells/tree/master/src/line-wipe","type":"smart_contract","addedAt":"2025-06-03T15:31:38.706Z","revision":0,"description":"EMSP_GLOBAL_LINE_WIPE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1RgnA5qmWjUMQOjYZA3dEI","url":"https://github.com/sky-ecosystem/dss-emergency-spells/tree/master/src/osm-stop","type":"smart_contract","addedAt":"2025-06-03T15:31:54.754Z","revision":0,"description":"EMSP_GLOBAL_OSM_STOP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2owyG5gn55f3pTncRGUbIZ","url":"https://github.com/sky-ecosystem/dss-emergency-spells/tree/master/src/ddm-disable","type":"smart_contract","addedAt":"2025-06-03T15:32:13.591Z","revision":0,"description":"EMSP_DDM_DISABLE_FAB","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"qQgeSZmNr6lThQ844g5ud","url":"https://github.com/sky-ecosystem/dss-emergency-spells/tree/master/src/lite-psm-halt","type":"smart_contract","addedAt":"2025-06-03T15:32:29.684Z","revision":0,"description":"EMSP_LITE_PSM_HALT_FAB",
"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4hcfhjlFdCQJ5SHlcFh3I6","url":"https://github.com/sky-ecosystem/dss-emergency-spells/tree/master/src/splitter-stop","type":"smart_contract","addedAt":"2025-06-03T15:32:47.883Z","revision":0,"description":"EMSP_SPLITTER_STOP","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2SIOBrsNeMkZGnfY3Qoinp","url":"https://github.com/sky-ecosystem/arbitrum-token-bridge/blob/master/src/L1TokenGateway.sol","type":"smart_contract","addedAt":"2025-06-03T15:33:08.711Z","revision":0,"description":"Arbitrum L1 Token Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6DZagcuff2RRZAnpSoTsMx","url":"https://github.com/sky-ecosystem/arbitrum-token-bridge/blob/master/src/L2TokenGateway.sol","type":"smart_contract","addedAt":"2025-06-03T15:33:32.589Z","revision":0,"description":"Arbitrum L2 Token Gateway","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"21MUtobHBHbeAJHUdQeXmw","url":"https://github.com/sky-ecosystem/dss-blow2/blob/master/src/DssBlow2.sol","type":"smart_contract","addedAt":"2025-06-03T15:33:49.912Z","revision":0,"description":"Blow 2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5TpoBWRPmmz1nJrGOyRPz8","url":"https://github.com/sky-ecosystem/sp-beam/blob/master/src/SPBEAM.sol","type":"smart_contract","addedAt":"2025-06-03T15:34:09.592Z","revision":0,"description":"SPBeam","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5KKEdcl5k581oiJAPJ9uit","url":"https://github.com/sky-ecosystem/sp-beam/blob/master/src/SPBEAMMom.sol","type":"smart_contract","addedAt":"2025-06-03T15:34:26.640Z","revision":0,"description":"SPBeam 
Mom","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"32bUe0Di9ijqMK89EMpPhW","url":"https://github.com/sky-ecosystem/dss-emergency-spells/tree/master/src/spbeam-halt","type":"smart_contract","addedAt":"2025-06-03T15:34:42.525Z","revision":0,"description":"EMSP_SPBEAM_HALT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2LUCXGodD1Jn02Gu2y2wCu","url":"https://github.com/sky-ecosystem/protego/blob/master/src/Protego.sol","type":"smart_contract","addedAt":"2025-06-03T15:34:57.695Z","revision":0,"description":"Protego","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"24dflw3xhutFxPSCyC7NdI","url":"https://github.com/sky-ecosystem/protego/blob/master/src/EmergencyDropSpell.sol","type":"smart_contract","addedAt":"2025-06-03T15:35:13.497Z","revision":0,"description":"Emergency Drop Spell","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5VlRAR3Fou4rDDY2tn3Pbl","url":"https://github.com/sky-ecosystem/chief/blob/master/src/Chief.sol","type":"smart_contract","addedAt":"2025-09-15T15:45:40.184Z","revision":0,"description":"Chief","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Ipvgc1yynOTgM4iaCxMn2","url":"https://github.com/sky-ecosystem/stusds/","type":"smart_contract","addedAt":"2025-09-22T15:16:29.649Z","revision":0,"description":"Staked USDS","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Yz6Lgrr0Ff5P0zL3maypw","url":"https://github.com/sky-ecosystem/lockstake/blob/master/src/LockstakeCappedOsmWrapper.sol","type":"smart_contract","addedAt":"2025-10-03T09:34:13.793Z","revision":0,"description":"LockStake Capped OSM Wrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"52QM0Rh8XO3NUv5FcdZtG","url":"https://github.com/sky-ecosystem/sky-oapp-oft/blob/main/contracts/GovernanceOAppSender.sol","type":"smart_contract","addedAt":"2025-11-19T06:51:44.025Z","revision":0,"description":"Governance OApp 
Sender","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3uRggpYd7jLt3OvjcxGaUV","url":"https://github.com/sky-ecosystem/lz-governance-relay/blob/master/src/L1GovernanceRelay.sol","type":"smart_contract","addedAt":"2025-11-19T06:52:03.298Z","revision":0,"description":"L1 Governance Relay","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"78O3wQrlkjRLRmVuBJuVYY","url":"https://github.com/sky-ecosystem/sky-oapp-oft/blob/main/programs/governance/src/state/governance.rs","type":"smart_contract","addedAt":"2025-11-19T06:52:20.755Z","revision":0,"description":"Governance OApp Receiver","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4XXKT0eRUgabJjxnoFog2d","url":"https://github.com/sky-ecosystem/sky-oapp-oft/blob/main/contracts/SkyOFTAdapter.sol","type":"smart_contract","addedAt":"2025-11-19T06:52:34.738Z","revision":0,"description":"OFT Adapter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1s4tiBaHd01WDAXrWjkvua","url":"https://github.com/sky-ecosystem/sky-oapp-oft/blob/main/programs/oft/src/state/oft.rs","type":"smart_contract","addedAt":"2025-11-19T06:52:48.096Z","revision":0,"description":"OFT Program","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2GMZcvW8LCOaYW5p3BnSPu","url":"https://github.com/sky-ecosystem/dss-flappers/blob/master/src/Kicker.sol","type":"smart_contract","addedAt":"2025-11-19T06:53:02.440Z","revision":0,"description":"Kicker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_2ce5ef55-d33b-4ae1-a33e-8f1dd8a18e87","url":"https://github.com/sky-ecosystem/star-guard/blob/main/src/StarGuard.sol","type":"smart_contract","addedAt":"2026-02-26T15:35:36.081Z","revision":0,"description":"StarGuard","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Assets of Sky can be found at [https://github.com/sky-ecosystem](https://github.com/sky-ecosystem)\n\nDue to the regularly-updating smart contracts, only the GitHub links are provided. 
However, to find the most up-to-date deployment addresses, you can refer to [https://chainlog.sky.money/](https://chainlog.sky.money). \n\nUnless explicitly listed, only pages of the web/app assets in addition to the direct link are considered in-scope of the bug bounty program. Other subdomains are not considered as in-scope.\n\nFull documentation can be found at [https://developers.sky.money](https://developers.sky.money) and [https://docs.makerdao.com/](https://docs.makerdao.com/) Annotations for the core Maker protocol smart contracts can be found at [https://docs.makerdao.com/other-documentation/smart-contract-annotations](https://docs.makerdao.com/other-documentation/smart-contract-annotations). A comprehensive guide to the smart contracts can be found at [https://docs.makerdao.com/maker-protocol-101](https://docs.makerdao.com/maker-protocol-101). \n\nFurther information about the Governance Voting asset can be found at:\n\n- [https://github.com/sky-ecosystem/gov-polling-db](https://github.com/sky-ecosystem/gov-polling-db)\n- [https://github.com/sky-ecosystem/governance-portal-v2](https://github.com/sky-ecosystem/governance-portal-v2) \n- API documentation: https://vote.sky.money/api-docs\n- Gov polling db endpoint (can be used to view graphql schema)\n  - prod: [https://polling-db-prod.makerdux.com/api/v1](https://polling-db-prod.makerdux.com/api/v1)\n  -  staging: [https://polling-db-staging.makerdux.com/api/v1](https://polling-db-staging.makerdux.com/api/v1)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-02-10T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/29CWfnhFWZUDZ0w83H0wj6/30bb70512c04338d29bd3bd5a261ad2c/Sky_Ecosystem.png","maxBounty":10000000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n__Critical__\n  - Any governance voting result manipulation\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Miner-extractable value (MEV)\n  - Protocol Insolvency\n\n__High__\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds for at least five blocks\n\n__Medium__\n  - Smart contract unable to operate due to lack of token funds \n  - Block stuffing for profit\n  - Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)\n  - Theft of gas\n  - Unbounded gas consumption \n\n__Low__\n  - Smart contract fails to deliver promised returns, but doesn’t lose value\n\n__Web/App__\n\n__Critical__\n\n  - Execute arbitrary system commands only when allowing access to sensitive data or causing financial losses\n  - Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)\n  - Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc.\n  - Subdomain takeover with already-connected wallet interaction, only for subdomains that are not used for testing\n  - Direct theft of user funds\n  - Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions \n\n__High__\n\n  - Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc.\n  - Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc.\n  - Improperly disclosing confidential user information such as email address, phone number, physical address, etc.\n  - Subdomain takeover without already-connected wallet interaction\n\n__Medium__\n  - Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user 
interaction, such as changing the first/last name of user, or enabling/disabling notifications\n  - Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data\n  - Redirecting users to malicious websites (Open Redirect)\n  - Taking down the application/website in a way that doesn’t allow remediation in less than half an hour","productType":["CDP","Lending","Staking"],"programOverview":"Sky, formerly known as MakerDAO, is one of the first DeFi protocols in the crypto space that introduced the first crypto-backed stablecoin called Dai (DAI), which is set at a value of 1:1 with the United States Dollar. Since the rebranding to Sky, USDS stablecoin was also launched. It is governed by those who hold its governance token MKR or its successor SKY. \n\nFor more information about Sky, please visit https://sky.money/. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nSky adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.","programType":["Smart Contract","Websites and Applications"],"project":"Sky","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the __Impacts in Scope__ table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of __USD 10 000 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD 150 000__ is to be rewarded in order to incentivize security researchers against withholding a bug report.   
\n\nCritical website and application bug reports will be rewarded with __USD 100 000__ only if the impact leads to a direct loss in funds involving an attack that does not require any user action at all. An impact of minting tokens on-chain beyond intended activity without requiring any user action would also be rewarded this amount due to the undesired dilution of existing circulating tokens. All other impacts that do not fall under this definition, but would be classified as Critical, and resulting in a theft of funds, will be rewarded __USD 50 000__.\nFor the Protocol Insolvency impact, the amount considered at risk is the amount that lenders cannot receive back. \n\nFor the Critical impact “Prevention of governance participation despite design parameters providing participation rights”, it is downgraded to High if the total amount of SKY that is being staked is less than the average “hat” amount of all active proposals with their respective highest value over 24 hours preceding the bug report submission. If the amount is greater, then it follows the scaling system for Critical impacts with funds affected, but with 1% instead of 10%.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, the amount of funds at risk will be calculated with the first attack being at 100% of the funds that could be stolen and then a reduction of 25% from the amount of the first attack for every 300 blocks the attack needs for subsequent attacks from the first attack, rounded down. 
For avoidance of doubt, if a second attack would happen at 600 blocks and then a third at 900 blocks, the funds at risk would be counted at 50% and 25% of the reward from the first attack, respectively.\n\nHowever, for smart contracts directly holding funds that cannot be paused, if a discovered vulnerability includes the temporary locking of funds that could otherwise be withdrawn and thus prevented from being stolen but still accessible to the exploiter to take the funds, the time is extended to the exact same time as temporary locking. Extensions of the temporary locking that introduce a gap where withdrawals can happen will not be considered. \n\n__Reward Calculation for High Level Reports__\n\nHigh smart contract impacts will be capped at up to 100% of the funds affected. In the event of temporary freezing, the reward doubles for every additional 300 blocks that the funds could be temporarily frozen, rounded down to the nearest multiple of 300, up to the hard cap of USD 100 000. However, if it is within the hard cap, there is a further hard cap of 1000% of the funds affected with the minimum reward of USD 5 000.\nHowever, a temporary freezing impact with less than 150 blocks will be downgraded to Medium.\n\nFurther restrictions are placed on impacts of temporary freezing of funds of an already liquidated position:\n\n- For up to 50120 blocks (approximately 1 week) it is considered as out of scope\n- For 50120 blocks to 200480 blocks (approximately 4 weeks) it would be downgraded to Medium or Low at the discretion of the Sky team\n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are ineligible for a reward:\n\n- Compensated team members of any Sky or MakerDAO affiliate\n- Employees and team members of third-party suppliers to a Sky or MakerDAO affiliate that operate in a technical capacity and have assets covered in this bug bounty program\n- Team members and third-party suppliers of businesses 
and organizations that are not a Sky or MakerDAO affiliate but have assets considered as critical infrastructure covered under the bug bounty program\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. \n\n- Considering MCD_ETH - The asset steward is aware that the balance of the contract may be different than the total amount that is deposited if users send ETH directly to the contract. They do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n- Considering all adapters -  The asset steward is aware that the balance (ETH or token) of the contract may be different than the total amount that is joined through the contract if users send tokens or ETH directly to the contract. They do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences they will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n- Vote-delegate\n  - The need for expiration logic is not considered important enough anymore, social arguments against that are considered out of scope.\n- Lockstake\n  - Known issues mentioned here or in recursively linked material are considered out of scope - https://github.com/sky-ecosystem/mcd-security/blob/master/liquidations-2.0.md and https://forum.sky.money/t/mip45-liquidations-2-0-liq-2-0-liquidation-system-redesign/6352.\n  - Delaying liquidations in the order of tens of minutes is assumed valid, there is already a big delay in Maker's oracle design.\n  - wipeAll and wipe do not drip because it is actually not convenient for the user to do a drip call on wiping. 
Then, if we force the drip, we are incentivizing users to repay directly to the vat (which is possible) instead of using the engine for that. We are mimicking the old proxy actions behaviour, where we drip for drawing, as otherwise the user can lose money, but not forcing the drip on wiping so users actually use this function.\n  - The issue of creating a large amount of auctions when the amount of DAI to raise would cause a partial liquidation (e.g small amount to reach hole or Hole ) is known already from dss and the existing clippers. It is known that carefully configuring dust, hole and Hole is important but is just a partial mitigation to this. In the context of lockstake it is known that it has additional implications such as delaying selectVoteDelegate (see Cantina audit's 3.3.2 informational issue), delaying re-farming, causing the exit fees not to be collected (as price might be lower due to many auctions), delaying the formal burning of system fees, and more. Also the fact that the locked SKY can not be used for governance operations is known (thus spells might not pass, governance decisions might be easier or harder to pass, etc..)\n  - The formulas and calculations in the Readme's Exit Fee on Liquidation may not be accurate and are given for rough illustrative purposes.\n  - On certain market conditions such as extreme price movements some of the exit fee may not be burned on liquidations. This is a known attribute of the system.\n  - As getting liquidated is considered a state that should generally be avoided, it is expected that in such cases the urn owner becomes limited in various ways. For example, it cannot delegate or stake during liquidations and in some situations, it can take more time than the urn owner expects due to more liquidations or liquidations taking a lot of time. Other limitations may apply and are not considered an issue unless significant funds are lost permanently. 
\n  - Using the \"stopped\" states in the lockstake clipper is assumed to be used by wards in an extreme emergency. It is a known risk that some of the system attributes and functionality may not hold afterwards, including risking user and system funds. This also includes LSE special functionality (allowing exit of auctions leftover, not burning fees, delegating, staking, etc..).\n  - As the Maker protocol has the ability to mint SKY tokens and also to migrate the Lockstake engine, any situation of locked user SKY should not be regarded as a high severity issue. It is assumed that a lockstake migrator/minter contract can be set up and go live within 5 days (including gov delay).\n  - Using yank() in the lockstake clipper is assumed to only happen as part of a shutdown procedure. Since this is out of scope, it is assumed not to happen.\n  - As with other collaterals, \"tip\" and \"chip\" are assumed to be chosen very carefully, while taking into account the dust parameter and with having in mind incentive farming risks.\n- dss-flappers\n  - Inefficiencies due to configurations or oracle frequencies/pricing are out of scope.\n  - Slow/Unavoidable delay of withdrawing/redeeming the protocol funds in case of an emergency is known.\n  - Possible sandwich attacks and MEV extraction scenarios are known issues. Maker's risk unit is assumed to be setting parameters while having these in mind.\n  - The dss-flappers (SBE) solution assumes losing several percentages of funds by design during the Uniswap interactions due to slippage, MEV, sudden market movements, sandwich attacks, oracles imprecision and update resolution, etc. 
Obviously in this specific case the numbers mentioned in the severity definitions (e.g 0.5%) are irrelevant.\n  - The fact that the SBE funds are not taken into account in protocol accounting or for flops auction triggering is known.\n  - It is expected that governance sets parameters carefully during the module's life cycle, including maintaining splitter.hop as the same value as the farm's reward duration.\n  - The combination of the governance configuration of vow.bump and splitter.hop is assumed to not allow spending more than 50K DAI per hour (in practice should be a much slower rate).\n- endgame-toolkit\n  - Any issue that exists in the original non-Maker [Synthetix staking rewards](https://github.com/Synthetixio/synthetix/blob/5e9096ac4aea6c4249828f1e8b95e3fb9be231f8/contracts/StakingRewards.sol) contract is out of scope.\n\n__Previous Audits__\n\nSky has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n\n- https://chainsecurity.com/security-audit/maker-protocol-liquidations-2-0/  \n- https://chainsecurity.com/security-audit/makerdao-g-uni-lp-oracle/ (narrowly scoped subsystem)\n- https://chainsecurity.com/security-audit/makerdao-direct-deposit-module-d3m/ \n- https://chainsecurity.com/security-audit/makerdao-optimism-dai-bridge/ \n- [StarkNet DAI Bridge audit](https://drive.google.com/file/d/1StG_v4qmV6EJjJDD-p7O11Ql3Dmrtfew/view?usp=share_link)\n- [StarkNet Teleport audit](https://drive.google.com/file/d/1113PnxOz2IjsQih0tMkVW_raWcum0ZgU/view?usp=share_link)\n- [Direct Deposit V2 audit](https://github.com/sky-ecosystem/dss-direct-deposit/blob/master/audits/ChainSecurity_MakerDAO_Direct_Deposit_V2_audit.pdf)\n- https://chainsecurity.com/security-audit/makerdao-dss-charter-smart-contracts/ \n- [Lite PSM Audits](https://github.com/sky-ecosystem/dss-lite-psm/tree/main/audits)\n- 
https://github.com/sky-ecosystem/usds/blob/dev/audit/20231124-cantina-report-review-makerdao-nst.pdf\n- https://github.com/sky-ecosystem/usds/blob/dev/audit/20240703-cantina-report-maker-nst.pdf\n- https://github.com/sky-ecosystem/usds/blob/dev/audit/20240730-ChainSecurity_MakerDAO_NST_audit.pdf\n- https://github.com/sky-ecosystem/sky/blob/dev/audit/ChainSecurity_MakerDAO_NGT_audit.pdf\n- https://github.com/sky-ecosystem/sky/blob/dev/audit/ChainSecurity_MakerDAO_NGT_deployment_scripts_audit.pdf\n- https://github.com/sky-ecosystem/sky/blob/dev/audit/cantina-report-review-makerdao-ngt.pdf\n- https://github.com/sky-ecosystem/sdai/blob/susds/audit/20240703-cantina-report-maker-snst.pdf\n- https://github.com/sky-ecosystem/sdai/blob/susds/audit/20240730-ChainSecurity_MakerDAO_Savings_NST_audit.pdf \n- https://github.com/sky-ecosystem/endgame-toolkit/blob/master/audits/ChainSecurity_MakerDAO_Endgame_Toolkit_audit.pdf \n- https://github.com/sky-ecosystem/endgame-toolkit/blob/master/audits/report-review-makerdao-endgametoolkit_final.pdf \n- https://github.com/sky-ecosystem/lockstake/blob/dev/audit/20240626-cantina-report-maker-LSE.pdf\n- https://github.com/sky-ecosystem/lockstake/blob/dev/audit/20240730-ChainSecurity_MakerDAO_Lockstake_audit.pdf\n- https://github.com/sky-ecosystem/vote-delegate/blob/master/audits/ABDK-MakerDAO-Vote%20Delegate.pdf \n- https://github.com/sky-ecosystem/vote-delegate/blob/v2/audit/20240703-cantina-report-maker-vote-delegate.pdf\n- https://github.com/sky-ecosystem/vote-delegate/blob/v2/audit/20240730-ChainSecurity_MakerDAO_VoteDelegate_audit.pdf \n- https://github.com/sky-ecosystem/dss-flappers/blob/master/audit/ChainSecurity_MakerDAO_FlapperUniV2SwapOnly_audit.pdf\n- https://github.com/sky-ecosystem/dss-flappers/blob/master/audit/ChainSecurity_MakerDAO_FlapperUniV2_audit.pdf \n- https://github.com/sky-ecosystem/dss-flappers/blob/dev/audit/20230606-ChainSecurity_MakerDAO_FlapperUniV2_audit.pdf\n- 
https://github.com/sky-ecosystem/dss-flappers/blob/dev/audit/20230727-ChainSecurity_MakerDAO_FlapperUniV2SwapOnly_audit.pdf\n- https://github.com/sky-ecosystem/dss-flappers/blob/dev/audit/20240904-ChainSecurity_MakerDAO_Dss_Flappers_audit.pdf \n- https://github.com/sky-ecosystem/dss-flappers/blob/dev/audit/20240703-cantina-report-maker-flappers.pdf\n- https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2024.08.05%20-%20Final%20-%20MakerDAO%20Endgame%20Audit%20Report.pdf\n\n__Feasibility Limitations__\n\nBug reports that require an attack that involve one or more other protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX), either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible, would be out-of-scope. However, they will be considered as in-scope and categorized according to the program rules as long as all of the following are true:\n\n- Losses or other negative effects of the attack are inflicted upon Sky ecosystem participants—MKR or SKY holders, DAI or USDS holders, Vault holders, or Keepers.\n- The losses or other negative effects could be prevented via changes to the MCD smart contracts already included in the bounty scope.\n- The additional protocols used must have enough liquidity in various assets to allow the attack to succeed at the time of bug report submission. For example: if an attack requires an ETH flash loan, but the amount is larger than all the ETH available for loan across the ecosystem\n\n__Proof of Concept (PoC) Requirements__\n\n- A PoC is required for all bug reports.\nAll PoCs submitted must comply with the [Immunefi-wide PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). 
Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Other Terms and Information__\n\n- Exceptions to the PoC requirement for smart contract bugs may be made in cases where the vulnerability is objectively evident from simply mentioning the vulnerability and where it exists. However, the bug reporter may be required to provide a PoC at any point in time.\n\n- Manipulation of polling votes or voting results, including modifications to their display, qualifies for a reward of USD 100,000 only if it leads to the incorrect option being selected as the final winner of an active poll. Manipulations that do not impact the final outcome, such as temporary alterations of past poll data or display errors without a change in result, are excluded from this reward. \n\n- Vulnerabilities that are exploitable in old versions of smart contracts and have since been mitigated (either deliberately or accidentally) in current versions (as demonstrated by the listing at [https://chainlog.makerdao.com/](https://chainlog.makerdao.com/)) are not in-scope for the bug bounty program. In the event that a vulnerability exists on the GitHub file but not on the most recently deployed contract, this may be due to a “dark spell” to fix a vulnerability quietly. If your bug report is rejected as a known issue due to this, details will be provided to you.\n\n- In order to be eligible for a reward, the vulnerability must exist in the deployed smart contract.\n\n- [https://chainlog.makerdao.com/](https://chainlog.makerdao.com/) is designed to be easy to run locally. Hence, taking down the application/website or denial of service attacks are considered out-of-scope for this asset.\n\n- All Medium and High level bug reports are not in-scope for the [https://vote.makerdao.com/](https://vote.makerdao.com/) asset. 
Only Critical severity reports are in-scope for this asset.\n\n- If you discover a vulnerability with Critical impact on any deployed smart contract within the Sky codebase, you may submit it for consideration. \n\n- The dai.js repo ([https://github.com/sky-ecosystem/dai.js/](https://github.com/sky-ecosystem/dai.js/) ) is not in scope.\n\n\n- With regards to the terms under __“Feasibility Limitations”__, consideration may be made if the first two bullet points are met but the third isn’t, pending confirmation from the asset steward.\n\n- EIP incompatibilities may be considered as in-scope only for the critical impact “Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield”\n\n- Issues where there is damage to the protocol/users but the net attack cost exceeds the damage caused by 50% or more are considered low severity. For avoidance of doubt, this means that if it costs USD 1500 to steal USD 1 000, then the bug report is downgraded to Low.\n\n- Minor rounding errors leading to missing some fees, getting more fee share compared to someone else, or fees locked in the protocol are downgraded to Low. For the definition of \"minor\" we use 0.5%.\n\n- Any user errors that lead to the loss of their own funds are not in scope\n\n- Oracle value updates outside of the delta governance considered when choosing the parameters of the system are out of scope. This includes trivial issues in the main stable coin system, roughly speaking e.g. when an extreme price drop exceeds the collateral's liquidation ratio, so that a position would become unhealthy after the update and a liquidation wouldn’t raise sufficient funds leading to bad debt. Constructions describing how “loss of funds” (bad debt) could occur in such a scenario are out of scope. 
For example, if a collateral has a liquidation ratio of 200%, but the asset price suffers a 60% price drop, leading to a bad debt, it is considered a design decision.\n\n- Governance related:\n\n  - It is assumed that wards in all contracts are fully trusted, as well as other privileged roles.\n  - Subdao proxies, facilitators and permissioned keepers are assumed fully trusted.\n  - The option of avoiding future governance actions towards USDS and sUSDS holders by moving to vat.dai is known.\n  - Grouping of specific governance actions if needed (or permissionless actions with governance ones), are assumed to be implemented in the spell or dss-exec-lib level.\n  - Chainlog maintenance is assumed to be possible also after components have been added or removed. Therefore missing/extra/wrong/inconsistent Chainlog values are assumed a non-issue.\n  - Certain models have Mom contracts to allow governance to perform actions without governance delay. Choosing which contracts or actions should have this ability is assumed to be done by the protocol and pointing out a lack of it for a certain module is out of scope.\n\n- Any DoS attack that does not result in the freezing of funds or disruption of protocol functionality, but still allows for the withdrawal of funds, will be downgraded to low.\n\n- A DoS attack that temporarily locks the funds of an already liquidated position for up to one week is considered a non-issue and will be OOS. If the lock extends from one to four weeks, it could be classified as a medium severity issue, depending on the nature of the attack and other relevant circumstances, but this would be categorized as a bonus by the Sky team and thus is under its full discretion.\n\n- It is assumed that users and keepers are aware of the reserveHatch functionality for solving vote-delegate/lockstake related DoS issues. 
It is assumed that keepers run by 3rd-parties and Sky integrate it into their logic and that the need for using it is constantly monitored.\n\n__Reward Payment Terms__\n\nPayouts are handled by **Sky** directly. Payments are denominated in **USD**. However, payouts are done in **DAI** or **USDS**, at the discretion of the **Sky** team, assuming a full 1:1 ratio with the **USD**. However, if the price of **DAI** or **USDS** deviates from the **USD** value by more than 1%, the amount of **DAI** or **USDS** will be adjusted. Upon confirmation, bug bounty payouts should be included in the next possible 'executive spell', which is a governance vote with an onchain payload attached to it. This would involve sending **DAI** or **USDS** directly from the protocol's buffer to the security researcher. As described in the Maker Atlas, for bug bounty rewards over __USD 1 000 000__, after the first million is paid out, the remaining amount is paid out over time with up to __USD 1 000 000__ per consecutive month until the determined amount for payout is reached.\n\nDue to the limitations of the **Sky** governance process, payouts will have a delay of up to 1 calendar month after the date of validation of the bug report.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"sky","tenPercentEconomicRule":true,"updatedDate":"2026-02-26T15:35:58.574Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Sky, formerly known as MakerDAO, is one of the first DeFi protocols in the crypto space that introduced the first crypto-backed stablecoin called Dai (DAI), which is set at a value of 1:1 with the United States Dollar. Since the rebranding to Sky, USDS stablecoin was also launched. 
It is governed by those who hold its governance token MKR or its successor SKY.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n- All impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n\n- Impacts that rely on the governance approval of a malicious spell or governance crafting malicious code\n- Impacts involving the deprecated [Emergency Shutdown Module](https://docs.makerdao.com/smart-contract-modules/shutdown)","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":1822,"type":"smart_contract","severity":"low","title":"Smart contract fails to work correctly, but doesn’t lose value"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet 
interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":1823,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least five blocks"},{"id":1824,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":1825,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":1826,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":1827,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":1828,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site 
data"},{"id":1831,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":1832,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":1833,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":5509,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands, only when allowing access to sensitive data or causing financial losses"},{"id":5510,"type":"smart_contract","severity":"critical","title":"Prevention of governance participation despite design parameters providing participation rights"},{"id":5511,"type":"websites_and_applications","severity":"medium","title":"Taking down the application/website, in a way that doesn’t allow remediation in less than half an hour"},{"id":5512,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction, only for subdomains that are not used for 
testing"}],"rewards":[{"id":36000,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":10000000,"minReward":150000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":36001,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":5000,"rewardModel":"range"},{"id":36002,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":36003,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":36004,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":100000,"rewardModel":"up_to"},{"id":36005,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":36006,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"5HiG22HMFKkWE8yXDmV16M","url":"https://github.com/stellar/stellar-core","type":"blockchain_dlt","addedAt":"2023-11-28T20:40:07.121Z","revision":0,"description":"Stellar core node","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4UQtxpIqZC1tXGnqk2qPOb","url":"https://github.com/stellar/rs-soroban-sdk","type":"blockchain_dlt","addedAt":"2023-11-28T20:40:20.603Z","revision":0,"description":"Soroban Rust SDK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1tbbJ8EiXqZ017rYMhDqPH","url":"https://github.com/stellar/rs-soroban-env","type":"blockchain_dlt","addedAt":"2023-11-28T20:40:45.542Z","revision":0,"description":"Soroban contract engine environment","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"55OHbrE4HJTZSm8vKDt6BA","url":"https://github.com/stellar/js-soroban-client","type":"blockchain_dlt","addedAt":"2023-11-28T20:41:18.733Z","revision":0,"description":"Soroban JS 
client","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ecDVnRM8bK1oLD8UZIrJB","url":"https://github.com/stellar/rs-stellar-xdr","type":"blockchain_dlt","addedAt":"2023-11-28T20:41:34.292Z","revision":0,"description":"Rust XDR library","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7AnUBCnAjcdqWVxYKdYJOS","url":"https://github.com/stellar/rs-stellar-strkey","type":"blockchain_dlt","addedAt":"2023-11-28T20:41:49.654Z","revision":0,"description":"Rust strkeys library","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3gXfNWvrROcs21KUgfsN9N","url":"https://github.com/stellar/crate-git-revision","type":"blockchain_dlt","addedAt":"2023-11-28T20:42:05.126Z","revision":0,"description":"Rust crate git version management library","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5r54hboA7fwxn3HGbTcIjj","url":"https://github.com/stellar/bytes-lit","type":"blockchain_dlt","addedAt":"2023-11-28T20:42:20.313Z","revision":0,"description":"Bytes Array library","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3wOWwDuLgwbNBxnG7G64fb","url":"https://github.com/stellar/wasmi","type":"blockchain_dlt","addedAt":"2023-11-28T20:42:35.474Z","revision":0,"description":"Wasmi fork","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"99114","url":"https://github.com/stellar/stellar-cli","type":"blockchain_dlt","addedAt":"2026-02-24T13:37:05.671Z","revision":0,"description":"Soroban 
CLI","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["C/C++","Rust"],"launchDate":"2023-11-29T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3ayg1ykT9dYUXmROszIxTv/ad538cadc05e8f1a489e580df21b0373/Stellar_Stacked.png","maxBounty":250000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low"],"primaryPaymentWallet":"OtherNonEVML1","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1"],"programOverview":"Stellar is a layer-1 open-source, decentralized, peer-to-peer blockchain network that provides a framework for developers to create applications, issue assets, and connect to existing financial rails. Stellar is designed to enable creators, innovators, and developers to build projects on the network that can interoperate with each other.\n\nSoroban is a smart contracts platform that is designed to integrate with and work alongside the Stellar blockchain. It is currently live on Testnet.\n\nFor more information about Stellar, please visit [https://stellar.org/](https://stellar.org/) and [https://developers.stellar.org/](https://developers.stellar.org/)\n\nStellar provides rewards in XLM, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nStellar will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n- Tax form (W-9/W-8BEN/W-8BEN-E)\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nStellar adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Researchers should check the github repositories issues marked with a security label to make sure a vulnerability has not been published already.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Stellar has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Blockchain/DLT"],"project":"Stellar","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward USD 250 000. 
However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nFor critical Blockchain/DLT bugs with a  non-funds-at risk impact, the reward will be paid out as follows: \n- Network not being able to confirm new transactions (total network shutdown)\nUSD 50 000\n- Unintended permanent chain split requiring hard fork (network partition requiring hard fork)\nUSD 50 000\n- Permanent freezing of funds (fix requires hardfork)\nUSD 50 000\n\nFor high Blockchain/DLT impacts, the reward will be paid out as follows: \n- Unintended chain split (network partition)\nUSD 50 000 \n- Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments\nUSD 30 000\n- Causing network processing nodes to process transactions from the mempool beyond set parameters\nUSD 20 000\n- RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer\nUSD 30 000\n\n__Other term__\n\nFor the asset ([https://github.com/stellar/wasmi](https://github.com/stellar/wasmi)), Stellar uses a fork of parity wasmi with few patches for Soroban. We encourage researchers to submit vulnerabilities for wasmi but we retain the right to declare that a vulnerability is out of scope and should be reported to Parity Tech instead.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Stellar team directly and are denominated in USD. However, payments are done in XLM.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"XLM","slug":"stellar","tenPercentEconomicRule":false,"updatedDate":"2026-02-24T13:37:05.790Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Stellar is a layer-1 open-source, decentralized, peer-to-peer blockchain network that provides a framework for developers to create applications, issue assets, and connect to existing financial rails. Stellar is designed to enable creators, innovators, and developers to build projects on the network that can interoperate with each other.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":4644,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown 
of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"}],"rewards":[{"id":3568,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":250000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":3569,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":3570,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","fixedReward":5000,"rewardModel":"fixed"},{"id":3571,"primacy":null,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3srYKm8XLgdEAsejyAxPyf","url":"https://etherscan.io/address/0x95Af143a021DF745bc78e845b54591C53a8B3A51","type":"smart_contract","addedAt":"2023-02-08T00:16:03.719Z","revision":0,"description":"Unitroller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7dPUcinfilyTTGaxp0nCkY","url":"https://etherscan.io/address/0x1dD7950c266fB1be96180a8FDb0591F70200E018","type":"smart_contract","addedAt":"2023-02-08T00:16:18.028Z","revision":0,"description":"fOUSG","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5m5sl5AJuhaU7DN1WKCG7r","url":"https://etherscan.io/address/0x465a5a630482f3ab
D6d3b84B39B29b07214d19e5","type":"smart_contract","addedAt":"2023-02-08T00:16:31.803Z","revision":0,"description":"fUSDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"JlXtYANSMQq0V567TSqKL","url":"https://etherscan.io/address/0xe2bA8693cE7474900A045757fe0efCa900F6530b","type":"smart_contract","addedAt":"2023-02-08T00:16:44.600Z","revision":0,"description":"fDAI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2b3nwNQptXOzbqdp7fAg9C","url":"https://etherscan.io/address/0x1C9A2d6b33B4826757273D47ebEe0e2DddcD978B","type":"smart_contract","addedAt":"2023-03-21T16:58:19.845Z","revision":0,"description":"fFRAX","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4DzKDgmfFOqEO7WRM9eNCh","url":"https://etherscan.io/address/0x81994b9607e06ab3d5cF3AffF9a67374f05F27d7","type":"smart_contract","addedAt":"2023-03-21T16:58:44.469Z","revision":0,"description":"fUSDT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3cNNxtWHNFeHOy8N602BnX","url":"https://etherscan.io/address/0xba9b10f90b0ef26711373a0d8b6e7741866a7ef2","type":"smart_contract","addedAt":"2023-02-08T00:16:59.877Z","revision":0,"description":"OndoPriceOracle V2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2JBMLU4aKBFWfDVEo9DCXB","url":"https://etherscan.io/address/0x336505EC1BcC1A020EeDe459f57581725D23465A","type":"smart_contract","addedAt":"2023-02-08T00:17:14.556Z","revision":0,"description":"GovernorBravoDelegator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6uyvMFDV21FFpnskrUiH4c","url":"https://etherscan.io/address/0x2c5898da4DF1d45EAb2B7B192a361C3b9EB18d9c","type":"smart_contract","addedAt":"2023-02-08T00:17:27.375Z","revision":0,"description":"Timelock","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"In some cases, only the proxy contracts are listed as in-scope; however, current implementation and any further updates to the implementation are considered in scope. 
When reporting a bug, please make sure to select the relevant proxy smart contract as the target. \n\nHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program. \n\nIf an impact can be caused to any other asset managed by Flux Finance that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-02-08T16:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4aokvelvaJE4fFquv6ScJb/7533cb65195c3bb2c9707a314aba7776/2023-02-07_08_Small.png","maxBounty":550000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"Flux Finance is a decentralized lending protocol built by the Ondo Finance team.\n\nThe protocol is a fork of Compound V2 with additional functionality to support both permissionless (e.g. USDC) and permissioned (e.g. OUSG) tokens. Permissions are enforced on a per-asset basis. 
For example, a USDC lender won't have any restrictions, but a USDC borrower using OUSG as collateral will need to satisfy OUSG's permissions.\n\nSimilar to Compound, Flux enables overcollateralized lending and borrowing in a peer-to-pool (p2pool) model.\n\nFor more information about Flux Finance, please visit [https://fluxfinance.com/  ](https://fluxfinance.com/)","programType":["Smart Contract"],"project":"Flux Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the[  Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. Bug reports are required to include a runnable PoC in order to prove impact. Exceptions may be made in cases where the vulnerability is objectively evident from simply mentioning the vulnerability and where it exists. However, the bug reporter may be required to provide a PoC at any point in time.\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 25 000 for Critical smart contract bug reports.\n\nThe following known issues are also considered out of scope of this program:\n- Effects from blacklists (e.g. 
KYC revoked, USDC blacklist), if the effect only impacts the specific user.\n- Impact of KYC or sanctions status changes on borrower liquidation\n- Effects from using hypothetical use of tokens that do not follow the ERC-20 standard or include unusual behavior (e.g. transfer tax). If a token has certain functionality but that functionality is currently disabled, the effect will also be considered out of scope.\n- Misuse of admin rights (e.g. malicious admin multi-sig)\n- The protocol is forked from CompoundV2. The fToken contracts are forked from this [commit](https://github.com/compound-finance/compound-protocol/tree/a3214f67b73310d547e00fc578e8355911c9d376). All other contracts (Comptroller, CErc20Delegator, InterestRateModel, etc.) are forked from this [commit](https://github.com/compound-finance/compound-protocol/tree/3affca87636eecd901eb43f81a4813186393905d). Bug reports covering previously-discovered bugs are not eligible for the program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report. Previous audits of CompoundV2 can be found at: [https://docs.compound.finance/v2/security/#audits](https://docs.compound.finance/v2/security/#audits)\n- Any known issues in CompoundV2 up to these commits are considered out of scope. This includes, but is not limited to:\n   - First deposit bug when a market is initialized - example [video](https://youtu.be/_pO2jDgL0XE?t=157)\n   - Discrepancy in borrow rate per block on-chain vs. displayed APY in the UI\n\nPayouts are handled by the __Flux Finance__ team directly and are denominated in USD. However, payouts are done in __USDC__.  
The payment will be made by Flux Finance (the entity).","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"fluxfinance","tenPercentEconomicRule":false,"updatedDate":"2026-02-23T23:08:17.118Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Flux Finance is a decentralized lending protocol built by the Ondo Finance team.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3883,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":3884,"type":"smart_contract","severity":"medium","title":"Miner-extractable value (MEV)"},{"id":3885,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 24 hours"},{"id":3886,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":3887,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":40571,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":550000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":40572,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":25000,"rewardModel":"fixed"},{"id":40573,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":40574,"primacy":null,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"2kq8YfrkfDfU3PjjmOLEaQ","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-05-29T15:18:46.247Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"3q6Ww4Zmb5xTFDecNIOyP9","url":"https://github.com/0xProject/0x-settler/tree/master/src","type":"smart_contract","addedAt":"2024-05-29T15:17:15.386Z","revision":0,"description":"0x Settler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Om3uqsmkOBGssW4r9QNx4","url":"https://matcha.xyz/","type":"websites_and_applications","addedAt":"2024-05-29T15:18:04.679Z","revision":0,"description":"Matcha 
website","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5oaLGfx87KH7r3uC74SD9v","url":"https://api.0x.org/gasless/","type":"websites_and_applications","addedAt":"2024-05-29T15:17:48.060Z","revision":0,"description":"gasless API","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6zLYnGVm3qvETl3rHRARrX","url":"https://api.0x.org/swap/","type":"websites_and_applications","addedAt":"2024-05-29T15:17:32.313Z","revision":0,"description":"swap API","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7Abi8kqlXJ6yiycwjtU6RD","url":"https://meta.matcha.xyz","type":"websites_and_applications","addedAt":"2025-07-24T14:11:14.960Z","revision":0,"description":"DEX Meta Aggregator","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Documentation and further resources can be found on [https://0x.org/docs/](https://0x.org/docs/)\n\nFor brevity regarding Smart Contract Assets\n\n- the source tree on GitHub ([https://github.com/0xProject/0x-settler/tree/master/src](https://github.com/0xProject/0x-settler/tree/master/src)) \n- Deployer:\n    - 0x00000000000004533Fe15556B1E086BB1A72cEae\n    - any contract holding a \"Deployer\" ERC721 token (each a \"Settler\")\n- AllowanceHolder:\n    - 0x0000000000001fF3684f28c67538d4D072C22734\n    - 0x0000000000005E88410CcDFaDe4a5EfaE4b49562\n    - 0x000000000000175a8b9bC6d539B3708EEd92EA6c\n- ERC2771 forwarding MultiCall\n    - 0x00000000000000CF9E3c5A26621af382fA17f24f\n- Cross-chain receiver factory\n    - 0x00000000000000304861c3aDfb80dd5ebeC96325\n- Pauser Safe module\n    - 0x1CeC01DC0fFEE5eB5aF47DbEc1809F2A7c601C30\n \n\nThe scope is limited to these addresses, but *is not limited to any chain*. These contracts are deployed to many mainnet chains (the test-nets are not in scope). 
Presently the supported mainnet chains are: Ethereum mainnet, Ethereum Sepolia, Polygon, Base, Optimism, Arbitrum, Blast, Bnb, Mode, World Chain, Gnosis, Fantom Sonic, Ink, Monad testnet, Avalanche, Unichain, Berachain, Scroll, HyperEvm, Katana, Mantle, Taiko, and Linea. There will be many new chains added in the near future.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Polygon","Avalanche","Arbitrum","Base","Blast","BSC","ETH","Linea","Mantle","Mode","Optimism","Scroll","Solana","xDAI / Gnosis Chain"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Pro","Managed Triage: Time Saver","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-07-30T16:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/lyQiC5BZ6cB4x9bgGUFPi/dd8c99b13df7edf308ca678c0607ee48/dlhDYt89_400x400.png","maxBounty":1000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["DEX"],"programOverview":"0x is the trusted open source settlement layer for the permissionless global exchange of value.\n\nFor more information about 0x, please visit http://0x.org/\n\n0x provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n__KYC Requirement__\n\n0x will be requesting KYC information in order to pay the full reward for successful bug submissions. The following information will be required:\n\n- For US based individual(s)/team(s): https://www.irs.gov/pub/irs-pdf/fw9.pdf \n    - Full name \n    - Date of birth\n    - Address\n    - SSN (Social Security Number) or EIN (Employment Identification Number)\n- For non-US based individual(s)/team(s): https://www.irs.gov/pub/irs-prior/fw8ben--2021.pdf\n    - Full Name\n    - Country of citizenship\n    - Address\n    - FTIN (Foreign Tax Identifying Number)\n\nIf a security researcher chooses to not provide information for KYC, they will receive 70% of the reward that one can potentially earn. \n\n\n__Primacy of Impact__\n\n0x adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract / Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- Exploits resulting in the loss of the senders/signers own funds due to incorrect smart contract behavior that is introduced by incorrect encoding of actions, incorrect action sequencing, misuse of provided slippage fields, or making `BASIC` calls to attacker-controlled contracts; or that could be mitigated by an alternative encoding of actions, making use of provided actions, or making use of provided slippage fields. Or in plain English: using the contracts wrong and losing your own money isn't a bug.\n\n__Previous Audits__\n\n0x’s completed audit reports can be found at https://github.com/0xProject/0x-settler/tree/master/audits. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, 0x has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract","Websites and Applications"],"project":"0x","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 1 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 100 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nOnly the impact of direct theft of user funds **at-rest** is eligible for the maximum payout of USD 1 000 000; all other Critical-level smart contract reports are eligible for a maximum payout of USD 500 000.\n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 35 000 to USD 100 000 depending on the funds at risk, capped at the maximum high reward. \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nCritical web/app bug reports will be rewarded with USD 50 000 only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Malicious interactions with an already-connected wallet\n- Private key or private key generation leakage leading to unauthorized access to user funds\n\nAll other impacts that would be classified as Critical will be rewarded with a flat amount of USD 15 000. The rest of the severity levels are paid out according to the Impact in Scope table.\n\n__Reward Payment Terms__\n\nPayouts are handled by the 0x team directly and are denominated in USD. 
However, payments are done in USDC on Ethereum.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"0x","tenPercentEconomicRule":false,"updatedDate":"2026-02-23T20:10:41.904Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_2","description":"0x provides DEX aggregation services.  These services are made up of API, Web and mobile frontends, and smart contracts.  The primary services that are offered include: same chain token swaps, cross-chain swaps, gasless swaps, meta aggregation swaps.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":4921,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4922,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email, Password of the victim etc."},{"id":4923,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:  Email address, Phone number, Physical address, etc."},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4924,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Changing the name of user, Enabling/disabling notifications"},{"id":4925,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:  Reflected HTML injection, Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":4926,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4927,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":4928,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Making trades, Withdrawals, 
etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4929,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"}],"rewards":[{"id":41491,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":41492,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":35000,"rewardModel":"range"},{"id":41493,"primacy":null,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":41494,"primacy":null,"severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":15000,"rewardModel":"range"},{"id":41495,"primacy":null,"severity":"high","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":41496,"primacy":null,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1FSwpz3sYWqsBHdQogooWw","url":"https://github.com/hiero-ledger/hiero-consensus-node","type":"blockchain_dlt","addedAt":"2025-01-31T10:53:46.365Z","revision":0,"description":"Hedera Services Codebase","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Nq50tmnZRHD0YsLGx1pSD","url":"https://github.com/hiero-ledger/hiero-sdk-java","type":"blockchain_dlt","addedAt":"2025-02-03T03:28:14.654Z","revision":0,"description":"Hedera Java 
SDK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1XwshECZ3LYmloS6Yax244","url":"https://github.com/hiero-ledger/hiero-sdk-js","type":"blockchain_dlt","addedAt":"2025-02-03T03:28:37.377Z","revision":0,"description":"Hedera Javascript SDK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6wjloyjBr0cAgodgvH3Z5b","url":"https://github.com/hiero-ledger/hiero-sdk-go","type":"blockchain_dlt","addedAt":"2025-02-03T03:29:06.862Z","revision":0,"description":"Hedera GO SDK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4bprSu6vVW8iZ9vDpWdo7k","url":"https://github.com/hiero-ledger/hiero-sdk-swift","type":"blockchain_dlt","addedAt":"2025-02-03T03:29:24.452Z","revision":0,"description":"Hedera SWIFT SDK","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3PkiJoYu46jjRseFWMgZkt","url":"https://github.com/hiero-ledger/hiero-mirror-node","type":"blockchain_dlt","addedAt":"2025-02-03T03:29:42.914Z","revision":0,"description":"Hedera Mirror Node Codebase","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5m35lRdkKz1h43niRWBURW","url":"https://github.com/hashgraph/hedera-transaction-tool","type":"blockchain_dlt","addedAt":"2025-02-03T03:29:59.491Z","revision":0,"description":"Hedera Transaction Tool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"60244dHXbTx4P0g0jkBgr4","url":"https://github.com/hiero-ledger/hiero-json-rpc-relay","type":"blockchain_dlt","addedAt":"2025-02-03T03:30:19.225Z","revision":0,"description":"JSON RPC Relay","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-02-05T04:21:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1mdLr3Lrnw2O3ImGQmB84V/1618014dbfe7c18c0da68a28d63c603b/hedera.png","maxBounty":30000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Suggestions for places to start__\n\n- Ability to execute system commands\n- Signing transactions for other users\n- Redirection of user deposits and withdrawals\n- Tampering with or manipulating Hashgraph history to invalidate transactions\n- Tampering with submitted transactions\n- Authorizing transactions without approval from the required signers/owners\n- Preventing the network from reaching consensus on transactions that are submitted\n- Preventing gossip of a transaction or multiple transactions\n- Bugs that cause the in-scope service to crash (e.g., non-network-based DoS)\n- Remote code execution vulnerabilities\n- Attacks that cause a probabilistic consensus failure, or a deterministic consensus failure in reconnected nodes\n- Effective non-network-bandwidth-flooding DDoS attacks (e.g., transaction hammering)\n- Malicious capabilities of Hedera Token Service functions exposed via System contracts (e.g. transferring assets out of an account without permissions)\n- System smart contract modifiers not respected\n- Bugs in the economic system that defraud other participants (e.g. avoiding transaction fees to full nodes)\n- Preventing a node from accessing the network\n- Incorrect or missing records exported to mirror nodes\n- Correct transaction fees not being applied\n- Unauthorized Hedera Token Service (HTS) activity\n- Overpayment or underpayment of staking rewards\n- Theft of unpaid staking rewards\n- Sensitive information leakage (e.g., private keys, wallet credentials, etc.). 
Public keys are excluded from this scope","productType":[],"programOverview":"Hedera is a fully open source, proof-of-stake, public network and governing body for building and deploying decentralized applications. It offers developers three primary services: Solidity-based smart contracts, consensus, and token services. Hedera is unique in that it is incredibly fast, energy-efficient (carbon negative), and secure — these advantages can be attributed to its underlying hashgraph consensus algorithm.\n\nFor more information about Hedera, please visit https://hedera.com/\n\nHedera provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__\n\nHedera will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of passport or other government-issued ID\n- PEP (politically exposed person) status\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in the audit review\n- Politically exposed persons (PEPs)\n- Persons otherwise barred due to OFAC regulations","programType":["Blockchain/DLT"],"project":"Hedera","projectType":[],"rewardsBody":"__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward [$30,000]. 
However, a minimum reward of USD [$10,000] is to be rewarded in order to incentivize security researchers against withholding a bug report.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"hedera","tenPercentEconomicRule":false,"updatedDate":"2026-02-23T09:48:23.070Z","impactsBody":"__Suggestions for places to start__\n\n- Ability to execute system commands\n- Signing transactions for other users\n- Redirection of user deposits and withdrawals\n- Tampering with or manipulating Hashgraph history to invalidate transactions\n- Tampering with submitted transactions\n- Authorizing transactions without approval from the required signers/owners\n- Preventing the network from reaching consensus on transactions that are submitted\n- Preventing gossip of a transaction or multiple transactions\n- Bugs that cause the in-scope service to crash (e.g., non-network-based DoS)\n- Remote code execution vulnerabilities\n- Attacks that cause a probabilistic consensus failure, or a deterministic consensus failure in reconnected nodes\n- Effective non-network-bandwidth-flooding DDoS attacks (e.g., transaction hammering)\n- Malicious capabilities of Hedera Token Service functions exposed via System contracts (e.g. transferring assets out of an account without permissions)\n- System smart contract modifiers not respected\n- Bugs in the economic system that defraud other participants (e.g. avoiding transaction fees to full nodes)\n- Preventing a node from accessing the network\n- Incorrect or missing records exported to mirror nodes\n- Correct transaction fees not being applied\n- Unauthorized Hedera Token Service (HTS) activity\n- Overpayment or underpayment of staking rewards\n- Theft of unpaid staking rewards\n- Sensitive information leakage (e.g., private keys, wallet credentials, etc.). 
Public keys are excluded from this scope","websiteUrl":"https://hedera.com/","githubUrl":"https://github.com/hiero-ledger","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Hedera is a fully open source, proof-of-stake, public network and governing body for building and deploying decentralized applications. It offers developers three primary services: Solidity-based smart contracts, consensus, and token services. Hedera is unique in that it is incredibly fast, energy-efficient (carbon negative), and secure — these advantages can be attributed to its underlying hashgraph consensus algorithm.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"__Blockchain/DLT__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 2/3 attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","customProhibitedActivities":[],"impacts":[{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":5319,"type":"blockchain_dlt","severity":"critical","title":"Network partition caused outside of design parameters"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct 
risk"},{"id":5320,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent freezing of funds"},{"id":5321,"type":"blockchain_dlt","severity":"critical","title":"Any impact caused by Tampering/Manipulating Hashgraph history"},{"id":5322,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":5323,"type":"blockchain_dlt","severity":"high","title":"Preventing gossip of a transaction or multiple transactions"},{"id":5324,"type":"blockchain_dlt","severity":"high","title":"Reorganizing transaction history without direct theft of funds"},{"id":5325,"type":"blockchain_dlt","severity":"high","title":"Any impacts caused by Tampering with submitted transactions"},{"id":5326,"type":"blockchain_dlt","severity":"high","title":"Authorizing transactions without approval from signers/owners"},{"id":5327,"type":"blockchain_dlt","severity":"high","title":"Non-network-based DoS affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":5328,"type":"blockchain_dlt","severity":"medium","title":"Incorrect or missing records exported to mirror nodes"},{"id":5329,"type":"blockchain_dlt","severity":"medium","title":"Impacts caused by griefing with no economic damage to any user on the network"},{"id":5330,"type":"blockchain_dlt","severity":"medium","title":"Theft of unpaid staking rewards"},{"id":5331,"type":"blockchain_dlt","severity":"medium","title":"Modification of transaction fees outside of design 
parameters"}],"rewards":[{"id":14340,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":30000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":14341,"primacy":null,"severity":"high","assetType":"blockchain_dlt","maxReward":10000,"minReward":3000,"rewardModel":"range"},{"id":14342,"primacy":null,"severity":"medium","assetType":"blockchain_dlt","fixedReward":3000,"rewardModel":"fixed"}],"audits":[{"id":"6bzobRsK7slDVxo5g8I3mQ","url":"https://hedera.com/audits-and-standards","auditor":"All Audit Reports","date":"2025-02-05T00:00:00.000Z"}]},{"assets":[{"id":"6ZyuP63lnWlRAJFkwc0SHS","url":"https://etherscan.io/address/0x7613D202Af490c3d1cE1873b0a7022a34E89815f","type":"smart_contract","addedAt":"2026-01-21T11:27:22.127Z","revision":0,"description":"eWSTETH Intermediate Credit Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6tytRoQFSHmzwDbJ1d2JUq","url":"https://etherscan.io/address/0x75029a47f28550C93Ad5A3BbD2d9b5315204B561","type":"smart_contract","addedAt":"2026-01-21T11:27:22.140Z","revision":0,"description":"aWSTETH Intermediate Credit Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2QlIEVqh8EXvdcNtDsvYs7","url":"https://etherscan.io/address/0x87b8081A3ace680f35125F469526Ac10f5418Ca7","type":"smart_contract","addedAt":"2025-10-09T11:25:02.005Z","revision":0,"description":"eWETH Intermediate Credit Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3KPWTCbSspspP26TgaiPQ0","url":"https://etherscan.io/address/0xB5Eb1d005e389Bef38161691E2083b4d86FF647a","type":"smart_contract","addedAt":"2025-10-09T11:24:34.990Z","revision":0,"description":"Intermediate Vault Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"59IklEDHPkB71fwfYjfnfk","url":"https://etherscan.io/address/0x335AB81f1C3d9f72639004d3e982902458CF29b3","type":"smart_contract","addedAt":"2025-10-09T11:25:55.273Z","revision":0,"description":"Euler Leverage 
Operator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"60tZnpcchN6yiO6hOpU41V","url":"https://etherscan.io/address/0xb001f039D76bA48E577A17c04b6940DB37aF8648","type":"smart_contract","addedAt":"2025-10-09T11:25:14.895Z","revision":0,"description":"Euler Oracle Router","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Yf3WyBHvvFQsfQ6sWweXs","url":"https://etherscan.io/address/0x0acd3A3c8Ab6a5F7b5A594C88DFa28999dA858aC","type":"smart_contract","addedAt":"2025-10-09T11:25:25.946Z","revision":0,"description":"Vault Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6kyGbPvccklgygiMtEDdD7","url":"https://etherscan.io/address/0xa1517cCe0bE75700A8838EA1cEE0dc383cd3A332","type":"smart_contract","addedAt":"2025-10-09T11:24:48.946Z","revision":0,"description":"Collateral Vault Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98749","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"98826","url":"https://etherscan.io/address/0xFaBA8f777996C0C28fe9e6554D84cB30ca3e1881","type":"smart_contract","addedAt":"2026-02-13T08:58:12.349Z","revision":0,"description":"awstETH Wrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98827","url":"https://etherscan.io/address/0x868a21426852A775395d4b90De23B3e3E662bd78","type":"smart_contract","addedAt":"2026-02-13T08:58:12.349Z","revision":0,"description":"Aave V3 Teleport Operator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98828","url":"https://etherscan.io/address/0x451949bde57aBe2F5DBD4758Cd50C6DCfC093A4C","type":"smart_contract","addedAt":"2026-02-13T08:58:12.349Z","revision":0,"description":"Aave V3 Leverage 
Operator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98829","url":"https://etherscan.io/address/0x229fE10bC00bBE99Ac99703647D4f74F31605e91","type":"smart_contract","addedAt":"2026-02-13T08:58:12.349Z","revision":0,"description":"Aave V3 Deleverage Operator","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2026-01-16T14:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1tEO5hy6BK1IitUVevC7Mm/70f476b0452b9f6af1b327ceaa34bea9/Twyne.png","maxBounty":50000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Lending"],"programOverview":"Twyne is a modular risk layer that leverages credit-delegation to unlock new levels of capital efficiency in lending markets. Twyne empowers lending market users with the freedom to focus on their individual goals: lenders can re-lend, borrowers can re-borrow, and together they drive the emergence of new markets, ensuring capital flows to where it is needed most.\n\nFor more information about Twyne, please visit [https://twyne.xyz/](https://twyne.xyz/).\n\nTwyne provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section.\n\n__Responsible Publication__\n\nTwyne adheres to  **Category 2: Notice Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. 
For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nTwyne adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n- Twyne inherits the assumptions of external lending markets it integrates. So security issues with Euler, for example, won’t be considered for a bounty.\n- If the reserved credit amount after calling handleExternalLiquidation() is too small, debt may not be socialized and the entire batch will revert. Since these are small positions, it’s fine. Protocol can pay intermediate vault on collateral vault’s behalf.\n- Issues stemming from external lending protocol changing its liquidation ltv. We’re bringing an upgrade to handle this soon.\n- No slippage check on liquidate() or handleExternalLiquidation(). Liquidators need to check for slippage on their side.\n- Credit reservation may fail if the intermediate vault doesn’t have enough liquidity.\n- Issues related to chain re-orgs and network liveness\n- Incompatibilities with ERC-4626 and ERC-20 unless they pose a direct security risk\n- Issues related to censorship / frontrunning users that interact with Pyth and RedStone. We expect users to interact with the EVC or another multicall-like contract to update the price and retrieve it in a single call\n- Issues stemming from sequencer downtime on L2s, including but not limited to inexistent sequencer liveness checks\n- Any issue related to stuck funds for tokens that are airdropped to Twyne contracts\n- Any issue related to rewards accrued to Twyne contracts, example: rewards assigned by external lending protocol or integrations\n\n__Previous Audits__\n\nTwyne’s completed audit reports can be found at [https://twyne.gitbook.io/twyne/resources/security](https://twyne.gitbook.io/twyne/resources/security). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract"],"project":"Twyne","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 50 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 10 000 to USD 3 000 depending on the funds at risk, capped at the maximum high reward.  
\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Twyne team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"twyne","tenPercentEconomicRule":false,"updatedDate":"2026-02-22T21:13:45.399Z","impactsBody":"All vaults deployed using `CollateralVaultFactory` are considered in scope","websiteUrl":"https://twyne.xyz/","githubUrl":"https://github.com/0xTwyne/","eligibilityCriteria":[],"responsiblePublicationCategory":"category_2","description":"Twyne is a modular risk layer that leverages credit-delegation to unlock new levels of capital efficiency in lending markets. Twyne empowers lending market users with the freedom to focus on their individual goals: lenders can re-lend, borrowers can re-borrow, and together they drive the emergence of new markets, ensuring capital flows to where it is needed most.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":" - Reverts originating from operator contracts that solely prevent the execution of batched transactions shall be deemed out of scope.","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":5742,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (for at least 24 hours)"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"}],"rewards":[{"id":41257,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":41258,"primacy":null,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":3000,"rewardModel":"range"}],"audits":[{"id":"1beurkDiyFA3vxpT3NCjN0","url":"https://twyne.gitbook.io/twyne/resources/security","auditor":"All 
Audits","date":"2026-01-16T00:00:00.000Z"}]},{"assets":[{"id":"db_2a96bef9-9bd7-4782-b9e0-b0ba6d78618f","url":"https://mantlescan.xyz/address/0xe9827B4EBeB9AE41FC57efDdDd79EDddC2EA4d03","type":"smart_contract","addedAt":"2026-02-19T04:32:08.367Z","revision":0,"description":"AgniPoolDeployer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_b15fe2fc-b94e-460e-8829-eb8a0f06a4e4","url":"https://mantlescan.xyz/address/0x25780dc8Fc3cfBD75F33bFDAB65e969b603b2035","type":"smart_contract","addedAt":"2026-02-19T04:32:21.734Z","revision":0,"description":"AgniFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_9a73563e-b243-4d96-93ef-5fd226d92f6f","url":"https://mantlescan.xyz/address/0x5cfa0f1c4067C90a50B973e5F98CD265de5Df724","type":"smart_contract","addedAt":"2026-02-19T04:32:34.952Z","revision":0,"description":"InitCodeHashAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_8cb8662b-0d33-4eeb-a629-1da29418ea9a","url":"https://mantlescan.xyz/address/0x319B69888b0d11cEC22caA5034e25FfFBDc88421","type":"smart_contract","addedAt":"2026-02-19T04:32:55.825Z","revision":0,"description":"SwapRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_44df51f1-25b2-4465-ba4e-2128173f667b","url":"https://mantlescan.xyz/address/0xc4aaDc921E1cdb66c5300Bc158a313292923C0cb","type":"smart_contract","addedAt":"2026-02-19T04:33:09.139Z","revision":0,"description":"QuoterV2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_e3110c67-5be8-4a54-8518-91d2eca5d2b3","url":"https://mantlescan.xyz/address/0xEcDbA665AA209247CD334d0D037B913528a7bf67","type":"smart_contract","addedAt":"2026-02-19T04:33:25.764Z","revision":0,"description":"TickLens","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_1e4fb69c-6eff-446d-b285-4865f4d0b284","url":"https://mantlescan.xyz/address/0x70153a35c3005385b45c47cDcfc7197c1a22477a","type":"smart_contract","addedAt":"2026-02-19T04:34:01.363Z","revision":0,"description":"NFTDescriptor","isSafeHarbor":false,"is
PrimacyOfImpact":false},{"id":"db_4b72b170-bf72-4e60-94c9-083a2de80d4f","url":"https://mantlescan.xyz/address/0xcb814b767D41b4BD94dA6Abb860D25b607ad5764","type":"smart_contract","addedAt":"2026-02-19T04:34:15.462Z","revision":0,"description":"NonfungibleTokenPositionDescriptor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_5f791e6c-c426-4360-9975-d39fc34719f5","url":"https://immunefi.com/blog/expert-insights/primacy-of-impact/","type":"smart_contract","addedAt":"2026-02-19T04:36:25.426Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Mantle"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2026-02-18T17:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/program-logos/sebastian%40immunefi.com-B5uBh4kgyZRIozvpWP9RK.png","maxBounty":10000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["DEX"],"programOverview":"AGNI is a permissionless, AMM-based exchange that supercharges spot trades with concentrated liquidity within preferred price ranges for a customized trading experience, driving maximum gains at the lowest risks possible. It runs on Mantle Network, a modular Ethereum layer-2 blockchain that delivers hyperscale performance at low fees, while deriving its security from Ethereum.\n\nA one-stop platform that also offers an easy-to-access launchpad and yield-generating features, users will not only get to know new, innovative crypto tokens, but accelerate their decentralized trading experience in safe and trusted environment. 
Driven by a robust community, AGNI is set to lead the charge for AMM DEXs based on its efficiency, reliability and usability — fit for all types of traders, the DEX companion that you need.\n\nIt is AGNI's vision to build an inclusive, open and community-governed DEX that brings users the best of what decentralized platforms have to offer at present, all in one place.\n\nFor more information about AGNI, please visit [Agni Finance](https://agni.finance/).\n\nAGNI provides rewards in USDT on Mantle, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Responsible Publication__\n\nAGNI adheres to **Category 3: Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n#### \n\n#### Primacy of Impact vs Primacy of Rules\n\nAGNI adheres to the Primacy of Impact for the following impacts:\n\n* Smart Contract  —  Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n#### \n\n#### Proof of Concept (PoC) Requirements\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n#### Previous Audits\n\nAGNI’s completed audit reports can be found at [https://github.com/Secure3Audit/AgniFinance\\_PancakeV3\\_Similarity\\_Analysis](https://github.com/Secure3Audit/AgniFinance_PancakeV3_Similarity_Analysis). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n####","programType":["Smart Contract"],"project":"AGNI","projectType":[],"rewardsBody":"### Rewards by Threat Level\n\n#### Reward Calculation for Critical Level Reports\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 10 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 1 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n#### \n\n#### Repeatable Attack Limitations\n\n* If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. 
\n\n* The amount of funds at risk will be calculated with the impact of the first attack being at **100%** and then a reduction of **25%** from the amount of the first attack for every \\[**300 blocks\\]** the attack needs for subsequent attacks from the first attack, rounded down.\n\n#### \n\n#### \n\n#### Reward Payment Terms\n\nPayouts are handled by the AGNI team directly and are denominated in USD. However, payments are done in USDT on Mantle.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT","slug":"agni","tenPercentEconomicRule":false,"updatedDate":"2026-02-22T20:23:37.963Z","impactsBody":null,"websiteUrl":"https://agni.finance/","githubUrl":"https://github.com/agni-protocol","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"AGNI is a permissionless, AMM-based exchange that supercharges spot trades with concentrated liquidity within preferred price ranges for a customized trading experience, driving maximum gains at the lowest risks possible. It runs on Mantle Network, a modular Ethereum layer-2 blockchain that delivers hyperscale performance at low fees, while deriving its security from Ethereum.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":41236,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":10000,"minReward":1000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[{"id":"db_c2f1b09f-4fc6-46f3-86d6-6d739d290e82","url":"https://github.com/Secure3Audit/AgniFinance_PancakeV3_Similarity_Analysis","auditor":"All audits","date":"2026-02-18T00:00:00.000Z"}]},{"assets":[{"id":"db_3cbc6691-7236-4956-a828-ab3930fac20c","url":"https://etherscan.io/address/0xE138136bFF8c6A9337805DE19177E3b29fef2783","type":"smart_contract","addedAt":"2026-02-13T12:43:44.925Z","revision":0,"description":"InstanceDeployer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_a63f4260-9feb-424e-b1a1-bbacb395584e","url":"https://etherscan.io/address/0xCe90BA68BbcdCCe9aed1fCDDcb114d1DCdBc68C9","type":"smart_contract","addedAt":"2026-02-13T12:43:55.340Z","revision":0,"description":"TimelockFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_59d92e2a-c3fa-495f-9f81-e56551eec27a","url":"https://etherscan.io/address/0x56b6d03b995022A612aF6a212C74902f233F52Cc","type":"smart_contract","addedAt":"2026-02-13T12:44:06.128Z","revision":0,"description":"RecoverySpellFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_ffea289a-afb8-4ac7-bea6-ae8b15b2c4c5","url":"https://etherscan.io/address/0xFE49DD6d0CD41C4EC8F151C79f2d4019f5C5AD18","type":"smart_contract","addedAt":"2026-02-13T12:44:16.721Z","revision":0,"description":"Guard","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_50c171a6-4369-4671-9bc0-9dc9134ad7b5","url":"https://etherscan.io/address/0xd1db2c4A9d2BEBd56d42E59F2d90F4136164faD6","type":"smart_contract","addedAt":"2026-02-13T12:44:27.877Z","revision":0,"description":"AddressCalculation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_7c0bc168-d430-4042-959d-a207d97b6f25","url":"https://etherscan
.io/address/0x146dfd96Da039FDE3B58D5964feF8E8357df2028","type":"smart_contract","addedAt":"2026-02-13T12:44:37.184Z","revision":0,"description":"BytesHelper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_0c8247a7-a932-4e26-8806-be4f771a5d81","url":"https://basescan.org/address/0xE138136bFF8c6A9337805DE19177E3b29fef2783","type":"smart_contract","addedAt":"2026-02-13T12:44:50.744Z","revision":0,"description":"InstanceDeployer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_025ee04b-d8cb-4ba0-b255-fd654d07f5b3","url":"https://basescan.org/address/0xCe90BA68BbcdCCe9aed1fCDDcb114d1DCdBc68C9","type":"smart_contract","addedAt":"2026-02-13T12:45:14.003Z","revision":0,"description":"TimelockFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_a1dd9c28-787b-44c8-b33c-879e0af46cd3","url":"https://basescan.org/address/0x56b6d03b995022A612aF6a212C74902f233F52Cc","type":"smart_contract","addedAt":"2026-02-13T12:45:34.287Z","revision":0,"description":"RecoverySpellFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_6ccba168-22d5-4733-899c-086d23255073","url":"https://basescan.org/address/0xFE49DD6d0CD41C4EC8F151C79f2d4019f5C5AD18","type":"smart_contract","addedAt":"2026-02-13T12:45:43.994Z","revision":0,"description":"Guard","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_df51a2e2-8bda-4bee-9aa7-301a37b63939","url":"https://basescan.org/address/0xd1db2c4A9d2BEBd56d42E59F2d90F4136164faD6","type":"smart_contract","addedAt":"2026-02-13T12:46:33.905Z","revision":0,"description":"AddressCalculation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_39c2c581-02b1-4398-aa48-7a14d593509e","url":"https://basescan.org/address/0x146dfd96Da039FDE3B58D5964feF8E8357df2028","type":"smart_contract","addedAt":"2026-02-13T12:46:43.407Z","revision":0,"description":"BytesHelper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_88b56f62-57f9-4245-a6c7-3ac832ab8824","url":"https://optimistic.etherscan.io/address/0xE138136bFF
8c6A9337805DE19177E3b29fef2783","type":"smart_contract","addedAt":"2026-02-13T12:46:54.581Z","revision":0,"description":"InstanceDeployer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_369291ca-c8ed-4738-8ff0-47fc4bc3dcd5","url":"https://optimistic.etherscan.io/address/0xCe90BA68BbcdCCe9aed1fCDDcb114d1DCdBc68C9","type":"smart_contract","addedAt":"2026-02-13T12:47:04.619Z","revision":0,"description":"TimelockFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_6e5cb4bd-4386-4d14-b043-76e2a735a52e","url":"https://optimistic.etherscan.io/address/0x56b6d03b995022A612aF6a212C74902f233F52Cc","type":"smart_contract","addedAt":"2026-02-13T12:47:29.094Z","revision":0,"description":"RecoverySpellFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_4dc65581-4f68-4076-b028-fa7b2466a376","url":"https://optimistic.etherscan.io/address/0xFE49DD6d0CD41C4EC8F151C79f2d4019f5C5AD18","type":"smart_contract","addedAt":"2026-02-13T12:47:41.401Z","revision":0,"description":"Guard","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_225af58c-f63b-4236-ac7f-439cbbbdd2cd","url":"https://optimistic.etherscan.io/address/0xd1db2c4A9d2BEBd56d42E59F2d90F4136164faD6","type":"smart_contract","addedAt":"2026-02-13T12:47:51.402Z","revision":0,"description":"AddressCalculation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_200a4399-c872-48ee-ac0b-be4c4ec14d4b","url":"https://optimistic.etherscan.io/address/0x146dfd96Da039FDE3B58D5964feF8E8357df2028","type":"smart_contract","addedAt":"2026-02-13T12:48:03.014Z","revision":0,"description":"BytesHelper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"db_7c775771-a320-4726-88b8-d0becc414c5e","url":"https://immunefi.com/bug-bounty/kleidi/information/","type":"smart_contract","addedAt":"2026-02-13T12:48:48.800Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2026-02-13T19:09:05.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/program-logos/phuongn%40immunefi.com-8B83Ue-aQ-fSvpU2qSF8m.png","maxBounty":50000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"The Kleidi Wallet is a collection of smart contracts that can be used to create a full self-custody wallet system for DeFi users. The protocol enables users to access DeFi yields and protocols, pull funds in case of emergency, and recover funds in case of lost keys either through social recovery or predefined backups.\n\nA Timelock module enforces time-delayed execution on all Safe transactions, a Gnosis Guard contract prevents the Safe from bypassing the Timelock, and Recovery Spells enable emergency owner rotation via EIP-712 signatures. Hot signers can execute pre-approved operations immediately through an on-chain calldata whitelisting engine. The system is deployed deterministically via CREATE2, so all contracts share the same addresses across Ethereum, Base, and Optimism. Kleidi Timelocks hold user-deposited ERC-20 tokens and native ETH.\n\nFor more information about Kleidi, please visit [https://kleidi.io/](https://kleidi.io/).\n\nKleidi provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Responsible Publication__\n\nKleidi adheres to Category 2: Notice Required. 
This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nKleidi adheres to the Primacy of Impact for the following impacts:\nSmart Contract  —  Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n[https://github.com/solidity-labs-io/kleidi/blob/main/docs/KNOWN_ISSUES.md](https://github.com/solidity-labs-io/kleidi/blob/main/docs/KNOWN_ISSUES.md)\n\n[https://github.com/solidity-labs-io/kleidi/blob/main/docs/EDGECASES.md](https://github.com/solidity-labs-io/kleidi/blob/main/docs/EDGECASES.md)\n\n__Previous Audits__\n\nKleidi’s completed audit reports can be found at [https://github.com/solidity-labs-io/kleidi/tree/main/audit](https://github.com/solidity-labs-io/kleidi/tree/main/audit). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract"],"project":"Kleidi","projectType":[],"rewardsBody":"__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of **USD 50 000**.  The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of **USD 5 000** is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.\n- The amount of funds at risk will be calculated with the impact of the first attack being at **100%** and then a reduction of **25%** from the amount of the first attack for every **[300 blocks]** the attack needs for subsequent attacks from the first attack, rounded down.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Kleidi team directly and are denominated in USD. 
However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"kleidi","tenPercentEconomicRule":false,"updatedDate":"2026-02-19T17:59:51.088Z","impactsBody":"Deployed Instances. All Timelock, Safe, and RecoverySpell instances deployed through the in-scope factory contracts are also considered in-scope assets. However, vulnerabilities arising from user misconfiguration — such as whitelisting unsafe calldata, failing to configure a guardian, adding an unsafe module, using compromised signing keys, or setting incompatible delay parameters, or setting insecure parameters — are out of scope. See KNOWN_ISSUES.md and EDGECASES.md for documented configuration risks.\n\n[https://github.com/solidity-labs-io/kleidi/blob/main/docs/KNOWN_ISSUES.md](https://github.com/solidity-labs-io/kleidi/blob/main/docs/KNOWN_ISSUES.md)\n\n[https://github.com/solidity-labs-io/kleidi/blob/main/docs/EDGECASES.md](https://github.com/solidity-labs-io/kleidi/blob/main/docs/EDGECASES.md)","websiteUrl":"https://kleidi.io/","githubUrl":"https://github.com/solidity-labs-io","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_auditor","no_employee"],"responsiblePublicationCategory":"category_2","description":"The Kleidi Wallet is a collection of smart contracts that can be used to create a full self-custody wallet system for DeFi users. 
The protocol enables users to access DeFi yields and protocols, pull funds in case of emergency, and recover funds in case of lost keys either through social recovery or predefined backups.","knownIssues":[{"id":1257,"link":"https://github.com/solidity-labs-io/kleidi/blob/main/docs/EDGECASES.md","description":"EDGECASES.md","lastUpdatedAt":"2026-02-13T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1256,"link":"https://github.com/solidity-labs-io/kleidi/blob/main/docs/KNOWN_ISSUES.md","description":"KNOWN_ISSUES.md","lastUpdatedAt":"2026-02-13T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":41105,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[{"id":"db_950713d6-8ef7-4db5-a00c-39179e4372be","url":"https://github.com/solidity-labs-io/kleidi/tree/main/audit","auditor":"All Audits","date":"2026-02-13T00:00:00.000Z"}]},{"assets":[{"id":"26JsPA1SMxGLRJFWNyyy0Q","url":"https://github.com/starkware-libs/starkex-for-spot-trading/tree/master/src/starkware/cairo/dex","type":"blockchain_dlt","addedAt":"2023-06-26T21:49:08.938Z","revision":0,"description":"StarkEx cairo 
code","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1uALipFxm4eyNI0S6q6neE","url":"https://github.com/starkware-libs/stark-perpetual/tree/master/src/services/perpetual/cairo","type":"blockchain_dlt","addedAt":"2023-06-26T21:49:52.755Z","revision":0,"description":"Perpetual cairo code","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Qdp9lxz7qh8F9dVigZZV8","url":"https://github.com/starkware-libs/starkex-contracts/tree/master/scalable-dex","type":"blockchain_dlt","addedAt":"2023-06-26T21:50:04.413Z","revision":0,"description":"Solidity code","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"73O9XSHN2alxD8zHRSdK8g","url":"https://github.com/starkware-libs/starkex-contracts/tree/master/evm-verifier","type":"blockchain_dlt","addedAt":"2023-08-01T22:07:05.962Z","revision":0,"description":"SHARP EVM verifier solidity code ","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4BajHT1TjDfrqDEuYwstMz","url":"https://etherscan.io/address/0xF5C9F957705bea56a7e806943f98F7777B995826","type":"smart_contract","addedAt":"2023-06-26T21:53:16.375Z","revision":0,"description":"Proxy (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Ox9xklgjCd5PrITfIzEYf","url":"https://etherscan.io/address/0x3318074aD502B7dee59463595fba226653944522","type":"smart_contract","addedAt":"2023-06-26T21:53:33.644Z","revision":0,"description":"EscapeVerifier (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6E2SwE9n8HthbC23Iok8Le","url":"https://etherscan.io/address/0x879cD57975d596004863D30c59d579ef78BBbe32","type":"smart_contract","addedAt":"2023-06-26T21:53:47.656Z","revision":0,"description":"Committee (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"23A2gMT9zeu2FNyc7tuJC8","url":"https://etherscan.io/address/0x4EDD62189732e9fF476ABa880b48c29432A7AC9B","type":"smart_contract","addedAt":"2023-06-26T21:54:01.363Z","revision":0,"description":"StarkExchange (Sorare 
contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3HnUtJJDIQxhGgWLtX7Dds","url":"https://etherscan.io/address/0x62BCA4DB742A99c834e2c24b609656A70EA25379","type":"smart_contract","addedAt":"2023-06-26T21:54:13.671Z","revision":0,"description":"AllVerifiers (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"mzf3hOUg6w7MTQ585JoL0","url":"https://etherscan.io/address/0x8536850750956c2FEebeCAB786d82271a5467687","type":"smart_contract","addedAt":"2023-06-26T21:54:28.948Z","revision":0,"description":"TokensAndRamping (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7mpP9VzMapV3YlhBchySep","url":"https://etherscan.io/address/0x1c3A4EfF75a287Fe6249CAb49606FA25659929A2","type":"smart_contract","addedAt":"2023-06-26T21:54:44.762Z","revision":0,"description":"StarkExState (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3hzCJ2e0A6GBKh5zyzfnTW","url":"https://etherscan.io/address/0x3799ad2a4Eb4E882219B02C036656d4ECbD437A1","type":"smart_contract","addedAt":"2023-06-26T21:55:00.454Z","revision":0,"description":"ForcedActions (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4PQZhHvN153xUe0cwCHtjB","url":"https://etherscan.io/address/0x1688abB0B5c72F34B7f78e857Aa317deD5B5D339","type":"smart_contract","addedAt":"2023-06-26T21:55:17.933Z","revision":0,"description":"OnchainVaults (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"esKDUIOnnD9enBZzaq8R3","url":"https://etherscan.io/address/0xB3788a88F063B217227E27ae16Ba550db3132bE6","type":"smart_contract","addedAt":"2023-06-26T21:55:32.171Z","revision":0,"description":"ProxyUtils (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6H4HThlOpBj8LC0T7PLylY","url":"https://etherscan.io/address/0xbcc17446B99465fF01E6816d9bcb2d8b1D7cEdB1","type":"smart_contract","addedAt":"2023-06-26T21:55:44.516Z","revision":0,"description":"GpsFactRegistryAdapter (Sorare 
contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6CypiFZwh8UIC3yLZEY4PZ","url":"https://etherscan.io/address/0x518c4A79a1102eEDc987005CA8cE6B87Ca14dDf8","type":"smart_contract","addedAt":"2023-06-26T21:55:58.021Z","revision":0,"description":"OrderRegistry (Sorare contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"22v7eSx5LhnuFAPiCEaU5Y","url":"https://etherscan.io/address/0x3071BE11F9e92A9eb28F305e1Fa033cD102714e7","type":"smart_contract","addedAt":"2023-06-26T21:59:10.510Z","revision":0,"description":"Proxy (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Q720hPZ1s1JBRflHgRD5G","url":"https://etherscan.io/address/0x3318074aD502B7dee59463595fba226653944522","type":"smart_contract","addedAt":"2023-06-26T21:59:24.251Z","revision":0,"description":"EscapeVerifier (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Or03qpyl4qY2X7Aez6omM","url":"https://etherscan.io/address/0x1e601435E181423e7A8430813d7500012a6169cB","type":"smart_contract","addedAt":"2023-06-26T21:59:37.749Z","revision":0,"description":"Committee (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"31fvnyWOVhJXHzITxZDB9M","url":"https://etherscan.io/address/0xdF2f24751F7e84ccDCD39e7b49904FAB0Fb0f583","type":"smart_contract","addedAt":"2023-06-26T21:59:51.303Z","revision":0,"description":"StarkExchange (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7bDDu8GOe1Go3055gld8os","url":"https://etherscan.io/address/0xfbea22FeB369DB10C0d3a2aAa8F4939E76815f12","type":"smart_contract","addedAt":"2023-06-26T22:00:04.908Z","revision":0,"description":"AllVerifiers (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7543E2QVv2kq96VdZE7Q6l","url":"https://etherscan.io/address/0x2Dbc18A3ac126abE1fF90A83Bbc3947ff7912Afb","type":"smart_contract","addedAt":"2023-06-26T22:00:18.780Z","revision":0,"description":"TokensAndRamping (Myria 
contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6wax0g8VuRHHjbMYDnNlWK","url":"https://etherscan.io/address/0x67e198743BC19fa4757720eDd0e769f8291e1F1D","type":"smart_contract","addedAt":"2023-06-26T22:00:31.688Z","revision":0,"description":"StarkExState (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6SYF4Rvihedlgh24GV2ttv","url":"https://etherscan.io/address/0x613ee54C54D5548627064B4D648942bF3648f376","type":"smart_contract","addedAt":"2023-06-26T22:00:45.444Z","revision":0,"description":"ForcedActions (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6E5RVgBjB8ZCPf4IX5TgEc","url":"https://etherscan.io/address/0xb2ED005D0278179001a49a9969BB22BA8e98f31F","type":"smart_contract","addedAt":"2023-06-26T22:00:59.257Z","revision":0,"description":"OnchainVaults (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2T7y2EO65kb7JLAzrKBPlI","url":"https://etherscan.io/address/0xB5353268d8d4D711a92cb838F8fEDFC2A66E50Db","type":"smart_contract","addedAt":"2023-06-26T22:01:11.666Z","revision":0,"description":"ProxyUtils (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7qKVcb7AKc1gVUaRaDUSwi","url":"https://etherscan.io/address/0x5339AB7557b3152b91A57D10B0Caf5da88Db5143","type":"smart_contract","addedAt":"2023-06-26T22:01:25.898Z","revision":0,"description":"GpsFactRegistryAdapter (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1l500txNTpNzgfaF7VZ9Aw","url":"https://etherscan.io/address/0x806d435a82B0381bD884540c2235147c13B97fe6","type":"smart_contract","addedAt":"2023-06-26T22:01:39.064Z","revision":0,"description":"OrderRegistry (Myria contract)","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Impacts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production. For those assets, the code is in scope only if it relates to the latest commit in the master branch. 
\n\nAny impact that applies to assets not in active use, like test or mock files, is out-of-scope of the bug bounty program unless explicitly mentioned as in-scope. \n\n__Blockchain/DLT__ \n\n- __Blockchain/DLT - PoC__, Blockchain/DLT bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.  \n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Smart Contracts__ \n\n- __Smart Contracts - PoC__, Smart Contract bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.  \n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Impacts in Scope__\n\n(For Blockchain/DLT and Smart Contracts Only) This program is considered to be governed by Primacy of Rule. 
For more information on what this means visit: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nImpacts are based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/)\n\nAt Immunefi, we classify bugs on a simplified 5-level scale:\n- Critical\n- High\n- Medium\n- Low\n- None","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-06-27T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6t4qbnsCLpWXBvsPoQ5s2g/17cf9df21e075276f7522e2ca3c67e9c/StarkEx-symbol.png","maxBounty":500000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are considered out-of-scope and ineligible for payout.","productType":["DEX","Perpetuals"],"programOverview":"StarkEx leverages STARK technology to power scalable, self-custodial trading and payment transactions for applications such as DeFi and gaming. StarkEx enables an application to scale significantly and improve transaction speed while also reducing transaction costs. StarkEx is a production-grade platform that has been deployed on Ethereum Mainnet since June 2020 and settled over $800B since then.\n\nFor more information about StarkEx, please visit [https://starkware.co/starkex/](https://starkware.co/starkex/).\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nStarkEx adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__For Whitehats:__ It is highly recommended that you review the details of this program in full. Although many Bug Bounty programs have standard terms and conditions, each also has its own unique details that are critical to your success.  \n\nPrior to submitting a report please review the Immunefi [Bug Report Template and Best Practices](https://immunefisupport.zendesk.com/hc/en-us/articles/12435277406481-Bug-Report-Template).","programType":["Smart Contract","Blockchain/DLT"],"project":"StarkEx","projectType":["Defi"],"rewardsBody":"__Reward Distribution__\n\nPlease review how rewards are distributed based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/) This is a simplified 5-level scale system with separate scales for Blockchain/DLTs and Smart Contracts.\n\n__Payouts and Payout Requirements__\n\nPayouts are handled by StarkWare directly and are denominated in USD. However, payouts are done in USDC. StarkWare commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures. \n\nRewards for both critical Blockchain/DLT and critical Smart Contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 40 000 and a maximum reward of USD 500 000 for Blockchain/DLT vulnerabilities; minimum reward of USD 50 000 and a maximum reward of USD 1 000 000 for Smart Contracts vulnerabilities. 
\n\nFor the purposes of determining report validity, this is a Primacy of Rule program. \n\nLearn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\nStarkWare does have a Know Your Customer (KYC) requirement for bug bounty payouts. \n\nStarkWare requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is a full legal name, residential address, date of birth and copy of national ID/passport. Bounty hunters must pass OFAC Screening. Rewards cannot be paid out if hunters are on the OFAC SDN list and/or do not complete the KYC.\n\nKYC information is only required on confirmation of the validity of a bug report.   \n\n__Audit Discoveries and Known Issues__\n\nBug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. 
\n\nPrevious audits and known issues can be found at:\n[https://github.com/starkware-libs/starkex-contracts/tree/master/audit ](https://github.com/starkware-libs/starkex-contracts/tree/master/audit)","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"starkex","tenPercentEconomicRule":false,"updatedDate":"2026-02-18T13:58:05.314Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"StarkEx leverages STARK technology to power scalable, self-custodial trading and payment transactions for applications such as DeFi and gaming. StarkEx enables an application to scale significantly and improve transaction speed while also reducing transaction costs.StarkEx is a production-grade platform that has been deployed on Ethereum Mainnet since June 2020 and settled over $800B since then.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Broken link hijacking is out of scope\n- Attacks requiring access to Operator’s API\n- Best practice critiques\n- Attacks requiring privileged access from within the organization\n- SPF records for email domains","customProhibitedActivities":["Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team, which may also result in: 1) the forfeiture and loss of access to all bug submissions, and 2) zero payout.","Please note that Immunefi has no tolerance for spam/low-quality/incomplete bug reports, “beg bounty” behavior, and misrepresentation of assets and severity. 
Immunefi exists to protect the global crypto community, not facilitate grift."],"impacts":[{"id":4320,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of funds for at least 1 week"},{"id":4321,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least a week"},{"id":4322,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs for at least a week"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of 
NFTs"}],"rewards":[{"id":40208,"primacy":null,"severity":"critical","assetType":"blockchain_dlt","maxReward":250000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":40209,"primacy":null,"severity":"high","assetType":"blockchain_dlt","fixedReward":15000,"rewardModel":"fixed"},{"id":40210,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":40211,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":15000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"98981","url":"https://polygonscan.com/address/0xfdc7b8bFe0DD3513Cc669bB8d601Cb83e2F69cB0","type":"smart_contract","addedAt":"2026-02-17T15:53:24.620Z","revision":0,"description":"PoolFactory and linked contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98982","url":"https://optimistic.etherscan.io/address/0x5e61a079A178f0E5784107a4963baAe0c5a680c6","type":"smart_contract","addedAt":"2026-02-17T15:53:24.620Z","revision":0,"description":"PoolFactory and linked contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98983","url":"https://etherscan.io/address/0x96D33bCF84DdE326014248E2896F79bbb9c13D6d","type":"smart_contract","addedAt":"2026-02-17T15:53:24.620Z","revision":0,"description":"PoolFactory and linked contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98984","url":"https://basescan.org/address/0x49Afe3abCf66CF09Fab86cb1139D8811C8afe56F","type":"smart_contract","addedAt":"2026-02-17T15:53:24.620Z","revision":0,"description":"PoolFactory and linked contracts","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98985","url":"https://arbiscan.io/address/0xffFb5fB14606EB3a548C113026355020dDF27535","type":"smart_contract","addedAt":"2026-02-17T15:53:24.620Z","revision":0,"description":"PoolFactory and linked contracts","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Deployed contracts that 
are currently linked to the PoolFactory are considered in scope. Linked contracts include, but not limited to: vault implementation contracts (PoolLogic, PoolManagerLogic), numerous contract/asset guards (3rd party integrations related code) and price aggregator contracts used for assets pricing.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Base","ETH","Optimism","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-11-09T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7jfCx6b5D8nfAMemuBnaOW/25d35d4095909785d015401d8cff263f/dHEDGE_logo.jpeg","maxBounty":50000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Asset Management"],"programOverview":"dHEDGE is a one-stop location for managing investment activities on the blockchain where you can put your capital to work in different strategies based on a transparent track record. Multi-chain, non-custodial, decentralized asset management integrated with multiple protocols; allowing for trades, providing liquidity and yield farming.\n\nFor more information about dHEDGE, please visit [https://app.dhedge.org/](https://app.dhedge.org/).   
\n\nThis bug bounty program is focused on their smart contracts and is focused on preventing:\n\n  - Loss of user funds by freezing or theft\n  - Loss of governance funds\n  - Theft of unclaimed yield\n  - Freezing of unclaimed yield\n  - Temporary freezing of funds for any amount of time\n  - Deposit and withdrawal bugs\n  - Protocol integration bugs","programType":["Smart Contract"],"project":"dHEDGE","projectType":["Defi"],"rewardsBody":"If a vulnerability is found in integration-related contracts (such as contract guards or asset guards), the funds at risk should be calculated per chain, based on which deployments actually include the affected integration.\n\nIn the dHEDGE system, managers/traders are generally not considered trusted, and issues exploitable by a manager/trader are typically treated as putting user funds at risk. However, this assumption does not apply to vaults managed directly by the protocol team. Vaults operated by dHEDGE itself or by incubated protocols under its operational control (e.g., Toros, mStable) should be considered trusted. Therefore, if a vulnerability is exploitable only by a permissioned manager/trader, the funds at risk should exclude vaults under direct team management.\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"dhedge","tenPercentEconomicRule":false,"updatedDate":"2026-02-17T16:15:11.006Z","impactsBody":"dHEDGE vaults are trust minimized, meaning that the vault manager may not follow a set strategy, or may make bad trades, including trades with poor slippage. 
A complete loss of funds is possible via poor risk-management strategies by the manager. These types of losses are not in scope for the bounty.","websiteUrl":"https://dhedge.org/","githubUrl":"https://github.com/dhedge/V2-Public","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"dHEDGE is a one-stop location for managing investment activities on the blockchain where you can put your capital to work in different strategies based on a transparent track record. Multi-chain, non-custodial, decentralized asset management integrated with multiple protocols; allowing for trades, providing liquidity and yield farming.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Attacks by privileged manager accounts which relate to poor trading practices or slippage. \n  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of 
funds"}],"rewards":[{"id":41068,"primacy":null,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":2000,"rewardModel":"range","rewardCalculationPercentage":0.1},{"id":41069,"primacy":null,"severity":"high","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"1296","url":"https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Ff03kK69OTEEthfwi6VoC%2Fuploads%2FoacAphKLdPdHKiU9sPIw%2FSherlock%20Audit%20%E2%80%93%20mStable%20Pendled%20sUSDe%20(via%20dHEDGE).pdf?alt=media&token=b53f3638-0019-48a8-af2a-b8affc8471f5","auditor":"Sherlock","date":"2025-09-06T00:00:00.000Z"},{"id":"1297","url":"https://github.com/santipu03/santipu03/blob/main/private-audits/dHEDGE_GMX.md","auditor":"Santipu","date":"2025-01-20T00:00:00.000Z"},{"id":"1298","url":"https://github.com/santipu03/santipu03/blob/main/private-audits/dHEDGE_Aave.md","auditor":"Santipu","date":"2025-01-15T00:00:00.000Z"},{"id":"1299","url":"https://github.com/santipu03/santipu03/blob/main/private-audits/dHEDGE_SAW.md","auditor":"Santipu","date":"2024-10-07T00:00:00.000Z"},{"id":"1300","url":"https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Ff03kK69OTEEthfwi6VoC%2Fuploads%2F5G6Izg7noSGT7QsvSeho%2FdHEDGE%20Trust%20Security%20Audit.pdf?alt=media&token=66115a16-ef90-47af-b01d-f757248ddcea","auditor":"Trust Security","date":"2024-09-04T00:00:00.000Z"},{"id":"1301","url":"https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Ff03kK69OTEEthfwi6VoC%2Fuploads%2Fo3epQZwV9tbnGp8EclE2%2FSherlock%20dhedge-audit-report.pdf?alt=media&token=9b5fed38-6f68-4274-9b9b-4eed9920c908","auditor":"Sherlock","date":"2024-06-01T00:00:00.000Z"},{"id":"1302","url":"https://iosiro.com/audits/dhedge-synthetix-v3-integration-smart-contract-audit","auditor":"iosiro","date":"2023-12-03T00:00:00.000Z"},{"id":"1303","url":"https://github.com/zobront/audits/blob/main/reports/dhedge.md","auditor":"Zach 
Obront","date":"2023-05-31T00:00:00.000Z"},{"id":"1304","url":"https://skynet.certik.com/projects/dhedge?auditId=dHEDGE%20V2#code-security","auditor":"CertiK","date":"2021-07-03T00:00:00.000Z"},{"id":"1305","url":"https://iosiro.com/audits/dhedge-differential-smart-contract-audit","auditor":"iosiro","date":"2021-03-06T00:00:00.000Z"},{"id":"1306","url":"https://iosiro.com/audits/dhedge-platform-smart-contract-audit","auditor":"iosiro","date":"2020-09-01T00:00:00.000Z"}]},{"assets":[{"id":"3l7HE0RYYSAAcVezfLbJhu","url":"https://nearblocks.io/address/ibtc-usdc-1.v1.tmplr.near","type":"smart_contract","addedAt":"2025-10-28T14:57:44.374Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"wSfhCplYiJWc9dMxFGmH4","url":"https://nearblocks.io/address/v1.tmplr.near","type":"smart_contract","addedAt":"2025-10-28T14:57:54.519Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Near"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust"],"launchDate":"2025-10-27T19:59:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1vPg0ELzd0xPUVL2rzMzNp/68486c1f6dca79432f8bd2818bb57fb4/Templar_Protocol.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - medium","smart_contract - critical","smart_contract - high","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Lending"],"programOverview":"Templar’s goal is to allow anyone to borrow Bitcoin, or any asset, without trusting centralized institutions. 
Current BTC lending solutions require users to surrender their Bitcoin to a centralized custodian, like Coinbase, creating risks of seizure, censorship, and counterparty failure, like what happened with BlockFi and Celsius. \n\nTemplar’s Cypher Lending Protocol solves this by using multi-party computation (MPC) networks and open-source smart contracts built on NEAR, ensuring that borrowers retain full control of their collateral without the need for trusted third parties (TTPs).\n\nFor more information about Templar, please visit [https://www.templarfi.org/](https://www.templarfi.org/).\n\nTemplar provides rewards in USDC on ETH, denominated in USD. For more details about the payment process, please view the **Rewards by Threat Level** section.\n\nTemplar’s goal is to allow anyone to borrow Bitcoin, or any asset, without trusting centralized institutions. Current BTC lending solutions require users to surrender their Bitcoin to a centralized custodian, like Coinbase, creating risks of seizure, censorship, and counterparty failure, like what happened with BlockFi and Celsius. \n\nTemplar’s Cypher Lending Protocol solves this by using multi-party computation (MPC) networks and open-source smart contracts built on NEAR, ensuring that borrowers retain full control of their collateral without the need for trusted third parties (TTPs).\n\nFor more information about Templar, please visit [https://www.templarfi.org/](https://www.templarfi.org/).\n\nTemplar provides rewards in USDC on ETH, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__\n\nTemplar will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nTemplar adheres to **Category 2: Notice Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nTemplar adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nTemplar’s completed audit reports can be found at https://github.com/Templar-Protocol/contracts/tree/dev/audits. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Smart Contract"],"project":"Templar Protocol","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $50,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of $5,000 to $10,000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Templar team directly and are denominated in USD. However, payments are done in USDC on ETH.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"templar-protocol","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:04:11.963Z","impactsBody":"All markets deployed through the registry at v1.tmplr.near ,as documented in the Templar Deployments Guide (https://docs.templarfi.org/guide/deployments.html#markets) are considered in scope. 
Each market represents a unique asset pair of the form COLLATERAL → BORROW.\n\nAt the time of publication, there are two older markets currently registered — stnear-usdc.v1.tmplr.near and ibtc-usdc.v1.tmplr.near which share the same subset of core assets. However, these older markets are excluded from scope under this Program.\n\nAs new markets are added to the v1.tmplr.near registry, they will automatically be considered in scope, provided they are deployed under the registry contract and follow the standard Templar market architecture.","websiteUrl":"https://www.templarfi.org/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_2","description":"Templar’s goal is to allow anyone to borrow Bitcoin, or any asset, without trusting centralized institutions. Current BTC lending solutions require users to surrender their Bitcoin to a centralized custodian, like Coinbase, creating risks of seizure, censorship, and counterparty failure, like what happened with BlockFi and Celsius.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"id":37655,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":37656,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":37657,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":37658,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"1TFeAeKSgubgOrn1LJfkcl","url":"https://github.com/Templar-Protocol/contracts/tree/dev/audit","auditor":"All Audits","date":"2025-10-28T00:00:00.000Z"}]},{"assets":[{"id":"98886","url":"https://github.com/starkware-libs/starknet-staking/tree/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/L1/starkware/solidity/stake/RewardSupplierStorage.sol","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"RewardSupplierStorage.sol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98887","url":"https://github.com/starkware-libs/starknet-staking/tree/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/L1/starkware/solidity/stake/RewardSupplierExternalInterfaces.sol","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"RewardSupplierExternalInterfaces.sol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98888","url":"https://github.com/starkware-libs/starknet-staking/tree/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/L1/starkware/solidity/stake/RewardSupplier.sol","type":"smart_contract","addedAt":"2026-02
-17T08:53:43.707Z","revision":0,"description":"RewardSupplier.sol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98889","url":"https://github.com/starkware-libs/starknet-staking/tree/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/L1/starkware/solidity/stake/MintManager.sol","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"MintManager.sol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98890","url":"https://github.com/starkware-libs/starknet-staking/tree/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/L1/starkware/solidity/libraries","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"L1 Solidity Libraries","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98891","url":"https://github.com/starkware-libs/starknet-staking/tree/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/L1/starkware/solidity/interfaces","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"L1 Solidity Interfaces","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98892","url":"https://github.com/starkware-libs/starknet-staking/tree/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/L1/starkware/solidity/components","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"L1 Solidity 
Components","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98893","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/L1/starkware/solidity/upgrade/ProxySupportImpl.sol","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"Upgrade_ProxySupportImpl.sol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98894","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/L1/starkware/solidity/stake/PeriodMintLimit.sol","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"PeriodMintLimit.sol","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98895","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/contracts/src/utils.cairo","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"utils.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98896","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/contracts/src/staking/staking.cairo","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"staking.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98897","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/contracts/src/staking/interface.cairo","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"staking_interface.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98898","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/contracts/src/reward_supplier/reward_supplier.cairo","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"des
cription":"reward_supplier.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98899","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/contracts/src/reward_supplier/interface.cairo","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"reward_supplier_interface.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98900","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/contracts/src/pool/pool.cairo","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"Pool.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98901","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/contracts/src/pool/interface.cairo","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"Pool_interface.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98902","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/contracts/src/minting_curve/minting_curve.cairo","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"minting_curve.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98903","url":"https://github.com/starkware-libs/starknet-staking/blob/%40staking/contracts-v1.0.1-dev.854/workspace/apps/staking/contracts/src/minting_curve/interface.cairo","type":"smart_contract","addedAt":"2026-02-17T08:53:43.707Z","revision":0,"description":"minting_curve_interface.cairo","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Starknet Staking’s codebase can be found at https://github.com/starkware-libs/starknet-staking. Documentation and further resources can be found on https://docs.starknet.io/staking/overview/. 
\n\nSubmitting multiple vulnerabilities that can be resolved with one solution may result in reduced severity ratings or invalidation of the later submissions. \n\nSecurity Researchers are required to address all vulnerable points across contracts in one fix. Any missed issues later reported by the security researcher will be considered unique.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Starknet"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2024-11-19T22:50:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/ZfXCvEBrW9zv4R7VqmZg5/8ec5fed17af2d46128a91be5507f4e3f/starknet.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - medium","smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Staking"],"programOverview":"Staking on Starknet involves locking STRK tokens in the staking protocol, in order to contribute to network security and performance. Users can either stake directly or delegate their tokens to others, with staking rewards based on their level of participation and contribution.\n\nFor more information about Starknet Staking, please visit [https://docs.starknet.io/staking/overview/](https://docs.starknet.io/staking/overview/)\n\nStarkWare provides rewards in USDC or STRK, denominated in USD, at its discretion. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Public Disclosure of Known Issues__\n- Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n- The reward calculation using a round-up/down in compute_commission_amount_rounded_down and compute_commission_amount_rounded_up under utils.cairo\n- There is a set_reward_supplier function in addition to having it in the constructor. This is a non-issue.\n- The used token is STRK and is trusted; reentrancy vulnerabilities regarding the token are a non-issue.\n- All relevant contracts, i.e. Staking, RewardSupplier, MintingCurve, Pool contracts, are all ours and trusted. Reentrancy vulnerabilities in interactions between these contracts (again, including all different pool instances) are a non-issue.\n- In case of a commission change on stakers, pool members will not get the updated commission automatically. All issues regarding this phenomenon are known.\n- Users cannot switch out of a finalized pool if they hadn’t made an exit intent prior to the staker’s unstake_action.\n- In PeriodMintLimit.sol the periodic mint cap is an interval (and not a sliding window), and is reset on a timestamp-rounded week, so potentially someone can mint double the mint cap in 2 seconds (one before the end of the week, and one after). This is a non-issue.\n- Out of order messages to `update_total_supply` are a non-issue.","programType":["Smart Contract"],"project":"Starknet Staking","projectType":["Infrastructure"],"rewardsBody":"Payouts are handled by the StarkWare team directly and are denominated in USD. However, payments are done in USDC or STRK, at StarkWare’s discretion.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC or STRK","slug":"starknet-staking","tenPercentEconomicRule":false,"updatedDate":"2026-02-11T09:29:02.760Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Staking on Starknet involves locking STRK tokens, and/or BTC wrappers in the staking protocol, in order to contribute to network security and performance. Users can either stake directly or delegate their tokens to others (BTC can only be delegated), with staking rewards based on their level of participation and contribution.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Vulnerabilities that can be reverted by upgrading the contract will have reduced severity.\n","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"}],"rewards":[{"id":40757,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":15000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":40758,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":1500,"rewardModel":"range"},{"id":40759,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"60six1Ti27IUrwTdMUD8QA","url":"https://play.google.com/store/apps/details?id=io.zerion.android&hl=en_US&gl=US","type":"websites_and_applications","addedAt":"2022-05-13T13:14:32.605Z","revision":0,"description":"Zerion Android App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"79I4awEQiDIWQdIGWD0Wew","url":"https://apps.apple.com/us/app/zerion-crypto-defi-wallet/id1456732565","type":"websites_and_applications","addedAt":"2022-05-13T13:15:08.710Z","revision":0,"description":"Zerion Apple App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7sbMZTxYOwc78Lg3jIALSZ","url":"https://app.zerion.io/","type":"websites_and_applications","addedAt":"2022-05-13T15:13:28.452Z","revision":0,"description":"Zerion Web App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"59HW4evQ2QvYZ6vO7JReRB","url":"https://chromewebstore.google.com/detail/zerion-wallet-for-web3-nf/klghhnkeealcohjjanjjdaeeggmfmlpl","type":"websites_and_applications","addedAt":"2024-06-27T08:12:47.493Z","revision":0,"description":"Zerion 
Extension","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98870","url":"https://www.oklink.com/fantom/address/0x1ab3747da0f88e883895de58c105fd25c21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_FANTOM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98871","url":"https://snowtrace.io/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_AVALANCHE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98872","url":"https://scrollscan.com/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_SCROLL","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98873","url":"https://polygonscan.com/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_POLYGON","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98874","url":"https://optimistic.etherscan.io/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_OPTIMISM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98875","url":"https://lineascan.build/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_LINEA","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98876","url":"https://gnosisscan.io/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_XDAI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98877","url":"https://explorer.zora.ener
gy/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_ZORA","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98878","url":"https://explorer.zksync.io/address/0xa71B5eCb48669580ea46bEffB74E6CA0Ec9EefA3","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_ZKSYNC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98879","url":"https://explorer.zero.network/address/0x4667fFb6a24017f977c93Da1BD630CF1801343b6","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"Zerion Paymaster","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98880","url":"https://explorer.mainnet.aurora.dev/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_AURORA","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98881","url":"https://etherscan.io/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_ETHEREUM","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98882","url":"https://celoscan.io/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_CELO","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98883","url":"https://bscscan.com/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_BSC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98884","url":"https://basescan.org/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"de
scription":"PREMIUM_PURCHASER_CONTRACT_BASE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98885","url":"https://arbiscan.io/address/0x1AB3747DA0F88E883895DE58c105Fd25C21491ce","type":"smart_contract","addedAt":"2026-02-17T08:52:38.771Z","revision":0,"description":"PREMIUM_PURCHASER_CONTRACT_ARBITRUM","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","ETH","Fantom","Optimism","Polygon","xDAI / Gnosis Chain"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["JavaScript","Solidity"],"launchDate":"2022-03-29T19:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/rl1wbbQqjXdQOjPmDm331/6f9697fe2c9b6d98dd68c81072bba5c6/Zerion_Logo.jpg","maxBounty":25000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n__Critical__\n  - Theft and/or permanent freezing of assets\n  - Any logic manipulation\n\n__High__\n  - Temporary freezing of funds for at least 1 hour\n\n__Medium__\n  - Unable to call smart contract\n  - Unbounded gas consumption\n  - Theft of gas\n\n__Web/App__\n\n__Critical__\n  - Leak of user data\n  - Deletion of user data\n  - Redirected funds by address modification\n  - Site goes down\n  - Accessing sensitive pages without authorization\n  - Users spoofing other users\n  - Open redirects and modifying user’s vital information\n\n__High__\n  - Injection of text\n\n__Medium__\n  - Redirecting users to malicious websites (open redirect)\n  - Changing details of other users without direct financial impact (CSRF)\n  - Third-Party API keys leakage that demonstrates loss of funds or modification on the website","productType":["Bridge","Crosschain Liquidity","DEX","Wallet"],"programOverview":"At Zerion, we are on a mission to empower more people around the world with efficient, transparent, and censorship-resistant financial services. \n\nWe do this by building applications, tools, and infrastructure enabling any smartphone holder, anywhere in the world, to build and manage their decentralized finance (DeFi) portfolios. The company was founded in 2016 by a technical team of crypto-native builders who sought to change the way centralized financial services work, primarily driven by experiencing the lack of financial opportunity within their countries.\n\nZerion has grown to become one of the most popular DeFi interfaces in the world. 
Since inception, Zerion has processed over $1.4 billion in transaction volume and serves more than 200K monthly active users from over 217 countries.\n\nZerion gives customers access to more than 50,000 digital assets, 60 protocols & all NFTs on the Ethereum blockchain through their app, which streamlines the UI of DeFi. Users can access tokens and invest through the app similar to exchanges like Coinbase or Gemini, but do so using their own personal wallets like MetaMask, meaning user funds and private keys aren’t controlled by or accessible to Zerion.\n\nFor more information about Zerion, please visit [https://zerion.io/](https://zerion.io/).   \n\nThis bug bounty program is focused on their smart contracts, website and app and is focused on preventing:\n\n  - Loss of user funds\n  - Leak of user data\n  - Deletion of user data","programType":["Smart Contract","Websites and Applications"],"project":"Zerion","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports and Critical/High/Medium smart contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. In addition, all Critical/High/Medium bug reports must come with a suggestion for a fix in order to be considered for a reward. 
\n\nThe following known issues are considered to be out of scope of this bounty program: \n  - All issues highlighted previously in the following audit report: \n    - Peckshield Audit for DeFi SDK (August, 2020): [https://drive.google.com/file/d/158GG-J681xAc4d8pMibpP_SFJikX4HPM/view?usp=sharing](https://drive.google.com/file/d/158GG-J681xAc4d8pMibpP_SFJikX4HPM/view?usp=sharing)\n    - Audit: [https://github.com/zeriontech/defi-sdk/blob/interactive/audits/Zerion%20DeFi%20SDK%20Trail%20of%20Bits%20Audit%20Report.pdf](https://github.com/zeriontech/defi-sdk/blob/interactive/audits/Zerion%20DeFi%20SDK%20Trail%20of%20Bits%20Audit%20Report.pdf)\n  - External apps having integrations with Zerion\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 10 000__ for Critical bug reports. \n\nCritical website and application bug reports will be rewarded with the full __USD 15 000__ only if the impact leads to a direct loss in funds or a manipulation of the votes or the voting result, as well as the modification of its display leading to a misrepresentation of the result or vote. All other impacts that would be classified as Critical would be rewarded no more than __USD 10 000__.\n\nZerion requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is email address, full name, and country of residence.\n\nPayouts are handled by the __Zerion__ team directly and are denominated in USD. 
However, payouts are done in __USDC or DAI__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, DAI","slug":"zerion","tenPercentEconomicRule":false,"updatedDate":"2026-02-03T15:04:12.871Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"At Zerion, we are on a mission to empower more people around the world with efficient, transparent, and censorship-resistant financial services.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":" - Attacks requiring physical access to a user's device, social engineering, phishing, physical, or other fraud activities \n - Best practice critiques\n","customProhibitedActivities":[],"impacts":[{"id":2141,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 hour"},{"id":2142,"type":"websites_and_applications","severity":"high","title":"Injection of text"},{"id":2143,"type":"smart_contract","severity":"medium","title":"Unable to call smart contract"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":2144,"type":"websites_and_applications","severity":"medium","title":"Changing details of other users without direct financial impact (CSRF)"},{"id":2145,"type":"websites_and_applications","severity":"medium","title":"Third-Party API keys leakage that demonstrates loss of funds or modification on the website"},{"id":2146,"type":"smart_contract","severity":"critical","title":"Theft and/or permanent freezing of assets"},{"id":2147,"type":"smart_contract","severity":"critical","title":"Any logic 
manipulation"},{"id":2148,"type":"websites_and_applications","severity":"critical","title":"Leak of user data"},{"id":2149,"type":"websites_and_applications","severity":"critical","title":"Deletion of user data"},{"id":2150,"type":"websites_and_applications","severity":"critical","title":"Redirected funds by address modification"},{"id":2151,"type":"websites_and_applications","severity":"critical","title":"Site goes down"},{"id":2152,"type":"websites_and_applications","severity":"critical","title":"Accessing sensitive pages without authorization"},{"id":2153,"type":"websites_and_applications","severity":"critical","title":"Users spoofing other users"},{"id":2154,"type":"websites_and_applications","severity":"critical","title":"Open redirects and modifying user’s vital information"}],"rewards":[{"id":40880,"severity":"critical","assetType":"smart_contract","maxReward":25000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":40881,"severity":"high","assetType":"smart_contract","fixedReward":7500,"rewardModel":"fixed"},{"id":40882,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":40883,"severity":"critical","assetType":"websites_and_applications","maxReward":15000,"rewardModel":"up_to"},{"id":40884,"severity":"high","assetType":"websites_and_applications","fixedReward":7500,"rewardModel":"fixed"},{"id":40885,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1RAoFV3mwlgCx2ILAqAnfx","url":"https://app.mux.network/#/trade?chainId=42161","type":"websites_and_applications","addedAt":"2022-02-15T13:07:14.734Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ryPAEDsEynUxLrbTRBUza","url":"https://app.mux.network/#/liquidity","type":"websites_and_applications","addedAt":"2022-02-15T13:07:36.312Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"27lcDiSCMe9dWlF1r
mNvDM","url":"https://app.mux.network/#/stake","type":"websites_and_applications","addedAt":"2022-02-15T13:07:55.211Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3p4m8CTWMnVjOfzSgAQk6N","url":"https://app.mux.network/#/redeem","type":"websites_and_applications","addedAt":"2022-02-15T13:08:27.988Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"76Tg9tlfRmhDDtuw0XMiKp","url":"https://github.com/mux-world/muxlp-tranches-protocol","type":"smart_contract","addedAt":"2024-08-28T12:02:40.994Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5mZvhOe95LrCNj1n6L0qc4","url":"https://github.com/mux-world/mux-degen-protocol","type":"smart_contract","addedAt":"2024-08-28T12:02:51.850Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3eoO8FPvuWnv9Yq6PnO1sA","url":"https://github.com/mux-world/mux-aggregator-protocol","type":"smart_contract","addedAt":"2024-08-28T12:03:04.502Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3EnvNaAvGjLeScRTEgwhUY","url":"https://github.com/mux-world/mux3-protocol/","type":"smart_contract","addedAt":"2025-03-17T10:39:34.439Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2iLIEDhC19m0lyq9tKxQvR","url":"https://github.com/mux-world/mux-aggregator-protocol/tree/main/contracts/proxyFactory","type":"smart_contract","addedAt":"2025-08-28T23:18:57.469Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5MhqtU6OjHMi1VCJAvBJUT","url":"https://github.com/mux-world/mux-aggregator-protocol/tree/main/contracts/aggregators/gmxV2","type":"smart_contract","addedAt":"2025-08-28T23:19:09.336Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3rYDe2Owh0EOtE0VolZVso","url":"https://github.com/mux-world/mux-protocol/tree/main/contracts/components","type":"sm
art_contract","addedAt":"2025-08-28T23:19:21.175Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3R4vPSH6yYCWgvVFOplmEh","url":"https://github.com/mux-world/mux-protocol/tree/main/contracts/core","type":"smart_contract","addedAt":"2025-08-28T23:19:33.102Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6R6GaysJUNIynYWzYI9i7w","url":"https://github.com/mux-world/mux-protocol/tree/main/contracts/governance","type":"smart_contract","addedAt":"2025-08-28T23:19:40.097Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Pr9CgCg4s7SLir47wIJXt","url":"https://github.com/mux-world/mux-protocol/tree/main/contracts/libraries","type":"smart_contract","addedAt":"2025-08-28T23:19:48.239Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7G1FsqHDgxL7hPpecRb9Yx","url":"https://github.com/mux-world/mux-protocol/tree/main/contracts/orderbook","type":"smart_contract","addedAt":"2025-08-28T23:19:57.951Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3KyoVQ7NoyAXntpMLxZXRo","url":"https://github.com/mux-world/mux-staking","type":"smart_contract","addedAt":"2025-08-28T23:20:48.558Z","revision":0,"description":null,"isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"Only web/app vulnerabilities that __directly__ affect the web/app assets listed in this table and their subfolders are accepted within the bug bounty program. All others are out-of-scope.\n\nUnder the Github link, only mainnet smart contract vulnerabilities are considered in-scope for the bug bounty program. Smart contracts labeled as testnet are out-of-scope. Additionally, __all smart contracts in the test, oracle, and reader folders are out-of-scope__. 
\n\nVulnerabilities surfaced in the audits provided by [ConsenSys](https://diligence.consensys.net/audits/private/nxaosool-mcdexio-mai-protocol-v2), [OpenZeppelin](https://blog.openzeppelin.com/mcdex-mai-protocol-audit/) and [Quantstamp](https://certificate.quantstamp.com/full/mcdex) are not considered in scope of the bug bounty program even if they affect the assets listed in this table.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","ETH","Fantom","Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-06-09T07:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/55511-foBiGCvU6KeufT7DGoIoY.png","maxBounty":100000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature 
malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces\n\n__Websites and Apps__\n\n  - Remote Code Execution\n  - Trusting trust/dependency vulnerabilities\n  - Vertical Privilege Escalation\n  - XML External Entities Injection\n  - SQL Injection\n  - LFI/RFI\n  - Horizontal Privilege Escalation\n  - Stored XSS\n  - Reflective XSS with impact\n  - CSRF with impact\n  - Direct object reference\n  - Internal SSRF\n  - Session fixation\n  - Insecure Deserialization\n  - DOM XSS\n  - SSL misconfigurations\n  - SSL/TLS issues (weak crypto, improper setup)\n  - URL redirect\n  - Clickjacking (must be accompanied with PoC)\n  - Misleading Unicode text (e.g. using right to left override characters)","productType":["DEX","Liquid Staking"],"programOverview":"MUX is a decentralized leveraged trading protocol allowing zero price impact trading, up to 100x leverage, no counterparty risks for traders and an optimized on-chain trading experience. In addition, MUX is the first multi-chain native protocol unifying pooled liquidity across deployed chains to maximize capital efficiency.\n\nCurrently, MUX protocol is live on Arbitrum, BNB chain, Avalanche and Fantom. \nFor more information about MUX Protocol, you can visit their website at [https://mux.network/](https://mux.network/). \n\nThis bug bounty program covers its smart contracts and its critical frontend software and is focused on the prevention of loss of user funds.","programType":["Smart Contract","Websites and Applications"],"project":"MUX","projectType":["Defi","Exchange"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll web and app bugs must come with a Proof of Concept (PoC) in order to be accepted. All web and app bug reports without a PoC will be rejected with a request for a PoC. Critical web and app bugs can only be paid the full USD 15 000 if there is a vulnerability directly leading to a loss in user funds that does not require social engineering or extensive non-normal user actions. \n\nRewards for smart contract vulnerabilities are variable based on their exploitability, and other factors deemed relevant by the MUX team. For critical vulnerabilities, the payout is capped at 10% of economic damage and is the main determinant of the reward amount. Bug reports for critical vulnerabilities also require PoC. If no PoC is submitted but the bug is still validated and addressed, only USD 20 000 will be rewarded regardless of economic damage. \n\nRecommendations for fixes are required for a reward. Though bug reports without recommendations for fixes may be considered, the resulting reward cannot be the maximum amount. \n\nThe final decision for all rewards is at the discretion of MUX Protocol. \n\nPayouts are handled by the __MUX Protocol__ team directly and are denominated in USD. Payouts are done in __USDC__. 
However, for payouts USD 1 000 and lower, the reward can be paid in __ETH__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, ETH","slug":"mux","tenPercentEconomicRule":true,"updatedDate":"2026-02-16T08:53:46.509Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"MUX is a decentralized leveraged trading protocol allowing zero price impact trading, up to 100x leverage, no counterparty risks for traders and an optimized on-chain trading experience. In addition, MUX is the first multi-chain native protocol unifying pooled liquidity across deployed chains to maximize capital efficiency.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default state what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":540,"type":"smart_contract","severity":"high","title":"Theft of >1% of total unclaimed yield"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":542,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) 
such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":543,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":544,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":545,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":546,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the name of user, or enabling/disabling notifications"},{"id":547,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":548,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":549,"type":"smart_contract","severity":"critical","title":"Direct theft of >1% of user funds, other than unclaimed yield, in excess of gas costs or swap fees"},{"id":550,"type":"smart_contract","severity":"critical","title":"Permanent freezing of >1% of total funds in excess of gas costs or swap fees"},{"id":552,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or 
usernames)"},{"id":553,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":554,"type":"websites_and_applications","severity":"critical","title":"Direct theft of >1% of total user funds"},{"id":555,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":5439,"type":"smart_contract","severity":"medium","title":"Permanent freezing of unclaimed yield"},{"id":5440,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds"}],"rewards":[{"id":40856,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":40857,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":40858,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":2000,"rewardModel":"range"},{"id":40859,"severity":"critical","assetType":"websites_and_applications","maxReward":15000,"minReward":7500,"rewardModel":"range"},{"id":40860,"severity":"high","assetType":"websites_and_applications","maxReward":5000,"rewardModel":"up_to"},{"id":40861,"severity":"medium","assetType":"websites_and_applications","maxReward":1000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"1GUfhj5s71VqB9yyRp0PG2","url":"https://etherscan.io/address/0x1d02F6A86Ed5650f93E40FCD62fa5727c32ad746#code","type":"smart_contract","addedAt":"2026-01-05T10:45:54.410Z","revision":0,"description":"yYB Reward 
Distributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1KjG6kdSc06HblkKE05yzG","url":"https://etherscan.io/address/0xca12459a931643BF28388c67639b3F352fe9e5Ce","type":"smart_contract","addedAt":"2025-11-06T10:55:32.699Z","revision":0,"description":"Role Manager Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1OsDuV2SKImZ46VGFuATUR","url":"https://etherscan.io/address/0x5A74Cb32D36f2f517DB6f7b0A0591e09b22cDE69#code","type":"smart_contract","addedAt":"2025-10-29T09:47:03.882Z","revision":0,"description":"Accountant","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1fm1sW6IhGfbqrf1FnjoR4","url":"https://etherscan.io/address/0xbC587a495420aBB71Bbd40A0e291B64e80117526","type":"smart_contract","addedAt":"2025-10-29T09:47:03.693Z","revision":0,"description":"Auction Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1kyOC2q5S0v8r4XiEijG3z","url":"https://etherscan.io/address/0x7Fd8Af959B54A677a1D8F92265Bd0714274C56a3#code","type":"smart_contract","addedAt":"2023-12-02T10:38:53.612Z","revision":0,"description":"yGauge Curve YFI-ETH","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1urST0jXHNv0KlP0BwCQ8b","url":"https://etherscan.io/address/0x22222222aEA0076fCA927a3f44dc0B4FdF9479D6#code","type":"smart_contract","addedAt":"2026-01-05T10:45:54.423Z","revision":0,"description":"yYB Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"27u4dT30F1aYwgnvcdiaYa","url":"https://etherscan.io/address/0xE9A115b77A1057C918F997c32663FdcE24FB873f#code","type":"smart_contract","addedAt":"2024-10-22T13:42:37.699Z","revision":0,"description":"yCRV Boosted Staker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2GQBau5qvXxg11ERrPRkkQ","url":"https://etherscan.io/address/0x770D0d1Fb036483Ed4AbB6d53c1C88fb277D812F","type":"smart_contract","addedAt":"2025-11-06T10:55:32.703Z","revision":0,"description":"3.0.4 Vault V3 
Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2lq7hZfi5WOrzEHsc0TfjM","url":"https://etherscan.io/address/0xB226c52EB411326CdB54824a88aBaFDAAfF16D3d#code","type":"smart_contract","addedAt":"2024-10-22T13:42:52.806Z","revision":0,"description":"yCRV Boosted Staker Reward Distributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2rszBurN4m8KUtN2ZLmBGO","url":"https://etherscan.io/address/0xFCc5c47bE19d06BF83eB04298b026F81069ff65b#code","type":"smart_contract","addedAt":"2022-02-17T14:10:51.087Z","revision":0,"description":"yCRV contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2vIHBEiDfYoEbpEXv5ddLm","url":"https://etherscan.io/address/0x7dC3A74F0684fc026f9163C6D5c3C99fda2cf60a#code","type":"smart_contract","addedAt":"2023-12-02T10:40:06.181Z","revision":0,"description":"dYFI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"315E3SyKgKgHPXV6uxZb5b","url":"https://etherscan.io/address/0x2fBa208E1B2106d40DaA472Cb7AE0c6C7EFc0224#code","type":"smart_contract","addedAt":"2023-12-02T10:38:31.239Z","revision":0,"description":"dYFI Redemption","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"31LeVuGMx8WP3MTAroXD7f","url":"https://etherscan.io/address/0xD377919FA87120584B21279a491F82D5265A139c","type":"smart_contract","addedAt":"2025-11-06T10:55:32.624Z","revision":0,"description":"3.0.4 Tokenized Strategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"39iAf3PdqZ8yl4fTOpBAB5","url":"https://etherscan.io/address/0x1111111Ecd5Ae05422aeCe517072ec33Dbf34af9#code","type":"smart_contract","addedAt":"2026-01-05T10:45:54.416Z","revision":0,"description":"yYB Operator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Gm9nMhD0Nqcov6DbEg1OJ","url":"https://etherscan.io/address/0xb287a1964AEE422911c7b8409f5E5A273c1412fA#code","type":"smart_contract","addedAt":"2023-12-02T10:39:11.540Z","revision":0,"description":"YFI Reward 
Pool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3h1E0VNt3HpUbf1Wr0D9yX","url":"https://etherscan.io/address/0x46b38522422D597dDbAA2D6E98D6C9b397028d5B#code","type":"smart_contract","addedAt":"2024-10-22T13:42:07.062Z","revision":0,"description":"veYFI Gauge Controller","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"46Pa6a7yOLCN83C9SQyMEe","url":"https://etherscan.io/address/0xF728f839796a399ACc2823c1e5591F05a31c32d1","type":"smart_contract","addedAt":"2025-11-06T10:55:32.299Z","revision":0,"description":"Accountant Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4zrBrwqX0lJXwVmv3t9mS2","url":"https://etherscan.io/address/0x0bc529c00c6401aef6d220be8c6ea1667f6ad93e#code","type":"smart_contract","addedAt":"2023-06-06T03:21:27.367Z","revision":0,"description":"YFI Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Q8enqva4hJLgR7DlxfGVp","url":"https://etherscan.io/address/0x2391Fc8f5E417526338F5aa3968b1851C16D894E#code","type":"smart_contract","addedAt":"2023-12-02T10:39:29.932Z","revision":0,"description":"dYFI Reward Pool","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ensJW9I1D8i4Wve2zXtby","url":"https://etherscan.io/address/0x03D43dF6FF894C848fC6F1A0a7E8a539Ef9A4C18","type":"smart_contract","addedAt":"2025-10-29T09:47:03.880Z","revision":0,"description":"Debt Allocator Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5zCFJTHH6vECdumiaVFiVm","url":"https://etherscan.io/address/0xd0660cd418a64a1d44e9214ad8e459324d8157f1#code","type":"smart_contract","addedAt":"2023-06-06T03:22:18.262Z","revision":0,"description":"Woofy Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"64NFdZgFR3JEdpSi8OaRQC","url":"https://etherscan.io/address/0x1D0fdCb628b2f8c0e22354d45B3B2D4cE9936F8B#code","type":"smart_contract","addedAt":"2024-10-22T13:42:22.507Z","revision":0,"description":"veYFI Gauge 
Registry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"66XN7JAznpSMQDgI9KSoj1","url":"https://etherscan.io/address/0x5D2eA33449A60a70E8FCdc5251FDd86a030fAD91#code","type":"smart_contract","addedAt":"2026-01-05T10:45:54.408Z","revision":0,"description":"yYB Boosted Staker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6KNPAcb2KI95cyhy9sXrGp","url":"https://etherscan.io/address/0xf8dF17a35c88AbB25e83C92f9D293B4368b9D52D","type":"smart_contract","addedAt":"2025-11-06T10:55:32.318Z","revision":0,"description":"Common Report Trigger","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7ASqGORjw2qbyMQkrAvCOy","url":"https://etherscan.io/address/0xe28fCC9FB2998ba57754789F6666DAa8C815614D#code","type":"smart_contract","addedAt":"2025-11-06T10:55:32.324Z","revision":0,"description":"Splitter Factory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"IgvqO4CKk8jXloSZSjmLj","url":"https://etherscan.io/address/0xd8063123BBA3B480569244AE66BFE72B6c84b00d","type":"smart_contract","addedAt":"2025-11-06T10:55:32.313Z","revision":0,"description":"3.0.4 Vault V3 ","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OFqCbZyKTUzq8253DLC0q","url":"https://etherscan.io/address/0x90c1f9220d90d3966FbeE24045EDd73E1d588aD5#code","type":"smart_contract","addedAt":"2023-12-02T10:40:21.388Z","revision":0,"description":"veYFI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"sKSNChy1Gl6V31bcPjxjz","url":"https://etherscan.io/address/0x0000000C90799449af8eE0B240Da639144a36C6A","type":"smart_contract","addedAt":"2026-01-05T10:45:54.682Z","revision":0,"description":"yYB Locker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98857","url":"https://etherscan.io/address/0xd31911a33a5577Be233Dc096F6F5a7e496fF5934#code","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI Main Reward 
Distributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98858","url":"https://etherscan.io/address/0xc32bd1A70e831c43956Ff2f5F23f2Ee45a04C020","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI Staking Middleware","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98859","url":"https://etherscan.io/address/0xA82454009E01Ae697012a73cB232d85e61B05e50","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI Reward Claimer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98860","url":"https://etherscan.io/address/0xA16F6FC7380300525C812ea2733Ad62DDA58143B","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI Liquid Locker Depositor StakeDAO","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98861","url":"https://etherscan.io/address/0x9C42461AA8422926e3AEF7B1C6e3743597149d79","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFIx","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98862","url":"https://etherscan.io/address/0x95547ede56cf74b73dd78a37f547127dffda6113","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI Reward Distributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98863","url":"https://etherscan.io/address/0x952B31960C97E76362Ac340D07D183aDa15e3d6E","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFIx Reward Distributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98864","url":"https://etherscan.io/address/0x7eFc3953Bed2fc20b9f825eBffaB1cC8B072a000","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI Liquid Locker Reward 
Distributor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98865","url":"https://etherscan.io/address/0x52Aa16860E0D42B6a7b6ecC15688472eb20135c9","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI Liquid Locker Depositor 1up","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98866","url":"https://etherscan.io/address/0x42b25284E8ae427D79da78b65DFFC232aAECc016#code","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98867","url":"https://etherscan.io/address/0x3d4Ced97ADb0ae3A53DA95a47fFc749aAd26BC8f#code","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI Liquid Locker Depositor Cove","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98868","url":"https://etherscan.io/address/0x2548BF65916fdABB5A5673fC4225011FF29ee884","type":"smart_contract","addedAt":"2026-02-15T10:30:27.065Z","revision":0,"description":"stYFI veYFI Reward Distributor","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"__Finding More Assets in Scope__\nYearn adds and removes Vaults and Strategies from Production on an ongoing basis. Yearn provides helper contracts (see table below) to list the __actual contracts__ that are considered in scope for this bug bounty program. 
\n\nThe following functions can be called to obtain a list of smart contract addresses that are currently in Production and that are covered by the program:\n\n| Network     | Contracts     | Addresses (NOT IN SCOPE)     |\n| ---------- | ---------- | ---------- |\n| Ethereum       | StrategiesHelper AddressesGeneratorV2Vaults       | 0x5b4F3BE554a88Bd0f8d8769B9260be865ba03B4a 0x437758D475F70249e03EDa6bE23684aD1FC375F0    |\n| Fantom       | StrategiesHelper AddressesGeneratorV2Vaults       | 0x97D0bE2a72fc4Db90eD9Dbc2Ea7F03B4968f6938 0x8ca27a3ab8917a033f278D20135d2467faA099bA       |\n| Optimism       | StrategiesHelper AddressesGeneratorV2Vaults       | 0xD3A93C794ee2798D8f7906493Cd3c2A835aa0074 0xD63aB09ac2048a7eCac92f0fFad5F104edD0E032       |\n| Arbitrum       | StrategiesHelper AddressesGeneratorV2Vaults       | 0x66a1a27f4b22dcaa24e427dcffbf0cddd9d35e0f 0x3a8efa2d87d60c0289f19b44a0928f4269c0f094       |\n\nFunctions to list bounty program contracts:\nStrategiesHelper - assetsStrategiesAddresses()\n\nAddressesGeneratorV2Vaults - assetsAddresses()\n\nOther contracts, outside of the ones mentioned here, might be considered on a case-by-case basis, as long as economic damage can be achieved. \n\n__Submission Requirements__\n\nIn order to be considered for a reward, all bug reports must contain the following:\n\n- Description of suspected vulnerability\n- Steps to reproduce the issue\n- A valid POC showing the attack where the outcome has clear economic damage for any of the contracts listed in scope.\n- Your name and/or colleagues if you wish to be later recognized\n- (Optional) A patch and/or suggestions to resolve the vulnerability\n\n__Ethical Behavior Requirements__\n\nResponsible disclosure is predicated on ethical behavior. These guidelines outline best practices for the community as a whole, whether you are reporting, or the recipient of a report. 
By stating that you adhere to this policy, you’re claiming to handle vulnerability information ethically, and abide by the following:\n\n- Do not attempt to leverage a vulnerability, or information of its existence, as part of a financial trading strategy or otherwise for financial gain.\n- Do not attempt to compromise systems upon which development of a product relies, including but not limited to compromising development systems, accounts, domains, email, etc.\n- Do not attempt to sell vulnerability information or exploits.\n- Do not ask for any form of compensation from an affected party.\nYou may compensate a disclosing party if you would like to after all known vulnerability details have been disclosed.\n- Do not disclose a bug or vulnerability on mailing lists, public boards, forums, social media or any other channel prior to Responsibly Disclosing to the organizations you have a published relationship with.\n- Do not attempt any illegal acts, including phishing, physical attacks, DDoS, or any attempt to gain access without authorization.\n\n__3rd Party Affected Projects__\n\nIn the case where we become aware of security issues affecting other projects that have never affected Yearn, our intention is to inform those projects of security issues on a best-effort basis.\n\nIn the case where we fix a security issue in Yearn that also affects the following neighboring projects, our intention is to engage in responsible disclosures with them as described in the adopted standard, subject to the deviations described in the deviations section below.\n\n__Deviations from the Standard__\n\nIn the case of a counterfeiting or fund-stealing bug affecting Yearn, however, we might decide not to include those details with our reports to partners ahead of coordinated release, as long as we are sure that they are not 
vulnerable.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","ETH","Fantom","Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-07-01T07:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/46652-poMYBlE470F3ANFEzLX3a-PhDjdUVamAGgfjv2TMLhs2M2H40O54.png","maxBounty":200000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n- Re-entrancy\n- Logic errors\n  - including user authentication errors\n- Solidity/EVM details not considered\n  - including integer over-/under-flow\n  - including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - including composability vulnerabilities\n- Oracle failure/manipulation\n- Novel governance attacks\n- Economic/financial attacks\n  - including flash loan attacks\n- Congestion and scalability\n  - including running out of gas\n  - including block stuffing\n  - including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n- Signature malleability\n- Susceptibility to replay attacks\n- Weak randomness\n- Weak encryption\n- Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging interfaces","productType":["Lending","Yield Aggregator"],"programOverview":"Yearn Finance is a suite of products in Decentralized Finance (DeFi) that provides lending aggregation and yield generation on the Ethereum blockchain. The protocol is maintained by various independent developers and is governed by YFI holders. 
Their products include: \n\n__Vaults__\nCapital pools that automatically generate yield based on opportunities present in the market. Vaults benefit users by socializing gas costs, automating the yield generation and rebalancing process, and automatically shifting capital as opportunities arise. End users also do not need to have a proficient knowledge of the underlying protocols involved or DeFi, thus the Vaults represent a passive-investing strategy.\n\nFurther resources regarding Yearn Finance can be found on their website, [https://yearn.finance/](https://yearn.finance/).\n\nThe bug bounty program is focused on its smart contracts and is mostly concerned with the prevention of the loss of user funds.\n\n\n__Bug Bounty FAQ__\n\nQ: Is there a time limit for the Bug Bounty program?\nA: No. The Bug Bounty program currently has no end date, but this can be changed at any time at the discretion of Yearn.\n\nQ: Can I submit bugs anonymously and still receive payment?\nA: Yes. If you wish to remain anonymous you can do so and still be eligible for rewards as long as they are for valid bugs. Rewards will be sent to the valid Ethereum address that you provide.\n\nQ: Can I donate my reward to charity?\nA: Yes. You may donate your reward to a charity of your choosing, or to a gitcoin grant.","programType":["Smart Contract"],"project":"Yearn Finance","projectType":["Blockchain","Defi"],"rewardsBody":"Rewards for Smart Contract vulnerabilities are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. 
\n\nTo determine the final reward amount, the likelihood to have a meaningful impact on availability, integrity, and/or loss of funds is considered. The final decision on the payout amount will be determined by the Yearn Finance team at its discretion.\n\nPayouts are handled by the __Yearn Finance__ team directly and are denominated in USD. Payouts can be made in USDC, DAI, YFI, or their Yearn Vault counterparts.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, DAI, YFI","slug":"yearnfinance","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:03:14.005Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Yearn Finance is a suite of products in Decentralized Finance (DeFi) that provides lending aggregation and yield generation on the Ethereum blockchain. The protocol is maintained by various independent developers and is governed by YFI holders. Their products include:","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - Any report on contracts not actively/directly supported by Yearn Finance. E.g.: Ironbank.\n  - Any report for the following helper contracts is not valid for bounties or in scope:\n    - https://etherscan.io/address/0x5b4F3BE554a88Bd0f8d8769B9260be865ba03B4a\n    - https://etherscan.io/address/0x437758D475F70249e03EDa6bE23684aD1FC375F0\n    - https://etherscan.io/address/0xa0B57619A980DFEfD50f24F310EE1b55A40A9D46\n    - https://ftmscan.com/address/0x97D0bE2a72fc4Db90eD9Dbc2Ea7F03B4968f6938\n    - https://ftmscan.com/address/0x8ca27a3ab8917a033f278D20135d2467faA099bA\n    - https://ftmscan.com/address/0x5ABdfDfa0cF2d83c4755E0a2a782eF57FEd5c23B\n    - https://arbiscan.io/address/0x3a8efa2d87d60c0289f19b44a0928f4269c0f094\n    - https://arbiscan.io/address/0x66a1a27f4b22dcaa24e427dcffbf0cddd9d35e0f\n    - https://optimistic.etherscan.io/address/0xD63aB09ac2048a7eCac92f0fFad5F104edD0E032\n    - https://optimistic.etherscan.io/address/0xD3A93C794ee2798D8f7906493Cd3c2A835aa0074\n","customProhibitedActivities":["The bug has not been submitted on other bug bounty platforms.","Vulnerabilities that have been previously submitted by another contributor or already known by the Yearn development team are not eligible for rewards.","Bugs must be reproducible in order for us to verify the vulnerability.","Rewards and the validity of bugs are determined by the Yearn security team and any payouts are made at their sole 
discretion.","Terms and conditions of the Bug Bounty program can be changed at any time at the discretion of Yearn.","Details of any valid bugs may be shared with complementary protocols utilized in the Yearn ecosystem in order to promote ecosystem cohesion and safety."],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":612,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 7 days"},{"id":613,"type":"smart_contract","severity":"high","title":"Definite losses due to Miner-extractable value (MEV) on user actions without any external factors"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":614,"type":"smart_contract","severity":"medium","title":"Definite losses due to Miner-extractable value (MEV) on user actions with external factors"},{"id":615,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 2 days"},{"id":616,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":617,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":618,"type":"smart_contract","severity":"critical","title":"Indefinite losses due to Miner-extractable value (MEV) 
on user actions without any external factors."}],"rewards":[{"id":36199,"severity":"critical","assetType":"smart_contract","maxReward":200000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":36200,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":36201,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"13kLtVgo8ji21twohx9uTq","url":"https://etherscan.io/address/0x4eff2d77D9fFbAeFB4b141A3e494c085b3FF4Cb5#code","type":"smart_contract","addedAt":"2025-08-12T07:01:57.215Z","revision":0,"description":"LiquidityBoostrappingPoolFactory (Balancer V3)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1AxDW7lJkeq2jkrKbF8umj","url":"https://polygonscan.com/address/0x22625eEDd92c81a219A83e1dc48f88d54786B017#code","type":"smart_contract","addedAt":"2022-05-11T19:13:42.621Z","revision":0,"description":"ChildChainGaugeFactory V2","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1DUaton7qSvY9JLTSKgtBA","url":"https://etherscan.io/address/0xC128a9954e6c874eA3d62ce62B468bA073093F25#code","type":"smart_contract","addedAt":"2022-05-11T19:10:34.469Z","revision":0,"description":"VotingEscrow","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1FesnHfrhcFUhJMz8IsyNg","url":"https://etherscan.io/address/0x136f1EFcC3f8f88516B9E94110D56FDBfB1778d1","type":"smart_contract","addedAt":"2025-01-15T08:09:24.208Z","revision":0,"description":"BatchRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ahrvDbTyF2AhAuOk8iwLF","url":"https://etherscan.io/address/0xa98Bce70c92aD2ef3288dbcd659bC0d6b62f8F13","type":"smart_contract","addedAt":"2022-05-11T19:12:32.212Z","revision":0,"description":"PolygonRootGaugeFactory 
(V2)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1lZPxTcK2D1fXocfiPEqcj","url":"https://etherscan.io/address/0xD3cf852898b21fc233251427c2DC93d3d604F3BB","type":"smart_contract","addedAt":"2022-05-11T19:12:46.642Z","revision":0,"description":"FeeDistributor (V2)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Lhy7KHa0q0TguZJhE5aBa","url":"https://etherscan.io/address/0x355bd33f0033066bb3de396a6d069be57353ad95#code","type":"smart_contract","addedAt":"2025-08-12T07:01:57.210Z","revision":0,"description":"StableSurgePoolFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2RQwX2DBIRGADzD09z3CvY","url":"https://etherscan.io/address/0xa731C23D7c95436Baaae9D52782f966E1ed07cc8","type":"smart_contract","addedAt":"2025-01-15T08:09:10.491Z","revision":0,"description":"ProtocolFeeController","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2lnkiRHC3JybA12pQrlNvF","url":"https://etherscan.io/address/0xB9d01CA61b9C181dA1051bFDd28e1097e920AB14","type":"smart_contract","addedAt":"2025-01-15T08:10:33.981Z","revision":0,"description":"StablePoolFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"311ZIUmYkJMhawfdIt73zu","url":"https://etherscan.io/address/0x5DbAd78818D4c8958EfF2d5b95b28385A22113Cd","type":"smart_contract","addedAt":"2022-05-11T19:10:21.005Z","revision":0,"description":"GaugeAdder (V4)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3SDJ61MOcJeA0tj518drX9","url":"https://etherscan.io/address/0xf1665E19bc105BE4EDD3739F88315cC699cc5b65","type":"smart_contract","addedAt":"2022-05-11T19:11:28.988Z","revision":0,"description":"LiquidityGaugeFactory 
(V2)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3hBvLUtftz7gGbJs18UKvh","url":"https://etherscan.io/address/0x897888115Ada5773E02aA29F775430BFB5F34c51","type":"smart_contract","addedAt":"2022-05-11T19:07:25.583Z","revision":0,"description":"WeightedPoolFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3of9FDP9ax7EbiuafSnpK9","url":"https://etherscan.io/address/0xA331D84eC860Bf466b4CdCcFb4aC09a1B43F3aE6#code","type":"smart_contract","addedAt":"2022-05-11T19:05:39.230Z","revision":0,"description":"Authorizer","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"49k5mZABKu3bKVsfd90p27","url":"https://etherscan.io/address/0xe5F96070CA00cd54795416B1a4b4c2403231c548","type":"smart_contract","addedAt":"2022-05-11T19:11:15.937Z","revision":0,"description":"LiquidityGaugeV5 (V2)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4K4BlEKq5RtuObzkBEjGr3","url":"https://etherscan.io/address/0x8F42aDBbA1B16EaAE3BB5754915E0D06059aDd75#code","type":"smart_contract","addedAt":"2022-05-11T19:09:43.267Z","revision":0,"description":"AuthorizerAdaptor","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4N8dhWpXgjUT9r8hui9fsh","url":"https://etherscan.io/address/0xeA66501dF1A00261E3bB79D1E90444fc6A186B62","type":"smart_contract","addedAt":"2022-05-11T19:08:45.585Z","revision":0,"description":"BatchRelayerLibrary 
(V6)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4id2VnSGT0XqjXUm7rPSVp","url":"https://etherscan.io/address/0x1CD776897ef4f647bf8241Ec69549e4A9cb1D608","type":"smart_contract","addedAt":"2025-01-15T08:10:02.084Z","revision":0,"description":"CompositeLiquidityRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5AZVJq3rhLu3GiRdOVDPu2","url":"https://etherscan.io/address/0x35fFB749B273bEb20F40f35EdeB805012C539864","type":"smart_contract","addedAt":"2025-01-15T08:08:52.300Z","revision":0,"description":"VaultAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5CXLZZZW2Lgt2nbjuU3oLZ","url":"https://etherscan.io/address/0x0E8B07657D719B86e06bF0806D6729e3D528C9A9","type":"smart_contract","addedAt":"2025-01-15T08:08:30.338Z","revision":0,"description":"VaultExtension","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5CvObjwRhrx7QWYfXM5EnX","url":"https://etherscan.io/address/0xbA1333333333a1BA1108E8412f11850A5C319bA9","type":"smart_contract","addedAt":"2025-01-15T08:08:15.135Z","revision":0,"description":"Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5GLPHbiUzQeogPL6XhNqzh","url":"https://etherscan.io/address/0x5C6fb490BDFD3246EB0bB062c168DeCAF4bD9FDd","type":"smart_contract","addedAt":"2025-01-15T08:10:21.059Z","revision":0,"description":"Router","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5H6X04FiqVx6Ffu0StT7sj","url":"https://etherscan.io/address/0xf302f9F50958c5593770FDf4d4812309fF77414f#code","type":"smart_contract","addedAt":"2022-05-11T19:10:08.382Z","revision":0,"description":"BalancerTokenAdmin","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Mkdk342qZqcOi6do7RYeo","url":"https://etherscan.io/address/0x5939ab16fDf1991B0EF603c639B6b501A7841fAB#code","type":"smart_contract","addedAt":"2025-08-12T07:01:57.187Z","revision":0,"description":"ReClammPoolFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Ux6WsgRAirDhh4kbsInZO","url":"https://polygonscan.com/address/0x2E96068b3D5B5BAE3D7
515da4A1D2E52d08A2647#code","type":"smart_contract","addedAt":"2022-05-11T19:13:27.954Z","revision":0,"description":"RewardsOnlyGauge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5dzo81ouGbDr3kT9Xgum9y","url":"https://etherscan.io/address/0x67F8DF125B796B05895a6dc8Ecf944b9556ecb0B","type":"smart_contract","addedAt":"2022-05-11T19:11:52.946Z","revision":0,"description":"VotingEscrowDelegation (V2)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5tXZeU6Z17Esn1s7fO8ExA","url":"https://etherscan.io/address/0x1c99324EDC771c82A0DCCB780CC7DDA0045E50e7","type":"smart_contract","addedAt":"2022-05-11T19:12:20.049Z","revision":0,"description":"ArbitrumRootGaugeFactory (V2)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"61qjqQQeJ0zBpLNZtUIDbI","url":"https://etherscan.io/address/0x9179C06629ef7f17Cb5759F501D89997FE0E7b45","type":"smart_contract","addedAt":"2025-01-15T08:09:45.862Z","revision":0,"description":"BufferRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"63KSmYjc71QHFZpXNCP2Bb","url":"https://polygonscan.com/address/0xc9b36096f5201ea332Db35d6D195774ea0D5988f#code","type":"smart_contract","addedAt":"2022-05-11T19:13:56.906Z","revision":0,"description":"ChildChainLiquidityGaugeFactory 
(V2)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"64lClnvo0nsUvEw4bvhIE3","url":"https://etherscan.io/address/0x239e55F427D44C3cc793f49bFB507ebe76638a2b#code","type":"smart_contract","addedAt":"2022-05-11T19:11:02.010Z","revision":0,"description":"BalancerMinter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"67ShrCo1COSezyzDhHpKFP","url":"https://etherscan.io/address/0xC128468b7Ce63eA702C1f104D55A2566b13D3ABD#code","type":"smart_contract","addedAt":"2022-05-11T19:10:49.179Z","revision":0,"description":"GaugeController","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6DMJJR4BLeHmXU0iCcrA3f","url":"https://etherscan.io/address/0x7869296Efd0a76872fEE62A058C8fBca5c1c826C#code","type":"smart_contract","addedAt":"2022-05-11T19:13:00.896Z","revision":0,"description":"SmartWalletChecker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6hwgj1zLpVsnymoah8JWeJ","url":"https://etherscan.io/address/0x6f5a2eE11E7a772AeB5114A20d0D7c0ff61EB8A0#code","type":"smart_contract","addedAt":"2022-05-11T19:12:07.337Z","revision":0,"description":"VotingEscrowDelegationProxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"8vFO2nzi7N68n6dQlhPIT","url":"https://etherscan.io/address/0x35Cea9e57A393ac66Aaa7E25C391D52C74B5648f","type":"smart_contract","addedAt":"2022-05-11T19:08:58.054Z","revision":0,"description":"BalancerRelayer 
(V6)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Aje5VJ9f6kfI02n8XOylf","url":"https://etherscan.io/address/0xBA12222222228d8Ba445958a75a0704d566BF2C8#code","type":"smart_contract","addedAt":"2022-05-11T19:07:12.306Z","revision":0,"description":"Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Ie6bM2i3u4ItZy6hjNvw7","url":"https://etherscan.io/address/0xA5bf2ddF098bb0Ef6d120C98217dD6B141c74EE0#code","type":"smart_contract","addedAt":"2022-05-11T19:07:38.792Z","revision":0,"description":"WeightedPool2TokensFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"WjBxG95ORXgl5pmnopFzg","url":"https://etherscan.io/address/0xba100000625a3754423978a60c9317c58a424e3d#code","type":"smart_contract","addedAt":"2022-05-11T19:05:19.181Z","revision":0,"description":"BalancerGovernanceToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"m5xbrG17Kt5AeIyvIjQiY","url":"https://etherscan.io/address/0x201efd508c8DfE9DE1a13c2452863A78CB2a86Cc","type":"smart_contract","addedAt":"2025-01-15T08:10:49.928Z","revision":0,"description":"WeightedPoolFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"yQ9sKncSrGWUbJO1aip3U","url":"https://etherscan.io/address/0x4fb47126Fa83A8734991E41B942Ac29A3266C968","type":"smart_contract","addedAt":"2022-05-11T19:11:40.761Z","revision":0,"description":"SingleRecipientGaugeFactory (V2)","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf a Critical impact can be caused to any other asset managed by Balancer that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the 
project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Solidity"],"launchDate":"2022-05-12T16:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5RONBs8MvUillmn49FRQ8G/58ec9b1dcf5079426bebf218c3948166/Balancer_Logo.png","maxBounty":1000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts__\n\nCritical \n  - Theft of >1% of total funds in the Vault\n  - Permanent freezing of >1% of total funds in the Vault\n\nHigh\n  - Theft of funds in excess of gas costs or swap fees\n  - Permanent freezing of funds in excess of gas costs or swap fees\n\nMedium\n  - Temporary freezing of funds in excess of gas costs or swap fees\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield","productType":["AMM","DEX"],"programOverview":"Balancer is a community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.\n\nBalancer Pools contain two or more tokens that traders can swap between. Liquidity Providers put their tokens in the pools in order to collect swap fees. 
\n\nBalancer adopts powerful features to slash gas costs, super-charge capital efficiency, unlock arbitrage with zero-token starting capital, and open the door to custom AMMs.\n\nFor more information about Balancer, please visit [https://balancer.fi/](https://balancer.fi/).","programType":["Smart Contract"],"project":"Balancer","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll Critical/High severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are further capped at __10%__ of economic damage, taking into account the funds at risk at the moment of the bug report submission. However, there is a minimum reward of __USD 250 000__. Additionally, the maximum reward is capped at __USD 1 000 000__, even if __10%__ of the damage in USD equivalent is greater than __USD 1 000 000__.\n\nHigh severity smart contract vulnerabilities are also further capped at __10%__ of economic damage, taking into account the funds at risk at the moment of the bug report submission. However, there is a minimum reward of __50 000 USD__. Additionally, the maximum reward is capped at __USD 250 000__, even if __10%__ of the damage is greater than __USD 250 000__.\n\nVulnerabilities involving non-standard ERC20 tokens are considered out of scope, as it would be trivial to insert an exploit into a token for the sake of applying to this bug bounty. 
A standard, Balancer-compatible ERC20 token is one that conforms to all [EIP-20 interfaces](https://eips.ethereum.org/EIPS/eip-20) and exhibits expected behavior in implementation; i.e., transfers move exactly N tokens from sender to recipient, and balances do not change by any means other than transfers. Notably, tokens with transfer fees, rebasing supplies, streaming mechanics or multiple entrypoints are not compatible with Balancer, but that list is not exhaustive.\n\nFollowing the same line, vulnerabilities that require the user to interact with explicitly malicious routers, pools, hooks or rate providers are out of scope. This is because introducing such vulnerabilities in a permissionless protocol is both trivial and impossible to prevent.\n\nKnown issues such as those previously highlighted in the following audit report are considered out of scope (list is not exhaustive): \n  - [https://github.com/balancer-labs/balancer-v2-monorepo/tree/master/audits](https://github.com/balancer-labs/balancer-v2-monorepo/tree/master/audits) \n  - [https://github.com/balancer-labs/balancer-v3-monorepo/tree/master/audits](https://github.com/balancer-labs/balancer-v3-monorepo/tree/master/audits)\n  - [https://github.com/balancer/reclamm/tree/main/audits](https://github.com/balancer/reclamm/tree/main/audits)\n\nPayouts are handled by the __Balancer__ team directly and are denominated in __USD__. 
However, payouts are done in __ETH__ or __USDC__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, ETH","slug":"balancer","tenPercentEconomicRule":false,"updatedDate":"2026-02-11T13:16:38.818Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Balancer is a community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - Known issues acknowledged in past audits and / or security contests.","customProhibitedActivities":[],"impacts":[{"id":2652,"type":"smart_contract","severity":"high","title":"Theft of funds in excess of gas costs or swap fees"},{"id":2653,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds in excess of gas costs or swap fees"},{"id":2654,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds in excess of gas costs or swap fees"},{"id":2655,"type":"smart_contract","severity":"medium","title":"Permanent freezing of unclaimed yield"},{"id":2656,"type":"smart_contract","severity":"medium","title":"Theft of unclaimed yield"},{"id":2657,"type":"smart_contract","severity":"critical","title":"Theft of >1% of total funds in the Vault"},{"id":2658,"type":"smart_contract","severity":"critical","title":"Permanent freezing of >1% of total funds in the 
Vault"}],"rewards":[{"id":10345,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":10346,"severity":"high","assetType":"smart_contract","maxReward":250000,"rewardModel":"up_to"},{"id":10347,"severity":"medium","assetType":"smart_contract","maxReward":25000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"4H9jOxIZhUY2jb5sXIMvYx","url":"https://seiscan.io/address/0x6f04B655d5209E85E47D3920A2EF407A66e83f6c","type":"smart_contract","addedAt":"2026-01-28T07:30:40.965Z","revision":0,"description":"OndoMintBurnAdapter (Sei)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3pkHhNikhcEEEWb4gP6lrK","url":"https://seiscan.io/address/0x54cD901491AeF397084453F4372B93c33260e2A6","type":"smart_contract","addedAt":"2026-01-28T07:30:40.995Z","revision":0,"description":"USDY Token (Sei)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3fVzSTp8iZv5mnHXMywPb","url":"https://explorer.plume.org/address/0xD2B65e851Be3d80D3c2ce795eB2E78f16cB088b2","type":"smart_contract","addedAt":"2026-01-28T07:30:40.991Z","revision":0,"description":"USDY Token (Plume)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1D4823ZA702C6DvOfDaKvG","url":"https://bscscan.com/address/0x2D3Fa4e1AaB6E4BBd909CF81518A8084873c47B5","type":"smart_contract","addedAt":"2025-10-29T09:48:00.289Z","revision":0,"description":"IssuanceHours (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1DqKwGmJJZmSrXgLQXFTDy","url":"https://etherscan.io/address/0x87b126e5518b6a1Bb8465779b4607C45C643DF90","type":"smart_contract","addedAt":"2025-12-17T12:08:25.520Z","revision":0,"description":"USDYOracleWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1I4aOolbm8s2fcdjbW3QnW","url":"https://bscscan.com/address/0x898128F9f22c0192da0c5acD394D9eeAc461D911","type":"smart_contract","addedAt":"2025-10-29T09:47:58.519Z","revision":0,"description":"OndoIDRegistry 
(BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1JCjHxUia8E1vxTXoMP4Ln","url":"https://polygonscan.com/address/0xbA11C5effA33c4D6F8f593CFA394241CfE925811","type":"smart_contract","addedAt":"2024-04-25T14:41:41.678Z","revision":0,"description":"OUSG Token (Polygon)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1QPIZFMIkMpFGgMDVESMIo","url":"https://bscscan.com/address/0x4D4E562D6882Dc523B8d629d2E9dF9230B699933","type":"smart_contract","addedAt":"2025-12-15T09:47:03.681Z","revision":0,"description":"OndoOwner (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1TVlBsTv3kC1KKGgoYI8tj","url":"https://solscan.io/token/i7u4r16TcsJTgq1kAG8opmVZyVnAKBwLKu6ZPMwzxNc#metadata","type":"smart_contract","addedAt":"2024-04-25T14:41:26.276Z","revision":0,"description":"OUSG Token (Solana)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1b4Is79YQdj2gYoHElb567","url":"https://etherscan.io/address/0x914D5Cb27cb30E80BdE8215ff577eD63Eb986B79","type":"smart_contract","addedAt":"2025-09-15T22:00:25.497Z","revision":0,"description":"OndoSanityCheckOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1eJQ8QLfNXFPJifGKyNjHf","url":"https://bscscan.com/address/0x01bB8620c0aEF4390c983A5A792d178AF2733e82","type":"smart_contract","addedAt":"2025-10-29T09:48:00.452Z","revision":0,"description":"GMTokenFactory (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1szSefhlBsgBDF7Dkn4nOn","url":"https://polygonscan.com/address/0x7cd852c0d7613aa869e632929560f310d4059ac1","type":"smart_contract","addedAt":"2024-04-25T14:40:43.211Z","revision":0,"description":"KYCRegistry (Polygon)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1zHPIJc3cT7IFmw2wSUXT5","url":"https://solscan.io/account/3cKyGYojYbFxeUnBf5xak3cTpaxmYuzpFbSnP9n3kyui","type":"smart_contract","addedAt":"2026-01-22T09:49:44.659Z","revision":0,"description":"Solana 
GMTokenManagerState","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2D2pcPDGtkFRCUPJivF78Q","url":"https://solscan.io/account/7YNReenG6AXgVUfmSizt6hoVXrznS4zDdgCj1UTLJ2S3","type":"smart_contract","addedAt":"2025-05-05T08:53:14.206Z","revision":0,"description":"OndoMintBurnAdapter (Solana)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2F9jmSfh9enq7ZiXpRbxAr","url":"https://etherscan.io/address/0xa0219aa5b31e65bc920b5b6dfb8edf0988121de0","type":"smart_contract","addedAt":"2024-04-25T14:44:51.720Z","revision":0,"description":"USDY Price Oracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Z2D6457Gbi2rMe13e4HhS","url":"https://solscan.io/account/CKW82CT7QtJUDkxCa6sSHZ3UXvUSu6EuGDXUtKyXgn67","type":"smart_contract","addedAt":"2026-01-22T09:49:44.667Z","revision":0,"description":"Solana USDonManagerState","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2b68lQcDpEavPH0RjZvS6L","url":"https://bscscan.com/address/0x87786323ad9997924B22eac3AA9f71f562795633","type":"smart_contract","addedAt":"2025-12-15T09:47:03.692Z","revision":0,"description":"OndoOFT (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2iMuoYZjhZydB4n4aLqSYT","url":"https://arbiscan.io/address/0x0bE393DC46248E4285dc5CAcA3084bc7e9bfbB41#code","type":"smart_contract","addedAt":"2024-11-26T07:52:47.626Z","revision":0,"description":"OndoMintBurnAdapter (Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2mFHjVqnm2KwMhGUgWaKDL","url":"https://bscscan.com/address/0xCd6D30a1A585eb67E0d0ef5c1ae601BE20862897","type":"smart_contract","addedAt":"2025-10-29T09:47:58.352Z","revision":0,"description":"OndoRateLimiter (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"32DQuxkbUCuF6UIWLJ0wrZ","url":"https://bscscan.com/address/0x91f8Aff3738825e8eB16FC6f6b1A7A4647bDB299","type":"smart_contract","addedAt":"2025-10-29T09:47:58.344Z","revision":0,"description":"GMTokenManager 
(BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"33vSk5IFfOHltDRf5vJGse","url":"https://etherscan.io/address/0x54043c656F0FAd0652D9Ae2603cDF347c5578d00","type":"smart_contract","addedAt":"2024-04-25T14:41:56.725Z","revision":0,"description":"rOUSG Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"34oYv1hQzMHEYhUMpOrbp7","url":"https://etherscan.io/address/0xe9b3c628103580702b465c052f67843cac61fb35","type":"smart_contract","addedAt":"2025-04-09T08:15:45.935Z","revision":0,"description":"BasicRecipient - USDC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"354kMljxeU271GPxbKL49X","url":"https://etherscan.io/address/0xcf6958D69d535FD03BD6Df3F4fe6CDcd127D97df","type":"smart_contract","addedAt":"2025-04-09T08:12:18.291Z","revision":0,"description":"OndoIDRegistry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"36j2WovOV4r60uLOCowWt5","url":"https://etherscan.io/address/0x98Db502215Da1ad9F626D4a0090A8A2f4971003c","type":"smart_contract","addedAt":"2025-04-09T08:13:52.704Z","revision":0,"description":"OndoRateLimiter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"36tEanWtF8QmIaP0blwssO","url":"https://etherscan.io/address/0xeA8dBF5F3456FaB742fc11b977330A58069758eF","type":"smart_contract","addedAt":"2025-12-15T09:47:03.359Z","revision":0,"description":"OndoOFT","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3NaUpk9J81qHjSa0M0n7nk","url":"https://bscscan.com/address/0x14032815B65f6B65f23d2532ad5F5DFf7BE48C03","type":"smart_contract","addedAt":"2025-10-29T09:48:00.406Z","revision":0,"description":"OndoSanityCheckOracle 
(BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3RUuTskeCn6UnYiyZo5ea2","url":"https://etherscan.io/address/0x99B8d1D1c17a10CD1A878d1A44c11fd7E4daD7bC","type":"smart_contract","addedAt":"2025-04-09T08:14:50.287Z","revision":0,"description":"OndoTokenRouter","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Zl74YH2wjIJspiihuDvo7","url":"https://etherscan.io/address/0xfD48112E448417CA79305a518c4186dF4b0A200a","type":"smart_contract","addedAt":"2025-09-15T22:01:38.886Z","revision":0,"description":"TokenPauseManger","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3na9s2abRIZ2juuBSYjrE8","url":"https://etherscan.io/address/0xff2BABA46Df92919705E60120C477Ae5b7341Eb3","type":"smart_contract","addedAt":"2025-12-15T09:47:03.445Z","revision":0,"description":"Messenger","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3oLb5MgAR0T2EWK6M7DxdH","url":"https://etherscan.io/address/0xD2746617c58b72254785BDb483e04f311c858d5f","type":"smart_contract","addedAt":"2025-09-15T22:01:09.302Z","revision":0,"description":"TokenManagerRegistrar","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3vca5jMkjCkb5XccCj54Wu","url":"https://etherscan.io/address/0x2c158BC456e027b2AfFCCadF1BDBD9f5fC4c5C8c","type":"smart_contract","addedAt":"2025-09-15T22:02:15.017Z","revision":0,"description":"GMTokenManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3wNkIHNmYmzfZGhLVPMhYR","url":"https://bscscan.com/address/0x578f397CA4661D1dB4D9a65065D6B284A1A850fd","type":"smart_contract","addedAt":"2025-10-29T09:47:58.678Z","revision":0,"description":"GMToken Implementation (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"44mmOWoiUdP1y3nakyVy76","url":"https://solscan.io/token/A1KLoBrKBde8Ty9qtNQUtq3C2ortoC3u7twggz7sEto6#metadata","type":"smart_contract","addedAt":"2024-04-25T14:43:50.726Z","revision":0,"description":"USDY Token (Standard SPL Token on 
Solana)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"47DAiuDuv29dtOAbWWHRvo","url":"https://etherscan.io/address/0x0b34233a94c3433092009D8903080553039bB7a1","type":"smart_contract","addedAt":"2025-12-15T09:47:03.631Z","revision":0,"description":"Inspector","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"48Jwose3l9xfjauJHL44J7","url":"https://etherscan.io/address/0x56A5D911052323D688C731d516530878557463e7","type":"smart_contract","addedAt":"2025-04-09T08:12:32.948Z","revision":0,"description":"OndoIDRegistryView","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4M304BTapgeMB8O3Zv5KoA","url":"https://etherscan.io/address/0xE59dbF08CccF8D1ab90156b9664d31Fd20BB2AC7","type":"smart_contract","addedAt":"2025-09-15T22:00:09.614Z","revision":0,"description":"OndoIssuanceHours","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4OEwyM3wTmdgQRl68iAg3g","url":"https://etherscan.io/address/0x54a8757c2FEF8649830b158a8C19D3a670e80318","type":"smart_contract","addedAt":"2025-09-15T22:01:51.580Z","revision":0,"description":"OndoComplianceGMView","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4S4SorXAoTFnyoFednxr59","url":"https://etherscan.io/address/0x95feCDD21D48426d3bAd195c6A3f0686e6b4d635","type":"smart_contract","addedAt":"2025-09-15T21:59:40.212Z","revision":0,"description":"USDCSource","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Sc6p0Hhih1maG2OzH0bTs","url":"https://etherscan.io/address/0xaf37c1167910ebc994e266949387d2c7c326b879","type":"smart_contract","addedAt":"2024-05-08T11:24:39.926Z","revision":0,"description":"rUSDY Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4sLrsVaMrjZFzyKaA6hf5t","url":"https://bscscan.com/address/0x2ced30744edcF9eDe5799eb07a0A29CE4f012a0c","type":"smart_contract","addedAt":"2025-12-15T09:47:03.855Z","revision":0,"description":"RateLimiter (OFTs) 
(BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4uvY2gzrwyGSjQERNjImfS","url":"https://etherscan.io/address/0xEaC2181075BA0FC53D5141B17943Ea9F913954e6","type":"smart_contract","addedAt":"2025-04-09T08:12:47.359Z","revision":0,"description":"OndoSubscriptionFees","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4v549PJbXsqxt646flBHAw","url":"https://etherscan.io/address/0xAcE8E719899F6E91831B18AE746C9A965c2119F1","type":"smart_contract","addedAt":"2025-09-15T21:58:45.152Z","revision":0,"description":"USDon","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4w3sisY63j5t6JNrPWHLHm","url":"https://etherscan.io/address/0xbC6D5C103a3f586e68bd475942a49d041b171C3e","type":"smart_contract","addedAt":"2025-12-15T09:47:03.452Z","revision":0,"description":"OndoOwner","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5GhUOY1685ETpg6sOuT6O5","url":"https://etherscan.io/address/0xa6275720b3fB1Efe3E6EF2b5BF2293148852307D#code","type":"smart_contract","addedAt":"2024-11-26T07:51:14.705Z","revision":0,"description":"OndoMintBurnAdapter (Ethereum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5JVsLIPq3l6JhhSY7IHEpu","url":"https://bscscan.com/address/0x55E0b3aC59D3F6A924483B25A9F3D83C0Dd7C31c","type":"smart_contract","addedAt":"2025-10-29T09:48:00.369Z","revision":0,"description":"BridgeRegistrarStub 
(BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Waq0MZQYbda9PdC1bBiYC","url":"https://etherscan.io/address/0x14dd822e1b75253525a209e3cc917cd0d54b6cae","type":"smart_contract","addedAt":"2025-09-15T21:59:56.403Z","revision":0,"description":"USDC/USDonRecipient","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ZvccnSOzAJz2YFvP8972c","url":"https://etherscan.io/address/0x156F73fc73197555e950743Cb2B23F411c751002","type":"smart_contract","addedAt":"2025-04-09T08:12:02.895Z","revision":0,"description":"OndoCompliance","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5hvUM0AM1h5Oo9HtSN0qa8","url":"https://arbiscan.io/address/0x35e050d3C0eC2d29D269a8EcEa763a183bDF9A9D","type":"smart_contract","addedAt":"2024-07-15T08:39:26.415Z","revision":0,"description":"USDY Token (Arbitrum)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5kEmPMOIbi02edgxcOJQ2N","url":"https://etherscan.io/address/0xebBcb2cEE51c2FeE4062c9C1270dcb98B0b22250","type":"smart_contract","addedAt":"2025-09-15T22:00:57.413Z","revision":0,"description":"GMToken Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5smEAhasH5fYcaXmG5XmT2","url":"https://etherscan.io/address/0x9Cad45a8BF0Ed41Ff33074449B357C7a1fAb4094","type":"smart_contract","addedAt":"2025-04-09T08:14:19.795Z","revision":0,"description":"OndoOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5uavndQmk9LaHXjClyowjA","url":"https://bscscan.com/address/0x5f7d50242206993A4476C76b21950219a4ED2c91","type":"smart_contract","addedAt":"2025-12-15T09:47:03.684Z","revision":0,"description":"Messenger (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5ueXCR78RaZjYo27ympqLr","url":"https://explorer.mantle.xyz/address/0x5bE26527e817998A7206475496fDE1E68957c5A6","type":"smart_contract","addedAt":"2024-04-25T14:43:34.838Z","revision":0,"description":"USDY Token 
(Mantle)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"611CKJy19FdSgKs9bJUD5y","url":"https://etherscan.io/address/0xa42613C243b67BF6194Ac327795b926B4b491f15","type":"smart_contract","addedAt":"2025-12-17T12:08:25.535Z","revision":0,"description":"USDY Instant RWA Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6GfbDIHkp4d10hSASUSlCX","url":"https://etherscan.io/address/0x27370016A46fF10255b8DAAbE7035f5203ce280E","type":"smart_contract","addedAt":"2025-04-09T08:15:31.120Z","revision":0,"description":"BasicSource - PYUSD","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Gpl690o30t6b2HMx0NVz9","url":"https://www.oklink.com/xlayer/address/0x5903E2Be82832c42a868A4748B64b5c401DE91Eb/contract#category=read","type":"smart_contract","addedAt":"2024-04-25T14:44:05.398Z","revision":0,"description":"USDY Token (X Layer)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6QRTGY8RlCVAQObUBd0QJs","url":"https://etherscan.io/address/0x44cBF4D4Db78a48F80d54b61FA1955979f07AEfd","type":"smart_contract","addedAt":"2025-09-15T21:59:24.638Z","revision":0,"description":"USDonSource","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6mw7WC3xxcHyKXPTdXRWrQ","url":"https://etherscan.io/address/0x10d8bbFAE5dF091DC1646A95685F7aFAe0c853E7","type":"smart_contract","addedAt":"2025-04-09T08:15:58.492Z","revision":0,"description":"BasicRecipient - PYUSD","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6oTcuEs56NJ0SJZ0s95ZT7","url":"https://explorer.mantle.xyz/address/0xA96abbe61AfEdEB0D14a20440Ae7100D9aB4882f#code","type":"smart_contract","addedAt":"2024-04-25T14:45:07.102Z","revision":0,"description":"USDY Price Oracle (Mantle)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6skHHLKBU1AoJ4Wy8ya8ly","url":"https://bscscan.com/address/0x6334924c787Ebd21C881740Ef6237Ef51962638F","type":"smart_contract","addedAt":"2025-10-29T09:47:58.525Z","revision":0,"description":"TokenPauseManager 
(BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6u49DeizPTadFzQcEFSSwP","url":"https://etherscan.io/address/0x93358db73B6cd4b98D89c8F5f230E81a95c2643a","type":"smart_contract","addedAt":"2025-04-09T08:11:49.694Z","revision":0,"description":"OUSG Instant RWA Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7F6fEIeg0dpQx75WbV2K0M","url":"https://etherscan.io/address/0x25A103A1D6AeC5967c1A4fe2039cdc514886b97e","type":"smart_contract","addedAt":"2024-04-25T14:44:35.674Z","revision":0,"description":"USDY Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7KVmmz7L6BZwzLX1BcffR","url":"https://etherscan.io/address/0x9F205E1aC7698F59EdbAa0a28C4A4c4ed605b722","type":"smart_contract","addedAt":"2025-04-09T08:15:15.286Z","revision":0,"description":"BuidlUSDCSource","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7aWqjVfH9FwYxJ9JGWWZok","url":"https://bscscan.com/address/0xA21Ed4C3122fc51c6D6Db0d668D968C3B3f689CB","type":"smart_contract","addedAt":"2025-10-29T09:47:58.345Z","revision":0,"description":"TokenManagerRegistrar (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7l3SmSJBn7GLvVbFDDEXVs","url":"https://bscscan.com/address/0x0b34233a94c3433092009d8903080553039bb7a1","type":"smart_contract","addedAt":"2025-12-15T09:47:05.459Z","revision":0,"description":"Inspector (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"9GeDAT7suA3EXGebE9zon","url":"https://www.mintscan.io/noble/assets/native/YXVzZHk=","type":"smart_contract","addedAt":"2024-07-15T08:39:08.711Z","revision":0,"description":"USDY Token (Noble)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"9Q8aeDRwKHuX1aQ7zcbQJ","url":"https://etherscan.io/address/0x1B19C19393e2d034D8Ff31ff34c81252FcBbee92","type":"smart_contract","addedAt":"2024-04-25T14:41:10.094Z","revision":0,"description":"OUSG 
Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"BMyZkIhAAyM7RRoxrOv0N","url":"https://etherscan.io/address/0x0502c5ae08E7CD64fe1AEDA7D6e229413eCC6abe","type":"smart_contract","addedAt":"2024-04-25T14:40:55.716Z","revision":0,"description":"OUSG Oracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"BuX74VFrq4JdaQ26sEFRQ","url":"https://explorer.mantle.xyz/address/0x0bE393DC46248E4285dc5CAcA3084bc7e9bfbB41?tab=contract","type":"smart_contract","addedAt":"2024-11-26T07:52:03.749Z","revision":0,"description":"OndoMintBurnAdapter (Mantle)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"C7jJIp5K3076mlqAuQ3xi","url":"https://etherscan.io/address/0x05CCbB4b74854f8A067b83475E8c34f5a413D7e1","type":"smart_contract","addedAt":"2025-09-15T21:59:07.567Z","revision":0,"description":"USDonManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"J15fQjmHBeDbXpYZBrce9","url":"https://explorer.mantle.xyz/address/0xab575258d37EaA5C8956EfABe71F4eE8F6397cF3?tab=contract#address-tabs","type":"smart_contract","addedAt":"2024-04-25T14:43:19.866Z","revision":0,"description":"rUSDY Token (a.k.a mUSD) (Mantle)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"SNUa4df67cHNceIbrL7Vd","url":"https://etherscan.io/address/0x7a17Ad297b79f1fA7e40FF4F81A332bE85D10f29","type":"smart_contract","addedAt":"2025-09-15T22:01:23.580Z","revision":0,"description":"BridgeRegistrarStub","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"TJwGG8nT5j2ZoBYq234Wz","url":"https://explorer.aptoslabs.com/account/0xcfea864b32833f157f042618bd845145256b1bf4c0da34a7013b76e42daa53cc/modules/code/usdy?network=mainnet","type":"smart_contract","addedAt":"2024-04-25T14:44:19.928Z","revision":0,"description":"USDY Token 
(Aptos)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"UBFXxEaZIfJSKv9LiMWtT","url":"https://bscscan.com/address/0x76be569C94C39a2E2492DE2F4D1C253F348250D0","type":"smart_contract","addedAt":"2025-10-29T09:47:58.667Z","revision":0,"description":"OndoComplianceGMView (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ZDCt6DU5KFdZaWM9pLxoL","url":"https://etherscan.io/address/0xF16c188c2D411627d39655A60409eC6707D3d5e8","type":"smart_contract","addedAt":"2024-04-25T14:42:12.918Z","revision":0,"description":"OUSG Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"bTRUgA0m9itLvAfnj3I1R","url":"https://bscscan.com/address/0x1f8955E640Cbd9abc3C3Bb408c9E2E1f5F20DfE6","type":"smart_contract","addedAt":"2025-10-29T09:48:00.561Z","revision":0,"description":"USDon (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"czSQSN4XaRsSODXXDFfA4","url":"https://solscan.io/account/XzTT4XB8m7sLD2xi6snefSasaswsKCxx5Tifjondogm","type":"smart_contract","addedAt":"2026-01-22T09:49:44.668Z","revision":0,"description":"Solana GM 
Program","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"hG4XhNerFWQTSd99X6YkW","url":"https://etherscan.io/address/0xADC4966E4F8CAAf12C777f07AA7A0Ae8D894cDf3","type":"smart_contract","addedAt":"2025-04-09T08:14:06.856Z","revision":0,"description":"OUSGOracleWrapper","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"i2lZCCznitpmeMyglzvWz","url":"https://etherscan.io/address/0xe28AfEC27C50096B4e98cd5546eAE8414b5e7542","type":"smart_contract","addedAt":"2025-04-09T08:15:03.759Z","revision":0,"description":"PauseManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"oVNNHOVfvhgAm02eaFn1f","url":"https://etherscan.io/address/0xE60F44AA6b7084d5Ca05D0e9145921e94bc23caB","type":"smart_contract","addedAt":"2025-09-15T22:00:42.756Z","revision":0,"description":"GMTokenFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"qRJsG9LoKlU1MCEcYvK4P","url":"https://etherscan.io/address/0x96F6eF951840721AdBF46Ac996b59E0235CB985C","type":"smart_contract","addedAt":"2024-04-25T14:43:03.971Z","revision":0,"description":"USDY Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"sBBsTmGcZAYwvo14kai3p","url":"https://etherscan.io/address/0xE1cb24077d77d2fE763fCAC63e5653D97dc8D20C","type":"smart_contract","addedAt":"2025-04-09T08:13:38.696Z","revision":0,"description":"OndoRedemptionFees","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"tuXK1mW45VjBwiIjFrYpN","url":"https://etherscan.io/address/0x4D4E562D6882Dc523B8d629d2E9dF9230B699933","type":"smart_contract","addedAt":"2025-12-15T09:47:03.449Z","revision":0,"description":"RateLimiter (OFTs)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ygVey6hIjvto9KFT6PvDZ","url":"https://bscscan.com/address/0xC58584FF45b06822f49Ec8871BA8af9B8943A689","type":"smart_contract","addedAt":"2025-10-29T09:47:58.381Z","revision":0,"description":"USDonConverter 
(BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"yrxyaBAo2Xyvja0vXIQf0","url":"https://etherscan.io/address/0x1cb2Dcc325615d02ae384941149d1dA6521fa018","type":"smart_contract","addedAt":"2025-04-09T08:14:33.740Z","revision":0,"description":"AdminSubscriptionChecker","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98713","url":"https://etherscan.io/address/0x9BC39DB6fbB44B91a48b8D5A6C208B82B1741bE6","type":"smart_contract","addedAt":"2026-02-06T18:50:51.374Z","revision":0,"description":"SyntheticSharesOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98714","url":"https://bscscan.com/address/0xF4Fd8a1B412633e10527454137A29Db7Aa35F15e","type":"smart_contract","addedAt":"2026-02-06T18:50:51.374Z","revision":0,"description":"SyntheticSharesOracle (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98775","url":"https://etherscan.io/address/0xf0Bc39Fc911F6437C84d16188dD8294F7110f451","type":"smart_contract","addedAt":"2026-02-10T08:49:15.010Z","revision":0,"description":"GMTokenLimitOrder","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98776","url":"https://bscscan.com/address/0x96b525B1a93f31E65F4aAf18C53842eD28525D48","type":"smart_contract","addedAt":"2026-02-10T08:49:15.010Z","revision":0,"description":"GMTokenLimitOrder (BSC)","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"If an impact can be caused to any other asset managed by Ondo Finance that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.\n\n\nFor the USDY Token (Noble) asset, please refer to https://github.com/ondoprotocol/usdy-noble for the source 
code.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-03-07T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2dR2c08kamplNaWIiF37h6/c269496e763806bbbd815efa7c662590/ondo-logo.svg","maxBounty":1000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Yield Aggregator"],"programOverview":"Ondo Finance brings exposure to US Treasuries on-chain, making it possible for token holders to earn yield daily with highly liquid, bankruptcy-remote, tokenized assets. Ondo significantly broadens the investor base that can capitalize on these yields and put their assets to work in blockchain-based applications, while reducing the friction experienced when converting between stablecoins and tokenized traditional assets.\n\nQualifying purchasers receive tokenized assets which are transferable on-chain, including through approved smart contracts, paving the way for a compliant on-chain financial ecosystem powered by real-world assets.\n\nFor more information about Ondo Finance, please visit https://ondo.finance/\n\nOndo Finance provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__\n\nOndo Finance will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of passport or other government-issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project\n- Compensated team members of Ondo Finance or any of its affiliates;\n- Third-party vendors, suppliers and service providers to Ondo Finance or any of its affiliates, and team members of those third parties;\n- Businesses or organizations that are not Ondo Finance affiliates but hold or have held assets considered as critical infrastructure covered under the bug bounty program; third-party vendors, suppliers and service providers to those businesses or organizations; and team members of those businesses, organizations or third parties; and\n- Security auditors that directly or indirectly participated in the review of the code impacted, except for auditors that solely participated in crowdsourced/competitive audits sponsored by Ondo Finance.\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nOndo Finance adheres to the Primacy of Impact for the following impacts, subject to the provisions of this section of Ondo’s Program:\n- Smart Contract - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. 
If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nFor any impact that would be eligible for a reward based on the Primacy of Impact approach, but otherwise would not be eligible for a reward, the amount of the reward will be at Ondo Finance’s discretion. Rewards will not be provided for impacts that are out of scope, or where the limitations of this Program otherwise apply.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nAll bug reports must come with a PoC with one or more Impacts in Scope on one or more Assets in Scope in order to be considered for a reward. Explanations and statements are not sufficient as PoC; bug reports must include a runnable PoC in order to prove impact. Exceptions may be made, at Ondo Finance’s discretion, in cases where the vulnerability is objectively evident; however, the bug reporter may be required to provide a PoC at any point in time. In addition to these requirements, all PoCs submitted must demonstrate a good-faith effort to comply with the Immunefi-wide PoC Guidelines and Rules. Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n- Profiting from purchasing OUSG or USDY before a price increase and then immediately selling after. This includes using MEV and flash loans. \n- Effects from large price swings in the SHV ETF, which may constrain the prices at which OUSG can be set to\n- Effects from allowlists or blocklists (e.g. KYC Registry, USDC blacklist, Chainalysis Sanctions Oracle, USDY Blocklist, BUIDL Whitelist, etc.)\n- Effects from the BUIDL token being seized by the issuer or configured in a way that interferes with OUSGInstantManager Redemptions\n- Users unable to perform instant redemptions because there is not enough USDC or BUIDL in the OUSGInstantManager contract\n- Users unable to perform instant redemptions because there is not enough USDC liquidity available for the BUIDL token\n- Effects from USDC depegging\n- Misuse of admin rights (malicious or accidental)\n- Taking advantage of rate limits to DDOS subscriptions, redemptions or bridges\n- Minimum redemption amounts prohibiting a user from performing a redemption\n- Minor imprecision stemming from rebasing tokens or differences in decimals. This includes intentional and unintentional dust accumulation in the form of token balances and rebasing token “shares.”\n- Front running permissioned setter functions that pertain to fees\n- Front running permissioned override functions for subscription or redemption state in OUSG Manager and USDY Manager\n- Bridge liveness impacts caused by the rate limiting configuration\n\n__Previous Audits__\n\nOndo Finance’s completed audit reports can be found below. Any issues mentioned in the following reports, including but not limited to unfixed vulnerabilities,  are not eligible for a reward. For Code4rena Audits, findings in the competition READMEs and findings repositories are also not eligible for a reward. 
\n- [April 2024 Code4rena Audit](https://code4rena.com/reports/2024-03-ondo-finance)\n- [April 2024 Cyfrin Audit](https://docs.ondo.finance/pdf/Ondo-Cyfrin-Audit-April-2024.pdf)\n- [September 2023 Code4rena Audit](https://code4rena.com/reports/2023-09-ondo/)\n- [August 2023 Zokyo Audit](https://docs.ondo.finance/pdf/Ondo-Zokyo-Audit-August-2023.pdf)\n- [April 2023 NetherMind Audit](https://docs.ondo.finance/pdf/Ondo-NetherMind-Audit-April-2023.pdf)\n- [January 2023 Code4rena Audit](https://code4rena.com/reports/2023-01-ondo/)\n\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Ondo Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).\n\n__Other Terms__\n\nThe Terms of Use between each participant in this bug bounty program and Immunefi Software Pte. Ltd., available at https://immunefi.com/terms-of-use/, shall apply between the participant and Ondo as if the participant were “you” or “User”, as if Ondo were “Company”, “we”, “our” or “us”, and as if “Interface”, “Website” and “Platform” referred only to the portions thereof that are applicable to this bug bounty program (except for Sections 7, 8, 11, 23, the first two paragraphs of Section 1 and the first paragraph of Section 12).","programType":["Smart Contract"],"project":"Ondo Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 1 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, the amount of funds at risk will be calculated within the first 45 minutes from the first attack, inclusive, no matter how many times the attack can be executed within that time frame, as demonstrated by the PoC provided by the security researcher.\n\nExample 1: vulnerability is discovered that can steal USD 1 million 30 times within 45 minutes from the first execution of the attack, then the funds at risk is considered as USD 30 million.\n\nExample 2: if a vulnerability is discovered that can steal USD 1 million once every 45 minutes from the first execution of the attack, then the funds at risk is considered as USD 1 million.\n\nHowever, for smart contracts directly holding funds that can’t be protected, if a discovered vulnerability includes the temporary locking of funds that could otherwise be withdrawn and thus prevented from being stolen but still accessible to the exploiter to take the funds, the time is extended to the exact same time as temporary locking. Extensions of the temporary locking that introduce a gap where withdrawals can happen will not be considered.\n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 11 000 to USD 50 000 depending on the funds at risk, capped at the maximum high reward.  \n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. 
Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\nPayouts are handled by the Ondo Finance team directly and are denominated in USD. However, payments are done in USDC on Ethereum based on an implied USD:USDC exchange rate of 1:1.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"ondofinance","tenPercentEconomicRule":true,"updatedDate":"2026-02-06T18:50:52.111Z","impactsBody":"If an impact can be caused to any other asset managed by Ondo Finance that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project.\n\n\nFor the USDY Token (Noble) asset, please refer to https://github.com/ondoprotocol/usdy-noble for the source code.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Ondo Finance brings exposure to US Treasuries on-chain, making it possible for token holders to earn yield daily with highly  liquid, bankruptcy-remote, tokenized assets. Ondo significantly broadens the investor base that can capitalize on these yields and put their assets to work in blockchain-based applications, while reducing the friction experienced when converting between stablecoins and tokenized traditional assets.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Impacts that have already been reported, or that are highly similar to impacts that have already been reported, under this Ondo Finance bug bounty program ","customProhibitedActivities":[],"impacts":[{"id":1735,"type":"smart_contract","severity":"low","title":"Smart contract failure to deliver promised returns (but without losing value)"},{"id":1736,"type":"smart_contract","severity":"low","title":"Theft of gas"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":1737,"type":"smart_contract","severity":"high","title":"Ability to bypass contract paused state"},{"id":1738,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 24 hours"},{"id":1739,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":1740,"type":"smart_contract","severity":"medium","title":"Bypassing blocklists, sanctions list, or allowlists, successfully allowing blocked actors to acquire OUSG or USDY tokens or rebasing versions of the same (note: use of wrappers does not constitute a bypass)"},{"id":1741,"type":"smart_contract","severity":"medium","title":"Bypassing the Noble USDY IBC channel blocklist, successfully allowing USDY on Noble to be bridged out through a blocked channel via IBC (note: use of wrappers does not constitute a bypass)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":34688,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":34689,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":11000,"rewardModel":"range"},{"id":34690,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":34691,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"1gNA3b2vZsxVp7OloUGQoi","url":"https://docs.ondo.finance/audits","auditor":"Various","date":"2025-10-06T00:00:00.000Z"}]},{"assets":[{"id":"uN6gUiqXA5Ptq0M1BHcHD","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/account_deposit.rs","type":"smart_contract","addedAt":"2022-05-12T17:18:47.026Z","revision":0,"description":"Exchange 
(Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"74gBd4NpOhQWkx2At7SK3E","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/action.rs","type":"smart_contract","addedAt":"2022-05-12T17:19:12.778Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5A87WfpUx6HuWntFSXmtsz","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/admin_fee.rs","type":"smart_contract","addedAt":"2022-05-12T17:19:35.154Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ngvjiqLeD0nIJcAOfCsn2","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/errors.rs","type":"smart_contract","addedAt":"2022-05-12T17:20:20.536Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Mh1YRYtNiOlXqCNBRnCrP","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/legacy.rs","type":"smart_contract","addedAt":"2022-05-12T17:20:35.287Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Pb4AYrAtcUYaGGfUdPfHv","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/lib.rs","type":"smart_contract","addedAt":"2022-05-12T17:20:50.120Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3rzeMIgsHBvFtZ7c1roiih","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/multi_fungible_token.rs","type":"smart_contract","addedAt":"2022-05-12T17:21:03.655Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1gqdPlqKUTB7X6MyjMra6b","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/owner.rs","type":"smart_contract","addedAt":"2022-05-12T17:21:22.796Z","revision":0,"description":"Exchange 
(Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4qAvkppe2MW8gPUxk1B0cp","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/pool.rs","type":"smart_contract","addedAt":"2022-05-12T17:21:44.520Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5FpuqQNUbR3IlCrz3tEfk7","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/simple_pool.rs","type":"smart_contract","addedAt":"2022-05-12T17:21:57.222Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1WBlv7g9b2OUxT77Kz48T4","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/storage_impl.rs","type":"smart_contract","addedAt":"2022-05-12T17:22:08.060Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5qOUEGpm8DP8GrktZxW6Rl","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/token_receiver.rs","type":"smart_contract","addedAt":"2022-05-12T17:22:20.085Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2RjJyn6xafvfsH6m3dz1VI","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/utils.rs","type":"smart_contract","addedAt":"2022-05-12T17:22:31.579Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1sIL9EA3ES07Qf1Q7PxgAT","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/views.rs","type":"smart_contract","addedAt":"2022-05-12T17:22:45.778Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7adiFulVBWnGxXXCJ7zfHm","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/stable_swap/math.rs","type":"smart_contract","addedAt":"2022-05-12T17:22:57.512Z","revision":0,"description":"Exchange 
(Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2qgz5SPLrl8vVwotOHc00Z","url":"https://github.com/ref-finance/ref-contracts/blob/main/ref-exchange/src/stable_swap/mod.rs","type":"smart_contract","addedAt":"2022-05-12T17:23:08.874Z","revision":0,"description":"Exchange (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"r0gQ1jWR7SdoHABitlrPf","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/actions_of_farmer_reward.rs","type":"smart_contract","addedAt":"2022-09-05T14:39:52.786Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4Q2XQP7UDxvpmF0BSDPhBq","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/actions_of_farmer_seed.rs","type":"smart_contract","addedAt":"2022-09-05T14:40:15.625Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1EIWvlI5MwO4JsMJOhHrta","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/actions_of_seed.rs","type":"smart_contract","addedAt":"2022-09-05T14:40:43.644Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"11QJ6j47pgJQYUy7NNeqZI","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/big_decimal.rs","type":"smart_contract","addedAt":"2022-09-05T14:41:05.580Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3OFHQqBIWhQYlUNGId2Rqg","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/booster.rs","type":"smart_contract","addedAt":"2022-09-05T14:41:25.034Z","revision":0,"description":"Boosted Farming 
(Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4yGitoDJMzPs3EUz6cHQS6","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/errors.rs","type":"smart_contract","addedAt":"2022-09-05T14:41:44.585Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"65sjroWESQBwL8g1hg7IVN","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/events.rs","type":"smart_contract","addedAt":"2022-09-05T14:50:04.474Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"BI3dPBW4RvjOaYYra15g3","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/farmer.rs","type":"smart_contract","addedAt":"2022-09-05T14:50:31.528Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"25BGxeqInD89RTP6yH7VcZ","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/farmer_seed.rs","type":"smart_contract","addedAt":"2022-09-05T14:50:48.612Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ViOGfL7sGXMf0QQ9y4q97","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/legacy.rs","type":"smart_contract","addedAt":"2022-09-05T14:51:00.093Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4HelBSkyLvf9ASn2tMz2NN","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/lib.rs","type":"smart_contract","addedAt":"2022-09-05T14:51:11.573Z","revision":0,"description":"Boosted Farming 
(Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7xEAUgrjLeeYK8JKq4CH4G","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/management.rs","type":"smart_contract","addedAt":"2022-09-05T14:51:22.055Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1uJpyiNczMuDYLUqYljh3p","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/owner.rs","type":"smart_contract","addedAt":"2022-09-05T14:51:32.716Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"eABWjgWKkXeeHhTpp94Wp","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/seed.rs","type":"smart_contract","addedAt":"2022-09-05T14:51:43.981Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7nXTzSsjISBCzIeXBQvgbq","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/seed_farm.rs","type":"smart_contract","addedAt":"2022-09-05T14:51:55.014Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3BVUgglBEKv2ngNZPBnlMI","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/storage_impl.rs","type":"smart_contract","addedAt":"2022-09-05T14:52:08.023Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Sx4dlhH5d34XNzTaIbGZp","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/token_receiver.rs","type":"smart_contract","addedAt":"2022-09-05T14:52:19.512Z","revision":0,"description":"Boosted Farming 
(Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1L3cv82ezB0q47EQzbHNKi","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/utils.rs","type":"smart_contract","addedAt":"2022-09-05T14:52:31.094Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3ovAQEaNoELUpQ99Fo7n2q","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/boost-farming/src/view.rs","type":"smart_contract","addedAt":"2022-09-05T14:52:42.942Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2tjSyKLiOOfMwdyT5PlUbo","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/mock-ft/src/lib.rs","type":"smart_contract","addedAt":"2022-09-05T14:52:54.831Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1M2T1dlIfy1B03WHm0nPfR","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/mock-mft/src/lib.rs","type":"smart_contract","addedAt":"2022-09-05T14:53:11.206Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"hmyRElzpSt8Gn9rxpuM8N","url":"https://github.com/ref-finance/boost-farm/blob/main/contracts/mock-mft/src/mft.rs","type":"smart_contract","addedAt":"2022-09-05T14:53:27.402Z","revision":0,"description":"Boosted Farming (Github)","isSafeHarbor":false,"isPrimacyOfImpact":false}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty 
program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Near"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust"],"launchDate":"2022-05-17T18:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4TAtaBVjyvSndkNO3Y61F2/2a3c5d9cda7a3aa4ecb2d9548a4390b3/Ref_Finance_Logo__Small.png","maxBounty":250000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["AMM","DEX"],"programOverview":"Ref Finance is a community-led, multi-purpose DeFi platform built on NEAR Protocol. Ref takes full advantage of NEAR’s low fees, one-to-two second finality, and WebAssembly-based runtime (hello, Rust smart contracts!).\n\nIn addition to the advantages of being built on top of NEAR, Ref Finance provides: \n  - Multiple pools in one contract\n  - Atomic transactions\n  - Customisable pool fee\n  - Liquidity Aggregation across networks\n\nFor more information about Ref Finance, please visit [https://www.ref.finance/](https://www.ref.finance/).","programType":["Smart Contract"],"project":"Ref Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. 
In addition, all bug reports must come with a suggestion for a fix in order to be considered for a reward. \n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 50 000__ for Critical smart contract bug reports. \n\nIssues previously highlighted in the following audit report are considered as out of scope: \n  - [https://422665050-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MhIB0bSr6nOBfTiANqT-2910905616%2Fuploads%2Fh8mipVuJTakoLC6XmzfU%2FRef%20Finance%20Security%20Audit-1.pdf?alt=media&token=cf0398d1-97d5-4367-9776-07bc8e4c67ea](https://422665050-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MhIB0bSr6nOBfTiANqT-2910905616%2Fuploads%2Fh8mipVuJTakoLC6XmzfU%2FRef%20Finance%20Security%20Audit-1.pdf?alt=media&token=cf0398d1-97d5-4367-9776-07bc8e4c67ea)\n\nPayouts are handled by the __Ref Finance__ team directly and are denominated in USD. However, payouts are done in __USDT__, __USDC__, __NEAR__, __wNEAR__ or __REF__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT, USDC, NEAR, wNEAR or REF","slug":"reffinance","tenPercentEconomicRule":false,"updatedDate":"2026-02-09T17:37:12.715Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Ref Finance is a community-led, multi-purpose DeFi platform built on NEAR Protocol. 
Ref takes full advantage of NEAR’s low fees, one-to-two second finality, and WebAssembly-based runtime (hello, Rust smart contracts!).","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - Issues related to the frontend without concrete impact and PoC\n  - Best practices issues without concrete impact and PoC","customProhibitedActivities":[],"impacts":[{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":2660,"type":"smart_contract","severity":"high","title":"Direct theft of any user funds (with value > $5,000 and < $250,000), whether at-rest or in-motion"},{"id":2661,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (including unclaimed yield) for any amount of time"},{"id":2665,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds (with value > $250,000), whether at-rest or in-motion, other than unclaimed yield"},{"id":2666,"type":"smart_contract","severity":"critical","title":"Permanent freezing of user funds (with value > $250,000)"},{"id":2667,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":2659,"type":"smart_contract","severity":"low","title":"Smart contract fails to work correctly, but doesn’t lose value"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due 
to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":5272,"type":"smart_contract","severity":"low","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"}],"rewards":[{"id":40259,"severity":"critical","assetType":"smart_contract","maxReward":250000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":40260,"severity":"high","assetType":"smart_contract","fixedReward":30000,"rewardModel":"fixed"},{"id":40261,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":40262,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1DP5A7i6w23bCRBNv4iMkc","url":"https://basescan.org/address/0x93e5260Ac975B475aF8BF818c14DEEE7fEfd5927","type":"smart_contract","addedAt":"2025-05-01T06:09:29.870Z","revision":0,"description":"YO Multisig","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2aOcDhMFd1khXV73R9VP3m","url":"https://basescan.org/address/0x3a43aec53490cb9fa922847385d82fe25d0e9de7","type":"smart_contract","addedAt":"2025-05-01T06:09:51.137Z","revision":0,"description":"yoETH vault proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Pog845i5sAJjsZV6Cx0ZS","url":"https://basescan.org/address/0xbCbc8cb4D1e8ED048a6276a5E94A3e952660BcbC","type":"smart_contract","addedAt":"2025-05-01T06:10:42.367Z","revision":0,"description":"yoBTC vault proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5b8iBHAyeMJBOFgHOc4ZKy","url":"https://basescan.org/token/0x0000000f2eb9f69274678c76222b35eec7588a65","type":"smart_contract","addedAt":"2025-08-22T00:03:29.559Z","revision":0,"description":"yoUSD vault 
proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Yn1wHhhWLthb9N3M4NFvH","url":"https://basescan.org/address/0xfd62e454a75357b039fed34a0c92b60ef115c713#code","type":"smart_contract","addedAt":"2025-08-22T00:00:48.522Z","revision":0,"description":"yoVaults implementation contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5qForazU0aBEdDYEek7GcU","url":"https://basescan.org/address/0xF1EeE0957267b1A474323Ff9CfF7719E964969FA","type":"smart_contract","addedAt":"2025-08-22T00:01:54.782Z","revision":0,"description":"YOGateway proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"b6PV4B9SmZEf31xYTOyL3","url":"https://basescan.org/address/0x0cf9a84bb9e916229f3037dc079ef418b97bb0cf#code","type":"smart_contract","addedAt":"2025-08-22T00:02:15.398Z","revision":0,"description":"YOGateway implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3kb5TKO0tvGuheYnaCdGK8","url":"https://www.yo.xyz/","type":"websites_and_applications","addedAt":"2025-05-01T06:10:53.309Z","revision":0,"description":"YO website","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4JjoBN55fv7KC8HavRYZ40","url":"https://app.yo.xyz","type":"websites_and_applications","addedAt":"2025-07-07T08:17:07.863Z","revision":0,"description":"YO application","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98750","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"98774","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-05-05T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4tiXVdfiMqdRMuuLMVDjsc/f048a90f465a4625784d6d7acb1c8ebb/Screenshot_2025-04-30_at_09.50.39.png","maxBounty":10000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities are prioritized according to impact and/or severity.","productType":["Yield Aggregator","Asset Management"],"programOverview":"YO (Yield Optimizer) is a DeFi protocol that helps you easily boost your crypto earnings without the hassle. It automatically moves your funds across the best-performing pools no matter the blockchain, so you’re always getting the highest risk-adjusted yield. \n\nYO leverages Exponential.fi's trusted Risk Ratings to smartly balance risks and reward—so you don’t have to spend time managing risk yourself. YO is fully decentralized, meaning you’re always in control of your assets from your own wallet. If you want a simple, secure way to earn more from your crypto, YO’s got you covered.\n\nFor more information about YO Protocol, please visit [https://www.yo.xyz/](https://www.yo.xyz/).\n\nYO Protocol provides rewards in USDC on Base, denominated in USD. 
For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__\n\nYO Protocol will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Copy of Passport or other Government issued ID\n\n\n- Security auditors that directly or indirectly participated in the audit review\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nYO Protocol adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n- Website & Application  —  Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nYO Protocol’s completed audit reports can be found at [https://docs.yo.xyz](https://docs.yo.xyz). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications"],"project":"YO Protocol","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 10 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 5 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical web/apps bugs, reports will be rewarded with USD 5 000, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 1000. 
The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 2 000 to USD 4 000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the YO Protocol team directly and are denominated in USD. 
However, payments are done in USDC on Base.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"yo-protocol","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:03:28.891Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_2","description":"YO (Yield Optimizer) is a DeFi protocol that helps you easily boost your crypto earnings without the hassle. It automatically moves your funds across the best-performing pools no matter the blockchain, so you’re always getting the highest risk-adjusted yield.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":5515,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (for at least 24 hours)"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed 
royalties"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying 
transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet 
interaction"}],"rewards":[{"id":34480,"severity":"critical","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":34481,"severity":"high","assetType":"smart_contract","maxReward":4000,"minReward":2000,"rewardModel":"range"},{"id":34482,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":34483,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":34484,"severity":"critical","assetType":"websites_and_applications","maxReward":5000,"minReward":1500,"rewardModel":"range"},{"id":34485,"severity":"high","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"5RL34psw18fMtpo8NPcEXm","url":"https://basescan.org/address/0x6e3e0fe13dae2c42cca7ae2e849b0976e2e63e05","type":"smart_contract","addedAt":"2024-09-16T11:53:06.027Z","revision":0,"description":"DepositBatch","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3CUIS8muWgTvUI7NQOcJJe","url":"https://basescan.org/address/0xe4e23120a38c4348d7e22ab23976fa0c4bf6e2ed","type":"smart_contract","addedAt":"2024-09-16T11:53:47.931Z","revision":0,"description":"DepositManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"64CjFfQUmVUzy2epkq8mBl","url":"https://basescan.org/address/0xaead7d9202f3efb73657ca031f645c6b46cfe177","type":"smart_contract","addedAt":"2024-09-16T11:54:34.479Z","revision":0,"description":"WithdrawBatch","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"21ductzNlr8rRmvh149GUw","url":"https://basescan.org/address/0xa9452eaf5aa440790e6ca90e38c10b40fb611e59","type":"smart_contract","addedAt":"2024-09-16T11:55:23.774Z","revision":0,"description":"WithdrawManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2ypR7u1CJsuroWk4GjCMrG","url":"https://basescan.org/address/0x6ec2a3a88a72943d2e87ed05cdf25914983ab7f6","type":"smart_contract","addedAt":"2024-09-16T11:55:40.391Z","revisi
on":0,"description":"EnsoHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2XyyjOhFU0J4wencvNDga2","url":"https://basescan.org/address/0x3475dd4b852baf51279a463f0e5f38e5aed2e784","type":"smart_contract","addedAt":"2024-09-16T11:57:03.307Z","revision":0,"description":"BasePortfolioAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3bG6yyLlr5wKmHQBg7uk5f","url":"https://basescan.org/address/0x4f69982392ba29e98c62b07482be190301d12ca7","type":"smart_contract","addedAt":"2024-09-16T11:57:32.102Z","revision":0,"description":"BaseTokenExclusionManagerAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5pZZuf20wTJqQ9OZLn0DWO","url":"https://basescan.org/address/0x0827cf431c2f2a4f12584fddb6f01ab0e26ccbe0","type":"smart_contract","addedAt":"2024-09-16T11:59:48.271Z","revision":0,"description":"BaseRebalancingAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"72YGfhX2wPmfsK4jGnpfxr","url":"https://basescan.org/address/0x17e14a8bc2380096f9e9eafea47fe1015502a09d","type":"smart_contract","addedAt":"2024-09-16T12:00:20.192Z","revision":0,"description":"BaseAssetManagementConfigAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"IyRr8H6lry5zb8PDJmKBf","url":"https://basescan.org/address/0xc05d2e4bbe442172c649faa1fdc503e627062bd3","type":"smart_contract","addedAt":"2024-09-16T12:00:46.654Z","revision":0,"description":"FeeModuleImplementationAddress","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3nNAJLu6vbUNVZ4NXUwrcn","url":"https://basescan.org/address/0xf93659fb357899e092813bc3a2959ceDb3282a7f","type":"smart_contract","addedAt":"2024-09-16T12:01:22.595Z","revision":0,"description":"PortfolioFactory","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"SC55oJNVKlitYxuUZNp0F","url":"https://basescan.org/address/0x0490A477e4fc96392bDf1e2846E3230A1263a5D2","type":"smart_contract","addedAt":"2024-09-16T12:02:21.767Z","revision":0,"description":"ProtocolConfig","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id
":"1wMtjkyZXyBWpIX5DVblUe","url":"https://basescan.org/address/0x608e93ad410f3e3288dfc1a60446925a0fcf967e","type":"smart_contract","addedAt":"2024-09-16T12:02:45.244Z","revision":0,"description":"PriceOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98724","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2024-09-05T21:23:24.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5GovZHnyLiccbBurf4U2im/8f1fb7c9a835c6939d0fc7d6b3e2ae70/velvet.png","maxBounty":10000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Asset Management"],"programOverview":"Velvet.Capital is a DeFi Asset Management protocol that helps launch & manage on-chain funds and structured products. Users can launch their own tokenized fund or access existing ones created by world-class managers and influencers.\n\nFor more information about Velvet, please visit [https://www.velvet.capital/](https://www.velvet.capital/)\n\nVelvet provides rewards in __USDC__, denominated in __USD__. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n__Primacy of Impact vs Primacy of Rules__\n\nVelvet adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nVelvet’s completed audit reports can be found at [https://github.com/Velvet-Capital/audits](https://github.com/Velvet-Capital/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Velvet has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart 
Contract"],"project":"Velvet Capital V2","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is __10%__ of the funds directly affected up to a maximum of __USD 51 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD 10 000__ is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. 
This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if they go unaddressed.\n\n__Reward Payment Terms__\n\nPayouts are handled by the __Velvet__ team directly and are denominated in __USD__. However, payments are done in __USDC__.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"velvet-capital-v2","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:03:33.375Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Velvet.Capital is a DeFi Asset Management protocol that helps launch & manage on-chain funds and structured products. Users can launch their own tokenized fund or access existing ones created by world-class managers and influencers.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":5091,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for more than 24 hours"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":5092,"type":"smart_contract","severity":"medium","title":"Theft Gas"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":3997,"severity":"high","assetType":"smart_contract","maxReward":5000,"minReward":3000,"rewardModel":"range"},{"id":3998,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":8137,"severity":"critical","assetType":"smart_contract","maxReward":10000,"minReward":7000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"2lFJWE0nlcGqlOlIn9vl36","url":"https://bscscan.com/address/0x4DCdeBc14c8e3A1dc499976fe57a16162045eFBd","type":"smart_contract","addedAt":"2023-12-13T20:15:00.762Z","revision":0,"description":"IndexSwapLibrary","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2KHQulJyT0m2unHguu9K6L","url":"https://bscscan.com/address/0x0Fb11066768e7775e1b9dAC3C6022F17D893853f","type":"smart_contract","addedAt":"2023-12-13T20:15:15.187Z","revision":0,"description":"FeeLibrary","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5T4skalGfgJC01glDJ8W0r","url":"https://bscscan.com/address/0x2606ac7e68044245282643202A391d82D6650b3B","type":"smart_contract","addedAt":"2023-12-13T20:15:31.752Z","revision":0,"description":"RebalanceLibrary","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7xBhmEnKf5yKsc9ejzokDn","url":"https://bscscan.com/address/0x1d2bA92e2227377fCD3c047CCdF1D4389c98f29B","type":"smart_contract","addedAt":"2023-12-13T20:15:51.953Z","revision":0,"description":"OffChainRebalance","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7M10WgJ0ORJP0B0S9QuY0A","url":"https://bscscan.com/address/0x8133c0f5414950e3ecd3870732A38D4c3510BdeE","type":"smart_contract","addedAt":"2023-12-13T20:16:39.698Z","revision":0,"description":"RebalanceAggregator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3VxM3YL203gqv31DKZJSlZ","url":"https://bscscan.com/address/0xA1c283f1C9C3A70378160434B37e79635aAB52Bf","type":"smart_contract","addedAt":"2023-12-13T20:16:55.301Z","revision":0,"description":"Exchange","isSafeHarbor":false,"isPrimacyOfImpact":false},
{"id":"4PjPZf9DmCPDCOBHriBQ2o","url":"https://bscscan.com/address/0x80EF871da875Bebe6D9F04aEb9eA883d00192636","type":"smart_contract","addedAt":"2023-12-13T20:17:20.260Z","revision":0,"description":"IndexSwap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6P65iyd7O2NBswx1t9dDTI","url":"https://bscscan.com/address/0xdbA97FF0dc7ddDB8c42Dc50DCD151F2E95978ae6","type":"smart_contract","addedAt":"2023-12-13T20:17:33.079Z","revision":0,"description":"Rebalancing","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"cSdlS3B5CZlOaCKK1ZTug","url":"https://bscscan.com/address/0x433879587EC11845ACE71C9c4061DeDa7a6d17Be","type":"smart_contract","addedAt":"2023-12-13T20:17:46.427Z","revision":0,"description":"AssetManagerConfig","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4ZUEdBiXCq55g4XHf5VeRy","url":"https://bscscan.com/address/0x3bD9A49283F059b3faa7DdBD7515e2E82dce02b1","type":"smart_contract","addedAt":"2023-12-13T20:17:59.625Z","revision":0,"description":"FeeModule","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3vu9buZvxFi4tB4s15I9EF","url":"https://bscscan.com/address/0x577d56b755f5904184abE5792477a57f9CE37463","type":"smart_contract","addedAt":"2023-12-13T20:18:12.657Z","revision":0,"description":"OffChainIndexSwap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2E2ty5hyCny0qFvzZNPwmV","url":"https://bscscan.com/address/0xf68e38906DD101f0617A6fB4A0FA25694620C013","type":"smart_contract","addedAt":"2023-12-13T20:18:25.229Z","revision":0,"description":"VelvetSafeModule","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"YEylFDrAIM8mFN42EqNSc","url":"https://bscscan.com/address/0xC2f2Bf0c228714d038c2495343224c0d9199cC82","type":"smart_contract","addedAt":"2023-12-13T20:18:41.146Z","revision":0,"description":"PriceOracle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7gYTY9jMli0adZPrWEOCRo","url":"https://bscscan.com/address/0x5c2Cd133c766ea78F7BEA635fcfFff3191bD5F56","type":"smart_contract","addedAt":"2023-12-13T20:18:52.891
Z","revision":0,"description":"PancakeSwapHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2t6Jtrwq5DQ1YiSU6pboSx","url":"https://bscscan.com/address/0x74003BD2bDB88EE4D6b55F88FB88616686a6f214","type":"smart_contract","addedAt":"2023-12-13T20:19:08.653Z","revision":0,"description":"BaseHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3tXuUMxJYaEJO6xV90KBrH","url":"https://bscscan.com/address/0x9AFC0716beAEe8a7632df4bdbE14C27055145aC7","type":"smart_contract","addedAt":"2023-12-13T20:19:22.255Z","revision":0,"description":"VenusHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"67z30GokiHMYYg8T1rfs2s","url":"https://bscscan.com/address/0x26Ae500eDcE7c7a9F00007fCeF026062E10E9FE1","type":"smart_contract","addedAt":"2023-12-13T20:19:39.363Z","revision":0,"description":"PancakeSwapLPHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2KXq1BjciGCXDaN9UoZq8e","url":"https://bscscan.com/address/0x9B85c8D03E082365AB48230761BFaD28D4e45B37","type":"smart_contract","addedAt":"2023-12-13T20:19:55.169Z","revision":0,"description":"BiSwapLPHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5Hg2FwE5Asyy8tKDNp1QxJ","url":"https://bscscan.com/address/0xb0a7f3da89634F31E904a369F83241744B5c2a7d","type":"smart_contract","addedAt":"2023-12-13T20:20:07.858Z","revision":0,"description":"ApeSwapLPHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1Kdo05v68XiIcAhvpBTh4j","url":"https://bscscan.com/address/0xD9528E3Ca04A9dd0cC6515Af69B7958eB3b6E248","type":"smart_contract","addedAt":"2023-12-13T20:20:24.599Z","revision":0,"description":"WombatHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1LdNdoi1mBiPpSEX6yrYYw","url":"https://bscscan.com/address/0x8DF80904404010a5B8C767236f2d8671e1d5250D","type":"smart_contract","addedAt":"2023-12-13T20:20:41.746Z","revision":0,"description":"ApeSwapLendingHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3tSHxSYrsQY3BQIB2drrGT","url":"https://bscs
can.com/address/0x5Dec110904701E1888ff740362231f735b4D0487","type":"smart_contract","addedAt":"2023-12-13T20:20:59.791Z","revision":0,"description":"BeefyLPHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"49Q3beJ3Jdp8fPW7Qe8eUH","url":"https://bscscan.com/address/0x87279059F6c600D894579A6EF6B87e8Df14E4779","type":"smart_contract","addedAt":"2023-12-13T20:21:14.669Z","revision":0,"description":"BeefyHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"542XO5g4iv2MSbIqP0TC7N","url":"https://bscscan.com/address/0x5d3405Db3A16Cd9C545DBac651ab5D9456C14B73","type":"smart_contract","addedAt":"2023-12-13T20:21:30.114Z","revision":0,"description":"ZeroExHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6OCXiZQr0hdhRtXFPxHcV","url":"https://bscscan.com/address/0xe776BAa635d7FA9D2a62371A180895F016eD4045","type":"smart_contract","addedAt":"2023-12-13T20:21:48.623Z","revision":0,"description":"OneInchHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1H0JvNUGCE9sFiN1bMD0Nw","url":"https://bscscan.com/address/0x4Dc08588a95244DF46ADd6b274079d99Bf521d57","type":"smart_contract","addedAt":"2023-12-13T20:22:05.686Z","revision":0,"description":"ParaswapHandler","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"B336c0vp4I8m7I3yQHbZd","url":"https://bscscan.com/address/0xB9669646EBb93A03dB67CC05f2894487C9923775","type":"smart_contract","addedAt":"2023-12-13T20:22:17.479Z","revision":0,"description":"ERC1967Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5VsHXYfiI0RHp594nnFRsJ","url":"https://bscscan.com/address/0xE61472Ce45e559830ECF12F6a215Cd732F4D798B","type":"smart_contract","addedAt":"2023-12-13T20:22:30.602Z","revision":0,"description":"ERC1967Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6IZCPr4OCuz2fKcGqCCFwR","url":"https://bscscan.com/address/0xb0e7a890ae4351bd0bc8e3e6ebec4525f3edf171#code","type":"smart_contract","addedAt":"2024-01-30T14:13:44.808Z","revision":0,"description":"New 
IndexSwap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ia66tMarqGAqoXx8KqBX7","url":"https://bscscan.com/address/0xd21d51E9BB8aF5De3dbacc519dc73DCD95a7c036","type":"smart_contract","addedAt":"2024-01-30T14:13:56.626Z","revision":0,"description":"New OffChainRebalance","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98719","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":[],"launchDate":"2023-12-15T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4fNtrMshK2BRjG0W6Iez6i/bd85f8f23f50089eeae19d9502755b09/tYpL6jGL_400x400.png","maxBounty":51000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Asset Management"],"programOverview":"Velvet.Capital is a DeFi Asset Management protocol that helps launch & manage on-chain funds and structured products. Users can launch their own tokenized fund or access existing ones created by world-class managers and influencers.\n\nFor more information about Velvet, please visit [https://www.velvet.capital/](https://www.velvet.capital/)\n\nVelvet provides rewards in __USDC__, denominated in __USD__. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nVelvet adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see[ Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Previous Audits__\n\nVelvet’s completed audit reports can be found at [https://github.com/Velvet-Capital/audits.](https://github.com/Velvet-Capital/audits) Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Velvet has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Smart 
Contract"],"project":"Velvet Capital","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the[ Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is __10%__ of the funds directly affected up to a maximum of __USD 51 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD 10 000__ is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. 
This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if they go unaddressed.\n\n__Reward Payment Terms__\n\nPayouts are handled by the __Velvet__ team directly and are denominated in __USD__. However, payments are done in __USDC__.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"velvetcapital","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:01:36.558Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Velvet.Capital is a DeFi Asset Management protocol that helps launch & manage on-chain funds and structured products. Users can launch their own tokenized fund or access existing ones created by world-class managers and influencers.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":4689,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for more than 24 hours"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":6791,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":1500,"rewardModel":"range"},{"id":6792,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":8350,"severity":"critical","assetType":"smart_contract","maxReward":51000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"4RGyCkYmTZPl211a19u33l","url":"https://github.com/scroll-tech/usx-contracts/tree/main/src","type":"smart_contract","addedAt":"2025-10-24T09:47:25.564Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4jwzzenNJaLiBiM3pwxCpo","url":"https://scrollscan.com/address/0xcb14bcdf6cd483665d10dfd6f87d908996c7f922","type":"smart_contract","addedAt":"2025-11-14T19:39:36.158Z","revision":0,"description":"StakedUSX","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"suNaU6wnbDAZbpbFgcoFF","url":"https://scrollscan.com/address/0xd16909ecc9c71d481ee3b2cb1968c0dadcf0d300","type":"smart_contract","addedAt":"2025-11-14T19:39:53.580Z","revision":0,"description":"AssetManager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5N5anvm6YFm0IZMMimrGrr","url":"https://scrollscan.com/address/0x3b005fefc63ca7c8d25ee21fba3787229ba4cf03","type":"smart_contract","addedAt":"2025-11-14T19:40:07.133Z","revision":0,"description":"USX","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5YcVT7iTw27zu1ybsScdhx","url":"https://scrollscan.com/address/0x9f3d4b0c9e930ca3957ecd3dedb7417f8e0e4c35","type":"smart_contract","addedAt":"2025-11-14T19:40:24.425Z","revision":0,"description":"TreasuryDiamond","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4okj3WbUCrvOZG26yTMEIs","url":"https://www.usx.capital/home","type":"websites_and_applications","addedAt":"2025-10-24T09:47:25.562Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98743","url":"https://immunefi.com/","type":"smart_contract","addedAt"
:"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"98728","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Scroll"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2025-11-17T00:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2lRBH26pAxocnsiynpY6aR/c5b94993ba8acacf4f6dc114ec09e9a5/q0bTg-11_400x400_Small.png","maxBounty":100000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Stablecoin"],"programOverview":"USX is a fully collateralized neodollar developed by Scroll, designed to merge the best of traditional finance (TradFi) and decentralized finance (DeFi) to deliver stable, sustainable rewards. Unlike conventional stablecoins, USX introduces a new paradigm — it is private, gasless, and spendable in real life. This is made possible through Cloak, Scroll’s privacy layer, along with chain- level customizations and integrated payment partners.\n\nFor more information about USX, please visit https://www.usx.capital/.\n\nUSX provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n\n__KYC Requirement__\n\nUSX will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nUSX adheres to the Primacy of Impact for the following impacts:\nSmart Contract  —  Critical\nSmart Contract  —  High\nSmart Contract  —  Medium\nWebsite & Application  —  Critical\nWebsite & Application  —  High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.","programType":["Smart Contract","Websites and Applications"],"project":"USX","projectType":["Defi"],"rewardsBody":"__Rewards by Threat Level__\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). 
\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $50,000  is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical web/apps bugs, reports will be rewarded a flat amount of $5,000. The rest of the severity levels are paid out according to the Impact in Scope table.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. \n- The amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every [1800 blocks] the attack needs for subsequent attacks from the first attack, rounded down.\n\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of $5,000 to $10,000 with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward.\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward.\n\n\n__Reward Payment Terms__\n\nPayouts are handled by the USX team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"usx","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:01:18.373Z","impactsBody":null,"websiteUrl":"https://www.usx.capital/home","githubUrl":"https://github.com/scroll-tech/usx-contracts/tree/main/src","eligibilityCriteria":["no_auditor","no_employee","no_ofac_sdn"],"responsiblePublicationCategory":"category_2","description":"USX is a fully collateralized neodollar developed by Scroll, designed to merge the best of traditional finance (TradFi) and decentralized finance (DeFi) to deliver stable, sustainable rewards.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user 
funds"}],"rewards":[{"id":38294,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":1},{"id":38295,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":38296,"severity":"medium","assetType":"smart_contract","fixedReward":3000,"rewardModel":"fixed"},{"id":38297,"severity":"critical","assetType":"websites_and_applications","maxReward":5000,"rewardModel":"up_to"}],"audits":[{"id":"20M3qI37wjj3XODw4wotvl","url":"https://3601501210-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdTt60r5om0G1pRfwMApK%2Fuploads%2F6rf6tkbaggWN6AQ73SzA%2FUSX%20-%20Zellic%20Audit%20Report.pdf?alt=media&token=c986f8ab-c581-4dab-9bb3-4c9d9d22552a","auditor":"Zellic","date":"2025-10-01T00:00:00.000Z"}]},{"assets":[{"id":"jFzw1MIvt9yOvXeqgkLXq","url":"https://arbiscan.io/address/0x1546B2aE60a2aDe3F8F1a9276c198e8f52212c05","type":"smart_contract","addedAt":"2024-01-04T16:38:14.010Z","revision":0,"description":"TeaVaultV3Pair_USDs-USDC.e_arbitrum 
","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"DkM4oAZPMTb3WR8oL4jLn","url":"https://arbiscan.io/address/0x433821D0653548482Fa22479721db15fbcf303a3","type":"smart_contract","addedAt":"2024-01-04T16:38:27.897Z","revision":0,"description":"TeaVaultV3Pair_WBTC-WETH_arbitrum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4FjOfun7P7A7DxdszzqyyB","url":"https://arbiscan.io/address/0x99c2901d2883F8D295A989544f118e31eC21823e","type":"smart_contract","addedAt":"2024-01-04T16:38:42.126Z","revision":0,"description":"TeaVaultV3Pair_wstETH-WETH001_arbitrum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"38O02eIbuQtqbGeXV9DkaA","url":"https://arbiscan.io/address/0xB38e48B8Bc33CD65551BdaC8d954801D56625eeC","type":"smart_contract","addedAt":"2024-01-04T16:38:58.944Z","revision":0,"description":"TeaVaultV3Pair_wstETH-WETH03_arbitrum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3s7awY8NKFwDtnsbb8pJny","url":"https://arbiscan.io/address/0xB9Fe0EC178163a66f2BAf8eD97E057964cCaE876","type":"smart_contract","addedAt":"2024-01-04T16:39:21.954Z","revision":0,"description":"TeaVaultV3Pair_USDC-USDC.e_arbitrum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"29DO7RMk9tFW9s2MC7e8iL","url":"https://bobascan.com/address/0x07811284e36fDc45f65cd56FC7c6929855d6A0cc","type":"smart_contract","addedAt":"2024-01-04T16:39:36.397Z","revision":0,"description":"TeaVaultV3Pair_USDC-BOBA_boba","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"PXGdJ91U2woAefy0zhW46","url":"https://bobascan.com/address/0x216d3e7520B09605B7c4243b59aD02Cc6E052F52","type":"smart_contract","addedAt":"2024-01-04T16:39:51.654Z","revision":0,"description":"TeaVaultV3Pair_USDC-WETH_boba","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1z20KpEMEbCp1th7HiYltW","url":"https://bobascan.com/address/0xB67A8Af68207cceEaD014b6ceFA3Fc40BfBBBD0e","type":"smart_contract","addedAt":"2024-01-04T16:40:06.805Z","revision":0,"description":"TeaVaultV3Pair_WBTC-WETH_boba","isSafeHarbor":false,"is
PrimacyOfImpact":false},{"id":"xiXPeo4Mwj632RHRNAs8A","url":"https://optimistic.etherscan.io/address/0x199044E2799cf9099B1d84B29A09f8ff23D00391","type":"smart_contract","addedAt":"2024-01-04T16:40:21.684Z","revision":0,"description":"TeaVaultV3Pair_USDC-USDC.e_optimism","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6YMI2ybAfTvzBGfc0aZPIG","url":"https://optimistic.etherscan.io/address/0xF31900132dFf544Cfe536e76C38a357FF08183D9","type":"smart_contract","addedAt":"2024-01-04T16:40:37.409Z","revision":0,"description":"TeaVaultV3Pair_USDC-sUSD_optimism","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5vlADeeP2A7PI2c3kIrWMl","url":"https://polygonscan.com/address/0x1546B2aE60a2aDe3F8F1a9276c198e8f52212c05","type":"smart_contract","addedAt":"2024-01-04T16:40:52.499Z","revision":0,"description":"TeaVaultV3Pair_USDC-agEUR_polygon","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2OAZoFylAQo5cn4GYmp6ll","url":"https://mantlescan.info/address/0x878aD0bD8DB80A8C6Cc650EdEEd4B9941b571c5F","type":"smart_contract","addedAt":"2024-01-04T16:41:08.554Z","revision":0,"description":"TeaVaultV3Pair_USDC-USDT_mantle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1FJHbYPNVjCKSUrlDi3I5F","url":"https://mantlescan.info/token/0xF31900132dFf544Cfe536e76C38a357FF08183D9","type":"smart_contract","addedAt":"2024-03-20T14:52:15.165Z","revision":0,"description":"TeaVaultV3Pair_WMNT-mETH_mantle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4aalmRdYUSdghApEGnSGic","url":"https://mantlescan.info/token/0x84Bb4EE4a01237673968e8A3fB05E5E6E8690153","type":"smart_contract","addedAt":"2024-03-20T14:52:30.901Z","revision":0,"description":"TeaVaultV3Pair_mETH-WETH_mantle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"xfZee597FG6V4fnCvGrW2","url":"https://mantlescan.info/token/0x160d2E89bCe037559561d378021df9A93E2a70eC","type":"smart_contract","addedAt":"2024-03-20T14:52:46.596Z","revision":0,"description":"TeaVaultV3Pair_USDC-WETH_mantle","isSafeHarbor":false
,"isPrimacyOfImpact":false},{"id":"aBEKb3e5YuujnO2prNdoM","url":"https://mantlescan.info/token/0x07811284e36fDc45f65cd56FC7c6929855d6A0cc","type":"smart_contract","addedAt":"2024-03-20T14:53:01.546Z","revision":0,"description":"TeaVaultV3Pair_USDC-WMNT_mantle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2m6qPf3rUoGxdVZawptd5e","url":"https://arbiscan.io/address/0xf9b099f8EebCC675B63E4f0a4657c10F246af77A","type":"smart_contract","addedAt":"2024-03-20T14:53:18.748Z","revision":0,"description":"TeaVaultV3Port_Beta+LongStrategy_arbitrum","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1kPpUrm3mMiIW43Cm3cM51","url":"https://explorer.mantle.xyz/address/0xC96b4dD06A514Ea8aeFc93394bB05Aa6ba7B5FaC","type":"smart_contract","addedAt":"2024-05-21T15:42:57.255Z","revision":0,"description":"TeaVaultV3Port_Beta+LongStrategy_mantle","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3aDw0jVV94ujqJkgVajkxb","url":"https://bscscan.com/address/0x57c99087FD5daDe38E25e1033e69FEb0CCEa0823","type":"smart_contract","addedAt":"2024-05-21T15:43:14.867Z","revision":0,"description":"TeaVaultV3Pair_ETH-WBNB_bsc_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1cyyZLoghqfL7U0sKiYjDC","url":"https://bscscan.com/address/0x462119b19070F9E682d8d76bc04cc0bbe45f3c2F","type":"smart_contract","addedAt":"2024-05-21T15:43:33.107Z","revision":0,"description":"TeaVaultV3Pair_USDT-BTCB_bsc_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6vnCR87NZfezMdVyBNaHqY","url":"https://bscscan.com/address/0x94975306325A3bD643C971BE836C7f04121c8ee0","type":"smart_contract","addedAt":"2024-05-21T15:43:52.455Z","revision":0,"description":"TeaVaultV3Pair_USDT-USDC_bsc_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4rWU5UE9Hp7PdkQdQwPlDn","url":"https://bscscan.com/address/0x5dC3aa958cBF6656044b63BC9A051eEdfb78b9Ac","type":"smart_contract","addedAt":"2024-05-21T15:44:08.290Z","revision":0,"description":"TeaVaultV3Pair_USDT-WBNB_bsc_Oku","isSafeHarbor":false,"isPrimac
yOfImpact":false},{"id":"526EIPECABYXB2KDTYEuiO","url":"https://bscscan.com/address/0x42536cb019FF8A8eAcE72a008e01d3f4Ce53679f","type":"smart_contract","addedAt":"2024-05-21T15:44:25.329Z","revision":0,"description":"TeaVaultV3Pair_ETH-USDT_bsc_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6ufIWfaMGZ47EY9eRja5Gq","url":"https://bscscan.com/address/0xB64Ba2A7613D8250FB9a94df6667B7b8a893c7F6","type":"smart_contract","addedAt":"2024-05-21T15:44:41.834Z","revision":0,"description":"TeaVaultV3Pair_ETH-BTCB_bsc_Pancakeswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1DRX9Cmg7RewskkHuRLhJ5","url":"https://scrollscan.com/address/0xA21eF834861734763938F33A73B3e576AaAf8db2","type":"smart_contract","addedAt":"2024-05-21T15:44:56.816Z","revision":0,"description":"TeaVaultV3Pair_USDC-USDT_scroll_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6XsJ4KUWizC6NGgzBKGSH8","url":"https://scrollscan.com/address/0x8f11DB35891C055434D0eB17F87a129421CB02F6","type":"smart_contract","addedAt":"2024-05-21T15:45:12.472Z","revision":0,"description":"TeaVaultV3Pair_USDC-UNI_scroll_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"485cSFtYcuwgBDhM2TiXqT","url":"https://scrollscan.com/address/0xa4239736Bfc8FDA7A90635F4c649EF4F8A1211F0","type":"smart_contract","addedAt":"2024-05-21T15:45:28.237Z","revision":0,"description":"TeaVaultV3Pair_UNI-WETH_scroll_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3VU3Rw1WSb2Z2uy69Q2vNn","url":"https://scrollscan.com/address/0xbB4ce34c3F6731103f474E204445eB830E627F1F","type":"smart_contract","addedAt":"2024-05-21T15:45:44.215Z","revision":0,"description":"TeaVaultV3Pair_WBTC-WETH_scroll_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2Bzg0onq2SoJE6g9OQUxlA","url":"https://scrollscan.com/address/0xA1E291AD62f34Ef3286156A57E9b45AAEFDfF81A","type":"smart_contract","addedAt":"2024-05-21T15:45:59.870Z","revision":0,"description":"TeaVaultV3Pair_USDC-WETH_scroll_Oku","isSafeHarbor":false,"isPrima
cyOfImpact":false},{"id":"28GtJRtIjFqxjOTG6Bo1ah","url":"https://basescan.org/address/0x66aDcF8A434a22b825074E67486A138A30b3478b","type":"smart_contract","addedAt":"2024-05-21T15:46:15.822Z","revision":0,"description":"TeaVaultV3Pair_WETH-USDC_base_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2iFmQutBe7PWbAuqEOXwTo","url":"https://basescan.org/address/0xB38e48B8Bc33CD65551BdaC8d954801D56625eeC","type":"smart_contract","addedAt":"2024-05-21T15:46:31.266Z","revision":0,"description":"TeaVaultV3Pair_USDC-USDT_base_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5QJOnWTZocgFjVhK8FGFRx","url":"https://basescan.org/address/0xB0412D2baB1c5d396d9a52F1A2aCDB58C82a14f0","type":"smart_contract","addedAt":"2024-05-21T15:46:46.649Z","revision":0,"description":"TeaVaultV3Pair_cbETH-WETH_base_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"37LTof4SuHj2V2J58hVfrT","url":"https://basescan.org/address/0x9cD73d12dF1DB78EcffD1519c240a5512A498ff3","type":"smart_contract","addedAt":"2024-05-21T15:47:01.951Z","revision":0,"description":"TeaVaultV3Pair_WETH-USDT_base_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1peCpu7vfoxqniLxQZxkRl","url":"https://basescan.org/address/0xB38e48B8Bc33CD65551BdaC8d954801D56625eeC","type":"smart_contract","addedAt":"2024-08-28T12:06:31.972Z","revision":0,"description":"TeaVaultV3Pair_USDC-USDT_base_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2LL4VY1zYhBcoBYkpL17SQ","url":"https://basescan.org/address/0xb38e48b8bc33cd65551bdac8d954801d56625eec","type":"smart_contract","addedAt":"2024-08-28T12:06:42.879Z","revision":0,"description":"TeaVaultV3Pair_USDC-USDT_Base_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4uvACPqzv3a9wMEafEFVTi","url":"https://lineascan.build/address/0x7d372Cc969211502D5C3a5721a85fc382f83bC8F","type":"smart_contract","addedAt":"2024-08-28T12:06:52.113Z","revision":0,"description":"TeaVaultV3Pair_WBTC-WETH_Linea_Oku","isSafeHarbor":false,"isPrimacyOfImpact":fa
lse},{"id":"1cLP64YODnNEUy2Fif4Y39","url":"https://lineascan.build/address/0x73d9ccd3017b41e9b29f1e4a49d5468b52bd17c6","type":"smart_contract","addedAt":"2024-08-28T12:07:03.766Z","revision":0,"description":"TeaVaultV3Pair_USDC.e-USDT_Linea_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5LeJ0v5FuSpeyZp5lqyyA0","url":"https://lineascan.build/address/0x172dba015ddfa642a3e3e0e8bab040468d8d9879","type":"smart_contract","addedAt":"2024-08-28T12:07:13.005Z","revision":0,"description":"TeaVaultV3Pair_USDC.e-WETH_Linea_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"25RI7rC3s7680oRXraeC8Q","url":"https://bscscan.com/address/0x5dC3aa958cBF6656044b63BC9A051eEdfb78b9Ac","type":"smart_contract","addedAt":"2024-08-28T12:07:21.476Z","revision":0,"description":"TeaVaultV3Pair_USDT-WBNB_BSC_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6vDAL3OotuHkN1Vvy13o5F","url":"https://bscscan.com/address/0x94975306325a3bd643c971be836c7f04121c8ee0","type":"smart_contract","addedAt":"2024-08-28T12:07:32.099Z","revision":0,"description":"TeaVaultV3Pair_USDT-USDC_BSC_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"UijZBYhteRIwxr2EWw6fK","url":"https://bscscan.com/address/0x462119b19070f9e682d8d76bc04cc0bbe45f3c2f","type":"smart_contract","addedAt":"2024-08-28T12:07:44.652Z","revision":0,"description":"TeaVaultV3Pair_USDT-BTCB_BSC_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7s6Oadjt5oMEBXBJJ0bZ0V","url":"https://bscscan.com/address/0x57c99087fd5dade38e25e1033e69feb0ccea0823","type":"smart_contract","addedAt":"2024-08-28T12:07:57.731Z","revision":0,"description":"TeaVaultV3Pair_ETH-WBNB_BSC_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6PDEiQtEQD9pKbpof0Umqw","url":"https://bscscan.com/address/0x42536cb019ff8a8eace72a008e01d3f4ce53679f","type":"smart_contract","addedAt":"2024-08-28T12:08:06.856Z","revision":0,"description":"TeaVaultV3Pair_ETH-USDT_BSC_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3mw5YGHZ
hUsL5jT7QEKdwA","url":"https://mantlescan.info/address/0xC96b4dD06A514Ea8aeFc93394bB05Aa6ba7B5FaC","type":"smart_contract","addedAt":"2024-08-28T12:08:17.341Z","revision":0,"description":"TeaVaultV3Pair_Beta+ Long Strategy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2JyUj0J4eHd3YjBrrI0PLm","url":"https://lineascan.build/address/0x1adc5e10933b696fa5311db5339f9a15e959e2b5","type":"smart_contract","addedAt":"2024-08-28T12:08:26.311Z","revision":0,"description":"TeaVaultV3Pair_wrsETH-WETH_Linea_NILE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"73YEihpStJpEuINI92eVFq","url":"https://starkscan.co/token/0x075205228ce0db6f47cd442bd5687a081d10cf40b46b4f847e86ae880e228698","type":"smart_contract","addedAt":"2024-08-28T12:08:34.173Z","revision":0,"description":"TeaVaultV3Pair_STRK-USDC_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"ECfnHXAh25YXoSTZciYS7","url":"https://starkscan.co/token/0x0755afc533e7e01b585d715b8dd7300cbce632018daabc4ad6fb144f24308ff5","type":"smart_contract","addedAt":"2024-08-28T12:14:31.213Z","revision":0,"description":"TeaVaultV3Pair_STRK-ETH_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2cbIhDB1W07SB1XdLQXO5D","url":"https://starkscan.co/token/0x005a9ea21b7c8450d6e710bc19fac12003a64dca08160a049b71e5934c129513","type":"smart_contract","addedAt":"2024-08-28T12:14:50.242Z","revision":0,"description":"TeaVaultV3Pair_USDC-USDT_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"35QPF1V0aa2Wrc8ICYJ4Ea","url":"https://starkscan.co/token/0x07d03a029137e8307f2370096a5afaa43ec64971b43cbe0309ff98858d070936","type":"smart_contract","addedAt":"2024-08-28T12:15:08.047Z","revision":0,"description":"TeaVaultV3Pair_ETH-USDC_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6QNy9AbPVFcMPgShFGpR0c","url":"https://starkscan.co/token/0x06b18536837097a755b368ac681ae5ae079fe078e7a825186a9b8ca5584d6992","type":"smart_contract","addedAt":"2024-08-28T12:15:
22.186Z","revision":0,"description":"TeaVaultV3Pair_WBTC-ETH_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"TW6VBwgCjNTjQGxcsNRRY","url":"https://starkscan.co/token/0x069f4f5ce1597fd9900c2fbed64b84edc31b7c563632cdf0e5decc1ff6f42e7c","type":"smart_contract","addedAt":"2024-08-28T12:15:51.281Z","revision":0,"description":"TeaVaultV3Pair_WSTETH-ETH_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6QCWyZwSFLoxHFSsJKaN95","url":"https://starkscan.co/token/0x04b06bbe8fd1fbe0564ad37f1bd37a19078672c4c08507bc5090001119baff3b","type":"smart_contract","addedAt":"2024-08-28T12:16:10.518Z","revision":0,"description":"TeaVaultV3Pair_USDC-DAI(new)_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7dIGpIphKIVvbOO7nO1Cvq","url":"https://starkscan.co/token/0x033cc2ccad8df1386acd3f09d13de371ba71218b20b1e903c89bad31d2114f6b","type":"smart_contract","addedAt":"2024-08-28T12:25:51.543Z","revision":0,"description":"TeaVaultV3Pair_STRK-USDC_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6b4GJsQ9GOlyWd3K4wEIrp","url":"https://arbiscan.io/address/0x902b1e06919ed9a01f9b035f42402b7c48e6e28a","type":"smart_contract","addedAt":"2024-08-28T12:26:12.576Z","revision":0,"description":"TeaVaultV3Pair_USDC-gUSDC_Arbitrum_Ramses","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"31nyo8MlJAZEF4jeTRLylY","url":"https://mantlescan.info/address/0xdf6BFE64838dbdD91960E0E87b8f32e12659af02","type":"smart_contract","addedAt":"2024-08-28T12:26:33.873Z","revision":0,"description":"TeaVaultV3Pair_USDT-aUSD_Mantle_Agni","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4znE1xBYpvNvHi6s3VUKGy","url":"https://starkscan.co/token/0x04be453d6753775b12216a79c7e62af6a074426d977bcba5ec2cc9b44cb7e0b0","type":"smart_contract","addedAt":"2024-08-28T12:26:49.434Z","revision":0,"description":"TeaVaultV3Pair_SWAY-USDC_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1MaKTU0k01wFAr0NwBPMb2","u
rl":"https://mantlescan.info/address/0x3Af73F4991954d8332150B05864947A617283Ec9","type":"smart_contract","addedAt":"2024-08-28T12:27:16.929Z","revision":0,"description":"TeaVaultV3Pair_METH-aUSD_Mantle_Agni","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5EwrXpY1Gpunocd7TTh7fn","url":"https://lineascan.build/address/0x446c3a1a648eea79cc67bc71e0396490f51b4ab1","type":"smart_contract","addedAt":"2024-08-28T12:27:34.246Z","revision":0,"description":"TeaVaultV3Pair_ZERO-WETH_Linea_NILE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Tz1blqpbbCPnxYGMmz6r4","url":"https://lineascan.build/address/0x718e140219a2d1cd76645dfd8c45b16ca08b3454","type":"smart_contract","addedAt":"2024-08-28T12:28:11.352Z","revision":0,"description":"TeaVaultV3Pair_ezETH-WETH_Linea_NILE","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4aFQIrmcZ705pl9oMN3L9S","url":"https://lineascan.build/address/0x7fd6c4ef2d04de0df3e0236c4bd8c787abc74396","type":"smart_contract","addedAt":"2024-08-28T12:28:29.275Z","revision":0,"description":"TeaVaultV3Pair_UNI-WETH_Linea_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"200pHMXbPNIZjzakvidWXQ","url":"https://basescan.org/address/0xd4e10dd0c0e64c5f6eb134e7d2f2d43f82d8dc00","type":"smart_contract","addedAt":"2024-08-28T12:28:45.119Z","revision":0,"description":"TeaVaultV3Pair_WETH-UNI _Base_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2WNPdfEmTJQJlzl6esaHes","url":"https://scrollscan.com/address/0xa4239736bfc8fda7a90635f4c649ef4f8a1211f0","type":"smart_contract","addedAt":"2024-08-28T12:28:59.382Z","revision":0,"description":"TeaVaultV3Pair_UNI-WETH 
_Scroll_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6eTKF93bqgCa0cx9ISxU24","url":"https://scrollscan.com/address/0x8f11db35891c055434d0eb17f87a129421cb02f6","type":"smart_contract","addedAt":"2024-08-28T12:29:24.645Z","revision":0,"description":"TeaVaultV3Pair_USDC-UNI_Scroll_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4KUuGzk5CAjaS4x96kfbDE","url":"https://lineascan.build/address/0xeb564d2a33661b0bb18e5ca64d00ce54c1830959","type":"smart_contract","addedAt":"2024-08-28T12:55:51.452Z","revision":0,"description":"TeaVaultV3Pair_USDC-UNI_Linea_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6YSTitBBioKl0NCXlOeTiL","url":"https://basescan.org/address/0x0f3cc3ea42b989323e7c7e499b5b6a343ea55c18","type":"smart_contract","addedAt":"2024-08-28T12:56:12.660Z","revision":0,"description":"TeaVaultV3Pair_USDC-UNI_Base_Oku","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5JgDHAvAI4yUl4n2QDA3xs","url":"https://mantlescan.info/token/0x6d2c01bA525C8aeD3bd38fC1734ABc4b953832C1","type":"smart_contract","addedAt":"2024-08-28T14:21:21.152Z","revision":0,"description":"TeaVaultV3Pair_METH-WETH_Mantle_Cleopatra","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2N0GgoqrCnbV9pZ4YecDg4","url":"https://mantlescan.info/address/0xfF70aD8e9d8AFAcBa648F4084D267C51993Cc8b9","type":"smart_contract","addedAt":"2024-08-28T14:21:42.501Z","revision":0,"description":"TeaVaultV3Pair_USDT-METH_Mantle_Cleopatra","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"12rAUMpOT6wXVMc5qIr9vF","url":"https://arbiscan.io/address/0xedf7732991B3De8F46fb97dcD4c5CdB28E6aD859","type":"smart_contract","addedAt":"2024-08-28T14:22:07.495Z","revision":0,"description":"TeaVaultV3Pair_ezETH-WETH_Arbitrum_Ramses","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7MkRiFuJnXrOt4mfNmogRo","url":"https://arbiscan.io/address/0x33fcc803298317227f64fed9c05522b33d3b820c","type":"smart_contract","addedAt":"2024-08-28T14:22:52.536Z","revision":0,"description":"TeaVaultV3
Pair_uniETH-WETH_Arbitrum_Ramses","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6SiTlVZGaq7GVS5uZlrvxi","url":"https://mantlescan.info/address/0xdf6BFE64838dbdD91960E0E87b8f32e12659af02","type":"smart_contract","addedAt":"2024-08-28T14:23:10.128Z","revision":0,"description":"TeaVaultV3Pair_USDT-aUSD_Mantle_Cleopatra","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"KljWOxxAZcU0gimJMTdrx","url":"https://mantlescan.info/address/0x3Af73F4991954d8332150B05864947A617283Ec9","type":"smart_contract","addedAt":"2024-08-28T14:23:30.689Z","revision":0,"description":"TeaVaultV3Pair_METH-aUSD_Mantle_Cleopatra","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Ws2r8pKOsHwI6tQGhtOXr","url":"https://optimistic.etherscan.io/address/0xB78810d6B1C21998cdCC67545D6562925C88b38b","type":"smart_contract","addedAt":"2024-08-28T14:23:58.402Z","revision":0,"description":"TeaVaultV3Pair_WBTC-uniBTC_Optimism_Uniswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1ja4awWA9GaTHsAbXVm0m8","url":"https://arbiscan.io/address/0x95a3f11a2b94a7b0088165c4f8a684cd20160220","type":"smart_contract","addedAt":"2024-08-28T14:24:18.381Z","revision":0,"description":"TeaVaultV3Pair_WBTC-tBTC_Arbitrum_Uniswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6kykT6SvoEExJ4SPt9CYQL","url":"https://starkscan.co/token/0x077cf7d8bf8f5a7372626b92d314b4586e868bfad918737f619f089c648c08fd","type":"smart_contract","addedAt":"2024-08-28T14:24:52.576Z","revision":0,"description":"TeaVaultV3Pair_ETH-EKUBO_Starknet_Jediswap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4pzrr9pErev1XfuUi1pwoh","url":"https://scrollscan.com/address/0x13ba218016d5288312B2248cc112e3DD1b67aaa5","type":"smart_contract","addedAt":"2024-08-28T14:25:10.391Z","revision":0,"description":"TeaVaultV3Pair_WETH-wrsETH_Scroll_Nuri","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2GUAZkzHNamDUSZIkjoM1H","url":"https://scrollscan.com/address/0x36a69a13e1ea69827daad78abb66789efc869b12","type":"smart_contrac
t","addedAt":"2024-08-28T14:25:31.176Z","revision":0,"description":"TeaVaultV3Pair_WETH-pufETH_Scroll_Nuri","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98747","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Boba Network","Mantle","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-01-10T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1dkPI5NhB39YcEBvxMw1SO/8a6d4a07a6f58083af0df52ae2d63655/teahouse-meta-image_copy.png","maxBounty":15000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in the scope table.","productType":["Asset Management"],"programOverview":"Teahouse Finance is a multi-strategy DeFi investment platform dedicated to secure and flexible asset management.\n\nTeahouse Finance functions as a simplified layer above DeFi platforms such as Uniswap V3. This approach removes the complexities of managing liquidity and crypto assets, enabling users to deposit and entrust Teahouse Finance to generate passive income on their behalf.\n\nUsers can find a wide range of strategies on the Teahouse strategy platform. Teahouse Finance offers investment choices based on risk tolerance, selecting from low, medium, to high-risk strategies. 
Additionally, users have the flexibility to choose strategies aligned with their specific preferences and investment goals.\n\nFor more information about Teahouse Finance, please visit [https://teahouse.finance/](https://teahouse.finance/)\n\nTeahouse Finance provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nTeahouse Finance adheres to the Primacy of Impact for the following severity levels:\n- Smart Contract: Critical\n- Smart Contract: High\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are ineligible for a reward\n\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors who directly or indirectly participated in the audit review\n\n\n__Immunefi Standard Badge__\n\nTeahouse Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"Teahouse Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack is considered if the smart contracts where the vulnerability exists can be upgraded, paused, or killed. If the attack impacts a smart contract directly holding funds that cannot be upgraded or paused, the amount of funds at risk will be calculated with the first attack being at 100% of the funds that could be stolen and then a reduction of 25% from the amount of the first attack for every 300 blocks the attack needs for subsequent attacks from the first attack, rounded down. 
For avoidance of doubt, if a second attack would happen at 600 blocks and then a third at 900 blocks, the funds at risk would be counted at 50% and 75% of the reward from the first attack, respectively.\n\n\n__Previous Audits__\n\nTeahouse Finance has provided these completed audit review reports for reference. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n- [https://vault.teahouse.finance/Teahouse-Finance_audit_report_2023-06-14.pdf](https://vault.teahouse.finance/Teahouse-Finance_audit_report_2023-06-14.pdf)\n- https://omniscia.io/reports/teahouse-finance-portfolio-strategy-65ad01e4cd79e50018d6fa75/ \n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract: Critical\n- Smart Contract: High\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Teahouse Finance team directly and are denominated in USD. However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"teahousefinance","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:00:18.240Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Teahouse Finance is a multi-strategy DeFi investment platform dedicated to secure and flexible asset management.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":9185,"severity":"critical","assetType":"smart_contract","fixedReward":15000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":9186,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"7DdLMg3FbRStg9cfTFdmbz","url":"https://github.com/Swaylend/swaylend-monorepo/tree/develop/apps/frontend","type":"websites_and_applications","addedAt":"2024-10-30T14:12:03.219Z","revision":0,"description":"Frontend","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98744","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a 
reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nSwaylend: frontend adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Swaylend has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"IOP Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/16LqmkVujUjyV91Bvtj4QK7ibtUxKt4iC?usp=sharing)\n\nAll paid bug reports are available in original format [here](https://app.gitbook.com/o/swaylendfrontend)","boostedIntroLive":"","boostedIntroStartingIn":"Swaylend is a leading lending protocol on the Fuel network. 
It is a fork of Compound V3.\n\nFor more information about Swaylend, please visit https://swaylend.com/\n\nSwaylend provides rewards in USDC, denominated in USD.","boostedLeaderboard":[{"high":0,"name":"Brainiac5","critical":0,"earnings":2000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Blockian","critical":0,"earnings":2000,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1GnZOoyjRpHNSmXatyN2xB44de-BGdCUm/view?usp=sharing","ecosystem":["Fuel Network"],"endDate":"2024-12-17T10:00:00.000Z","evaluationEndDate":"2025-01-10T10:00:00.000Z","features":["IOP (Invite Only Program)","Managed Triage: Time Saver","Boost","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Sway"],"launchDate":"2024-11-12T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5ZPcNO8qqh3O8FjVrcWHTd/da4827c44e7251bf7edcfce0f98ac6fb/Screenshot_2024-10-29_alle_15.13.33-removebg-preview.png","maxBounty":30000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Websites and Apps__\n\n- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n- This does not exclude reflected HTML injection with or without JavaScript\n- This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"The most critical things that should be tested are:\n\n- Withdrawing only assets that you supplied\n- Borrowing only the amount you're allowed (based on supplied collateral asset and collateral factor)\n- Repaying the borrowed amount before withdrawing collateral asset","productType":[],"programOverview":"Swaylend is a leading lending protocol on the Fuel network. 
It is a fork of Compound V3.\n\nFor more information about Swaylend, please visit https://swaylend.com/\n\nSwaylend provides rewards in USDC, denominated in USD.","programType":["Websites and Applications"],"project":"IOP | SwayLend Frontend","projectType":[],"rewardsBody":"The following reward terms are a summary, for the full details read our [IOP | SwayLend: Frontend - Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/29893062996881-IOP-SwayLend-Frontend-Rewards-Terms). \n\nA reward pool of $30,000 USD will be distributed among participants, even if no valid bugs are found. \n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\nDuplicates of Insight are not rewarded.","rewardsPool":30000,"primaryPool":30000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"swaylend-frontend-iop","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:03:15.303Z","impactsBody":"__Whitehat Educational Resources & Technical Info__\n\nDocumentation: https://docs.swaylend.com/\n\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nSwaylend is the port of Compound V3 lending protocol and architecture in the Sway programming language for the Fuel Network.\n\n\n**What external dependencies are there?**\n\nThe frontend uses many external libraries, the most important dependencies related to smart contracts are: \n1. Fuel libraries for handling wallet connections, contract types and calling of smart contract methods.\n- @fuel-ts/contract\n- @fuels/connectors\n- @fuels/react\n- fuels\n\n2. Pyth libraries for handling fetching of price updates from their Hermes network and load Pyth contract ABI types. \n- @pythnetwork/hermes-client\n- @pythnetwork/pyth-fuel-js\n\n3. Other larger libraries used are:\n- Next.js 14\n- Tailwind\n- @tanstack/react-query\n- Zustand\n\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\nOnly SRC-20 are supported, which are similar to ERC-20 standard but on the Fuel Network\n\n\n**Where might whitehats confuse out-of-scope code to be in-scope?**\n\nBugs found inside external libraries related to contract calls, specifically Fuel and Pyth libraries.\nWrong usage of the above libraries, still counts as in-scope.\n\n**Are there any unusual points about your protocol that may confuse whitehats?**\n\nPyth is used as a pull oracle by Swaylend. 
Pyth pull oracle information: https://docs.pyth.network/price-feeds/pull-updates\n\n**Where do you suspect there may be bugs?**\n\nSwaylend is the lending protocol that offers functionalities like other lending protocols, i.e., supplying base assets (in our case, USDC) and borrowing base assets in exchange for providing collateral assets. The most critical things that should be tested are:\n- Withdrawing only assets that you supplied\n- Borrowing only the amount you're allowed (based on supplied collateral asset and collateral factor)\n- Repaying the borrowed amount before withdrawing collateral asset\n\n\n__Public Disclosure of Known Issues__\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\nThere are no known public disclosures for frontend\n\n__Previous Audits__\n\nSwaylend’s completed audit reports can be found at https://www.halborn.com/audits/swaylend. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","websiteUrl":"https://swaylend.com/","githubUrl":"https://github.com/Swaylend/swaylend-monorepo/tree/develop/apps/frontend  https://app.swaylend.com/","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Swaylend is a leading lending protocol on the Fuel network, based on a fork of Compound V3.\n\nFor more information, visit: https://swaylend.com/\n\n**IOP | Swaylend Frontend focuses on Web2 attack vectors. 
Please review the in-scope impacts.**\n\nSwaylend rewards are provided in USDC, denominated in USD.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, 
such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, etc."},{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to 
access target site, such as:\n- Locking up the victim from login\n- Cookie bombing, etc."}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":false},{"level":"high","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":false},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":false},{"level":"low","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":false}],"audits":[{"id":"2tOSkA6yKPBrJAW1xeePu3","url":"https://www.halborn.com/audits/swaylend","auditor":"Halborn","date":"2024-09-09T00:00:00.000Z"}]},{"assets":[{"id":"1Eg6t3JkxqQoKzeB0AxSVq","url":"https://github.com/serai-dex/serai/tree/develop/crypto/ciphersuite","type":"blockchain_dlt","addedAt":"2023-07-31T21:32:53.470Z","revision":0,"description":"ciphersuite","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"23cnhEMoYY1M6X7dgosrUQ","url":"https://github.com/serai-dex/serai/tree/develop/crypto/dkg/src","type":"blockchain_dlt","addedAt":"2023-07-31T21:33:36.436Z","revision":0,"description":"dkg","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4pj5Yi3VZHdQf2o8pyRdMw","url":"https://github.com/serai-dex/serai/tree/develop/crypto/frost","type":"blockchain_dlt","addedAt":"2023-07-31T21:33:51.866Z","revision":0,"description":"modular-frost","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"60IxgiY2tZOwDc0PLsICOY","url":"https://github.com/serai-dex/serai/tree/develop/networks/bitcoin","type":"blockchain_dlt","addedAt":"2025-08-27T16:56:33.209Z","revision":0,"description":"bitcoin-serai","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6YH3ugptVFFnU8RrL4anNk","url":"https://github.com/serai-dex/serai/tree/develop/crypto/dalek-ff-group","type":"blockchain_dlt","addedAt":"2023-07-31T21:32:24.643Z","revision":0,"description":"dalek-ff-group","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id
":"6jm53RI29T7duolrIEfFz3","url":"https://github.com/serai-dex/serai/tree/develop/crypto/schnorrkel","type":"blockchain_dlt","addedAt":"2023-07-31T21:34:06.736Z","revision":0,"description":"frost-schnorrkel","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7Gm6mlwT0WqsqD68yB0ttp","url":"https://github.com/serai-dex/serai/tree/develop/crypto/transcript","type":"blockchain_dlt","addedAt":"2023-07-31T21:32:11.114Z","revision":0,"description":" flexible-transcript","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7M9H4VGubNNFpMS37bg4nl","url":"https://github.com/serai-dex/serai/tree/develop/crypto/dkg/musig","type":"blockchain_dlt","addedAt":"2025-08-27T16:56:10.335Z","revision":0,"description":"dkg-musig","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"S0HPyOGuPLO9RoqQ42dKy","url":"https://github.com/serai-dex/serai/tree/develop/crypto/schnorr","type":"blockchain_dlt","addedAt":"2023-07-31T21:33:05.787Z","revision":0,"description":"schnorr-signatures","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Y4c8YGTbaJy4jATtAsncD","url":"https://github.com/serai-dex/serai/tree/develop/crypto/multiexp","type":"blockchain_dlt","addedAt":"2023-07-31T21:32:40.227Z","revision":0,"description":"multiexp","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98757","url":"https://immunefi.com/","type":"blockchain_dlt","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of 
Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust"],"launchDate":"2023-08-04T11:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5xUPQvjAjam8ACUKuhW1Ga/472fbbbcb27749a403d6dcbac86577ab/Screenshot_2024-11-15_at_3.48.57___PM.png","maxBounty":30000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["AMM","Crosschain Liquidity","DEX","L1"],"programOverview":"Serai is an actively developed cross-chain, decentralized exchange for Bitcoin, Ethereum, and Monero. Built from scratch in Rust, Serai uses threshold multisignatures to secure coins under its own decentralized network.\n\nFor more information about Serai, please visit [https://github.com/serai-dex/serai](https://github.com/serai-dex/serai)\n\nSerai provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program, where the following information will be required to be provided:\n- IRS form W-8/W-9, as applicable\n- Applicant is not listed on the [OFAC SDN list](https://www.treasury.gov/ofac/downloads/sdnlist.pdf)\n\nKYC information is only required on confirmation of the validity of a bug report.   
\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nSerai adheres to the Primacy of Impact for the following severity levels:\n- Blockchain/DLT - Critical\n- Blockchain/DLT - High\n- Blockchain/DLT - Medium\n- Blockchain/DLT - Low\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n\n__Immunefi Standard Badge__\n\nSerai has satisfied the requirements for the [Immunefi Standard Badge,](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-) which is given to projects that adhere to our best practices.","programType":["Blockchain/DLT"],"project":"Serai","projectType":["Exchange","Defi","Blockchain"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Overtime Attack Limitations__\n\nIn cases of attacks executed over time for smart contract and blockchain/DLT bugs, an explicit two hour window without human intervention is provided, starting from the first erroneous or malicious action. 
Only achievements during this window will be counted, regardless of further impact.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. \n- [https://github.com/serai-dex/serai/issues](https://github.com/serai-dex/serai/issues)\n- [https://github.com/serai-dex/serai/tree/develop/audits](https://github.com/serai-dex/serai/tree/develop/audits)\n\n__Previous Audits__\n\nSerai has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n- [https://github.com/serai-dex/serai/blob/develop/audits/Cypher%20Stack%20crypto%20March%202023/Audit.pdf](https://github.com/serai-dex/serai/blob/develop/audits/Cypher%20Stack%20crypto%20March%202023/Audit.pdf)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Blockchain/DLT - Critical\n\nIn addition, a PoC will be required for the following low impact:\n- Undocumented panic reachable from a public API\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Serai team directly and are denominated in USD. 
However, payments are done in USDC.\n\n__Exclusion with monero-oxide__\n\nFor submissions mutual to Serai DEX and monero-oxide, both programs should be submitted to, yet only one will issue a reward (of the submitter's choice).","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"serai","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T21:59:37.321Z","impactsBody":null,"websiteUrl":"https://serai.exchange","githubUrl":"https://github.com/serai-dex/serai","eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_1","description":"Serai is an actively developed cross-chain, decentralized exchange for Bitcoin, Ethereum, and Monero. Built from scratch in Rust, Serai uses threshold multisignatures to secure coins under its own decentralized network.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Attacks breaking BFT assumptions\n- Best practice critiques\n- Signature production by the threshold\n- Attacks reliant on attacking an out of scope communication protocol between library users\n- Invalid circumstances reachable by providing invalid hashes/curves/ciphersuites/algorithms/etc\n- Attacks on the cross-group discrete logarithm proof, marked experimental\n- Vulnerabilities/issues in tests/code explicitly for tests\n- Bugs only reachable via unsafe code","customProhibitedActivities":[],"impacts":[{"id":4394,"type":"blockchain_dlt","severity":"low","title":"Undocumented panic reachable from a public API"},{"id":4395,"type":"blockchain_dlt","severity":"low","title":"Non-constant time implementation with regards to secret data"},{"id":4397,"type":"blockchain_dlt","severity":"medium","title":"Undocumented transcript collision"},{"id":4399,"type":"blockchain_dlt","severity":"critical","title":"Signing of unintended messages"},{"id":4400,"type":"blockchain_dlt","severity":"critical","title":"Ability to forge proofs"},{"id":5812,"type":"blockchain_dlt","severity":"critical","title":"Unintended, undocumented recovery of private spend keys (or private spend key shares)"},{"id":5813,"type":"blockchain_dlt","severity":"critical","title":"Reportedly received funds which weren’t actually received/spendable"},{"id":5814,"type":"blockchain_dlt","severity":"high","title":"Incorrect/incomplete (in the academic sense) cryptographic formulae within a verifier's callstack"},{"id":5815,"type":"blockchain_dlt","severity":"low","title":"Incorrect/incomplete (in the academic sense) cryptographic 
formulae within a prover's callstack"}],"rewards":[{"id":5763,"severity":"critical","assetType":"blockchain_dlt","fixedReward":30000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":5764,"severity":"high","assetType":"blockchain_dlt","fixedReward":5000,"rewardModel":"fixed"},{"id":5765,"severity":"medium","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":5766,"severity":"low","assetType":"blockchain_dlt","fixedReward":250,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4mPaq6luhr2GncbWfsBzIh","url":"wss://ws.api.prod.paradex.trade/v1","type":"websites_and_applications","addedAt":"2025-08-25T03:43:59.417Z","revision":0,"description":"WebSocket API","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1VwNdaQ3sBB1plgLkONtmM","url":"https://api.prod.paradex.trade/v1","type":"websites_and_applications","addedAt":"2025-08-25T03:43:59.402Z","revision":0,"description":"REST API","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"34NUgRRfox10cqTPFNkubT","url":"https://app.paradex.trade/","type":"websites_and_applications","addedAt":"2025-08-25T03:02:50.918Z","revision":0,"description":"UI","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3jF5giG9OJtHLp5URDH53g","url":"https://rpc.api.prod.paradex.trade/rpc/v0_8","type":"websites_and_applications","addedAt":"2025-08-25T03:02:32.445Z","revision":0,"description":"RPC","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3xonwpwfPiqt9YDPYHMw2A","url":"https://voyager.prod.paradex.trade/contract/0x03ca9388f8d4e04adecbd7b06b9b24a33030a593522248a7bddd87afc0b61a0c","type":"smart_contract","addedAt":"2025-08-25T03:01:07.563Z","revision":0,"description":"Paraclear Contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"460VivMwY0dyDDGTyJjxDe","url":"https://voyager.prod.paradex.trade/contract/0x0662d75749ee4b4afa63f891308cb0bae63ce10999d1c332d92b53eb9ac0a0d3","type":"smart_contract","addedAt":"2025-08-25T03:02:17.113Z","revision":0,"description":"Oracle 
Contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Y0Y0nPg0jxznlS1MNq1s4","url":"https://voyager.prod.paradex.trade/contract/0x0355b9f48262d37607098294a37aea883cf34cb81458039e8c0d0871a4f4e4e8","type":"smart_contract","addedAt":"2025-08-25T03:01:56.187Z","revision":0,"description":"Registry Contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"vKQMiNUwPGAU8sxPaUrH6","url":"https://voyager.prod.paradex.trade/contract/0x071408d2903ac0876602f105a198c17028519d7f48f318adb94a0650c686dfc3","type":"smart_contract","addedAt":"2025-08-25T03:01:32.661Z","revision":0,"description":"Vault Factory Contract","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98735","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"98768","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Time Saver","Safe Harbor Documents Signed"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-08-22T01:34:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2jxO6gDlNVXPLn4MT1JLtQ/fd3d05358610c2b50b679fa2812fe9f6/EnotVJl3_400x400.png","maxBounty":500000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - medium","websites_and_applications - low","websites_and_applications - 
high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Paradex is an advanced perp DEX built on a ZK-rollup Layer 2, combining self-custodial security with CEX-like performance through deep liquidity, portfolio margin capabilities, and innovative features like trading privacy and retail price improvement.\nFor more information about Paradex, please visit https://www.paradex.trade/\n\nParadex provides rewards in USDC on ETH, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Primacy of Impact vs Primacy of Rules__\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.","programType":["Websites and Applications","Smart Contract"],"project":"Paradex","projectType":[],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 500k. 
The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 25k is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unrealized pnl are rewarded within a range of 10k to 15k depending on the funds at risk, capped at the maximum high reward.  \n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. 
Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nCritical web/apps bug reports will be rewarded with 20k only if the impact leads to:\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of 10k. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Paradex team directly and are denominated in USDC. However, payments are done in [USDC] on ETH.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"paradex","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:03:28.252Z","impactsBody":null,"websiteUrl":"https://www.paradex.trade/","githubUrl":null,"eligibilityCriteria":["no_employee","no_auditor","no_official_contributor","no_ofac_sdn"],"responsiblePublicationCategory":"category_3","description":"Paradex is an advanced perp DEX built on a ZK-rollup Layer 2, combining self-custodial security with CEX-like performance through deep liquidity, portfolio margin capabilities, and innovative features like trading privacy and retail price improvement.\nFor more information about Paradex, please visit https://www.paradex.trade/","knownIssues":[{"id":72,"link":"https://rpc.api.prod.paradex.trade/rpc/v0_8","description":"All issues from Pathfinder RPC 
dependency","lastUpdatedAt":"2025-08-25T00:00:00.000Z","relatedImpactInScope":"websites_and_applications"},{"id":71,"link":"https://rpc.api.prod.paradex.trade/rpc/v0_8","description":"All issues from Juno RPC dependency","lastUpdatedAt":"2025-08-25T00:00:00.000Z","relatedImpactInScope":"websites_and_applications"},{"id":67,"link":"https://github.com/Cairo-Security-Clan/Audit-Portfolio/blob/main/Paradex_Audit_Report.pdf","description":"Acknowledged issues from Cairo Security Clan Audit","lastUpdatedAt":"2025-08-25T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:\n- Locking up the victim from login\n- Cookie bombing, etc."},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, etc."},{"id":5689,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds (or assets), whether at-rest or in-motion, other than unrealized pnl"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":5690,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds or assets"},{"id":5691,"type":"smart_contract","severity":"high","title":"Theft of unrealized pnl"},{"id":5692,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds or assets"},{"id":5693,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website"},{"id":5694,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Making trades that get settled\n- Withdrawals, 
etc."},{"id":5695,"type":"websites_and_applications","severity":"high","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":5696,"type":"websites_and_applications","severity":"high","title":"Injection of malicious HTML or XSS through metadata"},{"id":5697,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":5698,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML injection\n- Loading external site data"},{"id":5699,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open 
redirect)"}],"rewards":[{"id":34568,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":34569,"severity":"high","assetType":"smart_contract","maxReward":15000,"minReward":10000,"rewardModel":"range"},{"id":34570,"severity":"medium","assetType":"smart_contract","fixedReward":4000,"rewardModel":"fixed"},{"id":34571,"severity":"low","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":34572,"severity":"critical","assetType":"websites_and_applications","maxReward":20000,"minReward":10000,"rewardModel":"range"},{"id":34573,"severity":"high","assetType":"websites_and_applications","fixedReward":3000,"rewardModel":"fixed"},{"id":34574,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"},{"id":34575,"severity":"low","assetType":"websites_and_applications","fixedReward":500,"rewardModel":"fixed"}],"audits":[{"id":"MK2nOd50Lnoou7I8BmOoS","url":"https://docs.paradex.trade/security/audit-pentests","auditor":"All Audits","date":"2025-08-25T00:00:00.000Z"}]},{"assets":[{"id":"njmWVml2QuVUBVaj2uAQN","url":"https://etherscan.io/address/0xe335d314BD4eF7DD44F103dC124FEFb7Ce63eC95","type":"smart_contract","addedAt":"2025-12-04T06:58:56.989Z","revision":0,"description":"Address Registry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1FoDqtweWi1oAb6aPugiRH","url":"https://etherscan.io/address/0x9a0c630c310030c4602d1a76583a3b16972ecaa0","type":"smart_contract","addedAt":"2026-01-16T02:21:42.373Z","revision":0,"description":"Morpho Lending Router","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7qfQWpFzD7KJrfZldZkKUX","url":"https://etherscan.io/address/0xaf14d06a65c91541a5b2db627ecd1c92d7d9c48b","type":"smart_contract","addedAt":"2026-01-16T02:21:50.339Z","revision":0,"description":"sUSDe Staking 
Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3wCYAB1xEDjI7qaQjOy8Uc","url":"https://etherscan.io/address/0x7f723fee1e65a7d26be51a05af0b5efee4a7d5ae","type":"smart_contract","addedAt":"2026-01-16T02:22:17.745Z","revision":0,"description":"weETH Staking Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3okQDRZ7wnCBNsYzHapxMG","url":"https://etherscan.io/address/0x2716561755154eef59bc48eb13712510b27f167f","type":"smart_contract","addedAt":"2026-01-16T02:22:31.758Z","revision":0,"description":"Convex OETH/ETH Liquidity Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5LVtOHPjUrRwKFPTHg4niD","url":"https://etherscan.io/address/0x0e61e810f0918081cbfd2ac8c97e5866daf3f622","type":"smart_contract","addedAt":"2026-01-16T02:22:44.692Z","revision":0,"description":"sUSDe NOV 27 2025 PT Vault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7pzCHM9aZ396UOYmnxeeA7","url":"https://etherscan.io/address/0x71ba37c7c0eab9f86de6d8745771c66fd3962f20","type":"smart_contract","addedAt":"2026-01-16T02:23:00.853Z","revision":0,"description":"weETH Withdraw Request Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"fzlLKeNkyVKq2voTLjV3s","url":"https://etherscan.io/address/0x8c7c9a45916550c6fe04cdaa139672a1b5803c9f","type":"smart_contract","addedAt":"2026-01-16T02:23:13.686Z","revision":0,"description":"sUSDe Withdraw Request Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"53qpILIWPKtnl6nRF2bw9Y","url":"https://etherscan.io/address/0x59aa04b190ec76c95a1eb02d9a184b7fdd64b9fb","type":"smart_contract","addedAt":"2026-01-16T02:23:25.949Z","revision":0,"description":"OETH Withdraw Request Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Tt8kufQkRcgAkki7enXJB","url":"https://etherscan.io/address/0xe854ceb7e57988b083b93195d092d289fed1d0ff","type":"smart_contract","addedAt":"2026-01-16T02:23:42.744Z","revision":0,"description":"WETH Withdraw Request 
Manager","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6yOkBBQgmdEMJGYGZ4HNoC","url":"https://etherscan.io/address/0x091356e6793a0d960174eaab4d470e39a99dd673","type":"smart_contract","addedAt":"2026-01-16T03:19:42.064Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3mTZEptsBz9dXzRvIya7J4","url":"https://etherscan.io/address/0x94f6cb4fae0eb3fa74e9847dff2ff52fd5ec7e6e","type":"smart_contract","addedAt":"2026-01-16T03:20:01.894Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1jezgm16t9EtnDdRMtlhRB","url":"https://etherscan.io/address/0xe4ebb6ea270a70491c3af06376a5862a0fda7268","type":"smart_contract","addedAt":"2026-01-16T03:20:27.091Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4FYc7DZsN0KySHhQkoJG0S","url":"https://etherscan.io/address/0x18f86644781fc9f7b4641d371f377c96744ec10f","type":"smart_contract","addedAt":"2026-01-16T03:21:20.853Z","revision":0,"description":"","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98772","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2026-01-16T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2cpwpSh7XNbPe5n3GffDmt/e9d7b88d67f58ba463bd9f30c32c4f26/zk8nf4kv_400x400.png","maxBounty":250000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Notional 
Exponent is a leveraged yield protocol that enables users to maximize returns on DeFi yield strategies with leverage. It represents a major evolution of Notional’s core product. Notional was founded in 2020 to bring fixed rate lending to DeFi and we’ve been working on lending products ever since. Notional Exponent narrows our focus on what we do best.\n\nFor more information about Notional Exponent, please visit https://notional.finance/.\n\nNotional Exponent provides rewards in USDC, USDT, ETH, DAI on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__ \n\nNotional Exponent will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Primacy of Impact vs Primacy of Rules__\n\nNotional Exponent adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.","programType":["Smart Contract"],"project":"Notional Exponent","projectType":[],"rewardsBody":"**Rewards by Threat Level**\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $250,0000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. \n\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. \n- The amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every [300 blocks] the attack needs for subsequent attacks from the first attack, rounded down.\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of $10,000 to $50,000 with the reward calculated based on 25% of the funds at risk, though capped at the maximum high reward. \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. \n\n__Reward Payment Terms__\nPayouts are handled by the Notional Exponent team directly and are denominated in USD. 
However, payments are done in USDC, USDT, ETH, DAI on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability._","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, USDT, ETH, DAI","slug":"notional-exponent","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:04:38.766Z","impactsBody":null,"websiteUrl":"https://www.notional.finance/","githubUrl":"https://github.com/notional-finance/contracts-v2","eligibilityCriteria":["no_ofac_sdn","no_auditor","no_employee","no_official_contributor"],"responsiblePublicationCategory":"category_1","description":"Notional Exponent is a leveraged yield protocol that enables users to maximize returns on DeFi yield strategies with leverage. It represents a major evolution of Notional’s core product. Notional was founded in 2020 to bring fixed rate lending to DeFi and we’ve been working on lending products ever since. Notional Exponent narrows our focus on what we do best.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"}],"rewards":[{"id":39780,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39781,"severity":"high","assetType":"smart_contract","maxReward":50000,"rewardModel":"up_to"}],"audits":[{"id":"5Olp5JM3KsWlOWnwU3RZbo","url":"https://blog.openzeppelin.com/notional-audit/","auditor":"Notional V1, Open Zeppelin","date":"2020-12-01T00:00:00.000Z"},{"id":"4D5sllXR8pYqMVJ7MnyzjA","url":"https://blog.openzeppelin.com/notional-v2-audit-governance-contracts/","auditor":"Notional V2 Governance, Open Zeppelin","date":"2021-11-01T00:00:00.000Z"},{"id":"3OOsSHG33JBFwqy2KDdb6S","url":"https://github.com/notional-finance/contracts-v2/blob/master/audits/ABDK%20-%20Notional%20V2%2C%20Sept%201%202021.pdf","auditor":"Notional V2, ABDK","date":"2021-09-01T00:00:00.000Z"},{"id":"49NjTeiYUUczX8fvn55wDi","url":"https://github.com/notional-finance/contracts-v2/blob/master/audits/Certora%20-%20Formal%20Verfication%20Report%2C%20Nov%201%202021.pdf","auditor":"Notional V2, Certora","date":"2021-11-01T00:00:00.000Z"},{"id":"4tJ5XoiDioOetuIeCVOSGy","url":"https://github.com/notional-finance/contracts-v2/blob/master/audits/ABDK%20-%20Notional%20V2%20Fixes%2C%20Nov%201%202021.pdf","auditor":"Notional V2, ABDK 
Fixes","date":"2021-11-01T00:00:00.000Z"},{"id":"1CSQGOc1YKOa5e5UBedBH1","url":"https://code4rena.com/reports/2021-08-notional/","auditor":"Notional V2, Code Arena","date":"2021-10-01T00:00:00.000Z"},{"id":"4bl6AGSjdfI2F42dXvPka","url":"https://code4rena.com/reports/2022-01-notional/","auditor":"Staked NOTE","date":"2022-03-01T00:00:00.000Z"},{"id":"3iEwXk4qKrsD0Qo13N7kKa","url":"https://consensys.net/diligence/audits/2022/03/notional-protocol-v2.1/","auditor":"Notional V2.1, Consensys Diligence","date":"2022-03-01T00:00:00.000Z"},{"id":"6vYO7EboNuUOusLgbmQkj0","url":"https://code4rena.com/reports/2022-06-notional-coop/","auditor":"Wrapped fCash, Code Arena","date":"2022-07-16T00:00:00.000Z"},{"id":"4m9in8oz7dPhD0Q1iL0b8r","url":"https://consensys.net/diligence/audits/2022/07/notional-finance/","auditor":"Leveraged Vaults, Consensys Diligence","date":"2022-07-01T00:00:00.000Z"},{"id":"7jSkZMhtbI8a0Q1NDK52h3","url":"https://app.sherlock.xyz/audits/contests/2","auditor":"Leveraged Vaults + Balancer Vault Strategy, Sherlock","date":"2022-10-01T00:00:00.000Z"},{"id":"4aGUCdQ0qqyQUFvSz5WJiU","url":"https://app.sherlock.xyz/audits/contests/31","auditor":"Balancer Vault Strategy Fixes, Sherlock","date":"2023-01-01T00:00:00.000Z"},{"id":"1kIhqTRDwIIm9LsSeDyNYb","url":"https://app.sherlock.xyz/audits/contests/52","auditor":"Convex Leveraged Vault, Sherlock","date":"2023-03-01T00:00:00.000Z"},{"id":"2YLa2uR3UBe7X3NyLH687q","url":"https://app.sherlock.xyz/audits/contests/59","auditor":"Notional V3, Sherlock","date":"2023-05-01T00:00:00.000Z"},{"id":"51bmso0jrw6na0DqEjHHay","url":"https://audits.sherlock.xyz/contests/119","auditor":"Single Sided LP Leveraged Vaults","date":"2023-11-01T00:00:00.000Z"},{"id":"1LytkY81e9wrIJCoxKnbJt","url":"https://audits.sherlock.xyz/contests/142","auditor":"External Lending, Wrapped fCash","date":"2024-06-01T00:00:00.000Z"},{"id":"391sN3tGp7aMW83k3hlmYK","url":"https://audits.sherlock.xyz/contests/446?filter=questions","auditor":"Pendle PTs, 
Vault Incentives","date":"2024-06-01T00:00:00.000Z"},{"id":"3qq0DdfnkUAW8KIihlXvNw","url":"https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.07.18%20-%20Final%20-%20Notional%20Exponent%20Audit%20Report.pdf","auditor":"Sherlock","date":"2025-07-18T00:00:00.000Z"},{"id":"4XKDrR8jJx1zog4ifmpU4P","url":"https://github.com/mixbytes/audits_public/tree/master/Notional%20Finance/Notional%20v4","auditor":"Mixbytes","date":"2025-11-28T00:00:00.000Z"},{"id":"416kMHV3LOth2lHoymwlNI","url":"https://sherlock-files.ams3.digitaloceanspaces.com/reports/2026.01.17%20-%20Final%20-%20Notional%20Collaborative%20Audit%20Report%201768611627.pdf","auditor":"Sherlock","date":"2026-01-09T00:00:00.000Z"}]},{"assets":[{"id":"6Zf9rvXHoUzL4Ld2NT5aJq","url":"https://github.com/Lightprotocol/light-protocol/tree/e5f84a03054f88245b3545c314a1adb8e465aca3/prover/server/prover","type":"smart_contract","addedAt":"2025-11-28T13:57:56.049Z","revision":0,"description":"light-prover/prover","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1UCOBZbcy0EW5SRUd6YqIx","url":"https://github.com/Lightprotocol/light-protocol/tree/81f4456154a7eb4b612bbbdd0ec1930a2a15b272/merkle-tree/bounded-vec","type":"smart_contract","addedAt":"2025-01-31T07:09:48.354Z","revision":0,"description":"Crate - light_bounded_vec","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3YqmaeXzy0hvG7GXFdWHmW","url":"https://docs.rs/light-hasher/latest/light_hasher/","type":"smart_contract","addedAt":"2025-01-31T07:10:17.320Z","revision":0,"description":"Crate - light_hasher","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4HPL1BYnxBFXNHgboyW6RY","url":"https://docs.rs/aligned-sized/latest/aligned_sized/","type":"smart_contract","addedAt":"2025-01-31T07:09:25.526Z","revision":0,"description":"Crate - 
aligned_sized","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5AeaLuvVOJTiRPva9tQ336","url":"https://docs.rs/light-indexed-merkle-tree/latest/light_indexed_merkle_tree/","type":"smart_contract","addedAt":"2025-01-31T07:10:27.984Z","revision":0,"description":"Crate - light_indexed_merkle_tree","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5fKh5DRsjo0w56g31cLoLj","url":"https://solscan.io/account/SySTEM1eSU2p4BGQfQpimFEWWSC1XDFeun3Nqzz3rT7","type":"smart_contract","addedAt":"2025-01-31T07:11:46.076Z","revision":0,"description":"Crate - light_system_program","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5naBeDVoUqbfyNBTXDEwZp","url":"https://docs.rs/light-verifier/latest/light_verifier/","type":"smart_contract","addedAt":"2025-01-31T07:09:01.221Z","revision":0,"description":"Crate - light_verifier","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5vc4NCIYybmfR0wwRez06Z","url":"https://docs.rs/light-hash-set/latest/light_hash_set/","type":"smart_contract","addedAt":"2025-01-31T07:10:05.352Z","revision":0,"description":"Crate - light_hash_set","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Xh0fCHeGZWLsDuSD21xKa","url":"https://docs.rs/light-utils/latest/light_utils/","type":"smart_contract","addedAt":"2025-01-31T07:11:59.046Z","revision":0,"description":"Crate - light_utils","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6Y5cMRZWHWTuRB2tapfZty","url":"https://docs.rs/light-heap/latest/light_heap/","type":"smart_contract","addedAt":"2025-01-31T07:09:17.759Z","revision":0,"description":"Crate - light_heap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6sqFIiR4nD4ibQwEiHM1fb","url":"https://docs.rs/groth16-solana/latest/groth16_solana/","type":"smart_contract","addedAt":"2025-01-31T07:09:10.251Z","revision":0,"description":"Crate - 
groth16_solana","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6xcBP6GRm9eiKfwCJQE38o","url":"https://solscan.io/account/compr6CUsB5m2jS4Y3831ztGSTnDpnKJTKS95d64XVq","type":"smart_contract","addedAt":"2025-01-31T07:10:37.906Z","revision":0,"description":"Crate - account_compression","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"71oQrNhaSolNVZmyomdjhN","url":"https://solscan.io/account/Lighton6oQpVkeewmo2mcPTQQp7kYHr4fWpAgJyEmDX","type":"smart_contract","addedAt":"2025-01-31T07:11:29.535Z","revision":0,"description":"Crate - light_registry","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"78RDgthb74BB1blVEVrvG8","url":"https://docs.rs/light-macros/latest/light_macros/","type":"smart_contract","addedAt":"2025-01-31T07:09:39.914Z","revision":0,"description":"Crate - light_macros","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7dHsRdmdVcew5f5DIcfDlY","url":"https://docs.rs/light-concurrent-merkle-tree/latest/light_concurrent_merkle_tree/","type":"smart_contract","addedAt":"2025-01-31T07:09:56.679Z","revision":0,"description":"Crate - light_concurrent_merkle_tree","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"DoTcxodRmnsEzmC5GsXKa","url":"https://solscan.io/account/cTokenmWW8bLPjZEBAUgYy3zKxQZW6VKi7bqNFEVv3m","type":"smart_contract","addedAt":"2025-01-31T07:11:18.811Z","revision":0,"description":"Crate - light_compressed_token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98759","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"The Light Programs, deployed on Solana mainnet, and commit hashes of the deployed code can be found in the MutiSig:\n- Account Compression Progam: https://app.squads.so/squads/7PeqkcCXeqgsp5Mi15gjJh8qvSLk7n3dgNuyfPhJJgqY/developer/programs/compr6CUsB5m2jS4Y3831ztGSTnDpnKJTKS95d64XVq;\n\n- Compressed Token Program: 
https://app.squads.so/squads/7PeqkcCXeqgsp5Mi15gjJh8qvSLk7n3dgNuyfPhJJgqY/developer/programs/cTokenmWW8bLPjZEBAUgYy3zKxQZW6VKi7bqNFEVv3m;\n\n- Registry: https://app.squads.so/squads/7PeqkcCXeqgsp5Mi15gjJh8qvSLk7n3dgNuyfPhJJgqY/developer/programs/Lighton6oQpVkeewmo2mcPTQQp7kYHr4fWpAgJyEmDX; and\n\n- System Program: https://app.squads.so/squads/7PeqkcCXeqgsp5Mi15gjJh8qvSLk7n3dgNuyfPhJJgqY/developer/programs/SySTEM1eSU2p4BGQfQpimFEWWSC1XDFeun3Nqzz3rT7.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Subscription Plan: Essential","Vault","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2024-09-12T19:39:57.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3HcRnAd91ErHn7EXd04vRw/a7a0424ee3f4060fe1d14551ed1673a5/light__1_.png","maxBounty":50000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Zero-Knowledge Proofs"],"programOverview":"Light Protocol introduces ZK Compression, a new primitive designed to scale Solana’s L1 while maintaining security and performance. 
It delivers significant cost savings for developers, addresses the problem of state growth, and provides a foundation for native ZK compute on Solana.\n\nLight is a protocol built on Solana introducing ZK compression, a new primitive that enables the secure scaling of state directly on the L1.\n\nSolana users and program developers can opt-in to compress their on-chain state via the Light Protocol smart contracts. This reduces state cost by orders of magnitude while preserving the security, performance, and composability of the Solana L1.\n\nLight Protocol compressed state natively supports custom ZK compute. This creates a new space for previously impossible computation designs on Solana.\n\nHow it works in a nutshell:\n\n- Off-Chain State Storage: State is stored off-chain, i.e., as calldata on the Solana ledger.\n- Transactions specify state: Transactions define the off-chain state they access (read/write) and include it in the transaction payload.\n- State Validation: Solana Programs invoke the light_system_program to create and update compressed state. \n    - The light_system_program validates the state (validity of read state via compressed-account schema, sum checks, ownership checks, verification of input state inclusion ZKP). Compressed accounts have a layout similar to classic accounts.\n\n- State Updates: The light_system_program invokes the account_compression_program which checks against double-spends and updates merkle trees. 
the new state is recorded as a log on the Solana ledger via the noop-program.\n- Photon RPC Nodes: index and persist the logs, making the compressed account state available to clients via the ZK Compression RPC API.\n- Forester nodes (cranks): Interact with the account compression program to empty nullifier_queues, empty address_queues, and roll-over trees.\n\nFor more information about Light Protocol, please visit [https://lightprotocol.com](https://lightprotocol.com)\n- Our Docs [https://www.zkcompression.com](https://www.zkcompression.com)\n- Our GitHub [https://github.com/Lightprotocol/light-protocol](https://github.com/Lightprotocol/light-protocol).\n- Our Twitter (X) [https://x.com/LightProtocol](https://x.com/LightProtocol)\n\nLight Protocol Labs provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nLight Protocol will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Copy of Passport or other Government issued ID\n\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nLight Protocol adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - Critical\n- Smart Contract - High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. 
If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, the project has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"Light Protocol","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $50,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $10,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. 
\n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties, as well as arbitrary creation/deletion/permanent freezing of state, are rewarded within a range of USD $5,000 to USD $10,000  depending on the funds at risk, capped at the maximum high reward.\n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the service providers of Light Protocol directly and are denominated in USD. However, payments are done in USDC.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"light-protocol","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:01:02.156Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_1","description":"Light Protocol introduces ZK Compression, a new primitive designed to scale Solana’s L1 while maintaining security and performance. It delivers significant cost savings for developers, addresses the problem of state growth, and provides a foundation for native ZK compute on Solana.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"From the assets listed above, only the latest releases are in scope. The latest main on https://github.com/Lightprotocol/light-protocol is not automatically in scope. Make sure the asset’s commit hash you review matches the commit hash of the Light Programs in the resources section.\n\nThese assets are out of scope for this bug bounty program: client side libraries, sdks, cli, server, tests, test-utilities or code only used for testing.","customProhibitedActivities":[],"impacts":[{"id":5311,"type":"smart_contract","severity":"high","title":"Temporary freezing of state"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":5312,"type":"smart_contract","severity":"critical","title":"Arbitrary creation or deletion of state"},{"id":5313,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of compressed tokens/sol"},{"id":5314,"type":"smart_contract","severity":"critical","title":"Permanent freezing of compressed tokens/sol"},{"id":5315,"type":"smart_contract","severity":"critical","title":"Permanent freezing of state"}],"rewards":[{"id":11869,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11870,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":11871,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":11872,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"78CxDHj3kIqFa7GbqqnErz","url":"https://github.com/Lightprotocol/light-protocol/blob/main/audits/ottersec_v1_audit.pdf","auditor":"OtterSec","date":"2024-08-15T00:00:00.000Z"},{"id":"1yN8LmBYcAQRQaVs8aGliw","url":"https://github.com/Lightprotocol/light-protocol/blob/main/audits/neodyme_v1_audit.pdf","auditor":"Neodyme","date":"2024-08-28T00:00:00.000Z"},{"id":"7Ip961EKsZw4FgdxQ3c7qw","url":"https://github.com/Lightprotocol/light-protocol/blob/main/audits/reilabs_circuits_formal_verification_report.pdf","auditor":"Reilabs","date":"2024-08-08T00:00:00.000Z"},{"id":"2LZyw1FEXA7bzMy9kCforv","url":"https://github.com/Lightprotocol/light-protocol/blob/main/audits/zellic_v1_audit.pdf","auditor":"Zellic","date":"2024-09-06T00:00:00.000Z"},{"id":"6gCJWxlpVZOjuy2JhFFBw0","url":"https://github.com/Lightprotocol/light-protocol/blob/main/audits/accretion_v1_update_audit.pdf","auditor":"Accretion","date":"2025-01-21T00:00:00.000Z"}]},{"assets":[{"id":"929WlCBGIKfDp1Nw8RikS"
,"url":"https://etherscan.io/address/0xBa5E35E26Ae59c7aea6F029B68c6460De2d13eB6","type":"smart_contract","addedAt":"2025-06-09T17:22:14.029Z","revision":0,"description":"L1 Ethereum Mainnet Chain ID 1 - Bridge Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7lWPwL735YrjoAC1jdhPSL","url":"https://etherscan.io/address/0x177EaFe0f1F3359375B1728dae0530a75C83E154","type":"smart_contract","addedAt":"2025-06-09T17:22:27.347Z","revision":0,"description":"L1 Ethereum Mainnet Chain ID 1 - Bridge Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7xQKZPqV2zZaKVOudph0qN","url":"https://etherscan.io/address/0x4f49b53928a71e553bb1b0f66a5bcb54fd4e8932","type":"smart_contract","addedAt":"2025-06-09T17:22:40.200Z","revision":0,"description":"L1 Ethereum Mainnet Chain ID 1 - Adapter Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"AxkEzrEois1971XaKwdcq","url":"https://etherscan.io/address/0xE2E91C1Ae2873720C3b975a8034e887A35323345","type":"smart_contract","addedAt":"2025-06-09T17:22:58.702Z","revision":0,"description":"L1 Ethereum Mainnet Chain ID 1 - Adapter Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3pLE59cpPYLPmUMU1Cvuj2","url":"https://explorer.immutable.com/address/0xBa5E35E26Ae59c7aea6F029B68c6460De2d13eB6","type":"smart_contract","addedAt":"2025-06-09T17:24:06.679Z","revision":0,"description":"L2 zkEVM Chain ID 13371 - Bridge Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6uO76lmxp86rMyBwTqfSQL","url":"https://explorer.immutable.com/address/0xb4c3597e6b090A2f6117780cEd103FB16B071A84","type":"smart_contract","addedAt":"2025-06-09T17:24:17.017Z","revision":0,"description":"L2 zkEVM Chain ID 13371 - Bridge Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"TL87Ggcxr7FtDOCDweFHv","url":"https://explorer.immutable.com/address/0x4f49B53928A71E553bB1B0F66a5BcB54Fd4E8932","type":"smart_contract","addedAt":"2025-06-09T17:24:29.028Z","revision":0,"description":"L2 zkEVM Chain 
ID 13371 - Adapter Proxy","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3Y3gMJw8wAvoshdnbwIAlY","url":"https://explorer.immutable.com/address/0x1d49c44dc4BbDE68D8D51a9C5732f3a24e48EFA6","type":"smart_contract","addedAt":"2025-06-09T17:24:39.221Z","revision":0,"description":"L2 zkEVM Chain ID 13371 - Adapter Implementation","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"28TZvhCDwNl1jC2D3qyxET","url":"https://explorer.immutable.com/address/0x8804A8aA1F18f23aE8A456dD73806FdA3219FaD1","type":"smart_contract","addedAt":"2025-06-09T17:24:50.237Z","revision":0,"description":"L2 zkEVM Chain ID 13371 - ChildERC20 Token Template","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98734","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-06-10T05:44:56.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4jyESr3DuPBvV84CVG2sL1/4a66b3f802b2aa1117a34981a098921b/immutable.png","maxBounty":1000000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"dep","productType":[],"programOverview":"Immutable is a global leader in gaming on a mission to bring digital ownership to every player by making it safe and easy to build great web3 games through the power of immutable NFTs.\n\nFor more information about Immutable, please visit www.immutable.com.\n\nImmutable provides rewards in 
USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Primacy of Impact vs Primacy of Rules__\n\nImmutable adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - Critical\n- Smart Contract - High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.","programType":["Smart Contract"],"project":"Immutable","projectType":[],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 1,000,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 50,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 5,000 to USD 20,000 depending on the funds at risk, capped at the maximum high reward.\n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. 
Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"immutable","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:03:25.078Z","impactsBody":null,"websiteUrl":"https://www.immutable.com/","githubUrl":"https://github.com/immutable/","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Immutable is a global leader in gaming on a mission to bring digital ownership to every player by making it safe and easy to build great web3 games through the power of immutable NFTs.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5757,"type":"smart_contract","severity":"medium","title":"Griefing i.e. an attack with no direct profit motive for an attacker, but which results in notable, persistent or permanent damage to the protocol, its assets or users. 
This excludes transient or minor inconveniences (like a user needing to resubmit a transaction)"},{"id":5758,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion"}],"rewards":[{"id":37567,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":37568,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":37569,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"5pi1COXLvAR6iQqo0FlG3c","url":"https://github.com/immutable/contracts/tree/main/audits","auditor":"All Audits","date":"2025-06-09T00:00:00.000Z"}]},{"assets":[{"id":"1xiu2gRT5gxq4N3docaq91","url":"https://polygonscan.com/address/0xE5417Af564e4bFDA1c483642db72007871397896","type":"smart_contract","addedAt":"2022-05-10T16:30:44.647Z","revision":0,"description":"GainsNetworkToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6JPQAu5DqWAKfgvuHYQkms","url":"https://arbiscan.io/address/0x18c11FD286C5EC11c3b683Caa813B77f5163A122","type":"smart_contract","addedAt":"2023-01-06T10:49:46.655Z","revision":0,"description":"GainsNetworkToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6EW3s1mUhhxknFzctu5sqv","url":"https://polygonscan.com/address/0x7075cAB6bCCA06613e2d071bd918D1a0241379E2","type":"smart_contract","addedAt":"2022-05-10T16:30:45.686Z","revision":0,"description":"GFarm2Token","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"7KFWks7gaIU1E2MwE4k0Sa","url":"https://etherscan.io/address/0x831091da075665168e01898c6dac004a867f1e1b","type":"smart_contract","addedAt":"2023-01-06T10:51:31.519Z","revision":0,"description":"GFarmToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1MPuC1F8sajwrnfMgYYNKG","url":"https://polygonscan.com/address/0xDF774A4F3EA5095535f5B8f5b9149caF90FF75Bd","type":"smart_contract","addedAt"
:"2023-01-06T11:11:02.653Z","revision":0,"description":"ERC20Bridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4HrBJsPjGsm5ZZSc78g6vj","url":"https://arbiscan.io/address/0x01cAaaA682Ceba8cd6c02f93BB1393fB415fA5e2","type":"smart_contract","addedAt":"2023-01-06T11:11:22.655Z","revision":0,"description":"ERC20Bridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3rPrrluZMg8Zaw8jRTkvuf","url":"https://polygonscan.com/address/0xa33f7069f075A54481868e4C0b8D26925A218362","type":"smart_contract","addedAt":"2023-01-06T11:11:44.033Z","revision":0,"description":"ERC721LockingBridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"FOcM1N3ihWaUMKSK9Xbkx","url":"https://arbiscan.io/address/0x0F9E4375facBeB90DAA850f677819b438ce50827","type":"smart_contract","addedAt":"2023-01-06T11:12:05.966Z","revision":0,"description":"ERC721MintingBridge","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3KjWOSvlizntaA8N1q1Vj4","url":"https://polygonscan.com/address/0x91993f2101cc758D0dEB7279d41e880F7dEFe827","type":"smart_contract","addedAt":"2023-01-06T11:12:28.202Z","revision":0,"description":"GToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"TEApTAscbsT0v0tmJC1SZ","url":"https://arbiscan.io/address/0xd85E038593d7A098614721EaE955EC2022B9B91B","type":"smart_contract","addedAt":"2023-01-06T11:12:47.502Z","revision":0,"description":"GToken","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"TNU4pT6qYMHPiVm8Pit7m","url":"https://polygonscan.com/address/0x8d687276543b92819F2f2B5C3faad4AD27F4440c","type":"smart_contract","addedAt":"2023-01-06T11:13:27.696Z","revision":0,"description":"GTokenOpenPnlFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"Y9CvHbk7tQB2XRre1VH5G","url":"https://arbiscan.io/address/0x990BA9Edd8a9615A23E4c452E63A80e519A4a23D","type":"smart_contract","addedAt":"2023-01-06T11:13:47.143Z","revision":0,"description":"GTokenOpenPnlFeed","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5LVCTIHPVlJ2y1n5V7RYtj","url":
"https://polygonscan.com/address/0xDd42AA3920C1d5b5FD95055d852135416369Bcc1","type":"smart_contract","addedAt":"2023-01-06T11:14:07.548Z","revision":0,"description":"GTokenLockedDepositNft","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6eUzCMzNo6uiyRH4vYatCN","url":"https://arbiscan.io/address/0x673cf5AB7b44Caac43C80dE5b99A37Ed5B3E4Cc6","type":"smart_contract","addedAt":"2023-01-06T11:14:28.486Z","revision":0,"description":"GTokenLockedDepositNft","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"40vBlJR1pkC8hrBXr29cGO","url":"https://polygonscan.com/address/0x209A9A01980377916851af2cA075C2b170452018","type":"smart_contract","addedAt":"2024-02-02T14:02:00.091Z","revision":0,"description":"GNSMultiCollatDiamond (and all its facets)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"4tRLyyDQSM8rh6m33Zs1A2","url":"https://arbiscan.io/address/0xFF162c694eAA571f685030649814282eA457f169","type":"smart_contract","addedAt":"2024-02-02T14:02:14.449Z","revision":0,"description":"GNSMultiCollatDiamond (and all its 
facets)","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"1moAR9Ss558hw8IMHpuibV","url":"https://polygonscan.com/address/0x8C74B2256fFb6705F14aDA8E86FBd654e0e2BECa","type":"smart_contract","addedAt":"2023-01-06T11:18:17.926Z","revision":0,"description":"GNSStakingV6_4_1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"WQtP6nzyfmUIrqICHdOxn","url":"https://arbiscan.io/address/0x7edDE7e5900633F698EaB0Dbc97DE640fC5dC015","type":"smart_contract","addedAt":"2023-01-06T11:18:42.474Z","revision":0,"description":"GNSStakingV6_4_1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"6xMNlE9moIJ8oK8zGjhHjy","url":"https://polygonscan.com/address/0xC7d91A130ad0521E212f04c2CFA2aDAf926df6AE","type":"smart_contract","addedAt":"2023-10-04T08:01:02.056Z","revision":0,"description":"GNSCompensationHandlerV6_4_1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"2KEehkMj6rN9CRWyCFpgJ6","url":"https://arbiscan.io/address/0x30d8C505516Ab7693e2DE491bdceB028d8ae7EbF","type":"smart_contract","addedAt":"2023-10-04T08:01:23.610Z","revision":0,"description":"GNSCompensationHandlerV6_4_1","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5mbGfJ8gcexnekdYKGLi3U","url":"https://polygonscan.com/address/0xd285f881886505b9ef6684e1aaa7949a56b0c7da","type":"smart_contract","addedAt":"2022-05-10T16:31:04.576Z","revision":0,"description":"GFarmTokenMigration","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3AkRO1MYnbm6bP3W1YI7Q2","url":"https://etherscan.io/address/0x1E887E7115321B4ee5d58DD446eC09e12B45d81B","type":"smart_contract","addedAt":"2022-05-10T16:31:05.514Z","revision":0,"description":"GFarm","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3MC0xqRu8S9UaeZ2Dpx5i9","url":"https://etherscan.io/address/0x14e2f9B0381Af4227D26BEE7d8E4D424466A7F3F","type":"smart_contract","addedAt":"2022-05-10T16:31:06.579Z","revision":0,"description":"GFarmNftSwap","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"LmrleMwbDFcfbU5svwmzP","url":"https://gains.trade/","typ
e":"websites_and_applications","addedAt":"2023-08-01T21:34:20.943Z","revision":0,"description":"Trade Web","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"3OeYp9Bh5JJhzP1zp9Sges","url":"https://gainsnetwork.io/","type":"websites_and_applications","addedAt":"2023-08-01T21:34:42.401Z","revision":0,"description":"Main Web/App","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98756","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true},{"id":"98751","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"All of the smart contracts of Gains Network can be found at [https://github.com/GainsNetwork](https://github.com/GainsNetwork) and [https://github.com/GainsNetwork/GNS-ethereum](https://github.com/GainsNetwork/GNS-ethereum). However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIn case of discrepancy between [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)I and Gains Network’s classification above, Gains Network classification will be followed. \n\nOur trading contracts use the diamond architecture. All facets of the diamond are considered in-scope for this bounty.\n\nMore generally, any active smart contract deployed by the Gains Network protocol containing or having the ability to impact significant Gains Network users funds (>$100k) is considered as in-scope. 
For example gDAI is listed above but we didn’t list every gToken (gETH, gUSDC, and any future gToken) for practical reasons.\n\nFor the same reasons, we also didn’t list every deprecated version of our previous NFTs (which can be redeemed for $GNS) to not clog up assets in scope, however if a vulnerability is found in these old contracts that can affect current Gains Network user funds, it will be considered in-scope.\n\nIn summary, if an impact can be caused to any other asset managed by Gains Network that isn’t on this table but for which the impact is in the Impacts in Scope section, you are encouraged to submit it for the consideration of the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-03-10T20:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/53Lo497dIPH3nrT78lr8qx/8009fbbcd62a15a011fa8c394e5c5c59/Gains_Network_logo.jpeg","maxBounty":200000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts__\n\n__Critical__\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Insolvency\n\n__High__\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds for at least 1 day\n\n__Medium__\n  - Miner-extractable value (MEV)\n  - Block stuffing for profit\n  - Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)\n  - Theft of gas\n  - Unbounded gas consumption \n\n__Low__\n  - Smart contract unable to operate due to lack of funds\n  - Smart contract fails to deliver promised returns, but doesn’t lose value\n\n__Websites and Applications__\n\n__Critical__\n  - Ability to execute system commands\n  - Extract Sensitive data/files from the server such as /etc/passwd\n  - Stealing User Cookies\n  - Taking Down the application/website\n  - Signing transactions for other users\n  - Redirection of user deposits and withdrawals\n  - Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)\n  - Wallet interaction modification resulting in financial loss\n  - Direct theft of user funds \n  - Tampering with transactions submitted to the user’s wallet\n  - Submitting malicious transactions to an already-connected wallet\n\n__High__\n  - Spoofing content on the target application (Persistent)\n  - Users Confidential information disclosure such as Email\n  - Subdomain Takeover without financial loss (applicable for subdomains with no addresses published)\n  - Privilege escalation to access unauthorized functionalities\n\n__Medium__\n  - Changing details of other users without direct financial impact (CSRF)\n  - Third-Party API keys leakage that demonstrates loss of funds or modification on the website.\n  - Redirecting users to malicious websites (Open 
Redirect)\n\n__Low__\n  - Framing sensitive pages leading to financial loss (ClickJacking)\n  - Any impact involving a publicly released CVE without a working PoC\n\nIn case of discrepancy between [Immunefi Vulnerability Severity Classification System V2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2/) and Gains Network’s classification above, Gains Network classification will be followed.","productType":["Bridge","DEX","Derivatives","Options","Perpetuals","Staking","Token"],"programOverview":"Gains Network is building the decentralized finance ecosystem of the future. Their first product, gTrade is a capital-efficient decentralized leveraged trading platform on Polygon and Arbitrum.\n\nFor more information about Gains Network, please visit [https://gains.trade/](https://gains.trade/).  \n\nThis bug bounty program is focused on their smart contracts, website and app and is focused on preventing:\n\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of user funds, other than unclaimed yield\n  - Insolvency\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield","programType":["Smart Contract","Websites and Applications"],"project":"Gains Network","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 4-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. 
Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 50 000.\n\nVulnerabilities concerning temporary freezing of funds, where the impact affects more than one user, the reward increases at a multiplier of 1.5 from the Medium Reward category for every additional 24h that the funds are temporarily frozen, up until a max cap of the High Reward category. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature. \n\nPayouts are handled by the __Gains Network__ team directly and are denominated in USD. However, payouts are done in __GNS and DAI__, with the choice of the ratio at the discretion of the team.\n\n__Primacy of Impact vs Primacy of Rules__\n\nGains Network adheres to the Primacy of Impact for the following impacts:\n\nSmart Contract - Critical\nSmart Contract - High\nSmart Contract - Medium\nWebsites and Applications - Critical\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\nLearn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of 
Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact?utm_source=immunefi).","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ETH","slug":"gainsnetwork","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:04:20.356Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_2","description":"Gains Network is building the decentralized finance ecosystem of the future. Their first product, gTrade is a capital-efficient decentralized leveraged trading platform on Polygon and Arbitrum.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":1995,"type":"smart_contract","severity":"low","title":"Smart contract unable to operate due to lack of funds"},{"id":1996,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":1997,"type":"smart_contract","severity":"low","title":"Block stuffing for profit"},{"id":1998,"type":"smart_contract","severity":"low","title":"Theft of Gas"},{"id":1999,"type":"smart_contract","severity":"low","title":"Unbounded gas consumption"},{"id":2000,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction & with significant user interaction, such as: framing leading to modifying the backend/browser state(must demonstrate impact with PoC)"},{"id":2001,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as: Social media handles, etc."},{"id":2002,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as: Locking up the victim from login, Cookie bombing, etc."},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed 
yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":2003,"type":"websites_and_applications","severity":"high","title":"Spoofing content on the target application (Persistent)"},{"id":2004,"type":"websites_and_applications","severity":"high","title":"Users Confidential information disclosure such as Email"},{"id":2005,"type":"websites_and_applications","severity":"high","title":"Subdomain Takeover without financial loss (applicable for subdomains with no addresses published)"},{"id":2006,"type":"websites_and_applications","severity":"high","title":"Privilege escalation to access unauthorized functionalities"},{"id":2007,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":2008,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds, including unclaimed yield"},{"id":2009,"type":"websites_and_applications","severity":"medium","title":"Changing details of other users without direct financial impact (CSRF)"},{"id":2010,"type":"websites_and_applications","severity":"medium","title":"Third-Party API keys leakage that demonstrates loss of funds or modification on the website"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":2011,"type":"smart_contract","severity":"critical","title":"Insolvency"},{"id":2012,"type":"smart_contract","severity":"critical","title":"Permanent freezing of user funds, other than unclaimed yield"},{"id":2013,"type":"websites_and_applications","severity":"critical","title":"Ability to execute system 
commands"},{"id":2014,"type":"websites_and_applications","severity":"critical","title":"Extract Sensitive data/files from the server such as /etc/passwd"},{"id":2015,"type":"websites_and_applications","severity":"critical","title":"Stealing User Cookies"},{"id":2016,"type":"websites_and_applications","severity":"critical","title":"Signing transactions for other users"},{"id":2017,"type":"websites_and_applications","severity":"critical","title":"Redirection of user deposits and withdrawals"},{"id":2018,"type":"websites_and_applications","severity":"critical","title":"Wallet interaction modification resulting in financial loss"},{"id":2019,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":2020,"type":"websites_and_applications","severity":"critical","title":"Tampering with transactions submitted to the user’s wallet"},{"id":2021,"type":"websites_and_applications","severity":"critical","title":"Submitting malicious transactions to an already-connected 
wallet"}],"rewards":[{"id":10072,"severity":"critical","assetType":"smart_contract","maxReward":200000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":10073,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":10000,"rewardModel":"range"},{"id":10074,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":10075,"severity":"low","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":10076,"severity":"critical","assetType":"websites_and_applications","fixedReward":40000,"rewardModel":"fixed"},{"id":10077,"severity":"high","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":10078,"severity":"medium","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":10079,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1ZeaEnNgHHcDJXCdVGOq3u","url":"https://basescan.org/address/0x6e5430C10fce10e5c6F67dC54506e4564dD7A6E5","type":"smart_contract","addedAt":"2025-08-13T12:40:39.120Z","revision":0,"description":"TransferBlacklistHook","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"40spSzCYEZ1rMR5UNwzCqK","url":"https://basescan.org/address/0x69dd4d44eed6bbc33b8a0bdfe17897ab9044372e","type":"smart_contract","addedAt":"2025-08-13T12:40:39.120Z","revision":0,"description":"PriceAndFeeCalculator","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"5PQ9OuE6kp7FwhTtOgBHuQ","url":"https://basescan.org/address/0x000000000001CdB57E58Fa75Fe420a0f4D6640D5","type":"smart_contract","addedAt":"2025-08-13T12:40:39.115Z","revision":0,"description":"MultiDepositervault","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"79QAeyHHlvkrMpsQPgf3eN","url":"https://basescan.org/address/0x18cf8d963e1a727f9bbf3aeffa0bd04fb4dbda07","type":"smart_contract","addedAt":"2025-08-13T12:40:39.141Z","revision":0,"description":"Provisione
r","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"OYIZCqUJKxxGRrxG6bjg3","url":"https://basescan.org/address/0xdDfd960a7150520548dD1F6E53CC2f201b364692","type":"smart_contract","addedAt":"2025-08-13T12:40:39.128Z","revision":0,"description":"Whitelist","isSafeHarbor":false,"isPrimacyOfImpact":false},{"id":"98739","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2026-02-06T15:58:36.804Z","revision":0,"description":"Primacy of Impact","isSafeHarbor":false,"isPrimacyOfImpact":true}],"assetsBodyV2":"Other helpful links include:\n- [https://uploads-ssl.webflow.com/62cd150e5e9efc960319c44d/6346c4525380f8fa6435c2b5_Aera_Whitepaper.pdf](https://uploads-ssl.webflow.com/62cd150e5e9efc960319c44d/6346c4525380f8fa6435c2b5_Aera_Whitepaper.pdf)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Arbitrum","Base","Polygon","Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-11-20T12:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/68079-n9d0rNJbDR1UhZrk5PB-8-drmxDRKWuwD1uXuimpkrn5Bgau0swQ.png","maxBounty":500000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Perpetuals","Lending","Restaking"],"programOverview":"Aera is a treasury management protocol that aims to address existing shortcomings with controlling treasury funds.\n\nFor more information about Aera, please visit [https://www.aera.finance/.](https://www.aera.finance/)  \n\nAera provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n- Government-Issued ID or Corporate Charter Docs; EIN/TIN/ITIN or W9 (or equivalent); \n- Proof of current address\n\nKYC information is only required on confirmation of the validity of a bug report.\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nAera adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n\n__Invoicing Information__\n\nIf needed by the security researcher, Aera is able to provide the necessary information for the proper issuance of an invoice. This includes:\n- Legal Entity \n- Registered Address\n- Email where to send the invoice","programType":["Smart Contract"],"project":"Aera","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope. The final classification however takes into consideration the likelihood of the impact being achieved based on the table. 
When submitting a bug report, select the original assigned impact level, but please be aware that its severity level may be reassigned based on the likelihood according to this table.\n\n\n| | Low Impact | Medium Impact | High Impact |\n|--------|--------|--------|--------|\n| High Probability | MEDIUM | HIGH | CRITICAL |\n| Medium Probability  | LOW | MEDIUM | HIGH |\n| Low Probability  | LOW | LOW | MEDIUM |\n\nIn addition to Immunefi’s Vulnerability Severity Classification System, Gauntlet classifies vulnerabilities using the Common Vulnerability Scoring System (CVSS). In case of discrepancy, final determination is done by Gauntlet.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack is considered if the smart contracts where the vulnerability exists can be upgraded, paused, or killed. If the attack impacts a smart contract directly holding funds that cannot be upgraded or paused, the amount of funds at risk will be calculated with the first attack being at 100% of the funds that could be stolen and then a reduction of 25% from the amount of the first attack for every 300 blocks the attack needs for subsequent attacks from the first attack, rounded down. 
For avoidance of doubt, if a second attack would happen at 600 blocks and then a third at 900 blocks, the funds at risk would be counted at 50% and 75% of the reward from the first attack, respectively.\n\n__Out of Scope__\n\nIn addition to previously discovered bugs acknowledged in published audits or bug bounty competitions linked here, the following are out of scope:\n- Risks of MEV in executed or submitted transactions\n- Risks associated with an untrusted guardian, accountant or solver\n- Risks associated with faulty oracles or third-party ERC20/ERC4626 asset implementations\n- Risks associated with use of `execute` by treasury\n- Risks associated with unsanctioned collusion of different roles (e.g., guardian and owner of asset registry)","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"aera","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:03:00.431Z","impactsBody":null,"websiteUrl":"https://www.aera.finance/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_employee","no_official_contributor","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Scalable strategies onchain require best-in-class infrastructure to realize edge. Aera provides a platform from which a variety of strategies can be built.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice recommendations","customProhibitedActivities":[],"impacts":[{"id":4276,"type":"smart_contract","severity":"critical","title":"Theft of unclaimed yield"},{"id":4277,"type":"smart_contract","severity":"critical","title":"Permanent freezing of unclaimed yield"},{"id":5683,"type":"smart_contract","severity":"medium","title":"Temporary freezing of yield for less than 1 week"},{"id":5684,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for less then 1 week"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"}],"rewards":[{"id":34323,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":34324,"severity":"high","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":34325,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"}],"audits":[{"id":"6msYQ3akGPMo62rj92tMst","url":"https://cantina.xyz/portfolio/e41f79e5-5fc4-47dd-829d-725e08fe642c","auditor":"Cantina 
Competition","date":"2025-06-25T00:00:00.000Z"},{"id":"1tCCt3BAUGKQwmsdnbkTq9","url":"https://github.com/aera-finance/aera-contracts-public/blob/main/v2/audits/spearbit/2023-09-22.pdf","auditor":"Spearbit","date":"2023-09-22T00:00:00.000Z"},{"id":"6MBNQpcq3ef99pfSKed7bE","url":"https://cantina.xyz/portfolio/0dd974f2-aed8-4a06-a50e-881286e5d4bd","auditor":"Spearbit","date":"2025-05-07T00:00:00.000Z"}]},{"assets":[{"id":"HTBrOXBH22lTQzSW7qJ2X","url":"https://basescan.org/address/0xf97492a5B53eeF9AA10295dDAe6D6A58c7988D21","type":"smart_contract","addedAt":"2025-10-06T09:55:11.665Z","revision":0,"description":"AccessControl (Implementation)","isPrimacyOfImpact":false},{"id":"67pwxJHN4dLdOsr3yCmFH3","url":"https://basescan.org/address/0xe64Fab0952125a5A9968AD41D8a202014869a8cc","type":"smart_contract","addedAt":"2025-10-06T09:55:11.672Z","revision":0,"description":"LinkRewards (Implementation)","isPrimacyOfImpact":false},{"id":"2FkljzNNoleh33MX3TYhlr","url":"https://basescan.org/address/0xbA8d6AC691D0946d03e5A4c93bA9e711E82F4D27","type":"smart_contract","addedAt":"2025-10-06T09:55:11.676Z","revision":0,"description":"LinkStaking (Implementation)","isPrimacyOfImpact":false},{"id":"6xQF75znQfAn4GJJJcd4eE","url":"https://basescan.org/address/0xA77168C879f7EBaA8CA3C981e389D4578b12C9d8","type":"smart_contract","addedAt":"2025-10-06T09:55:11.870Z","revision":0,"description":"ICNLink (Implementation)","isPrimacyOfImpact":false},{"id":"3zTrZMVvHtpu99sUNwnZev","url":"https://basescan.org/address/0xa3A5C7a4aF29F5bA0d8D77EB6B6b2f25536fBc34","type":"smart_contract","addedAt":"2025-10-06T09:55:11.863Z","revision":0,"description":"EraManager (Implementation)","isPrimacyOfImpact":false},{"id":"44RsyrAvk6ZW3xa52TZ7g5","url":"https://basescan.org/address/0x9Ed9A87e3237cE29fB1aCd30649dA9d2847987c3","type":"smart_contract","addedAt":"2025-10-06T09:55:13.478Z","revision":0,"description":"ExternalContractManager 
(Implementation)","isPrimacyOfImpact":false},{"id":"40Gq5rtvUS7FcErUXQWhsu","url":"https://basescan.org/address/0x9232ede9e52E75af165E73E7a9d8cd740CEeE6a0","type":"smart_contract","addedAt":"2025-10-06T09:55:13.562Z","revision":0,"description":"ICNRegistryGetters (Implementation)","isPrimacyOfImpact":false},{"id":"3gxMsruyvQcxNh8hEBXWGl","url":"https://basescan.org/address/0x86fED0FEA3C25D11430C242623CF439AbC3B8Bba","type":"smart_contract","addedAt":"2025-10-06T09:55:13.695Z","revision":0,"description":"ICNRegistry (Implementation)","isPrimacyOfImpact":false},{"id":"468wPjdatF796nueuOBFEy","url":"https://basescan.org/address/0x6EC92B42a53F07b4C061F597CF6B3776B4542093","type":"smart_contract","addedAt":"2025-10-06T09:55:13.594Z","revision":0,"description":"HPRewards (Implementation)","isPrimacyOfImpact":false},{"id":"1XSi2hTAVFnoSipi5zzxhW","url":"https://basescan.org/address/0x5c86CC0b585295151966EC8fc2b590FB1dC737f7","type":"smart_contract","addedAt":"2025-10-06T09:55:13.649Z","revision":0,"description":"ReservePool (Implementation)","isPrimacyOfImpact":false},{"id":"WL3UyHBhJ9yBAumsla9b9","url":"https://basescan.org/address/0x31fb85fD348F2F14AB70E7e41e7C3Df30A8C417d","type":"smart_contract","addedAt":"2025-10-06T09:55:13.748Z","revision":0,"description":"Treasury (Implementation)","isPrimacyOfImpact":false},{"id":"3T7KEPEO0X5ITKDHSVIhgY","url":"https://basescan.org/address/0x2e38083d45A72bC12019C54DCC40109d088f7EB5","type":"smart_contract","addedAt":"2025-10-06T09:55:13.759Z","revision":0,"description":"BookingManager (Implementation)","isPrimacyOfImpact":false},{"id":"2VlRQicWEm7KBDuNl4NwDg","url":"https://basescan.org/address/0x2f9D478da5DC5304d3C8b3094c70411828C671EB","type":"smart_contract","addedAt":"2025-08-11T16:14:23.186Z","revision":0,"description":"Slashing 
(Implementation)","isPrimacyOfImpact":false},{"id":"36G74oKCqMa28l0IIITt6X","url":"https://basescan.org/address/0x5AcBfF1f97CB82E69910a825d7d724880C62Eec8","type":"smart_contract","addedAt":"2025-08-11T16:10:47.628Z","revision":0,"description":"ReservePool (Proxy)","isPrimacyOfImpact":false},{"id":"3GcoWQBq3sbkxi8Uf8nMKV","url":"https://etherscan.io/token/0xe5e0b73380181273abCfD88695F52C4D0C825661","type":"smart_contract","addedAt":"2025-08-11T16:09:47.244Z","revision":0,"description":"ICNToken","isPrimacyOfImpact":false},{"id":"4w0irO9FkV8Wt5ODkDgv0V","url":"https://basescan.org/address/0x9131f272d9eAA4BeC30eb4254C78B50Df7bc8791","type":"smart_contract","addedAt":"2025-08-11T16:10:28.532Z","revision":0,"description":"ICNProtocol (Proxy)","isPrimacyOfImpact":false},{"id":"4zL90tHolFkFxphD9A7TIF","url":"https://basescan.org/token/0xDa24c1F7669bf9b12EAfE5A3967BC9358eE48A12","type":"smart_contract","addedAt":"2025-08-11T16:14:39.721Z","revision":0,"description":"ICNLink (Proxy)","isPrimacyOfImpact":false},{"id":"6UJswS0bqym1c3TqEk77QQ","url":"https://basescan.org/address/0xFb2d8aDac4f3D5e7A834C28F6376E439c0171C31","type":"smart_contract","addedAt":"2025-08-11T16:11:09.870Z","revision":0,"description":"Treasury (Proxy)","isPrimacyOfImpact":false},{"id":"744kq8YEbdbj7hl4UJEkKq","url":"https://basescan.org/token/0xE0Cd4cAcDdcBF4f36e845407CE53E87717b6601d","type":"smart_contract","addedAt":"2025-08-11T16:10:11.619Z","revision":0,"description":"ICNToken","isPrimacyOfImpact":false},{"id":"98691","url":"https://basescan.org/address/0xB81ea0EeceaF09166b559eeaCFA20F9379cB2372","type":"smart_contract","addedAt":"2026-02-02T07:39:44.303Z","revision":0,"description":"HPDelegationICNT (Implementation)","isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":["Managed 
Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-09-09T09:35:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2fNcM2b76UqW8raeG7M9CB/555e39a32a36ac34d77775c2b572d068/deLN0OMT_400x400_Small.png","maxBounty":25000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":[],"programOverview":"Impossible Cloud Network (ICN) is developing the foundational layer for the next-gen internet. Challenging the dominance of centralized tech giants, ICN introduces a fully open, multi-service, permissionless and composable cloud infrastructure that integrates storage, compute, and networking at scale. Our enterprise-grade, decentralized architecture ensures high performance, security, and censorship resistance – making web3 as seamless as web2. With real-world adoption and a pragmatic approach to decentralization, ICN is positioned to become the foundation of a future internet, powering the next generation of cloud services, AI agents, enterprise software, and digital ecosystems.\n\nUnlimited Scale: AI and cloud demand cannot be met. Traditional cloud is hitting scalability limits, preventing dynamic expansion and restricting new entrants. The internet needs infrastructure that can adapt to an evolving digital era.\n\nUnrestricted Cloud: Most of the internet is controlled by a handful of large players, limiting opportunities for individuals and businesses to participate in AI and cloud growth. Web3 offers greater trustlessness, data authenticity, and accessibility with ICNs performance and efficiency.\n\nNetworks without demand: Many Web3 companies are bootstrapping networks without a viable path to profitability. 
ICN introduces a decentralized, market-driven approach that enables sustainable growth and economic opportunity with a network that dynamically shifts with the ecosystem.\nICN decentralizes cloud infrastructure by bringing together a global network of Hardware Providers (HPs) and Builders in a transparent and open ecosystem with a deeply enabled crypto-native core. This model allows protocols and businesses to access top-tier computing power and storage capacity without the limitations of traditional cloud services—ensuring scalable, secure, and performant solutions while maintaining composability and trust optionality for a truly modular network layer.\n\n\nFor more information about Impossible Cloud Network, please visit https://www.icn.global/\n\nImpossible Cloud Network provides rewards in USDC on Base, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\nThe assessment of the extent of any potential indirect economic damage, defined as damage other than that evidenced by a PoC that showcases the direct exploitation of the vulnerability leading to impact, is at the full discretion of the project.","programType":["Smart Contract"],"project":"Impossible Cloud Network","projectType":[],"rewardsBody":"__Rewards by Threat Level__\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. \nReward Calculation for Critical Level Reports\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 25 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. \nThe amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every 1h the attack needs for subsequent attacks from the first attack, rounded down\nReward Calculation for High Level Reports\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 3 000 to USD 5 000 with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward.\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. \n\n__Primacy of Impact vs Primacy of Rules__\n\nImpossible Cloud Network adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.\n\n\nIntended functionality:\n\n- Temporary freezing of funds: The ICN Protocol has implemented a pause feature which stops funds from being able to transit through the protocol. Meaning ICNT cannot be deposited or withdrawn until unpaused. This is used only in critical scenarios of catastrophic bugs that may jeopardize user funds or protocol economies to minimize damage and give time for the team to issue fixes.\n\n- Smart contract unable to operate due to lack of token funds: Protocol rewards are funded by a smart contract that rewards activity via a reward fund. As the reward fund depletes, the ICN protocol will be topped up to maintain healthy operation. While there is no protocol rule to prevent the reward fund from depleting completely, ICN is regularly maintaining checks and periodically returns the fund to healthy levels.\n\n- Scenarios that involve unsupported states or rely on assumptions (such as transferring an NFT while staked, etc) are not considered valid and will be rejected. \n\nKnown issues:\n\n- ScalerNode can be removed before its utilized capacity is reset: Users can create bookings for resources on ScalerNodes. The BookingManager is responsible for updating the utilized capacity trackers for the region, cluster and hardware provider for the node that's being booked/re-booked. As a booking expires the updates to these trackers are not updated immediately, instead a call to expireCapacity() needs to be made which will perform the desired operations. Currently a node can be removed by a call to removeScalerNode() on ICNRegistry which does not check whether the capacity for the node is still marked as utilized. 
After removing the node it will be impossible to revert the utilized capacity updates that were made in creating the last booking for the removed node. As a result various computations around protocol rewards will be inaccurate since they'll operate with inaccurate utilized capacity numbers.\n\n- Users are not guarded against price increase in the extendBooking path: Users are guarded against unexpected price increases in the bookCapacity function by specifying a maxBookingPrice. But this guard is not present in the extendBooking function where a similar issue can occur.\n\n- Link token ids must be smaller than the max uint32 value: The modules supporting link staking and reward claiming assume that link token ids have a value lower than the max uint32 value. Currently the ICN link contract supports minting tokens that do not satisfy this constraint, as a result governance might accidentally mint tokens that are incompatible with the modules.\n\n\n__Reward Payment Terms__\n\nPayouts are handled by the Impossible Cloud Network team directly and are denominated in USD. However, payments are done in USDC on Base.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"impossible-cloud-network","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T22:03:39.382Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Impossible Cloud Network (ICN) is developing the foundational layer for the next-gen internet.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"}],"rewards":[{"id":35205,"severity":"critical","assetType":"smart_contract","maxReward":25000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":35206,"severity":"high","assetType":"smart_contract","maxReward":5000,"minReward":3000,"rewardModel":"range"},{"id":35207,"severity":"medium","assetType":"smart_contract","fixedReward":1500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1gIGZr1iB6BscTqJXpd1eF","url":"https://github.com/OpenZeppelin/stellar-contracts/releases","type":"smart_contract","addedAt":"2026-01-29T06:34:50.151Z","revision":0,"description":"OpenZeppelin Stellar Contracts Library (the current latest release is v0.6.0, only the content inside the packages folder is in 
scope)","isPrimacyOfImpact":false}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":[],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":[],"launchDate":"2025-05-08T02:51:06.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5dlUG1E6sheSJXTj8T3pbh/810c198bb74efdb222d701da00d91957/oz.png","maxBounty":25000,"outOfScopeAndRules":null,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"deprecated","productType":[],"programOverview":"As the premier crypto cybersecurity technology and services company, we’ve built OpenZeppelin Contracts with our best security practices. We are committed to ensuring the utmost security in our community-vetted smart contracts, and our bounty program provides rewards of up to $25,000 USD for reporting critical vulnerabilities in our smart contracts library. \n\nThis bug bounty program is focused on OpenZeppelin Stellar Contracts and mainly intends to prevent:\n- Loss of funds by freezing another user’s funds, or theft of another user’s funds\n- Permanent denial of service (smart contract is made unable to operate)\n- Access control bypass, including privilege escalation\n- Smart contract not behaving as intended\n\nFor more information about OpenZeppelin on Stellar, please visit https://docs.openzeppelin.com/stellar-contracts/0.1.0/.\n\nOpenZeppelin on Stellar provides rewards in XLM on Stellar, denominated in USD.\n\nFor more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Previous Audits__\nOpenZeppelin on Stellar’s completed audit reports can be found at https://github.com/OpenZeppelin/stellar-contracts/tree/main/audits. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__KYC Requirement__\n\nOpenZeppelin’s bug bounty program requires an invoice to be submitted and a KYC screen to be performed prior to OpenZeppelin providing a bug bounty reward. Once a payout is confirmed, a member of OpenZeppelin will reach out to you directly to collect the necessary information, including:\n- Full Legal Name\n- Email Address\n- Mailing Address\n- Wallet Address (Stellar Only)\n\n__Proof of Concept (PoC) Requirements__\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\nA PoC compliant with Immunefi PoC Guidelines and Rules is required for the following severity levels:\n- Smart Contract: Critical\n- Smart Contract: High\n\nBugs introduced by a release candidate version and reported during the review period, the dates for which will be declared by OpenZeppelin on each release, will receive a 50% bonus.","programType":["Smart Contract"],"project":"OpenZeppelin on Stellar","projectType":[],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nThe rewards stated here are additive to any existing bug bounty programs hosted by projects that are currently using OpenZeppelin on Stellar contracts.\n\nBounty rewards are given according to an [impact/likelihood matrix for assessing threat levels. 
](https://raw.githubusercontent.com/OpenZeppelin/immunefi-assets/main/impact-likelihood-matrix.png?utm_source=immunefi)Each issue is assessed considering the likelihood of the vulnerability being successfully exploited and the expected impact in scope to a single instance of the affected smart contract. Note that, as can be seen in the matrix, if the impact is Critical then the threat is always Critical, for other impacts the maximum reduction is one level only if the likelihood is low, and if the likelihood is high then the threat is increased one level above the impact.\n\n__Critical Reward Calculation__\nMainnet assets:\n- Reward amount is 10% of the funds directly affected up to a maximum of: $25,000\n- Minimum reward to discourage security researchers from withholding a bug report: $5,000\n\n__Reward Payment Terms__\n\n- Total maximum payout for this bug bounty contest is $250,000.\n- Maximum single bounty payout is capped at $25,000.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"XLM","slug":"openzeppelin-stellar","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T21:59:40.706Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_1","description":"As the premier crypto cybersecurity technology and services company, we’ve built OpenZeppelin Contracts with our best [security practices](https://contracts.openzeppelin.com/security?utm_source=immunefi). We are committed to ensuring the utmost security in our community-vetted smart contracts, and our bounty program provides rewards of up to $25,000 USD for reporting critical vulnerabilities in our smart contracts library.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":5520,"type":"smart_contract","severity":"critical","title":"Access control is bypassed, including privilege escalation"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":5521,"type":"smart_contract","severity":"high","title":"Governance voting result manipulation"},{"id":5522,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds"},{"id":5523,"type":"smart_contract","severity":"high","title":"Permanent denial of service (smart contract is made unable to operate)"},{"id":5524,"type":"smart_contract","severity":"low","title":"Temporary denial of service (smart contract is 
made unable to operate for one block, functionality is restored in the next block)"},{"id":5525,"type":"smart_contract","severity":"low","title":"Invalid events are emitted, potentially confusing indexers (internal storage is unaffected)"}],"rewards":[{"id":29678,"severity":"critical","assetType":"smart_contract","maxReward":25000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":29679,"severity":"high","assetType":"smart_contract","maxReward":5000,"minReward":2500,"rewardModel":"range"},{"id":29680,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":29681,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"6pUQudEgQoSImO3PHil1lR","url":"https://github.com/OpenZeppelin/stellar-contracts/tree/main/audits","auditor":"All Audits","date":"2025-05-09T00:00:00.000Z"}]},{"assets":[{"id":"4MXQh5kgglYNyamdaQLgn2","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistV3.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AlchemistV3","isPrimacyOfImpact":null},{"id":"2Lp190XTfNlG9svuwqwP5O","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/Transmuter.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"Transmuter","isPrimacyOfImpact":null},{"id":"6MyVSGXc1paDEAcyXV4wqS","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistV3Position.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AlchemistV3Position","isPrimacyOfImpact":null},{"id":"1C9GzVy2FToz0FlWCUnCVQ","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistTokenVault.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AlchemistTokenVault","isPrimacyOfImpact":null},{"id":"6kvJRe4Gfjzq4YVA8U0RVw","url":"https://github.com/
alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistETHVault.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AlchemistETHVault","isPrimacyOfImpact":null},{"id":"7gQPNpoH95vI2kY5cx17gW","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/MYTStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"MYTStrategy","isPrimacyOfImpact":null},{"id":"4HPILKNh3sf3pet5MgiZtL","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistAllocator.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AlchemistAllocator","isPrimacyOfImpact":null},{"id":"1rSjlW3ir85e644UbyBTi8","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistCurator.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AlchemistCurator","isPrimacyOfImpact":null},{"id":"6jupTpfVJtodJZRF8YrejB","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistStrategyClassifier.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AlchemistStrategyClassifier","isPrimacyOfImpact":null},{"id":"1fzoYjmqtItF4mcKyOAvFl","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/EulerUSDCStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"EulerUSDCStrategy","isPrimacyOfImpact":null},{"id":"5jgcqIjVkx0eu2Hv3GtovR","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/EulerWETHStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"EulerWETHStrategy","isPrimacyOfImpact":null},{"id":"17uuTJIKqwqJa1CQvH7lcR","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/MorphoYearnOGWETH.sol","type":"smart_contract","added
At":"2025-10-14T15:00:00.000Z","revision":1,"description":"MorphoYearnOGWETH","isPrimacyOfImpact":null},{"id":"3ji4eGDCaM1gI0RtpjpZ4A","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/PeapodsETH.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"PeapodsETH","isPrimacyOfImpact":null},{"id":"4XbF0oMGITvFkLXPLlLSRT","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/PeapodsUSDC.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"PeapodsUSDC","isPrimacyOfImpact":null},{"id":"5uRMsxFzsfBRaBDhKEf7e0","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/TokeAutoEth.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"TokeAutoEth","isPrimacyOfImpact":null},{"id":"6msPACSwG0KGaHprGVl3GX","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/TokeAutoUSDStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"TokeAutoUSDStrategy","isPrimacyOfImpact":null},{"id":"5EulJsFgiNIhjoiiqC339J","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/arbitrum/AaveV3ARBUSDCStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AaveV3ARBUSDCStrategy","isPrimacyOfImpact":null},{"id":"3NNbTzJTgWQphXOXdlrgPa","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/arbitrum/AaveV3ARBWETHStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AaveV3ARBWETHStrategy","isPrimacyOfImpact":null},{"id":"5G6ZFCzQ4KXXswLKA77PvC","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/arbitrum/EulerARBUSDCStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"
description":"EulerARBUSDCStrategy","isPrimacyOfImpact":null},{"id":"2qqBLhPHyl1YXKxh5XaH4y","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/arbitrum/EulerARBWETHStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"EulerARBWETHStrategy","isPrimacyOfImpact":null},{"id":"7piA9cjyR4cjKRULv6S5j1","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/arbitrum/FluidARBUSDCStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"FluidARBUSDCStrategy","isPrimacyOfImpact":null},{"id":"2GaVElYsE36Z7dcvzDG3R2","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/optimism/AaveV3OPUSDCStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"AaveV3OPUSDCStrategy","isPrimacyOfImpact":null},{"id":"a1S0wwqoXkgoFM2oLE7eM","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/optimism/MoonwellUSDCStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"MoonwellUSDCStrategy","isPrimacyOfImpact":null},{"id":"4EzimyZ52Snf9T1YCIJ613","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/optimism/MoonwellWETHStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"MoonwellWETHStrategy","isPrimacyOfImpact":null},{"id":"36kcyncNcPUQVN26xVPlDx","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/optimism/StargateEthPoolStrategy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"StargateEthPoolStrategy","isPrimacyOfImpact":null},{"id":"yAV86ytObdFqoZohODw1h","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/utils/PermissionedProxy.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":
1,"description":"PermissionedProxy","isPrimacyOfImpact":null},{"id":"6Qe1UHNae68pbq5jZtdQ2Y","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/utils/Whitelist.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"Whitelist","isPrimacyOfImpact":null},{"id":"37Vqb5nMNcg1msDxmQ1D1F","url":"https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/utils/ZeroXSwapVerifier.sol","type":"smart_contract","addedAt":"2025-10-14T15:00:00.000Z","revision":1,"description":"ZeroXSwapVerifier","isPrimacyOfImpact":null}],"assetsBodyV2":"**Insight Reporting**\n\nInsight reports may be reported to this program and require a PoC. Insights are rewarded according to [Immunefi’s Standardized Competition Reward Terms.](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms)\n\n**Dispute Resolution**\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.\n\n**Responsible Publication Policy**\n\n- Immunefi will publish bug reports, earnings, and a leaderboard for this Audit Competition.\n- Security Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in an audit review of the code in scope (Such auditors may still participate in this program only if they receive project permission)","boostedIntroEvaluating":"### Thank You to All Participating Security Researchers!\n\nThe audit competition has now concluded and is 
currently in the evaluation phase. During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the platform for all users.","boostedIntroLive":"### **$100,000 USD** in rewards is available for finding bugs on Alchemix’s V3 contracts. \n\nFor more information about the project, please visit about [Alchemix](https://alchemix.fi/)\n\n- KYC is not required.\n\n- Flat Reward Pool\n\n**Proof of Concept (PoC) Requirements**\n\n- A **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- Any technical questions and support requests can be asked directly to Alchemix team or Immunefi in the [#alchemix-v3-audit-competition](https://discord.com/channels/787092485969150012/1425119521261490338) discord channel.","boostedIntroStartingIn":"### **$100,000 USD** in rewards is available for finding bugs on Alchemix’s V3 contracts. \n\nFor more information about the project, please visit about [Alchemix](https://alchemix.fi/)\n\nAny technical questions and support requests can be asked directly to Alchemix team or Immunefi in the [#alchemix-v3-audit-competition](https://discord.com/channels/787092485969150012/1425119521261490338) discord channel. \n\nWhen the Audit Competition ends, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Alchemix's technical walkthrough on our official [YouTube channel](https://www.youtube.com/@immunefi).\n\n**A runnable PoC is required**. 
For more information, please read [Immunefi Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules?utm_source=immunefi)\n\nInsight reports can be submitted. Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedLeaderboard":[{"high":6,"name":"farismaulana","aspRank":1,"critical":4,"earnings":9046,"insights":1,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":12446,"totalValidBugs":15,"aspPoolEarnings":0,"podiumPoolEarnings":3400},{"high":2,"name":"zeroK","aspRank":9,"critical":3,"earnings":2047,"insights":0,"mediumLow":0,"allStarTier":"ASSOCIATE (ACTIVE)","totalEarnings":8714,"totalValidBugs":5,"aspPoolEarnings":6667,"podiumPoolEarnings":0},{"high":3,"name":"niroh","aspRank":2,"critical":2,"earnings":4480,"insights":0,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":7780,"totalValidBugs":9,"aspPoolEarnings":0,"podiumPoolEarnings":3300},{"high":0,"name":"magtentic","aspRank":4,"critical":1,"earnings":3697,"insights":2,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":6997,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":3300},{"high":2,"name":"Paludo0x","aspRank":90,"critical":0,"earnings":81,"insights":1,"mediumLow":2,"allStarTier":"SENIOR (ACTIVE)","totalEarnings":6748,"totalValidBugs":4,"aspPoolEarnings":6667,"podiumPoolEarnings":0},{"high":1,"name":"shadowHunter","aspRank":83,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"ELITE 
(ACTIVE)","totalEarnings":6698,"totalValidBugs":1,"aspPoolEarnings":6667,"podiumPoolEarnings":0},{"high":1,"name":"gizzy","aspRank":3,"critical":2,"earnings":3632,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":3632,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"pirex","aspRank":5,"critical":1,"earnings":3557,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":3557,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"arturtoros","aspRank":6,"critical":1,"earnings":3556,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":3556,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"MahdiKarimi","aspRank":7,"critical":1,"earnings":3556,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":3556,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"silver_eth","aspRank":8,"critical":1,"earnings":2554,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":2554,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":6,"name":"OxPhantom","aspRank":10,"critical":0,"earnings":1868,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1868,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"kenzo","aspRank":11,"critical":0,"earnings":1832,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1832,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"XDZIBECX","aspRank":12,"critical":2,"earnings":1756,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":1756,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"fullstop","aspRank":14,"critical":1,"earnings":1556,"insights":1,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":1556,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"Tadev","aspRank":13,"critical":0,"earnings":15
37,"insights":0,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":1537,"totalValidBugs":8,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Icon0x","aspRank":17,"critical":1,"earnings":1537,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":1537,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"JoeMama","aspRank":15,"critical":2,"earnings":1533,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":1533,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"algizsec","aspRank":16,"critical":2,"earnings":1443,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":1443,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"pashap9990","aspRank":20,"critical":1,"earnings":1119,"insights":2,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":1119,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"ox9527","aspRank":18,"critical":0,"earnings":1096,"insights":0,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":1096,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"hashbug","aspRank":19,"critical":1,"earnings":1057,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":1057,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":4,"name":"godwinudo","aspRank":21,"critical":1,"earnings":909,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":909,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"T0nraq","aspRank":22,"critical":1,"earnings":902,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":902,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Brainiac5","aspRank":23,"critical":0,"earnings":899,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":899,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"al0x23","
aspRank":24,"critical":0,"earnings":889,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":889,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"dobrevaleri","aspRank":26,"critical":0,"earnings":887,"insights":2,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":887,"totalValidBugs":8,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"blacksaviour","aspRank":25,"critical":1,"earnings":864,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":864,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"terrah","aspRank":27,"critical":0,"earnings":729,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":729,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"PotEater","aspRank":39,"critical":0,"earnings":636,"insights":5,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":636,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"Outliers","aspRank":28,"critical":2,"earnings":611,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":611,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"aua_oo7","aspRank":29,"critical":1,"earnings":567,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":567,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"aman","aspRank":30,"critical":0,"earnings":437,"insights":0,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":437,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"teoslaf1","aspRank":31,"critical":1,"earnings":437,"insights":0,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":437,"totalValidBugs":8,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"MentemDeus28","aspRank":32,"critical":1,"earnings":435,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":435,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings
":0},{"high":0,"name":"blackdruiid","aspRank":33,"critical":1,"earnings":420,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":420,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"enoch","aspRank":35,"critical":1,"earnings":403,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":403,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Oxdeadmanwalking","aspRank":37,"critical":2,"earnings":384,"insights":1,"mediumLow":6,"allStarTier":"Non-ASP","totalEarnings":384,"totalValidBugs":10,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Razkky","aspRank":34,"critical":0,"earnings":360,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":360,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"oxrex","aspRank":40,"critical":0,"earnings":323,"insights":1,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":323,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"nem0thefinder","aspRank":38,"critical":0,"earnings":305,"insights":1,"mediumLow":6,"allStarTier":"Non-ASP","totalEarnings":305,"totalValidBugs":9,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Cryptor","aspRank":36,"critical":1,"earnings":291,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":291,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"manvi","aspRank":41,"critical":0,"earnings":255,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":255,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"algiz","aspRank":46,"critical":1,"earnings":211,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":211,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"SOPROBRO","aspRank":42,"critical":1,"earnings":195,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":195,"totalValidBugs":5,"aspPoo
lEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"OxPrince","aspRank":177,"critical":0,"earnings":194,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":194,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"joicygiore","aspRank":50,"critical":2,"earnings":175,"insights":1,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":175,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"damdam0249","aspRank":43,"critical":2,"earnings":171,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":171,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"a16","aspRank":44,"critical":1,"earnings":158,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":158,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"pindarev","aspRank":45,"critical":2,"earnings":156,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":156,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"luc1jan","aspRank":47,"critical":0,"earnings":147,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":147,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"flora","aspRank":48,"critical":0,"earnings":147,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":147,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"Smartkelvin","aspRank":49,"critical":0,"earnings":137,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":137,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"spongebob","aspRank":60,"critical":1,"earnings":135,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":135,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Cyborg","aspRank":51,"critical":0,"earnings":134,"insights":0,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":13
4,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"mohitisimmortal","aspRank":52,"critical":0,"earnings":130,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":130,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"sol_4th05","aspRank":93,"critical":0,"earnings":117,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":117,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Snuggle","aspRank":162,"critical":0,"earnings":116,"insights":2,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":116,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"wylis","aspRank":168,"critical":0,"earnings":116,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":116,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"chief_hunter888","aspRank":73,"critical":0,"earnings":116,"insights":2,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":116,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Anirruth","aspRank":107,"critical":1,"earnings":109,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":109,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Ambitious_DyDx","aspRank":53,"critical":0,"earnings":100,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":100,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"X0sauce","aspRank":54,"critical":0,"earnings":99,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":99,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"j3x","aspRank":55,"critical":0,"earnings":99,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":99,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Arkindyo","aspRank":56,"critical":0,"earnings":99,"insights":0,"mediumLow":1,"al
lStarTier":"Non-ASP","totalEarnings":99,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Davuka","aspRank":164,"critical":0,"earnings":97,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":97,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Bluedragon","aspRank":57,"critical":0,"earnings":96,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":96,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"hunter0xweb3","aspRank":80,"critical":0,"earnings":93,"insights":1,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":93,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"InAllHonesty","aspRank":58,"critical":0,"earnings":92,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":92,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Josh4324","aspRank":85,"critical":1,"earnings":87,"insights":1,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":87,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"Petrus","aspRank":59,"critical":1,"earnings":78,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":78,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"haidoka017","aspRank":179,"critical":0,"earnings":77,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":77,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"silencedogood","aspRank":61,"critical":0,"earnings":77,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":77,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"sus_bandicoot","aspRank":62,"critical":0,"earnings":77,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":77,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"SAAJ","aspRank":153,"critical":0,"earnings":58,"in
sights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":58,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Purpledragon","aspRank":176,"critical":0,"earnings":58,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":58,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"rbd3","aspRank":182,"critical":0,"earnings":58,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":58,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"randomnpc","aspRank":183,"critical":0,"earnings":58,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":58,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"yesofcourse","aspRank":63,"critical":1,"earnings":57,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":57,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"legion","aspRank":64,"critical":0,"earnings":57,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":57,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Orhuk1","aspRank":65,"critical":0,"earnings":54,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":54,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"pxng0lin","aspRank":66,"critical":0,"earnings":54,"insights":0,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":54,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Codexstar","aspRank":67,"critical":0,"earnings":47,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":47,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Jugger63","aspRank":68,"critical":0,"earnings":46,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":46,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"winnerz","aspRank":69,"critical":0,"ear
nings":41,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":41,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Oxvictorsr","aspRank":70,"critical":0,"earnings":40,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":40,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"jayx","aspRank":71,"critical":1,"earnings":39,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":39,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"kodyvim","aspRank":178,"critical":0,"earnings":39,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":39,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"tygra","aspRank":180,"critical":0,"earnings":39,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":39,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"lirezarazavi","aspRank":181,"critical":0,"earnings":39,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":39,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Django","aspRank":72,"critical":0,"earnings":38,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":38,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Impala53732","aspRank":74,"critical":0,"earnings":38,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":38,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"InquisitorScythe","aspRank":75,"critical":0,"earnings":38,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":38,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Tarnishedx0","aspRank":76,"critical":0,"earnings":38,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":38,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"IronsideSec","asp
Rank":77,"critical":0,"earnings":37,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":37,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"kaysoft","aspRank":78,"critical":0,"earnings":37,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":37,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"dldLambda","aspRank":79,"critical":0,"earnings":36,"insights":0,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":36,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ByteKnight","aspRank":81,"critical":0,"earnings":32,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":32,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"ayden","aspRank":82,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"humaira45","aspRank":84,"critical":1,"earnings":30,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":30,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"dray","aspRank":86,"critical":1,"earnings":29,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":29,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Ratt13snak3","aspRank":87,"critical":0,"earnings":27,"insights":0,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":27,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"dizaye","aspRank":88,"critical":0,"earnings":26,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":26,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"fawarano","aspRank":89,"critical":0,"earnings":25,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":25,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Idealz"
,"aspRank":91,"critical":0,"earnings":21,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":21,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"griffin","aspRank":92,"critical":0,"earnings":20,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":20,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"unique","aspRank":94,"critical":0,"earnings":20,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":20,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"emmac002","aspRank":95,"critical":0,"earnings":17,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":17,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"x0xmechanic","aspRank":96,"critical":0,"earnings":17,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":17,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"failsafe_intern","aspRank":97,"critical":1,"earnings":16,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"oct0pwn","aspRank":98,"critical":0,"earnings":15,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":15,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"securehash1","aspRank":99,"critical":0,"earnings":15,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":15,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"nvalkov","aspRank":100,"critical":0,"earnings":15,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":15,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"riptide","aspRank":101,"critical":1,"earnings":13,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":13,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":
0,"name":"Pro_King","aspRank":102,"critical":0,"earnings":13,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":13,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"grearlake","aspRank":103,"critical":0,"earnings":13,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":13,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"theboiledcorn","aspRank":104,"critical":0,"earnings":13,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":13,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"vivekd","aspRank":105,"critical":1,"earnings":13,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":13,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"zcai","aspRank":106,"critical":0,"earnings":12,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":12,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"xanony","aspRank":108,"critical":1,"earnings":12,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":12,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"Bizarro","aspRank":109,"critical":0,"earnings":11,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":11,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"mzfr","aspRank":110,"critical":0,"earnings":11,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":11,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Another","aspRank":111,"critical":0,"earnings":11,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":11,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Pig46940","aspRank":112,"critical":0,"earnings":10,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":10,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings"
:0},{"high":1,"name":"Lion47624","aspRank":113,"critical":0,"earnings":9,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":9,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Coachmike","aspRank":114,"critical":0,"earnings":9,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":9,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"omarAli001","aspRank":115,"critical":0,"earnings":9,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":9,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"resosiloris","aspRank":116,"critical":0,"earnings":9,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":9,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"bigbear1229","aspRank":117,"critical":0,"earnings":9,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":9,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Bug82427","aspRank":118,"critical":0,"earnings":7,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":7,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"LogicalJosselyn798","aspRank":119,"critical":0,"earnings":6,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":6,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ZenHunter","aspRank":120,"critical":0,"earnings":6,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":6,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Diavol0","aspRank":121,"critical":1,"earnings":6,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":6,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"DeoGratias","aspRank":122,"critical":1,"earnings":5,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":5,"totalValidBugs":2,"aspPoolEarnings":
0,"podiumPoolEarnings":0},{"high":1,"name":"niffylord","aspRank":123,"critical":1,"earnings":3,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"auditagent","aspRank":124,"critical":1,"earnings":3,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"KiLl3rX","aspRank":125,"critical":1,"earnings":3,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ayeslick","aspRank":126,"critical":1,"earnings":3,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"edantes","aspRank":127,"critical":0,"earnings":3,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"ihtishamsudo","aspRank":128,"critical":0,"earnings":3,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"HandsomeEarthworm6","aspRank":129,"critical":0,"earnings":3,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Pataroff","aspRank":130,"critical":0,"earnings":3,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Ibukun","aspRank":131,"critical":0,"earnings":3,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Bear36435","aspRank":132,"critical":0,"earnings":3,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":3,"totalValidBugs":1,"asp
PoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"ibrahimatix0x01","aspRank":133,"critical":0,"earnings":2,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Tomioka","aspRank":134,"critical":0,"earnings":2,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"TyroneX","aspRank":135,"critical":0,"earnings":2,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Aiden","aspRank":136,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Tee0x","aspRank":137,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"iAfrika","aspRank":138,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"call_me_rp","aspRank":139,"critical":0,"earnings":1,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Novathemachine","aspRank":140,"critical":0,"earnings":1,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"rshackin","aspRank":141,"critical":0,"earnings":0,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"unineko","aspRank":142,"critical":0,"earnings":0,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":3
,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Kissiahmyo","aspRank":143,"critical":0,"earnings":0,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"DashBug","aspRank":144,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"JavaScript36142","aspRank":145,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"IShiftOnBlue","aspRank":146,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Johnyfwesh","aspRank":147,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"konvati","aspRank":148,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"EagleEye","aspRank":149,"critical":0,"earnings":0,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ENIGMA","aspRank":150,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"akioniace","aspRank":151,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"liae","aspRank":152,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalVali
dBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Eagle_Eye","aspRank":154,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"KKam86","aspRank":155,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"pikachu0203","aspRank":156,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"silverologist","aspRank":157,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Y4nhu1","aspRank":158,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Ekene","aspRank":159,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"acnologiac","aspRank":160,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Bx4","aspRank":161,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Vanshika","aspRank":163,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"rand","aspRank":165,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs
":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Khay3","aspRank":166,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Shivansh","aspRank":167,"critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"madman","aspRank":169,"critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"s_a_l_e_m","aspRank":170,"critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"cmds","aspRank":171,"critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"vah_13","aspRank":172,"critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"gor97","aspRank":173,"critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"DeusVult","aspRank":174,"critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"TianYu4n","aspRank":175,"critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs
":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"[redacted]","aspRank":"disqualified","critical":1,"earnings":0,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0}],"boostedSummaryReport":"https://drive.google.com/file/d/18LmIajwn6NOCbxKQJ49MVLyLSKb9gmD1/view?usp=sharing","ecosystem":null,"endDate":"2025-11-04T14:00:00.000Z","evaluationEndDate":"2026-01-16T14:00:00.000Z","features":["Boost","Managed Triage: Time 
Saver","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2025-10-14T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1n32B4eQNgsTaCpybMEudK/57f8ae5777af97e0e7a91f4b2ec17517/alchemix.png","maxBounty":100000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Alchemix is your unified platform for saving, earning, borrowing, and fixed-term fixed-yield opportunities—all in one place. Built on years of iteration since launching the original self-repaying loan in 2021, Alchemix v3 brings all three pillars together with a smarter, more flexible design. The protocol allows you to:\n\n- Save and grow – deposit ETH or USDC and let our vault invest and earn yield across diversified strategies.\n- Borrow up to 90% LTV – access liquidity now while your collateral grows with yield and your leverage is reduced over time through scheduled redemptions. No interest rates to monitor, no price-based liquidations.\n- Earn fixed-rate yield – lock in predictable returns through fixed-term redemptions of alETH or alUSD.\n\nThere are a few elements to the system. \nFirst, there is the Meta Yield Token. This is a Morpho V2 vault with custom strategies and some custom admin roles. There is an ETH and a USDC vault for each chain. \n\nThe core system is based around the Alchemist/Transmuter. Alchemists mint alAssets, and accept MYT as collateral. Each Alchemist has a single alAsset it can mint (alETH for ETH, alUSD for USDC). Each Alchemist can only accept a single MYT token as collateral (MYT ETH for alETH Alchemist). Each Alchemist has a single Transmuter paired with it, and each Transmuter is only paired with a single Alchemist. \n\nThe Transmuter’s role is to redeem alAssets. 
Users may deposit alAssets to the transmuter. After a fixed period of time, they may claim equivalent value (based on protocol assumption that 1 alAsset = 1 Underlying, ie 1 alETH = 1 ETH) of the MYT. \n\nThe Alchemist’s role is to accept the MYT as collateral, mint alAsset debt, and fulfill redemption obligations to the transmuter. When a transmuter claim is executed, the Alchemist reduces global system debt, and sends MYT from the alchemist to the transmuter user. Thus, when a redemption occurs, an individual Alchemist position will see both their collateral and debt reduced. \n\nTo ensure collateral will always be available for redemptions, the Alchemist employs an earmarking system. Essentially, the system will reserve collateral and debt from user positions for future transmuter claims (time-based, continuous). Earmarked collateral cannot be withdrawn from the system. The only way to withdraw earmarked collateral is to repay earmarked debt with external MYT tokens. Separately, non-earmarked collateral/debt may be repaid and/or withdrawn at any time (subject to LTV requirements). \n\nThe MYT strategies are meant to be priced based off of fundamental oracles, ie the backing of each strategy. This is meant to avoid unfair liquidations due to flash crashes. Additionally, the MYT is never unwrapped or wrapped with the Alchemist - this is why transmuter positions receive MYT tokens at time of redemption, not underlying.\n\nThe MYT strategies have a dual-unwrap approach through contracts and dexes. When a better outcome is gained through a dex (vs wrapping), a dex is used. For unwrapping, if the contract unwrap is unavailable (due to a queue), a dex is used. Thus, the MYT may be worth 1 ETH from the Alchemist point of view, even if the unwrap value at that exact instance is 0.99 (due to one of the strategies having a withdrawal queue). 
For this reason, long-tail risk strategies should not be used in the MYT.","programType":["Smart Contract"],"project":"Audit Comp | Alchemix V3","projectType":null,"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes All Star Pool and Podium Pool reserved for [All Star Program participants](https://immunefi.com/allstars/). \n\nRewards are denominated in USD and distributed in USDC on Optimism\n\nThe reward pool is **$100,000 USD** if any bug is found. That means that even if 1 Low severity bug is found, the whole reward pool is unlocked and has to be fully distributed between security researchers. \n\nIf not a single bug is found (Insights do not count as bugs) the insight reward pool is $15,000 USD.\n\n**Proof of Concept (PoC) Requirements**\nA **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)","rewardsPool":100000,"primaryPool":70000,"allStarsPool":20000,"podiumPool":10000,"rewardsToken":"USDC","slug":"alchemix-v3-audit-competition","tenPercentEconomicRule":false,"updatedDate":"2026-01-29T16:56:59.233Z","impactsBody":"**Proof of Concept (PoC) Requirements**\n\nA **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n**Build Commands, Test Commands, and How to Run Them**\n\nAll tests for the Alchemists/Transmuters can be run at once if you specify the fork and block. Whitehats will need their own fork URL. 
The block number currently used for testing is: \n\nExamples: \n- AlchemistV3: FOUNDRY_PROFILE=default forge test --fork-url <URL> --match-path src/test/AlchemistV3.t.sol  -vvvv --evm-version cancun \n- Transmuter: FOUNDRY_PROFILE=default forge test --fork-url <URL> --match-path src/test/Transmuter.t.sol  -vvvv --evm-version cancun \n- All MYT strategies: FOUNDRY_PROFILE=default forge test --match-path \"src/test/strategies/**/*.sol\" -vvvv --evm-version cancun \n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope are valid.\n\n**Code Freeze Assurance**\n\nCode of the assets in scope is frozen while the program is live. \n\nDuplicate submissions of bugs are **valid**. Duplicate submissions of Insights are **invalid**.\n\nThe project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\n**Previous Audits**\n\n- Alchemix’s completed audit reports can be found at - https://cantina.xyz/portfolio/f638950d-a8ad-4df8-a6ec-8b067e416d7b or in the github repository. \n- Unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n- All cantina audit items are resolved and all tests are passing, EXCEPT the below items. Reporting any of the below items are NOT IN SCOPE for this contest. All other bug findings in cantina would be valid reportings if still occurring:\n    - 3.1.8 - Devs did fix the calculation here but disagree that people putting money into the transmuter is a bad thing. They are technically adding backing to the system\n    - 3.2.2 - intended behavior \n    - 3.2.8 - UI handles this so intended behavior\n    - 3.2.15 - Incorrect. 
A user wouldn't be able to deposit into a new position twice in one block since they wouldn't know what ID they were assigned until after the block is written.\n    - 3.2.21 - Intended behavior\n\n**Public Disclosure of Known Issues**\n\nBug reports for publicly disclosed bugs are not eligible for a reward. \n\n- Technically an individual could open numerous small positions at max LTV, hoping that they become eligible for liquidation so they can liquidate themselves and get paid from the feeVault for a net profit. However, the feeVault ONLY pays out when the alchemist is globally undercollateralized, NOT for liquidate individually undercollateralized positions when global collateralization is otherwise acceptable. This is an acceptable risk and therefore not considered in scope. None currently known\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\n*Fundamental Oracles*\n\n- We are pricing strategies based on the fundamental backing, rather than dex price, whenever possible. This means there may be scenarios where the fundamental backing has a queue to access (such as the exit queue for wstETH). In these scenarios, as an example, 1 alETH in the transmuter would return 1 ETH worth of MYT, but that 1 ETH of MYT would not be accessible until the withdrawal queue clears, OR the user could sell the 1 ETH of MYT for < 1 ETH. Thus, the MYT market price may be < 1 ETH, which may bring the price of the alAsset < 1 ETH. This is intended behavior, as should the withdrawal queue clear the 1 ETH of MYT value would once again be instantly accessible and thus the alAsset would be redeemable for 1 ETH. \n\n- IF the price of the MYT drops below the LTV (say 1 ETH of MYT has a market price of 0.85 ETH) due to withdrawal queues, then it would be expected that arbitragers mint alETH to sell at > 100% LTV. 
However, so long as the value of the MYT these arbitragers collateralize returns to 1:1, there is no bad debt created in the system. Only a situation that returns permanent bad debt, even after MYT recovery, would be in scope (or a situation where the MYT is prevented from recovering). \n\n*Morpho V2 Vaults*\n\nThe Meta Yield Token is a Morpho v2 Vault. The base Morpho v2 code is unchanged and not in scope. Only the implementation of the base code and associated wrappers/extensions are in scope. (Ie, only issues that propagate from the main v2 code and implementation into the in-scope contracts are in scope). \n\n*Interfaces, Unit Tests, Mock Tokens*\n\nInterface Definitions, Unit Tests, and Mock Tokens are not in scope unless the issues propagate to the actual logic of the in-scope contracts. \n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nWhile some of the economic ideas of Alchemix V3 are closely tied to Alchemix v2, this is an entirely new codebase. The only carryover is that the alAssets that are currently minted by Alchemix v2 will be the same alAssets minted by Alchemix v3.\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\n*Flash Loans*: Alchemix v2 does not allow smart contract interactions, which means flash loans could never interact with Alchemix v2. Alchemix v3 does not have this restriction, thus attention paid to potential attacks that take significant capital (ie, flashloans) is appreciated.\n\n*Bad Debt and MYT Pricing*: Any attack vectors that would create permanent bad debt are very high priority, due to pricing exploits, pricing manipulation of internal oracles, or otherwise in the Meta Yield Tokens. The internal oracle especially should be a point of focus. \n\n*Liquidations*:  Liquidations are unique in that they need to interact with earmarking, as the system’s highest priority repayment is to fulfill transmuter obligations. 
This means if a position is eligible for liquidation, it will first have all earmarked debt cleared early, and then a liquidation will only occur if the redemption did not bring the user to a safe LTV. Thus, an invariant is that a liquidation shall never take priority over a redemption. The multistep liquidation system, with partial liquidations, is also somewhat custom and should be paid attention to.\n\n*0x Matcha Swaps*: Our ZeroXSwapVerifier (part of the dual unwrap/wrapping approach that uses both fundamental contracts and dex aggregation) heavily relies on implicit calldata parsing. We would like explicit effort put into the review that such in-place verification matches the 0x protocol logic and a malicious swap event cannot make it through the strategy with manipulated tokens, senders, amounts, receivers, slippages etc\n\n*Earmarking*: Redemptions are discrete - when someone claims their transmuter position, their alAsset is burned and they receive collateral directly from the Alchemist. Vault users will see both collateral and debt decrease. However, earmarking is continuous - essentially ensuring that building up to the time a transmuter position is claimed, enough collateral is being “reserved” in the system to ensure that users are unable to withdraw collateral that will be necessary to fulfill redemption obligations to the transmuter. This requires a continuous accounting weighting / earmarking system. Any inaccuracies in this system could be considered a valid bug. 
\n\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\nERC20 (throughout), ERC721 (transmuter, and enumerables used for alchemist NFT positions), ERC4626 (Meta Yield Token)\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nNone (Ie, if trusted roles such as Alchemix DAO (Admin), 0xMatcha Aggregator, and Guardians are operating normally and a bug can occur, that would be in scope. Entering the wrong function inputs would NOT be in scope. Griefing would NOT be in scope.)\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\n\n- Any Alchemix DAO multisig (Admin)\n- 0xMatcha Aggregator\n- Guardians\n\n(These are all trusted roles, however if there was a valid exploit that could be executed for example only when the 0xMatcha Aggregator is down or has a temporary loss of service, that would be in scope. Loss of functionality of the contracts while the aggregator is down would NOT be in scope unless it could result in permanent loss of user funds or bad debt. The aggregator just “being down” is not in scope, there would need to be impact beyond temporarily reduced protocol functionality)\n\n**Which chains and/or networks will the code in scope be deployed to?**\n- Ethereum, Optimism, Arbitrum, Base\n\n**What external dependencies are there?**\n- Morpho v2 Vaults\n- OpenZeppelin\n- Permit2\n- 0x Matcha Routing\n- Twap Pricing Mechanism\n- All yield strategies are dependent on the protocol they derive yield from\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\n- The earmarking and redemption system is unique. 
The purpose of earmarking is to time-weight the communal redemptions in the system\n- The liquidation system is unique, especially in how it interacts with earmarking.\n\n**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)**\n\n- https://keenanlukeom.github.io/alchemix-v3-docs/\n- https://keenanlukeom.github.io/alchemix-v3-docs/dev/alchemist/alchemist-contract\n\nResources related to: https://github.com/alchemix-finance/v3-poc/tree/immunefi_audit/src/strategies/mainnet\n- https://app.tokemak.xyz/pools/autoETH?breakdown=pools\n- https://app.euler.finance/vault/0xD8b27CF359b7D15710a5BE299AF6e7Bf904984C2?network=ethereum\n- https://app.morpho.org/ethereum/vault/0xE89371eAaAC6D46d4C3ED23453241987916224FC/yearn-og-weth\n- https://peapods.finance/lending/1/0x9a42e1bEA03154c758BeC4866ec5AD214D4F2191\n- https://app.euler.finance/vault/0xe0a80d35bB6618CBA260120b279d357978c42BCE?network=ethereum\n- https://peapods.finance/lending/1/0x3717e340140D30F3A077Dd21fAc39A86ACe873AA\n- https://app.tokemak.xyz/pools/autoUSD","websiteUrl":"https://alchemix.fi/","githubUrl":"https://github.com/alchemix-finance","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Alchemix is your unified platform for saving, earning, borrowing, and fixed-term fixed-yield opportunities—all in one place. Built on years of iteration since launching the original self-repaying loan in 2021, Alchemix v3 brings all three pillars together with a smarter, more flexible design.","knownIssues":[{"id":1170,"link":"https://github.com/alchemix-finance/v3-poc/tree/immunefi_audit","description":"Technically an individual could open numerous small positions at max LTV, hoping that they become eligible for liquidation so they can liquidate themselves and get paid from the feeVault for a net profit. 
However, the feeVault ONLY pays out when the alchemist is globally undercollateralized, NOT for liquidate individually undercollateralized positions when global collateralization is otherwise acceptable. This is an acceptable risk and therefore not considered in scope. ","lastUpdatedAt":"2025-10-13T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. 
In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":5744,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or 
NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":5745,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs for at least 24 hour"},{"id":5746,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"},{"id":5747,"type":"smart_contract","severity":"medium","title":"Temporary freezing of NFTs for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"3YMioc0qaaIZggYqXguqCG","url":"https://cantina.xyz/portfolio/f638950d-a8ad-4df8-a6ec-8b067e416d7b","auditor":"All Audits","date":"2025-09-30"}]},{"assets":[{"id":"6bXntWlBIds3IkGJpnnOkI","url":"https://github.com/firedancer-io/firedancer/releases","type":"blockchain_dlt","addedAt":"2024-09-18T13:00:00.000Z","revision":2,"description":"Firedancer Latest Mainnet Release","isPrimacyOfImpact":null}],"assetsBodyV2":"The Firedancer codebase can be found at https://github.com/firedancer-io/firedancer/tree/main. 
\n\nDocumentation and further resources can be found at:\n\n- Documentation: [https://firedancer-io.github.io/firedancer/](https://firedancer-io.github.io/firedancer/)\n- Technical education: Technical articles, ReadMe's, whitepaper, etc.\n- [https://github.com/firedancer-io/firedancer/blob/main/README.md](https://github.com/firedancer-io/firedancer/blob/main/README.md)\n- [https://github.com/firedancer-io/firedancer/blob/main/src/disco/README.md](https://github.com/firedancer-io/firedancer/blob/main/src/disco/README.md)\n- All header files contain sufficient documentation about each component's function\n- Developer codebase walkthrough (recorded for the preceding contest): https://youtu.be/KJzZ5QApW2s\n- Non-technical education: introductory videos, protocol summaries, FAQs, etc\n- Solana Docs: https://solana.com/docs\n- How to build and run a Node [https://firedancer-io.github.io/firedancer/guide/getting-started.html](https://firedancer-io.github.io/firedancer/guide/getting-started.html)\n\nThe full Firedancer implementation now exists as a separate binary, but only the Frankendancer validator `fdctl` is in scope for this bug bounty program.\nFindings that apply exclusively to the full Firedancer binary (i.e., code not used by Frankendancer or fdctl) will be treated as informational (insight reports) and are not eligible for bounty rewards.\n\n\nThe Firedancer repository contains code for two validators:\n\n- The latest Firedancer mainnet release, lovingly nicknamed “Frankendancer”, a split between Firedancer and the existing Agave validator written in Rust\n- A full C-only Firedancer, completely replacing the existing Agave validator.\n\n\nThe full Firedancer code is behind a development flag, and findings in code that is only reachable in full Firedancer will be considered informational (aka insight reports).\n\n\nThe Frankendancer validator interfaces with the existing Agave validator written in Rust via an FFI interface. 
This FFI interface and the modifications to Agave to support such FFI are in scope, but bugs in the Agave validator itself that would impact existing Solana validators should be reported to the Agave bug bounty and are not considered in scope for the contest.\n\n\nThe directory and file listing are provided to help navigate the codebase and determine what is in scope. The ground truth for scope and impact will follow the production binary.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust","C/C++"],"launchDate":"2024-09-18T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2O0QVg3wfx8rp3u3rzgqUg/4df69f867867b9c6b65a0cc30533e0b4/Firedancer_Transparent.png","maxBounty":500000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Validator"],"programOverview":"Firedancer is a new validator client for Solana.\n\n\n**Fast** - Designed from the ground up to be fast. The concurrency model draws from experience in the low latency trading space, and the code contains many novel high performance reimplementations of core Solana primitives.\n\n**Secure** - The validator's architecture allows it to run with a highly restrictive sandbox and almost no system calls.\n\n**Independent** - Firedancer is written from scratch. 
This brings client diversity to the Solana network and helps it stay resilient to supply chain attacks in building tooling or dependencies.\n\nFor more information about **Firedancer**, please visit [https://firedancer-io.github.io/firedancer/](https://firedancer-io.github.io/firedancer/).\n\nFiredancer provides rewards in __USDC__ on Solana, denominated in __USD__. For more details about the payment process, please view the __Rewards by Threat Level__ section further below.\n\n\n__KYC Requirement__\n\nFiredancer will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n- Eligibility Criteria \n\n\n__Responsible Publication__\n\nFiredancer adheres to category 3 - Approval Required. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\nFiredancer adheres to the Primacy of Rules, meaning the whole bug bounty program is run strictly under the terms and conditions stated on this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Known Issue Guidelines__\n\nTo ensure fairness and transparency in the bug reporting process, Firedancer is prohibited from claiming that a bug report is a known or duplicate issue without providing clear and verifiable evidence. This measure is crucial to maintaining the integrity of the bug bounty program. 
\n\nFiredancer must present specific proof that an issue has been previously reported and acknowledged, even if not disclosed publicly or privately as a known issue. Without such evidence, the bug report will be considered valid and eligible for the appropriate reward as per the bug bounty program terms. \n\nFor detailed information as to what qualifies as acceptable proof of known issues, refer to the article on Immunefi Support: [Report Closed for Known Issues](https://immunefisupport.zendesk.com/hc/en-us/articles/10644746170897-Report-Closed-for-Known-Issues).\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- [https://immunefi.com/boost/firedancer-boost/information/](https://immunefi.com/boost/firedancer-boost/information/)\n- [https://github.com/firedancer-io/firedancer/issues](https://github.com/firedancer-io/firedancer/issues)\n- [https://github.com/firedancer-io/firedancer/pulls](https://github.com/firedancer-io/firedancer/pulls)\n- [https://github.com/firedancer-io/audits](https://github.com/firedancer-io/audits)\n\n\n__Previous Audits__\n\nFiredancer’s completed audit reports can be found at https://github.com/firedancer-io/audits. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Firedancer has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)\n\n__Root Cause Duplicity Exemption__\n\nIf multiple distinct bugs are reported with the same root cause, they will be treated and grouped as one bug.","programType":["Blockchain/DLT"],"project":"Firedancer","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n\n__Reward Payment Terms__\n\nPayouts are handled by the Firedancer team directly and are denominated in USD. However, payments are made in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"firedancer","tenPercentEconomicRule":false,"updatedDate":"2026-01-28T16:03:49.939Z","impactsBody":"Firedancer builds as a single production binary, fdctl. Code linked into and reachable from this binary in the latest Frankendancer release build and branch is in scope, including the primary `fdctl run` command. Code from the consensus, runtime, and other components of the full future Firedancer validator are not in scope. The FFI interface between Frankendancer and Agave is in scope, but bugs in Agave code that exist in the standalone Anza Agave validator are not in scope, and should be reported to Anza. Protocol bugs or design flaws in Solana are not in scope, and are reportable to Anza.\n\nFor cluster-level impact, a theoretical Firedancer-only chain is in scope. 
For example, while a chain halt is not currently possible on mainnet via a Firedancer-only exploit (since the network includes other validator clients), you may assume a 100% Firedancer validator set and demonstrate impacts such as a chain halt or chain split under those conditions.\n\nThe sandbox and security model are in scope. You may assume an existing RCE within a specific tile, and any findings downstream of that breach—such as a sandbox escape or gaining RCE in the sandbox of a different tile—are considered valid.\n\nDownstream findings must give attackers a new capability/advantage that they wouldn't have without RCE. For example, causing a Denial of Service in a different tile is not a new capability, as RCE can already be used for that.\n\nAdditionally, tiles in the Agave address space (e.g., bank, poh, store) are not considered tightly sandboxed. As such, transitions from a tile in the Agave address space to any other tile are not in scope. Furthermore, the link between pack and bank is trusted and out of scope. Regarding severity of inter-tile RCE, we are most interested in starting in a complex tile that is close to input from the network (e.g. net or quic).\n\nThe primary security concern of the validator is defending against untrusted or malicious behavior originating from the network, and limiting damage in the event of RCE. Issues that are purely local to the validator and not remotely exploitable—such as command-line argument or environment variable handling—will be considered out of scope or informational.\n\nThe GUI is in scope. You may assume the GUI’s HTTP port is exposed to the public internet.\nVulnerabilities that involve, are triggered by, or relate to the block engine functionality may be considered valid. 
However, such findings will typically be assessed at a lower severity level.\n\n**Special Note:** Severities noted by the **“*”** are those that we don’t believe are currently realizable risks with the amount of stake applied to Firedancer when authoring these terms. \n\nHowever, we believe these risks could be realized with more stake applied to Firedancer. If you find something that realizes these risks, you are encouraged to submit it, and it will be rewarded according to its impact.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Firedancer is a new validator client for Solana.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"__Additional Rules/Information:__\n\nFor exploits denoted as RCE, we expect an actual proof of RCE. Memory corruptions that are merely building blocks in a full RCE exploit chain will be rewarded less than full RCE exploits.\n\nPlease keep validator code patches in PoCs to a minimum, and thoroughly explain for each change why the bug can still be exploited on an unpatched validator, and under what conditions.\n\nThese impacts are out of scope for this bug bounty program:\n\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers.\n- Any affected code from dependent Solana client implementations (e.g. 
Agave) should be reported upstream.","customProhibitedActivities":[],"impacts":[{"id":5094,"type":"blockchain_dlt","severity":"low","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk*"},{"id":5095,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters*"},{"id":5097,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)*"},{"id":5098,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments*"},{"id":5099,"type":"blockchain_dlt","severity":"medium","title":"Process to process RCE between sandboxed tiles"},{"id":5102,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours*"},{"id":5103,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network*"},{"id":5104,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk*"},{"id":5106,"type":"blockchain_dlt","severity":"critical","title":"Any bug leading to loss of funds or acceptance of forged / invalid signatures"},{"id":5107,"type":"blockchain_dlt","severity":"critical","title":"Key compromise/exfiltration exploit chain"},{"id":5108,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)*"},{"id":5109,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork 
(network partition requiring hard fork)*"},{"id":5110,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds*"},{"id":5111,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hard fork)*"},{"id":5223,"type":"blockchain_dlt","severity":"high","title":"Elevate privileges in the Firedancer GitHub repository to cut releases or commit to protected branches"},{"id":5224,"type":"blockchain_dlt","severity":"medium","title":"Gain persistence on a CI runner node as an unprivileged user"},{"id":5225,"type":"blockchain_dlt","severity":"medium","title":"Other security relevant privilege escalations in the Firedancer GitHub repository/organization"},{"id":5299,"type":"blockchain_dlt","severity":"medium","title":"Any bug leading Firedancer to produce an invalid block or skip its leader slot"},{"id":5300,"type":"blockchain_dlt","severity":"medium","title":"Consensus issues causing Firedancer validators to fork"},{"id":5301,"type":"blockchain_dlt","severity":"high","title":"Liveness issues that cause Firedancer validators to crash or be unavailable*"},{"id":5427,"type":"blockchain_dlt","severity":"critical","title":"Infinite Mint"},{"id":5679,"type":"blockchain_dlt","severity":"high","title":"Any sandbox 
escape"}],"rewards":[{"id":40034,"severity":"critical","assetType":"blockchain_dlt","maxReward":500000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":40035,"severity":"high","assetType":"blockchain_dlt","maxReward":100000,"minReward":50000,"rewardModel":"range"},{"id":40036,"severity":"medium","assetType":"blockchain_dlt","maxReward":50000,"minReward":5000,"rewardModel":"range"},{"id":40037,"severity":"low","assetType":"blockchain_dlt","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"6iLMs20hawpnK5emxBEAwX","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/platform/Factory.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"Factory.sol","isPrimacyOfImpact":null},{"id":"6UVuUmqnRJf5LORjqLHw5b","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/platform/BelongCheckIn.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"BelongCheckIn.sol","isPrimacyOfImpact":null},{"id":"131gIPdH8pByVpu2mjrpIA","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/platform/extensions/ReferralSystemV2.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"ReferralSystemV2.sol","isPrimacyOfImpact":null},{"id":"3rtSo4rbgGPrrORcL2MfYn","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/periphery/Escrow.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"Escrow.sol","isPrimacyOfImpact":null},{"id":"6GSWYVJo2kC1AplVgyAY23","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/periphery/RoyaltiesReceiverV2.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"RoyaltiesReceiverV2.sol","isPrimacyOfImpact":null},{"id":"4wJD06thZeapuICjj1y6IF","url":"https://github.com/immunefi-team/audit-comp-bel
ong/blob/main/contracts/v2/periphery/Staking.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"Staking.sol","isPrimacyOfImpact":null},{"id":"5HS5PwK4V3JvR9lyCRrzdL","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/periphery/VestingWalletExtended.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"VestingWalletExtended.sol","isPrimacyOfImpact":null},{"id":"4LFCwx41oMlOJ2KoNS2HuC","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/tokens/AccessToken.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"AccessToken.sol","isPrimacyOfImpact":null},{"id":"2Wtm3lXlUO9iY03kAasgDg","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/tokens/CreditToken.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":4,"description":"CreditToken.sol","isPrimacyOfImpact":null},{"id":"18i9TzcjY6sZTxGAocCMl7","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/tokens/base/ERC1155Base.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"ERC1155Base.sol","isPrimacyOfImpact":null},{"id":"7HNmcCE4RpvzLLRR1465fZ","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/utils/Helper.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"Helper.sol","isPrimacyOfImpact":null},{"id":"7LJ8BXPfw3UnyW4MdpR2lq","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/utils/SignatureVerifier.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000Z","revision":3,"description":"SignatureVerifier.sol","isPrimacyOfImpact":null},{"id":"7eryaLJVZeQUMQSYG30QUJ","url":"https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/Structures.sol","type":"smart_contract","addedAt":"2025-10-20T15:00:00.000
Z","revision":3,"description":"Structures.sol","isPrimacyOfImpact":null},{"id":"6y6zkKttNSabHXumpu23kU","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nftfactory/nftfactory.cairohttps://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nftfactory/nftfactory.cairo","type":"smart_contract","addedAt":"2025-10-21T07:33:36.694Z","revision":2,"description":"nftfactory.cairo","isPrimacyOfImpact":null},{"id":"8t4cKSE6YZGwkQVXdCwmF","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nftfactory/interface.cairohttps://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nftfactory/interface.cairo","type":"smart_contract","addedAt":"2025-10-21T07:34:44.541Z","revision":2,"description":"interface.cairo","isPrimacyOfImpact":null},{"id":"7kz0vgm3uABCTIxulCXRcv","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nft/nft.cairo","type":"smart_contract","addedAt":"2025-10-21T07:34:57.352Z","revision":3,"description":"nft.cairo","isPrimacyOfImpact":null},{"id":"079QNc8NDC1i8P6cDssD5","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nft/interface.cairo","type":"smart_contract","addedAt":"2025-10-21T07:35:11.755Z","revision":2,"description":"interface.cairo","isPrimacyOfImpact":null},{"id":"7vIgeKGa5UZaKJNUQRYOXS","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/receiver/receiver.cairo","type":"smart_contract","addedAt":"2025-10-21T07:35:31.965Z","revision":1,"description":"receiver.cairo","isPrimacyOfImpact":null},{"id":"7xhAdQKpfDdZQJJG3PFm17","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/receiver/interface.cairo","type":"smart_contract","addedAt":"2025-10-21T07:35:53.732Z","revision":1,"description":"interface.cairo","isPrimacyOfImpact":null},{"id":"58nFK72bCJnYIqGsBdIVqP","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/snip12/dynamic_price_hash.cairo","type":"
smart_contract","addedAt":"2025-10-21T07:36:10.318Z","revision":1,"description":"dynamic_price_hash.cairo","isPrimacyOfImpact":null},{"id":"1b0iMYm7JwtlaS0fRMwMnd","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/snip12/interfaces.cairo","type":"smart_contract","addedAt":"2025-10-21T07:36:29.319Z","revision":1,"description":"interfaces.cairo","isPrimacyOfImpact":null},{"id":"o1gXV5Dl99LpDsqqnxbqc","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/snip12/produce_hash.cairo","type":"smart_contract","addedAt":"2025-10-21T07:36:40.203Z","revision":1,"description":"produce_hash.cairo","isPrimacyOfImpact":null},{"id":"12TtgLBf13gF242rPPBZv9","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/snip12/snip12.cairo","type":"smart_contract","addedAt":"2025-10-21T07:36:52.860Z","revision":1,"description":"snip12.cairo","isPrimacyOfImpact":null},{"id":"7vNn1XW0qWJsNCaVy0Xcq3","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/snip12/static_price_hash.cairo","type":"smart_contract","addedAt":"2025-10-21T07:37:06.693Z","revision":1,"description":"static_price_hash.cairo","isPrimacyOfImpact":null},{"id":"7w9mf60V87qtkHWqrTbJG1","url":"https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/snip12/u256_hash.cairo","type":"smart_contract","addedAt":"2025-10-21T07:37:17.790Z","revision":1,"description":"u256_hash.cairo","isPrimacyOfImpact":null}],"assetsBodyV2":"**Insight Reporting** \n\nInsight reports may be reported to this program and require a PoC. 
Insights are rewarded according to [Immunefi’s Standardized Competition Reward Terms.](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms)\n\n**Dispute Resolution**\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.\n\n**Responsible Publication Policy**\n\n- Immunefi will publish bug reports, earnings, and a leaderboard for this Audit Competition.\n- Security Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in an audit review of the code in scope (Such auditors may still participate in this program only if they receive project permission)","boostedIntroEvaluating":"### Thank You to All Participating Security Researchers!\n\nThe audit competition has now concluded and is currently in the evaluation phase. During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"","boostedIntroLive":"### **$30,000 USD** in rewards is available for finding bugs on Belong Network's contracts. 
\n\nFor more information about the project, please visit https://belong.net/\n\n- KYC is not required.\n\n- Flat Reward Pool\n\n**Proof of Concept (PoC) Requirements**\n\n- A **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\nAny technical questions and support requests can be asked directly to the Belong team or Immunefi in the [#belong-audit-competition](https://discord.com/channels/787092485969150012/1429675232926634074) Discord channel.","boostedIntroStartingIn":"### **$30,000 USD** in rewards is available for finding bugs on Belong Network's contracts. \n\nFor more information about the project, please visit https://belong.net/\n\nAny technical questions and support requests can be asked directly to the Belong team or Immunefi in the [#belong-audit-competition](https://discord.com/channels/787092485969150012/1429675232926634074) Discord channel. \n\nWhen the Audit Competition ends, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Alchemix's technical walkthrough on our official [YouTube channel](https://www.youtube.com/@immunefi).\n\n**A runnable PoC is required**. For more information, please read [Immunefi Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules?utm_source=immunefi)\n\nInsight reports can be submitted. 
Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedLeaderboard":[{"high":1,"name":"shadowHunter","aspRank":9,"critical":1,"earnings":832,"insights":0,"mediumLow":0,"allStarTier":"ELITE (ACTIVE)","totalEarnings":6832,"totalValidBugs":2,"aspPoolEarnings":6000,"podiumPoolEarnings":0},{"high":2,"name":"kaysoft","aspRank":1,"critical":2,"earnings":2041,"insights":1,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":3061,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":1020},{"high":1,"name":"ZestfulHedgehog609","aspRank":2,"critical":0,"earnings":1883,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":2873,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":990},{"high":0,"name":"blackgrease","aspRank":3,"critical":0,"earnings":1803,"insights":1,"mediumLow":6,"allStarTier":"Non-ASP","totalEarnings":2793,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":990},{"high":2,"name":"Rhaydden","aspRank":4,"critical":1,"earnings":1100,"insights":1,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":1100,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"pirex","aspRank":5,"critical":1,"earnings":1036,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":1036,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Josh4324","aspRank":6,"critical":0,"earnings":924,"insights":2,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":924,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"OxPrince","aspRank":7,"critical":0,"earnings":844,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":844,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"koko7","aspRank":8,"critical":0,"earnings":842,"insights":0,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":842,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarning
s":0},{"high":0,"name":"iehnnkta","aspRank":11,"critical":2,"earnings":795,"insights":2,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":795,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Oxv1bh4","aspRank":10,"critical":1,"earnings":773,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":773,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Hunterrrr","aspRank":12,"critical":0,"earnings":458,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":458,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"ox9527","aspRank":13,"critical":1,"earnings":446,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":446,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"jo13","aspRank":14,"critical":0,"earnings":389,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":389,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"TECHFUND_inc","aspRank":15,"critical":1,"earnings":349,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":349,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Another","aspRank":26,"critical":0,"earnings":339,"insights":2,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":339,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Oxlookman","aspRank":21,"critical":0,"earnings":314,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":314,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Happy_Hunter","aspRank":18,"critical":1,"earnings":299,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":299,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Divine_Dragon","aspRank":28,"critical":1,"earnings":275,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":275,"totalValidBugs":1,"
aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"InquisitorScythe","aspRank":16,"critical":1,"earnings":273,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":273,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"danial","aspRank":17,"critical":1,"earnings":273,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":273,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"bugdaddy96","aspRank":19,"critical":1,"earnings":263,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":263,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"queen","aspRank":20,"critical":1,"earnings":263,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":263,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Kissiahmyo","aspRank":22,"critical":0,"earnings":254,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":254,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"spongebob","aspRank":23,"critical":0,"earnings":243,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":243,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"kodyvim","aspRank":24,"critical":0,"earnings":229,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":229,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"pawps","aspRank":25,"critical":1,"earnings":225,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":225,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"rzizah","aspRank":27,"critical":1,"earnings":215,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":215,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"doichantran","aspRank":29,"critical":1,"earnings":215,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","tota
lEarnings":215,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"siddhu","aspRank":30,"critical":1,"earnings":215,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":215,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"TheWeb3Mechanic","aspRank":31,"critical":1,"earnings":215,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":215,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"daxun","aspRank":32,"critical":0,"earnings":209,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":209,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"kenzo","aspRank":37,"critical":0,"earnings":208,"insights":1,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":208,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"preview","aspRank":33,"critical":0,"earnings":167,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":167,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"i0x1982us","aspRank":34,"critical":0,"earnings":167,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":167,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"komane007","aspRank":35,"critical":0,"earnings":167,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":167,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"chupinexx","aspRank":36,"critical":0,"earnings":155,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":155,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"BYNNAI","aspRank":38,"critical":0,"earnings":129,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":129,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Carrot","aspRank":39,"critical":0,"earnings":129,"insights":0,"mediumLow":0,"a
llStarTier":"Non-ASP","totalEarnings":129,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"count_sum","aspRank":40,"critical":0,"earnings":129,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":129,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Bx4","aspRank":41,"critical":0,"earnings":105,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":105,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"xKeywordx","aspRank":46,"critical":0,"earnings":79,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":79,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Queerantagonism","aspRank":42,"critical":0,"earnings":76,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":76,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"DoD4uFN","aspRank":51,"critical":0,"earnings":73,"insights":1,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":73,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"chief_hunter888","aspRank":67,"critical":0,"earnings":72,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":72,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"failsafe_intern","aspRank":43,"critical":0,"earnings":70,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":70,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ehappyer","aspRank":68,"critical":0,"earnings":60,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":60,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"iamephraim","aspRank":44,"critical":0,"earnings":53,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":53,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"chinepun","aspRank":45,"critical":0,"earnings
":51,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":51,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"manvi","aspRank":52,"critical":0,"earnings":49,"insights":1,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":49,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"blacksaviour","aspRank":47,"critical":0,"earnings":43,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":43,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"hunterine123","aspRank":69,"critical":0,"earnings":36,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":36,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"cholakovvv","aspRank":48,"critical":0,"earnings":27,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":27,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"flora","aspRank":49,"critical":0,"earnings":27,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":27,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Bug82427","aspRank":50,"critical":0,"earnings":26,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":26,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Vanshika","aspRank":53,"critical":0,"earnings":10,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":10,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"v0id","aspRank":54,"critical":0,"earnings":10,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":10,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"lllll","aspRank":55,"critical":0,"earnings":10,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":10,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"KalyanSingh","aspRank":56,"critical":0
,"earnings":10,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":10,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"brivan","aspRank":57,"critical":0,"earnings":9,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":9,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ciphermalware","aspRank":58,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"zzkiel","aspRank":59,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"BBHGuild","aspRank":60,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"grearlake","aspRank":61,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"auditagent","aspRank":62,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Codexstar","aspRank":63,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Saediek","aspRank":64,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Sparrow_23","aspRank":65,"critical":0,"earnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"vah_13","aspRank":66,"critical":0,"ea
rnings":2,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":1,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":1,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0}],"boostedSummaryReport":"https://drive.google.com/drive/folders/1-hlKK5sopsKz3XdBQhRn7COtgOdRz1qT","ecosystem":null,"endDate":"2025-10-29T15:00:00.000Z","evaluationEndDate":"2026-01-16T10:00:00.000Z","features":["Boost","Managed Triage: Time Saver","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Cairo","Solidity"],"launchDate":"2025-10-20T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6wGxp3jPKUtCXRmcgiGkV0/0ae8a242923818caf5667db2bc0c9b9e/belong.png","maxBounty":30000,"outOfScopeAndRules":"To be 
determined","pocPerTypeAndSeverity":["smart_contract - medium","smart_contract - high","smart_contract - critical","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Belong is building the world’s first performance-based affiliate network for physical businesses, combining real-world experiences with on-chain technology to transform how venues, promoters, and customers interact. Through its flagship product, Belong CheckIn, venues pay only for verified customer visits and spending, ensuring marketing efforts directly translate to measurable outcomes. The platform rewards promoters with visit bounties and a share of customer spend, all tracked transparently on-chain and paid instantly in LONG tokens. With a seamless Web2.5 approach, Belong eliminates the need for crypto wallets, making blockchain participation accessible to everyone. Beyond CheckIn, the Belong ecosystem enables tokenized venues and events, AI-driven community engagement, location-verified rewards, and on-chain bounty programs that bridge digital and physical interactions. Available on Web, iOS, and Android, Belong is redefining how physical spaces connect with digital communities through trust, transparency, and automation.","programType":["Smart Contract"],"project":"Audit Comp | Belong","projectType":null,"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and include an All Star Pool and a Podium Pool reserved for [All Star Program](https://immunefi.com/allstars/) participants.\n\nRewards are denominated in USD and distributed in both USDC and $LONG token.\n\nThe reward pool is $30,000 USD if any bug is found. That means that even if 1 Low severity bug is found, the whole reward pool is unlocked and has to be fully distributed between security researchers. 
\n\nThe reward pool consists of $7.5k USDC on ETH and $22.5k $LONG token. The latter will be distributed among the leaderboard winners post TGE on October 29th with a 1 month cliff.\n\nIf not a single bug is found (Insights do not count as bugs), the reward pool is $4,500 USD of Max SR Rewards.","rewardsPool":30000,"primaryPool":21000,"allStarsPool":6000,"podiumPool":3000,"rewardsToken":"USDC","slug":"audit-comp-belong","tenPercentEconomicRule":false,"updatedDate":"2026-01-28T15:16:57.675Z","impactsBody":"**Build Commands, Test Commands, and How to Run Them**\n\nhttps://github.com/belongnet/checkin-contracts/tree/main/docs/guides\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope are valid.\n\n**Code Freeze Assurance**\n\nCode of the assets in scope is frozen while the program is live.\n\n**Duplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.**\n\nThe project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\n-----\n**Previous Audits**\n\nBelong’s completed audit reports can be found at https://hacken.io/audits/belong-net/. Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n------\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\nOnly the smart contracts in ./contracts/v2 should be audited. LONG.sol has been built with the OZ Wizard.\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nFactory has been updated from the previous version, which stored token and royalties receiver codes within itself. 
Currently, Factory utilises a minimal proxy clone deployment.\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\n- LONG.sol - ERC20\n- CreditToken.sol - ERC1155\n- AccessToken.sol - ERC721\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nBNB Smart Chain\n\n**What external dependencies are there?**\n\n- Solady library.\n- Uniswap/Pancakeswap V3.\n\n**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)**\n\nDocumentation can be found in: ./docs/ folder.","websiteUrl":"https://belong.net/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Belong is building the world’s first performance-based affiliate network for physical businesses, combining real-world experiences with on-chain technology to transform how venues, promoters, and customers interact.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":5751,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"},{"id":5752,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs for at least 24 hour"},{"id":5753,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"},{"id":5754,"type":"smart_contract","severity":"medium","title":"Temporary freezing of NFTs for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward 
Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"78IQm3mo1kScUgUbXKtXsa","url":"https://hacken.io/audits/belong-net/","auditor":"Hacken","date":"2024-11-15"}]},{"assets":[{"id":"1HuzXeFf6kok8Pkrvtv0sR","url":"https://github.com/babylonlabs-io/babylon-toolkit/tree/simple-staking/v1.4.6/packages/babylon-core-ui","type":"websites_and_applications","addedAt":"2025-11-26T07:44:35.758Z","revision":1,"description":"Core UI","isPrimacyOfImpact":null},{"id":"1QCvF2jhIbZ4bXaDwTw4fw","url":"https://github.com/babylonlabs-io/cli-tools/tree/v0.2.x/","type":"blockchain_dlt","addedAt":"2025-04-09T17:28:13.021Z","revision":2,"description":"Unbonding Pipeline Process","isPrimacyOfImpact":null},{"id":"2EQJ5GeOcZAEfT5xSae40q","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2025-04-09T17:31:39.538Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"2MGIv3bghRuIffi8BEIf2d","url":"https://github.com/babylonlabs-io/babylon-toolkit/tree/simple-staking/v1.4.6/services/simple-staking","type":"websites_and_applications","addedAt":"2025-11-26T07:44:33.729Z","revision":1,"description":"Staking dApp","isPrimacyOfImpact":null},{"id":"2RmvredMyPv4hy38ea1f8F","url":"https://github.com/babylonlabs-io/babylon-staking-indexer/releases/tag/v3.0.2","type":"websites_and_applications","addedAt":"2025-11-26T07:44:35.746Z","revision":1,"description":"Babylon Genesis and Bitcoin Indexer","isPrimacyOfImpact":null},{"id":"2WN7O3badYXxg4X4I09thz","url":"https://github.com/babylonlabs-io/babylon-toolkit/tree/simple-staking/v1.4.6/packages/babylon-proto-ts","type":"websites_and_applications","addedAt":"2025-11-26T07:44:35.522Z","revision":1,"description":"Babylon Proto 
Libraries","isPrimacyOfImpact":null},{"id":"4Y2URmKMK7Tvr5lgRXSw5B","url":"https://github.com/babylonlabs-io/vigilante/tree/release/v0.24.x","type":"blockchain_dlt","addedAt":"2025-11-14T08:17:42.168Z","revision":1,"description":"Vigilante","isPrimacyOfImpact":null},{"id":"4g0upQsI7sazaqLYW4gdGm","url":"https://github.com/babylonlabs-io/covenant-emulator/tree/release/v0.15.x","type":"blockchain_dlt","addedAt":"2025-04-09T17:30:24.635Z","revision":2,"description":"Covenant Emulator","isPrimacyOfImpact":null},{"id":"57L5B2e02LXYGH8DtLCLjX","url":"https://immunefi.com","type":"blockchain_dlt","addedAt":"2025-04-09T17:27:47.824Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"5awZi4KfVe4xMH45dyC4ws","url":"https://github.com/babylonlabs-io/finality-provider/tree/release/v2.x","type":"blockchain_dlt","addedAt":"2025-11-14T08:17:42.174Z","revision":1,"description":"Finality Provider Tool Set","isPrimacyOfImpact":null},{"id":"671cGIoGdZ2J9YNKOScDaD","url":"https://github.com/babylonlabs-io/babylon-toolkit/tree/simple-staking/v1.4.6/packages/babylon-wallet-connector","type":"websites_and_applications","addedAt":"2025-11-26T07:44:33.749Z","revision":1,"description":"Wallet Connect","isPrimacyOfImpact":null},{"id":"67xPgvMyUWgO2uF0m3ztSI","url":"https://github.com/babylonlabs-io/staking-expiry-checker/tree/release/v1.x","type":"blockchain_dlt","addedAt":"2025-04-09T17:28:44.762Z","revision":2,"description":"Staking Expiration Checker Micro-Service","isPrimacyOfImpact":null},{"id":"6Q9PrPU614EvfL7RcWH6SV","url":"https://github.com/babylonlabs-io/staking-queue-client/tree/release/v1.x","type":"blockchain_dlt","addedAt":"2025-04-09T17:29:05.800Z","revision":2,"description":"Staking Queue Client","isPrimacyOfImpact":null},{"id":"727tKHDvFBo6z4r80n9fjs","url":"https://github.com/babylonlabs-io/covenant-emulator/tree/release/v0.16.x","type":"blockchain_dlt","addedAt":"2025-11-14T08:17:42.186Z","revision":1,"description":"Covenant Emulator Signer 
Program","isPrimacyOfImpact":null},{"id":"7hvh4HDZ1Afo76vAGVCqP8","url":"https://github.com/babylonlabs-io/staking-api-service/releases/tag/v3.0.3","type":"websites_and_applications","addedAt":"2025-11-26T07:44:33.581Z","revision":1,"description":"Staking API Service","isPrimacyOfImpact":null},{"id":"qkYNebrSwBwEpTUwbi4qd","url":"https://github.com/babylonlabs-io/btc-staking-ts/releases/tag/v2.8.2","type":"websites_and_applications","addedAt":"2025-11-26T07:44:35.343Z","revision":1,"description":"TypeScript BTC Staking Library","isPrimacyOfImpact":null},{"id":"ukDOj50cUOHTqOxGm4nV3","url":"https://github.com/babylonlabs-io/babylon/tree/release/v4.2.x","type":"blockchain_dlt","addedAt":"2025-12-08T07:59:31.178Z","revision":1,"description":"Babylon Genesis chain node","isPrimacyOfImpact":null}],"assetsBodyV2":"Babylon Labs’ codebase can be found at [https://github.com/babylonlabs-io](https://github.com/babylonlabs-io). Documentation and further resources can be found on [https://docs.babylonlabs.io](https://docs.babylonlabs.io).\n\nBelow is general-purpose technical documentation on the Bitcoin Staking Protocol and the lock-only system operated by the current testnet. 
Documentation on individual components of the system can be found in the component repositories.\n\n- Our documentation website: [https://docs.babylonlabs.io](https://docs.babylonlabs.io)\n\n__Bitcoin Staking Protocol and Litepaper:__\n- [https://docs.babylonlabs.io/guides/research/btc_staking_litepaper/](https://docs.babylonlabs.io/guides/research/btc_staking_litepaper/)\n\n__Introductory reading:__\n\nBitcoin staking 101 Series:\n\n- [https://babylonlabs.io/blog/what-is-bitcoin-staking](https://babylonlabs.io/blog/what-is-bitcoin-staking)\n- [https://babylonlabs.io/blog/technical-preliminaries-of-bitcoin-staking](https://babylonlabs.io/blog/technical-preliminaries-of-bitcoin-staking)\n- [https://babylonlabs.io/blog/babylon-s-bitcoin-staking-contract](https://babylonlabs.io/blog/babylon-s-bitcoin-staking-contract)\n\n__Bitcoin Staking Scripts:__\n- [https://github.com/babylonlabs-io/babylon/blob/release/v1.x/docs/staking-script.md](https://github.com/babylonlabs-io/babylon/blob/release/v1.x/docs/staking-script.md)\n\n__Creating Bitcoin Staking Transactions:__\n- [https://github.com/babylonlabs-io/babylon/blob/release/v1.x/docs/transaction-impl-spec.md](https://github.com/babylonlabs-io/babylon/blob/release/v1.x/docs/transaction-impl-spec.md)\n\n__Registering Bitcoin Stakes:__\n- [https://github.com/babylonlabs-io/babylon/blob/release/v1.x/docs/register-bitcoin-stake.md](https://github.com/babylonlabs-io/babylon/blob/release/v1.x/docs/register-bitcoin-stake.md)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Bitcoin"],"endDate":null,"evaluationEndDate":null,"features":["Arbitration","Subscription Plan: Elite","Managed Triage: Signal 
Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Typescript","JavaScript","Rust"],"launchDate":"2024-09-16T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5ZuVO0D8rx9fzSoB5UVsx4/e5f38f1b93be6cb32b6255c21f6db81c/NEW_Babylon_Labs.png","maxBounty":500000,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low","blockchain_dlt - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Staking"],"programOverview":"Babylon introduces a new major utility for Bitcoin: trustless and self-custodial staking. The Babylon Bitcoin staking protocol turns Bitcoin into a stakable and slashable asset for any Proof-of-Stake system. This allows Bitcoin HODLERs to hold their Bitcoins while earning staking rewards from the PoS systems for the slashable security they provide, in the same way that native PoS token staking works.\n\nPhase 2 of Babylon marks the launch of Babylon Genesis, our Cosmos SDK-based chain. This includes complete feature implementation on the Babylon node (slashing and rewards), dashboard and API services, scalable infrastructure deployments, staker registration, Finality Provider coordination, and wallet support.\n\nFor more information about Babylon Labs Ltd. (“Babylon Labs”), please visit [https://babylonlabs.io](https://babylonlabs.io).\n\nBabylon Labs provides rewards in USDC on Ethereum and BABY on Babylon Genesis, denominated in USD. For more details about the payment process, please view the __Rewards by Threat Level__ section.\n\nThis bug bounty program will have a hard cap of **USD $3,000,000**. 
If multiple bug reports are submitted that exceed this amount, the rewards will be provided on a first come first served basis until that cap is reached.\n\n__KYC Requirement__\n\nBabylon Labs will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nAdditional or alternate KYC information may be required by Babylon Labs or its KYC services provider. If you are an entity, KYB information will be required. Security researchers will need to provide accurate and complete information in response to each such KYC or KYB request.\n\n__Primacy of Impact vs Primacy of Rules__\n\nBabylon Labs adheres to the Primacy of Impact for the following impacts:\n\n- Blockchain/DLT - Critical\n- Web/App - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.\n\n- Anything included as an open issue in the GitHub repositories.\n- A staker intentionally setting a very low Bitcoin fee might find their transaction stuck in the mempool or included in a Bitcoin block where different staking parameters apply.\n\n__Previous Audits__\n\nBabylon Labs’ completed audit reports can be found on our documentation [website](https://docs.babylonlabs.io/guides/security/audit_reports/). 
Any vulnerabilities mentioned in these reports, fixed or unfixed, are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Babylon Labs has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).\n\n__Additional Terms__\n\nAs a condition of your participation in Babylon Labs Bug Bounty Programs, including the submission of bug reports, you agree to be bound by the following terms and conditions in addition to any other terms and conditions that govern your participation. If you do not agree to these terms and conditions, you should not submit any bug report.\n\n1. Babylon Labs will determine the severity level and impact for each submission, whether any submission is within scope and eligible for a reward, and the amount of a reward within a stated range, in its reasonable discretion.\n\n2. Babylon Labs is not liable or responsible for any costs, fees, or expenses incurred by you in connection with this Bug Bounty Program. You acknowledge and agree that you shall be solely and exclusively responsible for the payment of any and all taxes, levies, duties, or similar governmental charges (collectively, \"Taxes\") that may arise in connection with any reward payments made to you. However, Babylon Labs may be required by applicable law to withhold or deduct any Taxes from payments.\n\n3. Babylon Labs is an express third-party beneficiary of the Security Researchers Terms & Conditions between you and Immunefi, and entitled to enforce the terms and conditions therein as if it were an original contracting party. Babylon Labs is the party designated to be the transferee of intellectual property rights under Section 7 of the Security Researchers Terms & Conditions.\n\n4. 
**Babylon Labs, its affiliates and licensors, and their respective directors, officers, and employees (collectively, “Babylon Parties”) will have no liability arising from or relating to your use of, or conduct in connection with this Bug Bounty Program or the Immunefi platform, other than Babylon Labs’ potential obligations to pay you a reward.  To the fullest extent permitted by applicable law, under no circumstances will any Babylon Parties be responsible or liable under any theory of liability, whether based in tort, contract, negligence, strict liability, warranty, or otherwise: (a) for any direct, indirect, exemplary, special, punitive, incidental, or consequential losses or damages of any kind, including without limitation, loss of profits arising from or relating to the bug bounty program or your use of the Immunefi platform.** The foregoing limitations apply even if Babylon Parties were advised of or should have known of the possibility of such losses or damages and notwithstanding any failure of essential purpose of any limited remedy. The foregoing limitations will apply even if the above stated remedy fails of its essential purpose. Some jurisdictions do not allow the limitation or exclusion of certain liabilities, and damages. Accordingly, some of the disclaimers and limitations set forth in this Agreement may not apply in full to you, but will apply to the fullest extent as permitted by applicable law.","programType":["Blockchain/DLT","Websites and Applications"],"project":"Babylon Labs","projectType":["Infrastructure"],"rewardsBody":"__Reward Calculation for Blockchain/DLT Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward __USD 500 000__. 
However, a minimum reward of __USD 20 000__ is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nAll other impacts that would be classified as Critical would be rewarded with a minimum of __USD 20 000__. The rest of the severity levels are paid out according to the Impact in Scope table.\n\n__Reward Calculation for Blockchain/DLT High Level Reports__\n\n- If the vulnerability can be demonstrated to cause temporary freezing (without actually being exploited) as defined in the impacts table, the reward doubles from the full frozen value for every additional **24h** that the funds are temporarily frozen, up to a max cap of the High reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Calculation for Web/Apps Critical Level Reports__\n\nCritical web/apps bug reports will be rewarded with __USD 100 000__, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Users' funds being permanently inaccessible involving an attack that does not require any user action\n- Unauthorized access to user funds due to a cryptographic or key management vulnerability\n\nAll other impacts that would be classified as Critical would be rewarded with a minimum of __USD 10 000__. \n\nThe rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Babylon Labs team directly and are denominated in USD. However, payments are done in USDC on Ethereum, BABY on Babylon Genesis or a mix as determined by Babylon Labs in its sole discretion. 
If payment or part of the payment is in BABY tokens the conversion price for the purposes of calculation shall be determined based on the arithmetic average of the daily closing prices of the BABY token over the immediately preceding fourteen (14) calendar days before the date of payment. The daily closing price for each day during the calculation period shall be obtained from the publicly available data published on Coingecko (https://www.coingecko.com/en/coins/babylon/historical_data). Babylon Labs shall perform the calculation in its sole but reasonable discretion.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC/BABY","slug":"babylon-labs","tenPercentEconomicRule":false,"updatedDate":"2026-01-28T13:04:30.873Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__For the Unbonding Pipeline Process, the following code components and branches are in-scope:__\n\nEverything here [https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/](https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/), except the following test commands:\n- createStakingTxCmd https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/cmd/createStakingTxCmd.go \n- createUnbondingTxCmd https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/cmd/createUnbondingTxCmd.go \n- createWithdrawTxCmd https://github.com/babylonlabs-io/cli-tools/blob/v0.2.x/cmd/createWithdrawTxCmg.go","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_official_contributor","no_employee","no_auditor","no_ofac_sdn"],"responsiblePublicationCategory":"category_3","description":"Babylon introduces a new major utility for Bitcoin: trustless and self-custodial staking. The Babylon Bitcoin staking protocol turns Bitcoin into a stakable and slashable asset for any Proof-of-Stake systems. 
This allows Bitcoin HODLERs to hold their Bitcoins while earning staking rewards from the PoS systems for the slashable security they provide, in the same way that native PoS token staking works.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. 
Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default state what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":"__Additional Blockchain/DLT Specific:__\n\n- Impacts involving centralization risks\n- Impacts involving Bitcoin not being live or safe.\n- Impacts involving the Babylon validator set not being live or safe.\n- Impacts involving the temporary downtime of relayers between Babylon and Bitcoin.\n- Impacts involving the submission of a large number of transactions to the Bitcoin ledger and their delayed inclusion.\n- Impacts involving >= ⅓ malicious finality voting power.\n- Impacts involving >= ⅓ malicious CometBFT voting power.\n- Impacts involving a quorum of the covenant committee being malicious.\n- Impacts preventing a quorum of the covenant committee from being reached due to a full quorum not being live.\n- Impacts involving the confirmation depth and finalization timeout 
parameters being set to an improperly low value.\n- Impacts involving a user’s staking transaction being included in a Bitcoin block in which different Bitcoin staking parameters than the ones the user used apply.\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles, third-party smart contracts or cloud services\n- Attempting phishing or other social engineering attacks against our employees, and/or customers, service providers and community members\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","customProhibitedActivities":[],"impacts":[{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":5467,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds"},{"id":5468,"type":"blockchain_dlt","severity":"critical","title":"Retrieve the private key of a covenant committee member"},{"id":5469,"type":"blockchain_dlt","severity":"critical","title":"Leakage of EOTS private keys without the holder double-signing"},{"id":5473,"type":"blockchain_dlt","severity":"high","title":"Generation of invalid EOTS keys"},{"id":5474,"type":"blockchain_dlt","severity":"high","title":"Generation of invalid EOTS key signatures / Invalid verification of EOTS key signatures"},{"id":5476,"type":"blockchain_dlt","severity":"high","title":"Inability to process new staking registrations and activate them for more than 12 hours without the chain being 
halted."},{"id":5480,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of funds for more than the staking timelock for a staking transaction or more than the unbonding timelock for an unbonding transaction."},{"id":5482,"type":"blockchain_dlt","severity":"high","title":"Staking back-end not processing a valid phase-1 unbonding request."},{"id":5483,"type":"blockchain_dlt","severity":"high","title":"Avoiding slashing despite malicious behavior"},{"id":5484,"type":"blockchain_dlt","severity":"high","title":"Causing loss of liveness of Bitcoin headers or Bitcoin checkpoints on the Babylon Genesis chain for more than 24h."},{"id":5485,"type":"blockchain_dlt","severity":"medium","title":"Causing a temporary (more than 1 hour) inability to process phase-1 unbonding requests"},{"id":5486,"type":"blockchain_dlt","severity":"medium","title":"Generation of staking transactions that cannot be confirmed by the Bitcoin ledger"},{"id":5487,"type":"blockchain_dlt","severity":"high","title":"Causing BTC and Babylon Genesis Chains to become out of sync for more than 100 blocks"},{"id":5488,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow database passwords blockchain keys  This does not include non-sensitive environment variables, open source code, or usernames etc with no operational impact."},{"id":5489,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Making trades"},{"id":5490,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":5491,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds or causing their 
freezing"},{"id":5492,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet without user interaction, such as:  Modifying transaction arguments or parameters Submitting malicious transactions"},{"id":5493,"type":"websites_and_applications","severity":"high","title":"Taking down the API/website"},{"id":5494,"type":"websites_and_applications","severity":"high","title":"Causing API to unable to process unbonding requests"},{"id":5495,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript Replacing existing text with arbitrary text Arbitrary file uploads, etc"},{"id":5496,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":5497,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as their stored pending transactions."},{"id":5498,"type":"websites_and_applications","severity":"medium","title":"Staking back-end having an invalid view of the status of a stake for more than 2 hours."},{"id":5499,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:  Reflected HTML injection Loading external site data"},{"id":5500,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":5501,"type":"websites_and_applications","severity":"medium","title":"Circumventing access restrictions on Web without using special tools"},{"id":5502,"type":"websites_and_applications","severity":"low","title":"Changing details of other 
users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:  Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":5503,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired Babylon-owned outgoing links, such as:  Social media handles, etc."},{"id":5504,"type":"websites_and_applications","severity":"low","title":"Temporarily preventing a user from accessing the target site, such as:  Locking up the victim from login Cookie bombing, etc."},{"id":5505,"type":"websites_and_applications","severity":"low","title":"Invalid calculation of TVL"},{"id":5506,"type":"websites_and_applications","severity":"low","title":"Incorrectly identifying a staking/unbonding transaction as expired"},{"id":5560,"type":"blockchain_dlt","severity":"high","title":"Chain halt"},{"id":5565,"type":"blockchain_dlt","severity":"low","title":"Causing temporary, minor or easily recoverable disruptions to normal Babylon Genesis chain operations"},{"id":5585,"type":"blockchain_dlt","severity":"high","title":"Inability for covenant signer to activate staking requests for more than 24h."},{"id":5586,"type":"blockchain_dlt","severity":"high","title":"Permanently halting the Bitcoin Staking finalization of blocks."},{"id":5587,"type":"blockchain_dlt","severity":"high","title":"Babylon node recognizes Bitcoin Staking protocol transactions and/or signatures as valid when they are invalid."},{"id":5588,"type":"blockchain_dlt","severity":"medium","title":"Babylon node recognizes Bitcoin Staking protocol transactions and/or signatures as invalid when they are 
valid."}],"rewards":[{"id":40014,"severity":"critical","assetType":"blockchain_dlt","maxReward":500000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":40015,"severity":"high","assetType":"blockchain_dlt","maxReward":15000,"minReward":6000,"rewardModel":"range"},{"id":40016,"severity":"medium","assetType":"blockchain_dlt","maxReward":5000,"minReward":1300,"rewardModel":"range"},{"id":40017,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":40018,"severity":"critical","assetType":"websites_and_applications","maxReward":70000,"minReward":10000,"rewardModel":"range","otherImpactMaxReward":0},{"id":40019,"severity":"high","assetType":"websites_and_applications","maxReward":7500,"rewardModel":"up_to"},{"id":40020,"severity":"medium","assetType":"websites_and_applications","fixedReward":3000,"rewardModel":"fixed"},{"id":40021,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1CpuhqJXzcxXVJfe1uan3a","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/storage_application","type":"blockchain_dlt","addedAt":"2024-04-18T14:59:38.052Z","revision":3,"description":"Storage Application","isPrimacyOfImpact":null},{"id":"1LkVDroyHFfJF0bY7jyLBT","url":"https://etherscan.io/address/0xECE8e30bFc92c2A8e11e6cb2e17B70868572E3f6#code","type":"smart_contract","addedAt":"2025-07-25T15:54:50.857Z","revision":2,"description":"EmergencyUpgradeBoard.sol","isPrimacyOfImpact":null},{"id":"1SN3LFalLZWVrGhdb6Zkjl","url":"https://etherscan.io/address/0xE30Dca3047B37dc7d88849dE4A4Dc07937ad5Ab3","type":"smart_contract","addedAt":"2025-07-25T15:53:32.431Z","revision":2,"description":"ProtocolUpgradeHandler proxy 
TransparentUpgradeableProxy.sol","isPrimacyOfImpact":null},{"id":"1UCQYBfAfo2DLYcjOmCOtS","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/ecrecover","type":"blockchain_dlt","addedAt":"2024-04-18T14:58:23.914Z","revision":3,"description":"EC Recover","isPrimacyOfImpact":null},{"id":"1ejHZJ5StKquSxdGihOAGS","url":"https://zksync2-mainnet-explorer.zksync.io/network_stats","type":"websites_and_applications","addedAt":"2023-03-10T17:00:00.000Z","revision":2,"description":"Block Explorer API","isPrimacyOfImpact":null},{"id":"1fL1otq8zNcdnGdRpCDqAy","url":"https://etherscan.io/address/0xECE8e30bFc92c2A8e11e6cb2e17B70868572E3f6#code","type":"smart_contract","addedAt":"2025-07-25T15:55:24.896Z","revision":2,"description":"EmergencyUpgradeBoard.sol","isPrimacyOfImpact":null},{"id":"1h13SonYwn6kusfCJicnuR","url":"https://etherscan.io/address/0xc6f08efb7ba78f40d00f41afac00211d59eb9431#code","type":"smart_contract","addedAt":"2025-01-22T13:35:12.982Z","revision":4,"description":"L1Nullifier.sol","isPrimacyOfImpact":null},{"id":"1oPvQt6zLUGVfHrf1aKat7","url":"https://zksync2-mainnet.zksync.io/","type":"websites_and_applications","addedAt":"2023-03-10T17:00:00.000Z","revision":2,"description":"WEB3 HTTP 
API","isPrimacyOfImpact":null},{"id":"1yfxRbfLtc9SHXMBiUy5la","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000000100#contract","type":"smart_contract","addedAt":"2024-06-13T13:29:34.935Z","revision":2,"description":"P256Verify","isPrimacyOfImpact":null},{"id":"201GJ8EW0XaU6UNxe3wOKX","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000000008#contract","type":"smart_contract","addedAt":"2024-06-13T13:29:01.643Z","revision":2,"description":"EcPairing","isPrimacyOfImpact":null},{"id":"28Gt0aqrqL2gI8bBPwzXvB","url":"https://etherscan.io/address/0x32400084c286cf3e17e7b677ea9583e60a000324","type":"smart_contract","addedAt":"2023-03-10T17:00:00.000Z","revision":2,"description":"DiamondProxy.sol","isPrimacyOfImpact":null},{"id":"2JWhzic26st9x1iYOxTc6U","url":"https://etherscan.io/address/0x303a465B659cBB0ab36eE643eA362c509EEb5213#code","type":"smart_contract","addedAt":"2025-01-22T13:37:18.596Z","revision":2,"description":"Bridgehub proxy TransparentUpgradeableProxy.sol","isPrimacyOfImpact":null},{"id":"2PfKL3H0ZNHxnigjFFr5c6","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/main_vm","type":"blockchain_dlt","addedAt":"2024-04-18T14:13:46.957Z","revision":3,"description":"Main 
vm","isPrimacyOfImpact":null},{"id":"2YMyPSROCqOzjammvrPm2U","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000000006#contract","type":"smart_contract","addedAt":"2024-04-18T13:56:43.418Z","revision":2,"description":"EcAdd","isPrimacyOfImpact":null},{"id":"2YTsHF6g858EWQgP9hoi8o","url":"https://github.com/matter-labs/era-contracts/blob/release-v28/system-contracts/contracts/DefaultAccount.sol","type":"smart_contract","addedAt":"2023-03-28T02:06:02.657Z","revision":5,"description":"DefaultAccount","isPrimacyOfImpact":null},{"id":"2ZqbGJGXcCCA7kxv0CnxRn","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000000007#contract","type":"smart_contract","addedAt":"2024-04-18T13:57:08.857Z","revision":2,"description":"EcMul","isPrimacyOfImpact":null},{"id":"2kZbZrJAb09Ew7EIIWCc5q","url":"https://github.com/matter-labs/zksync-crypto/tree/main/crates/snark-wrapper","type":"blockchain_dlt","addedAt":"2024-04-18T15:05:56.536Z","revision":2,"description":"SNARK wrapper","isPrimacyOfImpact":null},{"id":"2ocyMADl4TQ4e4zjZG5TWZ","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/transient_storage_validity_by_grand_product","type":"blockchain_dlt","addedAt":"2024-09-17T14:48:00.585Z","revision":2,"description":"Transient Storage","isPrimacyOfImpact":null},{"id":"2oz4cwnKp78mcsHFWM7lTi","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:27:48.424Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"2tXPvU3XwKkvYsnkKKhu1s","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008010#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:29.539Z","revision":4,"description":"Keccak256","isPrimacyOfImpact":null},{"id":"2wPM3INs0GPSIWjYLr2trg","url":"https://etherscan.io/address/0x08a98b1048fb61e9fff7d7d98305ac6286ae9f32#code","type":"smart_contract","addedAt":"2025-01-22T13:34:29.977Z","revision":3,"description":"Bridgehub.sol","isPrimacyOfImpact":null},{"id":"2zS2cRE2jvyQLKFayDpvbE","url":"https://etherscan.io/address/0x57891966931Eb4Bb6FB81430E6cE0A03AAbDe063","type":"smart_contract","addedAt":"2023-03-10T17:00:00.000Z","revision":2,"description":"L1ERC20Bridge proxy TransparentUpgradeableProxy.sol","isPrimacyOfImpact":null},{"id":"3125GQBGwftKPhyVDsPmn8","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/demux_log_queue","type":"blockchain_dlt","addedAt":"2024-04-18T14:59:01.047Z","revision":3,"description":"Log Demuxer","isPrimacyOfImpact":null},{"id":"32zDlTU5tScvP8HdHKuMlK","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/secp256r1_verify","type":"blockchain_dlt","addedAt":"2024-09-17T14:52:03.074Z","revision":2,"description":"Secp256r1 
verify","isPrimacyOfImpact":null},{"id":"3BbLKJ1e3YoVh9RRpN2qQw","url":"https://etherscan.io/address/0x431449e2a28A69122860A4956A3f7191eE15aFBC#code","type":"smart_contract","addedAt":"2023-03-10T17:00:00.000Z","revision":7,"description":"AdminFacet.sol","isPrimacyOfImpact":null},{"id":"3CD4d92PhImakn55St2hBl","url":"https://etherscan.io/address/0x2f116b9033d88Bb3Cf64C371AE5458fbA22BA39A#code","type":"smart_contract","addedAt":"2023-03-10T17:00:00.000Z","revision":7,"description":"ExecutorFacet.sol","isPrimacyOfImpact":null},{"id":"3MOaOCX0xku2CNfAA1JMUq","url":"https://explorer.zksync.io/address/0x76705327e682F2d96943280D99464Ab61219e34f#contract","type":"smart_contract","addedAt":"2025-07-25T15:55:55.265Z","revision":2,"description":"ZkProtocolGovernor.sol","isPrimacyOfImpact":null},{"id":"3ZGqrbqw9M2Kd59XJo5Jwb","url":"https://etherscan.io/address/0x365D0ae3ECA13004daf2A4ba1501c01AaEbb4fec#code","type":"smart_contract","addedAt":"2023-03-10T17:00:00.000Z","revision":7,"description":"MailboxFacet.sol","isPrimacyOfImpact":null},{"id":"3b9SE6vqFouLTNTlQ6kRrH","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000010006#contract","type":"smart_contract","addedAt":"2025-07-25T16:24:15.949Z","revision":2,"description":"SloadContract","isPrimacyOfImpact":null},{"id":"3e4E1Saw4aLx6jp4mZM2A3","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/fsm_input_output","type":"blockchain_dlt","addedAt":"2024-04-18T15:01:03.272Z","revision":3,"description":"Finite State Machine Input 
Output","isPrimacyOfImpact":null},{"id":"3hFzWCmrJ9Nh1UuoF4FqQs","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008006#contract","type":"smart_contract","addedAt":"2023-03-28T02:06:04.493Z","revision":3,"description":"ContractDeployer","isPrimacyOfImpact":null},{"id":"3vJLZJSuEk4fTLAgsIEuFe","url":"https://etherscan.io/address/0x345314c7e4af84b763d98d23f772622e23afb5ce#code","type":"smart_contract","addedAt":"2025-01-22T13:39:12.595Z","revision":3,"description":"ChainTypeManager.sol","isPrimacyOfImpact":null},{"id":"3wHeclCBMgdfaNdAcSKUq8","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000000002#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:27.081Z","revision":4,"description":"SHA256","isPrimacyOfImpact":null},{"id":"3wlESJFPIMA8mKs0tMkk4Y","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008011#contract","type":"smart_contract","addedAt":"2024-06-13T13:26:33.985Z","revision":2,"description":"PubdataChunkPublisher","isPrimacyOfImpact":null},{"id":"43D3t9zni7spmDMhHegaZG","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000000001#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:32.823Z","revision":4,"description":"Ecrecover","isPrimacyOfImpact":null},{"id":"4AR8H5M1wKWPOgBfTKSq9G","url":"https://etherscan.io/address/0x66E4431266DC7E04E7d8b7FE9d2181253df7F410#code","type":"smart_contract","addedAt":"2025-07-25T15:54:13.664Z","revision":2,"description":"SecurityCouncil.sol","isPrimacyOfImpact":null},{"id":"4BhR8BidNwNiNziu4qa6ze","url":"https://etherscan.io/address/0x0a67f0fd2f7523057039f14969fe23a5f620f19a#code","type":"smart_contract","addedAt":"2025-07-19T20:45:47.835Z","revision":2,"description":"ProtocolUpgradeHandler.sol","isPrimacyOfImpact":null},{"id":"4DjJphqxRe4rvSVeAoRzhS","url":"https://explorer.zksync.io/address/0x000000000000000000000000000000000000800d#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:
57.066Z","revision":4,"description":"EventWriter","isPrimacyOfImpact":null},{"id":"4IS55mwoAbgDsy6p60e4lt","url":"https://explorer.zksync.io/address/0x000000000000000000000000000000000000800e#contract","type":"smart_contract","addedAt":"2023-03-28T02:06:06.892Z","revision":4,"description":"Compressor","isPrimacyOfImpact":null},{"id":"4JkIYXxALzLzhhxNREp5sX","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000010001#contract","type":"smart_contract","addedAt":"2025-07-25T16:22:52.323Z","revision":2,"description":"L2GenesisUpgrade","isPrimacyOfImpact":null},{"id":"4K2P3nMviPgJNzhKFWt7Oo","url":"https://explorer.zksync.io/address/0x000000000000000000000000000000000000800c#contract","type":"smart_contract","addedAt":"2023-03-28T02:06:08.810Z","revision":3,"description":"BootloaderUtilities","isPrimacyOfImpact":null},{"id":"4PLtrRb4ODJgpWMwfWBqwz","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2023-10-05T15:27:50.222Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"4QAViAHl7CzNPp4RBgobWW","url":"https://etherscan.io/address/0xae5cbB5f70e134668a13d7C8EcEF5e9E6FffCF22#code","type":"smart_contract","addedAt":"2023-03-10T17:00:00.000Z","revision":7,"description":"GettersFacet.sol","isPrimacyOfImpact":null},{"id":"4QOOgcaiczrOAmtalOjrvd","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000010007#contract","type":"smart_contract","addedAt":"2025-07-25T16:24:36.430Z","revision":2,"description":"L2WrappedBaseToken","isPrimacyOfImpact":null},{"id":"5DxqgUPE6JLGNEtnK6yBcL","url":"https://explorer.zksync.io/address/0xC9E442574958f96C026DeF9a50C3236cab17428a#contract","type":"smart_contract","addedAt":"2025-07-25T16:19:38.399Z","revision":2,"description":"ZkGovOps 
TimelockController.sol","isPrimacyOfImpact":null},{"id":"5I4H5pPAvGbY7eRtrYzlwj","url":"https://etherscan.io/address/0x2dd3329a2ae9de60da02828a34f0cb6d6aff9142#code","type":"smart_contract","addedAt":"2023-03-10T17:00:00.000Z","revision":6,"description":"L1ERC20Bridge.sol","isPrimacyOfImpact":null},{"id":"5IrK35LRvY2eptJMCmvVDQ","url":"https://etherscan.io/address/0x600dA620Ab29F41ABC6596a15981e14cE58c86b8","type":"smart_contract","addedAt":"2025-07-25T15:53:53.071Z","revision":2,"description":"Guardians.sol","isPrimacyOfImpact":null},{"id":"5LKEQx6NVceqcI51pjNltL","url":"https://explorer.zksync.io/address/0xcc87d9e8525bc40afc11e79f637e1570d7e5ba46#contract","type":"smart_contract","addedAt":"2025-01-22T13:35:58.010Z","revision":3,"description":"L2SharedBridge.sol","isPrimacyOfImpact":null},{"id":"5VylA86DfswyBpu9Cqohmr","url":"https://explorer.zksync.io/address/0xb83FF6501214ddF40C91C9565d095400f3F45746#contract","type":"smart_contract","addedAt":"2025-07-25T16:07:19.381Z","revision":2,"description":"Smart Contract - ZkTokenGovernor.sol","isPrimacyOfImpact":null},{"id":"5nB4zrkjsJt82nySCmflRB","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/storage_validity_by_grand_product","type":"blockchain_dlt","addedAt":"2024-04-18T15:00:02.501Z","revision":3,"description":"Storage sorter","isPrimacyOfImpact":null},{"id":"5rLKAOZDL1NusNiQlPluuo","url":"https://etherscan.io/address/0xD7f9f54194C633F36CCD5F3da84ad4a1c38cB2cB#code","type":"smart_contract","addedAt":"2025-01-22T13:37:41.648Z","revision":3,"description":"L1Nullifier proxy 
TransparentUpgradeableProxy.sol","isPrimacyOfImpact":null},{"id":"5rtNAVSHC9KU4bA7bkE1le","url":"https://explorer.zksync.io/address/0x000000000000000000000000000000000000800f#contract","type":"smart_contract","addedAt":"2024-04-18T13:40:50.427Z","revision":1,"description":"ComplexUpgrader","isPrimacyOfImpact":null},{"id":"5tc3ew7zzBCfa2aWGplEVV","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008012#contract","type":"smart_contract","addedAt":"2024-06-13T13:27:41.676Z","revision":2,"description":"CodeOracle","isPrimacyOfImpact":null},{"id":"5xH4yze36e54dMN948saPZ","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000010005#contract","type":"smart_contract","addedAt":"2025-07-25T16:23:56.695Z","revision":2,"description":"MessageRoot","isPrimacyOfImpact":null},{"id":"5xYkErfuFZPpyXaZltWvvG","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008003#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:39.057Z","revision":3,"description":"NonceHolder","isPrimacyOfImpact":null},{"id":"5yMGCURUBDhhSXz3hHOh9n","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/eip_4844","type":"blockchain_dlt","addedAt":"2024-04-18T15:00:22.859Z","revision":3,"description":"Eip 
4844","isPrimacyOfImpact":null},{"id":"5zA8BCZzpzPtYbhTsuy2nt","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008008#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:46.989Z","revision":3,"description":"L1Messenger","isPrimacyOfImpact":null},{"id":"64BSzHttIAt10x5nCDj75x","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000010002#contract","type":"smart_contract","addedAt":"2025-07-25T16:23:14.502Z","revision":2,"description":"BridgeHub","isPrimacyOfImpact":null},{"id":"68MGyP2mMDhnQxJuSlc1MC","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/ram_permutation","type":"blockchain_dlt","addedAt":"2024-04-18T14:58:39.625Z","revision":3,"description":"RAM Permutation","isPrimacyOfImpact":null},{"id":"69TKLf0VwwxB9bsgzARJup","url":"https://etherscan.io/address/0x8c0bfc04ada21fd496c55b8c50331f904306f564","type":"smart_contract","addedAt":"2023-03-28T02:06:16.210Z","revision":5,"description":"ValidatorTimelock","isPrimacyOfImpact":null},{"id":"6BaacyTpaAVr62RzRAwfMm","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008004#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:49.938Z","revision":3,"description":"KnownCodesStorage","isPrimacyOfImpact":null},{"id":"6EQ2jlAKf9UT2gqhhusTN8","url":"https://explorer.zksync.io/","type":"websites_and_applications","addedAt":"2023-03-10T17:00:00.000Z","revision":2,"description":"zkSync Era Block 
Explorer","isPrimacyOfImpact":null},{"id":"6FPUMjWF1l4SvJqDqLM7ym","url":"https://etherscan.io/address/0x06aa7a7B07108F7C5539645e32DD5c21cBF9EB66#code","type":"smart_contract","addedAt":"2025-07-19T15:45:01.574Z","revision":2,"description":"PlonkVerifier.sol","isPrimacyOfImpact":null},{"id":"6HWyejDftep8ViU7QYC6YJ","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008005#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:54.493Z","revision":3,"description":"ImmutableSimulator","isPrimacyOfImpact":null},{"id":"6QtfLfAgcwyv0O6K5WALm0","url":"https://explorer.zksync.io/address/0x000000000000000000000000000000000000800a#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:44.720Z","revision":4,"description":"L2BaseToken","isPrimacyOfImpact":null},{"id":"6UOTwRJYvmPHrQOy8tITXG","url":"https://zksync2-mainnet.zksync.io/ws","type":"websites_and_applications","addedAt":"2023-03-10T17:00:00.000Z","revision":3,"description":"WEB3 WebSocket API","isPrimacyOfImpact":null},{"id":"6ZavAk6DhU54PZ84kUp8Xq","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src","type":"blockchain_dlt","addedAt":"2024-04-18T15:05:38.187Z","revision":3,"description":"Supplementary code","isPrimacyOfImpact":null},{"id":"6bJijzVvclpb0oZFICFQUA","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/sha256_round_function","type":"blockchain_dlt","addedAt":"2024-04-18T14:58:08.788Z","revision":3,"description":"SHA256","isPrimacyOfImpact":null},{"id":"6dFGTW1Kg5jl0sMQLC1Igi","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/linear_hasher","type":"blockchain_dlt","addedAt":"2024-04-18T15:00:43.316Z","revision":3,"description":"Linear 
Hasher","isPrimacyOfImpact":null},{"id":"6fA5h0MbZaecjfnzuhpEq2","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000000000#contract","type":"smart_contract","addedAt":"2023-03-28T02:06:00.342Z","revision":3,"description":"EmptyContract","isPrimacyOfImpact":null},{"id":"6i1KEciDO8qBnLfsmU9goR","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008002#contract","type":"smart_contract","addedAt":"2023-03-28T02:06:10.955Z","revision":3,"description":"AccountCodeStorage","isPrimacyOfImpact":null},{"id":"6t7mv3bw32x27gDBJbanay","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000008009#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:41.663Z","revision":3,"description":"MsgValueSimulator","isPrimacyOfImpact":null},{"id":"6woobg9z3wKKTDWLmn44Jf","url":"https://github.com/matter-labs/era-contracts/blob/release-v28/system-contracts/bootloader/bootloader.yul","type":"smart_contract","addedAt":"2023-03-28T02:06:14.184Z","revision":5,"description":"Bootloader","isPrimacyOfImpact":null},{"id":"757PVfSBlKinLinPORA2Wu","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000010003#contract","type":"smart_contract","addedAt":"2025-07-25T16:23:27.997Z","revision":2,"description":"L2AssetRouter","isPrimacyOfImpact":null},{"id":"75qSjPRnBvgEtT3uEm9MW3","url":"https://explorer.zksync.io/address/0x085b8B6407f150D62adB1EF926F7f304600ec714#contract","type":"smart_contract","addedAt":"2025-07-25T15:56:30.391Z","revision":2,"description":"ZkProtocol 
TimelockController.sol","isPrimacyOfImpact":null},{"id":"763kZLNTXippImzoqealr5","url":"https://etherscan.io/address/0xD5dBE903F5382B052317D326FA1a7B63710C6a5b#code","type":"smart_contract","addedAt":"2025-07-19T15:43:16.199Z","revision":3,"description":"L1VerifierFflonk.sol","isPrimacyOfImpact":null},{"id":"76Stj0wWRGgUoKY12ku2Me","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/code_unpacker_sha256","type":"blockchain_dlt","addedAt":"2024-04-18T14:57:36.269Z","revision":4,"description":"Code unpacker","isPrimacyOfImpact":null},{"id":"7EyAgSgK1098R9ihp0nn8M","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/log_sorter","type":"blockchain_dlt","addedAt":"2024-04-18T14:59:22.477Z","revision":3,"description":"Events sorter (L1Messages)","isPrimacyOfImpact":null},{"id":"7crv6pshsAro7hRgzetsNf","url":"https://explorer.zksync.io/address/0x01a6715d3560241e09e865a46122bf347a576c09#contract","type":"smart_contract","addedAt":"2025-07-25T16:20:53.525Z","revision":2,"description":"ZkToken.sol","isPrimacyOfImpact":null},{"id":"7dMIvXvMfEycwgGm6qYw31","url":"https://etherscan.io/address/0x53F5DE9De3B2DA90633a2c74BEb3b9912cdd1579#code","type":"smart_contract","addedAt":"2023-03-10T17:00:00.000Z","revision":7,"description":"DualVerifier.sol","isPrimacyOfImpact":null},{"id":"7gMVOBDAFmZTYukYAeyz7e","url":"https://etherscan.io/address/0xc2eE6b6af7d616f6e27ce7F4A451Aedc2b0F5f5C#code","type":"smart_contract","addedAt":"2025-01-22T13:38:31.804Z","revision":3,"description":"ChainTypeManagerr proxy TransparentUpgradeableProxy.sol","isPrimacyOfImpact":null},{"id":"7y2jSMkwi7lMHz59PS3uIn","url":"https://explorer.zksync.io/address/0x5A7d6b2F92C77FAD6CCaBd7EE0624E64907Eaf3E#contract","type":"smart_contract","addedAt":"2025-07-25T16:20:02.904Z","revision":2,"description":"ZkToken proxy 
TransparentUpgradeableProxy.sol","isPrimacyOfImpact":null},{"id":"7z1AM1yaK0hVfWxC1jh4vU","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/scheduler","type":"blockchain_dlt","addedAt":"2024-04-18T15:05:12.895Z","revision":3,"description":"Scheduler","isPrimacyOfImpact":null},{"id":"H3VJhB24w4GtMq5F0dUzK","url":"https://explorer.zksync.io/address/0xe5d21A9179CA2E1F0F327d598D464CcF60d89c3d#contract","type":"smart_contract","addedAt":"2025-07-25T16:08:11.244Z","revision":2,"description":"ZkToken TimelockController.sol","isPrimacyOfImpact":null},{"id":"Q9kYpJoUirm3X7P7WVvqv","url":"https://portal.zksync.io/","type":"websites_and_applications","addedAt":"2023-03-10T17:00:00.000Z","revision":2,"description":"zkSync Era Portal","isPrimacyOfImpact":null},{"id":"RFhNcruj55g4ZI7jAnesJ","url":"https://explorer.zksync.io/address/0x11f943b2c77b743AB90f4A0Ae7d5A4e7FCA3E102#contract","type":"smart_contract","addedAt":"2025-01-22T13:38:07.537Z","revision":2,"description":"L2SharedBridge proxy 
TransparentUpgradeableProxy.sol","isPrimacyOfImpact":null},{"id":"WWmvsRJb44ni7FVVXwDod","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000010000#contract","type":"smart_contract","addedAt":"2024-06-13T13:25:01.080Z","revision":2,"description":"Create2Factory","isPrimacyOfImpact":null},{"id":"XsEYq3GSjno4mkbSyyOFi","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/keccak256_round_function","type":"blockchain_dlt","addedAt":"2024-04-18T14:57:53.059Z","revision":3,"description":"Keccak","isPrimacyOfImpact":null},{"id":"gSE535R7nqAVApfCNohwG","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/recursion","type":"blockchain_dlt","addedAt":"2024-04-18T15:04:53.601Z","revision":3,"description":"Recursion","isPrimacyOfImpact":null},{"id":"hM5ov8JPyLEypQYcHE6yi","url":"https://explorer.zksync.io/address/0x000000000000000000000000000000000000800b#contract","type":"smart_contract","addedAt":"2023-03-28T02:05:36.285Z","revision":3,"description":"SystemContext","isPrimacyOfImpact":null},{"id":"jNn5ApsPtqSM4IXYiPaa9","url":"https://explorer.zksync.io/address/0x0000000000000000000000000000000000010004#contract","type":"smart_contract","addedAt":"2025-07-25T16:23:42.200Z","revision":2,"description":"L2NativeTokenVault","isPrimacyOfImpact":null},{"id":"wxo9L0G7mQvOunGLeopiJ","url":"https://github.com/matter-labs/zksync-protocol/tree/main/crates/zkevm_circuits/src/sort_decommittment_requests","type":"blockchain_dlt","addedAt":"2024-04-18T14:57:19.103Z","revision":3,"description":"Code decommitment sorter","isPrimacyOfImpact":null}],"assetsBodyV2":"- __Smart Contracts - PoC__, Smart Contract bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.  
\n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- __Web/App__ - Bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact. All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All PoC content must adhere to the [PoC guidelines and rules of Immunefi](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). In the event that a PoC requires an attack on a web/app asset provided, they must still adhere to the rules provided, otherwise eligibility for a reward may be revoked. \n\n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\nWhitehats we highly encourage you to review any potential subdomains and what specific port(s) are in scope. Even though the domain may be the same, different ports may point to different assets.  
\n\n__Dev Environment and Documentation:__\n\nZKsync has included dev documentation and/or instructions to help in reviewing code and exploring for bugs:\n\n- [https://github.com/matter-labs/zksync-era](https://github.com/matter-labs/zksync-era)\n- [https://github.com/matter-labs/era-contracts](https://github.com/matter-labs/era-contracts)\n- [https://github.com/matter-labs/era-zkevm_circuits](https://github.com/matter-labs/era-zkevm_circuits)\n- [https://github.com/matter-labs/era-zkevm_opcode_defs](https://github.com/matter-labs/era-zkevm_opcode_defs)\n- [https://github.com/matter-labs/era-zkEVM-assembly](https://github.com/matter-labs/era-zkEVM-assembly)\n- [https://github.com/matter-labs/era-zkevm_test_harness](https://github.com/matter-labs/era-zkevm_test_harness)\n- [https://github.com/matter-labs/era-zk_evm](https://github.com/matter-labs/era-zk_evm)\n\n__Impacts to other assets:__\n\nHackers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. \n\nIf whitehats can demonstrate a critical and high impact for an asset not in scope, ZKsync encourages you to submit your bug report using the “primacy of impact exception” asset.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","zkSync"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity","Yul"],"launchDate":"2023-03-10T17:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5C91MGheTJXJfhYXd7Jjry/89c1af83fcb8de564462eb5e0e727012/era-arrows-white__1_.png","maxBounty":1100000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","blockchain_dlt - critical","blockchain_dlt - 
high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L2"],"programOverview":"ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum without compromising on security or decentralization. Since it's EVM compatible (Solidity/Vyper), 99% of Ethereum projects can redeploy without refactoring or re-auditing a single line of code. ZKsync Era also uses an LLVM-based compiler that will eventually let developers write smart contracts in C++, Rust and other popular languages.\n\nFor more information about ZKsync Era, please visit [https://zksync.io/](https://zksync.io/)\n\n__For Whitehats__: It is highly recommended that you review the details of this program in full. Although many Bug Bounty programs have standard terms and conditions, each also has its own unique details that are critical to your success. \n\nPrior to submitting a report please review the Immunefi [Bug Report Template and Best Practices. ](https://immunefisupport.zendesk.com/hc/en-us/articles/12435277406481-Bug-Report-Template)","programType":["Smart Contract","Websites and Applications","Blockchain/DLT"],"project":"ZKsync Era","projectType":["Blockchain"],"rewardsBody":"__Reward Distribution:__\n\nPlease review how rewards are distributed based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/) This is a simplified 5-level scale system with separate scales for Smart Contracts and Websites/Apps.\n\n__Payouts and Payout Requirements:__\n\nRewards for critical smart contract bug reports will be further capped at 10% of direct funds at risk based on the PoC provided. 
However, there is a minimum reward of __USD 100 000__.\n\nFor the project's bug bounty program, high-severity smart contract vulnerability rewards are determined according to an internal set of criteria established by the team. These criteria take into account the exploitability, impact, and probability of the vulnerability occurring, with special consideration given to bug reports that require multiple conditions not currently in place. There is a minimum reward of __USD 20,000__ for high-severity level vulnerabilities, and the maximum reward is capped at 100% of the affected funds, up to the max high cap, whichever is lower.\n\nPayouts are handled by the ZKsync team directly and are denominated in USD. However, payouts are done in USDC (ZKsync Era). ZKsync commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures. \n\nFor the purposes of determining report validity, this is a Primacy of Impact program. \n\nLearn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules. ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\n__KYC Requirements:__\n\nzkSync Era has a Know Your Customer (KYC) requirement for bug bounty payouts. Government identification is required for the KYC process.\n\n__Audit Discoveries and Known Issues:__\n\nBug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. 
\n\nPrevious audits and known issues can be found at:\n- [https://docs.zksync.io/zksync-protocol/security/audits](https://docs.zksync.io/zksync-protocol/security/audits)\nA separate note on the fee model: ZKsync has different gas prices per opcodes than Ethereum. Also, it is known that since gasPerPubdataByte is fluctuating, it may lead for gasLimits to not be reliable in the middle/long-term. \n\nThe fee model is still in development and so the operator may not be fully compensated. The impact of griefing attacks will be evaluated based on the ratio between funds spent by the attacker and the funds spent by the operator.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"zksyncera","updatedDate":"2026-01-23T10:23:53.567Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum without compromising on security or decentralization. Since it's EVM compatible (Solidity/Vyper), 99% of Ethereum projects can redeploy without refactoring or re-auditing a single line of code.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Broken link hijacking is out of scope\n- Attacks requiring changing the verifier key\n\n","customProhibitedActivities":["The following activities are prohibited by this bug bounty program. Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team, which may also result in: 1) the forfeiture and loss of access to all bug submissions, and 2) zero payout.","Please note that Immunefi has no tolerance for spam/low-quality/incomplete bug reports, “beg bounty” behavior, and misrepresentation of assets and severity. Immunefi exists to protect the global crypto community, not facilitate grift."],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":3947,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds (that can be fixed by upgrade)"},{"id":3948,"type":"smart_contract","severity":"high","title":"Permanent stopping the priority queue"},{"id":3949,"type":"smart_contract","severity":"high","title":"Theft of user fees"},{"id":3950,"type":"websites_and_applications","severity":"high","title":"Contract verification bypass"},{"id":3951,"type":"websites_and_applications","severity":"high","title":"Misrepresentation of the transaction data that may lead to misleading third party users (e.g. 
manipulating transaction event log representation, transfer amount, etc)"},{"id":3952,"type":"websites_and_applications","severity":"high","title":"Misrepresentation of the transaction data that may lead to misleading API users (e.g. manipulating transaction event log representation, transfer amount, etc)"},{"id":3953,"type":"blockchain_dlt","severity":"high","title":"Difference between implementation outside of the circuit and within the circuit, where the in-circuit implementation is accurate (e.g. overconstraint in the circuit)"},{"id":3954,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":3955,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion"},{"id":3956,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds (that cannot be fixed by upgrade)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":3957,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as: database passwords, blockchain keys, etc (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of 
funds"}],"rewards":[{"id":39975,"severity":"critical","assetType":"blockchain_dlt","fixedReward":50000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":39976,"severity":"high","assetType":"blockchain_dlt","fixedReward":15000,"rewardModel":"fixed"},{"id":39977,"severity":"critical","assetType":"smart_contract","maxReward":1100000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39978,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":20000,"rewardModel":"range"},{"id":39979,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":39980,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":39981,"severity":"critical","assetType":"websites_and_applications","fixedReward":20000,"rewardModel":"fixed"},{"id":39982,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1HWax05ZGVCUGhWL0sNHQM","url":"https://snowtrace.io/address/0xd586e7f844cea2f87f50152665bcbc2c279d8d70","type":"smart_contract","addedAt":"2023-12-04T13:15:40.833Z","revision":3,"description":"DAI.e","isPrimacyOfImpact":null},{"id":"1flWTR2OvWjPPi1az8Tt3n","url":"https://snowtrace.io/address/0xa7d7079b0fead91f3e65f86e8915cb59c1a4c664","type":"smart_contract","addedAt":"2023-12-04T13:15:16.970Z","revision":3,"description":"USDC.e","isPrimacyOfImpact":null},{"id":"1qbqO5aROx4gA3BfPlOBTS","url":"https://snowtrace.io/address/0x98443b96ea4b0858fdf3219cd13e98c7a4690588","type":"smart_contract","addedAt":"2023-12-04T13:15:49.567Z","revision":3,"description":"BAT.e","isPrimacyOfImpact":null},{"id":"1tvW4As5gr8ACPLxaa3Tsr","url":"https://github.com/ava-labs/icm-services","type":"blockchain_dlt","addedAt":"2025-12-04T07:04:18.963Z","revision":1,"description":"ICM 
Services","isPrimacyOfImpact":null},{"id":"1wvzTXLfwkDOtaHHkdaCt0","url":"https://snowtrace.io/address/0x49d5c2bdffac6ce2bfdb6640f4f80f226bc10bab","type":"smart_contract","addedAt":"2023-12-04T13:15:10.421Z","revision":3,"description":"WETH.e","isPrimacyOfImpact":null},{"id":"2pCWkETonU4qiNx6OfqNNa","url":"https://snowtrace.io/address/0x152b9d0fdc40c096757f570a51e494bd4b943e50","type":"smart_contract","addedAt":"2023-12-04T13:15:56.856Z","revision":3,"description":"BTC.b","isPrimacyOfImpact":null},{"id":"303VpJ6azWQqzL1m8gFc3C","url":"https://snowtrace.io/address/0x8ebaf22b6f053dffeaf46f4dd9efa95d89ba8580","type":"smart_contract","addedAt":"2023-12-04T13:15:18.744Z","revision":3,"description":"UNI.e","isPrimacyOfImpact":null},{"id":"3D66pzjjY4ZQoWUKbCKMFT","url":"https://snowtrace.io/address/0x9eaac1b23d935365bd7b542fe22ceee2922f52dc","type":"smart_contract","addedAt":"2023-12-04T13:15:05.712Z","revision":3,"description":"YFI.e","isPrimacyOfImpact":null},{"id":"3SXvrmimAdSebEv95DuW2D","url":"https://snowtrace.io/address/0x3bd2b1c7ed8d396dbb98ded3aebb41350a5b2339","type":"smart_contract","addedAt":"2023-12-04T13:15:20.599Z","revision":3,"description":"UMA.e","isPrimacyOfImpact":null},{"id":"3vT5WjlvgH6dGs9tWT5i0g","url":"https://snowtrace.io/address/0x50b7545627a5162f82a992c33b87adc75187b218","type":"smart_contract","addedAt":"2023-12-04T13:15:12.951Z","revision":3,"description":"WBTC.e","isPrimacyOfImpact":null},{"id":"4ZKI36VprcDk6GRzjV5RQm","url":"https://snowtrace.io/address/0xbec243c995409e6520d7c41e404da5deba4b209b","type":"smart_contract","addedAt":"2023-12-04T13:15:27.246Z","revision":3,"description":"SNX.e","isPrimacyOfImpact":null},{"id":"50thggwLxDBTiMYDO1RTJV","url":"https://snowtrace.io/address/0x8a0cac13c7da965a312f08ea4229c37869e85cb9","type":"smart_contract","addedAt":"2023-12-04T13:15:38.007Z","revision":3,"description":"GRT.e","isPrimacyOfImpact":null},{"id":"5zAUwdBO34NLsHv6rX1eVU","url":"https://snowtrace.io/address/0x37b608519f91f70f2eeb0e5ed9af4
061722e4f76","type":"smart_contract","addedAt":"2023-12-04T13:15:25.328Z","revision":3,"description":"SUSHI.e","isPrimacyOfImpact":null},{"id":"5zNkny0rIozPMVEyMgrdQ","url":"https://snowtrace.io/address/0x88128fd4b259552a9a1d457f435a6527aab72d42","type":"smart_contract","addedAt":"2023-12-04T13:15:33.061Z","revision":3,"description":"MKR.e","isPrimacyOfImpact":null},{"id":"6A2KBSTFqpYTjX7Xisygks","url":"https://snowtrace.io/address/0xc7b5d72c836e718cda8888eaf03707faef675079","type":"smart_contract","addedAt":"2023-12-04T13:15:22.520Z","revision":3,"description":"SWAP.e","isPrimacyOfImpact":null},{"id":"6DnCkoszIzNpBiNA4STVyF","url":"https://snowtrace.io/address/0xc3048e19e76cb9a3aa9d77d8c03c29fc906e2437","type":"smart_contract","addedAt":"2023-12-04T13:15:45.185Z","revision":3,"description":"COMP.e","isPrimacyOfImpact":null},{"id":"6Nw0jaM43mIuuZBq1noYb","url":"https://snowtrace.io/address/0xc7198437980c041c805a1edcba50c1ce5db95118","type":"smart_contract","addedAt":"2023-12-04T13:15:15.027Z","revision":3,"description":"USDT.e","isPrimacyOfImpact":null},{"id":"6UXY9PFLO4UIHob0AibX1M","url":"https://snowtrace.io/address/0x5947bb275c521040051d82396192181b413227a3","type":"smart_contract","addedAt":"2023-12-04T13:15:36.211Z","revision":3,"description":"LINK.e","isPrimacyOfImpact":null},{"id":"6Y5IS4uUfLSQCq5OT583vz","url":"https://snowtrace.io/address/0x63a72806098bd3d9520cc43356dd78afe5d386d9","type":"smart_contract","addedAt":"2023-12-04T13:15:53.103Z","revision":6,"description":null,"isPrimacyOfImpact":null},{"id":"6xnlVXQjtTW4z6FDrJyJet","url":"https://github.com/ava-labs/avalanchego","type":"blockchain_dlt","addedAt":"2023-12-04T13:06:35.666Z","revision":5,"description":" AvalancheGo","isPrimacyOfImpact":null},{"id":"7bGs3OcOwiTY2vZGRTdHLv","url":"https://snowtrace.io/address/0x596fa47043f99a4e0f122243b841e55375cde0d2","type":"smart_contract","addedAt":"2023-12-04T13:15:03.878Z","revision":6,"description":" 
ZRX.e","isPrimacyOfImpact":null},{"id":"7lQrlXxrZhiy7ef0VObv96","url":"https://snowtrace.io/address/0x02d980a0d7af3fb7cf7df8cb35d9edbcf355f665","type":"smart_contract","addedAt":"2023-12-04T13:15:29.159Z","revision":3,"description":"SHIB.e","isPrimacyOfImpact":null},{"id":"7oKth99H19D5zc5xAiF4ZP","url":"https://snowtrace.io/address/0x19860ccb0a68fd4213ab9d8266f7bbf05a8dde98","type":"smart_contract","addedAt":"2023-12-04T13:15:47.758Z","revision":3,"description":"BUSD.e","isPrimacyOfImpact":null},{"id":"7rj46oO8zhV0cjm0bXrntM","url":"https://github.com/ava-labs/libevm","type":"blockchain_dlt","addedAt":"2025-12-08T08:06:46.619Z","revision":1,"description":"libevm","isPrimacyOfImpact":null},{"id":"HZzFVxAP3QbZvlCdMVKwn","url":"https://snowtrace.io/address/0xd501281565bf7789224523144fe5d98e8b28f267","type":"smart_contract","addedAt":"2023-12-04T13:15:54.891Z","revision":3,"description":"1inch.e","isPrimacyOfImpact":null},{"id":"QkEQBxjK0VDa0WhuuCRGF","url":"https://snowtrace.io/address/0x249848beca43ac405b8102ec90dd5f22ca513c06","type":"smart_contract","addedAt":"2023-12-04T13:15:42.860Z","revision":3,"description":"CRV.e","isPrimacyOfImpact":null},{"id":"Y2jqBFo1hI1q6aVYAxIkN","url":"https://snowtrace.io/address/address/0x2147efff675e4a4ee1c2f918d181cdbd7a8e208f","type":"smart_contract","addedAt":"2023-12-04T13:15:51.343Z","revision":3,"description":"ALPHA.e","isPrimacyOfImpact":null},{"id":"w3pve0pkm8YdtRV3FP226","url":"https://snowtrace.io/address/0xabc9547b534519ff73921b1fba6e672b5f58d083","type":"smart_contract","addedAt":"2023-12-04T13:15:07.929Z","revision":3,"description":"WOO.e","isPrimacyOfImpact":null}],"assetsBodyV2":"Ava Labs’s codebase can be found at [https://github.com/ava-labs](https://github.com/ava-labs). Documentation and further resources can be found on [https://docs.avax.network/](https://docs.avax.network/). 
For details on standing up a local test network, see [https://docs.avax.network/tooling/network-runner](https://docs.avax.network/tooling/network-runner).\n\n**libevm and avalanchego/graft**\n- If a bug is publicly disclosed in [ethereum/go-ethereum](https://github.com/ethereum/go-ethereum), that bug is considered out-of-scope in this program.\n- The following issues are considered out of scope:\n    - Network-level Denial-of-Service (TCP/IP/P2P)\n    - Misconfigurations of AvalancheGo nodes currently running on the Avalanche Network\n    - Denial-of-Service, OOM, or panic on any API exposed by AvalancheGo\n    - Any usage of the node's HTTP API through intended mediums. Intended mediums include usage:\n        - requiring direct machine access\n        - through explicitly opened RPC ports\n        - This includes the ability to send HTTP requests that cause node panics, OOMs, increased disk usage, or causing the node to become unhealthy.\n    - Consensus liveness failure requiring network control.\n    - Ex: BGP hijacking attacks\n    - Preventing a node from properly connecting to the P2P network due to brute force networking DoS vectors.\n    - Ex: Syn attacking a specific node with a botnet.\n    - Unintended node behavior caused by local disk failures.\n    - Unintended node behavior caused by unusual node configuration deviating from best practices for node configurations\n    - Compile time or runtime errors due to using unsupported hardware or operating systems.\n    - Inability to automatically perform NAT-hole punching on specific router hardware.\n\nEven if a bug is considered out-of-scope but you feel it should be disclosed privately, we appreciate any and all informational disclosures through this portal. Thanks for your responsible disclosure! 
\n\nBlockchain/DLT - ICM Services: Excluding tests","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2023-12-03T22:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5fRxILLIATvLUm99ia2pOU/4e6a64dbb5b672f8f7dd6960bfaa324e/Avalanche_AVAX_Black.png","maxBounty":100000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L1","Services"],"programOverview":"Ava Labs __Avalanche Protocol__\n\nAva Labs makes it simple to deploy high-performance solutions for Web3, led by innovations on Avalanche. The company was founded by Cornell computer scientists, who partnered with Wall Street veterans and early Web3 leaders to execute a promising vision for redefining the way people build and use open, permissionless networks. Ava Labs is redefining the way people create value with Web3.\n\nFor more information about Ava Labs, please visit [https://www.avalabs.org/](https://www.avalabs.org/)\n\nAva Labs provides rewards in __USDC__ and locked __AVAX__, denominated in __USD__. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nAva Labs will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n  - Full name \n  - Date of birth\n  - Proof of address (either a redacted bank statement with address or a recent utility bill)\n  - Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nAva Labs adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nAva Labs’s completed audit reports can be found in the following link:\n\n  - [https://github.com/ava-labs/audits](https://github.com/ava-labs/audits)\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Ava Labs has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Blockchain/DLT","Smart Contract"],"project":"Ava Labs Avalanche","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). 
\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward USD $100,000.\nFor critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows: \n\n  - Network not being able to confirm new transactions (total network shutdown)\nUSD $100,000\n  - Unintended permanent chain split requiring hard fork (network partition requiring hard fork)\nUSD $100,000\n  - Permanent freezing of funds (fix requires hardfork)\nUSD $100,000\n\nFor high Blockchain/DLT non-funds-at risk impacts, the reward will be paid out as follows: \n\n  - Causing network processing nodes to process transactions from the mempool beyond set parameters\nUSD $5,000\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nNOTE: Smart contracts deployed by third-parties on Avalanche are EXPLICITLY OUT OF SCOPE. This bug bounty ONLY includes the smart contracts listed as in scope below.\n\n__Repeatable Attack Limitations__\n\n  - If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n  - For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n  - High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if it goes unaddressed.   \n\n  - In the event of temporary freezing, the reward increases at a multiplier of two from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.    
\n\n__Reward Payment Terms__\n\nPayouts are handled by the __Ava Labs__ team directly and are denominated in __USD__.\n\nPlease note: In cases where the size of the reward exceeds an equivalent of 10 000 USD, Ava Labs is entitled to make the payment in one-year locked AVAX at the rate calculated based on the VWAP of AVAX during 90 calendar days preceding the date of the respective validated report.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"AVAX","slug":"avalanche","updatedDate":"2026-01-22T19:25:42.227Z","impactsBody":"**Expected resource-intensive operations including but not limited to:**\n- Node synchronization after being offline or behind on block height\n- Initial blockchain sync or historical data loading\n- Large database migrations or reindexing operations\n- Batch processing of accumulated transactions or events\n\n**Valid DoS vulnerabilities must demonstrate:**\n- An exploitable vulnerability beyond normal resource consumption\n- Malicious input or actions that cause disproportionate resource usage\n- A realistic attack scenario that differs from standard operational load\n- Impact that prevents legitimate users from accessing the service beyond expected operational delays\n- Disproportionate resource consumption relative to the cost paid (e.g., spending $1 in gas to cause $1000 in computational cost)","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Ava Labs makes it simple to deploy high-performance solutions for Web3, led by innovations on Avalanche. 
The company was founded by Cornell computer scientists, who partnered with Wall Street veterans and early Web3 leaders to execute a promising vision for redefining the way people build and use open, permissionless networks.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":" - If a bug is publicly disclosed (in the repo of an \"asset in scope\" or otherwise), that bug is considered out-of-scope in this program.\n  - If a bug is publicly disclosed in a dependency of any of the \"assets in scope\", that bug is considered out-of-scope in this program.\n\n__Coreth/Subnet-EVM__\n\n- If a bug is publicly disclosed in https://github.com/ethereum/go-ethereum, that bug is considered out-of-scope in this program.\n- If a bug is publicly disclosed in https://github.com/ava-labs/subnet-evm that affects https://github.com/ava-labs/coreth (or vice-versa), that bug is considered out-of-scope in this program.\n\n  - Network-level Denial-of-Service (TCP/IP/P2P)\n  - Misconfigurations of AvalancheGo nodes currently running on the Avalanche Network\n  - Denial-of-Service, OOM, or panic on any API exposed by AvalancheGo\n  - Any usage of the node's HTTP API through intended mediums. 
Intended mediums include usage:\n    - requiring direct machine access\n    - through explicitly opened RPC ports\n    - This includes the ability to send HTTP requests that cause node panics, OOMs, increased disk usage, or causing the node to become unhealthy.\n  - Consensus liveness failure requiring network control.\n  - Ex: BGP hijacking attacks\n  - Preventing a node from properly connecting to the P2P network due to brute force networking DoS vectors.\n    - Ex: Syn attacking a specific node with a botnet.\n  - Unintended node behavior caused by local disk failures.\n  - Unintended node behavior caused by unusual node configuration deviating from best practices for node configurations\n  - Compile time or runtime errors due to using unsupported hardware or operating systems.\n  - Inability to automatically perform NAT-hole punching on specific router hardware.\n\nEven if a bug is considered out-of-scope but you feel it should be disclosed privately, we appreciate any and all informational disclosures through this portal. 
Thanks for your responsible disclosure!","customProhibitedActivities":[],"impacts":[{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4648,"type":"blockchain_dlt","severity":"high","title":"Ability to produce a disproportionate number of blocks compared to the amount of controlled stake (High) Assuming the blockchain is using the Snowman++ congestion control mechanism."},{"id":4649,"type":"blockchain_dlt","severity":"high","title":"Delay message handling of other validators due to sending messages over the P2P network"},{"id":4650,"type":"blockchain_dlt","severity":"high","title":"Ability to circumvent P2P network message throttling"},{"id":4651,"type":"blockchain_dlt","severity":"medium","title":"Ability to display arbitrary logs to users"},{"id":4652,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 1 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":4653,"type":"blockchain_dlt","severity":"critical","title":"Ability to exfiltrate a node's staking keys (TLS or BLS) without direct machine 
access"}],"rewards":[{"id":39592,"severity":"critical","assetType":"blockchain_dlt","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39593,"severity":"high","assetType":"blockchain_dlt","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":39594,"severity":"medium","assetType":"blockchain_dlt","fixedReward":5000,"rewardModel":"fixed"},{"id":39595,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":39596,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39597,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":39598,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"6zFytSn2rU4R99iFGDjSGH","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AgentAlwaysAllowedMintersFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:05:13.671Z","revision":2,"description":"AgentAlwaysAllowedMintersFacet.sol","isPrimacyOfImpact":null},{"id":"7D0SVcBRLvR19gcf5BxiB2","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AgentCollateralFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:05:44.126Z","revision":2,"description":"AgentCollateralFacet.sol","isPrimacyOfImpact":null},{"id":"3157zDcyzjUfvJuPIl5qpW","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AgentInfoFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:06:18.875Z","revision":2,"description":"AgentInfoFacet.sol","isPrimacyOfImpact":null},{"id":"UDFY3KYfY0nLZztkYY8lr","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AgentPingFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:20:36.072Z","revision":2,"description
":"AgentPingFacet.sol","isPrimacyOfImpact":null},{"id":"63mNxEhON5osHEAznaYO8t","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AgentSettingsFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:21:03.850Z","revision":2,"description":"AgentSettingsFacet.sol","isPrimacyOfImpact":null},{"id":"6ByjJP9zOqhvmnraAvwu22","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AgentVaultAndPoolSupportFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:21:32.056Z","revision":2,"description":"AgentVaultAndPoolSupportFacet.sol","isPrimacyOfImpact":null},{"id":"3BZxBOGppAou5grTr9rJLr","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AgentVaultManagementFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:21:56.582Z","revision":2,"description":"AgentVaultManagementFacet.sol","isPrimacyOfImpact":null},{"id":"3LUxw7sd3re2UCRlqeEu4M","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AssetManagerBase.sol","type":"smart_contract","addedAt":"2025-05-15T10:22:19.469Z","revision":2,"description":"AssetManagerBase.sol","isPrimacyOfImpact":null},{"id":"2iSrtx1ztuZD4POo9dZoxQ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AssetManagerDiamondCutFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:22:44.667Z","revision":2,"description":"AssetManagerDiamondCutFacet.sol","isPrimacyOfImpact":null},{"id":"3JFO0f1z6cOcFg0UA36zHn","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AssetManagerInit.sol","type":"smart_contract","addedAt":"2025-05-15T10:23:07.330Z","revision":2,"description":"AssetManagerInit.sol","isPrimacyOfImpact":null},{"id":"01KVLNYkpLhix7MjBWCPly","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/AvailableAgentsFacet.sol","type":"smart_contract","addedAt":"2025-05-15T1
0:23:30.828Z","revision":2,"description":"AvailableAgentsFacet.sol","isPrimacyOfImpact":null},{"id":"1utsb1CIHuwfIYlndjDHQQ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/ChallengesFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:23:55.873Z","revision":2,"description":"ChallengesFacet.sol","isPrimacyOfImpact":null},{"id":"3dovQ9lCOzXgP4AuhZHD7W","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/CollateralReservationsFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:24:18.246Z","revision":2,"description":"CollateralReservationsFacet.sol","isPrimacyOfImpact":null},{"id":"2jROD84yd8aIQj6wk6t7Ky","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/CollateralTypesFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:27:37.041Z","revision":2,"description":"CollateralTypesFacet.sol","isPrimacyOfImpact":null},{"id":"4sbcnXbP6Pr3uZV0WQI22H","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/CoreVaultFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:31:06.682Z","revision":2,"description":"CoreVaultFacet.sol","isPrimacyOfImpact":null},{"id":"56u6tnpIhjWS5M8G8jArHM","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/CoreVaultSettingsFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:31:40.704Z","revision":2,"description":"CoreVaultSettingsFacet.sol","isPrimacyOfImpact":null},{"id":"1G8Tz5r8KKIYvR060J4a9j","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/EmergencyPauseFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:32:01.410Z","revision":2,"description":"EmergencyPauseFacet.sol","isPrimacyOfImpact":null},{"id":"5bzSoBb6dCkBw60gaDKRlG","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/EmergencyPauseTransfersFacet.sol","type":"smart_contract
","addedAt":"2025-05-15T10:33:01.930Z","revision":2,"description":"EmergencyPauseTransfersFacet.sol","isPrimacyOfImpact":null},{"id":"3HP8h0vVfJqQb71jhPLjX7","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/LiquidationFacet.sol","type":"smart_contract","addedAt":"2025-05-15T10:33:35.006Z","revision":2,"description":"LiquidationFacet.sol","isPrimacyOfImpact":null},{"id":"4OAmr5JwqfUFzAqEHvt1NY","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/MintingFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:41.765Z","revision":1,"description":"MintingFacet.sol","isPrimacyOfImpact":null},{"id":"1n6Oy34cnzTqROF20rtsGQ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/RedemptionConfirmationsFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:42.417Z","revision":1,"description":"RedemptionConfirmationsFacet.sol","isPrimacyOfImpact":null},{"id":"79Vzm54W3VbEVS25Ib1IJA","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/RedemptionDefaultsFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:42.921Z","revision":1,"description":"RedemptionDefaultsFacet.sol","isPrimacyOfImpact":null},{"id":"4fcwFlrUFERdSCozYuhI79","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/RedemptionRequestsFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:43.426Z","revision":1,"description":"RedemptionRequestsFacet.sol","isPrimacyOfImpact":null},{"id":"5iQ84ylFPLNIYP1oFczcUY","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/RedemptionTimeExtensionFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:43.950Z","revision":1,"description":"RedemptionTimeExtensionFacet.sol","isPrimacyOfImpact":null},{"id":"3LCIxQUtgVWC1NbFFVvl6t","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/face
ts/SettingsManagementFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:44.417Z","revision":1,"description":"SettingsManagementFacet.sol","isPrimacyOfImpact":null},{"id":"4nKeTPvYf7gHkjrAIyaN2q","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/SettingsReaderFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:44.925Z","revision":1,"description":"SettingsReaderFacet.sol","isPrimacyOfImpact":null},{"id":"26iKqlbd94urZ8OeYKdDrv","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/SystemInfoFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:45.417Z","revision":1,"description":"SystemInfoFacet.sol","isPrimacyOfImpact":null},{"id":"6WwLAOArIjT35Vthisg6Rh","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/SystemStateManagementFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:45.919Z","revision":1,"description":"SystemStateManagementFacet.sol","isPrimacyOfImpact":null},{"id":"5bKAVbbpQDlGDNr4uiBx1Z","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/TransferFeeFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:46.412Z","revision":1,"description":"TransferFeeFacet.sol","isPrimacyOfImpact":null},{"id":"5pG2arxfjQ1bqwzinY3FhA","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/UnderlyingBalanceFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:46.915Z","revision":1,"description":"UnderlyingBalanceFacet.sol","isPrimacyOfImpact":null},{"id":"4CTgIRLdISWOIiVtuXcZv8","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/UnderlyingTimekeepingFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:47.419Z","revision":1,"description":"UnderlyingTimekeepingFacet.sol","isPrimacyOfImpact":null},{"id":"5392DIJIoy6pHFCSZJn02w","url":"https://github.com/flare-foundation/fassets/
blob/main/contracts/assetManager/implementation/AgentOwnerRegistry.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:47.911Z","revision":1,"description":"AgentOwnerRegistry.sol","isPrimacyOfImpact":null},{"id":"6ho5pDsR0DV56skVuY21mJ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/AgentVault.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:48.407Z","revision":1,"description":"AgentVault.sol","isPrimacyOfImpact":null},{"id":"5FtRkKppT2rDueF9WokeaQ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/AgentVaultFactory.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:48.920Z","revision":1,"description":"AgentVaultFactory.sol","isPrimacyOfImpact":null},{"id":"4o8DksIsWkDlDFY0niv7dD","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/AssetManager.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:49.446Z","revision":1,"description":"AssetManager.sol","isPrimacyOfImpact":null},{"id":"6aRECegL1wIBNSCKdzKdIB","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/AssetManagerController.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:50.037Z","revision":1,"description":"AssetManagerController.sol","isPrimacyOfImpact":null},{"id":"2DbetIJAZ3P9asSWg7rpJW","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/AssetManagerControllerProxy.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:50.528Z","revision":1,"description":"AssetManagerControllerProxy.sol","isPrimacyOfImpact":null},{"id":"5QoscoKOY84Re8wiLvHzdr","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/CollateralPool.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:51.033Z","revision":1,"description":"CollateralPool.sol","isPrimacyOfImpact":null},{"id":"4qooc4eG79cN6lw4NbqqGm","url":"https
://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/CollateralPoolFactory.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:51.551Z","revision":1,"description":"CollateralPoolFactory.sol","isPrimacyOfImpact":null},{"id":"1WeflHaquHLPQuiOSwo936","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/CollateralPoolToken.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:52.039Z","revision":1,"description":"CollateralPoolToken.sol","isPrimacyOfImpact":null},{"id":"31I4fLc2Qo3iyPZsyohlJO","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/CollateralPoolTokenFactory.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:52.551Z","revision":1,"description":"CollateralPoolTokenFactory.sol","isPrimacyOfImpact":null},{"id":"27N82ODtVWsmTxoPSXLIyl","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/CoreVaultManager.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:53.092Z","revision":1,"description":"CoreVaultManager.sol","isPrimacyOfImpact":null},{"id":"4PvaPgs1KL0m7d7ismNBU6","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/CoreVaultManagerProxy.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:53.599Z","revision":1,"description":"CoreVaultManagerProxy.sol","isPrimacyOfImpact":null},{"id":"4i4KPOu4homxwT6vgEYroB","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/FtsoV1PriceReader.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:54.137Z","revision":1,"description":"FtsoV1PriceReader.sol","isPrimacyOfImpact":null},{"id":"3q9eEXMsk8OPNfKhtyz6P5","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/FtsoV2PriceStore.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:54.618Z","revision":1,"description":"FtsoV2PriceStore.sol
","isPrimacyOfImpact":null},{"id":"7kl8kDN2yztAnhWBNqMpse","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/Whitelist.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:55.114Z","revision":1,"description":"Whitelist.sol","isPrimacyOfImpact":null},{"id":"6XGpY4XrNhBkspqCSKo0bP","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IAgentVaultFactory.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:55.591Z","revision":1,"description":"IAgentVaultFactory.sol","isPrimacyOfImpact":null},{"id":"5w2Gbk8PXjRLwQCovTy6uQ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/ICollateralPoolFactory.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:56.111Z","revision":1,"description":"ICollateralPoolFactory.sol","isPrimacyOfImpact":null},{"id":"38JkzzluZvpMTZIRTrOSJ9","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/ICollateralPoolTokenFactory.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:56.622Z","revision":1,"description":"ICollateralPoolTokenFactory.sol","isPrimacyOfImpact":null},{"id":"3lRNnDU0T89mSQe5RyXtgd","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IIAgentVault.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:57.108Z","revision":1,"description":"IIAgentVault.sol","isPrimacyOfImpact":null},{"id":"1po09UYVEbsblWJO4iNzEJ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IIAssetManager.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:57.566Z","revision":1,"description":"IIAssetManager.sol","isPrimacyOfImpact":null},{"id":"2dj09eKyxSI9md62bq9LbC","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IIAssetManagerController.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:58.032Z","revision":1,"description":"I
IAssetManagerController.sol","isPrimacyOfImpact":null},{"id":"1XjpYJoqmq4GvPGarDrk8a","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IICollateralPool.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:58.512Z","revision":1,"description":"IICollateralPool.sol","isPrimacyOfImpact":null},{"id":"6lxnJJxEm2MjK2QdEiAyBI","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IICollateralPoolToken.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:59.029Z","revision":1,"description":"IICollateralPoolToken.sol","isPrimacyOfImpact":null},{"id":"6RQRwmFF2HzjaHr4adGVeu","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IICoreVaultManager.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:59.464Z","revision":1,"description":"IICoreVaultManager.sol","isPrimacyOfImpact":null},{"id":"3dAAZmj4G7rOSZ029NFrg8","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IISettingsManagement.sol","type":"smart_contract","addedAt":"2025-05-15T13:55:59.947Z","revision":1,"description":"IISettingsManagement.sol","isPrimacyOfImpact":null},{"id":"JrNwfm2CkRjM4BhgO1BYg","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IPriceChangeEmitter.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:00.436Z","revision":1,"description":"IPriceChangeEmitter.sol","isPrimacyOfImpact":null},{"id":"DAtAIH0hVrhjTjE1biBib","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IPricePublisher.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:00.905Z","revision":1,"description":"IPricePublisher.sol","isPrimacyOfImpact":null},{"id":"6LYUXSc6vl5OmwKC0TXVRy","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IPriceReader.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:01.391Z","revis
ion":1,"description":"IPriceReader.sol","isPrimacyOfImpact":null},{"id":"6rAqniPlMPb02oXAMo0wSG","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IUpgradableContractFactory.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:01.897Z","revision":1,"description":"IUpgradableContractFactory.sol","isPrimacyOfImpact":null},{"id":"7qu5zRVE9zPrk4CcWUOXZ2","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/interfaces/IWNat.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:02.382Z","revision":1,"description":"IWNat.sol","isPrimacyOfImpact":null},{"id":"6EnsiXJv7RPIkizll8kCd5","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/AgentCollateral.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:02.906Z","revision":1,"description":"AgentCollateral.sol","isPrimacyOfImpact":null},{"id":"2bhxbJqkZepxGJhqMrs5wf","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/AgentSettingsUpdater.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:03.350Z","revision":1,"description":"AgentSettingsUpdater.sol","isPrimacyOfImpact":null},{"id":"VvWqZETKxwyG5oRQa2wYR","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/Agents.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:03.820Z","revision":1,"description":"Agents.sol","isPrimacyOfImpact":null},{"id":"5bihRkj8L93oUcLd4s8nAH","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/AgentsCreateDestroy.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:04.388Z","revision":1,"description":"AgentsCreateDestroy.sol","isPrimacyOfImpact":null},{"id":"1GwK6zX32t6stvlwBCWJX1","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/AgentsExternal.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:04.856Z","revision":1,"description":"AgentsExternal.
sol","isPrimacyOfImpact":null},{"id":"4L71EJ6AjbGjKcTHQPfn3i","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/AvailableAgents.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:05.344Z","revision":1,"description":"AvailableAgents.sol","isPrimacyOfImpact":null},{"id":"5BaefG3UJX6X4Aw0p4btpe","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/Challenges.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:05.872Z","revision":1,"description":"Challenges.sol","isPrimacyOfImpact":null},{"id":"73KXnEDfuPOc4aUSCH34JP","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/CollateralReservations.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:06.354Z","revision":1,"description":"CollateralReservations.sol","isPrimacyOfImpact":null},{"id":"6agF2PDH8Hni5QpkFFiOPD","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/CollateralTypes.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:06.857Z","revision":1,"description":"CollateralTypes.sol","isPrimacyOfImpact":null},{"id":"5KGCpHbjkfcGYOoA4X3yKV","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/Conversion.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:07.345Z","revision":1,"description":"Conversion.sol","isPrimacyOfImpact":null},{"id":"6MSWq5jSuCUNIvEyvlCtdZ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/CoreVault.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:07.777Z","revision":1,"description":"CoreVault.sol","isPrimacyOfImpact":null},{"id":"rNYkblGK2AFeGWcRu4N9G","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/FullAgentInfo.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:08.273Z","revision":1,"description":"FullAgentInfo.sol","isPrimacyOfImpact":null},{"id":"1Efpm2uCzwjA8I9WyHT2xS","
url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/Globals.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:08.743Z","revision":1,"description":"Globals.sol","isPrimacyOfImpact":null},{"id":"3vtuur8JwxyQdYjMep9Obq","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/Liquidation.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:09.281Z","revision":1,"description":"Liquidation.sol","isPrimacyOfImpact":null},{"id":"2KiYsoRxVG6qaUDmFLPbLz","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/LiquidationPaymentStrategy.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:09.718Z","revision":1,"description":"LiquidationPaymentStrategy.sol","isPrimacyOfImpact":null},{"id":"3dKLGCQTx4XBR7KDS7aF21","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/MerkleTree.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:10.222Z","revision":1,"description":"MerkleTree.sol","isPrimacyOfImpact":null},{"id":"53fHrLJqecP3cK7iqGMfmi","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/Minting.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:10.760Z","revision":1,"description":"Minting.sol","isPrimacyOfImpact":null},{"id":"5m0jV1A9knQA8kS0DrxNmN","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/RedemptionConfirmations.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:11.271Z","revision":1,"description":"RedemptionConfirmations.sol","isPrimacyOfImpact":null},{"id":"3YJC3gbLEMF4B6gFD25AHt","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/RedemptionFailures.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:11.783Z","revision":1,"description":"RedemptionFailures.sol","isPrimacyOfImpact":null},{"id":"4E2ipDyZwYj1ASHiQuX0eD","url":"https://github.com/flare-foundation/fass
ets/blob/main/contracts/assetManager/library/RedemptionQueueInfo.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:12.274Z","revision":1,"description":"RedemptionQueueInfo.sol","isPrimacyOfImpact":null},{"id":"3MrfUTKW4GI2zzi2dFp9Sv","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/RedemptionRequests.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:12.799Z","revision":1,"description":"RedemptionRequests.sol","isPrimacyOfImpact":null},{"id":"2xQsGMHhPIvXYybZT3g7ou","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/Redemptions.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:13.298Z","revision":1,"description":"Redemptions.sol","isPrimacyOfImpact":null},{"id":"7hXqemOyzAReKVzwLNHxqE","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/SettingsInitializer.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:13.802Z","revision":1,"description":"SettingsInitializer.sol","isPrimacyOfImpact":null},{"id":"4OVUQK4EVRjLy6hN8qiYma","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/SettingsUpdater.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:14.297Z","revision":1,"description":"SettingsUpdater.sol","isPrimacyOfImpact":null},{"id":"65mOg27mpqUArmHyU5RV8L","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/SettingsValidators.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:14.804Z","revision":1,"description":"SettingsValidators.sol","isPrimacyOfImpact":null},{"id":"5iCYZPYLUYItbpyIwNF3EI","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/StateUpdater.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:15.474Z","revision":1,"description":"StateUpdater.sol","isPrimacyOfImpact":null},{"id":"6fvnKNcyXSJHdDgzBAAwBq","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/as
setManager/library/TransactionAttestation.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:15.974Z","revision":1,"description":"TransactionAttestation.sol","isPrimacyOfImpact":null},{"id":"SPRGgMNmBV6AP36ARCmYW","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/TransferFees.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:16.487Z","revision":1,"description":"TransferFees.sol","isPrimacyOfImpact":null},{"id":"1Tx2nXClSVOoXjV66eKIuo","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/UnderlyingBalance.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:16.967Z","revision":1,"description":"UnderlyingBalance.sol","isPrimacyOfImpact":null},{"id":"3n3zLV8TEsCnK8bcJ6PADW","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/UnderlyingWithdrawalAnnouncements.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:17.436Z","revision":1,"description":"UnderlyingWithdrawalAnnouncements.sol","isPrimacyOfImpact":null},{"id":"1CtgJ75dbXJJfN5dVKPPoy","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/Agent.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:17.927Z","revision":1,"description":"Agent.sol","isPrimacyOfImpact":null},{"id":"3T5pLiPBcGXw7F4gGO3jVT","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/AssetManagerState.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:18.381Z","revision":1,"description":"AssetManagerState.sol","isPrimacyOfImpact":null},{"id":"7wyA3PeAf6XP0ACcK5nIpT","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/Collateral.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:18.949Z","revision":1,"description":"Collateral.sol","isPrimacyOfImpact":null},{"id":"1Jo1Mg3Z4jwZuA8VxaIOm0","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetM
anager/library/data/CollateralReservation.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:19.416Z","revision":1,"description":"CollateralReservation.sol","isPrimacyOfImpact":null},{"id":"7FdpCh2A7rzFaxCXYLqq2f","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/CollateralTypeInt.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:19.898Z","revision":1,"description":"CollateralTypeInt.sol","isPrimacyOfImpact":null},{"id":"CSaowdVQwcPANWeTrTP5l","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/PaymentConfirmations.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:20.408Z","revision":1,"description":"PaymentConfirmations.sol","isPrimacyOfImpact":null},{"id":"3R44veVpLTXET6FKsl87YY","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/PaymentReference.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:20.920Z","revision":1,"description":"PaymentReference.sol","isPrimacyOfImpact":null},{"id":"1vbn9RyGUvmyj3BsqWak9z","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/Redemption.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:21.360Z","revision":1,"description":"Redemption.sol","isPrimacyOfImpact":null},{"id":"zFWB0pW8r8QlP0mW6w2lJ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/RedemptionQueue.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:21.881Z","revision":1,"description":"RedemptionQueue.sol","isPrimacyOfImpact":null},{"id":"7vwXxG46cdLa8n2qvxXvdn","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/RedemptionTimeExtension.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:22.396Z","revision":1,"description":"RedemptionTimeExtension.sol","isPrimacyOfImpact":null},{"id":"7CcrehVtR3kNwpVF0JPny4","url":"https://github.com/flare-foundation/fassets
/blob/main/contracts/assetManager/library/data/TransferFeeTracking.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:22.855Z","revision":1,"description":"TransferFeeTracking.sol","isPrimacyOfImpact":null},{"id":"5P2x8sG19s6dzrfZCOdNnk","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/data/UnderlyingAddressOwnership.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:23.367Z","revision":1,"description":"UnderlyingAddressOwnership.sol","isPrimacyOfImpact":null},{"id":"3V5nDjX2ySxcJZ0tCY6M6E","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/diamond/facets/DiamondLoupeFacet.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:23.851Z","revision":1,"description":"DiamondLoupeFacet.sol","isPrimacyOfImpact":null},{"id":"4Qu2gDRo6olxJ37BOfdSHY","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/diamond/implementation/Diamond.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:24.267Z","revision":1,"description":"Diamond.sol","isPrimacyOfImpact":null},{"id":"RYon9FTDKiO3mzclJp73S","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/diamond/interfaces/IDiamond.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:24.854Z","revision":1,"description":"IDiamond.sol","isPrimacyOfImpact":null},{"id":"54CcgTlqBx79DuxJudqcvf","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/diamond/interfaces/IDiamondCut.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:25.336Z","revision":1,"description":"IDiamondCut.sol","isPrimacyOfImpact":null},{"id":"52AnqIBJG4xBsvdsnqsA0R","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/diamond/interfaces/IDiamondLoupe.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:25.828Z","revision":1,"description":"IDiamondLoupe.sol","isPrimacyOfImpact":null},{"id":"E1ltgVTmyqMkLFXxntO7S","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/diamond/library/LibDiamond.so
l","type":"smart_contract","addedAt":"2025-05-15T13:56:26.348Z","revision":1,"description":"LibDiamond.sol","isPrimacyOfImpact":null},{"id":"25rj49yerhDiqhOVkqlsy7","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/fassetToken/implementation/CheckPointable.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:26.890Z","revision":1,"description":"CheckPointable.sol","isPrimacyOfImpact":null},{"id":"6MKdsSYET7XYE4AWQuqXqo","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/fassetToken/implementation/FAsset.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:27.336Z","revision":1,"description":"FAsset.sol","isPrimacyOfImpact":null},{"id":"66sddJ0EK7OHCFQ7kFWzcO","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/fassetToken/implementation/FAssetProxy.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:27.814Z","revision":1,"description":"FAssetProxy.sol","isPrimacyOfImpact":null},{"id":"2ENNhmbkFPsX2IBEipYbAh","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/fassetToken/interfaces/ICheckPointable.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:28.310Z","revision":1,"description":"ICheckPointable.sol","isPrimacyOfImpact":null},{"id":"3Xozq8rnLhL4XPsPKgCHHP","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/fassetToken/interfaces/IIFAsset.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:28.747Z","revision":1,"description":"IIFAsset.sol","isPrimacyOfImpact":null},{"id":"3WNIhubswKe8LZeelMuHtM","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/fassetToken/library/CheckPointHistory.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:29.234Z","revision":1,"description":"CheckPointHistory.sol","isPrimacyOfImpact":null},{"id":"3n4H8iAe24g1v5dsn5u4Jy","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/fassetToken/library/CheckPointsByAddress.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:29.
720Z","revision":1,"description":"CheckPointsByAddress.sol","isPrimacyOfImpact":null},{"id":"2kKGxnK8kpDsIzh1zu10Ew","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/governance/implementation/AddressUpdatable.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:30.214Z","revision":1,"description":"AddressUpdatable.sol","isPrimacyOfImpact":null},{"id":"2QitUbNBqVYTIm5mpT1Bgr","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/governance/implementation/Governed.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:30.694Z","revision":1,"description":"Governed.sol","isPrimacyOfImpact":null},{"id":"7HHkBeLhxRd6ljb1HNfRIv","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/governance/implementation/GovernedBase.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:31.195Z","revision":1,"description":"GovernedBase.sol","isPrimacyOfImpact":null},{"id":"34NCqXsSVtzBoi1wGh3P6T","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/governance/implementation/GovernedProxyImplementation.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:31.695Z","revision":1,"description":"GovernedProxyImplementation.sol","isPrimacyOfImpact":null},{"id":"6CMouq6HqMM3kQiUIORdos","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/governance/interfaces/IGoverned.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:32.268Z","revision":1,"description":"IGoverned.sol","isPrimacyOfImpact":null},{"id":"35NjnvLZa0h46VVzPwIelZ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/openzeppelin/library/Reentrancy.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:32.782Z","revision":1,"description":"Reentrancy.sol","isPrimacyOfImpact":null},{"id":"2mPEvnlvZ1drtYCOR0T5Ka","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/openzeppelin/security/ReentrancyGuard.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:33.313Z","revision":1,"descripti
on":"ReentrancyGuard.sol","isPrimacyOfImpact":null},{"id":"4m8owYJ0o5YdLXouPvwo5N","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/openzeppelin/token/ERC20Permit.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:33.834Z","revision":1,"description":"ERC20Permit.sol","isPrimacyOfImpact":null},{"id":"1A7TdjxVXFgLbbz30rn7lY","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/openzeppelin/utils/EIP712.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:34.352Z","revision":1,"description":"EIP712.sol","isPrimacyOfImpact":null},{"id":"7N0EsdfRGRN2vNEk5bgVVa","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/IAgentAlwaysAllowedMinters.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:34.887Z","revision":1,"description":"IAgentAlwaysAllowedMinters.sol","isPrimacyOfImpact":null},{"id":"3HmNVp5lUclisfzEMGZLjc","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/IAgentOwnerRegistry.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:35.386Z","revision":1,"description":"IAgentOwnerRegistry.sol","isPrimacyOfImpact":null},{"id":"53JbwN4lbeosFxR2ZssdEy","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/IAgentPing.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:35.896Z","revision":1,"description":"IAgentPing.sol","isPrimacyOfImpact":null},{"id":"6blxeQ3Ko2SwCSOi2ocQvM","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/IAgentVault.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:36.427Z","revision":1,"description":"IAgentVault.sol","isPrimacyOfImpact":null},{"id":"3gKX1yFpglPlBD53E6NKD","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/IAssetManager.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:36.936Z","revision":1,"description":"IAssetManager.sol","isPrimacyOfImpact":null},{"id":"1w664cj8LqEpjOJ0UWG9e3","url":"htt
ps://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/IAssetManagerEvents.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:37.550Z","revision":1,"description":"IAssetManagerEvents.sol","isPrimacyOfImpact":null},{"id":"3Pm3x43BnkttmOKMyNqIX4","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/ICollateralPool.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:38.023Z","revision":1,"description":"ICollateralPool.sol","isPrimacyOfImpact":null},{"id":"4l33uQlXeYK7TpOYZrDMn7","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/ICollateralPoolToken.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:38.527Z","revision":1,"description":"ICollateralPoolToken.sol","isPrimacyOfImpact":null},{"id":"6cLFtFf7Pfjp7sMhk6g5Cp","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/ICoreVault.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:38.996Z","revision":1,"description":"ICoreVault.sol","isPrimacyOfImpact":null},{"id":"2V3ZxNCWciYTmrnnzozNPG","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/ICoreVaultManager.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:39.499Z","revision":1,"description":"ICoreVaultManager.sol","isPrimacyOfImpact":null},{"id":"2KZZuBVyvQiM9ttFeWmPTO","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/ICoreVaultSettings.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:39.989Z","revision":1,"description":"ICoreVaultSettings.sol","isPrimacyOfImpact":null},{"id":"45EOmxZkvbiypCSkFMBbg4","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/IFAsset.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:40.457Z","revision":1,"description":"IFAsset.sol","isPrimacyOfImpact":null},{"id":"18BdXjfRfeHKizVWLXVTYm","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/IRed
emptionTimeExtension.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:40.960Z","revision":1,"description":"IRedemptionTimeExtension.sol","isPrimacyOfImpact":null},{"id":"1yjkNlk3rKqXA5vbA0yuio","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/ITransferFees.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:41.444Z","revision":1,"description":"ITransferFees.sol","isPrimacyOfImpact":null},{"id":"5Io7FdC3dnHtgnBqycVQU","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/IWhitelist.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:41.936Z","revision":1,"description":"IWhitelist.sol","isPrimacyOfImpact":null},{"id":"6RebMdvquPpMdNLLiVb8KW","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/data/AgentInfo.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:42.461Z","revision":1,"description":"AgentInfo.sol","isPrimacyOfImpact":null},{"id":"Kqvo3yT6SlyGfSY0glOFz","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/data/AgentSettings.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:42.982Z","revision":1,"description":"AgentSettings.sol","isPrimacyOfImpact":null},{"id":"1AAtKNLcI8uE2eZunUvC64","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/data/AssetManagerSettings.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:43.489Z","revision":1,"description":"AssetManagerSettings.sol","isPrimacyOfImpact":null},{"id":"3wZaEIWIQDiYHI14FlwsaS","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/data/AvailableAgentInfo.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:44.059Z","revision":1,"description":"AvailableAgentInfo.sol","isPrimacyOfImpact":null},{"id":"41Q4GfOAkrFjVyv3rLhx8E","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/data/CollateralReservationInfo.sol","type":"smart_contract","add
edAt":"2025-05-15T13:56:44.559Z","revision":1,"description":"CollateralReservationInfo.sol","isPrimacyOfImpact":null},{"id":"5niSotOYgIogIDLcz98FQ2","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/data/CollateralType.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:45.002Z","revision":1,"description":"CollateralType.sol","isPrimacyOfImpact":null},{"id":"2LZ2Hlju2ODB5Xe2sJcdKa","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/data/RedemptionRequestInfo.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:45.421Z","revision":1,"description":"RedemptionRequestInfo.sol","isPrimacyOfImpact":null},{"id":"5xvZ02jOVi4IOXuxFabyV","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/userInterfaces/data/RedemptionTicketInfo.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:45.886Z","revision":1,"description":"RedemptionTicketInfo.sol","isPrimacyOfImpact":null},{"id":"29HZcGUDDKbDwOvFKEv0kn","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/utils/interfaces/IUpgradableProxy.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:46.422Z","revision":1,"description":"IUpgradableProxy.sol","isPrimacyOfImpact":null},{"id":"3Wu5xTkpPaVeVPoDTYw6Sc","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/utils/lib/MathUtils.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:46.913Z","revision":1,"description":"MathUtils.sol","isPrimacyOfImpact":null},{"id":"6plajFxJhqxN16fmIYxqTZ","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/utils/lib/SafeMath64.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:47.438Z","revision":1,"description":"SafeMath64.sol","isPrimacyOfImpact":null},{"id":"3MM3vgfCi0vaIWyHoNzMq1","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/utils/lib/SafePct.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:47.954Z","revision":1,"description":"SafePct.sol","isPr
imacyOfImpact":null},{"id":"33jxaRsCu3jF83oD9O6D5u","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/utils/lib/TimeCumulative.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:48.563Z","revision":1,"description":"TimeCumulative.sol","isPrimacyOfImpact":null},{"id":"ub97PZfRV5PTjqgIIO91x","url":"https://github.com/flare-foundation/fassets/blob/main/contracts/utils/lib/Transfers.sol","type":"smart_contract","addedAt":"2025-05-15T13:56:49.057Z","revision":1,"description":"Transfers.sol","isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\n- Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\n- Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\n- Flare adheres to the Primacy of Rules, which means that the whole Audit Competition & Mitigation Audit program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\n- No KYC is required for the Flare FAssets Audit Competition & Mitigation Audit\n\n__Eligibility Criteria__\n\n- Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n   - On OFACs SDN list \n   - Official contributor, both past or present\n   - Employees and/or individuals closely associated with the project \n   - Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\n- Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n   - Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\n- Immunefi may publish bug reports submitted to this Audit Competition and a leaderboard of the participants and their earnings.\n\n__Feasibility 
Limitations__\n\n- When there is uncertainty about how feasible an attack is Immunefi will use our feasibility limitation standards to determine the severity of the report.\n\n__Immunefi Standard Badge__\n\n- By adhering to Immunefi’s best practice recommendations, Flare Network has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"**Thank You to All Participating Security Researchers!**\n\nThe audit competition has now concluded and is currently in the evaluation phase. During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the platform for all users.","boostedIntroLive":"**$125,000 USD** in rewards available for finding bugs on the Flare Network's FAssets smart contracts. \n\n\nThis is a **Mainnet Audit Competition** and the project may fix bugs mid-competition. The more bugs a project fixes the more rewards will be unlocked for a simultaneously running mitigation competition that is open for everyone to participate in. \n\n- Read the Mainnet Audition Competition **Rules** [here](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules) \n\nIf Flare Network doesn't make any public bug fix during their Mainnet Audit Competition, then within a maximum of 30 days after mainnet competition has ended their **Mitigation Audit** will launch. 
\n\nFor more information, please visit [Flare Network](https://flare.network/)\n\n\n- KYC is not required.\n\n- Flat Reward Pool for the Mainnet Audit Competition\n\n- Any technical questions and support requests can be asked directly to Flare Network or Immunefi in the [Flare Network Audit Competition Discord channel](https://discord.com/channels/787092485969150012/1369326485659189259).\n\n- When the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\n- A few days after the launch, Immunefi will publish Flare Network's technical walkthrough on our official [YouTube channel](https://www.youtube.com/@immunefi).\n\n- Runnable POCs are not required. Read our [New Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Audit-Competition-Proof-of-Concept-Rules)\n\n- Insight reports can be submitted. Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedIntroStartingIn":"**$125,000 USD** in rewards available for finding bugs on the Flare Network's FAssets smart contracts. \n\n\nThis is a **Mainnet Audit Competition** and the project may fix bugs mid-competition. The more bugs a project fixes the more rewards will be unlocked for a simultaneously running mitigation competition that is open for everyone to participate in. \n\n\nIf Flare Network doesn't make any public bug fix during their Mainnet Audit Competition, then within a maximum of 30 days after mainnet competition has ended their **mitigation audit** will launch. 
\n\n\n__Mitigation Audit Rewards__\n\n\nThe maximum reward pool for the mitigation audit is **$25,000 USD**.\n\n\nIf any bug in scope is fixed during the Mainnet Audit Competition then a mitigation audit will begin immediately, run simultaneously, and end 5 days after the mainnet Audit Competition has ended.\n\n\nThe mitigation audit’s reward pool is based on how many bugs are fixed while the competitions are live relative to how many bugs are found in the mainnet Audit Competition. So if projects make more bug fixes mid-competition then the size of the mitigation audit reward pool increases up to the maximum.\n\nKYC is not required.\n\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\n\nFor more information, please visit [Flare Network](https://flare.network/)","boostedLeaderboard":[{"high":2,"name":"nnez","critical":0,"earnings":19356,"insights":0,"mediumLow":4,"totalValidBugs":6},{"high":2,"name":"a090325","critical":0,"earnings":16956,"insights":2,"mediumLow":2,"totalValidBugs":4},{"high":1,"name":"farman1094","critical":0,"earnings":10583,"insights":0,"mediumLow":2,"totalValidBugs":3},{"high":1,"name":"NHristov","critical":0,"earnings":8155,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"danvinci_20","critical":0,"earnings":6493,"insights":6,"mediumLow":6,"totalValidBugs":7},{"high":0,"name":"avoloder","critical":0,"earnings":5632,"insights":0,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"holydevoti0n","critical":0,"earnings":5460,"insights":1,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"pseudoArtist","critical":0,"earnings":5345,"insights":0,"mediumLow":3,"totalValidBugs":3},{"high":1,"name":"Bluedragon","critical":0,"earnings":5143,"insights":3,"mediumLow":2,"totalValidBugs":3},{"high":0,"name":"swarun","critical":0,"earnings":3646,"insights":0,"mediumLow":3,"totalValidBugs":3},{"high":2,"name":"ox9527","critical":0,"earnings":3581,"insights":0,"mediumLo
w":1,"totalValidBugs":3},{"high":0,"name":"ni8mare","critical":0,"earnings":3200,"insights":3,"mediumLow":4,"totalValidBugs":4},{"high":1,"name":"io10","critical":0,"earnings":3161,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"aman","critical":0,"earnings":2907,"insights":1,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"niroh","critical":0,"earnings":2731,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"escrow","critical":0,"earnings":2601,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"OxSCSamurai","critical":0,"earnings":2601,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":1,"name":"rilwan99","critical":0,"earnings":2147,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"DSbeX","critical":0,"earnings":2008,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"rick137","critical":0,"earnings":1866,"insights":0,"mediumLow":2,"totalValidBugs":3},{"high":0,"name":"EFCCWEB3","critical":0,"earnings":1348,"insights":1,"mediumLow":2,"totalValidBugs":2},{"high":1,"name":"RNemes","critical":0,"earnings":1280,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"light279","critical":0,"earnings":1218,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"Rhaydden","critical":0,"earnings":1022,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"dldLambda","critical":0,"earnings":971,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":1,"name":"Cryptor","critical":0,"earnings":922,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"ayden","critical":0,"earnings":922,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Josh4324","critical":0,"earnings":867,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Audittens","critical":0,"earnings":429,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Oxgritty","critical":0,"earnings":398,"insights":1,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"hunter
0xweb3","critical":0,"earnings":233,"insights":3,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"magtentic","critical":0,"earnings":220,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"MyssTeeQue","critical":0,"earnings":129,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Machicoulis","critical":0,"earnings":129,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"kenzo","critical":0,"earnings":129,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"elyas6126","critical":0,"earnings":129,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"dawn","critical":0,"earnings":129,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Pig46940","critical":0,"earnings":129,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"lufP","critical":0,"earnings":102,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"vargalove","critical":0,"earnings":78,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Anirruth","critical":0,"earnings":78,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"chista0x","critical":0,"earnings":78,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"MRXSNOWDEN","critical":0,"earnings":78,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Victor_TheOracle","critical":0,"earnings":78,"insights":3,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"TheCarrot","critical":0,"earnings":78,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"blackgrease","critical":0,"earnings":78,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"onthehunt","critical":0,"earnings":77,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"rusalka711","critical":0,"earnings":52,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Paludo0x","critical":0,"earnings":52,"insights":2,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1i
GUzL8JNrFDFm9sPQ6kukNyvCXH9-fw-/view?usp=sharing","ecosystem":["ETH"],"endDate":"2025-06-09T10:00:00.000Z","evaluationEndDate":"2025-08-06T07:15:35.603Z","features":["Boost","Vault","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2025-05-12T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4Ht5ANaRgVQI77zZ9AsJDm/18581691b5f8dd8c0e52fc9eb9364029/F_light_bg.png","maxBounty":125000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"To be determined","productType":null,"programOverview":"Flare is the blockchain for data. It is a layer-1, EVM smart contract platform designed to expand the utility of blockchain by delivering data certainty for dApp builders.\n\nFAssets is a trustless, over-collateralized bridge built on Flare that connects non smart contract networks to Flare/Songbird. It enables the creation of wrapped tokens (FAssets) for assets like BTC, DOGE and XRP. The original assets are deposited to the address of an agent and can later be redeemed.  \n\n\nAt the core of FAssets v1.1 is a new architecture component called the Core Vault, designed to improve system liquidity, scalability, and capital efficiency. It serves as a liquidity hub where Agents can deposit native assets (e.g., XRP) and unlock their FLR or SGB collateral. The minted FAssets are secured by collateral, which is in the form of ERC20 tokens on Flare/Songbird chain and native tokens (FLR on Flare, SGB on Songbird). These tokens can participate in Flare's DeFi ecosystem. \n\n\nThe FAsset system maintains security by ensuring every minted Fasset is backed by more value than it represents, creating a safeguard against volatility and protecting users from potential losses. 
\n\n\nTwo protocols, available on Flare and Songbird blockchains, enable the FAsset system to operate:\n\n- **FTSO** contracts which provide decentralised price feeds for multiple tokens.\n- Flare’s **Flare data connector**, which bridges payment data from any connected chain.\n\nFor more information, please visit [Flare Network](https://flare.network/)","programType":["Smart Contract"],"project":"Audit Comp | Flare | FAssets","projectType":["Blockchain"],"rewardsBody":"__Mainnet Audit Competition Reward Pool__\n\n- Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\n- Rewards are denominated in USD and distributed in USDC on Ethereum\n\n- The reward pool is **$125,000 USD** if any bug is found.\n\n- If not a single bug is found (Insights do not count as bugs) the reward pool is **$15,000 USD**.\n\n__Mitigation Audit Rewards__\n\n- The maximum reward pool for the mitigation competition is **$25,000 USD**.\n\n- If any bug in scope is fixed during the mainnet AC then a mitigation audit will begin immediately, run simultaneously, and end 5 days after the mainnet Audit Competition has ended.\n\n- The mitigation audit’s reward pool is based on how many bugs are fixed while the competitions are live relative to how many bugs are found in the mainnet Audit Competition. 
So if projects make more bug fixes mid-competition then the size of the mitigation audit reward pool increases up to the maximum.\n\n- The full mitigation audit reward terms can be [read here](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules).","rewardsPool":125000,"primaryPool":125000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"audit-comp-flare-fassets","tenPercentEconomicRule":false,"updatedDate":"2026-01-22T11:53:58.499Z","impactsBody":"**Build commands, Test commands, and instructions on how to run them:**\n\n- Instructions on how to start the project: https://github.com/flare-foundation/fassets?tab=readme-ov-file#getting-started. The easiest way is to add code in unit tests because the functionality on which the project relates is mocked.\n- Look at https://github.com/flare-foundation/fassets/blob/main/test/integration/fasset-simulation/AttackScenarios.ts where researchers have submitted their reports.\n- Information and some guides can also be found on Flare Dev Hub: https://dev.flare.network/fassets/overview\n\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\n- Only ERC20 for FAsset implementation\n\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\n- Coston (testnet), Coston2 (testnet), Songbird, Flare\n\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\n- The project is an upgrade of FAssets V1. The new functionality is centered around the core vault, exposed in the `CoreVaultFacet.sol`\n\n\n\n**Where do you suspect there may be bugs?**\n\n- Those interacting with new Core Vault features.\n\n\n**What external dependencies are there?**\n\n- FDC (Flare Data Connector), FTSO-V2 (Flare Time Series Oracle)\n\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\n- The FAssets system is able to support wrapped tokens for XRP, BTC and DOGE. 
However, the initial v1.1 deployment will only have XRP (FXRP) enabled and that will be the sole scope of this audit competition. Any attacks related to FBTC, FDOGE, or UTXO-based logic in general, are out of scope.\n- handshake-based functionalities based on a non-zero `handshakeType` setting are also out of scope.\n- Impacts caused by attacks requiring access to an **Agent** role without additional modifications to the privileges attributed are open to be downgraded by one level of severity (e.g. from Critical to High) \n\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\n- governance, core vault multisig\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\n\n- governance (hard to exceed the privileges, as they can update the contracts)\n\n\n**Previous Audits**\n\n- Flare Network’s completed audit reports can be found at https://dev.flare.network/support/audits/. Unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.","websiteUrl":"https://flare.network/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Flare is the blockchain for data. It is a layer-1, EVM smart contract platform designed to expand the utility of blockchain by delivering data certainty for dApp builders. \n\nFAssets is a trustless, over-collateralized bridge built on Flare that connects non smart contract networks to Flare/Songbird. It enables the creation of wrapped tokens (FAssets) for assets like BTC, DOGE and XRP. 
\n\n\nAt the core of FAssets v1.1 is a new architecture component called the Core Vault, designed to improve system liquidity, scalability, and capital efficiency.","knownIssues":[{"id":40,"link":"https://dev.flare.network/support/audits/","description":"Triggering instructions might run out of gas: the size of the allowed destination addresses will be low (5-10).","lastUpdatedAt":"2025-04-15T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":39,"link":"https://dev.flare.network/support/audits/","description":"Array of escrows always grows: the number of escrows created will be low (if it is more than one or two, we will increase the daily escrow amount). So the total number of escrows will not be huge, perhaps a few hundred.","lastUpdatedAt":"2025-04-15T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":38,"link":"https://dev.flare.network/support/audits/","description":"Escrows finalized close to expiry time decouple the Core Vault internal accountancy: before escrows are released, the triggering bots will be shut down, and they will only be enabled after setEscrowsFinished is called. So there will be no instructions triggered between escrow finalization and the corresponding update on the core vault manager.","lastUpdatedAt":"2025-04-15T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":37,"link":"https://dev.flare.network/support/audits/","description":"Users are unprotected against missing or malformed vault redemption payments: in that case, we assume the core vault has full trust, and its redemptions don't have a time limit. Also, core-vault redeemers are special entities.","lastUpdatedAt":"2025-04-15T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- The FAssets system is able to support wrapped tokens for XRP, BTC and DOGE. However, the initial v1.1 deployment will only have XRP (FXRP) enabled and that will be the sole scope of this audit competition. Any attacks related to FBTC, FDOGE, or UTXO-based logic in general, are out of scope.  \n- handshake-based functionalities based on a non-zero `handshakeType` setting are also out of scope.\n- Impacts caused by attacks requiring access to an **Agent** role without additional modifications to the privileges attributed are open to be downgraded by one level of severity (e.g. from Critical to High) ","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block 
stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5518,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"},{"id":5519,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"6BwfNYUlVA7VUckYvvo0Ey","url":"https://dev.flare.network/support/audits/","auditor":"Various Auditors","date":"2025-02-01"}]},{"assets":[{"id":"10mfwShB7bwMBi8snEtp3Q","url":"https://github.com/Consensys/linea-monorepo/blob/a9a43aafe9004c043b61063373264e2c9217a978/contracts-tge/src/L1/LineaToken.sol","type":"smart_contract","addedAt":"2025-09-24T06:30:08.153Z","revision":1,"description":"L1 LineaToken","isPrimacyOfImpact":null},{"id":"1FPzD4dotx57KpWJxWMQzZ","url":"https://github.com/Consensys/linea-monorepo/blob/a83412e247b7d352b905c906271138e97c1ee5a4/contracts/contracts/tokenBridge/TokenBridge.sol","type":"smart_contract","addedAt":"2025-09-10T15:22:40.709Z","revision":2,"description":"TokenBridge.sol","isPrimacyOfImpact":null},{"id":"3VbMArIG72Wl69rNbum0Qi","url":"https://github.com/Consensys/linea-monorepo/blob/a83412e247b7d352b905c906271138e97c1ee5a4/contracts/contracts/ZkEvmV2.sol","type":"smart_contract","addedAt":"2023-07-11T14:00:00.000Z","revision":6,"description":"Rollup 
ZkEVMv2.sol","isPrimacyOfImpact":null},{"id":"5jYVL8AED9m5hDaXSr4ETL","url":"https://github.com/Consensys/linea-monorepo/blob/a9a43aafe9004c043b61063373264e2c9217a978/contracts-tge/src/L2/L2LineaToken.sol","type":"smart_contract","addedAt":"2025-09-29T20:48:36.614Z","revision":1,"description":"L2 LineaToken","isPrimacyOfImpact":null},{"id":"6Q0CDCPsGM3tUlA5NgLIAf","url":"https://github.com/Consensys/linea-monorepo/blob/a83412e247b7d352b905c906271138e97c1ee5a4/contracts/contracts/messageService/l2/L2MessageService.sol","type":"smart_contract","addedAt":"2025-09-10T15:22:22.817Z","revision":2,"description":"L2MessageService.sol","isPrimacyOfImpact":null},{"id":"7K70pZ6znMGmIF2IRkt3cF","url":"https://github.com/Consensys/linea-monorepo/blob/a83412e247b7d352b905c906271138e97c1ee5a4/contracts/contracts/LineaRollup.sol","type":"smart_contract","addedAt":"2023-07-11T14:00:00.000Z","revision":5,"description":"Rollup LineaRollup.sol","isPrimacyOfImpact":null},{"id":"6lgarcovcirtWYOC2BUZZN","url":"https://immunefi.com/bug-bounty/linea/scope/#top","type":"smart_contract","addedAt":"2025-10-01T14:59:11.013Z","revision":1,"description":null,"isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Linea"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-07-11T14:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/79486-iBsXHAc2W40JUtjhEvU61-2Fr4tDIwLvSnpvuY4fUfVIpcBLgwQj.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L2"],"programOverview":"Linea is a type 2 zero knowledge Ethereum Virtual Machine (zkEVM). A zkEVM replicates the Ethereum environment as a rollup and allows developers to build on it as they would on Ethereum mainnet. Linea allows you to deploy any smart contract, use any tool, and develop as if you're building on Ethereum. For users, this enables the experience and security guarantees of Ethereum, but with lower transaction costs.\n\nLinea is a Consensys product. From the genesis block of Ethereum, Consensys was formed to be the strongest force for decentralization on the planet. We believe that through networks like Ethereum, humankind can achieve more. Our teams will steer the Linea project as we have other public goods, with an eye towards full decentralization and a commitment to open development.\n\nFor more information about Linea, please visit [https://linea.build/](https://linea.build/)\n\nConsensys provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n- Government ID\n\nKYC information is only required on confirmation of the validity of a bug report.   \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nConsensys adheres to the Primacy of Impact for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n- Smart Contract - Low\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. 
When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact. \n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n\n__Immunefi Standard Badge__\n\nConsensys has satisfied the requirements for the [Immunefi Standard Badge,](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-) which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"Linea","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks or attacks stemming from the same root cause, for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - Medium\n- Smart Contract - Low\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Consensys team directly and are denominated in 
USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"linea","updatedDate":"2026-01-22T11:53:56.373Z","impactsBody":null,"websiteUrl":"https://linea.build/","githubUrl":"https://github.com/Consensys/linea-monorepo","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Linea is a type 2 zero knowledge Ethereum Virtual Machine (zkEVM). A zkEVM replicates the Ethereum environment as a rollup and allows developers to build on it as they would on Ethereum mainnet. Linea allows you to deploy any smart contract, use any tool, and develop as if you're building on Ethereum.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Impacts caused by incorrectly provided user data (e.g. wrong fees, values or addresses etc.)\n- External 3rd party systems not maintained by Linea\n- Typographical errors\n- Gas optimizations\n\n","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":35856,"severity":"critical","assetType":"smart_contract","fixedReward":100000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":35857,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":35858,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"4nUCOiV1knd41jBm5Zsx2i","url":"https://diligence.consensys.io/audits/2025/07/linea-token-and-airdrop-contracts/","auditor":"Diligence 
Consensys","date":"2025-07-20T22:00:00.000Z"},{"id":"1rCoxsPaV7QMIKAdVbwTri","url":"https://www.openzeppelin.com/news/linea-tge-audit","auditor":"OpenZeppelin","date":"2025-09-02T22:00:00.000Z"},{"id":"1rr8EKoTuwmM3flf2GLoLf","url":"https://github.com/Cyfrin/cyfrin-audit-reports/blob/b9aace5911e3ff84488cb5199cfd28e7fe24d6aa/reports/2025-09-10-cyfrin-linea-tokens-v2.5.pdf","auditor":"Cyfrin","date":"2025-09-09T22:00:00.000Z"},{"id":"3pe5CIL27NWKabtjPorNdE","url":"https://diligence.consensys.io/audits/2024/12/linea-rollup-update/","auditor":"Consensys Diligence","date":"2024-12-05T23:00:00.000Z"},{"id":"1edOj04aBX6J28le2OFMPk","url":"https://www.openzeppelin.com/news/linearollup-and-tokenbridge-role-upgrade","auditor":"OpenZeppelin","date":"2024-11-27T23:00:00.000Z"},{"id":"7ooejn6y3t8UawH7VkJ6qq","url":"https://github.com/Cyfrin/cyfrin-audit-reports/blob/642b409c207d0e31679467480c3d9b8797b98696/reports/2025-01-06-cyfrin-linea-v2.2.pdf","auditor":"Cyfrin","date":"2025-01-05T23:00:00.000Z"},{"id":"616A6B7Rib0Nvg2d3w9rcY","url":"https://diligence.consensys.io/audits/2024/07/linea-rollup-update/","auditor":"Consensys Diligence","date":"2024-07-02T22:00:00.000Z"},{"id":"3QnYkcpXWtXoT0Gli8yYT1","url":"https://www.openzeppelin.com/news/linea-gas-optimizations-audit","auditor":"OpenZeppelin","date":"2024-05-16T22:00:00.000Z"},{"id":"zCKRAjPsG4kYFw1dz5cfp","url":"https://github.com/Cyfrin/cyfrin-audit-reports/blob/main/reports/2024-05-24-cyfrin-linea-v2.0.pdf","auditor":"Cyfrin","date":"2024-05-23T22:00:00.000Z"},{"id":"24279TU6lEThsCHL4uHTXs","url":"https://www.openzeppelin.com/news/linea-blob-submission-audit","auditor":"OpenZeppelin","date":"2024-03-20T23:00:00.000Z"},{"id":"14I7sW06XRc5wAi7IFLP4r","url":"https://diligence.consensys.io/audits/2024/01/linea-contracts-update/","auditor":"Consensys 
Diligence","date":"2024-01-11T23:00:00.000Z"},{"id":"2eS5ch0EiLZko2dWTg08cd","url":"https://www.openzeppelin.com/news/linea-v2-audit","auditor":"OpenZeppelin","date":"2024-02-13T23:00:00.000Z"},{"id":"4ST58nnKUf9b2Jr9jfDDj2","url":"https://diligence.consensys.io/audits/2023/06/linea-plonk-verifier/","auditor":"Consensys Diligence","date":"2023-05-07T22:00:00.000Z"},{"id":"6EROuSRkZOXt5UczKXhMgo","url":"https://diligence.consensys.io/audits/2023/06/linea-message-service/","auditor":"Consensys Diligence","date":"2023-06-04T22:00:00.000Z"},{"id":"7acGk6IVUECVhALjrFCVt1","url":"https://diligence.consensys.io/audits/2023/06/linea-canonical-token-bridge/","auditor":"Consensys Diligence","date":"2023-06-22T22:00:00.000Z"},{"id":"22EbmWyOi2ebfMpUXO1CVv","url":"https://www.openzeppelin.com/news/linea-bridge-audit-1","auditor":"OpenZeppelin","date":"2023-11-02T23:00:00.000Z"},{"id":"13zhIfTqPV9U5cZ43lq6jB","url":"https://www.openzeppelin.com/news/linea-verifier-audit-1","auditor":"OpenZeppelin","date":"2023-11-02T23:00:00.000Z"}]},{"assets":[{"id":"72Gdp3p81Pt25jDEtiPFAg","url":"https://github.com/flare-foundation/fassets/commit/59373cee12e6d2a9fa0a9cc8735bb486faa51b36","type":"smart_contract","addedAt":"2025-09-18T10:00:00.000Z","revision":1,"description":"Fix of Report - 45439","isPrimacyOfImpact":null},{"id":"7LBgYGXPY1kzYtiL1vbHlE","url":"https://github.com/flare-foundation/fassets/commit/2abc918d3dec2ea6c4f34ca972a6eeb89b4ecafc","type":"smart_contract","addedAt":"2025-09-18T10:00:00.000Z","revision":2,"description":"Fix of Report - 45478","isPrimacyOfImpact":null},{"id":"6jtjACTIFW4wz8P00O8tw4","url":"https://github.com/flare-foundation/fassets/commit/7aa02b62285cd5313032103710c2e083b166bf60","type":"smart_contract","addedAt":"2025-09-18T10:00:00.000Z","revision":3,"description":"Fix of Report - 
45533","isPrimacyOfImpact":null},{"id":"4qgCuj27NYYUdx256TQGC0","url":"https://github.com/flare-foundation/fassets/commit/92e1e2bdc6e8f75f61cfd9f10ddb05df4a7c8c6b","type":"smart_contract","addedAt":"2025-09-18T10:00:00.000Z","revision":2,"description":"Fix of Report - 45893","isPrimacyOfImpact":null},{"id":"7DwOhGihEk2D9RG11V2txD","url":"https://github.com/flare-foundation/fassets/commit/29d4370abb61ca0e2df4d741245537a15cdf2e2e","type":"smart_contract","addedAt":"2025-09-18T10:00:00.000Z","revision":3,"description":"Fix of Report - 45897","isPrimacyOfImpact":null},{"id":"70nxgTeBC03Eu7bXSADrHq","url":"https://github.com/flare-foundation/fassets/commit/5f82ac58e9c74f58a927c66a0df50df25b67e60b","type":"smart_contract","addedAt":"2025-09-18T10:00:00.000Z","revision":2,"description":"Fix of Report - 45904","isPrimacyOfImpact":null},{"id":"22GdQOkEXrUpNXVSXMLimh","url":"https://github.com/flare-foundation/fassets/commit/03304ecf8110fd32f94620f111e2593f6969d573","type":"smart_contract","addedAt":"2025-09-18T10:00:00.000Z","revision":3,"description":"Fix of Report - 45514","isPrimacyOfImpact":null},{"id":"aqhqDUgfU7ql8f3viPbqx","url":"https://github.com/flare-foundation/fassets/commit/01190b0e4386714d4c2b968597fce5f35cf58047","type":"smart_contract","addedAt":"2025-09-18T10:00:00.000Z","revision":2,"description":"Fix of Report - 46265","isPrimacyOfImpact":null},{"id":"6ntq9fZvD1worIw8qTIFQn","url":"https://github.com/flare-foundation/fassets/commit/7dd1ddd574989c44b3057ce426ff188bc69743d1","type":"smart_contract","addedAt":"2025-09-18T10:00:00.000Z","revision":3,"description":"Fix of Report - 46520","isPrimacyOfImpact":null}],"assetsBodyV2":"**Proof of Concept (PoC) Requirements**: A runnable PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Asset Accuracy Assurance__\n\n- Bugs 
found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\n- Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\n- Flare adheres to the Primacy of Rules, which means that the whole Audit Competition & Mitigation Audit program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\n- No KYC is required for the Flare FAssets Audit Competition & Mitigation Audit\n\n__Eligibility Criteria__\n\n- Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n   - On OFACs SDN list \n   - Official contributor, both past or present\n   - Employees and/or individuals closely associated with the project \n   - Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\n- Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n   - Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\n- Immunefi may publish bug reports submitted to this Audit Competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\n- When there is uncertainty about how feasible an attack is Immunefi will use our feasibility limitation standards to determine the severity of the report.\n\n__Immunefi Standard Badge__\n\n- By adhering to Immunefi’s best practice recommendations, Flare Network has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"**Thank You to All Participating Security Researchers!**\n\nThe audit competition has now concluded and is currently in the evaluation 
phase. During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving vulnerabilities, helping to strengthen and secure the platform for all users.\n\n[Leaderboard](https://immunefi.com/audit-competition/flare-fassets--mitigation-audit/leaderboard)   |   [Findings](https://reports.immunefi.com/flare-fassets-or-mitigation-audit)   |   [Summary Report](https://drive.google.com/file/d/1A5I57H4WPB4kOqeHE5oxsffKxDfUTKuU/view)","boostedIntroLive":"**$25,000 USD** in rewards available for finding bugs in the fixes from the [Flare Fassets Mainnet Audit Competition](https://immunefi.com/audit-competition/audit-comp-flare-fassets/leaderboard/#top)\n\nFor more information, please visit [Flare Network](https://flare.network/)\n\n- KYC is not required.\n\n- Flat Reward Pool \n\n- Any technical questions and support requests can be asked directly to Flare Network or Immunefi in the [Flare Network Audit Competition Discord channel](https://discord.com/channels/787092485969150012/1369326485659189259).\n\n- When the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\n- **Runnable POCs are required**. Read our [Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- Insight reports can be submitted. 
Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedIntroStartingIn":"**$25,000 USD** in rewards available for finding bugs in the fixes from the <a href=\"https://immunefi.com/audit-competition/audit-comp-flare-fassets/information\" target=\"_blank\" rel=\"noopener noreferrer\">Flare Fassets Mainnet Audit Competition</a>\n\nFor more information, please visit [Flare Network](https://flare.network/)\n\n- KYC is not required.\n\n- Flat Reward Pool \n\n- Any technical questions and support requests can be asked directly to Flare Network or Immunefi in the [Flare Network Audit Competition Discord channel](https://discord.com/channels/787092485969150012/1369326485659189259).\n\n- When the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\n- **Runnable POCs are required**. Read our [Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- Insight reports can be submitted. 
Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedLeaderboard":[{"high":0,"name":"Pig46940","aspRank":2,"critical":0,"earnings":7396,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":8246,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":850},{"high":0,"name":"holydevoti0n","aspRank":1,"critical":0,"earnings":7083,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":7908,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":825},{"high":0,"name":"rick137","aspRank":3,"critical":0,"earnings":7083,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":7908,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":825},{"high":0,"name":"XDZIBECX","aspRank":6,"critical":0,"earnings":625,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":625,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"r1ver","aspRank":7,"critical":0,"earnings":188,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":188,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"HarryBarz","aspRank":4,"critical":0,"earnings":62,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":62,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Rhaydden","aspRank":5,"critical":0,"earnings":62,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":62,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0}],
"boostedSummaryReport":"https://drive.google.com/file/d/1A5I57H4WPB4kOqeHE5oxsffKxDfUTKuU/view?usp=sharing","ecosystem":null,"endDate":"2025-09-25T10:00:00.000Z","evaluationEndDate":"2025-10-22T09:09:40.106Z","features":["Boost","Vault","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2025-09-18T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1JzpONYtkc9rdKHoU36rbo/04803c1136f97e969cf93c7a77b20ee6/Flare.png","maxBounty":25000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Flare is the blockchain for data. It is a layer-1, EVM smart contract platform designed to expand the utility of blockchain by delivering data certainty for dApp builders.\n\nFAssets is a trustless, over-collateralized bridge built on Flare that connects non smart contract networks to Flare/Songbird. It enables the creation of wrapped tokens (FAssets) for assets like BTC, DOGE and XRP. The original assets are deposited to the address of an agent and can later be redeemed.  \n\nAt the core of FAssets v1.1 is a new architecture component called the **Core Vault**, designed to improve system liquidity, scalability, and capital efficiency. It serves as a liquidity hub where Agents can deposit native assets (e.g., XRP) and unlock their FLR or SGB collateral. The minted FAssets are secured by collateral, which is in the form of ERC20 tokens on Flare/Songbird chain and native tokens (FLR on Flare, SGB on Songbird). These tokens can participate in Flare's DeFi ecosystem. 
\n\nThe FAsset system maintains security by ensuring every minted FAsset is backed by more value than it represents, creating a safeguard against volatility and protecting users from potential losses. \nTwo protocols, available on Flare and Songbird blockchains, enable the FAsset system to operate:\n- **FTSO** contracts which provide decentralised price feeds for multiple tokens.\n- Flare’s **Flare data connector**, which bridges payment data from any connected chain.\nFlare provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\nFor more information about Flare, please visit [https://flare.network](https://flare.network)\n\nThis is the **Mitigation Audit** following the [Flare FAssets Mainnet Audit Competition](https://immunefi.com/audit-competition/audit-comp-flare-fassets/information) and the project may fix bugs mid-competition.","programType":["Smart Contract"],"project":"Mitigation Audit | Flare | FAssets","projectType":null,"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nRewards are denominated in USD and distributed in **USDC** on **Ethereum**.\n\n### Flat Rewards\n\n**Mitigation Audit Rewards**: The reward pool is **$25,000 USD** if any bug is found.\n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is **$3,750 USD**","rewardsPool":25000,"primaryPool":17500,"allStarsPool":5000,"podiumPool":2500,"rewardsToken":"USDC","slug":"flare-fassets--mitigation-audit","tenPercentEconomicRule":false,"updatedDate":"2026-01-22T11:53:49.899Z","impactsBody":"**Build Commands, Test Commands, and How to Run Them**\n- Instructions on how to start the project: https://github.com/flare-foundation/fassets?tab=readme-ov-file#getting-started\n- The easiest way is to add code in 
unit tests because the functionality on which the project relates is mocked.\n- You can look at https://github.com/flare-foundation/fassets/blob/main/test/integration/fasset-simulation/AttackScenarios.ts where researchers have submitted their reports.\n- Information and some guides can also be found on the Flare Dev Hub: https://dev.flare.network/fassets/overview\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\nThe FAssets system is able to support wrapped tokens for XRP, BTC and DOGE. However, the initial v1.1 deployment will only have XRP (FXRP) enabled and that will be the sole scope of this audit competition. Any attacks related to FBTC, FDOGE, or UTXO-based logic in general, are out of scope.\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nAs a result of the Main Audit Competition, here are the changes: \n\n- Removed trailing fees\n- Removed handshake\n- Removed collateral pool topup functionality\n- Simplified enter/exit logic in collateral pool, so that FAsset fees are transferred separately by payFAssetFeeDebt and withdrawPoolFees\n- Each main operation in collateral pool now emits its own event\n- Removed special support for WNat as vault collateral\n- All NAT transfers from asset manager (e.g. paying executor) are WNat deposits to avoid reentrancy and DOS issues (the exception is returning overpaid fee to msg.sender, but that is strictly done at the end of methods)\n- Removed token tracking in agent vault; instead tokens can be withdrawn from agent vault after destroy\n- Bulk of the external code has been moved to the facets (previously the facets just delegated to the library methods). 
The libraries now only contain internal reusable code.\n- Removed FTSOv1 support.\n- Removed minUnderlyingBackingBIPS, now the backing must always be 100%.\n- Removed waiting time for underlying withdrawal confirmation (it was supposed to solve an issue that was better solved with withdrawal id randomization)\n- Instead of deleting storage structures at the end of lifetime, just mark them as deleted (for agents, collateral reservations, redemption requests)\n- Removed EOA ownership proofs - they were obsoleted by EIP-7702 and we officially don't support smart contract chains now.\n- Removed terminate and agent buyback functionality - replaced by allowing agents to transfer all their backing to the core vault when the FAsset is winding down.\n- Refactored Agents library into several libraries.\n- To keep the storage compatible with the deployed contracts on Songbird (to enable upgrade by diamond cut), the variables not needed anymore have remained, but we have prefixed them with __.\n- ##Code organization\n- Use custom errors in reverts instead of error strings.\n- Major contracts grouped with related files in their own directories.\n- No more '*' imports.\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nThose interacting with new Core Vault features.\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\nWe use only ERC20 for our FAsset implementation\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\ngovernance, core vault multisig\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\n\ngovernance (hard to exceed the privileges, as they can update the contracts)\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nCoston (testnet), 
Coston2 (testnet), Songbird, Flare\n\n**What external dependencies are there?**\n\nFDC (Flare Data Connector), FTSO-V2 (Flare Time Series Oracle)\n\n**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)**\n\n- For concept-level understanding, visit the Flare Developer Hub https://dev.flare.network/fassets/overview \n- For technical details:\n    - Refer to the inline code documentation directly in the repository.\n    - As an example, you can explore the Redemption function implementation in RedemptionRequestsFacet.sol https://github.com/flare-labs-ltd/fassets/blob/main/contracts/assetManager/facets/RedemptionRequestsFacet.sol#L33\n\n**Previous Audits**\n- Flare Network’s completed audit reports can be found at https://dev.flare.network/support/audits/. Unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n- Flare FAssets Mainnet Audit Competition Reports are available at https://reports.immunefi.com/flare-fassets","websiteUrl":"https://flare.network/","githubUrl":"https://github.com/flare-foundation/fassets","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Flare is the blockchain for data. It is a layer-1, EVM smart contract platform designed to expand the utility of blockchain by delivering data certainty for dApp builders. \n\nFAssets is a trustless, over-collateralized bridge built on Flare that connects non smart contract networks to Flare/Songbird. It enables the creation of wrapped tokens (FAssets) for assets like BTC, DOGE and XRP. 
\n\n\nAt the core of FAssets v1.1 is a new architecture component called the **Core Vault**, designed to improve system liquidity, scalability, and capital efficiency.","knownIssues":[{"id":76,"link":"https://reports.immunefi.com/flare-fassets/","description":"Triggering instructions might run out of gas: the size of the allowed destination addresses will be low (5-10).","lastUpdatedAt":"2025-09-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":75,"link":"https://reports.immunefi.com/flare-fassets/","description":"Array of escrows always grows: the number of escrows created will be low (if it is more than one or two, we will increase the daily escrow amount). So the total number of escrows will not be huge, perhaps a few hundred.","lastUpdatedAt":"2025-09-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":74,"link":"https://reports.immunefi.com/flare-fassets/","description":"Escrows finalized close to expiry time decouple the Core Vault internal accountancy: before escrows are released, the triggering bots will be shut down, and they will only be enabled after setEscrowsFinished is called. So there will be no instructions triggered between escrow finalization and the corresponding update on the core vault manager.","lastUpdatedAt":"2025-09-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":73,"link":"https://reports.immunefi.com/flare-fassets/","description":"Users are unprotected against missing or malformed vault redemption payments: in that case, we assume the core vault has full trust, and its redemptions don't have a time limit. Also, core-vault redeemers are special entities.","lastUpdatedAt":"2025-09-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5721,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"},{"id":5722,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"jiWQmbK8Tppe0B6eYSPi6","url":"https://dev.flare.network/support/audits/","auditor":"All Audits","date":"2025-04-01"},{"id":"17MP0yQRt99lnDME6BySuK","url":"https://reports.immunefi.com/flare-fassets","auditor":"Immunefi","date":"2025-08-25"}]},{"assets":[{"id":"Rf11ZFafbAyQfBkdknp8s","url":"https://www.bscscan.com/address/0xb68F5247f31fe28FDe0b0F7543F635a4d6EDbD7F","type":"smart_contract","addedAt":"2023-02-09T20:00:00.000Z","revision":2,"description":"Main Pool USDC Deposit Helper","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an Critical and High impact can be caused to any other asset managed by MagpieXYZ that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the 
project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC","Arbitrum","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-02-09T20:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2vJzZgqrXJMktkGnp6dAD0/aa53b3071c402376d83ff78bd71fe24b/Magpie_logo_Small.png","maxBounty":10000,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["DAO","Staking","Token","Yield Aggregator"],"programOverview":"Magpie is a BNB Chain native yield boosting platform that maximizes governance benefits for veTokenomics based protocols. Incubated by Wombat Exchange, Magpie is focused on locking WOM tokens to own governance rights and boosted yield benefits as liquidity provider on Wombat. \n\nThe platform offers users the opportunity to deposit their Stablecoins, BNB and Liquid BNB in single-sided boosted pools to earn high APR % while it allows Wombat Exchange voters to cost-effectively acquire voting power and earn passive income at the same time through the MGP token.\n\nMagpie offers WOM holders the chance to earn high APR by converting their tokens into mWOM. mWOM refers to \"Magpie WOM\". mWOM can be staked on Magpie to earn boosted passive income.\n\nWhen users convert their WOM tokens, they get mWOM that allows them to earn high rewards while Magpie locks all the converted WOM as veWOM on Wombat Exchange. That's how Magpie accumulates veWOM. veWOM entitles Magpie to boosted WOM rewards and governance benefits on Wombat Exchange. 
That's why Magpie can offer users sustainable boosted passive income.\n\nFor more information about MagpieXYZ, please visit [https://www.magpiexyz.io/ ](https://www.magpiexyz.io/)","programType":["Smart Contract"],"project":"MagpieXYZ","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the  [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nAll Critical Smart Contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.  In addition, all Critical severity bug reports must come with a suggestion for a fix in order to be considered for a reward. \n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 50 000__ for Critical smart contract bug reports. \n\nRewards for high smart contract vulnerabilities are further capped at 20% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 5 000__ for High smart contract bug reports.\n\nKnown issues highlighted in the following audit reports are considered out of scope: \n- [https://docs.magpiexyz.io/security/audit-reports](https://docs.magpiexyz.io/security/audit-reports)\n\nPayouts are handled by the __MagpieXYZ__ team directly and are denominated in USD. 
However, payouts are done in __USDC__ and __BUSD__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC and BUSD","slug":"magpiexyz","updatedDate":"2026-01-22T11:53:45.711Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Magpie is a liquid locker for yield boosting platform that maximizes governance benefits for veTokenomics based protocols. Wompie is currently inactive, we will share more contracts for bug bounty soon.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3806,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":3807,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":3808,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds (vulnerabilities purely relying on the project neglecting to top up funds in their smart contracts are out of scope)"},{"id":3809,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":3810,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":38739,"severity":"critical","assetType":"smart_contract","maxReward":200000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":38740,"severity":"high","assetType":"smart_contract","maxReward":50000,"rewardModel":"up_to"},{"id":38741,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":38742,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"6znr3yyInsHNxHmK72oSOV","url":"https://arbiscan.io/address/0x489ee077994B6658eAfA855C308275EAd8097C4A","type":"smart_contract","addedAt":"2024-11-06T07:35:03.558Z","revision":1,"description":"Vault","isPrimacyOfImpact":null},{"id":"3RzMeElWMsXtFKHqdte23C","url":"https://arbiscan.io/address/0xaBBc5F99639c9B6bCb58544ddf04EFA6802F4064","type":"smart_contract","addedAt":"2024-11-06T07:35:04.125Z","revision":1,"description":"Router","isPrimacyOfImpact":null},{"id":"6CXWry8TcOoyf17cdLf7aq","url":"https://arbiscan.io/address/0x321f653eed006ad1c29d174e17d96351bde22649","type":"smart_contract","addedAt":"2024-11-06T07:35:04.709Z","revision":1,"description":"Glp 
Manager","isPrimacyOfImpact":null},{"id":"12qnkwdy04V8R230LaRb1J","url":"https://arbiscan.io/address/0x5E4766F932ce00aA4a1A82d3Da85adf15C5694A1","type":"smart_contract","addedAt":"2024-11-06T07:35:05.354Z","revision":1,"description":"Reward RouterV2","isPrimacyOfImpact":null},{"id":"2vKOQA2WB4OlMt8n9IS8vT","url":"https://arbiscan.io/address/0x4277f8F2c384827B5273592FF7CeBd9f2C1ac258","type":"smart_contract","addedAt":"2024-11-06T07:35:05.894Z","revision":1,"description":"GLP","isPrimacyOfImpact":null},{"id":"2OuNbnqnTukuud1NMLHbFN","url":"https://arbiscan.io/address/0xfc5A1A6EB076a2C7aD06eD22C90d7E710E35ad0a","type":"smart_contract","addedAt":"2024-11-06T07:35:06.432Z","revision":1,"description":"GMX","isPrimacyOfImpact":null},{"id":"74fyGoRdmqF46jKpmcdxnv","url":"https://arbiscan.io/address/0xf42Ae1D54fd613C9bb14810b0588FaAa09a426cA","type":"smart_contract","addedAt":"2024-11-06T07:35:07.169Z","revision":1,"description":"EsGMX","isPrimacyOfImpact":null},{"id":"6235JTbsmYToqypgzlEkC6","url":"https://arbiscan.io/address/0x35247165119B69A40edD5304969560D0ef486921","type":"smart_contract","addedAt":"2024-11-06T07:35:07.757Z","revision":1,"description":"BnGMX","isPrimacyOfImpact":null},{"id":"5eqm12ti0oK9vxLeaLkYM","url":"https://arbiscan.io/address/0x45096e7aA921f27590f8F19e457794EB09678141","type":"smart_contract","addedAt":"2024-11-06T07:35:08.577Z","revision":1,"description":"USDG","isPrimacyOfImpact":null},{"id":"3ZwxGAMB3LhmD3HlMtwNF1","url":"https://arbiscan.io/address/0x908c4d94d34924765f1edc22a1dd098397c59dd4","type":"smart_contract","addedAt":"2024-11-06T07:35:09.093Z","revision":1,"description":"Staked Gmx Tracker","isPrimacyOfImpact":null},{"id":"3oQEEDDnfVSFo10IVVJMcK","url":"https://arbiscan.io/address/0x4d268a7d4C16ceB5a606c173Bd974984343fea13","type":"smart_contract","addedAt":"2024-11-06T07:35:09.655Z","revision":1,"description":"Bonus Gmx 
Tracker","isPrimacyOfImpact":null},{"id":"1AeWObIV3EtuYPiM1bmxYO","url":"https://arbiscan.io/address/0x0755D33e45eD2B874c9ebF5B279023c8Bd1e5E93","type":"smart_contract","addedAt":"2024-11-06T07:35:10.171Z","revision":1,"description":"Extended Gmx Tracker","isPrimacyOfImpact":null},{"id":"1Zp8dqi7TAmTjWwVi8es7z","url":"https://arbiscan.io/address/0xd2D1162512F927a7e282Ef43a362659E4F2a728F","type":"smart_contract","addedAt":"2024-11-06T07:35:10.734Z","revision":1,"description":"Fee Gmx Tracker","isPrimacyOfImpact":null},{"id":"3jjBWjucWkELPesqw9X0i2","url":"https://arbiscan.io/address/0x1aDDD80E6039594eE970E5872D247bf0414C8903","type":"smart_contract","addedAt":"2024-11-06T07:35:11.278Z","revision":1,"description":"Staked Glp Tracker","isPrimacyOfImpact":null},{"id":"6W4517SNAYbi1pWh9swCx5","url":"https://arbiscan.io/address/0x4e971a87900b931fF39d1Aad67697F49835400b6","type":"smart_contract","addedAt":"2024-11-06T07:35:11.818Z","revision":1,"description":"Fee Glp Tracker","isPrimacyOfImpact":null},{"id":"6cbqlidVzvHhrFMAj5HbnH","url":"https://arbiscan.io/address/0x23208b91a98c7c1cd9fe63085bff68311494f193","type":"smart_contract","addedAt":"2024-11-06T07:35:12.549Z","revision":1,"description":"Staked Gmx Distributor","isPrimacyOfImpact":null},{"id":"1tG77pZtD8xSIFvheChe7W","url":"https://arbiscan.io/address/0x03f349b3cc4f200d7fae4d8ddaf1507f5a40d356","type":"smart_contract","addedAt":"2024-11-06T07:35:13.099Z","revision":1,"description":"Bonus Gmx Distributor","isPrimacyOfImpact":null},{"id":"7hzwBHh9qHV6NPl4mABAv6","url":"https://arbiscan.io/address/0x1de098faf30bd74f22753c28db17a2560d4f5554","type":"smart_contract","addedAt":"2024-11-06T07:35:13.627Z","revision":1,"description":"Fee Gmx Distributor","isPrimacyOfImpact":null},{"id":"6znwREp4hkFbnMsRq1RI1c","url":"https://arbiscan.io/address/0x60519b48ec4183a61ca2b8e37869e675fd203b34","type":"smart_contract","addedAt":"2024-11-06T07:35:14.136Z","revision":1,"description":"Staked Glp 
Distributor","isPrimacyOfImpact":null},{"id":"4wQwmPTpCAicEMIRi6yzHN","url":"https://arbiscan.io/address/0x5c04a12eb54a093c396f61355c6da0b15890150d","type":"smart_contract","addedAt":"2024-11-06T07:35:14.601Z","revision":1,"description":"Fee Glp Distributor","isPrimacyOfImpact":null},{"id":"7MUcSRBv0KIeOEy5LLPssT","url":"https://arbiscan.io/address/0x199070DDfd1CFb69173aa2F7e20906F26B363004","type":"smart_contract","addedAt":"2024-11-06T07:35:15.137Z","revision":1,"description":"Gmx Vester","isPrimacyOfImpact":null},{"id":"3NALhE5Fe1JVkPM4qWVLtE","url":"https://arbiscan.io/address/0xA75287d2f8b217273E7FCD7E86eF07D33972042E","type":"smart_contract","addedAt":"2024-11-06T07:35:15.630Z","revision":1,"description":"Glp Vester","isPrimacyOfImpact":null},{"id":"6iffl4DlyY2hBn3Z01UV6","url":"https://arbiscan.io/address/0x3f3e77421e30271568ef7a0ab5c5f2667675341e","type":"smart_contract","addedAt":"2024-11-06T07:35:16.281Z","revision":1,"description":"Timelock","isPrimacyOfImpact":null},{"id":"2T8EX3mayqwHOVNk5qVSmd","url":"https://arbiscan.io/address/0x01AF26b74409d10e15b102621EDd29c326ba1c55","type":"smart_contract","addedAt":"2024-11-06T07:35:16.811Z","revision":1,"description":"Staked Glp","isPrimacyOfImpact":null},{"id":"ymWL98ul8d4S3R5jg3srv","url":"https://arbiscan.io/address/0x13E0BbE893B33b64D4f3F96725dd70531fA4EbCe","type":"smart_contract","addedAt":"2024-11-06T07:35:17.343Z","revision":1,"description":"Glp Balance","isPrimacyOfImpact":null},{"id":"4ZMjMhGJi6AG1n9LGCqbud","url":"https://arbiscan.io/address/0x09f77e8a13de9a35a7231028187e9fd5db8a2acb#code","type":"smart_contract","addedAt":"2024-11-06T07:35:17.850Z","revision":1,"description":"Order 
Book","isPrimacyOfImpact":null},{"id":"PEjEWGY9XTQGOTSfEvAJs","url":"https://snowtrace.io/address/0x9ab2De34A33fB459b538c43f251eB825645e8595","type":"smart_contract","addedAt":"2024-11-06T07:35:18.358Z","revision":1,"description":"Vault","isPrimacyOfImpact":null},{"id":"6kjFZeWi2q9xZVq7xl0iMM","url":"https://snowtrace.io/address/0x5f719c2f1095f7b9fc68a68e35b51194f4b6abe8","type":"smart_contract","addedAt":"2024-11-06T07:35:18.813Z","revision":1,"description":"Router","isPrimacyOfImpact":null},{"id":"2zPpOylacSLM25uzMS77d1","url":"https://snowtrace.io/address/0xe1ae4d4b06A5Fe1fc288f6B4CD72f9F8323B107F","type":"smart_contract","addedAt":"2024-11-06T07:35:19.301Z","revision":1,"description":"Glp Manager","isPrimacyOfImpact":null},{"id":"3iL5BlPgEU3bSb9rRNcLIt","url":"https://snowtrace.io/address/0x091eD806490Cc58Fd514441499e58984cCce0630","type":"smart_contract","addedAt":"2024-11-06T07:35:19.816Z","revision":1,"description":"Reward RouterV2","isPrimacyOfImpact":null},{"id":"510q5DCl8oKV0mgHKoJwsE","url":"https://snowtrace.io/address/0x01234181085565ed162a948b6a5e88758CD7c7b8","type":"smart_contract","addedAt":"2024-11-06T07:35:20.331Z","revision":1,"description":"GLP","isPrimacyOfImpact":null},{"id":"rinKKzQjwg7PqQ148nOIG","url":"https://snowtrace.io/address/0x62edc0692BD897D2295872a9FFCac5425011c661","type":"smart_contract","addedAt":"2024-11-06T07:35:20.815Z","revision":1,"description":"GMX","isPrimacyOfImpact":null},{"id":"4i0IlvalTu5A1rXLz2khAS","url":"https://snowtrace.io/address/0xFf1489227BbAAC61a9209A08929E4c2a526DdD17","type":"smart_contract","addedAt":"2024-11-06T07:35:21.319Z","revision":1,"description":"EsGMX","isPrimacyOfImpact":null},{"id":"67BLOXaIDdGEBUAz0JfvbI","url":"https://snowtrace.io/address/0x8087a341D32D445d9aC8aCc9c14F5781E04A26d2","type":"smart_contract","addedAt":"2024-11-06T07:35:21.775Z","revision":1,"description":"BnGMX","isPrimacyOfImpact":null},{"id":"4kc4yiMSGdeUpZFLvSDEEI","url":"https://snowtrace.io/address/0xc0253c3cC6aa5Ab407b5795a
04c28fB063273894","type":"smart_contract","addedAt":"2024-11-06T07:35:22.232Z","revision":1,"description":"USDG","isPrimacyOfImpact":null},{"id":"4hE5NDMQ8m6UfND7EWb9Yq","url":"https://snowtrace.io/address/0x2bD10f8E93B3669b6d42E74eEedC65dd1B0a1342","type":"smart_contract","addedAt":"2024-11-06T07:35:22.811Z","revision":1,"description":"Staked Gmx Tracker","isPrimacyOfImpact":null},{"id":"5m4KKlm1VlpYpl35UZmNRH","url":"https://snowtrace.io/address/0x908C4D94D34924765f1eDc22A1DD098397c59dD4","type":"smart_contract","addedAt":"2024-11-06T07:35:23.256Z","revision":1,"description":"Bonus Gmx Tracker","isPrimacyOfImpact":null},{"id":"3Thlveg4jC6686K2xwVw1F","url":"https://snowtrace.io/address/0xB0D12Bf95CC1341d6C845C978daaf36F70b5910d","type":"smart_contract","addedAt":"2024-11-06T07:35:23.744Z","revision":1,"description":"Extended Gmx Tracker","isPrimacyOfImpact":null},{"id":"6dTl4MdM3jOesrdVZhI124","url":"https://snowtrace.io/address/0x4d268a7d4C16ceB5a606c173Bd974984343fea13","type":"smart_contract","addedAt":"2024-11-06T07:35:24.221Z","revision":1,"description":"Fee Gmx Tracker","isPrimacyOfImpact":null},{"id":"1jKyfKtpwuIRK6V8Uqb8HB","url":"https://snowtrace.io/address/0x9e295B5B976a184B14aD8cd72413aD846C299660","type":"smart_contract","addedAt":"2024-11-06T07:35:24.755Z","revision":1,"description":"Staked Glp Tracker","isPrimacyOfImpact":null},{"id":"2NYxI5SpxvfdWeMd4QIoE5","url":"https://snowtrace.io/address/0xd2D1162512F927a7e282Ef43a362659E4F2a728F","type":"smart_contract","addedAt":"2024-11-06T07:35:25.253Z","revision":1,"description":"Fee Glp Tracker","isPrimacyOfImpact":null},{"id":"2CSV5DEm1mP7kN0mCGVzl7","url":"https://snowtrace.io/address/0xfc5A1A6EB076a2C7aD06eD22C90d7E710E35ad0a","type":"smart_contract","addedAt":"2024-11-06T07:35:25.753Z","revision":1,"description":"Staked Gmx 
Distributor","isPrimacyOfImpact":null},{"id":"4cFymrDEnRSvwqKlgV3Fzt","url":"https://snowtrace.io/address/0x23208b91a98c7c1cd9fe63085bff68311494f193","type":"smart_contract","addedAt":"2024-11-06T07:35:26.272Z","revision":1,"description":"Bonus Gmx Distributor","isPrimacyOfImpact":null},{"id":"6XpJvb8QJHkMdfefUNvBK5","url":"https://snowtrace.io/address/0x03f349b3cc4f200d7fae4d8ddaf1507f5a40d356","type":"smart_contract","addedAt":"2024-11-06T07:35:26.728Z","revision":1,"description":"Fee Gmx Distributor","isPrimacyOfImpact":null},{"id":"5n3rgx0g3CIfmTRPAlujpw","url":"https://snowtrace.io/address/0xdd593cf40734199afc9207ebe9fff23da4bf7720","type":"smart_contract","addedAt":"2024-11-06T07:35:27.207Z","revision":1,"description":"Staked Glp Distributor","isPrimacyOfImpact":null},{"id":"01fvYmEsqXIMvrinEzG3om","url":"https://snowtrace.io/address/0x1de098faf30bd74f22753c28db17a2560d4f5554","type":"smart_contract","addedAt":"2024-11-06T07:35:27.709Z","revision":1,"description":"Fee Glp Distributor","isPrimacyOfImpact":null},{"id":"5Io0xbEMm3w3ua2O0z6dYN","url":"https://snowtrace.io/address/0x472361d3cA5F49c8E633FB50385BfaD1e018b445","type":"smart_contract","addedAt":"2024-11-06T07:35:28.208Z","revision":1,"description":"Gmx Vester","isPrimacyOfImpact":null},{"id":"o0aTSCjqXQyKobyRHW1B6","url":"https://snowtrace.io/address/0x62331A7Bd1dfB3A7642B7db50B5509E57CA3154A","type":"smart_contract","addedAt":"2024-11-06T07:35:28.735Z","revision":1,"description":"Glp Vester","isPrimacyOfImpact":null},{"id":"60DgPpJ7EF5EGzSlEd0Ucx","url":"https://snowtrace.io/address/0x5643F4b25E36478eE1E90418d5343cb6591BcB9d","type":"smart_contract","addedAt":"2024-11-06T07:35:29.270Z","revision":1,"description":"Staked Glp","isPrimacyOfImpact":null},{"id":"7gw6HGCmen5GrkQidfpT5m","url":"https://snowtrace.io/address/0x4296e307f108B2f583FF2F7B7270ee7831574Ae5","type":"smart_contract","addedAt":"2024-11-06T07:35:29.835Z","revision":1,"description":"Order 
Book","isPrimacyOfImpact":null},{"id":"61fykRwlo9Rl5CYgHUZphy","url":"https://arbiscan.io/address/0x9242FbED25700e82aE26ae319BCf68E9C508451c","type":"smart_contract","addedAt":"2024-11-06T07:35:30.321Z","revision":1,"description":"AdlHandler","isPrimacyOfImpact":null},{"id":"4JR9EPRJOexQ63Ov79SZcS","url":"https://arbiscan.io/address/0x113Fc422d9D49b7371b7A164f62b839877DCbb93","type":"smart_contract","addedAt":"2024-11-06T07:35:30.765Z","revision":1,"description":"AdlUtils","isPrimacyOfImpact":null},{"id":"6E38tyynebnL5GUENvGsBd","url":"https://arbiscan.io/address/0xa3346F984c3c5F73B603adA39FC2b2C88899dd67","type":"smart_contract","addedAt":"2024-11-06T07:35:31.247Z","revision":1,"description":"AutoCancelSyncer","isPrimacyOfImpact":null},{"id":"2XrCpQnkyicCvMTnplWm1G","url":"https://arbiscan.io/address/0x23aD637ccC648F0D83A74491bDB4cd4C50983911","type":"smart_contract","addedAt":"2024-11-06T07:35:31.888Z","revision":1,"description":"BaseOrderUtils","isPrimacyOfImpact":null},{"id":"5a4dJI4QDUs0gRMluVKj3o","url":"https://arbiscan.io/address/0x41418793Aa2B2D595b37398ec6AF99ec6b40f48e","type":"smart_contract","addedAt":"2024-11-06T07:35:32.400Z","revision":1,"description":"CallbackUtils","isPrimacyOfImpact":null},{"id":"1O8Pko6vNt2Tam8PfNxBoZ","url":"https://arbiscan.io/address/0x9E6ac9e474Ce93040141391bf52fa74135490f50","type":"smart_contract","addedAt":"2024-11-06T07:35:32.867Z","revision":1,"description":"ChainReader","isPrimacyOfImpact":null},{"id":"cdQbMu5gk4WjjkIVil8kh","url":"https://arbiscan.io/address/0x83cBb05AA78014305194450c4AADAc887fe5DF7F","type":"smart_contract","addedAt":"2024-11-06T07:35:33.353Z","revision":1,"description":"ChainlinkDataStreamProvider","isPrimacyOfImpact":null},{"id":"44yEtQQ2p3NBdSnzQjKvX4","url":"https://arbiscan.io/address/0x527FB0bCfF63C47761039bB386cFE181A92a4701","type":"smart_contract","addedAt":"2024-11-06T07:35:33.810Z","revision":1,"description":"ChainlinkPriceFeedProvider","isPrimacyOfImpact":null},{"id":"1VSamHT4EtcBR3Mp3jLbO
f","url":"https://arbiscan.io/address/0xE37D052e1DeB99901de205E7186E31A36E4Ef70c","type":"smart_contract","addedAt":"2024-11-06T07:35:34.482Z","revision":1,"description":"Config","isPrimacyOfImpact":null},{"id":"xdF7JGYcDIM4YJLAS9e44","url":"https://arbiscan.io/address/0x55E8E153048294c060455e5762d7280FAee86Dc7","type":"smart_contract","addedAt":"2024-11-06T07:35:34.954Z","revision":1,"description":"ConfigSyncer","isPrimacyOfImpact":null},{"id":"3T1FYg8OmXOC3uncONg73S","url":"https://arbiscan.io/address/0xFD70de6b91282D8017aA4E741e9Ae325CAb992d8","type":"smart_contract","addedAt":"2024-11-06T07:35:35.363Z","revision":1,"description":"DataStore","isPrimacyOfImpact":null},{"id":"4MiFVjgxLoq7PdU9Y3gDOp","url":"https://arbiscan.io/address/0xAB30090059B1ABc98eE6e95e13c10934B94caDC8","type":"smart_contract","addedAt":"2024-11-06T07:35:35.782Z","revision":1,"description":"DecreaseOrderUtils","isPrimacyOfImpact":null},{"id":"4XSm4lg4A9en05n1ZsQ4OS","url":"https://arbiscan.io/address/0xCe5440d9812A38e566Ca761b3B0AB35b2ecB2F48","type":"smart_contract","addedAt":"2024-11-06T07:35:36.257Z","revision":1,"description":"DecreasePositionCollateralUtils","isPrimacyOfImpact":null},{"id":"4Hea01yeIzqiqiGnq8qLas","url":"https://arbiscan.io/address/0x447ddf3aCdb6809FFE90a033D0de1d85F30C8c16","type":"smart_contract","addedAt":"2024-11-06T07:35:36.722Z","revision":1,"description":"DecreasePositionSwapUtils","isPrimacyOfImpact":null},{"id":"33tqzszfOV9zDeUmtKJl2m","url":"https://arbiscan.io/address/0x98A768791Dc8C0E2F0b0cDd7Af9E5FadF71E042e","type":"smart_contract","addedAt":"2024-11-06T07:35:37.224Z","revision":1,"description":"DecreasePositionUtils","isPrimacyOfImpact":null},{"id":"4XIbJ56Pd6PSUOoZ62JwxI","url":"https://arbiscan.io/address/0xb4Fc59988E1aFee8354E2222CC81ea4D8643bCD6","type":"smart_contract","addedAt":"2024-11-06T07:35:37.698Z","revision":1,"description":"DepositEventUtils","isPrimacyOfImpact":null},{"id":"7FjCH0WwcDUWfHVQ9zjezR","url":"https://arbiscan.io/address/0xfe2Df8
4627950A0fB98EaD49c69a1DE3F66867d6","type":"smart_contract","addedAt":"2024-11-06T07:35:38.227Z","revision":1,"description":"DepositHandler","isPrimacyOfImpact":null},{"id":"7n9jrc4FVV9kZnDCDpyWK4","url":"https://arbiscan.io/address/0xAd3a89131048b85acF899f089F2fD17424cb77b2","type":"smart_contract","addedAt":"2024-11-06T07:35:38.759Z","revision":1,"description":"DepositStoreUtils","isPrimacyOfImpact":null},{"id":"z1XbaXFpVFdYEKe9jO1aQ","url":"https://arbiscan.io/address/0x5554B2055aB335B1f4c811bb98d1EB62a18D3deE","type":"smart_contract","addedAt":"2024-11-06T07:35:39.187Z","revision":1,"description":"DepositUtils","isPrimacyOfImpact":null},{"id":"7GUwQ6EcCx6swVmyJlPH5v","url":"https://arbiscan.io/address/0xF89e77e8Dc11691C9e8757e84aaFbCD8A67d7A55","type":"smart_contract","addedAt":"2024-11-06T07:35:39.713Z","revision":1,"description":"DepositVault","isPrimacyOfImpact":null},{"id":"4Y6pXGstlBKu7bBvennI32","url":"https://arbiscan.io/address/0xC8ee91A54287DB53897056e12D9819156D3822Fb","type":"smart_contract","addedAt":"2024-11-06T07:35:40.239Z","revision":1,"description":"EventEmitter","isPrimacyOfImpact":null},{"id":"1581SgrLnr6lfQmmAh1dVi","url":"https://arbiscan.io/address/0x674Ee2FFe588c4b1Fde6D5481c55Ef6133004cbA","type":"smart_contract","addedAt":"2024-11-06T07:35:40.689Z","revision":1,"description":"ExchangeRouter","isPrimacyOfImpact":null},{"id":"14KqkajT8rezhY9cNlYgF7","url":"https://arbiscan.io/address/0x8B613227962B2d90a56155D1f1779c7610787143","type":"smart_contract","addedAt":"2024-11-06T07:35:41.158Z","revision":1,"description":"ExecuteDepositUtils","isPrimacyOfImpact":null},{"id":"33VoZGvcXQCktQuxaR2e2Y","url":"https://arbiscan.io/address/0x56e0172be5d13180c92c9448b6D24EF9096A5d33","type":"smart_contract","addedAt":"2024-11-06T07:35:41.667Z","revision":1,"description":"ExecuteOrderUtils","isPrimacyOfImpact":null},{"id":"46wVreGLk1tFSyqG97aTmH","url":"https://arbiscan.io/address/0x1364DeC7e321059A1bD803e2B634b7a8efd5aE75","type":"smart_contract","addedAt
":"2024-11-06T07:35:42.086Z","revision":1,"description":"ExecuteWithdrawalUtils","isPrimacyOfImpact":null},{"id":"6uvpHuBLZx9o98UFXGGIhm","url":"https://arbiscan.io/address/0x389CEf541397e872dC04421f166B5Bc2E0b374a5","type":"smart_contract","addedAt":"2024-11-06T07:35:42.564Z","revision":1,"description":"ExternalHandler","isPrimacyOfImpact":null},{"id":"1s1pvIqJrTBnsadV8uOI4e","url":"https://arbiscan.io/address/0x7EB417637a3E6d1C19E6d69158c47610b7a5d9B3","type":"smart_contract","addedAt":"2024-11-06T07:35:43.094Z","revision":1,"description":"FeeHandler","isPrimacyOfImpact":null},{"id":"1wub6iKzahIjd1G3BZNkBQ","url":"https://arbiscan.io/address/0xf7F06d4e6aB73058B25707C0C2c288C4F70B9dA6","type":"smart_contract","addedAt":"2024-11-06T07:35:43.592Z","revision":1,"description":"FeeUtils","isPrimacyOfImpact":null},{"id":"2gxwAg66F7a6QHU6YDHCzy","url":"https://arbiscan.io/address/0x4ae2629279256847CDAbAF9e7b8ef8BFaed457da","type":"smart_contract","addedAt":"2024-11-06T07:35:44.028Z","revision":1,"description":"GasUtils","isPrimacyOfImpact":null},{"id":"6VSgucHeSqqnz0yLkmcYhM","url":"https://arbiscan.io/address/0x5AE447830925bE3E8D16D9D5afb96C2FDD6b567F","type":"smart_contract","addedAt":"2024-11-06T07:35:44.510Z","revision":1,"description":"GlvDepositEventUtils","isPrimacyOfImpact":null},{"id":"7ju55mydYbXPuZmO12O4gS","url":"https://arbiscan.io/address/0x17fA5E5e5BeeB8896e1bE5F663aAE1618F8B35e0","type":"smart_contract","addedAt":"2024-11-06T07:35:45.090Z","revision":1,"description":"GlvDepositStoreUtils","isPrimacyOfImpact":null},{"id":"30PrHKo4bcCinBrdFUQQ7r","url":"https://arbiscan.io/address/0x157E6bd60d71Ad6202448bF85699Fe2695F80B6F","type":"smart_contract","addedAt":"2024-11-06T07:35:45.620Z","revision":1,"description":"GlvDepositUtils","isPrimacyOfImpact":null},{"id":"48JsV4AO9qlhjlbZcUIPbE","url":"https://arbiscan.io/address/0xdaFa7Deb67805d7498Aa926002bB2d713D1d9256","type":"smart_contract","addedAt":"2024-11-06T07:35:46.184Z","revision":1,"description":"GlvFactor
y","isPrimacyOfImpact":null},{"id":"GfzMYvCxIE5PBDiFsAahH","url":"https://arbiscan.io/address/0x3f6dF0c3A7221BA1375E87e7097885a601B41Afc","type":"smart_contract","addedAt":"2024-11-06T07:35:46.688Z","revision":1,"description":"GlvHandler","isPrimacyOfImpact":null},{"id":"42VS7CDHbP2xutInLng4E6","url":"https://arbiscan.io/address/0x6a9505D0B44cFA863d9281EA5B0b34cB36243b45","type":"smart_contract","addedAt":"2024-11-06T07:35:47.209Z","revision":1,"description":"GlvReader","isPrimacyOfImpact":null},{"id":"1tiOhgb4xEw5r9mbca9Tpx","url":"https://arbiscan.io/address/0xd59a808bCA24812C483C1B3bF0A0E8D7D5932E4c","type":"smart_contract","addedAt":"2024-11-06T07:35:47.748Z","revision":1,"description":"GlvRouter","isPrimacyOfImpact":null},{"id":"4uBMEfcjkNPBP1dFaf6Y7S","url":"https://arbiscan.io/address/0x36368FB5CEd1b6A53034a6D514452084fff3cAcd","type":"smart_contract","addedAt":"2024-11-06T07:35:48.275Z","revision":1,"description":"GlvShiftEventUtils","isPrimacyOfImpact":null},{"id":"6nENRHoN1YiW7l6zryP3Tl","url":"https://arbiscan.io/address/0x5453b265BB51162B16eE8d79039144dEb5eB7256","type":"smart_contract","addedAt":"2024-11-06T07:35:48.724Z","revision":1,"description":"GlvShiftStoreUtils","isPrimacyOfImpact":null},{"id":"7EhCGMF1OuCvqsrXJB14J8","url":"https://arbiscan.io/address/0xC5Be2e12166b36a15F2324b5a8AD13030a677507","type":"smart_contract","addedAt":"2024-11-06T07:35:49.259Z","revision":1,"description":"GlvShiftUtils","isPrimacyOfImpact":null},{"id":"2oS0LzHCk00isGrimoyNsg","url":"https://arbiscan.io/address/0xE6BCA9f99AAAD29d698DbE0D13e9B802ff04467C","type":"smart_contract","addedAt":"2024-11-06T07:35:49.726Z","revision":1,"description":"GlvStoreUtils","isPrimacyOfImpact":null},{"id":"g2cl1OwalriswVVUQRFBN","url":"https://arbiscan.io/address/0x19254A4dFbD855E11cC9DEF57cC7844ff8Fa4088","type":"smart_contract","addedAt":"2024-11-06T07:35:50.194Z","revision":1,"description":"GlvUtils","isPrimacyOfImpact":null},{"id":"4ogDOPvfnNfXbtwFtt8xdK","url":"https://arbiscan.io/a
ddress/0x393053B58f9678C9c28c2cE941fF6cac49C3F8f9","type":"smart_contract","addedAt":"2024-11-06T07:35:50.697Z","revision":1,"description":"GlvVault","isPrimacyOfImpact":null},{"id":"4YTuTKwIupou8UyAK1eRZt","url":"https://arbiscan.io/address/0xEb77B660cCa2e5110d9cA473E38dd213cd35aAFB","type":"smart_contract","addedAt":"2024-11-06T07:35:51.201Z","revision":1,"description":"GlvWithdrawalEventUtils","isPrimacyOfImpact":null},{"id":"2X3CsDfLXvrO8NsubpESPL","url":"https://arbiscan.io/address/0x926d812d8fba03764CabD60A8dC09ecb2DffF44e","type":"smart_contract","addedAt":"2024-11-06T07:35:51.664Z","revision":1,"description":"GlvWithdrawalStoreUtils","isPrimacyOfImpact":null},{"id":"691js4Qn3r2Gnv3sBwa0BC","url":"https://arbiscan.io/address/0x65d5ED986Fd27f427DE0EfA4Cda558319a7f7C3D","type":"smart_contract","addedAt":"2024-11-06T07:35:52.108Z","revision":1,"description":"GlvWithdrawalUtils","isPrimacyOfImpact":null},{"id":"4MaFjif1bVhM3OyzjJLFlk","url":"https://arbiscan.io/address/0x5d6B84086DA6d4B0b6C0dF7E02f8a6A039226530","type":"smart_contract","addedAt":"2024-11-06T07:35:52.601Z","revision":1,"description":"GmOracleProvider","isPrimacyOfImpact":null},{"id":"3QFmdn5xPGuCcrW2xEhc2p","url":"https://arbiscan.io/address/0x4bd1cdAab4254fC43ef6424653cA2375b4C94C0E","type":"smart_contract","addedAt":"2024-11-06T07:35:53.088Z","revision":1,"description":"GovTimelockController","isPrimacyOfImpact":null},{"id":"4QdbW5aydkACkOWgJD4fbA","url":"https://arbiscan.io/address/0x2A29D3a792000750807cc401806d6fd539928481","type":"smart_contract","addedAt":"2024-11-06T07:35:53.693Z","revision":1,"description":"GovToken","isPrimacyOfImpact":null},{"id":"1L0qnbOo2eiJPVP8kXWgAc","url":"https://arbiscan.io/address/0x70406fB299F00F8aEB66E37Da079b496Dbd2b1fF","type":"smart_contract","addedAt":"2024-11-06T07:35:54.116Z","revision":1,"description":"IncreaseOrderUtils","isPrimacyOfImpact":null},{"id":"2pMSq1kOuivPsoRpPgvOLm","url":"https://arbiscan.io/address/0xCC6e13d6A6e8D314d62456C2422E12Da683A3cAc
","type":"smart_contract","addedAt":"2024-11-06T07:35:54.551Z","revision":1,"description":"IncreasePositionUtils","isPrimacyOfImpact":null},{"id":"4CfuZy5uqCdSlE7rtJYPTo","url":"https://arbiscan.io/address/0xdAb9bA9e3a301CCb353f18B4C8542BA2149E4010","type":"smart_contract","addedAt":"2024-11-06T07:35:54.955Z","revision":1,"description":"LiquidationHandler","isPrimacyOfImpact":null},{"id":"56JOFMKxcb1xdyNyxjLPxg","url":"https://arbiscan.io/address/0xBD219aADaFe3AD8c8F570b204B99cb4aDbe9983E","type":"smart_contract","addedAt":"2024-11-06T07:35:55.419Z","revision":1,"description":"LiquidationUtils","isPrimacyOfImpact":null},{"id":"1lLnm0nkfuaUAeC30rf65F","url":"https://arbiscan.io/address/0x5D4520aB45b635b1B9E83B4890e7b87Bc0A45b04","type":"smart_contract","addedAt":"2024-11-06T07:35:55.921Z","revision":1,"description":"MarketEventUtils","isPrimacyOfImpact":null},{"id":"6GWfXwZno5DLfFQ8jOGETn","url":"https://arbiscan.io/address/0xf5F30B10141E1F63FC11eD772931A8294a591996","type":"smart_contract","addedAt":"2024-11-06T07:35:56.438Z","revision":1,"description":"MarketFactory","isPrimacyOfImpact":null},{"id":"2NeeGvJWWf7sJyVCRj4yeu","url":"https://arbiscan.io/address/0x7F9d94e918985beE91A712c4Ae26dC46F24c6583","type":"smart_contract","addedAt":"2024-11-06T07:35:56.940Z","revision":1,"description":"MarketStoreUtils","isPrimacyOfImpact":null},{"id":"4kqIv96P3yK2p4WfCFoZ4l","url":"https://arbiscan.io/address/0x9214a5C4065CAa10e259fA4a0D89439eB4005690","type":"smart_contract","addedAt":"2024-11-06T07:35:57.460Z","revision":1,"description":"MarketUtils","isPrimacyOfImpact":null},{"id":"55UVC5X11QBuUF2y8SoF6z","url":"https://arbiscan.io/address/0xFf1B35C888F548C77755939118e71ae2408F6516","type":"smart_contract","addedAt":"2024-11-06T07:35:57.975Z","revision":1,"description":"MockPriceFeed","isPrimacyOfImpact":null},{"id":"5uzvkDM1X9SRbi6zgvmOh2","url":"https://arbiscan.io/address/0xe79118d6D92a4b23369ba356C90b9A7ABf1CB961","type":"smart_contract","addedAt":"2024-11-06T07:35:58.491
Z","revision":1,"description":"Multicall3","isPrimacyOfImpact":null},{"id":"1l4sgWYnopOMLar8a0yvv7","url":"https://arbiscan.io/address/0xb8fc96d7a413C462F611A7aC0C912c2FE26EAbC4","type":"smart_contract","addedAt":"2024-11-06T07:35:59.008Z","revision":1,"description":"Oracle","isPrimacyOfImpact":null},{"id":"vspHd8AiixhwzJddeDYfh","url":"https://arbiscan.io/address/0x2e246061BE08DC56d33E03Dc0cb962C2155722b5","type":"smart_contract","addedAt":"2024-11-06T07:35:59.508Z","revision":1,"description":"OracleModuleTest","isPrimacyOfImpact":null},{"id":"50U5iRQ0Wg5wYJZGtC8c9l","url":"https://arbiscan.io/address/0xA8AF9B86fC47deAde1bc66B12673706615E2B011","type":"smart_contract","addedAt":"2024-11-06T07:36:00.188Z","revision":1,"description":"OracleStore","isPrimacyOfImpact":null},{"id":"318uadTGsyT7IDWOsoBjAt","url":"https://arbiscan.io/address/0xDdCC32312792c0cb9735b290458CeEe1d57E07D0","type":"smart_contract","addedAt":"2024-11-06T07:36:00.687Z","revision":1,"description":"OrderEventUtils","isPrimacyOfImpact":null},{"id":"15YYN5Hr2UYcqBDOOnX61z","url":"https://arbiscan.io/address/0xe68CAAACdf6439628DFD2fe624847602991A31eB","type":"smart_contract","addedAt":"2024-11-06T07:36:01.149Z","revision":1,"description":"OrderHandler","isPrimacyOfImpact":null},{"id":"7i2rZ6bS5Iv6K8pjKai4e","url":"https://arbiscan.io/address/0x3C2233B0CaA8437827f03366556186f5e5899FA8","type":"smart_contract","addedAt":"2024-11-06T07:36:01.631Z","revision":1,"description":"OrderStoreUtils","isPrimacyOfImpact":null},{"id":"5fJVWt7cjfywKmXmVE0wUn","url":"https://arbiscan.io/address/0x93c316CA7708101Ad6169A5e2c86570Af5652d9d","type":"smart_contract","addedAt":"2024-11-06T07:36:02.134Z","revision":1,"description":"OrderUtils","isPrimacyOfImpact":null},{"id":"t5KXqgxF6JExkNk9DPQD4","url":"https://arbiscan.io/address/0x31eF83a530Fde1B38EE9A18093A333D8Bbbc40D5","type":"smart_contract","addedAt":"2024-11-06T07:36:02.683Z","revision":1,"description":"OrderVault","isPrimacyOfImpact":null},{"id":"Uku5w13KipsIeRxh
spMij","url":"https://arbiscan.io/address/0x04a7c49b83FDDb35Df6b142717A1737ACf052f76","type":"smart_contract","addedAt":"2024-11-06T07:36:03.185Z","revision":1,"description":"PositionEventUtils","isPrimacyOfImpact":null},{"id":"3zSnoI6LhG3FQDNHEB9et3","url":"https://arbiscan.io/address/0xD5955B44BdF643209A18ddE0ACd410E6C6B16F5a","type":"smart_contract","addedAt":"2024-11-06T07:36:03.718Z","revision":1,"description":"PositionPricingUtils","isPrimacyOfImpact":null},{"id":"5apPgycBnjvXqWhTTSDbGa","url":"https://arbiscan.io/address/0xDA8030E31f29F9083825837C4860538DDA7414D4","type":"smart_contract","addedAt":"2024-11-06T07:36:04.129Z","revision":1,"description":"PositionStoreUtils","isPrimacyOfImpact":null},{"id":"1NIBetAgGSW7LOGWrFHYWI","url":"https://arbiscan.io/address/0x8903de973bC60A1B2CFf2F657D46e65f92A5f172","type":"smart_contract","addedAt":"2024-11-06T07:36:04.667Z","revision":1,"description":"PositionUtils","isPrimacyOfImpact":null},{"id":"FAqPkj5ZtOI7dnR2tOZ3I","url":"https://arbiscan.io/address/0xD064a53B5fC178AA6137553F67940EFc1D8a30A6","type":"smart_contract","addedAt":"2024-11-06T07:36:05.356Z","revision":1,"description":"Printer","isPrimacyOfImpact":null},{"id":"6rduGS5ghLMydKYJy0BOp6","url":"https://arbiscan.io/address/0x03e8f708e9C85EDCEaa6AD7Cd06824CeB82A7E68","type":"smart_contract","addedAt":"2024-11-06T07:36:05.929Z","revision":1,"description":"ProtocolGovernor","isPrimacyOfImpact":null},{"id":"n72LvDUWZsK1PGdsuWmN4","url":"https://arbiscan.io/address/0x0537C767cDAC0726c76Bb89e92904fe28fd02fE1","type":"smart_contract","addedAt":"2024-11-06T07:36:06.490Z","revision":1,"description":"Reader","isPrimacyOfImpact":null},{"id":"3xgyE905Elph8ZfoE1OMHL","url":"https://arbiscan.io/address/0xE971b9D5eA8Ab28bF3639069CF7a91E5dA7b7015","type":"smart_contract","addedAt":"2024-11-06T07:36:07.053Z","revision":1,"description":"ReaderDepositUtils","isPrimacyOfImpact":null},{"id":"4oQSu25XSP75FTeitqiQ2I","url":"https://arbiscan.io/address/0x98fbd63aF0b20810A6eA163a76
21F7336dA84F36","type":"smart_contract","addedAt":"2024-11-06T07:36:07.563Z","revision":1,"description":"ReaderPositionUtils","isPrimacyOfImpact":null},{"id":"32F0dR8xQdjjlZ0SwOSSx5","url":"https://arbiscan.io/address/0x7D9E403F82b59e7fF5F7A37a9bf4A8df914352A1","type":"smart_contract","addedAt":"2024-11-06T07:36:08.092Z","revision":1,"description":"ReaderPricingUtils","isPrimacyOfImpact":null},{"id":"1qk8IIzzOEroLj7x0MTzgD","url":"https://arbiscan.io/address/0x694F0eadBbBb25D9D640a393800bcAB613f027dc","type":"smart_contract","addedAt":"2024-11-06T07:36:08.554Z","revision":1,"description":"ReaderUtils","isPrimacyOfImpact":null},{"id":"e9v8dr9yoTSKZAO21yxKK","url":"https://arbiscan.io/address/0xF44893f529FB4b6769CEadD079a1053Bcaf9e3fC","type":"smart_contract","addedAt":"2024-11-06T07:36:08.990Z","revision":1,"description":"ReaderWithdrawalUtils","isPrimacyOfImpact":null},{"id":"74mOxUjDBipIz08DJ6v8cu","url":"https://arbiscan.io/address/0x584933A3e87c7E68E842C4B6106cf73021343d34","type":"smart_contract","addedAt":"2024-11-06T07:36:09.703Z","revision":1,"description":"ReferralEventUtils","isPrimacyOfImpact":null},{"id":"4KUomu7zEW8bmqXGrVhTwq","url":"https://arbiscan.io/address/0x4904C431efFc77fAa547789F0895Ca9f93940E74","type":"smart_contract","addedAt":"2024-11-06T07:36:10.220Z","revision":1,"description":"ReferralUtils","isPrimacyOfImpact":null},{"id":"3azaPHt9FSFQxJzDiwtGf1","url":"https://arbiscan.io/address/0x3c3d99FD298f679DBC2CEcd132b4eC4d0F5e6e72","type":"smart_contract","addedAt":"2024-11-06T07:36:10.652Z","revision":1,"description":"RoleStore","isPrimacyOfImpact":null},{"id":"5Of1s1z4F7TXCZB8PNCbJ","url":"https://arbiscan.io/address/0x7452c558d45f8afC8c83dAe62C3f8A5BE19c71f6","type":"smart_contract","addedAt":"2024-11-06T07:36:11.175Z","revision":1,"description":"Router","isPrimacyOfImpact":null},{"id":"7gkAU0lbiPakPundckUlUD","url":"https://arbiscan.io/address/0x1b3d1d98B310fA509Fc0BA387E0310AC6676aB61","type":"smart_contract","addedAt":"2024-11-06T07:36:11.
808Z","revision":1,"description":"ShiftEventUtils","isPrimacyOfImpact":null},{"id":"5iequoSNCx3i0qM7kevX0y","url":"https://arbiscan.io/address/0x48787F7847068f9Cc1398e5f589BEf9744730C8D","type":"smart_contract","addedAt":"2024-11-06T07:36:12.321Z","revision":1,"description":"ShiftHandler","isPrimacyOfImpact":null},{"id":"47zE4QaETLXxDJfO4U8Z1n","url":"https://arbiscan.io/address/0xAb27c2a82D89b545a53a4f13F9Dd42B70D4655DF","type":"smart_contract","addedAt":"2024-11-06T07:36:12.837Z","revision":1,"description":"ShiftStoreUtils","isPrimacyOfImpact":null},{"id":"1eFN4eIOWBZdaz7erZ6yFb","url":"https://arbiscan.io/address/0xcb6Bbd2614cccc0b5EB25328b0369fCe9439A33C","type":"smart_contract","addedAt":"2024-11-06T07:36:13.297Z","revision":1,"description":"ShiftUtils","isPrimacyOfImpact":null},{"id":"2d95Ybdz3WGlAftP95H9ri","url":"https://arbiscan.io/address/0xfe99609C4AA83ff6816b64563Bdffd7fa68753Ab","type":"smart_contract","addedAt":"2024-11-06T07:36:13.823Z","revision":1,"description":"ShiftVault","isPrimacyOfImpact":null},{"id":"2WMZMPTjPxRfbOGfSAaoVS","url":"https://arbiscan.io/address/0xa329221a77BE08485f59310b873b14815c82E10D","type":"smart_contract","addedAt":"2024-11-06T07:36:14.369Z","revision":1,"description":"SubaccountRouter","isPrimacyOfImpact":null},{"id":"ILhm4Y9XRCLDB1eeNeftO","url":"https://arbiscan.io/address/0x9CbB37630d65324af064F28CCD9dF6E667Cb16F1","type":"smart_contract","addedAt":"2024-11-06T07:36:14.954Z","revision":1,"description":"SwapHandler","isPrimacyOfImpact":null},{"id":"4ZvK2BbNik5MFL5evzg5g9","url":"https://arbiscan.io/address/0x5Ce5e2B1C44e0C0E79D6072e6bA57AC965d942e7","type":"smart_contract","addedAt":"2024-11-06T07:36:15.399Z","revision":1,"description":"SwapOrderUtils","isPrimacyOfImpact":null},{"id":"X60eNY8HSSHMN4bICar7g","url":"https://arbiscan.io/address/0xa07B749AF48Cf3d172D9A56a0C00c5239A92E519","type":"smart_contract","addedAt":"2024-11-06T07:36:15.939Z","revision":1,"description":"SwapPricingUtils","isPrimacyOfImpact":null},{"id"
:"5T0BQn96ibpe7tRKWObwbD","url":"https://arbiscan.io/address/0x9530Ad090569Fddc5472845d6226d6ac0d585db8","type":"smart_contract","addedAt":"2024-11-06T07:36:16.477Z","revision":1,"description":"SwapUtils","isPrimacyOfImpact":null},{"id":"7iByyuSzmKkiG0OKCB2RBf","url":"https://arbiscan.io/address/0x7A967D114B8676874FA2cFC1C14F3095C88418Eb","type":"smart_contract","addedAt":"2024-11-06T07:36:16.991Z","revision":1,"description":"Timelock","isPrimacyOfImpact":null},{"id":"5GJm199GCpvIntAsGybvlv","url":"https://arbiscan.io/address/0x74bc4F1EC38bf5C98b9E2Ffd9d1Ed3F54960CEBf","type":"smart_contract","addedAt":"2024-11-06T07:36:17.454Z","revision":1,"description":"TimestampInitializer","isPrimacyOfImpact":null},{"id":"4hyClx6XFZV1Y34VygNvrt","url":"https://arbiscan.io/address/0xF5BD6f70CE7Afa2c86bd47A60A7C58a42Ea2388D","type":"smart_contract","addedAt":"2024-11-06T07:36:17.902Z","revision":1,"description":"WithdrawalEventUtils","isPrimacyOfImpact":null},{"id":"65Y6Pv9cM2p9ZpmSLeNqCS","url":"https://arbiscan.io/address/0x64fbD82d9F987baF5A59401c64e823232182E8Ed","type":"smart_contract","addedAt":"2024-11-06T07:36:18.375Z","revision":1,"description":"WithdrawalHandler","isPrimacyOfImpact":null},{"id":"7b2FNgYPgVGvTCBIP9zrjV","url":"https://arbiscan.io/address/0x41194c86Fc1A915d568D79067A9BCCc7D47d499A","type":"smart_contract","addedAt":"2024-11-06T07:36:18.893Z","revision":1,"description":"WithdrawalStoreUtils","isPrimacyOfImpact":null},{"id":"5DXCT5uqhT2c9aQwbSbjTQ","url":"https://arbiscan.io/address/0x112292FBCdCAd1AbE411a966313Bc7031a516300","type":"smart_contract","addedAt":"2024-11-06T07:36:19.402Z","revision":1,"description":"WithdrawalUtils","isPrimacyOfImpact":null},{"id":"5aFWI00btWr0y0P46ogTqY","url":"https://arbiscan.io/address/0x0628D46b5D145f183AdB6Ef1f2c97eD1C4701C55","type":"smart_contract","addedAt":"2024-11-06T07:36:19.868Z","revision":1,"description":"WithdrawalVault","isPrimacyOfImpact":null},{"id":"6M7WASnheHHapHKM6V5mDH","url":"https://snowtrace.io/addres
s/0x129174043B134aD27eaE552D6BEA08f23f771205","type":"smart_contract","addedAt":"2024-11-06T07:36:20.381Z","revision":1,"description":"AdlHandler","isPrimacyOfImpact":null},{"id":"4mkpuhqeifJlNun0DhlpZe","url":"https://snowtrace.io/address/0x949FF0357eC250A6b1BcFE9B9E36822B8Bc2Eabf","type":"smart_contract","addedAt":"2024-11-06T07:36:20.907Z","revision":1,"description":"AdlUtils","isPrimacyOfImpact":null},{"id":"4QaC0laeguYXmU2QqQ15TW","url":"https://snowtrace.io/address/0x2B4FCd7552c53f56891100D6E584633C7E5a9078","type":"smart_contract","addedAt":"2024-11-06T07:36:21.435Z","revision":1,"description":"AutoCancelSyncer","isPrimacyOfImpact":null},{"id":"vXtedPNJDWddmzeJjMII3","url":"https://snowtrace.io/address/0xD382216A61745bdBD0E73A59D7c4e5aAb2b547ab","type":"smart_contract","addedAt":"2024-11-06T07:36:21.943Z","revision":1,"description":"BaseOrderUtils","isPrimacyOfImpact":null},{"id":"27YGrJbDRQtlMp9Rvqrtvd","url":"https://snowtrace.io/address/0xA6A8713E85e1b5Fa72b6687A19EA7090cBcB43a5","type":"smart_contract","addedAt":"2024-11-06T07:36:22.476Z","revision":1,"description":"CallbackUtils","isPrimacyOfImpact":null},{"id":"76JgRHIGCwyrr8EnpF2bdN","url":"https://snowtrace.io/address/0x7C68C7866A64FA2160F78EEaE12217FFbf871fa8","type":"smart_contract","addedAt":"2024-11-06T07:36:22.979Z","revision":1,"description":"ChainReader","isPrimacyOfImpact":null},{"id":"6DBnePN3YDhTec6HTrpwYR","url":"https://snowtrace.io/address/0x46088fA22988c40CE5aBC0647a7638D27A8bF7d1","type":"smart_contract","addedAt":"2024-11-06T07:36:23.504Z","revision":1,"description":"ChainlinkDataStreamProvider","isPrimacyOfImpact":null},{"id":"hunWKHnKlJO6XDnQtMNVQ","url":"https://snowtrace.io/address/0x713c6a2479f6C079055A6AD3690D95dEDCEf9e1e","type":"smart_contract","addedAt":"2024-11-06T07:36:23.969Z","revision":1,"description":"ChainlinkPriceFeedProvider","isPrimacyOfImpact":null},{"id":"6ELh7ahbMEExRBR33GgRk0","url":"https://snowtrace.io/address/0x1Ad2560bD34D17A413e4eb9420643d1782466dDA","type":
"smart_contract","addedAt":"2024-11-06T07:36:24.494Z","revision":1,"description":"Config","isPrimacyOfImpact":null},{"id":"2sjDQmtnZlLqP4qjuLToIO","url":"https://snowtrace.io/address/0xcF71721924c312374bF8366c3f60a127A1e80e3C","type":"smart_contract","addedAt":"2024-11-06T07:36:25.095Z","revision":1,"description":"ConfigSyncer","isPrimacyOfImpact":null},{"id":"4lFgGMkDyoDzHv0kmLjOuT","url":"https://snowtrace.io/address/0x2F0b22339414ADeD7D5F06f9D604c7fF5b2fe3f6","type":"smart_contract","addedAt":"2024-11-06T07:36:25.637Z","revision":1,"description":"DataStore","isPrimacyOfImpact":null},{"id":"5tPnizRlWXN7CU7foxEHJW","url":"https://snowtrace.io/address/0x5B6856a9E427BE70B19BBF7BAbb5A6aDB36a2716","type":"smart_contract","addedAt":"2024-11-06T07:36:26.187Z","revision":1,"description":"DecreaseOrderUtils","isPrimacyOfImpact":null},{"id":"4QceC5ZoEDWBqJAEvdeDsV","url":"https://snowtrace.io/address/0x0b7E3E946Fd9aFF1b103810C36B610ad9D4Cb7d0","type":"smart_contract","addedAt":"2024-11-06T07:36:26.749Z","revision":1,"description":"DecreasePositionCollateralUtils","isPrimacyOfImpact":null},{"id":"7kxUQsmcv4ztVNWkl32INA","url":"https://snowtrace.io/address/0xB85d6625D36411d136e83941a122f7DA12C14279","type":"smart_contract","addedAt":"2024-11-06T07:36:27.237Z","revision":1,"description":"DecreasePositionSwapUtils","isPrimacyOfImpact":null},{"id":"4xHaEXgHu8vGUcjAYYSa1j","url":"https://snowtrace.io/address/0x9901D033dBDdFACBb82B768Bb913186E54F5EEd4","type":"smart_contract","addedAt":"2024-11-06T07:36:27.772Z","revision":1,"description":"DecreasePositionUtils","isPrimacyOfImpact":null},{"id":"2ymdC8PYXnzhMUzqEefST9","url":"https://snowtrace.io/address/0x05DC08259f1E511541f553617BAE6D4465C93355","type":"smart_contract","addedAt":"2024-11-06T07:36:28.245Z","revision":1,"description":"DepositEventUtils","isPrimacyOfImpact":null},{"id":"464qlY4X7GBMmhuf8b4I4U","url":"https://snowtrace.io/address/0x8AE344DEeD1526B1772adDF78718722A169288Dc","type":"smart_contract","addedAt":"2024-11-0
6T07:36:28.783Z","revision":1,"description":"DepositHandler","isPrimacyOfImpact":null},{"id":"3Phw1oqCADRgIj1KhfOEpe","url":"https://snowtrace.io/address/0xd43fF770f43Ae90b6aADa70a57341D3dfB73252e","type":"smart_contract","addedAt":"2024-11-06T07:36:29.682Z","revision":1,"description":"DepositStoreUtils","isPrimacyOfImpact":null},{"id":"7986IoK0bYOgLUTobIBShJ","url":"https://snowtrace.io/address/0x76fCBAF92eA8F9Fc2c21Ef785F37C52095F76DCC","type":"smart_contract","addedAt":"2024-11-06T07:36:30.274Z","revision":1,"description":"DepositUtils","isPrimacyOfImpact":null},{"id":"41jM5xeXzGSemFtsXYjIKw","url":"https://snowtrace.io/address/0x90c670825d0C62ede1c5ee9571d6d9a17A722DFF","type":"smart_contract","addedAt":"2024-11-06T07:36:30.796Z","revision":1,"description":"DepositVault","isPrimacyOfImpact":null},{"id":"6BMt5tSFEQozZOXnjLFVpW","url":"https://snowtrace.io/address/0xDb17B211c34240B014ab6d61d4A31FA0C0e20c26","type":"smart_contract","addedAt":"2024-11-06T07:36:31.358Z","revision":1,"description":"EventEmitter","isPrimacyOfImpact":null},{"id":"7MFg8nAgTbw30AwUYqOtAV","url":"https://snowtrace.io/address/0xe60B7526e05d8D8aEA17607245fd6D7C9953A1CA","type":"smart_contract","addedAt":"2024-11-06T07:36:31.873Z","revision":1,"description":"ExchangeRouter","isPrimacyOfImpact":null},{"id":"7DaCn5OhOYEYIaY915V1Cd","url":"https://snowtrace.io/address/0xe58Ce07a0e9B42b2a2E0D423365C8Db64272d3b6","type":"smart_contract","addedAt":"2024-11-06T07:36:32.392Z","revision":1,"description":"ExecuteDepositUtils","isPrimacyOfImpact":null},{"id":"5Ll1nSb13V5RSZPsKkHSWD","url":"https://snowtrace.io/address/0x70205d90Ba4017e98aA0b95EB3d3E8a0DBb2021E","type":"smart_contract","addedAt":"2024-11-06T07:36:32.923Z","revision":1,"description":"ExecuteOrderUtils","isPrimacyOfImpact":null},{"id":"4fNeuBtsSMgQX9M842pcQ5","url":"https://snowtrace.io/address/0x377D0e11Bb5F4a97275C16EB2FcBeb157B8c3697","type":"smart_contract","addedAt":"2024-11-06T07:36:33.510Z","revision":1,"description":"ExecuteWithdra
walUtils","isPrimacyOfImpact":null},{"id":"5UTU5KMf78Bu5yO6OcubcZ","url":"https://snowtrace.io/address/0xD149573a098223a9185433290a5A5CDbFa54a8A9","type":"smart_contract","addedAt":"2024-11-06T07:36:34.041Z","revision":1,"description":"ExternalHandler","isPrimacyOfImpact":null},{"id":"1Jmn8aJrYE8KZwVC13JwPM","url":"https://snowtrace.io/address/0x1A3A103F9F536a0456C9b205152A3ac2b3c54490","type":"smart_contract","addedAt":"2024-11-06T07:36:34.557Z","revision":1,"description":"FeeHandler","isPrimacyOfImpact":null},{"id":"3ni2akEPeKA1boGwy975yI","url":"https://snowtrace.io/address/0x8C75f9905a9fD94A0D95cb0801d7De33A432667C","type":"smart_contract","addedAt":"2024-11-06T07:36:35.119Z","revision":1,"description":"FeeUtils","isPrimacyOfImpact":null},{"id":"2L35cfSmmoWX7SmSb7g6HA","url":"https://snowtrace.io/address/0xe045f6B2a4d615C185f332C0a4Fed4D6Aa46c090","type":"smart_contract","addedAt":"2024-11-06T07:36:35.641Z","revision":1,"description":"GasUtils","isPrimacyOfImpact":null},{"id":"4h6MPPWL6KI6vEhYqRouCS","url":"https://snowtrace.io/address/0xb6ED1df6914a6d8714b76E76663d5138e7099C02","type":"smart_contract","addedAt":"2024-11-06T07:36:36.149Z","revision":1,"description":"GlvDepositEventUtils","isPrimacyOfImpact":null},{"id":"35w916Lm1sWmcYdo6IDszO","url":"https://snowtrace.io/address/0xe4c9B8d007Dfa2E1DCA47703321Db26506444745","type":"smart_contract","addedAt":"2024-11-06T07:36:36.806Z","revision":1,"description":"GlvDepositStoreUtils","isPrimacyOfImpact":null},{"id":"5adVxt4mJy2XBjrm3usRp3","url":"https://snowtrace.io/address/0xf4b315c591B7F62B7ed988342aFc91d2bea352b2","type":"smart_contract","addedAt":"2024-11-06T07:36:37.288Z","revision":1,"description":"GlvDepositUtils","isPrimacyOfImpact":null},{"id":"7u0FnwD3cElUiBZA3jMdqB","url":"https://snowtrace.io/address/0x5d6B84086DA6d4B0b6C0dF7E02f8a6A039226530","type":"smart_contract","addedAt":"2024-11-06T07:36:37.817Z","revision":1,"description":"GlvFactory","isPrimacyOfImpact":null},{"id":"474uHqjBYVNITp2H7PXjFR","ur
l":"https://snowtrace.io/address/0x48486CaF8851ed0085432789D28A8820bEcbfd45","type":"smart_contract","addedAt":"2024-11-06T07:36:38.272Z","revision":1,"description":"GlvHandler","isPrimacyOfImpact":null},{"id":"1PHOKJGUf0UTxF9YwrR9kp","url":"https://snowtrace.io/address/0xae9596a1C438675AcC75f69d32E21Ac9c8fF99bD","type":"smart_contract","addedAt":"2024-11-06T07:36:38.810Z","revision":1,"description":"GlvReader","isPrimacyOfImpact":null},{"id":"42aC7YFTik1a65nNaTuQ9K","url":"https://snowtrace.io/address/0x2098465FC0329C4d2F3B266190a6A664fBC6E0Db","type":"smart_contract","addedAt":"2024-11-06T07:36:39.296Z","revision":1,"description":"GlvRouter","isPrimacyOfImpact":null},{"id":"4e4urMNWAnHo994gEHhHHU","url":"https://snowtrace.io/address/0x21A2253c136042075b15CD44846A5fF89F06662c","type":"smart_contract","addedAt":"2024-11-06T07:36:39.786Z","revision":1,"description":"GlvShiftEventUtils","isPrimacyOfImpact":null},{"id":"5GEC4UEUzUKIhu3skK6MMA","url":"https://snowtrace.io/address/0x25e6385C1b4CE6B80928Ef2406EcE24D2319D191","type":"smart_contract","addedAt":"2024-11-06T07:36:40.314Z","revision":1,"description":"GlvShiftStoreUtils","isPrimacyOfImpact":null},{"id":"7GN5BlpyagWhQvpmHcE3QF","url":"https://snowtrace.io/address/0x470b40dc22D7a4974b199E13e4A00893EB140479","type":"smart_contract","addedAt":"2024-11-06T07:36:40.806Z","revision":1,"description":"GlvShiftUtils","isPrimacyOfImpact":null},{"id":"4t3HB9DIBVCDJ3zSXl1pQJ","url":"https://snowtrace.io/address/0xE62A5966664adff03841bB87b6d0BAb18f2408F0","type":"smart_contract","addedAt":"2024-11-06T07:36:41.239Z","revision":1,"description":"GlvStoreUtils","isPrimacyOfImpact":null},{"id":"1XIXAKoo7QMvlOtWdFJ7aB","url":"https://snowtrace.io/address/0xF7FFc26351154A151127Ea0C993867FC2DfC9374","type":"smart_contract","addedAt":"2024-11-06T07:36:41.652Z","revision":1,"description":"GlvUtils","isPrimacyOfImpact":null},{"id":"5pI7rV7VYXk06YP1It9zxu","url":"https://snowtrace.io/address/0x527FB0bCfF63C47761039bB386cFE181A92a4701","
type":"smart_contract","addedAt":"2024-11-06T07:36:42.113Z","revision":1,"description":"GlvVault","isPrimacyOfImpact":null},{"id":"6I9LVmwlBCKsfQC4RtEZcc","url":"https://snowtrace.io/address/0x036E2e8Eae7C647C580BCCe5aC9224e487721280","type":"smart_contract","addedAt":"2024-11-06T07:36:42.656Z","revision":1,"description":"GlvWithdrawalEventUtils","isPrimacyOfImpact":null},{"id":"4XiiYV5oqo0e7zuKu5ISqc","url":"https://snowtrace.io/address/0xf0028eCA8Dd5152d7dbFB421746aE6E30BAD91b3","type":"smart_contract","addedAt":"2024-11-06T07:36:43.325Z","revision":1,"description":"GlvWithdrawalStoreUtils","isPrimacyOfImpact":null},{"id":"35mpy1fnSxG9SLXumq1gDe","url":"https://snowtrace.io/address/0x51e42dd437aBfF9E715f8C5853F42cB1597A1ea0","type":"smart_contract","addedAt":"2024-11-06T07:36:43.877Z","revision":1,"description":"GlvWithdrawalUtils","isPrimacyOfImpact":null},{"id":"3TCSmTPAtxI8QZIdNh9ZtF","url":"https://snowtrace.io/address/0x9Dc4f12Eb2d8405b499FB5B8AF79a5f64aB8a457","type":"smart_contract","addedAt":"2024-11-06T07:36:44.425Z","revision":1,"description":"GmOracleProvider","isPrimacyOfImpact":null},{"id":"4W2ovnDmXrKh2ajPU5Bt56","url":"https://snowtrace.io/address/0xC55e165Bf9247256DBeCA8DDE892aE9a7B271b2D","type":"smart_contract","addedAt":"2024-11-06T07:36:44.984Z","revision":1,"description":"GovTimelockController","isPrimacyOfImpact":null},{"id":"3EWuEkVtVChW5vboJ6M9zo","url":"https://snowtrace.io/address/0x0ff183E29f1924ad10475506D7722169010CecCb","type":"smart_contract","addedAt":"2024-11-06T07:36:45.516Z","revision":1,"description":"GovToken","isPrimacyOfImpact":null},{"id":"TzbUsMdIpXhJnX6WJ5Ftb","url":"https://snowtrace.io/address/0x26d2D37567c4944d3EC867f693b40c8063A4B4F9","type":"smart_contract","addedAt":"2024-11-06T07:36:46.041Z","revision":1,"description":"IncreaseOrderUtils","isPrimacyOfImpact":null},{"id":"7lek14RphIeb1S6nPUwbxq","url":"https://snowtrace.io/address/0x0885bcf264Fb71518443A3b2Cd87466036f222Bc","type":"smart_contract","addedAt":"2024-11-
06T07:36:46.566Z","revision":1,"description":"IncreasePositionUtils","isPrimacyOfImpact":null},{"id":"6BW9cjTyZ0mpYKFYyMdqOz","url":"https://snowtrace.io/address/0x34acBf9Fb2f0dDAB489F6B75FBf394C240b97276","type":"smart_contract","addedAt":"2024-11-06T07:36:47.160Z","revision":1,"description":"LiquidationHandler","isPrimacyOfImpact":null},{"id":"780WW5BLPMZc9yPvmrFnkl","url":"https://snowtrace.io/address/0x85d2B53cE13f2A2e2be7F95E3A26d265301a0B49","type":"smart_contract","addedAt":"2024-11-06T07:36:47.698Z","revision":1,"description":"LiquidationUtils","isPrimacyOfImpact":null},{"id":"3tcytPsZwsI8wD807RgrGd","url":"https://snowtrace.io/address/0x69C527fC77291722b52649E45c838e41be8Bf5d5","type":"smart_contract","addedAt":"2024-11-06T07:36:48.213Z","revision":1,"description":"MarketEventUtils","isPrimacyOfImpact":null},{"id":"6Rj9o9sjCwJCmk4Ppx7EXc","url":"https://snowtrace.io/address/0xc57C155FacCd93F62546F329D1483E0E5b9C1241","type":"smart_contract","addedAt":"2024-11-06T07:36:48.768Z","revision":1,"description":"MarketFactory","isPrimacyOfImpact":null},{"id":"1C50keFopa19qwlDfsfXUq","url":"https://snowtrace.io/address/0x27346Fdab142e2b8B6C6d2ecFe73e75B5e249A57","type":"smart_contract","addedAt":"2024-11-06T07:36:49.386Z","revision":1,"description":"MarketStoreUtils","isPrimacyOfImpact":null},{"id":"kEUx3ibxAkcaxzIClrLzx","url":"https://snowtrace.io/address/0x55E9A5E1Aed46500F746F7683e87F3D9f3C1E14E","type":"smart_contract","addedAt":"2024-11-06T07:36:49.887Z","revision":1,"description":"MarketUtils","isPrimacyOfImpact":null},{"id":"6A5M746suC3XV9zU1yz263","url":"https://snowtrace.io/address/0x5AF9de15Bc0E332622f6dFE77fC489d709CE12fE","type":"smart_contract","addedAt":"2024-11-06T07:36:50.513Z","revision":1,"description":"MockPriceFeed","isPrimacyOfImpact":null},{"id":"5moIFiW5YszBxwP7EG5cpi","url":"https://snowtrace.io/address/0x50474CAe810B316c294111807F94F9f48527e7F8","type":"smart_contract","addedAt":"2024-11-06T07:36:51.069Z","revision":1,"description":"Multica
ll3","isPrimacyOfImpact":null},{"id":"3RiJgkhXDXKRFqFCKdps1l","url":"https://snowtrace.io/address/0xAd7a7568F500F65AEA3D9417A210CBc5dcD7b273","type":"smart_contract","addedAt":"2024-11-06T07:36:51.604Z","revision":1,"description":"Oracle","isPrimacyOfImpact":null},{"id":"3x77sS6TOxLbXqIaWM9Fo9","url":"https://snowtrace.io/address/0xED467Ce941BA9ec2aa74DCDAea7A53995840a79d","type":"smart_contract","addedAt":"2024-11-06T07:36:52.083Z","revision":1,"description":"OracleModuleTest","isPrimacyOfImpact":null},{"id":"1GX1FB7YH33TLHMulaxA0n","url":"https://snowtrace.io/address/0xA6aC2e08C6d6bbD9B237e0DaaEcd7577996f4e84","type":"smart_contract","addedAt":"2024-11-06T07:36:52.547Z","revision":1,"description":"OracleStore","isPrimacyOfImpact":null},{"id":"5NbuieViYQANq0v6ORqsEA","url":"https://snowtrace.io/address/0x08A902113F7F41a8658eBB1175f9c847bf4fB9D8","type":"smart_contract","addedAt":"2024-11-06T07:36:53.070Z","revision":1,"description":"OrderEventUtils","isPrimacyOfImpact":null},{"id":"f297fjVoAVSVHA4RPElF4","url":"https://snowtrace.io/address/0x088711C3d2FA992188125e009E65c726bA090AD6","type":"smart_contract","addedAt":"2024-11-06T07:36:53.597Z","revision":1,"description":"OrderHandler","isPrimacyOfImpact":null},{"id":"3RZRbkZ3bBU8y9YEeyUHxw","url":"https://snowtrace.io/address/0xb3Ecc8Db8d58363B7C0E2094CdDe72EC0222A614","type":"smart_contract","addedAt":"2024-11-06T07:36:54.297Z","revision":1,"description":"OrderStoreUtils","isPrimacyOfImpact":null},{"id":"4AnE8txXszQyvjg3tp5Gi8","url":"https://snowtrace.io/address/0xA1Bc5A861F55ccd79CEBb07De6120C6356C2a356","type":"smart_contract","addedAt":"2024-11-06T07:36:54.849Z","revision":1,"description":"OrderUtils","isPrimacyOfImpact":null},{"id":"3JGUpROKwBeXFVbFBGQ9DI","url":"https://snowtrace.io/address/0xD3D60D22d415aD43b7e64b510D86A30f19B1B12C","type":"smart_contract","addedAt":"2024-11-06T07:36:55.336Z","revision":1,"description":"OrderVault","isPrimacyOfImpact":null},{"id":"7wmsL30YkA9tt7i4g3UZOL","url":"https://snowt
race.io/address/0x2ECB664e934aCd5DF1EE889Dbb2E7D6C1d7CE3Cb","type":"smart_contract","addedAt":"2024-11-06T07:36:55.819Z","revision":1,"description":"PositionEventUtils","isPrimacyOfImpact":null},{"id":"5RWL0iYK2OEYBNpiJpfSxZ","url":"https://snowtrace.io/address/0x5Ca84c34a381434786738735265b9f3FD814b824","type":"smart_contract","addedAt":"2024-11-06T07:36:56.350Z","revision":1,"description":"PositionPricingUtils","isPrimacyOfImpact":null},{"id":"1QQIIOkkxnth3WTvmMeJxH","url":"https://snowtrace.io/address/0xFe1531c3b27E9E882881D9917B9cae9f2082c6dF","type":"smart_contract","addedAt":"2024-11-06T07:36:56.908Z","revision":1,"description":"PositionStoreUtils","isPrimacyOfImpact":null},{"id":"4Ob7FefT9tB1CEWRo4GKPy","url":"https://snowtrace.io/address/0x9F48160eDc3Ad78F4cA0E3FDF54A75D8FB228452","type":"smart_contract","addedAt":"2024-11-06T07:36:57.426Z","revision":1,"description":"PositionUtils","isPrimacyOfImpact":null},{"id":"1SycII9dhJt67RrpcWEV5n","url":"https://snowtrace.io/address/0x41613136174912714faF4cF0680fB1Acbe0cC7D1","type":"smart_contract","addedAt":"2024-11-06T07:36:57.965Z","revision":1,"description":"Printer","isPrimacyOfImpact":null},{"id":"5kssvdIsif03qBC0C2lh6N","url":"https://snowtrace.io/address/0x226ED647C6eA2C0cE4C08578e2F37b8c2F922849","type":"smart_contract","addedAt":"2024-11-06T07:36:58.442Z","revision":1,"description":"ProtocolGovernor","isPrimacyOfImpact":null},{"id":"A8i4636yUdgwzT38YLVX9","url":"https://snowtrace.io/address/0x618fCEe30D9A26e8533C3B244CAd2D6486AFf655","type":"smart_contract","addedAt":"2024-11-06T07:36:59.007Z","revision":1,"description":"Reader","isPrimacyOfImpact":null},{"id":"71XpyK5BSv3gTzeAH4QvAE","url":"https://snowtrace.io/address/0x393053B58f9678C9c28c2cE941fF6cac49C3F8f9","type":"smart_contract","addedAt":"2024-11-06T07:36:59.481Z","revision":1,"description":"ReaderDepositUtils","isPrimacyOfImpact":null},{"id":"LoyMw0ii5eOlmNym8rxTP","url":"https://snowtrace.io/address/0x8410C65EA0fE4533492f2D4a2FB045F0072059ea","t
ype":"smart_contract","addedAt":"2024-11-06T07:37:00.077Z","revision":1,"description":"ReaderPositionUtils","isPrimacyOfImpact":null},{"id":"5fdjVn4PzvxHOnbNS6KxHM","url":"https://snowtrace.io/address/0xeA05c84336E53e7C954776200A9f0Ca7e7879a4F","type":"smart_contract","addedAt":"2024-11-06T07:37:00.616Z","revision":1,"description":"ReaderPricingUtils","isPrimacyOfImpact":null},{"id":"23yZK5lVqDrbkwbGYHJRhv","url":"https://snowtrace.io/address/0x2CdA6CF21aFA4A8ff61a888865E26231fA0bd565","type":"smart_contract","addedAt":"2024-11-06T07:37:01.143Z","revision":1,"description":"ReaderUtils","isPrimacyOfImpact":null},{"id":"6kPA2n0eESbJkY3GLD7Sy5","url":"https://snowtrace.io/address/0x56AEd6EA2538487603EC56417d44379A921a5b48","type":"smart_contract","addedAt":"2024-11-06T07:37:01.677Z","revision":1,"description":"ReaderWithdrawalUtils","isPrimacyOfImpact":null},{"id":"6VxDMaM7nIuW2K6s8H5djB","url":"https://snowtrace.io/address/0x4895170e184441da9BD2bF95c120c07ba628eeF0","type":"smart_contract","addedAt":"2024-11-06T07:37:02.195Z","revision":1,"description":"ReferralEventUtils","isPrimacyOfImpact":null},{"id":"Dco0k2NdbEx4u0awvQUwZ","url":"https://snowtrace.io/address/0x8BFB5291eEd1535B50ee6F1B8a8CEFc374FC49c5","type":"smart_contract","addedAt":"2024-11-06T07:37:02.764Z","revision":1,"description":"ReferralUtils","isPrimacyOfImpact":null},{"id":"2g46W2HTOVLp94eUaCq1UB","url":"https://snowtrace.io/address/0xA44F830B6a2B6fa76657a3B92C1fe74fcB7C6AfD","type":"smart_contract","addedAt":"2024-11-06T07:37:03.309Z","revision":1,"description":"RoleStore","isPrimacyOfImpact":null},{"id":"3M3wRqiwshLqOqkknwwtGY","url":"https://snowtrace.io/address/0x820F5FfC5b525cD4d88Cd91aCf2c28F16530Cc68","type":"smart_contract","addedAt":"2024-11-06T07:37:03.852Z","revision":1,"description":"Router","isPrimacyOfImpact":null},{"id":"6gX2aL6zKG20YlP0aUrTOG","url":"https://snowtrace.io/address/0x3b944bda5521C2eCE014CF1E4717ce130266c0Db","type":"smart_contract","addedAt":"2024-11-06T07:37:04.606Z","re
vision":1,"description":"ShiftEventUtils","isPrimacyOfImpact":null},{"id":"GwhxPTI8WEaVCuRtOpBWg","url":"https://snowtrace.io/address/0x418F9CC6cA4870be1088Ce03CC48985B145c79a8","type":"smart_contract","addedAt":"2024-11-06T07:37:05.109Z","revision":1,"description":"ShiftHandler","isPrimacyOfImpact":null},{"id":"1VGMZB4ZSafOFbfwHFOV6O","url":"https://snowtrace.io/address/0x857aA530f3EaC0a5a4fE7628012ccAC7FaF54eEf","type":"smart_contract","addedAt":"2024-11-06T07:37:05.560Z","revision":1,"description":"ShiftStoreUtils","isPrimacyOfImpact":null},{"id":"45GjLPL1vWWgMH9ddnI15d","url":"https://snowtrace.io/address/0x0747e9641549690Ed9f0FB89B519AA3e57354203","type":"smart_contract","addedAt":"2024-11-06T07:37:06.081Z","revision":1,"description":"ShiftUtils","isPrimacyOfImpact":null},{"id":"x8jled1N2YUhSJk6IgnHe","url":"https://snowtrace.io/address/0x7fC46CCb386e9bbBFB49A2639002734C3Ec52b39","type":"smart_contract","addedAt":"2024-11-06T07:37:06.566Z","revision":1,"description":"ShiftVault","isPrimacyOfImpact":null},{"id":"3khWzDnoofgtuFZZ1lBal5","url":"https://snowtrace.io/address/0x5aEb6AD978f59e220aA9099e09574e1c5E03AafD","type":"smart_contract","addedAt":"2024-11-06T07:37:07.007Z","revision":1,"description":"SubaccountRouter","isPrimacyOfImpact":null},{"id":"2YLT248lezgE3FdQpVvtU5","url":"https://snowtrace.io/address/0x81d8B0F2FD89D31728E8fe36fa3C9aD8BAcF10DC","type":"smart_contract","addedAt":"2024-11-06T07:37:07.491Z","revision":1,"description":"SwapHandler","isPrimacyOfImpact":null},{"id":"7g3gOCjmrOOlTG7D0AVHIX","url":"https://snowtrace.io/address/0x97c067B65AC815c08d73B867fe32F61Ce772468F","type":"smart_contract","addedAt":"2024-11-06T07:37:07.969Z","revision":1,"description":"SwapOrderUtils","isPrimacyOfImpact":null},{"id":"6bSOPvZO8wtQ4o4V1zYLED","url":"https://snowtrace.io/address/0xe14f1a0387A76C6427F22945246acD40E3f59aE0","type":"smart_contract","addedAt":"2024-11-06T07:37:08.398Z","revision":1,"description":"SwapPricingUtils","isPrimacyOfImpact":null},{"id":
"6PKbPsF3VNiTpOx5YEG22j","url":"https://snowtrace.io/address/0x85Fcd569577A0bb52abF9D9E691F69D94dD61aF8","type":"smart_contract","addedAt":"2024-11-06T07:37:08.813Z","revision":1,"description":"SwapUtils","isPrimacyOfImpact":null},{"id":"14M8GlJtDZ9azmHGuHZpid","url":"https://snowtrace.io/address/0xdF23692341538340db0ff04C65017F51b69a29f6","type":"smart_contract","addedAt":"2024-11-06T07:37:09.320Z","revision":1,"description":"Timelock","isPrimacyOfImpact":null},{"id":"7LEeXne7gI0g5hf2trUULq","url":"https://snowtrace.io/address/0x4FB4e6db5738709490856ecE38EcEcf264F2a97F","type":"smart_contract","addedAt":"2024-11-06T07:37:09.774Z","revision":1,"description":"TimestampInitializer","isPrimacyOfImpact":null},{"id":"7e6yPnaA6cuLXXqui2VHNT","url":"https://snowtrace.io/address/0x8583b878DA0844B7f59974069f00D3A9eaE0F4ae","type":"smart_contract","addedAt":"2024-11-06T07:37:10.291Z","revision":1,"description":"WithdrawalEventUtils","isPrimacyOfImpact":null},{"id":"3HNo9OFt6hvjaXCrYz3kg8","url":"https://snowtrace.io/address/0x1b0a44dD3bCCC2Ddae33921694EBc34E3ECC1415","type":"smart_contract","addedAt":"2024-11-06T07:37:10.733Z","revision":1,"description":"WithdrawalHandler","isPrimacyOfImpact":null},{"id":"7eckuPNVkLgRGb4VnjystS","url":"https://snowtrace.io/address/0xDD88C6E2C28e3974aDd060eB2Bc918AA9f186bB1","type":"smart_contract","addedAt":"2024-11-06T07:37:11.213Z","revision":1,"description":"WithdrawalStoreUtils","isPrimacyOfImpact":null},{"id":"22WJ1WdLiR09T16JKwyrVp","url":"https://snowtrace.io/address/0xf32b417A93Acc039B236F1eCC86B56bd3cB8E698","type":"smart_contract","addedAt":"2024-11-06T07:37:11.694Z","revision":1,"description":"WithdrawalUtils","isPrimacyOfImpact":null},{"id":"1ljS4wPnZwPsJ0BzdYfXsQ","url":"https://snowtrace.io/address/0xf5F30B10141E1F63FC11eD772931A8294a591996","type":"smart_contract","addedAt":"2024-11-06T07:37:12.336Z","revision":1,"description":"WithdrawalVault","isPrimacyOfImpact":null},{"id":"o4jJA7hPLpnJql4MPIvv7","url":"https://gmx.io","type
":"websites_and_applications","addedAt":"2024-11-06T07:37:12.860Z","revision":1,"description":"App","isPrimacyOfImpact":null},{"id":"2QnYJbTUKFhn4k51cZtCck","url":"https://app.gmx.io","type":"websites_and_applications","addedAt":"2024-11-06T07:37:13.335Z","revision":1,"description":"App","isPrimacyOfImpact":null}],"assetsBodyV2":"Please note that all contracts listed in the Assets in Scope table, as well as those found in the following repositories, are in scope for the GMX program:\n\n- https://github.com/gmx-io/gmx-contracts \n- http://github.com/gmx-io/gmx-synthetics \n- https://github.com/gmx-io/gmx-synthetics/tree/updates/deployments/arbitrum \n- https://github.com/gmx-io/gmx-synthetics/tree/updates/deployments/avalanche \n\n\nIf an impact can be caused to any other asset managed by GMX that isn’t on this table but for which the impact is in the Impacts in Scope section, you are encouraged to submit it for the consideration of the project. \n\nDetection of malicious Timelock transactions will be eligible for a bounty if it is submitted 1 hour after the malicious transaction was sent; this is to allow time for the GMX team to self-report based on their own monitoring. 
An exception to this would be if the Timelock transaction is able to cause losses in less than an hour’s time due to any misconfiguration of the Timelock, in which case it would be preferred that the report be submitted as early as possible.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Solidity","Typescript"],"launchDate":"2021-10-20T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3MNDLo0J4LVTW2PgGVCsrb/1b8813ff88a37704386e3c81237dfbbc/GMX_logo.jpeg","maxBounty":5000000,"pocPerTypeAndSeverity":["websites_and_applications - medium","websites_and_applications - high","websites_and_applications - critical","smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["AMM","DEX"],"programOverview":"GMX is a decentralized spot and perpetual exchange that supports low swap fees and zero price impact trades.\n\nTrading is supported by a unique multi-asset pool that earns liquidity providers fees from market making, swap fees, leverage trading (spreads, funding fees & liquidations) and asset rebalancing.\n\nFor more information about GMX, please visit [https://gmx.io/](https://gmx.io/). 
\n\nThis bug bounty program is focused on their smart contracts and app and is focused on preventing:\n\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Insolvency\n  - Loss of user funds by freezing, theft, or manipulation of the price of GLP\n  - Unable to call smart contract\n  - Thefts and freezing of principal of any amount\n  - Thefts and freezing of unclaimed yield of any amount\n  - Theft of governance funds","programType":["Smart Contract","Websites and Applications"],"project":"GMX","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. 
However, there is a minimum reward of __USD 50 000__.\n\nThe following vulnerabilities are not eligible for a reward:\n\n  - Exploits that require access to the Timelock admin keys or Fast Price Feed admin keys\n  - Cases involving risks of losses to the GLP pool in case the assets in the pool decrease in price\n  - Cases involving price manipulation on exchanges\n  - Vesting schedules might be slightly faster for multiple deposits\n  - Vault.includeAmmPrice and Vault.useSwapPricing are not reset to default values for certain cases, these variables will not be used\n  - Vault.liquidatePosition does not pay the transaction sender for certain cases, this is intentional\n  - Exploits that are not economically practical to execute\n  - Exploits due to delays or sizes of price feed updates\n  - In general, we assume that the fees earned from swaps and leverage trading over a period of a few months will be larger than any potential losses from price updates, we will be analyzing past data to adjust the fees and parameters for this. Additionally, any changes relating to the minimum price movement for profit as well as the cooldown duration for redeeming GLP will only be done after this analysis.  This analysis will also consider cases where opening both a long and short position within the minimum price movement may result in a higher probability of profit. 
Reports relating to these should be excluded.\n  - Calling Vault.setTokenConfig, Vault.clearTokenConfig, Vault.setTokenConfig on the same token would lead to double counting of the token amounts in GlpManager, Vault.clearTokenConfig will not be used\n  - GlpManager.getAum may return a slightly higher value until a liquidation occurs\n  - GlpManager.getAum may return a slightly lower value when there are shorts in profit but the price movement is below the 1.5% threshold\n  - It is possible for a user to burn and then mint GLP to frontrun price movements, the fees are assumed to be sufficient to prevent this from being profitable\n  - There will be some deviation of Vault.globalShortAveragePrices from the true average price if users increase their short position while the mark price is within 1.5% of their position’s average price, it is evaluated to not be economical for users to do this intentionally whether in combination with GLP minting or otherwise, GlpManager.setAumAdjustment can be used to correct this drift if required\n  - Vault.CollectSwapFees (_ token, feeAmount, tokenToUsdMin ( _ token, feeAmount))\n  - It is expected that liquidators, order executors and other keepers will validate that transactions succeed before sending them to avoid gas griefing attacks\n  - Exploits due to issues with hosting providers e.g. Netlify, Cloudflare Pages, IPFS and which cannot be fixed by changing any configuration on our side will be given an Informational classification, these exploits should be reported using the bug bounty program of the hosting providers instead\n\nPayouts are handled by the __GMX__ team directly and are denominated in USD. 
However, payouts are done in __ETH__ or __USDC__","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ETH or USDC","slug":"gmx","tenPercentEconomicRule":true,"updatedDate":"2026-01-22T11:50:24.377Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"GMX is a decentralized spot and perpetual exchange that supports low swap fees and zero price impact trades.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"**Smart Contracts and Blockchain**\n  - Best practice critiques\n  - If the GLP pool has a high utilization not all GLP tokens will be immediately redeemable, the borrowing fee should increase in this case and is \n    considered regular operation\n  - Denial of service attacks are out of scope if the attack can be bypassed, for example, an attacker can front-run a user proposal with identical \n    parameters to ProtocolGovernor, this can be bypassed by ending the proposal with #proposer=0x…, these kinds of attacks are out of scope\n\n\n**Websites and Apps**\n  - Attacks requiring privileged access from within the organization\n  - Feature requests\n  - Best practices\n  - Vulnerabilities primarily caused by browser/plugin defects\n  - Any vulnerability exploit requiring CSP bypass resulting from a browser bug\n  - Vulnerabilities that require compromise of the user’s machine / browser \n  - Community-developed applications such as those on the ecosystem page\n  - Clickjacking Vulnerabilities\n  - Denial of service attacks on services used by the interface will be given a low classification unless the attack prevents trading or withdrawal of \n    liquidity using the interface\n","customProhibitedActivities":[],"impacts":[{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover 
with already-connected wallet interaction"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open 
redirect)"},{"id":5178,"type":"smart_contract","severity":"critical","title":"Loss of user funds by freezing, theft, or manipulation of the price of GLP"},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":5179,"type":"smart_contract","severity":"critical","title":"Theft of governance funds"},{"id":5180,"type":"smart_contract","severity":"medium","title":"Temporary freezing of fund for any amount of time"},{"id":5181,"type":"websites_and_applications","severity":"critical","title":"Redirected funds by address modification"},{"id":5182,"type":"websites_and_applications","severity":"critical","title":"Shell access on server"},{"id":5183,"type":"websites_and_applications","severity":"critical","title":"Bypassing Authentication"},{"id":5184,"type":"websites_and_applications","severity":"critical","title":"Signing transactions for other 
users"},{"id":5185,"type":"websites_and_applications","severity":"critical","title":"Redirection of user deposits and withdrawals"},{"id":5186,"type":"websites_and_applications","severity":"critical","title":"Wallet interaction modification resulting in financial loss"},{"id":5187,"type":"websites_and_applications","severity":"critical","title":"Tampering with transactions submitted to the user’s wallet"},{"id":5188,"type":"websites_and_applications","severity":"high","title":"Privilege escalation to access unauthorized functionalities"},{"id":5189,"type":"websites_and_applications","severity":"medium","title":"Third-Party API keys leakage that demonstrates loss of funds or modification on the website"}],"rewards":[{"id":39586,"severity":"critical","assetType":"smart_contract","maxReward":5000000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":39587,"severity":"high","assetType":"smart_contract","fixedReward":25000,"rewardModel":"fixed"},{"id":39588,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":39589,"severity":"critical","assetType":"websites_and_applications","fixedReward":50000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":39590,"severity":"high","assetType":"websites_and_applications","fixedReward":25000,"rewardModel":"fixed"},{"id":39591,"severity":"medium","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1y5Q7V3ihNEYZpfNAHYbgp","url":"https://avax.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:36:14.905Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"296w1CC14yqg7Q1FdKDSe","url":"https://github.com/ava-labs/Avalanche-Wallet-SDK","type":"websites_and_applications","addedAt":"2023-12-04T12:36:23.014Z","revision":2,"description":"Avalanche-Wallet-SDK","isPrimacyOfImpact":null},{"id":"2oduvI9kPjEZpwz2I6PgNt","url":"https://chrome.google.com/webstore/detail/core-crypto-wallet-nft-ex/ago
akfejjabomempkjlepdflaleeobhb","type":"websites_and_applications","addedAt":"2023-12-04T12:30:28.479Z","revision":3,"description":"Core Browser Extension","isPrimacyOfImpact":null},{"id":"2vrQzcAFgkY11Y4BXQXvKK","url":"https://subnets.avax.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:36:12.238Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"3Uaaz4J4sB1r9bzRIWO6s7","url":"https://explorer.avax.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:35:57.112Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"3VeXgQ2adC6A48ATj3OaEe","url":"https://api.avax.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:36:06.681Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"3YSPRoDhooKq0Nie1ZXGen","url":"https://notify.avax.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:36:04.073Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"42oJfGPBcmhNVs5THjSCOu","url":"https://github.com/ava-labs/AvalancheJS","type":"websites_and_applications","addedAt":"2023-12-04T12:36:25.162Z","revision":2,"description":"AvalancheJS","isPrimacyOfImpact":null},{"id":"4DUpdIr4KbjuvxTNd7TJ66","url":"https://apps.apple.com/ng/app/core-crypto-wallet-nfts/id6443685999","type":"websites_and_applications","addedAt":"2023-12-04T12:36:29.648Z","revision":2,"description":"Core iOS 
App","isPrimacyOfImpact":null},{"id":"4yIZ6dssse2YVMFBtt1y9I","url":"https://backstage.avax-dev.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:35:46.033Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"4zl0CCv3k01f4SPcKpf2Sg","url":"https://faucet.avax-test.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:35:59.079Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"5UblHOvfx9DmIDDSATshBb","url":"https://core.app/","type":"websites_and_applications","addedAt":"2023-12-04T12:36:34.831Z","revision":2,"description":"Core Web Wallet","isPrimacyOfImpact":null},{"id":"5iAbyNBREhejfznVlqVSLA","url":"https://bridge.avax-test.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:35:50.184Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"63gdGZuAPaTkDFneSxdYwA","url":"https://api.avax-test.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:35:54.952Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"69qZ733vMDQ7c3W8SG35D4","url":"https://play.google.com/store/apps/details?id=com.avaxwallet","type":"websites_and_applications","addedAt":"2023-12-04T12:36:31.994Z","revision":2,"description":"Core Android App","isPrimacyOfImpact":null},{"id":"6aSUUh78GzAdkWBbcUfN5b","url":"https://stats.avax.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:36:01.223Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"6d37tkcOOkVGc55O9P94dT","url":"https://www.avax.network/","type":"websites_and_applications","addedAt":"2023-12-04T12:36:17.526Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"YfHduIMZyArmKUH8djz7o","url":"https://www.avalabs.org/","type":"websites_and_applications","addedAt":"2023-12-04T12:36:20.875Z","revision":3,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"Ava Labs’s codebase can be found at [https://github.com/ava-labs](https://github.com/ava-labs). 
Documentation and further resources can be found on [https://docs.avax.network/](https://docs.avax.network/). For details on standing up a local test network, see [https://docs.avax.network/tooling/network-runner](https://docs.avax.network/tooling/network-runner).\n\nWhilst this program adheres to Primacy of Rules, the following assets are excluded and are considered out of scope for this program. \n\n  - chat.avax.network\n  - docs.avax.network\n  - chat.avalabs.org\n  - buy.avax.network\n  - *.snowtrace.io\n  - community.avax.network\n  - test*.avax.network\n  - forum.avax.netowrk\n  - avalanche-hub.com\n  - academy.avax.network\n  - support.avax.network\n  - *.avacloud.io\n  - Status.avax.network\n  - [www.gamingonavax.com](https://www.gamingonavax.com/)\n  - [www.artonavalanche.com](http://www.artonavalanche.com)\n  - [www.avalanchesummit.com/](https://www.avalanchesummit.com/)\n  - Broken links to third-parties from [http://www.avax.network/blog](http://www.avax.network/blog)\n  - Broken links within third-party project content under [https://core.app/discover](https://core.app/discover)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Avalanche"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","JavaScript","Solidity"],"launchDate":"2023-12-04T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/62GmRlVFu7IOBMrAAXOlu6/50a7afd87333d0f62be3123093e2ec78/Avalanche_AVAX_Black__1_.png","maxBounty":10000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - 
low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L1","Wallet"],"programOverview":"Ava Labs __Core, Web, APIs__\n\nAva Labs makes it simple to deploy high-performance solutions for Web3, led by innovations on Avalanche. The company was founded by Cornell computer scientists, who partnered with Wall Street veterans and early Web3 leaders to execute a promising vision for redefining the way people build and use open, permissionless networks. Ava Labs is redefining the way people create value with Web3.\n\nFor more information about Ava Labs, please visit [https://www.avalabs.org/](https://www.avalabs.org/)\n\nAva Labs provides rewards in __USDC__ and locked __AVAX__, denominated in __USD__. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nAva Labs will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n  - Full name \n  - Date of birth\n  - Proof of address (either a redacted bank statement with address or a recent utility bill)\n  - Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nAva Labs adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Known Issue Assurance__\n\nAva Labs commits to providing Known Issue Assurance to bug submissions through their program. This means that Ava Labs will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. 
\n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Previous Audits__\n\nAva Labs’s completed audit reports can be found in the following link:\n\n  - [https://github.com/ava-labs/audits](https://github.com/ava-labs/audits)\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Ava Labs has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Websites and Applications"],"project":"Ava Labs","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Repeatable Attack Limitations__\n\n  - If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n  - For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. 
\n\n__Reward Calculation for High Level Reports__\n\n  - High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if they go unaddressed.   \n\n  - In the event of temporary freezing, the reward increases at a multiplier of two from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.    \n\nCritical web/app bug reports will be rewarded with USD 10,000 only if the impact leads to:\n\n  - A loss of funds involving an attack that does not require any user action\n  - Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical are rewarded a flat amount of USD 5,000. The rest of the severity levels are paid out according to the Impact in Scope table.  
\n\n__Reward Payment Terms__\n\nPayouts are handled by the __Ava Labs__ team directly and are denominated in __USD__.\n\nPlease note: In cases where the size of the reward exceeds an equivalent of 10 000 USD, Ava Labs is entitled to make the payment in one-year locked AVAX at the rate calculated based on the VWAP of AVAX during 90 calendar days preceding the date of the respective validated report.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"AVAX","slug":"avalabs","updatedDate":"2026-01-22T11:49:58.705Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Ava Labs makes it simple to deploy high-performance solutions for Web3, led by innovations on Avalanche. Ava Labs is redefining the way people create value with Web3.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Dependency confusion attacks on NPM","customProhibitedActivities":[],"impacts":[{"id":4599,"type":"websites_and_applications","severity":"low","title":"Changing details of users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as: Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":4600,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:  social media handles, etc"},{"id":4601,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as: locking up the victim from login, cookie bombing, etc"},{"id":4602,"type":"websites_and_applications","severity":"low","title":"Subdomain takeover without already-connected wallet interaction"},{"id":4603,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, replacing existing text with arbitrary text, arbitrary file uploads, etc"},{"id":4604,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local 
storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  email, password of the victim etc."},{"id":4605,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:  email address, phone number, physical address, etc."},{"id":4606,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: changing the name of user, enabling/disabling notifications"},{"id":4607,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as: reflected HTML injection, loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4608,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:  /etc/shadow database passwords blockchain keys (does not include non-sensitive environment variables, open source code, usernames), taking down the application/website, taking down the NFT URI"},{"id":4609,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:  changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":40,"type":"websites_and_applications","severity":"critical","title":"Changing NFT metadata"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of 
user funds"},{"id":4610,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as: modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"}],"rewards":[{"id":39599,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":39600,"severity":"high","assetType":"websites_and_applications","maxReward":5000,"minReward":2500,"rewardModel":"range"},{"id":39601,"severity":"medium","assetType":"websites_and_applications","maxReward":2500,"minReward":1000,"rewardModel":"range"},{"id":39602,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4qZ7w9kPd6Avqh6goz5mzw","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-vaults-manager-v1-2?chain=mainnet","type":"smart_contract","addedAt":"2026-01-15T15:57:41.160Z","revision":1,"description":"Vaults Manager","isPrimacyOfImpact":null},{"id":"2vGdxcXZspBwuBWciG5uT6","url":"https://app.arkadiko.finance","type":"websites_and_applications","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"Arkadiko App","isPrimacyOfImpact":null},{"id":"34lR4pbQ7QVcjt3FXxmiHY","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-vaults-pool-active-v1-1?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"Vaults Pool 
Active","isPrimacyOfImpact":null},{"id":"3bEVChlkzdUq8CibGvYLI3","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.usda-token?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"USDA","isPrimacyOfImpact":null},{"id":"5X40ykHEE8p6Xe7lDNMtJh","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-token?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"DIKO","isPrimacyOfImpact":null},{"id":"5shtYXhYBvwBwLaDTKquAZ","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-vaults-helpers-v1-1?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"Vaults Helpers","isPrimacyOfImpact":null},{"id":"5wAMtZMh6xHvhzQCJ0XbXR","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-vaults-tokens-v1-1?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"Vaults Token","isPrimacyOfImpact":null},{"id":"6CTBPRdGr3joW5BwLocfaV","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-vaults-pool-liq-v1-2?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":3,"description":"Vaults Pool Liq","isPrimacyOfImpact":null},{"id":"6icpdu7e54Fe9XczAtrEiC","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-vaults-pool-fees-v1-1?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"Vaults Pool Fees","isPrimacyOfImpact":null},{"id":"6yx7YMJYB2UaLadySrFr1h","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-vaults-operations-v1-3?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":4,"description":"Vaults 
Operations","isPrimacyOfImpact":null},{"id":"7LSwPeW5RLWZlUFtaCM7dG","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.wstx-token?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"WSTX","isPrimacyOfImpact":null},{"id":"oREL8KvyT9ReyXV3657NG","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-vaults-data-v1-1?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"Vaults data","isPrimacyOfImpact":null},{"id":"ysNZG8P8srAD9SgbZKqhr","url":"https://explorer.hiro.so/txid/SP2C2YFP12AJZB4MABJBAJ55XECVS7E4PMMZ89YZR.arkadiko-vaults-sorted-v1-1?chain=mainnet","type":"smart_contract","addedAt":"2024-06-03T02:44:00.000Z","revision":2,"description":"Vaults Sorted","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Clarity"],"launchDate":"2024-06-03T02:44:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5jrH7DqiZ86zEEUx473Bit/6a9e7bfe578a231c669df87b47ccb06a/iXZxqXae_400x400.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Stablecoin"],"programOverview":"Arkadiko is a decentralized, non-custodial liquidity protocol where users can collateralize their assets and mint a stablecoin called USDA. 
\n\nLaunched in October 2021, Arkadiko was the first Decentralized Finance protocol on Stacks, bringing native stablecoin liquidity to the on-chain ecosystem. \n\nArkadiko 2.0 is the next-generation iteration of Arkadiko, introducing several improvements to the core protocol.\n\nFor more information about Arkadiko, please visit https://arkadiko.finance/\n\nArkadiko provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__Primacy of Impact vs Primacy of Rules__\n\nArkadiko adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Known Issue Assurance__\n\nArkadiko commits to providing Known Issue Assurance to bug submissions through their program. This means that Arkadiko will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n\n__Previous Audits__\n\nArkadiko’s completed audit reports can be found at https://www.coinfabrik.com/blog/arkadiko-audit/. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Arkadiko has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract","Websites and Applications"],"project":"Arkadiko","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. 
\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 1 000 to USD 20 000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nCritical web/app bug reports will be rewarded with USD 25 000 only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical are rewarded a flat amount of USD 5 000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Arkadiko team directly and are denominated in USD. However, payments are made in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"arkadiko","tenPercentEconomicRule":false,"updatedDate":"2026-01-22T11:49:05.608Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Arkadiko is a decentralized, non-custodial liquidity protocol where users can collateralize their assets and mint a stablecoin called USDA. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of 
NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":4919,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4920,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious 
transactions"}],"rewards":[{"id":10611,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":10612,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":1000,"rewardModel":"range"},{"id":10613,"severity":"critical","assetType":"websites_and_applications","maxReward":25000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0}],"audits":[]},{"assets":[{"id":"1MI7AIu2n24fsx0HxlfVl4","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/extension/components/position_hooks.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:31.977Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"1Q6qBVVm3cpYMyK7qzX9p9","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/extension/components/fee_model.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:32.557Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"1b8XNC6VT3qzW1Xi8QfLKc","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/interest_rate_model.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.661Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"1qRQFHjIweSSnK5edlq4iS","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/v_token_v2.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.891Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"2cTIFJpzNy2Wqd5anflsuz","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/math.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:31.346Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"2cfWxaGhrHcrRR9NPqdjBR","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/units.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:29.947Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"2xPwrqgJigVhuK93VV9W7Z","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/units.cairo","type":"smart_contrac
t","addedAt":"2025-11-20T09:07:32.706Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"33l6c0n0fwOTxqhL8nI4XG","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/common.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.590Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"3KdfAsxbMRsA9HHf7qzLm","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/extension/components/tokenization.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:31.821Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"4k1rzqIsOq4KKSaoLo5dSk","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/singleton_v2.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:32.771Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"57gao9TRukV1TXImZ26WA7","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/data_model.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.672Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"5mQnXT9sXSZP1M5y0qUMOI","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/pool.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:31.733Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"5oJUXhCCY9e3uV78IetyIm","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/v_token.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:29.903Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"64ZBoIT2BYFOp2jTDuwPGt","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/packing.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.179Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"6dWHJx7cq1d1jnp7PvQrqO","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/extension/components/interest_rate_model.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:32.394Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"6frjCPzzFtojKHHsxyl8dr","url":"https://github.com/vesuxyz/v
esu-v2/blob/main/src/pool_factory.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.169Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"6tB06QjLbSMWbhBMbgFmST","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/packing.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:31.108Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"76aU8Goy7AzHMSH8QPy4MP","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/extension/components/pragma_oracle.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:32.189Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"79BQ9OtrZT9sKRBxWz88xT","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/lib.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.446Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"7gbz9gR0TQiPdI3LMMTsF7","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/lib.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:32.059Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"7imBKevlL1XMKOSj06F4jH","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/math.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.424Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"7pL7rfV0au8Gpu5lm5Thkx","url":"https://github.com/vesuxyz/vesu-v2/blob/main/src/oracle.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.337Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"QX5Bk3wIlumPyoz06FucC","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/common.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:32.310Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"RtQVLUvYJo318xM4buiQB","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/v_token.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:30.828Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"lpRN4IDtXrpZqOV1LQs1Y","url":"https://githu
b.com/vesuxyz/vesu-v1.1/blob/main/src/extension/default_extension_po_v2.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:31.584Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"qxWfYS4JRNaX5VA3Rz7YN","url":"https://github.com/vesuxyz/vesu-v1.1/blob/main/src/data_model.cairo","type":"smart_contract","addedAt":"2025-11-20T09:07:32.612Z","revision":3,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Starknet"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Cairo"],"launchDate":"2024-07-10T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4bZnUNgmQOUv5WMlx0358S/8890b3afddc4a6dda01e4dc483e8f1b8/Vesu.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"OtherNonEVML1","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"Vesu is a modular and permissionless lending protocol allowing anyone to earn, borrow and create markets. Vesu aims to offer superior UX comparable to FinTech apps while leveraging the power of DeFi \"under the hood\". To achieve this, Vesu has partnered with Argent , the leading Wallet on Starknet.\n\nFor more information about Vesu, please visit [https://vesu.xyz](https://vesu.xyz).\n\nVesu provides rewards in STRK on Starknet, denominated in USD. 
For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__Primacy of Impact vs Primacy of Rules__\n\nVesu adheres to the Primacy of Impact for the following impacts:\n- Smart Contract / Critical\n- Smart Contract / High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n- https://github.com/vesuxyz/security/blob/main/disclosures/disclosures.md https://github.com/vesuxyz/security/tree/main/disclosures\n\n__Previous Audits__\n\nVesu’s completed audit reports can be found at [https://github.com/vesuxyz/security](https://github.com/vesuxyz/security). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Vesu has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"Vesu","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 1,000 to USD 10,000 depending on the funds at risk, capped at the maximum high reward.  \n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Vesu team directly and are denominated in USD. However, payments are done in STRK on Starknet.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"STRK","slug":"vesu","tenPercentEconomicRule":false,"updatedDate":"2026-01-22T11:45:37.997Z","impactsBody":null,"websiteUrl":"https://vesu.xyz","githubUrl":"https://github.com/vesuxyz","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Vesu is a modular and permissionless lending protocol allowing anyone to earn, borrow and create markets. Vesu aims to offer superior UX comparable to FinTech apps while leveraging the power of DeFi \"under the hood\". 
To achieve this, Vesu has partnered with Argent , the leading Wallet on Starknet.","knownIssues":[{"id":1218,"link":"https://docs.vesu.xyz/security/disclosures","description":"Various disclosures","lastUpdatedAt":"2025-06-04T03:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":17912,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":17913,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":1000,"rewardModel":"range"}],"audits":[{"id":"7DI940p4EKDAGUEbnqZurS","url":"https://github.com/zenith-security/reports/blob/main/reports/Vesu%20V1%20-%20Zenith%20Audit%20Report.pdf","auditor":"Zenith","date":"2025-10-13T03:00:00.000Z"},{"id":"7cdWV2ljN2qM48l7MFOFmb","url":"https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2025.10.31%20-%20Final%20-%20Vesu%20Vaults%20Collaborative%20Audit%20Report%201761914943.pdf","auditor":"Sherlock","date":"2025-10-01T03:00:00.000Z"},{"id":"3OMsQEsZsjq9lZ24VgnVcG","url":"https://www.chainsecurity.com/security-audit/vesu-v2","auditor":"ChainSecurity","date":"2025-09-30T03:00:00.000Z"},{"id":"19vNPIVJURYjKUXMkZISAd","url":"https://www.openzeppelin.com/news/vesu-v2-differential-audit","auditor":"OpenZeppelin","date":"2025-09-26T03:00:00.000Z"},{"id":"6D3N5ceCQafKVmGOtA0Ccd","url":"https://github.com/zenith-security/reports/blob/main/reports/Vesu%20V2%20-%20Zenith%20Audit%20Report.pdf","auditor":"Zenith","date":"2025-09-25T03:00:00.000Z"},{"id":"18wxroIaQ1bMPfSCjS4e0A","url":"https://github.com/Cairo-Security-Clan/Audit-Portfolio/blob/main/Vesu_Audit_Report_Final.pdf","auditor":"Cairo Security 
Clan","date":"2024-07-01T22:00:00.000Z"},{"id":"6iS36VCkNIZarmXn9FQFDW","url":"https://www.chainsecurity.com/security-audit/vesu-protocol-smart-contracts","auditor":"ChainSecurity","date":"2024-08-07T22:00:00.000Z"}]},{"assets":[{"id":"46LutaGTp0BmlpTFVxm3eu","url":"https://checker.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5eCf4Atva5XjZXH0ncWrSs","url":"https://honeypaper.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"74gNN2OmLTOqRGZ9tsSmpm","url":"https://ecosystem.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"1aL75W7AMWx03gMOV1DgIu","url":"https://rfb.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"67fFrGHEDvyq8IvcCtIaSJ","url":"https://buildabera.xyz","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3MPdqtnEP3SJUB7S2IpORJ","url":"https://safe.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7qk3xfAlYTK2h64C6ayKTR","url":"https://berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"2eazUKBwB8niEhN0wnjh4A","url":"https://ambassador.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"YLUjbiZ3DmUWX2KbgZCNv","url":"https://hub.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null}
,{"id":"3lscj3JPLMuzmYUTGlehYL","url":"https://honey.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3kXPWs7fJ1r4hovIpGHppQ","url":"https://nftbridge.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"18fu4OUqHYwNxuLd5VEqzo","url":"https://bridge.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3FNMIfM6L8em7FpTMKVmc9","url":"https://sunset.bartio.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7Hal3UJ9GjSj6tA9MW7hu5","url":"https://rpc.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"tqxOBBv29udx3DyAGlleY","url":"https://airdrop.berachain.com","type":"websites_and_applications","addedAt":"2025-03-18T09:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6EqPoccYFxXr26ynXoQ8M7","url":"https://api.berachain.com/","type":"websites_and_applications","addedAt":"2025-04-02T15:49:37.280Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-03-18T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2diXYoF3V6dLx321wM3wvg/bfb6686f0481055416ee5c2977a5a2a3/Berachain.png","maxBounty":10000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["L1"],"programOverview":"Berachain is a high-performance EVM-Identical Layer 1 (L1) blockchain utilizing Proof-of-Liquidity (PoL) as a consensus mechanism and built on top of a modular EVM-focused consensus client framework named BeaconKit.\n\nBeaconKit is a modular framework for building EVM-based consensus clients. The framework offers the most user-friendly way to build and operate an EVM blockchain while ensuring a functionally identical execution environment to the Ethereum Mainnet.\n\nFor more information about Berachain, please visit our [docs](https://docs.berachain.com/) or our [code](https://github.com/berachain/beacon-kit).\n\nBerachain provides rewards in BERA on Berachain, denominated in USD. Please see the **Rewards by Threat Level** section below for more details about the payment process. \n\n__KYC Requirement__\n\nBerachain will be requesting KYC information to pay for successful bug submissions. 
The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with the address or a recent utility bill)\n- Copy of Passport or other Government ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement outlined in this program and cannot be:\n\n- On OFAC SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors who directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nBerachain adheres to **category 3 - Approval Required**. This Policy determines what information researchers can make public from their submitted bug reports. For more details on the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\nBerachain adheres to the Primacy of Rules, meaning the whole bug bounty program is run strictly under the terms and conditions stated on this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC demonstrating the bug's impact is required for this program and must comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously discovered bugs are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.  \n\n__Previous Audits__\n\nBerachain’s completed audit reports will be available soon. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may receive valid reports (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack is. Conversely, there may also be mitigation measures that projects can take to prevent the bug's impact, which are not viable or would require unconventional action.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) that, by default, state what security researchers and projects can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Berachain has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Websites and Applications"],"project":"Berachain (Web/Apps)","projectType":["Blockchain","Infrastructure"],"rewardsBody":"***STOP!*** **Is your report `Blockchain/DLT` or `Smart Contracts` related?**\n\n**If yes, please visit:** https://immunefi.com/bug-bounty/berachain/information/\n\n___\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).  
\n\n__Reward Calculation for High-Level Reports__\n \nFor critical web/apps bug reports will be rewarded with USD 10 000, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 5 000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Berachain team directly and are denominated in USD. However, payments are made in BERA on Berachain.\n\nThe net amount rewarded is calculated based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"berachain-webapps","tenPercentEconomicRule":false,"updatedDate":"2026-01-16T15:32:06.779Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Berachain is a high-performance EVM-Identical Layer 1 (L1) blockchain utilizing Proof-of-Liquidity (PoL) as a consensus mechanism and built on top of a modular EVM-focused consensus client framework named BeaconKit.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- DoS attacks due to a lack of rate limits and improper handling of large HTTP request data or queries are not eligible for the reward.\n\n\n","customProhibitedActivities":[],"impacts":[{"id":5437,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website - Causing the application/website to enter an unrecoverable failure state, rendering it permanently unresponsive until explicitly restarted."},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":38,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT URI"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":40,"type":"websites_and_applications","severity":"critical","title":"Changing NFT metadata"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an 
already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users 
(including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:\n- Locking up the victim from login\n- Cookie bombing, etc."},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":5356,"type":"websites_and_applications","severity":"low","title":"Subdomain takeover without already-connected wallet interaction"}],"rewards":[{"id":39810,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":39811,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":39812,"severity":"medium","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"},{"id":39813,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"15iAOy1deWFKNbPdx2aypi","url":"https://github.com/firedancer-io/firedancer/tree/e60d9a6206efaceac65a5a2c3a9e387a79d1d096","type":"blockchain_dlt","addedAt":"2024-07-10T17:00:00.000Z","revision":6,"description":"Firedancer v0.1 Testnet (only directory and file listed in this file [https://asymmetric-assets.s3.amazonaws.com/fdctl-scope.txt?utm_source=immunefi] are within the scope)","isPrimacyOfImpact":null}],"assetsBodyV2":"The Firedancer validator builds as a single binary: `fdctl`.  All code and functionality linked and reachable by the main function of this binary is in scope, including from the primary `run` command, but also `configure`, `monitor`, and others. 
Bugs in linked but unreachable code (for example: cryptography implementations that are behind a development flag or library utility code that is never called) are in scope but are not exploitable and will be considered informational (aka insight reports).\n\nThe Firedancer repository contains code for two validators:\n\n- Firedancer v0.1, lovingly nicknamed “Frankendancer”, a split between Firedancer and the existing Agave validator written in Rust\n- A full C-only Firedancer completely replacing the existing Agave validator.\n\nThe full Firedancer code is behind a development flag, and findings in code that is only reachable in full Firedancer will be considered informational (aka insight reports).\n\nThe Firedancer v0.1 validator interfaces with the existing Agave validator written in Rust via an FFI interface. This FFI interface and the modifications to Agave to support such FFI are in scope, but bugs in the Agave validator itself that would impact existing Solana validators should be reported to the [Agave bug bounty](https://github.com/anza-xyz/agave/security#bounty) and are not considered in scope for the contest.\n\nThe [directory and file listing](https://asymmetric-assets.s3.amazonaws.com/fdctl-scope.txt) are provided to help navigate the codebase and determine what is in scope. The ground truth for scope and impact will follow the production binary.\n\nThe Firedancer v0.1 sandbox (and machine model) are explicitly **in-scope**. This means that a researcher could **assume** a tile’s already been breached, and any findings downstream of that “contrived” tile breach are valid. As an example: Assume the “Net” tile has been breached, such that the researcher has full RCE within the sandbox of the Net tile. 
If the attacker is able to cause malicious effects in any of the “downstream” tiles or on the system itself, these findings would also be in scope.\n\n__Mid-Contest Code Updates__\n\nIn this contest bug fixes may be applied mid-contest.\n\nThe project is to keep changes private as far as possible. When changes need to be made public, then the changelog will be updated here & in the [Firedancer Audit Competition Discord channel](https://discord.com/invite/immunefi?utm_source=immunefi). Publicly fixed bugs are invalid and the scope is updated to the new code.\n\nAll bug reports before the fix was public will earn a reward. All bug reports after are invalid. If a new bug is introduced by their fix then it is valid for a reward.\n\n__Mid-Contest Changelog__\n\n- July 16 :: improve balance between votes and non-votes https://github.com/firedancer-io/firedancer/pull/2404\n\nAsset in scope link updated from https://github.com/firedancer-io/firedancer/tree/v0.106.11814 to https://github.com/firedancer-io/firedancer/tree/e60d9a6206efaceac65a5a2c3a9e387a79d1d096\n\n__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are **not** valid for a reward.\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nFiredancer adheres to the Primacy of Rules, meaning the whole bug bounty program is run strictly under the terms and conditions stated on this page.\n\n__KYC Requirement__\n\nImmunefi will be requesting KYC information to pay for successful bug submissions. 
The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with the address or a recent utility bill)\n- Copy of Passport or other Government ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement outlined in this program and cannot be:\n- On OFAC SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Employees of Solana Foundation or any other Solana client project\n- Security auditors who directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this program and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may receive valid reports (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the bug's impact, which are not feasible or would require unconventional action and, hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) that, by default, state what security researchers and projects can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Firedancer has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Boost cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/11pdF_-XieyxWF1Z1Nyr7Jq2SYWS7SLSA)\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/Firedancer%20v0.1)","boostedIntroLive":"$1,000,000 USD is available in rewards for finding bugs in the Firedancer v0.1 codebase of about 200,000 nSLOC. KYC is required.\n\nThe Firedancer v0.1 team will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to Firedancer v0.1 or Immunefi in the [Firedancer v0.1 Boost Discord channel](https://discord.com/invite/immunefi).\n\nIn this contest bug fixes may be applied mid-contest. 
Further details are in the 'Assets In Scope' section.\n\nWhen the Boost has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$1,000,000 USD in rewards is available for finding bugs on Firedancer v0.1 which is a new validator client for Solana.\n\nKYC is required.\n\nFiredancer v0.1 will respond within 24 hours on weekdays to all bug reports. Any technical questions can be asked directly to the Firedancer v0.1 technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"firedancer-v0.1-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nIn a few days after the launch, Firedancer v0.1 will give a live technical walkthrough, hosted in the Immunefi Discord. \n\nJoin our Discord for more updates.","boostedLeaderboard":[{"high":0,"name":"c4a4dda89","critical":0,"earnings":105558,"insights":1,"mediumLow":6,"totalValidBugs":6},{"high":0,"name":"gln","critical":0,"earnings":82541,"insights":1,"mediumLow":5,"totalValidBugs":5},{"high":0,"name":"Swift77057","critical":0,"earnings":52285,"insights":0,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"[redacted]","critical":0,"earnings":9615,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"ret2happy","critical":0,"earnings":0,"insights":1,"mediumLow":1,"totalValidBugs":1}],"boostedSummaryReport":"https://drive.google.com/file/d/1x0fZ0jFWcbXE7-41-atdA74XweSZeSSK/view","ecosystem":["Solana"],"endDate":"2024-08-21T08:00:00.000Z","evaluationEndDate":"2024-10-10T08:00:00.000Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["C/C++"],"launchDate":"2024-07-10T17:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6abbRPq25ZJAZ0KbG5mgCL/42f2a899c65754988546c1f445f4f27f/image__16_.png","maxBounty":1000000,"outOfScopeAndRules":"These impacts are out 
of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Websites and Apps__\n\n- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n    - This does not exclude reflected HTML injection with or without JavaScript\n    - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Validator"],"programOverview":"Firedancer is a new validator client for Solana.\n\n- **Fast** - Designed from the ground up to be fast. The concurrency model is borrowed from the low-latency trading space, and the code contains many novel high-performance reimplementations of core Solana primitives.\n- **Secure** - The validator's architecture allows it to run with a highly restrictive sandbox and almost no system calls.\n- **Independent** - Firedancer is written from scratch. This brings client diversity to the Solana network and helps it stay resilient to supply chain attacks in build tooling or dependencies.\n\nFor more information about Firedancer, please visit [https://firedancer-io.github.io/firedancer/](https://firedancer-io.github.io/firedancer/)\n\nFiredancer provides rewards in USDC on Solana, which are denominated in USD.","programType":["Blockchain/DLT"],"project":"Audit Comp | Firedancer v0.1","projectType":["Infrastructure"],"rewardsBody":"The following reward terms are a summary; read our [Firedancer v0.1 Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/26610998104465-Firedancer-v0-1-Audit-Competition-Reward-Terms) for the full details.\n\nThe reward pool will be entirely distributed among participants. 
The size depends on the bugs found:\n- If no valid bugs are found, the reward pool will be **$50,000 USD**\n- If no High or Critical severity bugs are found, the reward pool will be **$250,000 USD**\n- If one or more High severity bugs are found, the reward pool will be **$500,000 USD**\n- If 1 Critical severity bug is found, the reward pool will be **$700,000 USD**\n- If 2 Critical severity bugs are found, the reward pool will be **$800,000 USD**\n- If 3 or more Critical severity bugs are found, the reward pool will be **$1,000,000 USD**\n\nFor this Audit Competition, duplicates are valid for a reward. Private known issues are **not** valid.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Payment Terms__\n\nPayouts are handled by the Firedancer team directly and are denominated in USD. However, payments are done in USDC on Solana.\n\nAfter the event has concluded and the final bug reports have been resolved, rewards will be distributed all at once based on Immunefi’s distribution formula.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\nThe \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi).","rewardsPool":1000000,"primaryPool":1000000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"firedancer-boost","tenPercentEconomicRule":false,"updatedDate":"2026-01-14T14:40:30.903Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Whitehat Educational Resources & Technical Info__\n\n- Documentation: [https://firedancer-io.github.io/firedancer/](https://firedancer-io.github.io/firedancer/)\n- Technical education: \n     - [https://github.com/firedancer-io/firedancer/blob/main/README.md](https://github.com/firedancer-io/firedancer/blob/main/README.md)\n     - [https://github.com/firedancer-io/firedancer/blob/main/src/disco/README.md](https://github.com/firedancer-io/firedancer/blob/main/src/disco/README.md)\n     - All header files contain sufficient documentation about each component's function\n- Non-technical education:\n     - Solana Docs: https://solana.com/docs\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nThis is a complete ground-up implementation of a Solana protocol client. It was based on the Agave client ([https://github.com/anza-xyz/agave](https://github.com/anza-xyz/agave)), which is written in Rust, but this implementation is written from scratch in C.\n\n__Where do you suspect there may be bugs? 
Valuable aspects of this question are:__\n\n**Which parts of the code are you most concerned about?**\n- Signing Tile ([https://github.com/firedancer-io/firedancer/tree/v0.106.11814/src/disco/keyguard](https://github.com/firedancer-io/firedancer/tree/v0.106.11814/src/disco/keyguard)) \n- QUIC Tile ([https://github.com/firedancer-io/firedancer/tree/v0.106.11814/src/waltz/quic](https://github.com/firedancer-io/firedancer/tree/v0.106.11814/src/waltz/quic)) \n- Sandbox ([https://github.com/firedancer-io/firedancer/tree/v0.106.11814/src/util/sandbox](https://github.com/firedancer-io/firedancer/tree/v0.106.11814/src/util/sandbox)) \n\n**What attack vectors are you most concerned about?**\n- Any attack vector that results in the loss of funds\n- Remote Code Execution, leading to compromise of validator key material or arbitrary transaction signing\n- Denial of Service, leading to degradation or loss of service availability\n- Global Denial of Service, leading to consensus failure, excessive forking, or chain halts\n\n**Which part(s) of the system do you want whitehats to attempt to break the most?**\n- Signature Verification Tile (Denial of Service / RCE / Arbitrary Signing)\n- Network and QUIC Tiles (Denial of Service / RCE)\n- Sandbox Escape or Violation (Abusing the sandbox or violation of sandbox policies for unexpected outcomes)\n- Inconsistencies between Firedancer / Agave behavior that lead to unsafe outcomes.\n\n**Are there any assumed invariants that you want whitehats to attempt to break?**\n- If any tile is compromised, the sandbox should contain its effects on that tile. 
It should not allow the compromise to significantly impact other tiles and/or the system.\n\n__Would you consider any bug report requiring their involvement to be out of scope as long as they operate within the privileges attributed to them?__\n\n- Any bug reports that assume a pre-existing compromise of the validator operating system, applications, or any administrative control over the operating system.\n- Any bug dependent on exploiting vulnerabilities in the agave client codebase. \n- Any bug reports that require social engineering or physical attack on a person or the system.\n- Any bug reports that assume a malicious operator or the like.\n- Any bug that is not exploitable on the latest stable and supported Linux distributions ([Ubuntu](https://ubuntu.com/about/release-cycle), [Debian](https://www.debian.org/releases/), [Fedora](https://docs.fedoraproject.org/en-US/releases/), or [Red Hat](https://access.redhat.com/support/policy/updates/errata) Distributions).\n- Any bug that is not focused on x86 architecture.\n- Any bug that is not exploitable on the latest stable and supported GCC versions.\n- Any bug that has an initial vector of compromise in a dependency.\n- Any bug in a dependency that is not exclusive to Firedancer should instead be reported to the upstream repo. (For example, If you find a bug in Agave that also affects Agave, you should report it to the [Agave bug bounty program](https://github.com/anza-xyz/agave/security#bounty) instead).\n\n__What external dependencies are there?__\n\n**Build Dependencies:** perl, autoconf, gettext, automake, autopoint, flex, bison, build-essential, gcc-multilib, protobuf-compiler, llvm, lcov, libgmp-dev, cmake.\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nCode exists in the repository, which is in development but not yet executed by the validator, while it currently leverages the Agave client for these functions - for example, `src/flamenco/runtime/`, `src/ballet/sbpf/`.  
Attempts have been made above to make this very clear in the file dump listing at the bottom of the scope table, but there may be some minor exceptions that we can clear up if there are questions.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nThe handwritten TLS stack contains only the parts strictly necessary for Firedancer.\n\n__What is the test suite setup information?__\n\n- GitHub Actions: [https://github.com/firedancer-io/firedancer/tree/main/.github/workflows](https://github.com/firedancer-io/firedancer/tree/main/.github/workflows)\n- Additionally, M1 fuzzing harnesses do exist in the main repo; you can find them with this command: `find . -type f -name 'fuzz_*.c' -path './src/*'`\n- Fuzzing harnesses can be built with a modern Clang compiler (recommended: 17): `MACHINE=linux_clang_x86_64 EXTRAS=\"asan fuzz\" make -j fuzz-test`\n\n__How to build and run the node?__\n\n[https://firedancer-io.github.io/firedancer/guide/getting-started.html](https://firedancer-io.github.io/firedancer/guide/getting-started.html)\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix,” necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.\n- [https://github.com/firedancer-io/firedancer/issues](https://github.com/firedancer-io/firedancer/issues) (any public issues before submission)\n- [https://github.com/firedancer-io/firedancer](https://github.com/firedancer-io/firedancer) (any fixes in the main repo before submission)\n\n__Previous Audits__\n\nFiredancer v0.1 completed audit reports can be found at [https://github.com/firedancer-io/audits](https://github.com/firedancer-io/audits). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Firedancer is a new validator client for Solana.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4980,"type":"blockchain_dlt","severity":"high","title":"Process to process RCE between sandboxed tiles"},{"id":4981,"type":"blockchain_dlt","severity":"medium","title":"Any bug leading Firedancer v0.1 to produce an invalid block or skip its leader slot"},{"id":4982,"type":"blockchain_dlt","severity":"medium","title":"Consensus issues causing Firedancer v0.1 validators to fork"},{"id":4983,"type":"blockchain_dlt","severity":"medium","title":"Liveness issues that cause Firedancer v0.1 validators to crash or be unavailable"},{"id":4984,"type":"blockchain_dlt","severity":"critical","title":"Any sandbox escape"},{"id":4985,"type":"blockchain_dlt","severity":"critical","title":"Any bug leading to loss of funds or acceptance of forged / invalid signatures"},{"id":4986,"type":"blockchain_dlt","severity":"critical","title":"Key compromise/exfiltration exploit chain"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward 
Pool","assetType":"blockchain_dlt","pocRequired":true}],"audits":[]},{"assets":[{"id":"4ndFfaa7pRJWE1JfJ8Pgrl","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/Stargate.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"Stargate.sol - Entrypoint to the protocol - 640 lines","isPrimacyOfImpact":null},{"id":"5YxGQdHxdZmnbkhYPHoqB7","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateProxy.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateProxy - Proxy for upgradeability - 11 lines","isPrimacyOfImpact":null},{"id":"79RXAl91s0yFTx4YFhfAWG","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/StargateNFT.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateNFT/StargateNFT.sol - ERC721 with extra functionality - 373 lines","isPrimacyOfImpact":null},{"id":"6Z44gaUvtZLJ4WwlXMcCJx","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/libraries/Clock.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateNFT/libraries/Clock.sol - Library for handling time - 22 lines","isPrimacyOfImpact":null},{"id":"57m3yIgKEsRKxixYjzoux2","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/libraries/DataTypes.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateNFT/libraries/DataTypes.sol - Types used across the project - 79 
lines","isPrimacyOfImpact":null},{"id":"nbJgXlt2rD2i9QTrqECVN","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/libraries/Errors.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateNFT/libraries/Errors.sol - Errors used in StargateNFT - 37 lines","isPrimacyOfImpact":null},{"id":"4F3aWxL8GWo09FY9iLPA4S","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/libraries/Levels.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateNFT/libraries/Levels.sol - Library that handles NFT levels - 237 lines","isPrimacyOfImpact":null},{"id":"68RzDEDlEKVQoTCVFcu4xq","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/libraries/MintingLogic.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateNFT/libraries/MintingLogic.sol - Library that takes care of minting, burning and migrating NFTs - 177 lines","isPrimacyOfImpact":null},{"id":"6dG7AJmrmgtMmICtjmsRB7","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/libraries/Settings.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateNFT/libraries/Settings.sol - NFT settings - 13 lines","isPrimacyOfImpact":null},{"id":"3UOsp16vUV3bxB5fzuCL6n","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/libraries/Token.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateNFT/libraries/Token.sol - Handles token maturity and getters - 141 
lines","isPrimacyOfImpact":null},{"id":"6YJU99bnrCqTKHdqUbEoja","url":"https://github.com/immunefi-team/audit-comp-vechain-stargate-hayabusa/tree/main/packages/contracts/contracts/StargateNFT/libraries/TokenManager.sol","type":"smart_contract","addedAt":"2025-11-10T10:00:00.000Z","revision":2,"description":"StargateNFT/libraries/TokenManager.sol - Library for handling Token Managers - 190 lines","isPrimacyOfImpact":null}],"assetsBodyV2":"**Insight Reporting** \n\nInsight reports may be reported to this program and require a PoC. Insights are rewarded in accordance with [Immunefi’s Standardized Competition Reward Terms.](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms)\n\n**Dispute Resolution**\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has the final say on validity and severity based on the terms of this program.\n\n**Responsible Publication Policy**\n\n- Immunefi will publish bug reports, earnings, and a leaderboard for this Audit Competition.\n- Security Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in an audit review of the code in scope (Such auditors may still participate in this program only if they receive project permission)","boostedIntroEvaluating":"### Thank You to All Participating Security Researchers!\n\nThe audit competition has now concluded and is currently in the evaluation phase. 
During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the platform for all users.","boostedIntroLive":"### **$40,000 USD** in rewards is available for finding bugs on VeChain's Stargate contracts. \n\nFor more information about the project, please visit https://vechain.org/.\n- KYC is required.\n\n- Flat Reward Pool\n\n**Proof of Concept (PoC) Requirements**\n\n- A **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- Any technical questions and support requests can be asked directly to the VeChain team or Immunefi in the [#vechain-stargate-audit-competition](https://discord.com/channels/787092485969150012/1436371776182554705) discord channel.","boostedIntroStartingIn":"### **$40,000 USD** in rewards is available for finding bugs on VeChain's Stargate contracts. \n\nFor more information about the project, please visit https://vechain.org/.\n\nAny technical questions and support requests can be asked directly to the Vechain team or Immunefi in the [#vechain-stargate-audit-competition](https://discord.com/channels/787092485969150012/1436371776182554705) discord channel. \n\nWhen the Audit Competition ends, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish VeChain's technical walkthrough on our official [YouTube channel](https://www.youtube.com/@immunefi).\n\n**A runnable PoC is required**. 
For more information, please read [Immunefi Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules?utm_source=immunefi)\n\nInsight reports can be submitted. Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedLeaderboard":[{"high":4,"name":"danvinci_20","aspRank":1,"critical":0,"earnings":9975,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":11335,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":1360},{"high":3,"name":"shaflow1","aspRank":2,"critical":0,"earnings":7902,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":9222,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":1320},{"high":2,"name":"Paludo0x","aspRank":5,"critical":0,"earnings":801,"insights":0,"mediumLow":1,"allStarTier":"SENIOR (ACTIVE)","totalEarnings":8801,"totalValidBugs":3,"aspPoolEarnings":8000,"podiumPoolEarnings":0},{"high":0,"name":"Brainiac5","aspRank":3,"critical":0,"earnings":2210,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":3530,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":1320},{"high":0,"name":"hunraj","aspRank":4,"critical":0,"earnings":1177,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1177,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"arunabha003","aspRank":6,"critical":0,"earnings":770,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":770,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Pelican26237","aspRank":7,"critical":0,"earnings":756,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":756,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"uzemy","aspRank":8,"critical":0,"earnings":756,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":756,"tot
alValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"blackgrease","aspRank":56,"critical":0,"earnings":375,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":375,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"akioniace","aspRank":55,"critical":0,"earnings":312,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":312,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Oxb4b","aspRank":58,"critical":0,"earnings":312,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":312,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"KKam86","aspRank":59,"critical":0,"earnings":250,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":250,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Rhaydden","aspRank":25,"critical":0,"earnings":232,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":232,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"OxPrince","aspRank":9,"critical":0,"earnings":202,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":202,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"JJSOnChain","aspRank":57,"critical":0,"earnings":188,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":188,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"flora","aspRank":10,"critical":0,"earnings":146,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":146,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"Oxodus","aspRank":14,"critical":0,"earnings":139,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":139,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"dray","aspRank":11,"critical":0,"earnings":106,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","to
talEarnings":106,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"aman","aspRank":12,"critical":0,"earnings":106,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":106,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"unineko","aspRank":13,"critical":0,"earnings":88,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":88,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ox9527","aspRank":15,"critical":0,"earnings":74,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":74,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"MoZi","aspRank":16,"critical":0,"earnings":74,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":74,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"sedare","aspRank":17,"critical":0,"earnings":74,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":74,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"humanitia","aspRank":18,"critical":0,"earnings":67,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":67,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"yesofcourse","aspRank":19,"critical":0,"earnings":45,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":45,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"xKeywordx","aspRank":20,"critical":0,"earnings":45,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":45,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"jo13","aspRank":21,"critical":0,"earnings":45,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":45,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"rzizah","aspRank":22,"critical":0,"earnings":45,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","tot
alEarnings":45,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Bizarro","aspRank":23,"critical":0,"earnings":45,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":45,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Diavol0","aspRank":24,"critical":0,"earnings":45,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":45,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Dliteofficial","aspRank":26,"critical":0,"earnings":45,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":45,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Tomioka","aspRank":27,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"daxun","aspRank":28,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"oxadwa","aspRank":29,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"csanuragjain","aspRank":30,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Queerantagonism","aspRank":31,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"jayx","aspRank":32,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"incogknito","aspRank":33,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier
":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"ihtishamsudo","aspRank":34,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"XDZIBECX","aspRank":35,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"AgentJacker","aspRank":36,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"decabrsky02","aspRank":37,"critical":0,"earnings":31,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":31,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"oxrex","aspRank":38,"critical":0,"earnings":27,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":27,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"niffylord","aspRank":39,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"flacko","aspRank":40,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"hrmneffdii","aspRank":41,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Johnyfwesh","aspRank":42,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"n0fr33w1f14u","aspRank":43,"critical":0,"earnings":14,"insights":0,"m
ediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"prk0","aspRank":44,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"TianYu4n","aspRank":45,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"x0xmechanic","aspRank":46,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"FrontRunner","aspRank":47,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"cmds","aspRank":48,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"demonhat","aspRank":49,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"HalalAudits","aspRank":50,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"frolic","aspRank":51,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"xanony","aspRank":52,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"T0nraq","aspRank":53,"critical":0,"earnings":14,"insights"
:0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Filippo","aspRank":54,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1w-tLKXJfnRN9OEbvBb4LsqPghxj_sLLr/view?usp=sharing","ecosystem":null,"endDate":"2025-11-24T10:00:00.000Z","evaluationEndDate":"2026-01-02T10:00:00.000Z","features":["Boost","Vault","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2025-11-10T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7q4VEwyYrIzlUZx9hVaL79/0ef8226fec777e8be7c4564fd615398c/vechain__1_.png","maxBounty":40000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"StarGate is the gateway to staking in the next era of the VeChainThor blockchain, marking a major milestone in the Hayabusa upgrade under the VeChain Renaissance initiative. 
It’s a next-generation staking protocol designed to give VET holders an active role in securing the network and earning rewards through NFT-based staking and delegation.\n\n**Key Features**\n- NFT-Based Staking: Users stake VET to mint unique staking NFTs, which represent their locked position and can be delegated to validator nodes.\n- Earn VTHO: Delegators earn a share of block rewards (in VTHO) every time their selected validator produces a block, based on the amount and type of NFT staked.\n- Decentralized Access: Any VET holder can participate in the network by staking and delegating to validators—no need to run a full node.\n\n**Powering Hayabusa's Delegated Proof of Stake**\n\nThe Hayabusa hard fork introduces Delegated Proof of Stake (dPoS) to VeChainThor, enabling a network of 101 validators who rotate to produce blocks and secure the chain. StarGate integrates directly with this system, serving as the onboarding layer for validators and delegators alike.\nWhether you're running a validator machine or holding VET, StarGate turns every user into a contributor to network security—bringing performance, transparency, and reward opportunities to all.\n\nThe Hayabusa hard fork introduces Delegated Proof of Stake (dPoS) to VeChainThor, enabling a network of 101 validators who rotate to produce blocks and secure the chain. StarGate integrates directly with this system, serving as the onboarding layer for validators and delegators alike.\nWhether you're running a validator machine or holding VET, StarGate turns every user into a contributor to network security—bringing performance, transparency, and reward opportunities to all.\n\nFor more information about VeChain, please visit https://vechain.org/. \n\nVeChain is running an audit in parallel. 
However, submitted reports depicting the same issues raised in the audit will be confirmed.","programType":["Smart Contract"],"project":"Audit Comp | Vechain | Stargate Hayabusa","projectType":null,"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes All Star Pool and Podium Pool reserved for [All Star Program ](https://immunefi.com/allstars/) participants. \n\nRewards are denominated in USD and distributed in USDT on Ethereum.\n\nThe reward pool is $40,000 USD if any bug is found. That means that even if 1 Low severity bug is found, the whole reward pool is unlocked and has to be fully distributed between security researchers. \n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is $6,000 USD.\n\nKYC Requirement\n\nVeChain requires KYC information to pay for bug submissions. The following information will be required:\nFull name \nDate of birth\nProof of address (either a redacted bank statement with address or a recent utility bill)\nCopy of Passport or other Government issued ID\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.","rewardsPool":40000,"primaryPool":28000,"allStarsPool":8000,"podiumPool":4000,"rewardsToken":"USDT","slug":"audit-comp-vechain-stargate-hayabusa","tenPercentEconomicRule":false,"updatedDate":"2026-01-13T20:47:09.488Z","impactsBody":"**VeChain is running an audit in parallel. However, submitted reports depicting the same issues raised in the audit will be confirmed.**\n\n------------------\n\n**Build Commands, Test Commands, and How to Run Them**\n\nThe repo is a monorepo. Every command is in the readme. 
The most relevant ones:\n- Build Contracts: yarn contracts:compile\n- Unit Tests: yarn contracts:test:unit\n- Integration Tests: yarn contracts:test:integration\n- Coverage: yarn contracts:test:unit:coverage\n- Deploy locally: yarn:contracts:deploy\n- Deploy on other networks: yarn:contracts:deploy:{network}\n- Spin a solo network locally: make solo-up\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope are valid.\n\n**Code Freeze Assurance**\n\nCode of the assets in scope is frozen while the program is live.\n\nDuplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.\n\nThe project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\n--------------------\n\n**Previous Audits**\n\nVeChain’s completed audit reports can be found at [https://docs.stargate.vechain.org/hayabusa/for-developers/contracts](https://docs.stargate.vechain.org/hayabusa/for-developers/contracts). Unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n**Public Disclosure of Known Issues**\n\nBug reports for publicly disclosed bugs are not eligible for a reward. \n\n- There are some functions that can run out of gas due to excessive looping, most of them are getters so we are not really worried about them. In the cases there are not getters we implemented mechanisms to avoid running out of gas like in the claimRewards function.\n- There is a style choice in the _burnCallback and _safeMintCallback to precede the functions with an underscore even though they are external. 
This functions can only be called by the own StargateNFT contract and we want to discourage the usage of them from external developers.\nWe are not checking address zero when granting or revoking roles\n- The boostOnBehalfOf function uses an arbitrary _sender parameter instead of msg.sender, which deviates from standard patterns but is intentional. The Stargate contract calls this function during stakeAndDelegate flows. Since msg.sender would be the Stargate contract (no VTHO), _sender specifies which user's VTHO to use. This is protected by the onlyStargate modifier ensuring only the Stargate contract can set an arbitrary _sender\n- There can be breaks of the check-effects pattern in some functions but they are using the nonReentrant modifier\n- We can assume the IProtocolStaker interface is correct\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n-------------------------\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\nOnly Solidity is in-scope, external tools like the scripts written in Typescript are out of scope.\nAlso the project contains a `deprecated` folder with the previous versions of the contracts, those contracts can be useful to understand some of the decisions taken in the new contracts but they are out-of-scope.\nOnly the specified contracts are in-scope\n\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nThis is the second part of Vechain dPoS strategy.\n\nIn the first phase was a bootstrapping phase where we allowed users to stake their VET and get VTHO rewards from a pool allocated by Vechain. 
This was done so users are familiar with the language and the flows before the second phase.\n\nThe  3 main contracts from this bootstrapping phase are\n\n- StargateNFT\n- StargateDelegation\n- NodeManagementV3\n\nBoth NodeManagement and StargateDelegation will be deprecated and paused for this second phase.\n\nNodeManagement functionality now will live in the TokenManager.sol library. StargateDelegation was totally deprecated since it simulated the delegation and rewards that now will be handled by Stargate.sol and the thor protocol.\n\nStargateNFT is upgraded so it can interact with Stargate, this means that all the NFTs minted and migrated in the bootstrapping phase should be compatible with this new phase.\n\nAlso in this new phase the funds are moved to Stargate rather than StargateNFT, so we can have a single entrypoint to the protocol.\n\nSo as a summary\n\nBootstrapping Phase:\n\n- StargateNFT\n- NodeManagement\n- StargateDelegation\n\nSecond phase (hayabusa):\n\n- StargateNFT\n- Stargate\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nIn the bootstrapping phase we had a bug related to rewards calculation that we had to fix and took us some time to reimburse all the affected users.\n\nSo calculating the rewards given to users is a key operation, since for example giving less rewards can be fixable giving extra rewards can cause a mismatch with what the protocol gives stargate and run the contract out of VTHO. 
Check that rewards calculations are correctly handled after rewards are claimed, and if rewards are not claimed.\n\nAlso minting, burning and migrating tokens since they have a fixed VET amount linked to them an unexpected mint of a token without paying the correct amount can have critical results in the protocol.\n\nOther key operations are moving the VET from StargateNFT to Stargate, and ensuring those funds are secure.\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\nStargateNFT contract is an extension of the ERC721 standard\n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\nPause Stargate or StargateNFT\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nAny requiring an address with the DEFAULT_ADMIN_ROLE or any other role, we can assume that the addresses that have this roles are secure\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\n\nThe ProtocolStaker is a third party address that we trust for our operations of delegating, staking... we can assume the ProtocolStaker contract is not malicious and will perform as intended\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nVeChain Testnet, VeChain Mainnet\n\n**What external dependencies are there?**\n\n@openzeppelin/contracts\n@openzeppelin/contracts-upgradeable\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nThis is going to be deployed in the vechain network.\n\nThe vechain network is an EVM-like network with some extra features like multiclause. 
\n\nThe major difference with other EVM networks is that it does not have a traditional JSON-RPC API instead it uses an HTTPS API, this is relevant because most of the tooling developed for Ethereum is not directly compatible with vechain.\n\nWe use Hardhat with an adapter that intercepts the RPC calls and translates them to HTTPS so we can perform integration tests against the vechain network but this is not available for other frameworks like foundry.\n\nPerforming integration tests against the vechain network should be easy because we have a beforeEach hook that sets up an environment with docker and deploys the contract on each test.\n\nFor unit tests we use the hardhat chain but we mock the interaction with the protocol (setting delegations, giving rewards, adding validators...)\n\n**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)**\n\n- Bootstrapping phase: https://docs.stargate.vechain.org\n- Hayabusa phase: https://docs.stargate.vechain.org/hayabusa \n- VeChain Docs: https://docs.vechain.org/","websiteUrl":"https://vechain.org/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_auditor","no_employee"],"responsiblePublicationCategory":null,"description":"StarGate is the gateway to staking in the next era of the VeChainThor blockchain, marking a major milestone in the Hayabusa upgrade under the VeChain Renaissance initiative. 
It’s a next-generation staking protocol designed to give VET holders an active role in securing the network and earning rewards through NFT-based staking and delegation.\n","knownIssues":[{"id":1207,"link":"https://vechain.org/","description":"We can assume the IProtocolStaker interface is correct","lastUpdatedAt":"2025-11-07T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1206,"link":"https://vechain.org/","description":"There can be breaks of the check-effects pattern in some functions, but they are using the nonReentrant modifier","lastUpdatedAt":"2025-11-07T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1205,"link":"https://vechain.org/","description":"The boostOnBehalfOf function uses an arbitrary _sender parameter instead of msg.sender, which deviates from standard patterns but is intentional. The Stargate contract calls this function during stakeAndDelegate flows. Since msg.sender would be the Stargate contract (no VTHO), _sender specifies which user's VTHO to use. This is protected by the onlyStargate modifier, ensuring only the Stargate contract can set an arbitrary _sender","lastUpdatedAt":"2025-11-07T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1203,"link":"https://vechain.org/","description":"There is a style choice in the _burnCallback and _safeMintCallback to prefix the functions with an underscore even though they are external. 
These functions can only be called by the StargateNFT contract itself, and we want to discourage their usage by external developers.","lastUpdatedAt":"2025-11-07T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1202,"link":"https://vechain.org/","description":"There are some functions that can run out of gas due to excessive looping; most of them are getters, so we are not really worried about them. In the cases where they are not getters, we implemented mechanisms to avoid running out of gas, as in the claimRewards function.","lastUpdatedAt":"2025-11-07T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":5807,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token 
funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5808,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"1t0nAXeHw1tEpoy3tu09tH","url":"https://explorer.lyra.finance/address/0x9B3FE5E5a3bcEa5df4E08c41Ce89C4e3Ff01Ace3","type":"smart_contract","addedAt":"2024-01-11T08:51:20.074Z","revision":1,"description":"DepositModule","isPrimacyOfImpact":null},{"id":"wjz2OuICuYH8sENpSYMll","url":"https://explorer.lyra.finance/address/0xeB8d770ec18DB98Db922E9D83260A585b9F0DeAD","type":"smart_contract","addedAt":"2024-01-11T08:51:36.920Z","revision":1,"description":"Matching","isPrimacyOfImpact":null},{"id":"2ij1ceIiGKxXw3uGqa7I6T","url":"https://explorer.lyra.finance/address/0xB8D20c2B7a1Ad2EE33Bc50eF10876eD3035b5e7b","type":"smart_contract","addedAt":"2024-01-11T08:51:51.232Z","revision":1,"description":"TradeModule","isPrimacyOfImpact":null},{"id":"73nB71eGC9Zh7WjRaPvIXf","url":"https://explorer.lyra.finance/address/0x01259207A40925b794C8ac320456F7F6c8FE2636","type":"smart_contract","addedAt":"2024-01-11T08:52:04.878Z","revision":1,"description":"TransferModule","isPrimacyOfImpact":null},{"id":"44RmXgrS2nyPUbGuerCWBB",
"url":"https://explorer.lyra.finance/address/0x9d0E8f5b25384C7310CB8C6aE32C8fbeb645d083","type":"smart_contract","addedAt":"2024-01-11T08:52:17.956Z","revision":1,"description":"WithdrawalModule","isPrimacyOfImpact":null},{"id":"StmidN3FH28k2aBQZ42B8","url":"https://explorer.lyra.finance/address/0xC51E95b72e116020B138cd5D97Ed4A72DE8Dc48B","type":"smart_contract","addedAt":"2024-01-11T08:52:31.339Z","revision":1,"description":"DutchAuction","isPrimacyOfImpact":null},{"id":"7A6c8upnFqxfBl4LO0RH4s","url":"https://explorer.lyra.finance/address/0x57B03E14d409ADC7fAb6CFc44b5886CAD2D5f02b","type":"smart_contract","addedAt":"2024-01-11T08:52:43.822Z","revision":1,"description":"CashAsset","isPrimacyOfImpact":null},{"id":"6Vw2NgDlLM2n70ujvWmHYd","url":"https://explorer.lyra.finance/address/0x4e798659b9846F1da7B6D6B5d09d581270aB6FEC","type":"smart_contract","addedAt":"2024-01-11T08:52:56.400Z","revision":1,"description":"InterestRateModel","isPrimacyOfImpact":null},{"id":"3s6TP7aCuTFnCcrqL0xQwa","url":"https://explorer.lyra.finance/address/0x8dC92fB0e1C1F1Def6e424E50aaA66dbB124eb54","type":"smart_contract","addedAt":"2024-01-11T08:53:09.104Z","revision":1,"description":"SecurityModule","isPrimacyOfImpact":null},{"id":"adxWNafBQbnyAWcPam50w","url":"https://explorer.lyra.finance/address/0x28c9ddF9A3B29c2E6a561c1BC520954e5A33de5D","type":"smart_contract","addedAt":"2024-01-11T08:53:22.502Z","revision":1,"description":"StandardManager","isPrimacyOfImpact":null},{"id":"79wPrKE3yHcXBym5I6Kbmp","url":"https://explorer.lyra.finance/address/0xAA8f9D05599F1a5d5929c40342c06a5Da063a4dE","type":"smart_contract","addedAt":"2024-01-11T08:53:35.398Z","revision":1,"description":"StandardManagerViewer","isPrimacyOfImpact":null},{"id":"5UIo2BvV3wcSdwFQeOJpCo","url":"https://explorer.lyra.finance/address/0x9C61888497D716f5bBd93D5e13d443cC375f1424","type":"smart_contract","addedAt":"2024-01-11T08:53:50.254Z","revision":1,"description":"LyraSpotFeed","isPrimacyOfImpact":null},{"id":"5o02DGu56nzpFW
yFTka8UG","url":"https://explorer.lyra.finance/address/0xE7603DF191D699d8BD9891b821347dbAb889E5a5","type":"smart_contract","addedAt":"2024-01-11T08:54:03.291Z","revision":1,"description":"SubAccounts","isPrimacyOfImpact":null},{"id":"4xfb9vzhEH8Wr29subCcdC","url":"https://explorer.lyra.finance/address/0xE201fCEfD4852f96810C069f66560dc25B2C7A55","type":"smart_contract","addedAt":"2024-01-11T08:54:16.901Z","revision":1,"description":"BaseAsset","isPrimacyOfImpact":null},{"id":"7H3eSUdGUimzENz1VnP73N","url":"https://explorer.lyra.finance/address/0x791A570F5785FBdb02EA5C7a794c43111ae2f948","type":"smart_contract","addedAt":"2024-01-11T08:54:29.857Z","revision":1,"description":"ForwardFeed","isPrimacyOfImpact":null},{"id":"4XIQco5NfCB1sOvhT4k9Da","url":"https://explorer.lyra.finance/address/0xd464170afe0eE2a4865B2ca6dBcc6dfB8f4Bf125","type":"smart_contract","addedAt":"2024-01-11T08:54:43.156Z","revision":1,"description":"LyraSpotDiffFeed","isPrimacyOfImpact":null},{"id":"2AFkLviRAcZ4KxRpfurMKE","url":"https://explorer.lyra.finance/address/0xbfe7Cd69d3983299D3d18D1Ae5C411e1FF61A993","type":"smart_contract","addedAt":"2024-01-11T08:54:55.915Z","revision":1,"description":"LyraSpotDiffFeed","isPrimacyOfImpact":null},{"id":"lHeiBHzK051vNjNzg0F1Y","url":"https://explorer.lyra.finance/address/0x4BB4C3CDc7562f08e9910A0C7D8bB7e108861eB4","type":"smart_contract","addedAt":"2024-01-11T08:55:09.586Z","revision":1,"description":"OptionAsset","isPrimacyOfImpact":null},{"id":"3AhPAH4Jufpq04QcwyHFFs","url":"https://explorer.lyra.finance/address/0xAf65752C4643E25C02F693f9D4FE19cF23a095E3","type":"smart_contract","addedAt":"2024-01-11T08:55:22.578Z","revision":1,"description":"PerpAsset","isPrimacyOfImpact":null},{"id":"2ZcNiimklfFfBTxf3VUh0v","url":"https://explorer.lyra.finance/address/0x33E18F4f508d7aD3e958aA2DCf4b3eCAec38D7c6","type":"smart_contract","addedAt":"2024-01-11T08:55:36.909Z","revision":1,"description":"LyraSpotDiffFeed","isPrimacyOfImpact":null},{"id":"38Bn2FZ6eHeL1slTiIa0
8D","url":"https://explorer.lyra.finance/address/0xe7cD9370CdE6C9b5eAbCe8f86d01822d3de205A0","type":"smart_contract","addedAt":"2024-01-11T08:55:50.912Z","revision":1,"description":"PMRM","isPrimacyOfImpact":null},{"id":"7AMtZhfOKivTmB8RQwpzie","url":"https://explorer.lyra.finance/address/0x81ed5Dc90F708Dd908DccFfd5128B5C3405f74c5","type":"smart_contract","addedAt":"2024-01-11T08:56:03.952Z","revision":1,"description":"PMRMLib","isPrimacyOfImpact":null},{"id":"0ZlFLK2vuJ6XAdr4hoNqA","url":"https://explorer.lyra.finance/address/0xcAe44C93f7B3b519Fc28f9d4F7Ae22dE770a907b","type":"smart_contract","addedAt":"2024-01-11T08:56:17.863Z","revision":1,"description":"BasePortfolioViewer","isPrimacyOfImpact":null},{"id":"5rJDSe8Okysqf1Lv60QMNj","url":"https://explorer.lyra.finance/address/0x30A6E6A3851c18aa67429ACC8a1DfAFE20A29FEb","type":"smart_contract","addedAt":"2024-01-11T08:56:30.985Z","revision":1,"description":"LyraRateFeedStatic","isPrimacyOfImpact":null},{"id":"1GtWts9mp446fDjoYgA5tc","url":"https://explorer.lyra.finance/address/0x727aD65db6aE99DB5Dbee8F202846DD6009bf6D5","type":"smart_contract","addedAt":"2024-01-11T08:56:44.302Z","revision":1,"description":"LyraSpotFeed","isPrimacyOfImpact":null},{"id":"3GS72VvbUUUgpFhAdbQIqc","url":"https://explorer.lyra.finance/address/0xb27cb6b08e6c298C8634D73D5F6649665e90d160","type":"smart_contract","addedAt":"2024-01-11T08:57:00.164Z","revision":1,"description":"LyraVolFeed","isPrimacyOfImpact":null},{"id":"4r9jxxu8BvFcjOICTBK56J","url":"https://explorer.lyra.finance/address/0x7da2D398dddDfC946Efd2C758c4688D21887790d","type":"smart_contract","addedAt":"2024-01-11T08:57:15.212Z","revision":1,"description":"BaseAsset","isPrimacyOfImpact":null},{"id":"4nhA5PjfnUKoblGoJ1qUM9","url":"https://explorer.lyra.finance/address/0x958c54bFACc0E2dee586564B31Bf3F171f256279","type":"smart_contract","addedAt":"2024-01-11T08:57:28.509Z","revision":1,"description":"ForwardFeed","isPrimacyOfImpact":null},{"id":"44oVptEUcA2CB32lgfZizv","url":"htt
ps://explorer.lyra.finance/address/0x4d6e33bf88Ab44212B10bAc4DA448E41a191cb4C","type":"smart_contract","addedAt":"2024-01-11T08:57:41.660Z","revision":1,"description":"LyraSpotDiffFeed","isPrimacyOfImpact":null},{"id":"soOMeMeQnmPOYZw9edWYL","url":"https://explorer.lyra.finance/address/0x35d4D9bc79B0a543934b1769304B90d752691caD","type":"smart_contract","addedAt":"2024-01-11T08:57:54.331Z","revision":1,"description":"LyraSpotDiffFeed","isPrimacyOfImpact":null},{"id":"2CL5FDclGnUeAOlvLSTkiq","url":"https://explorer.lyra.finance/address/0xd0711b9eBE84b778483709CDe62BacFDBAE13623","type":"smart_contract","addedAt":"2024-01-11T08:58:07.408Z","revision":1,"description":"OptionAsset","isPrimacyOfImpact":null},{"id":"7k0Nq0wOffasQi4S0t18vW","url":"https://explorer.lyra.finance/address/0xDBa83C0C654DB1cd914FA2710bA743e925B53086","type":"smart_contract","addedAt":"2024-01-11T08:58:19.473Z","revision":1,"description":"PerpAsset","isPrimacyOfImpact":null},{"id":"2AqmpsaDegygVCGDHQKbR1","url":"https://explorer.lyra.finance/address/0x34BC7Fe1965B4E9f4071B69f2E60b8dC88f34475","type":"smart_contract","addedAt":"2024-01-11T08:58:32.273Z","revision":1,"description":"LyraSpotDiffFeed","isPrimacyOfImpact":null},{"id":"48eSnqnMfILWJVkOnVLT1B","url":"https://explorer.lyra.finance/address/0x45DA02B9cCF384d7DbDD7b2b13e705BADB43Db0D","type":"smart_contract","addedAt":"2024-01-11T08:58:46.885Z","revision":1,"description":"PMRM","isPrimacyOfImpact":null},{"id":"1S5C14NLjZqwB4kdsXnwXD","url":"https://explorer.lyra.finance/address/0xFa7f1a242b819A8EC97FD92674C3f0868395B0d3","type":"smart_contract","addedAt":"2024-01-11T08:58:59.952Z","revision":1,"description":"PMRMLib","isPrimacyOfImpact":null},{"id":"xvzStiLaCcNbBnEWOiw07","url":"https://explorer.lyra.finance/address/0xa364498b361d563921C9A144264205CdaAF1B5E0","type":"smart_contract","addedAt":"2024-01-11T08:59:12.312Z","revision":1,"description":"BasePortfolioViewer","isPrimacyOfImpact":null},{"id":"1f3MSY4TFMLXqMHLCHAf94","url":"https://exp
lorer.lyra.finance/address/0x6FEf1bb8Ade9A836663d4c15AFd5985Fb545004f","type":"smart_contract","addedAt":"2024-01-11T08:59:25.519Z","revision":1,"description":"LyraRateFeedStatic","isPrimacyOfImpact":null},{"id":"5JM7JnIHE1u8AC7q6HvsjD","url":"https://explorer.lyra.finance/address/0x5Eb59391e7870807aD2C8792E8c5e75838E0fdb0","type":"smart_contract","addedAt":"2024-01-11T08:59:39.025Z","revision":1,"description":"LyraSpotFeed","isPrimacyOfImpact":null},{"id":"5lddbKEYyBJxwRip4aSHDm","url":"https://explorer.lyra.finance/address/0x388341d9E5A7D7d5accD738B2a31b0622E0c1b87","type":"smart_contract","addedAt":"2024-01-11T08:59:50.859Z","revision":1,"description":"LyraVolFeed","isPrimacyOfImpact":null}],"assetsBodyV2":"Contracts in scope are found on the Lyra Chain (https://rpc.lyra.finance; chainId: 957; https://explorer.lyra.finance/), as well as any libraries they inherit.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-08-23T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/60S3l21WgTXVpkeEf6mRBO/3ca066168039dc5319d5b6d972300617/derive__1_.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["DEX","Options","Perpetuals"],"programOverview":"Lyra V2 is a self-custodial protocol layer built to enable the trading of derivative products in a permissionless way. 
The component of the Lyra V2 stack covered by this bug bounty program is the **[Lyra Protocol](https://docs.lyra.finance/docs/protocol-overview):** a protocol that enables the margining and settlement of perpetuals, options and spot.\n\nFor more information about Lyra, please visit [https://www.lyra.finance/](https://www.lyra.finance/).","programType":["Smart Contract"],"project":"Derive","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll High and Critical Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at __10%__ of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. There is a maximum reward of __USD 50 000__, but more could be paid out at the discretion of the team.\n\nAny vulnerability already disclosed in the [audits that have been performed](https://github.com/sigp/public-audits/blob/master/lyra-finance/review-round2.pdf) is not able to receive a reward.\n\nIssues identified in previous audit reports may not be eligible for payout. \n\nTo be eligible for a reward, an impact from the table below must be demonstrated, where all thefts must be profitable and all freezing must be reasonably priced for the impact.\n\nPayouts up to USD __50,000__ are handled by the __Lyra__ team directly and are denominated in USD. 
However, payouts are done in __USDC__ or __ETH__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC or ETH","slug":"derive","tenPercentEconomicRule":false,"updatedDate":"2026-01-12T09:47:48.867Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Lyra V2 is a self-custodial protocol layer built to enable the trading of derivative products in a permissionless way.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":868,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":869,"type":"smart_contract","severity":"high","title":"Freezing of unclaimed yield"},{"id":870,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for any amount of time"},{"id":871,"type":"smart_contract","severity":"medium","title":"Unable to call smart contract"},{"id":872,"type":"smart_contract","severity":"medium","title":"Smart contract gas drainage"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":873,"type":"smart_contract","severity":"critical","title":"Theft of unclaimed yield"},{"id":874,"type":"smart_contract","severity":"critical","title":"Permanent freezing of unclaimed 
yield"}],"rewards":[{"id":39652,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39653,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":39654,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":39655,"severity":"low","assetType":"smart_contract","fixedReward":500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"27sVtrJRQEFDettJ84lagu","url":"https://github.com/AstarNetwork/Astar","type":"blockchain_dlt","addedAt":"2022-05-31T16:30:00.000Z","revision":2,"description":"Mainnet Astar (Included subfolders: runtime/)","isPrimacyOfImpact":null},{"id":"6rJLhVifUyzzcnPytYfSrV","url":"https://github.com/AstarNetwork/astar-apps","type":"websites_and_applications","addedAt":"2022-05-31T16:30:00.000Z","revision":2,"description":"Astar Portal (Included subfolders: src/)","isPrimacyOfImpact":null}],"assetsBodyV2":"The Astar parachain on Polkadot is included in the assets in scope.\n\nHowever, only those explicitly listed in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by Astar Network that isn’t on this table but for which the impact is in the Impacts in Scope section, you are encouraged to submit it for the consideration of the project. 
This only applies to Critical impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polkadot"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["JavaScript","Rust","Solidity","Typescript"],"launchDate":"2022-05-31T16:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/14P174mW7atHe0iqI2UmE8/b47c08fa562ebe74aaff6b179e371d00/Astar_Network_logo.jpeg","maxBounty":250000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","blockchain_dlt - critical","blockchain_dlt - high"],"primaryPaymentWallet":"Polkadot","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Crosschain Liquidity","L2","Staking"],"programOverview":"[Astar Network](https://astar.network/) – __The Future of Multichain Smart Contracts__.\n\nAstar Network supports the building of dApps with EVM and WASM smart contracts and offers developers true interoperability with cross-consensus messaging and cross-virtual machines. Astar’s unique Build2Earn model empowers developers to get paid through a dApp staking mechanism for the code they write and dApps they build.\nAstar’s vibrant ecosystem has become Polkadot’s leading Parachain globally, supported by all major exchanges and Tier 1 VCs. 
Astar offers the flexibility of all Ethereum and WASM tooling for developers to start building their dApps.\n\nFor more information about Astar, please visit [https://astar.network/](https://astar.network/).","programType":["Blockchain/DLT","Websites and Applications"],"project":"Astar Network","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All High and Critical Blockchain bug reports require a PoC and a suggestion for a fix to be eligible for a reward. All Medium and Low Blockchain bug reports require a suggestion for a fix to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required. In specific cases, we reserve the right to ask the whitehat to demonstrate the PoC on the test environment provided by the Astar team to validate the impact of the report.\n\nCritical vulnerabilities involving a direct loss of user funds, double spending, or the minting of tokens are capped at 10% of the economic damage, taking primarily into consideration the funds at risk or the amount of tokens that can be minted but also branding and PR considerations, at the discretion of the team. However, there is a minimum reward of __USD 50 000__. Consensus manipulation or governance compromise results in the full __USD 250 000__.\n\nThe final severity and reward amount are determined at the discretion of the Astar team by evaluating the funds at risk, possible impact, likelihood of attack, and other factors. 
If there are no funds at risk, the level of the bug may be downgraded or rejected.\n\nA reward can only be provided if:\n  - The bug wasn't reported before.\n  - You do not disclose the bug to other parties or publicly until it's fixed by the Astar dev Team.\n  - You didn't exploit the vulnerability or allow anyone else to profit from it.\n  - You report a bug without any additional conditions or threats.\n  - The investigation was NOT conducted with Ineligible methods or Prohibited Activities, as defined in this document.\n  - You reply to our additional questions regarding the reproduction of the reported bug (if they follow) within a reasonable time (up to 24h for Critical and up to 48 hours for other levels of vulnerability).\n  - When duplicate bug reports occur, we reward only the first one if it's provided with enough information for reproduction.\n  - When multiple vulnerabilities are caused by one underlying issue, we will reward only the first reported.\n  - The vulnerability is found in the runtime pallet of Astar (no tests, or modules that aren’t in runtime, e.g. live, can be considered as vulnerability).\n\nAstar requires KYC and an invoice to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is name, address and email. The collection of this information will be done by the Astar team. Astar may require additional KYC verification to be completed before payment can be released. Some countries are restricted when it comes to payments. This bug bounty program is only open to individuals who reside outside of the countries that are restricted by OFAC and by UNSC resolutions.\n\nPayouts are handled by the __Astar Network__ team directly and are denominated in __USD__. 
However, payouts are done in __ASTR, SDN, USDC-ERC20, or USDT-ERC20__, subjected to Astar Network discretion.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ASTR, SDN, USDC-ERC20, or USDT-ERC20","slug":"astarnetwork","updatedDate":"2026-01-08T09:24:06.293Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Astar Network supports the building of dApps with EVM and WASM smart contracts and offers developers true interoperability with cross-consensus messaging and cross-virtual machines. Astar’s unique Build2Earn model empowers developers to get paid through a dApp staking mechanism for the code they write and dApps they build.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Spamming\n  - Any physical attacks against Astar property or employees\n  - Phishing or other social engineering attacks against Astar’s employees\n  - Any attack requiring successful phishing or another scam to be executed\n  - Astar network footprints such as employee email addresses, subdomains, whois info\n\n  - GitHub and other cloud platform misconfigurations are considered web/app vulnerabilities. 
\n  - All vulnerabilities and attack methods that are listed in OWASP [https://owasp.org/www-community/attacks/](https://owasp.org/www-community/attacks/)\n","customProhibitedActivities":[],"impacts":[{"id":5845,"type":"blockchain_dlt","severity":"high","title":"Vulnerabilities that allow an attacker to abuse the system by blocking or modifying protocol-level processes like governance or disrupt other users from performing their tasks."},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of 
user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":2695,"type":"blockchain_dlt","severity":"low","title":"DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network"},{"id":2696,"type":"blockchain_dlt","severity":"low","title":"Underpricing transaction fees relative to computation time"},{"id":2704,"type":"blockchain_dlt","severity":"high","title":"Token holders temporarily unable to transfer holdings"},{"id":2705,"type":"blockchain_dlt","severity":"high","title":"Transient consensus failures"},{"id":2709,"type":"blockchain_dlt","severity":"medium","title":"High compute consumption by validator/mining nodes"},{"id":2711,"type":"blockchain_dlt","severity":"medium","title":"DoS of greater than 30% of validator or miner nodes and does not shut down the network"},{"id":2712,"type":"blockchain_dlt","severity":"medium","title":"Putting on-chain data into an unexpected state without interrupting the system or users from performing their tasks, e.g. 
generating redundant events, logs, etc"},{"id":2713,"type":"blockchain_dlt","severity":"medium","title":"Block stuffing"},{"id":2718,"type":"blockchain_dlt","severity":"critical","title":"Transaction/consensus manipulation"},{"id":2719,"type":"blockchain_dlt","severity":"critical","title":"Unauthorized token minting"},{"id":2720,"type":"blockchain_dlt","severity":"critical","title":"Governance compromise"},{"id":2721,"type":"blockchain_dlt","severity":"critical","title":"Getting access to an identity that can lead to unauthorized access to system’s or user’s assets"},{"id":2722,"type":"blockchain_dlt","severity":"critical","title":"Empty or freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, MEV, logic errors, integer over-/under-flow)"},{"id":5394,"type":"blockchain_dlt","severity":"critical","title":"Direct theft or loss of any user funds, whether at-rest or in-motion"},{"id":5407,"type":"blockchain_dlt","severity":"medium","title":"Attacks against thin clients"},{"id":5408,"type":"websites_and_applications","severity":"critical","title":"GitHub misconfiguration leading to unauthorized 
change"}],"rewards":[{"id":14652,"severity":"critical","assetType":"blockchain_dlt","maxReward":250000,"minReward":7500,"rewardModel":"range","rewardCalculationPercentage":10},{"id":14653,"severity":"high","assetType":"blockchain_dlt","maxReward":50000,"minReward":3000,"rewardModel":"range"},{"id":14654,"severity":"medium","assetType":"blockchain_dlt","fixedReward":3000,"rewardModel":"fixed"},{"id":14655,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":14656,"severity":"critical","assetType":"websites_and_applications","maxReward":15000,"minReward":7500,"rewardModel":"range","otherImpactMaxReward":0},{"id":14657,"severity":"high","assetType":"websites_and_applications","maxReward":7500,"minReward":2500,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"5GqtMqeW4q31b6gOZBfTrJ","url":"https://solscan.io/account/StaKE6XNKVVhG8Qu9hDJBqCW3eRe7MDGLz17nJZetLT","type":"smart_contract","addedAt":"2026-01-08T09:23:34.322Z","revision":1,"description":"xORCA","isPrimacyOfImpact":null},{"id":"3eLgXbnQaKA6kNzm6CeYYJ","url":"https://solscan.io/account/whirLbMiicVdio4qvUfM5KAg6Ct8VwpYzGff3uctyCc","type":"smart_contract","addedAt":"2025-08-12T07:01:19.077Z","revision":1,"description":"Orca Whirlpools","isPrimacyOfImpact":null},{"id":"6hBuRvw4FZlEeUIqZLuDL5","url":"https://solscan.io/account/waveQX2yP3H1pVU8djGvEHmYg8uamQ84AuyGtpsrXTF","type":"smart_contract","addedAt":"2025-08-12T07:01:19.086Z","revision":1,"description":"Orca Wavebreak","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf any Critical/High severity impact can be caused to any other asset managed by Orca that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the 
project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust"],"launchDate":"2022-05-19T17:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6p07t55yWuOlsHLiQV9xsM/61c489fc59e7233557039a6965c76000/Screenshot_2024-11-11_at_11.35.18___PM.png","maxBounty":500000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"Solana","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["AMM","Crosschain Liquidity"],"programOverview":"Orca is one of the first general-purpose AMMs launched on Solana. Users can swap assets, provide liquidity, and earn yield through an easy-to-use interface. Orca has created custom smart contracts for its concentrated liquidity product, [Whirlpools](https://www.orca.so/whirlpools). In traditional AMM liquidity pools, a user provides liquidity across the entire continuous price curve. With Whirlpools, each user can specify the price range where they will provide liquidity.\n\nFor more information on Orca, please visit [https://orca.so/](https://orca.so/) or [Orca’s Twitter](https://twitter.com/orca_so).","programType":["Smart Contract"],"project":"Orca","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nRewards for critical smart contract vulnerabilities can be further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 100 000__ for Critical smart contract bug reports. \n\nPayouts are handled by the __Orca__ team directly and are denominated in USD. Payouts of up to __USD 250 000__ are done in __ORCA__ or __USDC__ (SPL Version) at the discretion of the team. Payouts above __USD 250 000__ will be done in __ORCA__ and will be vested monthly over a 12-month period.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, ORCA","slug":"orca","updatedDate":"2026-01-08T09:23:39.950Z","impactsBody":null,"websiteUrl":"https://orca.so","githubUrl":"https://github.com/orca-so","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Orca is one of the first general-purpose AMMs launched on Solana. Users can swap assets, provide liquidity, and earn yield through an easy-to-use interface. Orca has created custom smart contracts for its concentrated liquidity product, [Whirlpools](https://www.orca.so/whirlpools). In traditional AMM liquidity pools, a user provides liquidity across the entire continuous price curve.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":2676,"type":"smart_contract","severity":"high","title":"Bugs that could temporarily freeze user funds or incorrectly assign value to user funds"},{"id":2677,"type":"smart_contract","severity":"high","title":"Temporary freezing of unclaimed yield for any amount of time"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":2678,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":2679,"type":"smart_contract","severity":"critical","title":"Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":34301,"severity":"critical","assetType":"smart_contract","maxReward":500000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":34302,"severity":"high","assetType":"smart_contract","fixedReward":50000,"rewardModel":"fixed"},{"id":34303,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3FHC6OVn4PYpqTyvH9C1go","url":"https://passkeys.foundation/","type":"websites_and_applications","addedAt":"2025-12-30T10:00:00.000Z","revision":1,"description":"Passkey Wallet","isPrimacyOfImpact":null},{"id":"5m3Gwx75Jt38K0PTYmbRen","url":"https://www.exodus.io/","type":"websites_and_applications","addedAt":"2025-12-30T10:00:00.000Z","revision":2,"description":"*.a.exodus.io","isPrimacyOfImpact":null},{"id":"7ofpXVjftm4rn6LFZ96lt6","url":"https://exodus.com/","type":"websites_and_applications","addedAt":"2025-12-30T10:00:00.000Z","revision":2,"description":"*.a.exodus.com","isPrimacyOfImpact":null},{"id":"72oKPEU27MZBG8P90I6vN7","url":"https://www.exodus.com/desktop","type":"websites_and_applications","addedAt":"2025-12-30T10:00:00.000Z","revision":1,"description":"Exodus Desktop 
Wallet","isPrimacyOfImpact":null},{"id":"1qPX6mP08FL73W8n77J8Rh","url":"https://play.google.com/store/apps/details?id=exodusmovement.exodus&hl=en_IN","type":"websites_and_applications","addedAt":"2025-12-30T10:00:00.000Z","revision":1,"description":"Exodus Android Mobile Wallet","isPrimacyOfImpact":null},{"id":"5FNtBlNpzHEonkrvO3giP","url":"https://apps.apple.com/us/app/exodus-crypto-bitcoin-wallet/id1414384820","type":"websites_and_applications","addedAt":"2025-12-30T10:00:00.000Z","revision":1,"description":"Exodus IOS Mobile Wallet","isPrimacyOfImpact":null},{"id":"1zUOJgvxz94a8Ln1OXvxGQ","url":"http://a.exodus.io","type":"websites_and_applications","addedAt":"2025-12-30T10:00:00.000Z","revision":1,"description":"*.a.exodus.io","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Arbitration","Subscription Plan: Essential","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-12-30T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6jSWqO85JxgkH0iBYbbZjy/9d0e1d65deee581154270c5856e55a99/Exodus.png","maxBounty":18000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Exodus Movement, Inc., founded in 2015, develops the Exodus Wallet, a beautifully designed, non-custodial multi-asset software wallet available on desktop, mobile, and browser platforms that supports over 100,000 asset pairs while keeping users’ private keys encrypted and stored locally on their own devices.\n\nFor more information about Exodus, please visit 
[https://www.exodus.com/](https://www.exodus.com/).\n\nExodus provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__\n\nExodus will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of passport or other government-issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC’s SDN list\n- A contracted technical contributor who is being directly compensated by the project or directly compensated by a contracted organization providing technical services to the project\n- A former contracted technical contributor who, for the past year from the date of the bug report submission, was directly compensated by the project or was compensated by a contracted organization to the project. In the case of the latter, the status of the organization’s contract with the project is irrelevant.\n\n__Responsible Publication__\n\nExodus adheres to **Category 2: Notice Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nExodus adheres to the Primacy of Impact for the following impacts:\n\n- Website & Application — Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. 
For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- In-App web3 browser findings except sandbox bypassing affecting wallets directly.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Websites and Applications"],"project":"Exodus","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical web/apps bugs, reports will be rewarded with Max Critical only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of minimum reward as per the table below. The rest of the severity levels are paid out according to the Impact in Scope table and according to the rewards table below per the asset that was impacted.  
\n\nEach asset has its own specific rewards, which are used instead of the reward table:\n\n| Asset                  | Low    | Medium | High   | Critical          |\n| ---------------------- | ------ | ------ | ------ | ----------------- |\n| Passkey Wallet         | $1,500 | $3,750 | $7,500 | $12,000 – $18,000 |\n| `*.exodus.io`          | $300   | $1,125 | $3,750 | $7,500 – $10,000  |\n| `*.exodus.com`         | $300   | $1,125 | $3,750 | $7,500 – $10,000  |\n| Exodus Desktop Wallet  | $300   | $1,125 | $3,750 | $7,500 – $10,000  |\n| `exodusmovement.ex...` | $300   | $1,125 | $3,750 | $7,500 – $10,000  |\n| `*.a.exodus.io`        | $500   | $2,250 | $6,250 | $10,000 – $15,000 |\n\n__Reward Payment Terms__\n\nPayouts are handled by the Exodus team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"exodus","tenPercentEconomicRule":false,"updatedDate":"2026-01-07T14:16:46.770Z","impactsBody":null,"websiteUrl":"https://www.exodus.com/","githubUrl":"https://github.com/ExodusMovement","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_auditor","no_employee"],"responsiblePublicationCategory":"category_2","description":"Exodus Movement, Inc., founded in 2015, develops the Exodus Wallet, a beautifully designed, non-custodial multi-asset software wallet available on desktop, mobile, and browser platforms that supports over 100,000 asset pairs while keeping users’ private keys encrypted and stored locally on their own devices.\n","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"\"support.exodus.com\" is out of scope for the testing.\n\nTo request permission, please email bugbounty@exodus.com and mention the details of your test including what endpoint(s) you will be hitting, what type of scan/attack/etc you would like to try, and what you're trying to achieve. We will respond within 2 working days, ideally less to your request. 
As long as it is reasonably well thought out and we don't see a risk on our end, we will approve the request.","customProhibitedActivities":[],"impacts":[{"id":5787,"type":"websites_and_applications","severity":"critical","title":"Price manipulation results in the alteration of the perceived value of cryptocurrencies by either tampering with price feeds or tampering marketplace prices to acquire items at lower costs."},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":5788,"type":"websites_and_applications","severity":"critical","title":"Improperly disclosing confidential user information without any user interaction such as: Email address, Phone number, SSN, DOB"},{"id":5789,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":5790,"type":"websites_and_applications","severity":"high","title":"Taking state-modifying authenticated actions on behalf of other users without any interaction by that user, such as: Changing sensitive information, Deleting wallet, Displaying an attacker-controlled wallet address on user accounts as the designated deposit wallet"},{"id":5791,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application with Javascript without unrealistic user interaction such as:  Initiating malicious transaction, Stealing secret phrase, Client side RCE, Retrieving sensitive information such as user’s email address, 
SSN"},{"id":5792,"type":"websites_and_applications","severity":"medium","title":"Changing sensitive details of other users (including modifying browser local storage) with up to one click of user interaction"},{"id":5793,"type":"websites_and_applications","severity":"medium","title":"Sitewide disruption of core services"},{"id":5794,"type":"websites_and_applications","severity":"medium","title":"Subdomain takeover without already-connected wallet interaction"},{"id":5795,"type":"websites_and_applications","severity":"low","title":"Injecting/modifying the static content on the target application without Javascript such as: Stored/Reflected HTML, Loading external site data, Redirecting to malicious website (Without requiring user to manually enter website on the in-app browser)"},{"id":5796,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links"},{"id":5797,"type":"websites_and_applications","severity":"low","title":"Bypass in-app passlock without bruteforcing or installing malicious app"},{"id":5798,"type":"websites_and_applications","severity":"low","title":"Any impact involving a publicly released CVE related to In-App Browser and Wallet 
Connect"}],"rewards":[{"id":39582,"severity":"critical","assetType":"websites_and_applications","maxReward":18000,"minReward":7500,"rewardModel":"range","otherImpactMaxReward":0},{"id":39583,"severity":"high","assetType":"websites_and_applications","maxReward":9000,"minReward":2500,"rewardModel":"range"},{"id":39584,"severity":"medium","assetType":"websites_and_applications","maxReward":5000,"minReward":1500,"rewardModel":"range"},{"id":39585,"severity":"low","assetType":"websites_and_applications","fixedReward":500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"21nVxUhdniuAHHv5svjnx0","url":"https://hoodi.etherscan.io/address/0xe2EF9536DAAAEBFf5b1c130957AB3E80056b06D8","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"LidoLocator.sol","isPrimacyOfImpact":null},{"id":"5VQXLu6QvDoBfTstTktqwA","url":"https://hoodi.etherscan.io/address/0x3508A952176b3c15387C97BE809eaffB1982176a","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"Lido.sol","isPrimacyOfImpact":null},{"id":"2YwMdIgyQ4TVD0zXFbWvoR","url":"https://hoodi.etherscan.io/address/0x7E99eE3C66636DE415D2d7C880938F2f40f94De4","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"wstETH.sol","isPrimacyOfImpact":null},{"id":"6dmxQMtnGYpp3EnhmvkH6S","url":"https://hoodi.etherscan.io/address/0x2A1d51BF3aAA7A7D027C8f561e5f579876a17B0a","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"EIP712StETH.sol","isPrimacyOfImpact":null},{"id":"4RXCQFFr8NTFxa7fS3Eodg","url":"https://hoodi.etherscan.io/address/0xCc820558B39ee15C7C45B59390B503b83fb499A8","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"StakingRouter.sol","isPrimacyOfImpact":null},{"id":"2yKpuZ9Rn0dZbPUKN1uKkz","url":"https://hoodi.etherscan.io/address/0x2F0303F20E0795E6CCd17BD5efE791A586f28E03","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"des
cription":"DepositSecurityModule.sol","isPrimacyOfImpact":null},{"id":"1Zeh9Bsg3YVHOhVhHqFjdc","url":"https://hoodi.etherscan.io/address/0x9b108015fe433F173696Af3Aa0CF7CDb3E104258","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"LidoExecutionLayerRewardsVault.sol","isPrimacyOfImpact":null},{"id":"RKGemcy46V6V6AXxr74h0","url":"https://hoodi.etherscan.io/address/0xfe56573178f1bcdf53F01A6E9977670dcBBD9186","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"WithdrawalQueueERC721.sol","isPrimacyOfImpact":null},{"id":"2BYOCaMQmPv0RyDwliZyr6","url":"https://hoodi.etherscan.io/address/0x4473dCDDbf77679A643BdB654dbd86D67F8d32f2","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"WithdrawalVault.sol","isPrimacyOfImpact":null},{"id":"5yeyqOIc7Rn0ieI5QO9cuK","url":"https://hoodi.etherscan.io/address/0x9b5b78D1C9A3238bF24662067e34c57c83E8c354","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"Accounting.sol","isPrimacyOfImpact":null},{"id":"223rpTNqXhHrYT4g1BHk0M","url":"https://hoodi.etherscan.io/address/0xb2c99cd38a2636a6281a849C8de938B3eF4A7C3D","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"Burner.sol","isPrimacyOfImpact":null},{"id":"eHZL4U9qdJlfNiHatEw7v","url":"https://hoodi.etherscan.io/address/0x6d1a9bBFF97f7565e9532FEB7b499982848E5e07","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"MinFirstAllocationStrategy.sol","isPrimacyOfImpact":null},{"id":"vWYz4JE0EW0k02ylFoE20","url":"https://hoodi.etherscan.io/address/0x6679090D92b08a2a686eF8614feECD8cDFE209db","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"TriggerableWithdrawalsGateway.sol","isPrimacyOfImpact":null},{"id":"RGLwH1JiMNv91DGaCrCPA","url":"https://hoodi.etherscan.io/address/0xa5F5A9360275390fF9728262a29384399f38d2f0","type":"smart_contra
ct","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"ValidatorExitDelayVerifier.sol","isPrimacyOfImpact":null},{"id":"6SfA3hBsPe57dg4ICShrcm","url":"https://hoodi.etherscan.io/address/0x4C9fFC325392090F789255b9948Ab1659b797964","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"VaultHub.sol","isPrimacyOfImpact":null},{"id":"2WNmpQMSh5LH8WXnuewxjn","url":"https://hoodi.etherscan.io/address/0xa5F55f3402beA2B14AE15Dae1b6811457D43581d","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"PredepositGuarantee.sol","isPrimacyOfImpact":null},{"id":"Qr2bvSQqCoAJNv2N2tLFi","url":"https://hoodi.etherscan.io/address/0x501e678182bB5dF3f733281521D3f3D1aDe69917","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"OperatorGrid.sol","isPrimacyOfImpact":null},{"id":"41CUK6PMpMCTDbxwnQIOT6","url":"https://hoodi.etherscan.io/address/0x1d10DB6a66EF8D2A6f6D36Ad4dc7092Ef7C12569","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"VaultFactory.sol","isPrimacyOfImpact":null},{"id":"5xoRUpIqN5BRIyhfh19u2g","url":"https://hoodi.etherscan.io/address/0xE96BE4FB723e68e7b96244b7399C64a58bcD0062","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"StakingVault.sol","isPrimacyOfImpact":null},{"id":"5aUFCGamsfKT56co4b7hl5","url":"https://hoodi.etherscan.io/address/0x3e144aEd003b5AE6953A99B78dD34154CF3F8c76","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"PinnedBeaconProxy.sol","isPrimacyOfImpact":null},{"id":"1QgvBEBhZxlTUIvhNxGZ7f","url":"https://hoodi.etherscan.io/address/0x7D25D43D5a69ae0521440211C655C11840aF0FD6","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"Dashboard.sol","isPrimacyOfImpact":null},{"id":"1bX3fQjdrfXqFrenhIqpAo","url":"https://hoodi.etherscan.io/address/0xbf95Cd394cC03cD03fEA62A435ac347314877f1d","t
ype":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"ValidatorConsolidationRequests.sol","isPrimacyOfImpact":null},{"id":"lQxWP9vTxa16wdFMfE2Ix","url":"https://hoodi.etherscan.io/address/0xcb883B1bD0a41512b42D2dB267F2A2cd919FB216","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"AccountingOracle.sol","isPrimacyOfImpact":null},{"id":"5zbfRaDOHVptngjnXeYQHz","url":"https://hoodi.etherscan.io/address/0x32EC59a78abaca3f91527aeB2008925D5AaC1eFC","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"HashConsensus.sol for AccountingOracle","isPrimacyOfImpact":null},{"id":"518D4wdVNue5XPasVCaXcc","url":"https://hoodi.etherscan.io/address/0x8664d394C2B3278F26A1B44B967aEf99707eeAB2","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"ValidatorsExitBusOracle.sol","isPrimacyOfImpact":null},{"id":"5SlM5UiUPwbG82bjQVebuY","url":"https://hoodi.etherscan.io/address/0x30308CD8844fb2DB3ec4D056F1d475a802DCA07c","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"HashConsensus.sol for 
ValidatorsExitBusOracle","isPrimacyOfImpact":null},{"id":"6nlUCaIC7AtfJFHdPusGgS","url":"https://hoodi.etherscan.io/address/0x53417BA942bC86492bAF46FAbA8769f246422388","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"OracleReportSanityChecker.sol","isPrimacyOfImpact":null},{"id":"3e3krGoUYcNUfOrU41xgoA","url":"https://hoodi.etherscan.io/address/0x2a833402e3F46fFC1ecAb3598c599147a78731a9","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"OracleDaemonConfig.sol","isPrimacyOfImpact":null},{"id":"3dAul032DAbh75fIiJndxm","url":"https://hoodi.etherscan.io/address/0x4e3b9fd9f713e5dba86255febd4c402794135095","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":2,"description":"LazyOracle.sol","isPrimacyOfImpact":null},{"id":"4owIteWPgL0qqElIxMGrvp","url":"https://github.com/lidofinance/lido-oracle/releases/tag/7.0.0-beta.3","type":"smart_contract","addedAt":"2025-11-12T13:00:00.000Z","revision":1,"description":"[off-chain] Lido Accounting Oracle","isPrimacyOfImpact":null}],"assetsBodyV2":"__Proof of Concept (PoC) Requirements__\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Asset Accuracy Assurance__\n\n- Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Code Freeze Assurance__\n\nThis competition is running on testnet.\n\nCode of the assets in scope is frozen while the program is live.\n\nDuplicate submissions of bugs are **invalid**. \n\nThe project commits to keeping private all info related to bug findings until this program is over. 
This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\n__Private Known Issues Rewards Policy__\n\n- Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\n- Lido adheres to the Primacy of Rules, which means that the whole program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\n- No KYC is required for the Lido Bug Bounty Competition\n\n__Eligibility Criteria__\n\n- Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n   - On OFACs SDN list \n   - Official contributor, both past or present\n   - Employees and/or individuals closely associated with the project \n   - Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\n- Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n   - Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\n- Immunefi may publish bug reports submitted to this Bug Bounty Competition and a leaderboard of the participants and their earnings.\n\n__Proof of Concept (PoC) Requirements__\n- A PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Feasibility Limitations__\n\n- The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. 
In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed in the \"Scope\" section) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n__Immunefi Standard Badge__\n\n- By adhering to Immunefi’s best practice recommendations, Lido has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"## Thank You to All Participating Security Researchers!\n\nThe bug bounty competition has now concluded and is currently in the evaluation phase. During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the Lido platform for all users.","boostedIntroLive":"## $2,000,000 USD in Max Bounty + $200,000 Bonus Rewards Pool \navailable for finding bugs on the Lido V3 codebase. 
\n\nIn addition to the regular [Lido Bug Bounty Program](https://immunefi.com/bug-bounty/lido/information/), this competition offers a $200,000 bonus rewards pool for valid, non-duplicate reports on the assets in scope. This $200,000 bonus pool will be distributed among researchers based on the severity of their valid, unique submissions, as determined at the end of the competition.\n\n- Rewards are denominated in USD and distributed in USDC on Ethereum.\n\n- KYC is not required.\n\n- Proof of Concept (PoC) Requirements: A PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n- **Insights are out of scope** for this Bug Bounty Competition.\n\n- **Duplicate submissions** of bugs are **not valid**. \n\n\nFor more information about Lido V3, please visit https://v3.lido.fi/\n\n\n### What is a Bug Bounty Competition?\nA Bug Bounty Competition is a unique blend between a traditional bug bounty program and an audit competition, offering the best of both worlds.\n\nLet’s break it down: In the case of Lido’s V3, security researchers are invited to hunt for vulnerabilities in specific assets. Just like a regular Bug Bounty Program (BBP), valid submissions are eligible for core BBP rewards. But here’s the exciting part, there’s also a bonus reward pool of $200,000 up for grabs, on top of the usual BBP payouts. This bonus is only available during the limited competition period.","boostedIntroStartingIn":"## $2,000,000 USD in Max Bounty + $200,000 Bonus Rewards Pool \navailable for finding bugs on the Lido V3 codebase. \n\nIn addition to the regular [Lido Bug Bounty Program](https://immunefi.com/bug-bounty/lido/information/), this competition offers a $200,000 bonus rewards pool for valid, non-duplicate reports on the assets in scope. 
This $200,000 bonus pool will be distributed among researchers based on the severity of their valid, unique submissions, as determined at the end of the competition.\n\n- Rewards are denominated in USD and distributed in USDC on Ethereum.\n\n- KYC is not required.\n\n- Proof of Concept (PoC) Requirements: A PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n- **Insights are out of scope** for this Bug Bounty Competition.\n\n- **Duplicate submissions** of bugs are **not valid**. \n\n\nFor more information about Lido V3, please visit https://v3.lido.fi/","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":"2025-12-09T12:00:00.000Z","evaluationEndDate":"2026-01-12T12:49:06.757Z","features":["Boost","Vault","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2025-11-12T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/25vjaKqCFqumtpux0GO4Ea/cdc3c46d3201ed31c9e194f5f1792939/Lido_Sign_11zon_500x500.png","maxBounty":2000000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Lido is a liquid staking solution for Ethereum backed by industry-leading staking providers. Lido lets users stake their ETH - without locking assets or maintaining infrastructure - whilst participating in on-chain activities, e.g. lending.\n\nLido V3 represents a fundamental expansion of the Lido staking protocol through the introduction of Staking Vaults (stVaults) – isolated vault contracts that enable specialized staking arrangements between stakers and node operators. 
stVaults allow stETH to be minted not only from the main Lido pool but also from ETH held in these external contracts. All stVaults are coordinated and monitored by a central VaultHub contract that ensures proper collateralization and operational health.\n\nThe upgrade implements EIP-7002 support for triggerable withdrawals for stVaults, enabling more flexible exit mechanisms for staked ETH. \nTo handle the increased complexity of managing multiple isolated vaults, the oracle system has been significantly enhanced with a \"Lazy Oracle\" design that reports vault-specific data and processes updates asynchronously rather than requiring synchronous updates for all vaults simultaneously, improving scalability and reducing on-chain overhead.\n\nNew Node Operator Predeposit Guarantee mechanism addresses deposit frontrunning vulnerabilities by requiring node operators to pre-commit their deposit data on-chain before actual deposits occur. This system includes on-chain BLS signature verification to cryptographically validate the deposit credentials, ensuring that operators cannot substitute malicious validator keys at deposit time. 
\n\nAll new components – core protocol accounting upgrade, stVaults architecture, oracle enhancements, and predeposit guarantees are included within the competition scope.","programType":["Smart Contract"],"project":"Bug Bounty Comp | Lido V3","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/) \n\nIn addition to the regular [Lido Bug Bounty Competition](https://immunefi.com/bug-bounty/lido/information/) rewards per severity, this competition offers a **$200,000 bonus rewards pool** for valid, non-duplicate reports on the assets in scope on this program.\n\nThis **$200,000 bonus pool** will be distributed among researchers based on the severity of their valid, unique submissions, as determined at the end of the competition.\n\nBonus rewards are paid out in the following **priority order**:\n\n1. Critical vulnerabilities\n2. High vulnerabilities\n3. Medium vulnerabilities\n\nThe **pool is allocated top-down**, meaning bonuses are paid to higher severity submissions first. If sufficient funds remain after paying critical submissions, bonuses will be issued to high severity findings, and so on.\n\n**If fewer vulnerabilities are found than the total size of the pool, the full pool will not be spent.**\n\nFor example, if only a single valid Critical is found, the bonus paid will be **$75,000**, and the remaining **$125,000 will go unused**.\n\nBonus amounts for each unique, valid report are:\n\n- Critical: $75,000\n- High: $20,000\n- Medium: $5,000\n\nIf the number of valid submissions in a given severity exceeds the available bonus pool for that severity category, then the funds will be **evenly split among all eligible submissions** in that category. For example, if 4 criticals are found, each critical severity report will be rewarded $50,000. 
\n\n##### Note:\n\n1. The **bonus rewards pool is limited to $200,000**.\n2. If the bonus rewards pool is exhausted, **reports will still be rewarded** under the regular Bug Bounty Program reward terms.\n3. Bug reports will be paid after the Bug Bounty Competition ends and rewards are calculated. \n4. **Insights are out of scope** for this Bug Bounty Competition.\n5. Any reports on Lido assets that are NOT in scope for this Bug Bounty Competition should be submitted to [Lido Bug Bounty Program](https://immunefi.com/bug-bounty/lido/information/).\n6. **Duplicate** submissions of bugs are **not valid**. \n7. Rewards are denominated in USD and distributed in USDC on Ethereum.\n8. Reports submitted via the regular Bug Bounty Program page will not be eligible for bonus rewards.\n9. If the same bug is submitted separately to both the Bug Bounty Program and the Bug Bounty Competition, the report will be eligible for rewards only under the program where it was submitted first. For example:\n- If Security Researcher A submits a valid bug to the Bug Bounty Program, and Security Researcher B submits the same bug to the Bug Bounty Competition, then only Security Researcher A is eligible, under Bug Bounty Program terms.\n- If the reverse happens, only Security Researcher B qualifies, under Bug Bounty Competition terms.\n\n__Impacts Clarifications__\n\n**Critical**\n\nLoss of user funds:\n- When a minimum of 2,000,000 USD of assets is at risk\n- Reward: *Minimum 100,000 USD*, *Maximum 2,000,000 USD*\n\nLoss of non-user funds (e.g., treasury):\n- When a minimum of 1,000,000 USD of assets is at risk\n- Reward: *Minimum 50,000 USD*, *Maximum 1,000,000 USD*\n\n**High**\n\n- When a minimum of 250,000 USD of assets is at risk\n- Reward: *Minimum 10,000 USD*, *Maximum 250,000 USD*\n\n**Medium**\n\n- When a minimum of 50,000 USD of assets is at risk\n- Reward: *Minimum 1,000 USD*, *Maximum 50,000 USD*\n\n__Impact Estimation__\n\nImpact estimation must correspond to the first phase of 
Lido V3 launch: https://research.lido.fi/t/lido-v3-design-implementation-proposal/10665#p-22926-rollout-plan-9\n\ni.e., \n- Lido Core works as of now on mainnet\n- stVaults global minting cap is 3% of TVL\n- permissioned node operators\n- each node operator has 50k mintable\n- emergency msigs attached according to the post\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be paused, only the initial attack window of 1 hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by pausing the component where the vulnerability exists.\n- If the smart contract where the vulnerability exists can only be upgraded, only the initial attack window of 5 days for Critical issues and 9 days for other issues will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading the component where the vulnerability exists.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"lido-v3-bug-bounty-competition","tenPercentEconomicRule":true,"updatedDate":"2025-12-30T14:10:08.947Z","impactsBody":"**Build Commands, Test Commands, and How to Run Them**\n\nhttps://github.com/lidofinance/core/blob/feat/vaults/CONTRIBUTING.md\n\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nLido V3 represents a fundamental expansion of the Lido staking protocol through the introduction of Staking Vaults (stVaults) – isolated vault contracts that enable specialized staking arrangements between stakers and node operators. stVaults allow stETH to be minted not only from the main Lido pool but also from ETH held in these external contracts. 
All stVaults are coordinated and monitored by a central VaultHub contract that ensures proper collateralization and operational health.\n\nThe upgrade implements EIP-7002 support for triggerable withdrawals for stVaults, enabling more flexible exit mechanisms for staked ETH. \n\nTo handle the increased complexity of managing multiple isolated vaults, the oracle system has been significantly enhanced with a \"Lazy Oracle\" design that reports vault-specific data and processes updates asynchronously rather than requiring synchronous updates for all vaults simultaneously, improving scalability and reducing on-chain overhead.\n\nNew Node Operator Predeposit Guarantee mechanism addresses deposit frontrunning vulnerabilities by requiring node operators to pre-commit their deposit data on-chain before actual deposits occur. This system includes on-chain BLS signature verification to cryptographically validate the deposit credentials, ensuring that operators cannot substitute malicious validator keys at deposit time. 
\n\nAll new components – core protocol accounting upgrade, stVaults architecture, oracle enhancements, and predeposit guarantees – are included within the competition scope.\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\n- Hoodi tokens: \n   - [ERC20] stETH\n      - https://hoodi.etherscan.io/token/0x3508A952176b3c15387C97BE809eaffB1982176a \n   - [ERC20] wstETH\n      - https://hoodi.etherscan.io/token/0x7E99eE3C66636DE415D2d7C880938F2f40f94De4 \n   - [ERC721] unstETH\n      - https://hoodi.etherscan.io/token/0xfe56573178f1bcdf53F01A6E9977670dcBBD9186 \n\n- Mainnet tokens:\n   - [ERC20] stETH\n      - https://etherscan.io/token/0xae7ab96520DE3A18E5e111B5EaAb095312D7fE84 \n   - [ERC20] wstETH\n      - https://etherscan.io/token/0x7f39c581f595b53c5cb19bd0b3f8da6c935e2ca0 \n   - [ERC721] unstETH\n      - https://etherscan.io/token/0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1 \n\n**Which chains and/or networks will the code in scope be deployed to?**\n\n- Ethereum Hoodi Testnet (chainId: 560048)\n- Ethereum Mainnet (chainId: 1)\n\n**What are the most valuable educational resources already available? (i.e. 
Documentation, Explainer videos or articles, etc)**\n\nLido’s codebase can be found at\n- Smart contracts:  https://github.com/lidofinance/core/releases/tag/v3.0.0-rc.4\n- Oracle: https://github.com/lidofinance/lido-oracle/releases/tag/7.0.0-beta.3\n\nDocumentation and further resources can be found on: \n- Lido V3 Hoodi Testnet contracts: https://docs.lido.fi/deployed-contracts/hoodi\n- Lido V3 Whitepaper: https://hackmd.io/@lido/B1NuB15-gx \n- Lido V3 Technical Design: https://hackmd.io/@lido/stVaults-design \n- Lido V3 — Design & Implementation Proposal\n   - https://research.lido.fi/t/lido-v3-design-implementation-proposal/10665 \n- Risk Assessment Framework for stVaults\n   - https://research.lido.fi/t/risk-assessment-framework-for-stvaults/9978 \n- Default risk assessment framework and fee parameters for stVaults\n   - https://research.lido.fi/t/default-risk-assessment-framework-and-fees-parameters-for-lido-v3-stvaults/10504","websiteUrl":"https://v3.lido.fi/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Lido is a liquid staking solution for Ethereum backed by industry-leading staking providers. Lido lets users stake their ETH - without locking assets or maintaining infrastructure - whilst participating in on-chain activities, e.g. 
lending.","knownIssues":[{"id":1217,"link":"https://github.com/lidofinance/audits/blob/317dc39fb8b7d97e10fd7d22099fdcc2c1ac7cd2/%5BDraft%5D%20Certora%20Lido%20Oracle%20v7%20Audit%20Report%2011-2025.pdf","description":"Certora Lido Oracle v7 Audit Report","lastUpdatedAt":"2025-11-01T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1216,"link":"https://github.com/lidofinance/audits/blob/2b9ae85e6ca269736ccb5426f7ea8152b625eebc/%5BDraft%5D%20Composable%20Security%20Lido%20Oracle%20V7%20(Lido%20V3)%2011-2025.pdf","description":"Composable Security Lido Oracle V7 (Lido V3)","lastUpdatedAt":"2025-11-01T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1215,"link":"https://github.com/orgs/lidofinance/projects/9/views/8","description":"Public V3 audit findings log (known issues)","lastUpdatedAt":"2025-11-01T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1214,"link":"https://github.com/lidofinance/audits/blob/317dc39fb8b7d97e10fd7d22099fdcc2c1ac7cd2/%5BDraft%5D%20MixBytes%20Lido%20V3%20Security%20Audit%20Report%2011-2025.pdf","description":"MixBytes Lido V3 Security Audit Report","lastUpdatedAt":"2025-11-01T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1213,"link":"https://github.com/lidofinance/audits/blob/317dc39fb8b7d97e10fd7d22099fdcc2c1ac7cd2/%5BDraft%5D%20Consensys%E2%80%A9Diligence%20Lido%20V3%20Security%20Audit%20-%2011-2025.pdf","description":"Consensys Diligence Lido V3 Security Audit","lastUpdatedAt":"2025-11-01T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1211,"link":"https://github.com/lidofinance/audits/blob/317dc39fb8b7d97e10fd7d22099fdcc2c1ac7cd2/%5BDraft%5D%20Certora%20Lido%20V3%20Audit%20Report%20-%2011-2025.pdf","description":"Certora Lido V3 Audit Report","lastUpdatedAt":"2025-11-01T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle 
manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":5816,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":5817,"type":"smart_contract","severity":"high","title":"Theft of tokenized staking yield"},{"id":5818,"type":"smart_contract","severity":"high","title":"Permanent freezing of tokenized staking yield"},{"id":5819,"type":"smart_contract","severity":"high","title":"Acquiring owner/admin rights or roles without contract’s owner/admin action"},{"id":5820,"type":"smart_contract","severity":"high","title":"Missing access controls / unprotected internal interfaces"},{"id":5821,"type":"smart_contract","severity":"high","title":"Economic/financial attacks"},{"id":5822,"type":"smart_contract","severity":"high","title":"Reversible freezing of funds"},{"id":5823,"type":"smart_contract","severity":"high","title":"Off-chain apps sensitive data extraction (e.g. 
Oracle private keys)"},{"id":5824,"type":"smart_contract","severity":"high","title":"Theft or loss of funds from a treasury"},{"id":5825,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":5826,"type":"smart_contract","severity":"medium","title":"Susceptibility to frontrunning"}],"rewards":[{"level":"critical","payout":"Max: $2,000,000 - Min: 50,000 + *Portion of the bonus reward pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Max: $250,000 - Min: 10,000 + *Portion of the bonus reward pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Max: $50,000 - Min: 1,000 + *Portion of the bonus reward pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"78fIHC5RLl3ajzqxSEd3cY","url":"https://docs.lido.fi/security/audits","auditor":"Aggregation of all previous audits","date":"2025-11-10"}]},{"assets":[{"id":"3VqlL7wSvPDTuD58N1to2G","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:28:45.462Z","revision":2,"description":"Primacy of Impact (only Critical and High)","isPrimacyOfImpact":true},{"id":"47y4tnq0IUVsi2UDZDXV1Y","url":"https://sns.id","type":"websites_and_applications","addedAt":"2023-08-04T12:00:00.000Z","revision":2,"description":"SNS Website","isPrimacyOfImpact":null},{"id":"6pTYRvJwLn6VBqzn2tPEBF","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2023-10-05T15:28:47.461Z","revision":2,"description":"Primacy of Impact (only Critical and High)","isPrimacyOfImpact":true}],"assetsBodyV2":"Unless explicitly listed, only pages of the web/app assets in addition to the direct link are considered in-scope of the bug bounty program. Other subdomains are not considered as in-scope. 
However, for subdomain takeovers that lead to an impact on the in-scope asset, please refer to our page about [Reported Subdomain Takeovers.](https://immunefisupport.zendesk.com/hc/en-us/articles/14352199704593-Reported-Subdomain-Takeovers)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust"],"launchDate":"2023-08-04T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1kEyT5bORMraZGNMuv44VH/40ed6657d9aaaf73946ff4a0660590b7/SNS_Color_logomark_on_Black_200px__1_.png","maxBounty":20000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"Solana","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Services"],"programOverview":"Developer of blockchain technologies intended to provide consumers with a Web 3.0 identity. The company's primary product, Solana Name Service (SNS) provides a human-readable name that maps to an SOL address, thereby removing the barrier to entry and providing an identifiable address that can facilitate payments, efficiency, and overall user experience in the sphere.\n\nFor more information about SNS, please visit [https://sns.id](https://sns.id) \n\nSNS provides rewards in FIDA or USDC on Solana, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n\n- Wallet address where you’ll receive payment;\n- Proof of address (either a redacted bank statement with your address or a recent utility bill with your name, address, and issuer of the bill);\n- Copy of your passport will be required.\n\nKYC information is only required on confirmation of the validity of a bug report.   \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nSNS adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - Critical\n- Smart Contract - High\n- Websites & Applications - Critical\n- Websites & Applications - High\n\n\nIf an impact is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nPlease note that, regardless of what is displayed in the Rewards table, Medium and Low severity impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\nAdditionally, *.bonfida.org assets are excluded from the Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n\n__Immunefi Standard Badge__\n\nSNS has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices. \n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are ineligible for a reward\n- OFAC-sanctioned countries residents are ineligible \n- OFAC-sanctioned individuals are ineligible\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract - Critical - PoC Required \n- Smart Contract - High - PoC Required \n- Smart Contract - Medium - PoC Required \n- Smart Contract - Low - PoC Required \n- Website & Applications - Critical - PoC Required\n- Website & Applications - High - PoC Required\n- Website & Applications - Medium - PoC Required\n- Website & Applications - Low - PoC Required\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and 
Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward","programType":["Smart Contract","Websites and Applications"],"project":"SNS","projectType":["Infrastructure"],"rewardsBody":"Payouts are managed directly by the SNS team and are denominated in USD. Payments are made in either SNS or USDC, depending on the team's discretion. \n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability. For avoidance of doubt, if the reward amount is USD 5 000 and the average price is USD 1.75 per token, then the reward will be 2857.142857 units of that token.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"SNS or USDC","slug":"sns","updatedDate":"2025-12-30T09:22:19.589Z","impactsBody":null,"websiteUrl":"https://www.sns.id","githubUrl":"https://github.com/SolanaNameService","eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_3","description":"Developer of blockchain technologies intended to provide consumers with a Web 3.0 identity. The company's primary product, Solana Name Service (SNS) provides a human-readable name that maps to an SOL address, thereby removing the barrier to entry and providing an identifiable address that can facilitate payments, efficiency, and overall user experience in the sphere.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":4383,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction such as: Iframing leading to modifying the backend/browser state (demonstrate impact with PoC)"},{"id":4384,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as: Locking up the victim from login, Cookie bombing, etc."},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":4385,"type":"smart_contract","severity":"high","title":"Temporary freezing NFTs"},{"id":4386,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as: HTML injection without Javascript, Replacing existing text with arbitrary text, Arbitrary file uploads, 
etc."},{"id":4387,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email or password of the victim, etc."},{"id":4388,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as: Email address, Phone number, Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":4389,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as: Reflected HTML injection, Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4390,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as: /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":38,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT URI"},{"id":4391,"type":"websites_and_applications","severity":"critical","title":"Changing the NFT metadata"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4392,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":4393,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through NFT 
metadata"}],"rewards":[{"id":39568,"severity":"critical","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":39569,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":39570,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":39571,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":39572,"severity":"critical","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":39573,"severity":"high","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":39574,"severity":"medium","assetType":"websites_and_applications","fixedReward":1500,"rewardModel":"fixed"},{"id":39575,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1RUPFMhzvVcFkzoFCtoEfD","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/HardTransferLimitRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:10.786Z","revision":2,"description":"HardTransferLimitRule.sol","isPrimacyOfImpact":null},{"id":"1SEDEZ0qv1lkCgKlxt7P79","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/UserValidRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:20.833Z","revision":2,"description":"UserValidRule.sol","isPrimacyOfImpact":null},{"id":"1muiIqmc8buNPEaNKI3rsW","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/sale/TokenSale.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:24.913Z","revision":2,"description":"TokenSale.sol","isPrimacyOfImpact":null},{"id":"1mvZtrB5vQGuHbaHXLCVY2","url":"https://www.mtpelerin.com","type":"websites_and_applications","addedAt":"2022-05-13T15:12:51.430Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"2pw0y7pNc9c1DqjL033bM5","url":"https://github.com/MtPelerin/bridge-v2/blob
/master/contracts/token/BondBridgeToken.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:25.940Z","revision":2,"description":"BondBridgeToken.sol","isPrimacyOfImpact":null},{"id":"2w40zhhEiB5zXAMuFXbQHF","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/token/BridgeToken.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:26.988Z","revision":2,"description":"BridgeToken.sol","isPrimacyOfImpact":null},{"id":"2xzQTvmerVfIyVi7sXAzZU","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/token/abstract/SeizableBridgeERC20.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:31.632Z","revision":2,"description":"SeizableBridgeERC20.sol","isPrimacyOfImpact":null},{"id":"3LPq7vtWVf0aelBR0AXPq1","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/token/CoinBridgeToken.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:28.181Z","revision":2,"description":"CoinBridgeToken.sol","isPrimacyOfImpact":null},{"id":"3TqTOUYxZVbxaVPqpgvsaX","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/MinTransferRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:13.459Z","revision":2,"description":"MinTransferRule.sol","isPrimacyOfImpact":null},{"id":"3erYW9ykamK8lIRoIpFdU0","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/YesNoUpdateRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:22.946Z","revision":2,"description":"YesNoUpdateRule.sol","isPrimacyOfImpact":null},{"id":"3oIlXIpoXJPGHjjL86F5B6","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/AddressThresholdLockRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:08.766Z","revision":2,"description":"AddressThresholdLockRule.sol","isPrimacyOfImpact":null},{"id":"3t69M0o6tDXMVagXQi9YfZ","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/UserKycThresholdToRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:19.640Z","revision":2,"description"
:"UserKycThresholdToRule.sol","isPrimacyOfImpact":null},{"id":"4UeW4FpLHQPxJexCfXXatb","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/operating/ComplianceRegistry.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:03.366Z","revision":2,"description":"ComplianceRegistry.sol","isPrimacyOfImpact":null},{"id":"4cuGzIaPzDGZHx80cir32","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/access/Roles.sol","type":"smart_contract","addedAt":"2022-05-10T16:17:32.425Z","revision":2,"description":"Roles.sol","isPrimacyOfImpact":null},{"id":"4eA1oqITUyQGuKHIvlKhxC","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/token/ShareBridgeToken.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:29.601Z","revision":2,"description":"ShareBridgeToken.sol","isPrimacyOfImpact":null},{"id":"4mJWbeVVF1b5eNq20MK8dq","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/UserFreezeRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:16.438Z","revision":2,"description":"UserFreezeRule.sol","isPrimacyOfImpact":null},{"id":"4sAOjes3KTpWUD4WS2wON3","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/voting/ShareholderMeeting.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:40.139Z","revision":2,"description":"ShareholderMeeting.sol","isPrimacyOfImpact":null},{"id":"5IyKgwlj83wmBQ20JJAnbq","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/token/abstract/BridgeERC20.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:30.604Z","revision":2,"description":"BridgeERC20.sol","isPrimacyOfImpact":null},{"id":"6An7SLCJw7nHUsAu1gRg5I","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/UserKycThresholdBothRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:17.432Z","revision":2,"description":"UserKycThresholdBothRule.sol","isPrimacyOfImpact":null},{"id":"6Iy1Hw3zVCglBGhAQEJL31","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contr
acts/rules/YesNoRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:21.922Z","revision":2,"description":"YesNoRule.sol","isPrimacyOfImpact":null},{"id":"6Nk5fl1fBgH4T1VUcqNPM2","url":"https://play.google.com/store/apps/details?id=com.mtpelerin.bridge","type":"websites_and_applications","addedAt":"2022-05-13T13:22:53.744Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"6VgT62FAIZIoiuZ0gIRD1t","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/access/Operator.sol","type":"smart_contract","addedAt":"2022-05-10T16:17:31.457Z","revision":2,"description":"Operator.sol","isPrimacyOfImpact":null},{"id":"6XbxjHg07hErtMFY5QnKI5","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/UserAttributeValidToRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:15.447Z","revision":2,"description":"UserAttributeValidToRule.sol","isPrimacyOfImpact":null},{"id":"6fMifOxgZm8RE4F34N1POh","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/UserKycThresholdFromRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:18.628Z","revision":2,"description":"UserKycThresholdFromRule.sol","isPrimacyOfImpact":null},{"id":"6zeeupgzRQu136U55bGVm8","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/operating/Processor.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:05.740Z","revision":2,"description":"Processor.sol","isPrimacyOfImpact":null},{"id":"7Hm7x1dCdQABc4N8YwvWH0","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/operating/PriceOracle.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:04.727Z","revision":2,"description":"PriceOracle.sol","isPrimacyOfImpact":null},{"id":"7MTff8UxhMnGuGEdXGKRqV","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/SoftTransferLimitRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:14.454Z","revision":2,"description":"SoftTransferLimitRule.sol","isPrimacyOfImpact":null},{"id":"7tSPWL
nWUI1lYT5atyLgnR","url":"https://apps.apple.com/us/app/bridge-wallet/id1481859680","type":"websites_and_applications","addedAt":"2022-05-13T13:22:30.356Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"7zVNOOeY7cJkx5Vh3Sod9Y","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/MaxTransferRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:12.435Z","revision":2,"description":"MaxTransferRule.sol","isPrimacyOfImpact":null},{"id":"AOsbwM5d5yQJZy01JJipk","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/rules/GlobalFreezeRule.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:09.764Z","revision":2,"description":"GlobalFreezeRule.sol","isPrimacyOfImpact":null},{"id":"WskxgDVQBjP38SHu70644","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/operating/RuleEngine.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:06.762Z","revision":2,"description":"RuleEngine.sol","isPrimacyOfImpact":null},{"id":"bwIamkHUjewMqWgbmTUyY","url":"https://github.com/MtPelerin/bridge-v2/blob/master/contracts/utils/TokenDispenserQueue.sol","type":"smart_contract","addedAt":"2022-05-10T16:18:38.006Z","revision":2,"description":"TokenDispenserQueue.sol","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","Base","Bitcoin","ETH","Gnosis","Optimism","Polygon","Rootstock","Tezos","Celo","zkSync","Lightning","Sonic","xDAI / Gnosis 
Chain"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-02-08T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6tsDyr3ikdFL8rLa53IcOZ/e249b3d566eee170e2b73a37d6666f2f/Mtpelerin-logo.png","maxBounty":5000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Bridge","CEX","Wallet"],"programOverview":"Mt Pelerin is a Swiss fintech company specialized in solutions to bridge the\ncrypto economy with traditional banking and finance. Today it offers two key\nproducts: Bridge Protocol, an open-source ERC20 asset tokenization platform\nwith related tech, financial, legal and compliance services, as well as Bridge\nWallet, a non-custodial Bitcoin and Ethereum mobile wallet with live\ncrypto-fiat on/off-ramp.\n\nThe bug bounty program is focused around its smart contracts, mobile apps and\nwebsite, and is mostly aimed at addressing serious security issues directly\naffecting fund safety and user data protection.","programType":["Smart Contract","Websites and Applications"],"project":"Mt Pelerin","projectType":["Defi","Exchange"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAdditionally, all bug reports without proof of concept exploits with\ndemonstrated impact, as well as recommendations for new features, are not\naccepted.\n\nPayouts are handled by **Mt Pelerin** directly and are estimated in\n**USD**. However, payouts are done in **ETH, BTC, USDT, USDC, or DAI**.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ETH, BTC, USDT, USDC, or DAI","slug":"mtpelerin","tenPercentEconomicRule":false,"updatedDate":"2025-12-23T11:07:55.397Z","impactsBody":null,"websiteUrl":"https://www.mtpelerin.com/","githubUrl":"https://github.com/MtPelerin","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Mt Pelerin is a regulated Swiss company specialized in cryptocurrency exchange, mobile wallet and asset tokenization services.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Attacks requiring privileged access from within the organization\n- Bugs without proof-of-concept exploits showing impact","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":204,"type":"smart_contract","severity":"high","title":"Freezing of unclaimed yield"},{"id":205,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for any amount of time"},{"id":206,"type":"websites_and_applications","severity":"high","title":"Data deletion"},{"id":207,"type":"smart_contract","severity":"critical","title":"Loss of user funds staked (principal) by freezing or theft"},{"id":208,"type":"websites_and_applications","severity":"critical","title":"Data theft"}],"rewards":[{"id":39387,"severity":"critical","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":39388,"severity":"high","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":39389,"severity":"critical","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":39390,"severity":"high","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"2MrR0aYeScBqXO7FlTDhyW","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/misc/src/Plume.sol","type":"smart_contract","addedAt":"2025-07-17T18:18:21.292Z","revision":1,"description":"Plume.Sol - 
[68]","isPrimacyOfImpact":null},{"id":"6Hbd5UdYUwvWafPlItFoeL","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/misc/src/WPLUME.sol","type":"smart_contract","addedAt":"2025-07-17T18:18:31.004Z","revision":1,"description":"WPLUME.sol - [10]","isPrimacyOfImpact":null},{"id":"5qgLm0wHSpES8Dead0kqYj","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/PlumeStaking.sol","type":"smart_contract","addedAt":"2025-07-17T18:18:40.162Z","revision":1,"description":"PlumeStaking.sol - [44]","isPrimacyOfImpact":null},{"id":"7M5NWPTyvL633Iyf82EBn3","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/PlumeStakingRewardTreasury.sol","type":"smart_contract","addedAt":"2025-07-17T18:18:50.372Z","revision":1,"description":"PlumeStakingRewardTreasury.sol - [127]","isPrimacyOfImpact":null},{"id":"4wfyQmglnI8iDMPlWhp9jy","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/AccessControlFacet.sol","type":"smart_contract","addedAt":"2025-07-17T18:18:58.430Z","revision":1,"description":"AccessControlFacet.sol - [49]","isPrimacyOfImpact":null},{"id":"6TvhNuKTqHQkJ6QVtflnEP","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ManagementFacet.sol","type":"smart_contract","addedAt":"2025-07-17T18:19:06.618Z","revision":1,"description":"ManagementFacet.sol - [412]","isPrimacyOfImpact":null},{"id":"2nEk6csx4NeC1bGy2dMvFt","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/RewardsFacet.sol","type":"smart_contract","addedAt":"2025-07-17T18:19:22.251Z","revision":1,"description":"RewardsFacet.sol - [509]","isPrimacyOfImpact":null},{"id":"1kztG0NR2HuF1NJOprao12","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/StakingFacet.sol","type":"smart_contract","addedAt":"2025-07-17T18:19:30.576Z","revision":1,"description":"StakingFacet.sol - 
[649]","isPrimacyOfImpact":null},{"id":"nStXwzmjSMOAo51tNUsmG","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/facets/ValidatorFacet.sol","type":"smart_contract","addedAt":"2025-07-17T18:19:54.929Z","revision":1,"description":"ValidatorFacet.sol - [659]","isPrimacyOfImpact":null},{"id":"A5myOQ0bV7tfflwqFYh2x","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/lib/PlumeErrors.sol","type":"smart_contract","addedAt":"2025-07-17T18:20:03.119Z","revision":1,"description":"PlumeErrors.sol - [82]","isPrimacyOfImpact":null},{"id":"1ClP7ChWDmKqwrd6fYoord","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/lib/PlumeEvents.sol","type":"smart_contract","addedAt":"2025-07-17T18:20:12.127Z","revision":1,"description":"PlumeEvents.sol - [109]","isPrimacyOfImpact":null},{"id":"27EUfTs2hjGDMhlSNxXGYW","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/lib/PlumeRewardLogic.sol","type":"smart_contract","addedAt":"2025-07-17T18:20:35.422Z","revision":1,"description":"PlumeRewardLogic.sol - [539]","isPrimacyOfImpact":null},{"id":"2t6AhZTCn9IzmRd5bN6k9o","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/lib/PlumeRoles.sol","type":"smart_contract","addedAt":"2025-07-17T18:20:44.677Z","revision":1,"description":"PlumeRoles.sol - [8]","isPrimacyOfImpact":null},{"id":"7d2f8wiXJVS4b3EoSCQ3bd","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/lib/PlumeStakingStorage.sol","type":"smart_contract","addedAt":"2025-07-17T18:20:53.640Z","revision":1,"description":"PlumeStakingStorage.sol - [106]","isPrimacyOfImpact":null},{"id":"1bNMc2gq1gWNwDe9rccKZS","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/lib/PlumeValidatorLogic.sol","type":"smart_contract","addedAt":"2025-07-17T18:21:02.554Z","revision":1,"description":"PlumeValidatorLogic.sol - 
[84]","isPrimacyOfImpact":null},{"id":"6Ovb2g5pyoPzkSRwATz3lZ","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/spin/DateTime.sol","type":"smart_contract","addedAt":"2025-07-17T18:21:12.151Z","revision":1,"description":"DateTime.sol - [209]","isPrimacyOfImpact":null},{"id":"3UO2IbhECXaS6eXSufQCGR","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/spin/Raffle.sol","type":"smart_contract","addedAt":"2025-07-17T18:21:22.309Z","revision":1,"description":"Raffle.sol - [307]","isPrimacyOfImpact":null},{"id":"6K6YSv13rvL9ISOx3YKBVj","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/spin/Spin.sol","type":"smart_contract","addedAt":"2025-07-17T18:21:30.100Z","revision":1,"description":"Spin.sol - [392]","isPrimacyOfImpact":null},{"id":"1hx8uNtQ2Za1HdLG0aQM4Y","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/ArcToken.sol","type":"smart_contract","addedAt":"2025-07-17T18:21:38.894Z","revision":1,"description":"ArcToken.sol - [486]","isPrimacyOfImpact":null},{"id":"7KPz7U8LVrGiTekFyOjRTK","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/ArcTokenFactory.sol","type":"smart_contract","addedAt":"2025-07-17T18:21:49.590Z","revision":1,"description":"ArcTokenFactory.sol - [187]","isPrimacyOfImpact":null},{"id":"6KSLT5v7a1gJ8lpJkgRKce","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/ArcTokenPurchase.sol","type":"smart_contract","addedAt":"2025-07-17T18:21:57.474Z","revision":1,"description":"ArcTokenPurchase.sol - [324]","isPrimacyOfImpact":null},{"id":"5ziBG44GrwCJ6TJu1XLEsK","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/restrictions/RestrictionTypes.sol","type":"smart_contract","addedAt":"2025-07-17T18:22:05.238Z","revision":1,"description":"RestrictionTypes.sol - 
[6]","isPrimacyOfImpact":null},{"id":"3HOffVYbinfbnCDLbteHlq","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/restrictions/RestrictionsFactory.sol","type":"smart_contract","addedAt":"2025-07-17T18:22:17.238Z","revision":1,"description":"RestrictionsFactory.sol - [93]","isPrimacyOfImpact":null},{"id":"361GXgs3hXJMINVG8R3Yxm","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/restrictions/RestrictionsRouter.sol","type":"smart_contract","addedAt":"2025-07-17T18:22:27.482Z","revision":1,"description":"RestrictionsRouter.sol - [97]","isPrimacyOfImpact":null},{"id":"4PohHjZNWcqctPuyvTtBa8","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/restrictions/WhitelistRestrictions.sol","type":"smart_contract","addedAt":"2025-07-17T18:22:37.691Z","revision":1,"description":"WhitelistRestrictions.sol - [159]","isPrimacyOfImpact":null},{"id":"2HoLZgZbWtFPaaVrXy72B2","url":"https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/restrictions/YieldBlacklistRestrictions.sol","type":"smart_contract","addedAt":"2025-07-17T18:22:52.339Z","revision":1,"description":"YieldBlacklistRestrictions.sol - [71]","isPrimacyOfImpact":null},{"id":"463xwCyFba3LxCUY6qLGp","url":"https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/base/Roles/TellerWithMultiAssetSupportPredicateProxy.sol","type":"smart_contract","addedAt":"2025-07-17T18:23:02.202Z","revision":1,"description":"TellerWithMultiAssetSupportPredicateProxy.sol - [138]","isPrimacyOfImpact":null},{"id":"2Ry1XeHtovPRd8R6BOrrIj","url":"https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/helper/DexAggregatorWrapperWithPredicateProxy.sol","type":"smart_contract","addedAt":"2025-07-17T18:23:14.685Z","revision":1,"description":"DexAggregatorWrapperWithPredicateProxy.sol - [301]","isPrimacyOfImpact":null}],"assetsBodyV2":"__Insight 
Reporting__\n\nInsight reports may be reported to this program and do not require a PoC. Insights are rewarded according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\n__Dispute Resolution__\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.\n\n__Asset Accuracy Assurance__\n\n- Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\n- Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\n- Plume Network adheres to the Primacy of Rules, which means that the whole Attackathon program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\nPlume Network requires KYC information to pay for bug submissions. The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. 
Immunefi may make exceptions due to extenuating circumstances.\n\n__Responsible Publication__\n\n- Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n   - Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\n- Immunefi may publish bug reports submitted to this Audit Competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\n- When there is uncertainty about how feasible an attack is Immunefi will use our feasibility limitation standards to determine the severity of the report.\n\n__Immunefi Standard Badge__\n\n- By adhering to Immunefi’s best practice recommendations, Plume Network has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"### **Thank You to All Participating Security Researchers!**\n\nThe Attackathon has now concluded and is currently in the evaluation phase. 
During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the platform for all users.","boostedIntroLive":"A conditional **$200,000 USD** is in rewards for finding bugs on Plume Network's code.\n\nYou can ask technical questions to the Plume Network Team directly in the #plume-network-attackathon channel in [Immunefi's Discord](https://discord.com/invite/immunefi).\n\nWhen the Plume Network Attackathon ends, Immunefi will publish a leaderboard and Attackathon findings report.","boostedIntroStartingIn":"A conditional $200,000 USD pot is in rewards for finding bugs on Plume Network code.\n\nJuly 8th the **Plume Network Attackathon Education Period** begins — launching the ‘Plume Network Academy’, and opening direct access to the Plume Network’s team for ongoing technical Q&A on [Immunefi's Discord](https://discord.com/invite/immunefi) in the “plume-network-attackathon\" channel.","boostedLeaderboard":[{"high":2,"name":"Blobism","aspRank":1,"critical":2,"earnings":26094,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":32894,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":6800},{"high":3,"name":"shadowHunter","aspRank":11,"critical":0,"earnings":2882,"insights":0,"mediumLow":2,"allStarTier":"ELITE 
(ACTIVE)","totalEarnings":25739,"totalValidBugs":5,"aspPoolEarnings":22857,"podiumPoolEarnings":0},{"high":4,"name":"holydevoti0n","aspRank":2,"critical":2,"earnings":14589,"insights":7,"mediumLow":11,"allStarTier":"Non-ASP","totalEarnings":21189,"totalValidBugs":17,"aspPoolEarnings":0,"podiumPoolEarnings":6600},{"high":11,"name":"KlosMitSoss","aspRank":3,"critical":0,"earnings":11842,"insights":2,"mediumLow":9,"allStarTier":"Non-ASP","totalEarnings":18442,"totalValidBugs":20,"aspPoolEarnings":0,"podiumPoolEarnings":6600},{"high":7,"name":"Paludo0x","aspRank":5,"critical":0,"earnings":7030,"insights":7,"mediumLow":7,"allStarTier":"SENIOR (ACTIVE)","totalEarnings":12744,"totalValidBugs":14,"aspPoolEarnings":5714,"podiumPoolEarnings":0},{"high":3,"name":"WinSec","aspRank":4,"critical":0,"earnings":7521,"insights":1,"mediumLow":6,"allStarTier":"Non-ASP","totalEarnings":7521,"totalValidBugs":9,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"perseverance","aspRank":20,"critical":1,"earnings":1075,"insights":0,"mediumLow":3,"allStarTier":"SENIOR (ACTIVE)","totalEarnings":6789,"totalValidBugs":5,"aspPoolEarnings":5714,"podiumPoolEarnings":0},{"high":4,"name":"oxrex","aspRank":6,"critical":0,"earnings":6388,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":6388,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"Rhaydden","aspRank":7,"critical":0,"earnings":5564,"insights":1,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":5564,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":4,"name":"a16","aspRank":8,"critical":1,"earnings":4952,"insights":1,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":4952,"totalValidBugs":9,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":4,"name":"jovi","aspRank":23,"critical":0,"earnings":973,"insights":0,"mediumLow":2,"allStarTier":"ASSOCIATE 
(ACTIVE)","totalEarnings":3831,"totalValidBugs":6,"aspPoolEarnings":2857,"podiumPoolEarnings":0},{"high":5,"name":"vivekd","aspRank":9,"critical":1,"earnings":3733,"insights":0,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":3733,"totalValidBugs":11,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":5,"name":"valkvalue","aspRank":10,"critical":1,"earnings":3510,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":3510,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"pks271","aspRank":35,"critical":0,"earnings":638,"insights":0,"mediumLow":3,"allStarTier":"ASSOCIATE (ACTIVE)","totalEarnings":3495,"totalValidBugs":4,"aspPoolEarnings":2857,"podiumPoolEarnings":0},{"high":5,"name":"farman1094","aspRank":12,"critical":0,"earnings":2795,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":2795,"totalValidBugs":8,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":6,"name":"silver_eth","aspRank":13,"critical":0,"earnings":2721,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2721,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"jasonxiale","aspRank":14,"critical":0,"earnings":2188,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":2188,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"TeamJosh","aspRank":15,"critical":0,"earnings":1992,"insights":0,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":1992,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":4,"name":"kaysoft","aspRank":16,"critical":0,"earnings":1842,"insights":2,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":1842,"totalValidBugs":8,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":4,"name":"IronsideSec","aspRank":17,"critical":0,"earnings":1672,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":1672,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":6,"name":"light279","aspRank":19
,"critical":0,"earnings":1610,"insights":2,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":1610,"totalValidBugs":8,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"blackgrease","aspRank":22,"critical":0,"earnings":1598,"insights":8,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":1598,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":4,"name":"max10afternoon","aspRank":18,"critical":0,"earnings":1547,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1547,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Am3nh3l","aspRank":25,"critical":0,"earnings":1066,"insights":4,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":1066,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":3,"name":"ZeroExRes","aspRank":21,"critical":0,"earnings":1033,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1033,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"avoloder","aspRank":31,"critical":0,"earnings":942,"insights":3,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":942,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Afriauditor","aspRank":24,"critical":0,"earnings":885,"insights":1,"mediumLow":5,"allStarTier":"Non-ASP","totalEarnings":885,"totalValidBugs":7,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"XDZIBECX","aspRank":26,"critical":0,"earnings":815,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":815,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"funkornaut","aspRank":27,"critical":0,"earnings":804,"insights":0,"mediumLow":6,"allStarTier":"Non-ASP","totalEarnings":804,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"drdee","aspRank":28,"critical":0,"earnings":801,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":801,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEa
rnings":0},{"high":3,"name":"ihtishamsudo","aspRank":30,"critical":0,"earnings":799,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":799,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Finlooz4","aspRank":29,"critical":0,"earnings":784,"insights":1,"mediumLow":4,"allStarTier":"Non-ASP","totalEarnings":784,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"AasifUsmani","aspRank":53,"critical":0,"earnings":765,"insights":7,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":765,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Lock0down","aspRank":32,"critical":0,"earnings":718,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":718,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":5,"name":"swarun","aspRank":33,"critical":0,"earnings":654,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":654,"totalValidBugs":6,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"manvi","aspRank":34,"critical":0,"earnings":639,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":639,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"frolic","aspRank":37,"critical":0,"earnings":639,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":639,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"wellbyt3","aspRank":36,"critical":0,"earnings":624,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":624,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"tansegv","aspRank":38,"critical":0,"earnings":597,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":597,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"PotEater","aspRank":59,"critical":0,"earnings":582,"insights":5,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":582,"totalValidBugs":2,"as
pPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"ubl4nk","aspRank":45,"critical":0,"earnings":534,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":534,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"flora","aspRank":46,"critical":0,"earnings":534,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":534,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"aksoy","aspRank":39,"critical":0,"earnings":494,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":494,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"Outliers","aspRank":42,"critical":0,"earnings":484,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":484,"totalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Killua","aspRank":40,"critical":0,"earnings":463,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":463,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"arnie","aspRank":41,"critical":0,"earnings":458,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":458,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"r1ver","aspRank":43,"critical":0,"earnings":436,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":436,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"oswald23321","aspRank":44,"critical":0,"earnings":430,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":430,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"hulkvision","aspRank":50,"critical":0,"earnings":404,"insights":1,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":404,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":2,"name":"spongebob","aspRank":47,"critical":0,"earnings":379,"insights":0,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":379,"t
otalValidBugs":5,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"maggie","aspRank":48,"critical":0,"earnings":361,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":361,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"pirex","aspRank":49,"critical":0,"earnings":357,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":357,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"godwinudo","aspRank":54,"critical":0,"earnings":337,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":337,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Boraicho","aspRank":51,"critical":0,"earnings":323,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":323,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"wylis","aspRank":60,"critical":0,"earnings":313,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":313,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Oppi992","aspRank":52,"critical":0,"earnings":311,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":311,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"demonhat","aspRank":55,"critical":0,"earnings":267,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":267,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Bug82427","aspRank":56,"critical":0,"earnings":259,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":259,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Ambitious_DyDx","aspRank":64,"critical":0,"earnings":257,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":257,"totalValidBugs":4,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"SAAJ","aspRank":57,"critical":0,"earnings":237,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP
","totalEarnings":237,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"GeorgeMichael","aspRank":58,"critical":0,"earnings":232,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":232,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"bl4ck4non","aspRank":61,"critical":0,"earnings":209,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":209,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Slayer","aspRank":62,"critical":0,"earnings":209,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":209,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"axolot","aspRank":63,"critical":0,"earnings":209,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":209,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"heavyw8t","aspRank":77,"critical":0,"earnings":205,"insights":2,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":205,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ZeroXGondar","aspRank":76,"critical":0,"earnings":192,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":192,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"rilwan99","aspRank":69,"critical":0,"earnings":179,"insights":1,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":179,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ladboy233","aspRank":81,"critical":0,"earnings":161,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":161,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Vanshika","aspRank":98,"critical":0,"earnings":160,"insights":3,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":160,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"magtentic","aspRank":65,"critical":0,"earnings":155,"insights":0
,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":155,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"daxun","aspRank":66,"critical":0,"earnings":145,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":145,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"p1ranh4","aspRank":67,"critical":0,"earnings":131,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":131,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"rajkaur","aspRank":68,"critical":0,"earnings":128,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":128,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Opzteam","aspRank":106,"critical":0,"earnings":125,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":125,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Khay3","aspRank":80,"critical":0,"earnings":119,"insights":1,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":119,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"OxPrince","aspRank":70,"critical":0,"earnings":113,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":113,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"vargalove","aspRank":108,"critical":0,"earnings":104,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":104,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"InquisitorScythe","aspRank":112,"critical":0,"earnings":104,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":104,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"DSbeX","aspRank":71,"critical":0,"earnings":102,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":102,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"KKam86","aspRank":88,"critical":0
,"earnings":102,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":102,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"honey0x0","aspRank":72,"critical":0,"earnings":88,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":88,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"vielite","aspRank":73,"critical":0,"earnings":88,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":88,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"psb01","aspRank":74,"critical":0,"earnings":88,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":88,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"heeze","aspRank":75,"critical":0,"earnings":88,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":88,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"EFCCWEB3","aspRank":78,"critical":0,"earnings":76,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":76,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"thesvn","aspRank":79,"critical":0,"earnings":72,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":72,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ghufran","aspRank":110,"critical":0,"earnings":62,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":62,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"zbugs","aspRank":111,"critical":0,"earnings":62,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":62,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"TheCarrot","aspRank":113,"critical":0,"earnings":62,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":62,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Purpledragon","aspRank":114,"cri
tical":0,"earnings":62,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":62,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"AlertBasilisk56249","aspRank":82,"critical":0,"earnings":56,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":56,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"a090325","aspRank":83,"critical":0,"earnings":53,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":53,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Orionn","aspRank":84,"critical":0,"earnings":48,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":48,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"forgebyola","aspRank":85,"critical":0,"earnings":48,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":48,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Tomioka","aspRank":86,"critical":0,"earnings":46,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":46,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"jpmendes","aspRank":87,"critical":0,"earnings":46,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":46,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"rajaroy43","aspRank":89,"critical":0,"earnings":40,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":40,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ciphermalware","aspRank":90,"critical":0,"earnings":30,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":30,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Oxgritty","aspRank":91,"critical":0,"earnings":29,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":29,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"its
ravin0x","aspRank":92,"critical":0,"earnings":29,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":29,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"pxng0lin","aspRank":109,"critical":0,"earnings":21,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":21,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"MMophule","aspRank":93,"critical":0,"earnings":19,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":19,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Santi","aspRank":94,"critical":0,"earnings":19,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":19,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ZanyBonzy","aspRank":95,"critical":0,"earnings":19,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":19,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"nitinaimshigh","aspRank":96,"critical":0,"earnings":19,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":19,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"New5paceXyz","aspRank":97,"critical":0,"earnings":15,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":15,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"oluwaseyisekoni","aspRank":99,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"lirezarazavi","aspRank":100,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"Nuesayo","aspRank":101,"critical":0,"earnings":14,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":14,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEar
nings":0},{"high":0,"name":"Bluedragon","aspRank":102,"critical":0,"earnings":13,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":13,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Lin511","aspRank":103,"critical":0,"earnings":13,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":13,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"harrySR","aspRank":104,"critical":0,"earnings":13,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":13,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"soloi","aspRank":105,"critical":0,"earnings":11,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":11,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ShabihEthSec","aspRank":107,"critical":0,"earnings":0,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":2,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":5,"name":"[redacted]","aspRank":"disqualified","critical":1,"earnings":0,"insights":2,"mediumLow":3,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":9,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP
","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":1,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":2,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":1,"earnings":0,"insights":0,"mediumLow":2,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":3,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":1,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0}],"boostedSummaryReport":"https://drive.google.com/file/d/18d2IXnGAEk3ievLk5h4LG2B9M1DaQEhz/view?usp=sharing","ecosystem":null,"endDate":"2025-08-14T19:00:00.000Z","evaluationEndDate":"2025-11-07T20:00:00.000Z","features":["Attackathon","Managed Triage: Signal Booster","Vault"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2025-07-17T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6GhS39Mt2KXgB4VxBjDHmx/e513dd84210b34afbb72b65835187c95/Logomark-BG-Black_cropped.png","maxBounty":200000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Plume is a public, EVM-compatible blockchain optimized for the rapid adoption and demand-driven integration of real world assets (RWAs).\n\nFor more information about Plume Network, please visit 
[https://plume.org/](https://plume.org/).","programType":["Smart Contract"],"project":"Attackathon | Plume Network","projectType":null,"rewardsBody":"__Reward Terms__\n\nRewards are distributed among SRs according to Immunefi’s [Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes All Star Pool and Podium Pool reserved for [All Star Program](https://immunefi.com/allstars/) participants. \n\nRewards are denominated in USD and distributed in USDC on Ethereum.\n\nThe reward pool is determined by the greatest severity bug found.\n\n- A Critical is found - **$200,000 USD**\n- A High is found - **$150,000 USD**\n- A Medium is found - **$100,000 USD**\n- A Low is found \t- **$50,000 USD**\n- If none of the above conditions apply then the reward pool is - **$30,000 USD**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid and unlock the corresponding reward pool.\n\n__Code Freeze Assurance__\n\nCode of the assets in scope is frozen while the program is live.\n\nDuplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.\n\nThe project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\n**Duplicates of Insight reports are not eligible for a reward.**\n\n__Proof of Concept (PoC) Requirements__\n\nFor this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact.\nFor unclear reports or to resolve disputes Immunefi may still require a runnable PoC. Read more about it in [Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Audit-Competition-Proof-of-Concept-Rules)","rewardsPool":200000,"primaryPool":140000,"allStarsPool":40000,"podiumPool":20000,"rewardsToken":"USDC","slug":"plume-network-attackathon","tenPercentEconomicRule":false,"updatedDate":"2025-12-16T14:33:59.639Z","impactsBody":"**Build commands, Test commands, and instructions on how to run them:**\n\n- [https://github.com/plumenetwork/contracts/blob/main/plume/README.md](https://github.com/plumenetwork/contracts/blob/main/plume/README.md) - Staking\n- [https://github.com/plumenetwork/contracts/blob/main/plume/SPIN.md](https://github.com/plumenetwork/contracts/blob/main/plume/SPIN.md) - Daily Spin\n- [https://github.com/plumenetwork/contracts/blob/main/arc/README.md](https://github.com/plumenetwork/contracts/blob/main/arc/README.md) - Arc Token\n\n**Previous Audits**\n\nPlume Network’s completed audit reports can be found at [https://github.com/plumenetwork/contracts/blob/main/plume/audit/immunefi.pdf](https://github.com/plumenetwork/contracts/blob/main/plume/audit/immunefi.pdf) & [https://github.com/plumenetwork/contracts/blob/main/plume/audit/ottersec.pdf](https://github.com/plumenetwork/contracts/blob/main/plume/audit/ottersec.pdf). 
Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n**Public Disclosure of Known Issues**\n\nBug reports for publicly disclosed bugs are not eligible for a reward. \n- None\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nNo – from the security-reviewer’s perspective this should be treated as a fresh, stand-alone system.\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\n- ERC-20 –\n     - The native stake/reward token $PLUME functions like an ERC-20 (plus an “ETH-style” 0xEeee… sentinel for native transfers).\n     - Any ERC-20 can be added as a reward token via addRewardToken.\n- No support for ERC-721, ERC-777, ERC-1155 in the staking contracts themselves.\n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\n- The bug requires privileged roles (TIMELOCK_ROLE / ADMIN_ROLE) to mis-configure a contract in a way that is already disallowed by policy.\n- The issue is a gas-optimisation or low-severity DOS that does not cause loss of funds or permanent unavailability.\n- Attacks that rely on an external system (e.g. 
the treasury implementation, oracle feeds, validators’ off-chain behaviour) operating maliciously within their allowed privileges.\n- Issues that only affect test / script code or out-of-scope directories.\n- Findings that depend on the administrator intentionally doing things.\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\n\nThe addresses holding the following roles are considered trusted, and their actions, when performed within the defined capabilities of their roles, are out of scope:\n- ADMIN_ROLE / TIMELOCK_ROLE: The system's highest-level administrators.\n- VALIDATOR_ROLE: The role responsible for adding and removing validators from the set.\n- REWARD_MANAGER_ROLE: The role responsible for managing reward tokens and their emission rates.\n- l2AdminAddress (Validator Admin): The address that manages a specific validator's commission and other settings.\n\n**What external dependencies are there?**\n\nThe project has the following key external dependencies:\n- solidstate-solidity: Used for the core Diamond Proxy architecture.\n- @openzeppelin/contracts-upgradeable: Used for standard, secure, and upgradeable components like ReentrancyGuardUpgradeable and SafeERC20.\n\n**What are the most valuable educational resources already available? (Ie. 
Documentation, Explainer videos or articles, etc)**\n\n- https://github.com/plumenetwork/contracts/blob/main/plume/SPIN.md <- Daily Spin & Raffle Contracts high level overview\n- https://github.com/plumenetwork/contracts/tree/main/plume <- Plume’s staking contracts overview\n- https://github.com/plumenetwork/contracts/tree/main/arc <- Arc explanations","websiteUrl":"https://plumenetwork.xyz/","githubUrl":null,"eligibilityCriteria":["no_official_contributor","no_employee","no_auditor","no_ofac_sdn"],"responsiblePublicationCategory":null,"description":"Plume is a public, EVM-compatible blockchain optimized for the rapid adoption and demand-driven integration of real world assets (RWAs).","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":5659,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token 
funds"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5660,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"4zNz5jgaUE0i4aA8acqs86","url":"https://scrollscan.com/address/0xF4e147Db314947fC1275a8CbB6Cde48c510cd8CF","type":"smart_contract","addedAt":"2025-12-15T11:39:45.860Z","revision":1,"description":"EtherFiSafeFactory","isPrimacyOfImpact":null},{"id":"3Y3KY8G7j3PCjIzw6ZsXc0","url":"https://scrollscan.com/address/0xc5F2764383f93259Fba1D820b894B1DE0d47937e","type":"smart_contract","addedAt":"2025-12-15T11:39:45.918Z","revision":1,"description":"SettlementDispatcherPix","isPrimacyOfImpact":null},{"id":"2zKyeCHltV6Sg958ogD46S","url":"https://scrollscan.com/address/0xC1ab383b81fD81803a54c4d50A7b7d4A31a317b4","type":"smart_contract","addedAt":"2025-12-15T11:39:45.838Z","revision":1,"description":"StargateModule","isPrimacyOfImpact":null},{"id":"oxgUUBaFGwnTHwTqqlrB6","url":"https://scrollscan.com/address/0x96bae80F91DA04a59CeF9dCE3bB1081De041C1d5","type":"smart_contract","addedAt":"2025-12-15T11:39:45.858Z","revision":1,"description":"WormholeModule","isPrimacyOfImpact":null},{"id":"1Ku2TARJcxyKedCy9I1zxy","url":"https://scrollscan.com/address/0x9623e86Df854FF3b48F7B4079a516a4F64861Db2","type":"smart_contract","addedAt":"2025-12-15T11:39:46.100Z","revision":1,"description":"SettlementDispat
cherReap","isPrimacyOfImpact":null},{"id":"11zY8GfTiSn5rWsXNopwPO","url":"https://scrollscan.com/address/0x83393192c7e8B3b9250312387f7C6B26495736aA","type":"smart_contract","addedAt":"2025-12-15T11:39:46.203Z","revision":1,"description":"TopUpDestNativeGateway","isPrimacyOfImpact":null},{"id":"3uVHHh3DlVzz0e4rXbv9Ri","url":"https://scrollscan.com/address/0x7DA874f3BacA1A8F0af27E5ceE1b8C66A772F84E","type":"smart_contract","addedAt":"2025-12-15T11:39:46.152Z","revision":1,"description":"CashLens","isPrimacyOfImpact":null},{"id":"2STXQ0LG5Yq08ijNotefzY","url":"https://scrollscan.com/address/0x7Ca0b75E67E33c0014325B739A8d019C4FE445F0","type":"smart_contract","addedAt":"2025-12-15T11:39:46.204Z","revision":1,"description":"CashModule","isPrimacyOfImpact":null},{"id":"tZLbcMk555SEuIwupWuuf","url":"https://scrollscan.com/address/0x5D3c4f5CF2208bB54e8fd129730d01D82d4611b3","type":"smart_contract","addedAt":"2025-12-15T11:39:46.337Z","revision":1,"description":"EtherFiHook","isPrimacyOfImpact":null},{"id":"kRCvTXJVFunKMZld1srxS","url":"https://scrollscan.com/address/0x5C1E3D653fcbC54Ae25c2AD9d59548D2082C687B","type":"smart_contract","addedAt":"2025-12-15T11:39:46.427Z","revision":1,"description":"RoleRegistry","isPrimacyOfImpact":null},{"id":"2VSC5ooJ9l0ErTCkYSS2my","url":"https://scrollscan.com/address/0x51142BC586A7b4cbECDCD5B0C68064714B322CBC","type":"smart_contract","addedAt":"2025-12-15T11:39:46.465Z","revision":1,"description":"BeHYPEStakeModule","isPrimacyOfImpact":null},{"id":"6Ww36c6LDuEuFhhdMyJUAG","url":"https://scrollscan.com/address/0x50A233C4a0Bb1d7124b0224880037d35767a501C","type":"smart_contract","addedAt":"2025-12-15T11:39:46.472Z","revision":1,"description":"SettlementDispatcherRain","isPrimacyOfImpact":null},{"id":"2I46GcEZOuw1WoqtN2x6hj","url":"https://scrollscan.com/address/0x4dEAa5f2e1CD1A792304d1649EdfA35D565F9346","type":"smart_contract","addedAt":"2025-12-15T11:39:46.678Z","revision":1,"description":"OpenOceanSwapModule","isPrimacyOfImpact":null},{"i
d":"3mQp3dvPMpoqPUBpjGOBlt","url":"https://scrollscan.com/address/0x44dd2372FE7B97C4B4D6a7d4DeCf72466485BAcB","type":"smart_contract","addedAt":"2025-12-15T11:39:46.607Z","revision":1,"description":"PriceProvider","isPrimacyOfImpact":null},{"id":"wgAYdHvq1aJSxqcQPkyjp","url":"https://scrollscan.com/address/0x40c8438e9cc3B7817aeb117cd0d7B829c32bfEd8","type":"smart_contract","addedAt":"2025-12-15T11:39:48.461Z","revision":1,"description":"EtherFiStakeModule","isPrimacyOfImpact":null},{"id":"1In2G92gz2IMbe4ykQJyst","url":"https://scrollscan.com/address/0x3a6A724595184dda4be69dB1Ce726F2Ac3D66B87","type":"smart_contract","addedAt":"2025-12-15T11:39:48.460Z","revision":1,"description":"TopUpDest","isPrimacyOfImpact":null},{"id":"5K0zK0BwYZAITRhzGQUN9L","url":"https://scrollscan.com/address/0x2A0E60E26a118fF6F181B98666E6FD6BBf3e1826","type":"smart_contract","addedAt":"2025-12-15T11:39:48.701Z","revision":1,"description":"EtherFiLiquidModule","isPrimacyOfImpact":null},{"id":"4MT33D3DXrrgfD0zPHcGlm","url":"https://scrollscan.com/address/0x2539031cD38e98317Cd246c8ED36F31117e6725b","type":"smart_contract","addedAt":"2025-12-15T11:39:48.556Z","revision":1,"description":"SettlementDispatcherCardOrder","isPrimacyOfImpact":null},{"id":"1KRi5oqM9XgngBLnbWpnqm","url":"https://scrollscan.com/address/0x23C4dc847Cd876D4ca2C15b4a1EAD349dC705082","type":"smart_contract","addedAt":"2025-12-15T11:39:48.609Z","revision":1,"description":"LiquidUSDLiquifierModule","isPrimacyOfImpact":null},{"id":"3RFjeDBWASNBVmbfFSySRI","url":"https://scrollscan.com/address/0x0078C5a459132e279056B2371fE8A8eC973A9553","type":"smart_contract","addedAt":"2025-12-15T11:39:48.763Z","revision":1,"description":"DebtManager","isPrimacyOfImpact":null},{"id":"01rqgWcnACkwsrRosRQrFI","url":"https://etherscan.io/address/0xf76f1bea29b5f63409a9d9797540A8E7934B52ea","type":"smart_contract","addedAt":"2025-12-15T11:39:48.767Z","revision":1,"description":"PixWalletAutoTopup","isPrimacyOfImpact":null},{"id":"2GeQalgLdlpaEV0IEn
BEV0","url":"https://etherscan.io/address/0xF4e147Db314947fC1275a8CbB6Cde48c510cd8CF","type":"smart_contract","addedAt":"2025-12-15T11:39:48.851Z","revision":1,"description":"TopUpSourceFactory","isPrimacyOfImpact":null},{"id":"7gmhiXCUlKQeINbL95asN7","url":"https://etherscan.io/address/0xeb39db7a020DB2ac0890d51F9d5b817e7ef2b1A3","type":"smart_contract","addedAt":"2025-12-15T11:39:48.926Z","revision":1,"description":"StargateAdapter","isPrimacyOfImpact":null},{"id":"2NsAhwlGoFHhl0PFs1wJcN","url":"https://etherscan.io/address/0x86016539796E660d4cD333459378763FaFFa6Eee","type":"smart_contract","addedAt":"2025-12-15T11:39:48.983Z","revision":1,"description":"EtherFiLiquidBridgeAdapter","isPrimacyOfImpact":null},{"id":"18JJ7f3vNjIsWfdWwsCjJx","url":"https://etherscan.io/address/0x55963de88267Aa3D1D995c359e8068D0Df34BEBb","type":"smart_contract","addedAt":"2025-12-15T11:39:49.230Z","revision":1,"description":"RoleRegistry","isPrimacyOfImpact":null},{"id":"1p9VkFaXP1Fph6U14o8upw","url":"https://etherscan.io/address/0x3E0ccbce6c3beC4826397005c877BE66C39D9912","type":"smart_contract","addedAt":"2025-12-15T11:39:49.094Z","revision":1,"description":"EtherFiOFTBridgeAdapter","isPrimacyOfImpact":null},{"id":"3MSsRdziPsyu1ki9pHDSqB","url":"https://etherscan.io/address/0x319a33b9A3080c17A825E3A539c49A60bbB2E793","type":"smart_contract","addedAt":"2025-12-15T11:39:50.753Z","revision":1,"description":"ScrollERC20BridgeAdapter","isPrimacyOfImpact":null},{"id":"1DjrhlVlPPDGITC54sXF3G","url":"https://etherscan.io/address/0x16B4AE4D4c96793524084A22E6f4c160cad08975","type":"smart_contract","addedAt":"2025-12-15T11:39:49.158Z","revision":1,"description":"NTTAdapter","isPrimacyOfImpact":null},{"id":"120CLvIbCI0GfZsRbSfzdn","url":"https://etherscan.io/address/0x1b7a4c3797236a1c37f8741c0be35c2c72736fff","type":"smart_contract","addedAt":"2025-11-25T09:45:28.779Z","revision":1,"description":"EtherFiRestaker","isPrimacyOfImpact":null},{"id":"1303lLlHGA687XTXJhYv74","url":"https://etherscan.io
/address/0x9ffdf407cde9a93c47611799da23924af3ef764f","type":"smart_contract","addedAt":"2024-03-27T14:08:17.092Z","revision":2,"description":"Liquifier","isPrimacyOfImpact":null},{"id":"1Ll7vI3rYsrru9vCBHItK5","url":"https://optimistic.etherscan.io/address/0x346e03F8Cce9fE01dCB3d0Da3e9D00dC2c0E08f0","type":"smart_contract","addedAt":"2024-03-27T14:09:42.893Z","revision":2,"description":"weETH","isPrimacyOfImpact":null},{"id":"1wOyq4VRUMY8OkzPUPutpp","url":"https://etherscan.io/address/0x9f26d4C958fD811A1F59B01B86Be7dFFc9d20761","type":"smart_contract","addedAt":"2024-03-27T14:08:59.246Z","revision":2,"description":"EtherFiTimelock","isPrimacyOfImpact":null},{"id":"1yIAVv8N9v078R61CgflhL","url":"https://etherscan.io/address/0x6599861e55abd28b91dd9d86A826eC0cC8D72c2c","type":"smart_contract","addedAt":"2024-03-27T14:06:10.761Z","revision":2,"description":"BNFT","isPrimacyOfImpact":null},{"id":"2D4yzSdYpzGe4gJQ6VPQ7T","url":"https://www.ether.fi/","type":"websites_and_applications","addedAt":"2024-03-27T14:10:12.383Z","revision":2,"description":"Home 
Page","isPrimacyOfImpact":null},{"id":"2FeXdNPYmVwhq5t74zIy3Q","url":"https://etherscan.io/address/0x7B5ae07E2AF1C861BcC4736D23f5f66A61E0cA5e","type":"smart_contract","addedAt":"2024-03-27T14:06:24.426Z","revision":2,"description":"TNFT","isPrimacyOfImpact":null},{"id":"2aEaLiPdYdbH7g3B4DrZT7","url":"https://etherscan.io/address/0xcd2eb13D6831d4602D80E5db9230A57596CDCA63","type":"smart_contract","addedAt":"2025-11-25T09:45:28.550Z","revision":1,"description":"EtherFiOFTAdapter","isPrimacyOfImpact":null},{"id":"2htamZLzaAjq5vDOlyc71T","url":"https://etherscan.io/address/0x2093Bbb221f1d8C7c932c32ee28Be6dEe4a37A6a","type":"smart_contract","addedAt":"2025-11-25T09:45:28.835Z","revision":1,"description":"EtherFiAvsOperatorsManager","isPrimacyOfImpact":null},{"id":"2xCLowHsFcqBIJP8oqjd6k","url":"https://etherscan.io/address/0x25e821b7197B146F7713C3b89B6A4D83516B912d","type":"smart_contract","addedAt":"2024-03-27T14:03:36.585Z","revision":2,"description":"Staking Manager","isPrimacyOfImpact":null},{"id":"2zh0vxsLNibjito6kBu52K","url":"https://etherscan.io/address/0x00C452aFFee3a17d9Cecc1Bcd2B8d5C7635C4CB9","type":"smart_contract","addedAt":"2024-03-27T14:03:18.574Z","revision":2,"description":"Auction Manager","isPrimacyOfImpact":null},{"id":"3ChX1nvW26FKIHmL9NxNeZ","url":"https://etherscan.io/address/0xD789870beA40D056A4d26055d0bEFcC8755DA146","type":"smart_contract","addedAt":"2025-11-25T09:45:28.507Z","revision":1,"description":"EtherfiL1SyncPoolETH","isPrimacyOfImpact":null},{"id":"42RlSJJZcfIjDqYmX7SjOG","url":"https://etherscan.io/address/0xeA1A6307D9b18F8d1cbf1c3Dd6aad8416C06a221","type":"smart_contract","addedAt":"2024-03-27T14:09:15.058Z","revision":2,"description":"Liquid 
Vault","isPrimacyOfImpact":null},{"id":"4NoMPMpcJfCeu1C2ZRxOPG","url":"https://etherscan.io/address/0xCd5fE23C85820F7B72D0926FC9b05b43E359b7ee","type":"smart_contract","addedAt":"2024-03-27T14:06:52.935Z","revision":2,"description":"WeETH","isPrimacyOfImpact":null},{"id":"4uVgQGXhcot3l2QrgZ4UYd","url":"https://arbiscan.io/address/0x35751007a407ca6FEFfE80b3cB397736D2cf4dbe","type":"smart_contract","addedAt":"2024-03-27T14:09:56.488Z","revision":2,"description":"weETH","isPrimacyOfImpact":null},{"id":"53Nsmha6jTe7arK3MKMlYn","url":"https://etherscan.io/address/0xDadEf1fFBFeaAB4f68A9fD181395F68b4e4E7Ae0","type":"smart_contract","addedAt":"2025-11-25T09:45:28.630Z","revision":1,"description":"EtherFiRedemptionManager","isPrimacyOfImpact":null},{"id":"5Grjt7AezPToeAWD9F61LU","url":"https://etherscan.io/address/0x57AaF0004C716388B21795431CD7D5f9D3Bb6a41","type":"smart_contract","addedAt":"2024-03-27T14:08:30.678Z","revision":2,"description":"EtherFiOracle","isPrimacyOfImpact":null},{"id":"5xTZ7xC0uueFcUsXsqSBPi","url":"https://etherscan.io/address/0x9A8c5046a290664Bf42D065d33512fe403484534","type":"smart_contract","addedAt":"2025-11-25T09:45:28.795Z","revision":1,"description":"CumulativeMerkleRewardsDistributor","isPrimacyOfImpact":null},{"id":"5yl0inwORMkKxzOzdp8H2O","url":"https://etherscan.io/address/0x308861A430be4cce5502d0A12724771Fc6DaF216","type":"smart_contract","addedAt":"2024-03-27T14:07:22.048Z","revision":2,"description":"Liquidity Pool","isPrimacyOfImpact":null},{"id":"6AkBTkY7O9NjCTHaeQmqgx","url":"https://etherscan.io/address/0xd5edf7730ABAd812247F6F54D7bd31a52554e35E","type":"smart_contract","addedAt":"2024-03-27T14:07:37.476Z","revision":2,"description":"Node Operator 
Manager","isPrimacyOfImpact":null},{"id":"6Vy2o5DP1kA4RIcHGw5SP5","url":"https://etherscan.io/address/0x8B71140AD2e5d1E7018d2a7f8a288BD3CD38916F","type":"smart_contract","addedAt":"2024-03-27T14:03:50.338Z","revision":2,"description":"EtherFiNodesManager","isPrimacyOfImpact":null},{"id":"6eUqLBCo0SwwI58H5VHqf6","url":"https://etherscan.io/address/0x7d5706f6ef3F89B3951E23e557CDFBC3239D4E2c","type":"smart_contract","addedAt":"2024-03-27T14:07:06.411Z","revision":2,"description":"WithdrawRequestNFT","isPrimacyOfImpact":null},{"id":"6gl1agKHPCnpIK4iqjuotT","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-03-27T14:11:09.064Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"6sCC8aO9rTumD4JAsncKro","url":"https://etherscan.io/address/0xFe0c30065B384F05761f15d0CC899D4F9F9Cc0eB","type":"smart_contract","addedAt":"2024-03-27T14:07:51.213Z","revision":2,"description":"ETHFI","isPrimacyOfImpact":null},{"id":"6w9axojYwpcf2rfXlEKR0h","url":"https://zkevm.polygonscan.com/address/0xcD68DFf4415358c35a28f96Fd5bF7083B22De1D6","type":"smart_contract","addedAt":"2024-03-27T14:09:29.421Z","revision":2,"description":"weETH","isPrimacyOfImpact":null},{"id":"7HDFKeWKojcNzkGhunYfC2","url":"https://etherscan.io/address/0x3c55986Cfee455E2533F4D29006634EcF9B7c03F","type":"smart_contract","addedAt":"2025-11-25T09:45:28.772Z","revision":1,"description":"EtherFi Node 
Beacon","isPrimacyOfImpact":null},{"id":"7f19AEpUHbVjeUTrWOjOwp","url":"https://etherscan.io/address/0x0EF8fa4760Db8f5Cd4d993f3e3416f30f942D705","type":"smart_contract","addedAt":"2024-03-27T14:08:45.288Z","revision":2,"description":"EtherFiAdmin","isPrimacyOfImpact":null},{"id":"7jdeAVtrt34MgO9btIwFIh","url":"https://etherscan.io/address/0x35fA164735182de50811E8e2E824cFb9B6118ac2","type":"smart_contract","addedAt":"2024-03-27T14:06:38.339Z","revision":2,"description":"eETH","isPrimacyOfImpact":null},{"id":"7k97nFCtfbGt0Ow9PeBxfb","url":"https://etherscan.io/address/0x6329004E903B7F420245E7aF3f355186f2432466","type":"smart_contract","addedAt":"2024-03-27T14:08:04.011Z","revision":2,"description":"Treasury","isPrimacyOfImpact":null},{"id":"T49I7xj0FRn1me4rCnzqv","url":"https://etherscan.io/address/0x52bbF281fbcFa7cF3e9101A52aF5dCb32754E3c0","type":"smart_contract","addedAt":"2024-03-27T14:04:33.906Z","revision":2,"description":"EtherFiNode","isPrimacyOfImpact":null},{"id":"aRGGpIyN6x7L7GOvhRxjD","url":"https://etherscan.io/address/0xcfC6d9Bd7411962Bfe7145451A7EF71A24b6A7A2","type":"smart_contract","addedAt":"2025-11-25T09:45:28.502Z","revision":1,"description":"Deposit Adapter","isPrimacyOfImpact":null},{"id":"yyUTcnCSt45l7OECclB21","url":"https://app.ether.fi","type":"websites_and_applications","addedAt":"2024-03-27T14:10:26.037Z","revision":2,"description":"etherfi dapp","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Subscription Plan: 
Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity","NextJS"],"launchDate":"2024-03-27T01:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6uARdqsJxpv7UY78Xbg27/bce4b93c8e971a1a55315d80310f1b9f/ether_fi1677585111698.png","maxBounty":300000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Yield Aggregator","Liquid Restaking"],"programOverview":"ether.fi is a decentralized, non-custodial delegated staking protocol with a Liquid Staking token. One of the distinguishing characteristics of ether.fi is that stakers control their keys. The ether.fi mechanism also allows for the creation of a node services marketplace where stakers and node operators can enroll nodes to provide infrastructure services.\n\nFor more information about ether.fi, please visit https://www.ether.fi/\n\nether.fi provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nether.fi will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nether.fi adheres to the Primacy of Impact for the following level:\n\n- Smart contract - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- All issues covered by previous audits.\n- All issues previously reported via bug bounty or audit competitions.\n- Anything related to the ether.fan project.\n- https://github.com/etherfi-protocol/smart-contracts/issues/25\n\n__Previous Audits__\n\nether.fi’s completed audit reports can be found at https://etherfi.gitbook.io/etherfi/security/audits. Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, ether.fi has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Smart Contract","Websites and Applications"],"project":"Ether.fi","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 300 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 15 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nPermanent freezing of funds impact\n\n- Funds affected > 3% is considered a critical severity bug\n- Funds affected > 0.5% but < 3% is considered a high severity bug\n- Anything below 0.5% is considered a medium severity bug\n\nProtocol permanent insolvency impact\n\n- If the bug affects > 3% of the debt/collateral, it is considered a critical severity bug\n- If the bug affects > 0.5% but < 3% of the debt/collateral, it is considered a high severity bug\n- Anything below 0.5% is considered a medium severity bug\n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within the specified range depending on the funds at risk, capped at the maximum high reward.  \n\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. 
This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Calculation for Medium Level Reports__\n\nMedium vulnerabilities concerning theft/temporary freezing of unclaimed yield/royalties are rewarded within the specified range depending on the funds at risk and the depth of the analysis, capped at the maximum high reward.  \n\nCritical web/apps bug reports will be rewarded with USD 25 000 only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds\n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 5 000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the ether.fi team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"etherfi","updatedDate":"2025-12-15T11:39:59.841Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"# ether.fi ~ DefiBank\n\nether.fi is building the future of decentralized financial banking through innovative staking solutions, automated DeFi strategies, and secure financial primitives.\n\n## 🌊 Liquid Re-Staking\n- Efficient ETH staking with automated staking and restaking management\n- Most widely adopted liquid staking solution in the DeFi ecosystem\n- Strictly controlled AVS Restaking by Protocol\n- Security through comprehensive audits and formal verification\n- Seamless Cross-chain bridge support\n\n\n## 💳 Cash\n- Credit Card powered by ether.fi's non-custodial solution featuring:\n- Key management via secure enclave architecture through TEE\n- Universal cross-chain addressing for the best on-ramp experience\n- Modular security design with role-based access control\n- Seamless DeFi banking experience\n- Advanced hook system for transaction","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Issues that are discovered by the previous audits\n- Anything related to the ether.fan project.","customProhibitedActivities":[],"impacts":[{"id":4775,"type":"smart_contract","severity":"low","title":"Block stuffing that results in material freezing or loss of funds or significantly impedes the operation of the protocol"},{"id":4776,"type":"smart_contract","severity":"low","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) that results in material freezing or loss of funds or significantly impedes operation of the protocol"},{"id":4777,"type":"smart_contract","severity":"low","title":"Theft of gas"},{"id":4778,"type":"smart_contract","severity":"low","title":"Unbounded gas consumption"},{"id":4779,"type":"websites_and_applications","severity":"low","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:  Reflected HTML injection, Loading external site data"},{"id":4780,"type":"websites_and_applications","severity":"low","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Changing the name of user, Enabling/disabling notifications"},{"id":4781,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:  Iframing leading to modifying the backend/browser state (demonstrate 
impact with PoC)"},{"id":4782,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:  Social media handles, etc."},{"id":4783,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:  Locking up the victim from login, Cookie bombing, etc."},{"id":4784,"type":"smart_contract","severity":"high","title":"Manipulation of on-chain governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":4785,"type":"smart_contract","severity":"high","title":"Theft of material unclaimed yield"},{"id":4786,"type":"smart_contract","severity":"high","title":"Permanent freezing of material unclaimed yield"},{"id":4787,"type":"smart_contract","severity":"high","title":"Permanent freezing of material unclaimed royalties"},{"id":4788,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4789,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email, Password of the victim etc."},{"id":4790,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:  Email address, Phone number, Physical address, etc."},{"id":4791,"type":"smart_contract","severity":"medium","title":"Temporary freezing of material funds"},{"id":4792,"type":"smart_contract","severity":"critical","title":"Protocol permanent insolvency"},{"id":4793,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a 
running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":4794,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":4795,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"},{"id":5843,"type":"smart_contract","severity":"high","title":"Protocol insolvency that can be fixed"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the 
application/website"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"}],"rewards":[{"id":39464,"severity":"critical","assetType":"smart_contract","maxReward":300000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39465,"severity":"high","assetType":"smart_contract","maxReward":15000,"minReward":5000,"rewardModel":"range"},{"id":39466,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":39467,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":39468,"severity":"critical","assetType":"websites_and_applications","maxReward":25000,"minReward":5000,"rewardModel":"range"},{"id":39469,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":39470,"severity":"medium","assetType":"websites_and_applications","fixedReward":3000,"rewardModel":"fixed"},{"id":39471,"severity":"low","assetType":"websites_and_applications","fixedReward":1500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"18liAnHwE6kAUPXBNjvUqI","url":"https://bridge.availproject.org","type":"websites_and_applications","addedAt":"2024-07-23T02:00:00.000Z","revision":4,"description":"Bridge 
UI","isPrimacyOfImpact":null},{"id":"2H8B6VRAaNU6KqQ8JMd7JZ","url":"https://github.com/availproject/contracts","type":"smart_contract","addedAt":"2024-07-23T02:00:00.000Z","revision":2,"description":"Avail Bridge Smart Contracts","isPrimacyOfImpact":null}],"assetsBodyV2":"Fusion contracts (Fusion.sol,...) are out of scope as they are not in production.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-07-23T02:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/37wGk8Qz27HTCY0URGtIzR/3c3171085fec2e44832cc45a25326d09/avail.png","maxBounty":250000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Avail’s codebase can be found at [https://github.com/availproject](https://github.com/availproject). \n\nDocumentation and further resources can be found on [https://docs.availproject.org/docs/introduction-to-avail](https://docs.availproject.org/docs/introduction-to-avail).","productType":["L2"],"programOverview":"Avail is designed to be a platform that connects different ecosystems by providing a modular, scalable, and interoperable platform.\nAvail's vision is to provide a cohesive, unified user experience within a flexible and modular blockchain ecosystem, drawing on lessons from Web2 to innovate in Web3. 
Avail is not just building a product; we are pioneering a new category in the blockchain space, paving the way for an era of enhanced scalability and seamless integration.\n\n\nAvail aims to provide a cohesive platform that bridges the gaps between various blockchain ecosystems.\nBy implementing the right primitives and standards, Avail seeks to ensure interoperability and cooperation among diverse blockchain networks. This approach not only enhances the user experience but also fosters a more integrated and efficient blockchain ecosystem.\nWith Avail's foundational DA layer, different ecosystems can innovate on top freely, while leveraging Nexus for cross-ecosystem messaging.\nFor more information about Avail, please visit https://www.availproject.org/\n\nAvail provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nAvail will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nAvail’s completed audit reports can be found at [https://github.com/availproject/audits](https://github.com/availproject/audits). 
Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Avail has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract","Websites and Applications"],"project":"Avail","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward USD 250,000. However, a minimum reward of USD 25,000 is to be rewarded in order to incentivize security researchers against withholding on a bug report. 
Note that critical Blockchain/DLT bugs need to be able to exploit the runtime layer of the blockchain, as the critical chain logic is strictly part of the runtime.\n\nFor critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows: \n\n- Network not being able to confirm new transactions (total network shutdown) - USD 30,000\n- Unintended permanent chain split requiring hard fork (network partition requiring hard fork) - USD 30,000\n- Permanent freezing of funds (fix requires hardfork) - USD 30,000\n\nFor high Blockchain/DLT non-funds-at risk impacts, the reward will be paid out as follows: \n\n- Unintended chain split (network partition) - USD 20,000\n- Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments - USD 20,000\n- Causing network processing nodes to process transactions from the mempool beyond set parameters - USD 20,000\n- RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer - USD 20,000\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 250,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 25,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. 
\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 5,000 to USD 20,000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nCritical web/apps bug reports will be rewarded with USD 20,000 only if the impact leads to:\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds\n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 6,000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Avail team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"avail","tenPercentEconomicRule":false,"updatedDate":"2025-12-15T09:56:17.673Z","impactsBody":null,"websiteUrl":"https://www.availproject.org/","githubUrl":"https://github.com/availproject","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Avail is designed to be a platform that connects different ecosystems by providing a modular, scalable, and interoperable platform. Avail Nexus powers the new onchain world, beyond the boundaries of siloed blockchain networks. \nAvail's vision is to provide a cohesive, unified user experience within a flexible and modular blockchain ecosystem, drawing on lessons from Web2 to innovate in Web3. Avail is not just building a product; we are pioneering a new category in the blockchain space, paving the way for an era of enhanced scalability and seamless integration.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4991,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:  Locking up the victim from login Cookie bombing, etc."},{"id":4992,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:  Social media handles, etc."},{"id":4993,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction & with significant user interaction, such as: Iframing leading to modifying the backend/browser state(must demonstrate impact with POC)"},{"id":4995,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:  Email address, Phone number, Physical address, etc."},{"id":4996,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email, Password of the victim etc."},{"id":4997,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":5001,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on 
the target application without JavaScript (reflected), such as:  Reflected HTML injection, Loading external site data"},{"id":5002,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users(including modifying browser local storage)without already-connected wallet interaction & with up to one click of user interaction, such as: Changing the first/last name of user, Enabling/disabling notifications"},{"id":5005,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters Substituting contract addresses Submitting malicious transactions"},{"id":5006,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":5007,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":5008,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of 
funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open 
redirect)"}],"rewards":[{"id":39457,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39458,"severity":"high","assetType":"smart_contract","maxReward":40000,"minReward":5000,"rewardModel":"range"},{"id":39459,"severity":"medium","assetType":"smart_contract","fixedReward":4000,"rewardModel":"fixed"},{"id":39460,"severity":"critical","assetType":"websites_and_applications","maxReward":20000,"minReward":6000,"rewardModel":"range"},{"id":39461,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":39462,"severity":"medium","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"},{"id":39463,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1JfwFSpo0nZFAaI31LmARS","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/withdraw.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:44.174Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"1RYmjqsF0z6qqdaMAwQ1WR","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/noop.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:43.111Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"1oECMbQA4CS61pjw0aH16T","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/serialization.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:08:00.603Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"1uDwUySmV9zuWOowAZnLhr","url":"https://github.com/matter-labs/zksync/blob/breaking/contracts/contracts/ZkSyncNFTFactory.sol","type":"smart_contract","addedAt":"2022-05-10T16:07:36.557Z","revision":2,"description":"NFT 
factory","isPrimacyOfImpact":null},{"id":"2GMG2aB0EZT1XsdFBluTyL","url":"https://checkout.zksync.io/link","type":"websites_and_applications","addedAt":"2022-05-10T16:08:06.927Z","revision":2,"description":"zkCheckout","isPrimacyOfImpact":null},{"id":"2KIkMOMqHfrRygaP6eHH5A","url":"https://github.com/matter-labs/zksync/blob/breaking/contracts/contracts/UpgradeGatekeeper.sol","type":"smart_contract","addedAt":"2022-05-10T16:07:29.274Z","revision":2,"description":"Upgrade gatekeeper","isPrimacyOfImpact":null},{"id":"2OztY7xwi5PeNQz5pZP0OS","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:37.610Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"36qsWHPQflEewdpMXYPHam","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/forced_exit.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:50.781Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"3BxO6MQ4XJWrBWsz1Y2KeS","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/change_pubkey_offchain.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:51.820Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"44bGdVLHU8UZjxsh3H06p7","url":"https://withdraw.zksync.io","type":"websites_and_applications","addedAt":"2022-05-10T16:08:05.908Z","revision":2,"description":"Alternative Withdrawal","isPrimacyOfImpact":null},{"id":"4C0B7klZkXWUphPVs79fzF","url":"https://github.com/matter-labs/zksync/blob/breaking/contracts/contracts/Proxy.sol","type":"smart_contract","addedAt":"2022-05-10T16:07:30.436Z","revision":2,"description":"Proxy","isPrimacyOfImpact":null},{"id":"4JahbPWXIwardoVadby6gh","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/circuit.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:38.610Z","revision":2,"description":"ZK-SNARK 
Circuits","isPrimacyOfImpact":null},{"id":"4UHNPtw6ufUcfeVQ88OgW7","url":"https://github.com/matter-labs/zksync/blob/breaking/contracts/contracts/Verifier.sol","type":"smart_contract","addedAt":"2022-05-10T16:07:33.559Z","revision":2,"description":"Verifier target","isPrimacyOfImpact":null},{"id":"4mTbtkI5tfjsPfydLUHnIA","url":"https://github.com/matter-labs/zksync/blob/breaking/contracts/contracts/Governance.sol","type":"smart_contract","addedAt":"2022-05-10T16:07:34.542Z","revision":2,"description":"Governance target","isPrimacyOfImpact":null},{"id":"5CiD7r99UHKoxzvwAeI6HK","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/deposit.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:47.631Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"5EfG8quE7pbkGrDCuG3L96","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/mint_nft.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:42.080Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"5EkDJ1rwEHDKUE3yCyTpgX","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/swap.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:45.382Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"5I2br5038sEjWevoKJ87i5","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/account.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:57.021Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"5RYerJsPzZLx0syF4mvqht","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/mod.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:40.847Z","revision":2,"description":"ZK-SNARK 
Circuits","isPrimacyOfImpact":null},{"id":"5WI2Iepavdz2X4XRvjId8O","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/transfer.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:48.717Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"5yTzCjWeVTSPgR434FcTKG","url":"https://github.com/matter-labs/zksync/blob/breaking/contracts/contracts/ZkSync.sol","type":"smart_contract","addedAt":"2022-05-10T16:07:31.463Z","revision":2,"description":"zkSync target","isPrimacyOfImpact":null},{"id":"6AHcklgjq2jIsATRjDhumE","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/transfer_to_new.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:49.721Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"6bilf9U9vhoGcUVDpx5XNq","url":"https://github.com/matter-labs/zksync/blob/breaking/contracts/contracts/AdditionalZkSync.sol","type":"smart_contract","addedAt":"2022-05-10T16:07:32.562Z","revision":2,"description":"Additional zkSync target","isPrimacyOfImpact":null},{"id":"6d0J797FXHjD3qRtQ4H9cP","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/signature.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:59.337Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"6gAAQCY9OAWOzpW2FHwbD8","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/utils.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:55.959Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"6oVV69FWRXUkOIFVJuxFV5","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/exit_circuit.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:39.607Z","revision":2,"description":"ZK-SNARK 
Circuits","isPrimacyOfImpact":null},{"id":"6r4fRTPM73OkXX5cbXIz71","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/utils.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:53.873Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"6xYJbiwS5eOU5aUCKYyYZu","url":"https://zkscan.io","type":"websites_and_applications","addedAt":"2022-05-10T16:08:03.770Z","revision":2,"description":"Explorer","isPrimacyOfImpact":null},{"id":"72BDZbEm3YAf9VOIzXXCNq","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/withdraw_nft.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:46.460Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"7GylRhl6TyNj150NCvGLz1","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/allocated_structures.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:54.908Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"7fsNul1Ses423mqv2jnrAu","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/operation.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:08:01.580Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"7gG9olyUZTFlcTC60BB0Yn","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/element.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:58.315Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null},{"id":"EtXyKEyMS3O6qZeSdBPtU","url":"https://github.com/matter-labs/zksync/blob/breaking/contracts/contracts/TokenGovernance.sol","type":"smart_contract","addedAt":"2022-05-10T16:07:35.529Z","revision":2,"description":"Token 
governance","isPrimacyOfImpact":null},{"id":"UMHLvLHfxnobjF926EqW9","url":"https://github.com/matter-labs/zksync/tree/master/core/lib/circuit/src/witness/full_exit.rs","type":"blockchain_dlt","addedAt":"2022-05-10T16:07:52.848Z","revision":2,"description":"ZK-SNARK Circuits","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program. \n\n__Note__ that the bug bounty program includes contracts from the currently active version of ZKsync target/governance target/additional ZKsync.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","zkSync"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust","Solidity"],"launchDate":"2022-03-15T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/BVBU3VYmZ7reZRrExTrGp/ba2e745ef785db7f3bae88ea8ba8523f/ZKTokenBlack.png","maxBounty":2300000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical","blockchain_dlt - critical","blockchain_dlt - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\nThe Blockchain/DLT impacts are only applicable for the ZK-SNARK Circuits assets in scope.\n\n__Smart Contracts__\n\n__Critical__\n  - Loss of user funds by permanent burning, freezing or direct theft\n  - Network shutdown\n\n__High__\n  - Temporary freezing of funds for at least 24 hours\n  - Forceful activation of exodus mode\n  - Blocking of upgrade system\n\n__Medium__\n  - Smart contract gas drainage\n  - Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)\n\n__Low__\n  - Smart contract fails to deliver promised returns, but doesn’t lose value \n\n__Blockchain/DLT ZK-SNARK Circuits__\n\n__Critical__\n  - Double spending\n  - Inability to generate a block for a priority operation that is added through a smart contract\n  - Minting fungible tokens not through a deposit\n  - Ability to steal/burn/freeze other people's tokens\n\n__High__\n  - Ability to execute a transaction with changed signed parameters (e.g. sender/recipient/amount/tokenId/feeToken/...)\n  - Ability to create a block with public input information that is not enough to restore state transition\n\n__Web/App__\n\n__Critical__\n  - Leak of user data\n  - Redirected funds by address modification\n  - Site goes down","productType":["L2","Zero-Knowledge Proofs"],"programOverview":"ZKsync Lite is a scaling engine for Ethereum. Its current functionality scope includes low gas transfers of ETH and ERC20 tokens, atomic swaps & limit orders as well as native L2 NFT support. \n\nZKsync Lite is built on ZK Rollup architecture. ZK Rollup is an L2 scaling solution in which all funds are held by a smart contract on the mainchain, while computation and storage are performed off-chain. For every Rollup block, a state transition zero-knowledge proof (SNARK) is generated and verified by the mainchain contract. This SNARK includes the proof of the validity of every single transaction in the Rollup block. Additionally, the public data update for every block is published over the mainchain network as cheap calldata.\n\nFor more information about ZKsync Lite, please visit [https://zksync.io/](https://zksync.io/).  
\n\nThis bug bounty program is focused on their smart contracts, ZK-SNARK circuits, web and app and is focused on preventing:\n\n  - Loss of user funds by permanent freezing or direct theft\n  - Temporary freezing of funds\n  - Smart contract destruction\n  - Double spending\n  - Ability to execute a transaction with changed signed parameters","programType":["Blockchain/DLT","Smart Contract","Websites and Applications"],"project":"ZKsync Lite","projectType":["Blockchain","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. For the ZK-SNARK Circuits, the classification will be based on the impacts listed on the Impacts in Scope section below\n\nAll critical and high severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 50 000__ for Critical bug reports. \n\n__KYC__\n\nZKsync has a Know Your Customer (KYC) requirement for bug bounty payouts. Government identification is required for the KYC process.\n\nPayouts are handled by the __ZKsync__ Lite team directly and are denominated in USD. 
However, payouts are done in __USDC__ via ZKsync Era.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"zksync","updatedDate":"2025-12-15T09:53:34.504Z","impactsBody":null,"websiteUrl":null,"githubUrl":"https://github.com/matter-labs/zksync","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"ZKsync Lite is a scaling engine for Ethereum. Its current functionality scope includes low gas transfers of ETH and ERC20 tokens, atomic swaps & limit orders as well as native L2 NFT support. ","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n\n  - Vulnerabilities that require physical access to a user’s device\n  - Issues that have no security impact (E.g. Failure to load a web page)\n  - Phishing (E.g. HTTP Basic Authentication Phishing)\n  - Attacks requiring MITM or physical access to a user’s device.\n  - Missing best practices without a working video Proof of Concept.\n\n","customProhibitedActivities":[],"impacts":[{"id":2083,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":2084,"type":"smart_contract","severity":"high","title":"Forceful activation of exodus mode"},{"id":2085,"type":"smart_contract","severity":"high","title":"Blocking of upgrade system"},{"id":2086,"type":"blockchain_dlt","severity":"high","title":"Ability to execute a transaction with changed signed parameters (e.g. 
sender/recipient/amount/tokenId/feeToken/...)"},{"id":2087,"type":"blockchain_dlt","severity":"high","title":"Ability to create a block with public input information that is not enough to restore state transition"},{"id":2088,"type":"smart_contract","severity":"medium","title":"Smart contract gas drainage"},{"id":2089,"type":"smart_contract","severity":"critical","title":"Loss of user funds by permanent burning, freezing or direct theft"},{"id":2090,"type":"smart_contract","severity":"critical","title":"Network shutdown"},{"id":2091,"type":"blockchain_dlt","severity":"critical","title":"Double spending"},{"id":2093,"type":"blockchain_dlt","severity":"critical","title":"Minting fungible tokens not through a deposit"},{"id":2094,"type":"blockchain_dlt","severity":"critical","title":"Ability to steal/burn/freeze other people's tokens"},{"id":2095,"type":"websites_and_applications","severity":"critical","title":"Leak of user data"},{"id":2096,"type":"websites_and_applications","severity":"critical","title":"Redirected funds by address modification"},{"id":2097,"type":"websites_and_applications","severity":"critical","title":"Site goes down"},{"id":5727,"type":"blockchain_dlt","severity":"high","title":"Inability to generate a block for a priority operation that is added through a smart contract"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"id":39450,"severity":"critical","assetType":"blockchain_dlt","fixedReward":20000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":39451,"severity":"high","assetType":"blockchain_dlt","fixedReward":10000,"rewardModel":"fixed"},{"id":39452,"severity":"critical","assetType":"smart_contract","maxReward":2300000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":39453,"severity":"high","assetType":"smart_contract","fixedReward":50000,"rewardModel":"fixed"},{"id":39454,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":39455,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":39456,"severity":"critical","assetType":"websites_and_applications","fixedReward":25000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"5WzZBvhcZews4sgRe10OYU","url":"https://github.com/firelight-protocol/firelight-core/blob/main/contracts/FirelightVault.sol","type":"smart_contract","addedAt":"2025-11-07T14:00:00.000Z","revision":1,"description":"FirelightVault.sol - Upgradeable ERC4626-compatible vault -  [500]","isPrimacyOfImpact":null},{"id":"2e5HUtmCpLNIrQb9PuY88i","url":"https://github.com/firelight-protocol/firelight-core/blob/main/contracts/FirelightVaultStorage.sol","type":"smart_contract","addedAt":"2025-11-07T14:00:00.000Z","revision":1,"description":"FirelightVaultStorage.sol - Storage layout for FirelightVault- [28]","isPrimacyOfImpact":null}],"assetsBodyV2":"**Insight Reporting** \n\nInsight reports may be reported to this program and require a PoC. 
Insights are rewarded in accordance with [Immunefi’s Standardized Competition Reward Terms.](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms)\n\n**Dispute Resolution**\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has the final say on validity and severity based on the terms of this program.\n\n**Responsible Publication Policy**\n\n- Immunefi will publish bug reports, earnings, and a leaderboard for this Audit Competition.\n- Security Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in an audit review of the code in scope (Such auditors may still participate in this program only if they receive project permission)","boostedIntroEvaluating":"### Thank You to All Participating Security Researchers!\n\nThe audit competition has now concluded and is currently in the evaluation phase. During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the platform for all users.","boostedIntroLive":"### **$15,000 USD** in rewards is available for finding bugs on Firelight's contracts. 
\n\nFor more information about the project, please visit about [Firelight](https://firelight.finance/)\n\n- KYC is not required.\n\n- Flat Reward Pool\n\n**Proof of Concept (PoC) Requirements**\n\n- A **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- Any technical questions and support requests can be asked directly to the Firelight team or Immunefi in the [#firelight-audit-competition](https://discord.com/channels/787092485969150012/1435885611859836971) discord channel.","boostedIntroStartingIn":"### **$15,000 USD** in rewards is available for finding bugs on Firelight's contracts. \n\nFor more information about the project, please visit https://firelight.finance/ \n\nAny technical questions and support requests can be asked directly to the Firelight team or Immunefi in the [#firelight-audit-competition](https://discord.com/channels/787092485969150012/1435885611859836971) discord channel. \n\nWhen the Audit Competition ends, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Firelight's technical walkthrough on our official [YouTube channel](https://www.youtube.com/@immunefi).\n\n**A runnable PoC is required**. For more information, please read [Immunefi Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules?utm_source=immunefi)\n\nInsight reports can be submitted. 
Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedLeaderboard":[{"high":0,"name":"chief_hunter888","aspRank":1,"critical":0,"earnings":2036,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2546,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":510},{"high":0,"name":"EagleEye","aspRank":2,"critical":0,"earnings":1145,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1640,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":495},{"high":0,"name":"piyushmali","aspRank":3,"critical":0,"earnings":1145,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1640,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":495},{"high":0,"name":"Paludo0x","aspRank":19,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"SENIOR (ACTIVE)","totalEarnings":1516,"totalValidBugs":1,"aspPoolEarnings":1500,"podiumPoolEarnings":0},{"high":0,"name":"perseverance","aspRank":20,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"SENIOR 
(ACTIVE)","totalEarnings":1516,"totalValidBugs":1,"aspPoolEarnings":1500,"podiumPoolEarnings":0},{"high":0,"name":"blackgrease","aspRank":4,"critical":0,"earnings":1145,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1145,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"emilesean_es","aspRank":5,"critical":0,"earnings":1145,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1145,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Flare0x","aspRank":6,"critical":0,"earnings":1145,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1145,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"gklptrgt","aspRank":7,"critical":0,"earnings":1145,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1145,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Le_Rems","aspRank":37,"critical":0,"earnings":213,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":213,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Tadev","aspRank":11,"critical":0,"earnings":213,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":213,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ZenHunter","aspRank":40,"critical":0,"earnings":197,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":197,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"hunterKing","aspRank":41,"critical":0,"earnings":197,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":197,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"VinayVig","aspRank":42,"critical":0,"earnings":197,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":197,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"dobrevaleri","aspRank":8,"critical":0,"earnings":
73,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":73,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"a16","aspRank":39,"critical":0,"earnings":66,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":66,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Tomioka","aspRank":9,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Falendar","aspRank":10,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"dldLambda","aspRank":12,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"jayx","aspRank":13,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Arkindyo","aspRank":14,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"coinsspor","aspRank":15,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"theboiledcorn","aspRank":16,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"axolot","aspRank":17,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"edantes","aspRank":18,"critical":0,"earning
s":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"legion","aspRank":21,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Diavol0","aspRank":22,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Y4nhu1","aspRank":23,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"jesse03","aspRank":24,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"zeroK","aspRank":25,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"ASSOCIATE 
(ACTIVE)","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Orionn","aspRank":26,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"maggie","aspRank":27,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"sahuang","aspRank":28,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"zcai","aspRank":29,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"vivekd","aspRank":30,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"y4y","aspRank":31,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"sol_4th05","aspRank":32,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"redbeans","aspRank":33,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Pro_King","aspRank":34,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"hcrlen","aspRank":35,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-AS
P","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Immanux2160","aspRank":36,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"IronsideSec","aspRank":38,"critical":0,"earnings":16,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":16,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"[redacted]","aspRank":"disqualified","critical":0,"earnings":0,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":0,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1aYeTxEA7RMmaFtWkKJtFeWWocYEtJk1W/view?usp=sharing","ecosystem":null,"endDate":"2025-11-17T10:00:00.000Z","evaluationEndDate":"2025-12-11T16:07:22.467Z","features":["Boost","Managed Triage: Signal Booster","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2025-11-07T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5hyBrrn4sBaeEmyYA7Vxm3/11c3efa07397064a595a000d6ca1f9f3/firelight.png","maxBounty":15000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"The Firelight Vault is an upgradeable ERC‑4626 compatible vault with additional features.","programType":["Smart Contract"],"project":"Audit Comp | Firelight","projectType":null,"rewardsBody":"Rewards are distributed among SRs according to Immunefi’s 
Standardized Competition Reward Terms and includes All Star Pool and Podium Pool reserved for All Star Program participants. \n\nRewards are denominated in USD and distributed in USDC on Ethereum.\n\nThe reward pool is $15,000 for any bug found. That means that even if 1lLow severity bug is found, the whole reward pool is unlocked and has to be fully distributed between security researchers. \n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is $2,250 of Max SR Rewards.","rewardsPool":15000,"primaryPool":10500,"allStarsPool":3000,"podiumPool":1500,"rewardsToken":"USDC","slug":"audit-comp-firelight","tenPercentEconomicRule":false,"updatedDate":"2025-12-11T16:07:16.795Z","impactsBody":"**Build Commands, Test Commands, and How to Run Them**\n\nInstallation:\ngit clone https://github.com/firelight-protocol/firelight-core.git\ncd firelight-core\nnpm install\nCreate your .env file using .env.sample as a reference.\n\nRun tests:\nnpx hardhat test\n\nOptional:\nFor faster test execution, comment out the forking configuration on line 29 of hardhat.config.js.\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope are valid.\n\n**Code Freeze Assurance**\n\nCode of the assets in scope is frozen while the program is live.\n\nDuplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.\n\nThe project commits to keeping all info related to bug findings private until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\n------------------\n\n**Previous Audits**\n\nFirelight’s completed audit reports can be found at https://firelight.finance/audit.pdf. Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n**Public Disclosure of Known Issues**\n\nBug reports for publicly disclosed bugs are not eligible for a reward. 
\n\nInflation attack: This is a known issue with ERC-4626 described at https://docs.openzeppelin.com/contracts/5.x/erc4626#security-concern-inflation-attack We'll take care of this at the time of deployment.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n-----------------------\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\nThere should be no confusion. Only one smart contract and its storage contract are in scope.\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nNo, this is not an upgrade of an existing system and will be a first-time deployment.\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nOverall security and correctness are especially important.\n\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\nThe vault is ERC-4626 compliant and holds/transfers ERC-20 tokens. No ERC-721, ERC-777, or ERC-1155 tokens are supported.\n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\nNone.\nWe do not use emergency actions as a basis to downgrade severity.\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nThe role-based administrative addresses are considered trusted.These roles are intentionally authorized to modify configurations or perform emergency actions. Their intended permissions are not considered vulnerabilities.\nThis includes: DEPOSIT_LIMIT_UPDATE_ROLE, RESCUER_ROLE, BLOCKLIST_ROLE, PAUSE_ROLE,  PERIOD_CONFIGURATION_UPDATE_ROLE\n\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\nNone. 
\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nFlare Network. https://flare-explorer.flare.network/\n\n**What external dependencies are there?**\nThere are no external dependencies. The system does not rely on oracles, price feeds, or external protocol integrations.\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nWe do not think so. The time-based period configuration may be slightly unusual, but the implementation is straightforward and self-explanatory in the code.\n\n**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)**\n\nhttps://github.com/firelight-protocol/firelight-core/blob/main/README.md","websiteUrl":"https://firelight.finance/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"The Firelight Vault is an upgradeable ERC‑4626 compatible vault with additional features.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward 
Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"7EnNCp1GsSY9VGOzFAArqs","url":"https://firelight.finance/audit.pdf","auditor":"OpenZeppelin","date":"2025-07-21"}]},{"assets":[{"id":"1b0RqlxSmzajKDfSXpp5Bk","url":"https://explorer.hiro.so/txid/SP3ESW1QCNQPVXJDGQWT7E45RDCH38QBK9HEJSX4X.dlmm-pool-c-v-0-1?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T19:06:25.718Z","revision":2,"description":"dlmm-pool-c-v-0-1","isPrimacyOfImpact":null},{"id":"36Z6Bp60qppHT4kyUyAiy5","url":"https://explorer.hiro.so/txid/SP3ESW1QCNQPVXJDGQWT7E45RDCH38QBK9HEJSX4X.dlmm-swap-router-v-0-1?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T19:04:08.891Z","revision":2,"description":"dlmm-swap-router-v-0-1","isPrimacyOfImpact":null},{"id":"3qOmBxFJeHHHlAIRRyGSMe","url":"https://explorer.hiro.so/txid/SP3ESW1QCNQPVXJDGQWT7E45RDCH38QBK9HEJSX4X.dlmm-pool-h-v-0-1?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T19:07:15.930Z","revision":2,"description":"dlmm-pool-h-v-0-1","isPrimacyOfImpact":null},{"id":"4cxcJZzAiUpQdH0DOX4Ex7","url":"https://explorer.hiro.so/txid/SM1793C4R5PZ4NS4VQ4WMP7SKKYVH8JZEWSZ9HCCR.token-stx-v-1-2?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T19:07:28.905Z","revision":2,"description":"token-stx-v-1-2","isPrimacyOfImpact":null},{"id":"5XJ3M6ggPAFXJarQjtFq4V","url":"https://explorer.hiro.so/txid/SP3ESW1QCNQPVXJDGQWT7E45RDCH38QBK9HEJSX4X.dlmm-pool-d-v-0-1?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T19:06:46.024Z","revision":2,"description":"dlmm-pool-d-v-0-1","isPrimacyOfImpact":null},{"id":"5jFioauR92OFCIWEnsfRjH","url":"https://explorer.hiro.so/txid/SP3ESW1QCNQPVXJDGQWT7E45RDCH38QBK9HEJSX4X.dlmm-core-v-0-1?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T18:51:59.491Z","revision":2,"description":"dlmm-core-v-0-1","isPrimacyOfImpact":null},{"id":"64dQuPCxJ3DkjvYY848Nba","url":"https://hodlmm.bitflow.finance/","type":"websites_and_applications","addedAt":"2025-11-26T04:27:00
.000Z","revision":3,"description":"App","isPrimacyOfImpact":null},{"id":"6HRjrhKCx1FiuIZDraYsav","url":"https://explorer.hiro.so/txid/SP3ESW1QCNQPVXJDGQWT7E45RDCH38QBK9HEJSX4X.dlmm-pool-g-v-0-1?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T19:06:59.316Z","revision":2,"description":"dlmm-pool-g-v-0-1","isPrimacyOfImpact":null},{"id":"B4HmB2UqxIdiAWWf23Wg2","url":"https://explorer.hiro.so/txid/SP3ESW1QCNQPVXJDGQWT7E45RDCH38QBK9HEJSX4X.dlmm-pool-b-v-0-1?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T19:05:56.681Z","revision":2,"description":"dlmm-pool-b-v-0-1","isPrimacyOfImpact":null},{"id":"XZDaemW2QQ0cCkOF1Wpai","url":"https://explorer.hiro.so/txid/SP3ESW1QCNQPVXJDGQWT7E45RDCH38QBK9HEJSX4X.dlmm-pool-trait-v-0-1?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T19:05:40.932Z","revision":2,"description":"dlmm-pool-trait-v-0-1","isPrimacyOfImpact":null},{"id":"srMsB8Pvy6mT6v2BA7KdA","url":"https://explorer.hiro.so/txid/SP3ESW1QCNQPVXJDGQWT7E45RDCH38QBK9HEJSX4X.dlmm-liquidity-router-v-0-1?chain=mainnet","type":"smart_contract","addedAt":"2025-11-26T19:05:26.373Z","revision":2,"description":"dlmm-liquidity-router-v-0-1","isPrimacyOfImpact":null}],"assetsBodyV2":"Bitflow’s latest contract codebase and test-suite for the “HODLMM” can be found here: https://github.com/BitflowFinance/bitflow-dlmm. \nWhitelisted early access to HODLMM with mock tokens: [https://hodlmm.bitflow.finance](https://hodlmm.bitflow.finance)\n\n**Note:** You’ll need to be whitelisted to access the dapp ahead of public release. 
Use this link to get access: [https://waitlist.bitflow.finance](https://waitlist.bitflow.finance) \n\nFor any issues with expedited access, try to DM [@bitflow](https://x.com/bitflow) or [@StacksDeveloper](https://x.com/dylan_) on X.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Stacks"],"endDate":null,"evaluationEndDate":null,"features":["Arbitration","Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Clarity","NextJS"],"launchDate":"2025-11-26T04:27:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1wBdOtq6xoBJTdPjGbJmiq/8165a74640386a368784458f72749f7f/tq71coRV_400x400.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical"],"primaryPaymentWallet":"Stacks","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["DEX","Liquid Staking"],"programOverview":"Bitflow is a decentralized exchange (DEX) built on the Stacks blockchain, positioning itself as a key liquidity hub for Bitcoin DeFi users (traders, liquidity providers, and developers). Bitflow has a history of recreating battle-tested DEX smart contracts in the Clarity smart contract language, as well as innovating with new designs such as the variable midpoint stableswap. In the past, Bitflow has delivered Curve style pools, Uniswap V2 style pools, and Jupiter style aggregator contracts for multi-dex swaps. \n\nThis BBP (bug bounty program), however, will initially focus exclusively on a new orderbook-style AMM that unlocks concentrated liquidity in the Stacks ecosystem. 
Bitflow calls this the HODLMM – High-throughput, Orderbook-style, Decentralized Liquidity Market Maker. Concentrated liquidity is much more efficient for traders and liquidity providers compared to legacy AMMs like the Uniswap V2 design, and this implementation draws inspiration from Trader Joe’s Liquidity Book AMM and Meteora’s DLMM designs. Over time, the scope may expand to include contracts for legacy AMMs and more peripheral contracts built on HODLMM.\n\nFor more information about Bitflow, please visit [https://www.bitflow.finance/](https://www.bitflow.finance/)\n\nBitflow provides rewards in **STX** on Stacks, denominated in **USD**. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nBitflow adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract - Critical\n- Smart Contract - High\n- Web/App - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n**Bitflow HODLMM Known Issues (Most here were acknowledged during Completed Audits)**\n- Pool Operations Lack Deadline Checks \n  - Deadlines allow users to specify the time by which the operation must be executed; otherwise it would be invalid.\n\n- Pool verification status set during pool creation, and allows unverified pools to exist\n  - Even though they can’t be verified, in theory malicious pool contracts can still be deployed and swapped through via core. This is intentional to ensure that permissionless pool creation is possible when public pool creation is enabled. Note that liquidity remains isolated in each pool contract.\n\n- Verified pools can still contain malicious tokens\n  - Malicious tokens can therefore be swapped through core or peripheral routers\n  - At scale, there is no way to check on-chain for whether or not a token is malicious during pool creation (unlike template pool contracts that can be compared to a hash of the code body). 
\n  - Peripheral router contracts could be built on top to maintain a list of verified tokens (separate from core) to add more protection to users’ swaps and liquidity provision. \n\n- Avoid using `tx-sender` for Caller Authorization\n  - Throughout the codebase there are instances where `tx-sender` is used instead of `contract-caller` or passing the caller address. By doing this, users that fall for phishing scams and interact with malicious contracts can unwittingly interact with the codebase and execute sensitive operations. By using `contract-caller`, we lose composability for more peripheral contracts to be built on top; `tx-sender` allows for that, which means that phishing is possible. Users looking out for post-conditions will also help mitigate the risk of phishing attacks.\n\n- Variable Fee Design Choices\n  - The current variable fee is intended to serve as a volatility fee, where many bin changes in recent blocks will result in an increased variable fee, which can also be reset or reduced.\n  - The pool uses specific data points to calculate the fee. Admins can calculate the fee off-chain and set the fees via a set-variable-fees call, with the intent that in the future, a peripheral contract will update these via asynchronous calls. \n  - With this design, multi-bin swaps can often precede a fee adjustment\n  - Lower fee swaps can be frontrun if users see a fee-increase transaction in the mempool.\n  - Users may be charged more than needed if the transactions to reset or lower the variable fees do not get confirmed before more swaps get confirmed\n  - Users could be charged too high a variable fee by a malicious admin that also deploys liquidity into a bin\n\n- Absence of Preview Functions for Key Operations\n  - The current implementation does not offer any mechanism for previewing operation results. 
\n  - The intention is to create a peripheral contract with preview functions, one for each major operation in the core contract: swap-x-for-y, swap-y-for-x, add-liquidity, withdraw-liquidity, and move-liquidity\n\n- Remove Redundant begin Blocks\n  - Throughout the codebase, after `let` declarations, the implementation redundantly adds a `begin` block instead of writing the next statements directly, as the `let` block normally allows. This is done in almost all contracts; all such `begin` blocks can be removed.\n\n- Bin steps can be added with wrong values and they cannot be updated/removed\n  - With the ability to migrate to new core contracts, admins can upgrade with the corrected bin factors.\n\n- Multi-bin swaps using favorable bins can actually lead to worse outcomes\n  - A user can actually do worse when favorable bins are available because the capacity of those bins is not as high as they expected. The result is unexpected funds loss for the user. However, the user can prevent this by setting min-received correctly for each swap step. The unfavorable bin logic only compares the active bin ID to the expected bin ID, not bin balances or other factors. Bitflow calculates min-received per swap off-chain and enforces it on-chain. Thus, this was assessed by auditors as informational.\n\n- Malicious core contract upgradability if an admin is compromised\n  - A malicious admin could attempt to upgrade pools to use a new core contract if the original deployer or admin hasn’t frozen migration and hasn’t noticed within the cooldown period of at least 1 week.\n  - In a previous design, Bitflow had no way to upgrade the core contract. The likelihood of needing to roll out a new version is eventually high.\n\n- Implement Timelocks for Sensitive Configuration Changes\n  - Admins can modify some configuration parameters at any time and changes take place immediately. 
This creates risk for existing users (including but not limited to: higher fees, disabling of swaps, etc.)\n\n\n__Previous Audits__\n\nBitflow’s completed audit reports can be found at https://docs.Bitflow.finance/Bitflow-documentation/resources/audits. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications"],"project":"Bitflow","projectType":["Exchange","Defi"],"rewardsBody":"__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. \n\nThe amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every [720 blocks] the attack needs for subsequent attacks from the first attack, rounded down.\n\n__Reward Calculation for High Level Reports__\n\nHigh impacts concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 2 500 to USD 20 000 with the reward calculated based on 100% of the funds at risk, though capped at the maximum high.\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. 
\n\nCritical web/app bug reports will be rewarded with USD 25 000 only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical will be rewarded with a flat amount of USD 5 000. The rest of the severity levels are paid out according to the Impact in Scope table. \n\nThe SIP10 implementation of STX we deployed for use across legacy DEXs and soon with the HODLMM (SM1793C4R5PZ4NS4VQ4WMP7SKKYVH8JZEWSZ9HCCR.token-stx-v-1-2) is within scope, and all other fungible tokens are not in scope. Other contracts deployed by SM1793C4R5PZ4NS4VQ4WMP7SKKYVH8JZEWSZ9HCCR or SPQC38PW542EQJ5M11CR25P7BS1CA6QT4TBXGB3M are not in scope.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Bitflow team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"bitflow","updatedDate":"2025-12-08T07:57:57.211Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Bitflow is a decentralized exchange (DEX) built on the Stacks blockchain, positioning itself as a key liquidity hub for Bitcoin DeFi users (traders, liquidity providers, and developers).","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Tokens not deployed from SPQC38PW542EQJ5M11CR25P7BS1CA6QT4TBXGB3M\n- Impacts relying on theoretical user interactions without any demonstration of regular or significant occurrence","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":4823,"type":"smart_contract","severity":"high","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":4824,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":4825,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4826,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious 
transactions"}],"rewards":[{"id":39100,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39101,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":2500,"rewardModel":"range"},{"id":39102,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":39103,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":39104,"severity":"critical","assetType":"websites_and_applications","maxReward":25000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":5000}],"audits":[]},{"assets":[{"id":"4VbhYMw35Qz9S0Fhjqtl8S","url":"https://github.com/vechain/thor/compare/v2.3.2...release/hayabusa","type":"blockchain_dlt","addedAt":"2025-10-01T13:00:00.000Z","revision":4,"description":"VeChain Hayabusa Release Branch - [8855 Go]","isPrimacyOfImpact":null},{"id":"6nP5i2Xa7OVmIqI6GkfSlj","url":"https://github.com/vechain/thor/blob/release/hayabusa/builtin/gen/staker.sol","type":"smart_contract","addedAt":"2025-10-01T13:00:00.000Z","revision":3,"description":"builtin - [389 Sol]","isPrimacyOfImpact":null}],"assetsBodyV2":"**Build Commands, Test Commands, and How to Run Them**\n\n[https://github.com/vechain/thor-hayabusa](https://github.com/vechain/thor-hayabusa) provides some information on operating a public or validator node in the Hayabusa network, and provides access to additional tools: a faucet for funds, an explorer, and an inspector tool that allows for easy interaction with deployed smart contracts.\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\nThe scope is limited to a particular release branch of code, so the scope is very clear; see scope above.\n\n\n**Is this an upgrade of an existing system? If so, which? 
And what are the main differences?**\n\nYes, upgrading the consensus mechanism of VeChainThor from Proof of Authority (PoA) to Delegated Proof of Stake (DPoS). See the provided VIPs for details of the changes. \n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nThe change in the consensus mechanism and the distribution of rewards\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\nAll of the above listed standards are implemented on chain but do not form part of the upgrade.\n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\nThe fact that two traditional audits are taking place in parallel with this Attackathon.\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nThere is the executor address and stargate address which have privileged roles in the network and their actions so long as they operate within the privileges attributed to them are expected.\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\n\nBoth the executor and stargate address are essentially out of scope as they are known addresses and operated by trusted third parties.\n\n**Which chains and/or networks is and will the code in scope be deployed to?**\n\nVeChainThor\n\n**What external dependencies are there?**\n\nThere are no new dependencies. All of the old dependencies are out of scope. \n\n**What are the most valuable educational resources already available? (Ie. 
Documentation, Explainer videos or articles, etc)**\n\nFor more information about the VeChain Hayabusa upgrade, please visit the following resources:\n- https://docs.vechain.org/ \n- VeChainThor Hayabusa Upgrade Release Branch\n    - https://github.com/vechain/thor/tree/release/hayabusa \n- VeChain Hayabusa E2E Tests Repo\n    - https://github.com/vechain/hayabusa-e2e \n- VeChain Hayabusa Upgrade VIPs\n    - https://github.com/vechain/VIPs/blob/master/vips/VIP-253.md\n    - https://github.com/vechain/VIPs/blob/master/vips/VIP-254.md","boostedIntroEvaluating":"### **Thank You to All Participating Security Researchers!**\n\nThe Attackathon has now concluded and is currently in the evaluation phase. During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the platform for all users.","boostedIntroLive":"### **$160,000 USD** in conditional rewards are available for finding bugs on the VeChain Hayabusa Upgrade. \n\n- Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and include an **All Star Pool** and a **Podium Pool** reserved for [All Star Program](https://immunefi.com/allstars/) participants. \n\n- KYC is required.\n\n- Conditional Reward Pool \n\n- Any technical questions and support requests can be asked directly to VeChain or Immunefi in the [VeChain Hayabusa Upgrade Attackathon Discord channel](https://discord.com/channels/787092485969150012/1369326485659189259).\n\n- When the Attackathon has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\n- **Runnable POCs are required**. 
Read our [Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- Insight reports can be submitted. Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedIntroStartingIn":"### **$160,000 USD** in conditional rewards are available for finding bugs on the VeChain Hayabusa Upgrade. \n\n- Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes **All Star Pool** and **Podium Pool** reserved for [All Star Program](https://immunefi.com/allstars/) participants. \n\n- KYC is required.\n\n- Conditional Reward Pool \n\n- Any technical questions and support requests can be asked directly to VeChain or Immunefi in the [VeChain Hayabusa Upgrade Attackathon Discord channel](https://discord.com/channels/787092485969150012/1369326485659189259).\n\n- When the Attackathon has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\n- **Runnable POCs are required**. Read our [Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- Insight reports can be submitted. 
Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedLeaderboard":[{"high":0,"name":"Haxatron","aspRank":1,"critical":1,"earnings":88174,"insights":0,"mediumLow":1,"allStarTier":"ELITE (ACTIVE)","totalEarnings":126254,"totalValidBugs":2,"aspPoolEarnings":32000,"podiumPoolEarnings":6080},{"high":0,"name":"emarai","aspRank":2,"critical":0,"earnings":7944,"insights":3,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":12904,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":4960},{"high":0,"name":"notGoku","aspRank":3,"critical":0,"earnings":6783,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":11743,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":4960},{"high":0,"name":"v_c0d35","aspRank":4,"critical":0,"earnings":2261,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2261,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Orionn","aspRank":6,"critical":0,"earnings":1677,"insights":4,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":1677,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"spongebob","aspRank":8,"critical":0,"earnings":774,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":774,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"XDZIBECX","aspRank":10,"critical":0,"earnings":774,"insights":4,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":774,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Angry_Mustache_Man","aspRank":12,"critical":0,"earnings":516,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":516,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"humanitia","aspRank":5,"critical":0,"earnings":387,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":387,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEa
rnings":0},{"high":0,"name":"cryptoWhale","aspRank":7,"critical":0,"earnings":387,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":387,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"OxPrince","aspRank":9,"critical":0,"earnings":387,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":387,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"caslo","aspRank":11,"critical":0,"earnings":387,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":387,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"OadeHack","aspRank":13,"critical":0,"earnings":387,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":387,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"LeoFlint","aspRank":14,"critical":0,"earnings":387,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":387,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"jesse03","aspRank":15,"critical":0,"earnings":387,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":387,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"chief_hunter888","aspRank":16,"critical":0,"earnings":387,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":387,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0}],"boostedSummaryReport":null,"ecosystem":null,"endDate":"2025-10-26T14:00:00.000Z","evaluationEndDate":"2025-12-01T14:00:00.000Z","features":["Attackathon","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-10-01T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/14YpZX2KbZt4mnWVA3zpqm/d0ab4e49c091c556684d0c8791555d93/id8TScG3E5_1758538733668.png","maxBounty":160000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["blockchain_dlt - 
critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"For more information about VeChain Foundation, please visit [https://vechain.org/](https://vechain.org/). \n\nThis is a **mainnet AC (audit competition)** and the project may fix bugs mid-competition. The more bugs a project fixes the more rewards will be unlocked for a simultaneously running **mitigation competition** with up to $40,000 USD in rewards that is open for everyone to participate in. Read our full [mainnet AC rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules) for more info.\n\n**VeChain is running 2 audits in parallel with the Attackathon. Due to this, some findings could be invalidated as duplicates from the ongoing audits.**\n\n**Responsible Publication**\n\nImmunefi will publish bug reports, earnings, and a leaderboard for this Attackathon.\n\nSecurity Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.\n\n**Dispute Resolution**\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.","programType":["Blockchain/DLT","Smart Contract"],"project":"Attackathon | VeChain Hayabusa Upgrade","projectType":null,"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nRewards are denominated in USD and distributed in USDT on Ethereum.\n\nThe reward pool is determined by the greatest severity bug found.\n\n- A Critical is found \t- **$160,000 
USD**\n- A High is found \t- **$100,000 USD**\n- A Medium is found \t- **$70,000 USD**\n- A Low is found \t- **$40,000 USD**\n\nIf none of the above conditions apply then the reward pool is - **$24,000 USD**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid and unlock the corresponding reward pool.\n\n__Mitigation Competition Rewards__\n\nThe maximum reward pool for the mitigation competition is **$40,000 USD**.\n\nIf any bug in scope is fixed during the mainnet AC then a mitigation competition will begin immediately, run simultaneously, and end 5 days after the mainnet AC has ended.\n\nThe mitigation competition’s reward pool is based on how many bugs are fixed while the competitions are live relative to how many bugs are found in the mainnet AC. So if projects make more bug fixes mid-competition then the size of the mitigation competition reward pool increases up to the maximum.\n\nThe full mitigation competition reward terms can be [read here](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules).\n\n__Code Updates Log__\n- Fix hayabusa solo mode for executor actions - https://github.com/vechain/thor/commit/6d29c7513818d515f4ad9f8f18d92d79e03d145c\n- remove redundant gas consumption call - https://github.com/vechain/thor/commit/f08442278f1eb45bae74f1fe922955c8e2f1d367\n- Authority isEndorsed now accounts for Staker Transition - https://github.com/vechain/thor/commit/c3a28e55c3bc5a6c2ae96178c9a8124178bff5ca\n- Improve customnet for Hayabusa - https://github.com/vechain/thor/commit/cdc9c606c4e1c8fc9bad23472198d6e6dcb4e434\n- chore: removed TODOs - https://github.com/vechain/thor/commit/4084a8e3d7301b33e7fde8fda9c0db5640a310e1\n- fix: test - https://github.com/vechain/thor/commit/aaad156e7cecf54c289e96134513f6d74b632882\n- chore: add comment - https://github.com/vechain/thor/commit/b58d9efd4ed35eb397dad40b7493d437e59b76bd\n- fix: delegation withdrawal while validator pending - 
https://github.com/vechain/thor/commit/038e406d4eb247e44675933b2d3ed3809b3943d8\n- fix: delegation withdrawal while validator pending - https://github.com/vechain/thor/commit/12d7e1b252756ea4ebb14f2c7ab9519e75f3bcec\n- fix: delegation withdrawal while validator pending - https://github.com/vechain/thor/commit/a28869da0aed1b102c2a9b3a80523bd5a05e7519\n- chore(staker): reduce housekeepnig logs\" - https://github.com/vechain/thor/commit/8a12e30656c7626f3ccb94f10dfa63b6b1ae7d9b\n- fix stater - https://github.com/vechain/thor/commit/3ad5e1805c778a070e27d0d0293f335a256c235e\n- Resolved merge conflicts - https://github.com/vechain/thor/commit/8ff104a3fb1ee5f39c6be5e54cb262bf10100063\n- Merge master - https://github.com/vechain/thor/commit/d087893b1f1c93e9fcf29e60928ffe73c95909be\n- chore(energy): cap validator rewards to 100% - https://github.com/vechain/thor/commit/91597ce1daf3064e2298a0606798030d43a90c1c\n- chore(test): verify issued - https://github.com/vechain/thor/commit/4bfef54f7013b89943f8de86d9b02db828b7a715\n- Error handling - https://github.com/vechain/thor/commit/2595b990a842662cd476007ea838c9ac10d1d956\n- TP set to 7 days - https://github.com/vechain/thor/commit/f040eed7f30d8256c959a7c7ee2d2a97816f45e7\n- Increase and Decrease are only on active validators - https://github.com/vechain/thor/commit/016c22992e5939e7ed12a93edd2e87c2ceafdb2b\n- chore: set testnet/ mainnet hayabusa block - https://github.com/vechain/thor/commit/b4c914fe573ed6141daa159fa293e9193a96d74f\n- chore(staker): make all methods external to reduce gas costs - https://github.com/vechain/thor/commit/b42b73f58d93c677a0e8085ba1f901ef7aaf2682\n- chore(energy): Add an inline comment to clarify that totalSupply does - https://github.com/vechain/thor/commit/6387d5ef68f834000088325ddb00fa884dd8c8ff\n- move ascii art out of post-block handler - https://github.com/vechain/thor/commit/b3634c2c16d5988101aae5447ab9a3700f2e59c5\n- chore: squash commits - 
https://github.com/vechain/thor/commit/13b241e9129233135d63edcf381de9d7e6bf990d\n- Custom encoding for Energy Stop Growth Time - https://github.com/vechain/thor/commit/ce5c407c4cfddd92ec89c065915f9f05d3624faf\n- Merge aikido updates - https://github.com/vechain/thor/commit/706bee9e6693244a6ddac17f883c7b09c6c63852\n- Charge extra sload - https://github.com/vechain/thor/commit/c1a18885ef673dfd9bfff48ff89dc15e30bb833f\n- fix(authority): charge gas if fetching validation - https://github.com/vechain/thor/commit/7391a7dd97b8840827b59d4aaf802f7732713953\n- custom genesis: error when external executor and builtin executor are - https://github.com/vechain/thor/commit/55dfff0c869801d9c02f50780b15f9b153953970","rewardsPool":160000,"primaryPool":112000,"allStarsPool":32000,"podiumPool":16000,"rewardsToken":"USDT","slug":"vechain-hayabusa-upgrade-attackathon","tenPercentEconomicRule":false,"updatedDate":"2025-12-04T05:36:02.644Z","impactsBody":"**Proof of Concept (PoC) Requirements**\n\nA runnable PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules?utm_source=immunefi).\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope are valid.\n\n**Previous Audits**\n\nVeChain’s completed audit reports can be found here:\n\n- [https://github.com/slowmist/Knowledge-Base/blob/master/open-report/VeChainThorNodeToken-Smart-Contract-Security-Audit-Report.md](https://github.com/slowmist/Knowledge-Base/blob/master/open-report/VeChainThorNodeToken-Smart-Contract-Security-Audit-Report.md)\n- [https://www.nccgroup.com/media/f05ojmp4/ncc_group_vechainfoundationsanmarinosrl_e0237_.pdf](https://www.nccgroup.com/media/f05ojmp4/ncc_group_vechainfoundationsanmarinosrl_e0237_.pdf)\n- 
[https://www.coinspect.com/doc/Coinspect%20-%20Source%20Code%20Audit%20-%20VeChainThor%20Galactica%20V250512.pdf](https://www.coinspect.com/doc/Coinspect%20-%20Source%20Code%20Audit%20-%20VeChainThor%20Galactica%20V250512.pdf)\n\nUnfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n**Public Disclosure of Known Issues**\n\nBug reports for publicly disclosed bugs are not eligible for a reward. \n- Underflow enables contract drain, [https://github.com/vechain/thor/pull/1348](https://github.com/vechain/thor/pull/1348).\n- No delegations allowed in Exiting Validator, [https://github.com/vechain/thor/pull/1384](https://github.com/vechain/thor/pull/1384)\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n**Mainnet AC (Audit Competition) Bug Fix Policy**\n\nThe project may make bug fixes during the competition.\n- Fixed bugs immediately become out of scope once the fix is public.\n- Duplicate submissions of a bug are only valid if they’re submitted before the fix is public.\t\n\nAll project made bug fixes immediately become in scope for the mitigation competition once the fix is public, including fixes to bugs found independently of SRs.\n\nRead our full [mainnet AC rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules) for more info.\n\n**Insight Reporting**\n\nInsight reports may be reported to this program and do not require a PoC. 
Insights are rewarded according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).","websiteUrl":"https://vechain.org/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"The VeChain Hayabusa upgrade is the second phase of the VeChain Renaissance. The Hayabusa upgrade will upgrade VeChainThor’s consensus mechanism, tokenomics and degree of decentralization.\n\nKey Highlights:\n- **Upgrade to Delegated Proof of Stake (DPoS)**: VeChainThor will migrate from PoA to DPoS, a more decentralized consensus mechanism, while maintaining strong security and performance.\n- **Enhanced VTHO Tokenomics**: A dynamic VTHO generation rate will be distributed as a block reward to validators and delegators that contribute to securing the VeChainThor network.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":8,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting programs with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of 
greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":5728,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5729,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"5ELAeizHSBci6YTyzDo4Tt","url":"https://github.com/sora-xor/sora2-network/tree/audit","type":"blockchain_dlt","addedAt":"2022-07-07T16:30:00.000Z","revision":2,"description":"Blockchain/DLT","isPrimacyOfImpact":null},{"id":"1g6C5tulO7qK8zPFgTuiLk","url":"https://polkaswap.io/","type":"websites_and_applications","addedAt":"2022-07-07T16:30:00.000Z","revision":1,"description":"Web/App","isPrimacyOfImpact":null},{"id":"5MYODg3HoTk8kxtkW7Kbth","url":"https://github.com/sora-xor/polkaswap-exchange-web","type":"websites_and_applications","addedAt":"2022-07-07T16:30:00.000Z","revision":1,"description":"Web/App (applicable to latest release tag)","isPrimacyOfImpact":null}],"assetsBodyV2":"If an impact can be caused to any other asset managed by SORA that isn’t 
on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.\n\nThe latest release tag for the asset “[https://github.com/sora-xor/polkaswap-exchange-web](https://github.com/sora-xor/polkaswap-exchange-web)“ can be found here - [https://github.com/sora-xor/polkaswap-exchange-web/tags](https://github.com/sora-xor/polkaswap-exchange-web/tags)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Kusama","Polkadot"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust","Typescript"],"launchDate":"2022-07-07T16:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6qpqPgUPj8U2AK6dpBmbDh/3458554f53f2e37bf19718938bb0d81c/SORA_Logo.svg","maxBounty":2000,"pocPerTypeAndSeverity":["blockchain_dlt - critical","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["DEX","L2"],"programOverview":"The SORA community envisions a new economic world order — one that is truly decentralized and democratic. 
SORA is building to deliver financial inclusion for all without discrimination and provide a better method to manage day-to-day finances.\n\nSORA is both a supranational world economic system that decentralizes the concept of a central bank as well as a network in the Polkadot ecosystem that will connect to the Polkadot relay chain and the parachains with built-in tools focused on DeFi.\n\nThe SORA network excels at providing tools for decentralized applications that use digital assets, such as atomic token swaps, bridging tokens to other blockchains, and creating programmatic rules involving digital assets. Besides Polkaswap, one of the main applications running on the SORA network is the SORA decentralized economic system itself.\n\nFor more information about Sora, please visit [https://sora.org](https://sora.org)","programType":["Blockchain/DLT","Websites and Applications"],"project":"SORA","projectType":["Blockchain","Exchange"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate classifications for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll bug reports must come with a Proof of Concept (PoC) with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nPayouts are handled by the __SORA__ team directly and are denominated in __USD__. 
However, payouts are done in [__KUSD__](https://www.livecoinwatch.com/price/KensetsuStableDollar-__KUSD) and can be vested with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"KUSD","slug":"sora","updatedDate":"2025-12-02T09:05:29.638Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"The SORA community envisions a new economic world order — one that is truly decentralized and democratic. SORA is building to deliver financial inclusion for all without discrimination and provide a better method to manage day-to-day finances.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - Issues related to the frontend without concrete impact and PoC\n  - Best practices issues without concrete impact and PoC\n\n\nKnown issues here are out of scope for this program [https://github.com/sora-xor/sora2-evm-contracts/commit/1e13152b7f7cf25abf8f6d44837bcd891a736b94/](https://github.com/sora-xor/sora2-evm-contracts/commit/1e13152b7f7cf25abf8f6d44837bcd891a736b94/)","customProhibitedActivities":[],"impacts":[{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":2902,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions, 
etc."}],"rewards":[{"id":39254,"severity":"critical","assetType":"blockchain_dlt","fixedReward":2000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":39255,"severity":"critical","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed","otherImpactMaxReward":0}],"audits":[]},{"assets":[{"id":"3pXn8DK5rwTJZA8mrsv0oJ","url":"https://etherscan.io/address/0xa2091116649b070D2a27Fc5C85c9820302114c63","type":"smart_contract","addedAt":"2022-12-15T19:52:53.456Z","revision":1,"description":"LiquidatorFactory","isPrimacyOfImpact":null},{"id":"1OvkwMf2OGQSr9uX1K403f","url":"https://etherscan.io/address/0xe6a03Ba967172a1FF218FEE686445f444258021A","type":"smart_contract","addedAt":"2022-12-15T19:53:10.885Z","revision":1,"description":"LiquidatorImplementation (v200)","isPrimacyOfImpact":null},{"id":"7tNfaJ2REGVpyUONNfD0Q1","url":"https://etherscan.io/address/0xED9D14F83eddd08572c403175FFf41c42a35a149","type":"smart_contract","addedAt":"2022-12-15T19:53:31.136Z","revision":1,"description":"LiquidatorInitializer (v200)","isPrimacyOfImpact":null},{"id":"H4nFfmWgqFNhWSNREhVhZ","url":"https://etherscan.io/address/0x1551717AE4FdCB65ed028F7fB7abA39908f6A7A6","type":"smart_contract","addedAt":"2022-12-15T19:53:49.076Z","revision":2,"description":"LoanManagerFactory (Fixed Term)","isPrimacyOfImpact":null},{"id":"1Ef8Ueo0qLKlvNC4jJjGg7","url":"https://etherscan.io/address/0x5b97c9DccE2693844b90Cea40ba1fD15Bf99Eb01","type":"smart_contract","addedAt":"2022-12-15T19:54:08.725Z","revision":2,"description":"LoanManagerImplementation (v301 Fixed Term)","isPrimacyOfImpact":null},{"id":"6NfbTZ7qBY8V593A5Au8YJ","url":"https://etherscan.io/address/0xcbe920B1931DA57069b12A19Bc6d11Ad7B5adaBD","type":"smart_contract","addedAt":"2022-12-15T19:54:48.542Z","revision":2,"description":" LoanManagerInitializer (v300 Fixed 
Term)","isPrimacyOfImpact":null},{"id":"1mwtKthXApSUrLTGbJeW7x","url":"https://etherscan.io/address/0x90b14505221a24039a2d11ad5862339db97cc160","type":"smart_contract","addedAt":"2023-06-21T00:36:13.620Z","revision":1,"description":"LoanManagerFactory (Open-Term)","isPrimacyOfImpact":null},{"id":"2UsRMYhruhxgst0PO9ePb6","url":"https://etherscan.io/address/0xbad003da1e107f537ae2f687f5fe7a7affe9b241","type":"smart_contract","addedAt":"2023-06-21T00:36:11.815Z","revision":1,"description":"LoanManagerImplementation (v100 - Open-Term)","isPrimacyOfImpact":null},{"id":"2R5lWAmysmgok0bdoKjx5i","url":"https://etherscan.io/address/0x20d0b31c2620c28d22489babfef9445c7d952921","type":"smart_contract","addedAt":"2023-06-21T00:36:09.982Z","revision":1,"description":"LoanManagerInitializer (v100 - Open-Term)","isPrimacyOfImpact":null},{"id":"9d2hxKltMKALJuNMyn4SX","url":"https://etherscan.io/address/0x9BeAbb1B6F3ad1DdB87b65148BA5Eb6102334956","type":"smart_contract","addedAt":"2022-12-15T19:55:05.887Z","revision":5,"description":"MapleGlobalsImplementation (v301)","isPrimacyOfImpact":null},{"id":"5YnTMI5eTkZ0guhcNf43w","url":"https://etherscan.io/address/0x804a6F5F667170F545Bf14e5DDB48C70B788390C","type":"smart_contract","addedAt":"2022-12-15T19:55:22.102Z","revision":1,"description":"MapleGlobalsProxy (v2)","isPrimacyOfImpact":null},{"id":"1eU5tiZl6DuZIUuNTZ1y4y","url":"https://etherscan.io/address/0xea067db5b32ce036ee5d8607dbb02f544768dbc6","type":"smart_contract","addedAt":"2022-12-15T19:55:39.158Z","revision":2,"description":"MapleLoanFactory (Fixed-Term)","isPrimacyOfImpact":null},{"id":"7mMY9rE4LlbCPg19jAqjQX","url":"https://etherscan.io/address/0xe1714CEEB10683448E40bFE73c9F493662ff5b7e","type":"smart_contract","addedAt":"2022-12-15T19:56:12.582Z","revision":4,"description":"MapleLoanImplementation (v602 - Fixed 
Term)","isPrimacyOfImpact":null},{"id":"3PIh2hDoWlzuBKXgFpNod4","url":"https://etherscan.io/address/0xC43e722A0F9432609a96Df0cF1aFA99556532F18","type":"smart_contract","addedAt":"2022-12-15T19:56:47.092Z","revision":3,"description":"MapleLoanInitializer (v602 Fixed Term)","isPrimacyOfImpact":null},{"id":"6qoD5sd2EqQDoHA4D2XYzy","url":"https://etherscan.io/address/0x6fad515fc046dd17166453a79725f50b917b7cf6","type":"smart_contract","addedAt":"2023-06-21T00:36:07.592Z","revision":1,"description":"MapleLoanFactory (Open-Term)","isPrimacyOfImpact":null},{"id":"59csNYCrTXEG1D1RDW9kfp","url":"https://etherscan.io/address/0xEeaDb66693d63cFCF3E4D942D2812D4aE9443Fc1","type":"smart_contract","addedAt":"2023-06-21T00:36:05.327Z","revision":2,"description":"MapleLoanImplementation (v201 - Open-Term)","isPrimacyOfImpact":null},{"id":"3DiXvDrfRuuCL9mrRf3MeK","url":"https://etherscan.io/address/0x9385A0F681c3D4b39c2780cD69777Dd97a681485","type":"smart_contract","addedAt":"2023-06-21T00:36:03.286Z","revision":2,"description":"MapleLoanInitializer (v201 - Open-Term)","isPrimacyOfImpact":null},{"id":"160zkbYMKpLuDLPXedOOTU","url":"https://etherscan.io/address/0x12fB5dbBDB06ab973f047cC46D6bB33ba4d03b96","type":"smart_contract","addedAt":"2022-12-15T19:57:18.944Z","revision":4,"description":"PoolDeployer","isPrimacyOfImpact":null},{"id":"6sfynQqD9eeVYejIRFd5lJ","url":"https://etherscan.io/address/0xE463cD473EcC1d1A4ecF20b62624D84DD20a8339","type":"smart_contract","addedAt":"2022-12-15T19:57:36.299Z","revision":1,"description":"PoolManagerFactory","isPrimacyOfImpact":null},{"id":"4Bd4fINcMsDtRFL0T36g8I","url":"https://etherscan.io/address/0xfE02Be1aD28EdFd8e3dD6F29C402B244C2A258B8","type":"smart_contract","addedAt":"2022-12-15T19:57:52.815Z","revision":4,"description":"PoolManagerImplementation 
(v400)","isPrimacyOfImpact":null},{"id":"6pnkAa6b49S3HIQOgFLKZY","url":"https://etherscan.io/address/0xB33Bfa00E1d92fDaC5AeCB2976d6998C2ecca759","type":"smart_contract","addedAt":"2022-12-15T19:58:09.893Z","revision":3,"description":"PoolManagerInitializer (v400)","isPrimacyOfImpact":null},{"id":"1zPXahMTPe6oIpiaPrJohr","url":"https://etherscan.io/address/0x27ea6e67FB62AB2A603d4ACBc9377D7a9A0fd5e3","type":"smart_contract","addedAt":"2022-12-15T19:58:24.751Z","revision":2,"description":"Refinancer (Fixed term)","isPrimacyOfImpact":null},{"id":"1MnvtMd7kz85xvN4lBzDVJ","url":"https://etherscan.io/address/0x653D4947620B73a433cAbBc9DFb068c3e9c18984","type":"smart_contract","addedAt":"2023-06-21T00:36:01.207Z","revision":1,"description":"MapleRefinancer (Open-Term)","isPrimacyOfImpact":null},{"id":"1QOVfpby5sGGdidr7VvJpr","url":"https://etherscan.io/address/0xbe10adce8b6e3e02db384e7fada5395dd113d8b3","type":"smart_contract","addedAt":"2023-12-22T13:15:35.365Z","revision":1,"description":"MaplePoolPermissionManagerProxy (v100)","isPrimacyOfImpact":null},{"id":"5in1AsxsJFoxVHn4vGC6hl","url":"https://etherscan.io/address/0xc3530358e54bc81efce4a2e12a898e996b091753","type":"smart_contract","addedAt":"2023-12-22T13:15:33.173Z","revision":1,"description":"MaplePoolPermissionManagerImplementation (v100)","isPrimacyOfImpact":null},{"id":"2HVu74dJWFwPb7ivQDUDf1","url":"https://etherscan.io/address/0xb9e25B584dc4a7C9d47aEF577f111fBE5705773B","type":"smart_contract","addedAt":"2022-12-15T19:59:45.727Z","revision":2,"description":"WithdrawalManagerFactory (Cyclical)","isPrimacyOfImpact":null},{"id":"4glVzFa41n1f8gegoi5YTl","url":"https://etherscan.io/address/0xcc4e684916aa7fa0e4faef2359b49a755f89c75b","type":"smart_contract","addedAt":"2022-12-15T20:00:02.802Z","revision":2,"description":"WithdrawalManagerImplementation (v110) 
(Cyclical)","isPrimacyOfImpact":null},{"id":"20wiRBiL3TaHehJMQ6euSK","url":"https://etherscan.io/address/0x485ba3f5235f150bf8e4afbd3a25c266cdadd9dd","type":"smart_contract","addedAt":"2022-12-15T20:00:18.011Z","revision":2,"description":"WithdrawalManagerInitializer (v110) (Cyclical)","isPrimacyOfImpact":null},{"id":"2OUXFySgQZW2uXLTtN4sI8","url":"https://etherscan.io/address/0xca33105902e8d232ddfb9f71ff3d79c7e7f2c4e5","type":"smart_contract","addedAt":"2023-12-22T13:15:05.019Z","revision":1,"description":"WithdrawalManagerFactory (Queue)","isPrimacyOfImpact":null},{"id":"6A1H45S5uPOOg7Wp2S6qrd","url":"https://etherscan.io/address/0x899b57bbd8597aa2d1898476504f479c982c5c2c","type":"smart_contract","addedAt":"2023-12-22T13:15:07.397Z","revision":1,"description":"WithdrawalManagerImplementation (v100) (Queue)","isPrimacyOfImpact":null},{"id":"yp0kaZkyVDfdHpUljYHYc","url":"https://etherscan.io/address/0x637f8dc4c4d07d1cc30ae131fa94a060dee6be96","type":"smart_contract","addedAt":"2023-12-22T13:15:09.527Z","revision":1,"description":"WithdrawalManagerInitializer (v100) (Queue)","isPrimacyOfImpact":null},{"id":"4JgBfyYFAAhWErU6LRLuuu","url":"https://etherscan.io/address/0x80ac24aA929eaF5013f6436cdA2a7ba190f5Cc0b","type":"smart_contract","addedAt":"2022-12-15T20:00:39.708Z","revision":2,"description":"Pool (For reference)","isPrimacyOfImpact":null},{"id":"2C62990I4hf3aBf4y4sjOR","url":"https://etherscan.io/address/0x7aD5fFa5fdF509E30186F4609c2f6269f4B6158F","type":"smart_contract","addedAt":"2022-12-15T20:00:57.557Z","revision":2,"description":"PoolManager (For reference)","isPrimacyOfImpact":null},{"id":"5O3M7z8zOUduwnrpIfCVYA","url":"https://etherscan.io/address/0x4A1c3F0D9aD0b3f9dA085bEBfc22dEA54263371b","type":"smart_contract","addedAt":"2022-12-15T20:01:12.565Z","revision":3,"description":"LoanManager ( Fixed-Term for 
reference)","isPrimacyOfImpact":null},{"id":"6ZFl96enBCqSui4SSaQiEy","url":"https://etherscan.io/address/0x1bc47a0Dd0FdaB96E9eF982fdf1F34DC6207cfE3","type":"smart_contract","addedAt":"2022-12-15T20:01:27.022Z","revision":3,"description":"WithdrawalManager Queue (For reference)","isPrimacyOfImpact":null},{"id":"3GrDvpMygNUgwwspDUbZng","url":"https://etherscan.io/address/0x9e62FE15d0E99cE2b30CE0D256e9Ab7b6893AfF5","type":"smart_contract","addedAt":"2022-12-15T20:01:43.727Z","revision":2,"description":"PoolDelegateCover (For reference)","isPrimacyOfImpact":null},{"id":"5UCiK5lWrvLMQA6YTQnwq1","url":"https://etherscan.io/address/0x3F542d451344Ea0Cb58323d049033Fd46Ae56Ec3","type":"smart_contract","addedAt":"2022-12-15T20:02:29.947Z","revision":2,"description":"Loan (Fixed-Term for reference)","isPrimacyOfImpact":null},{"id":"zr5NtZOZ1OJEmtv0gV9mD","url":"https://etherscan.io/address/0x6ACEb4cAbA81Fa6a8065059f3A944fb066A10fAc","type":"smart_contract","addedAt":"2023-06-21T00:35:58.409Z","revision":2,"description":"LoanManager (Open-Term For reference)","isPrimacyOfImpact":null},{"id":"1ktKZdjIDSSpLOSPN12fTi","url":"https://etherscan.io/address/0xDA8f7941192590408DCe701A60FB3892455669Ce","type":"smart_contract","addedAt":"2023-06-21T00:35:56.188Z","revision":1,"description":"Loan (Open-Term For reference)","isPrimacyOfImpact":null},{"id":"1qejdvUrtlEL0AcMOfMthu","url":"https://etherscan.io/address/0x134ccaaa4f1e4552ec8aecb9e4a2360ddcf8df76","type":"smart_contract","addedAt":"2024-05-29T15:46:51.026Z","revision":1,"description":"SyrupRouter","isPrimacyOfImpact":null},{"id":"6npS4lI3vG0H3RKjJNw0fF","url":"https://etherscan.io/address/0x01ab799f77F9a9f4dd0D2b6E7C83DCF3F48D5650","type":"smart_contract","addedAt":"2025-04-09T09:00:10.854Z","revision":1,"description":"Aave Strategy 
Factory","isPrimacyOfImpact":null},{"id":"6p40p41IGDtNIIKHs40DM8","url":"https://etherscan.io/address/0xFc8F7F97165d446B02Cc95363d2cA31154BBe9F9","type":"smart_contract","addedAt":"2025-04-09T09:00:29.801Z","revision":1,"description":"Aave Strategy Implementation (V100)","isPrimacyOfImpact":null},{"id":"6KP8Jd5yV3YkjD0MfrzUVO","url":"https://etherscan.io/address/0x0d2dBb28B1c7d225132722FAdb2402E93A35c1Be","type":"smart_contract","addedAt":"2025-04-09T09:00:44.835Z","revision":1,"description":"Aave Strategy Initializer (V100)","isPrimacyOfImpact":null},{"id":"2vAlUx86zaS6aMgahVKxiP","url":"https://etherscan.io/address/0x27327E08de810c687687F95bfCE92088089b56dB","type":"smart_contract","addedAt":"2025-04-09T09:01:01.275Z","revision":1,"description":"Sky Strategy Factory","isPrimacyOfImpact":null},{"id":"5dfechoA5x8eryMGW3D5g5","url":"https://etherscan.io/address/0xBBEe42621499005Ff0dDEF947BBDeFfBBeE77730","type":"smart_contract","addedAt":"2025-04-09T09:01:17.726Z","revision":1,"description":"Sky Strategy Implementation (V100)","isPrimacyOfImpact":null},{"id":"3PkeBU9ktN2yrt7gCgrpqL","url":"https://etherscan.io/address/0x29199d071717c72baab50eEf9adD6736A18A1d1d","type":"smart_contract","addedAt":"2025-04-09T09:01:33.178Z","revision":1,"description":"Sky Strategy Initializer (V100)","isPrimacyOfImpact":null},{"id":"1hFd476mncfyN0tCYnEICK","url":"https://etherscan.io/address/0x876D54DBF61473cA169b89B95344A14E81F37afe","type":"smart_contract","addedAt":"2025-04-09T09:01:51.970Z","revision":1,"description":"Basic Strategy Factory","isPrimacyOfImpact":null},{"id":"4DEdqNQGrH0bpMDR86NOAZ","url":"https://etherscan.io/address/0x7a1E281Ec29F3A861f211a28a23161762BD55B73","type":"smart_contract","addedAt":"2025-04-09T09:02:07.335Z","revision":1,"description":"Basic Strategy Implementation 
(V100)","isPrimacyOfImpact":null},{"id":"4sidOlWsCPjXrxgiN6JPUt","url":"https://etherscan.io/address/0x2b9aDDb5244548f126e59FA5483040efc102f69e","type":"smart_contract","addedAt":"2025-04-09T09:02:24.139Z","revision":1,"description":"Basic Strategy Initializer (V100)","isPrimacyOfImpact":null},{"id":"6hW1uoAD4x1k12fGYcI7xW","url":"https://etherscan.io/address/0x78c5f240A1150c3c2ebDBDe559d04a0418DFCFF3","type":"smart_contract","addedAt":"2025-04-09T09:03:04.489Z","revision":1,"description":"BorrowerActions (v1)","isPrimacyOfImpact":null},{"id":"59m2K16hK7WrA6u0sSvOWX","url":"https://etherscan.io/address/0x560B3A85Af1cEF113BB60105d0Cf21e1d05F91d4","type":"smart_contract","addedAt":"2025-04-09T09:05:43.724Z","revision":1,"description":"Aave Strategy","isPrimacyOfImpact":null},{"id":"7dQQNMuG6IA3S41mTVBtzi","url":"https://etherscan.io/address/0x859C9980931fa0A63765fD8EF2e29918Af5b038C","type":"smart_contract","addedAt":"2025-04-09T09:05:59.874Z","revision":1,"description":"Sky Strategy","isPrimacyOfImpact":null},{"id":"6v9IrgadrFJ9WbVRc6oQIv","url":"https://etherscan.io/address/0xF95E5722226a1018d058CD757B75F1D10289e967","type":"smart_contract","addedAt":"2025-11-28T15:35:43.102Z","revision":1,"description":"WithdrawalManagerImplementation (v200) (Queue)","isPrimacyOfImpact":null},{"id":"CaaKodnihWSVYraNTrFm5","url":"https://etherscan.io/address/0xD389BFE4A129525b486B098411336a4fCecF3024","type":"smart_contract","addedAt":"2025-11-28T15:36:15.822Z","revision":1,"description":"WithdrawalManagerInitializer (v200)","isPrimacyOfImpact":null},{"id":"5eKZwqD12kewqXK4Dx3wFz","url":"https://etherscan.io/address/0x2eFFf88747EB5a3FF00d4d8d0f0800E306C0426b","type":"smart_contract","addedAt":"2025-11-28T15:39:26.814Z","revision":1,"description":"GovernorTimelock","isPrimacyOfImpact":null}],"assetsBodyV2":"All contracts listed above are in scope, as well as all proxy and contract instances deployed from all factories. 
Though only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target.\n\nAll contracts that are marked as “(*For reference*)” are instances of contracts that have been deployed by protocol factories and are in scope for the audit. All other instances that are deployed in the same fashion are in scope of the audit, including:\n- Liquidator (Not deployed currently, deployed during loan liquidations of collateral)\n- Loan (Fixed-Term & Open-Term)\n- LoanManager (Fixed-Term & Open-Term)\n- Pool\n- PoolManager\n- PoolDelegateCover\n- WithdrawalManager (Cyclical)\n- WithdrawalManager (Queue)\n- Liquid DeFi strategies such as Aave and Sky","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["JavaScript","Solidity"],"launchDate":"2022-01-25T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/eUOQ1h8f4Rp7j6crz0YSq/669fab983d425d27fad87560219065a5/Maple_Logo.jpg","maxBounty":500000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"Founded in 2019 and led by a team of former bankers and credit investment professionals aiming to improve upon legacy capital markets, Maple is an institutional capital network that provides the infrastructure for credit experts to run on-chain lending businesses and connects institutional lenders and borrowers. Built with both traditional financial institutions and decentralized finance leaders, Maple is transforming capital markets by combining industry-standard compliance and due diligence with the transparent and frictionless lending enabled by smart contracts and blockchain technology. Maple is the gateway to growth for financial institutions, pool delegates and companies seeking capital on-chain.\n\nFor more information about Maple, please visit [https://maple.finance/](https://maple.finance/).","programType":["Smart Contract"],"project":"Maple","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward.\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. 
However, there is a minimum reward of __USD 50 000__ and a maximum reward of __USD 500 000__.\n\nMaple requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is a government-issued photo ID as well as a proof of address issued within the last 3 months (eg. utility bill). \n\nAll known issues highlighted in the following audit reports are considered to be out-of-scope:\n- [https://github.com/maple-labs/maple-v2-audits/blob/main/README.md](https://github.com/maple-labs/maple-v2-audits/blob/main/README.md) \n\nIn addition, all issues related to 4626 compliance are considered out of scope of this program. \n\nPayouts are handled by the __Maple__ team directly and are denominated in USD. However, payouts are done in __USDC__ or __MPL__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, MPL","slug":"maple","updatedDate":"2025-11-28T15:40:33.159Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Founded in 2019 and led by a team of former bankers and credit investment professionals aiming to improve upon legacy capital markets, Maple is an institutional capital network that provides the infrastructure for credit experts to run on-chain lending businesses and connects institutional lenders and borrowers.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":3726,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":3727,"type":"smart_contract","severity":"high","title":"Unintended changes in smart contract permissioning"},{"id":3728,"type":"smart_contract","severity":"high","title":"Unintended changes in proxy/upgradeability functionality"},{"id":3729,"type":"smart_contract","severity":"high","title":"Unfair liquidations of collateral"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":3730,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":39121,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":39122,"severity":"high","assetType":"smart_contract","fixedReward":25000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"14sxV3LxRhvFxw0TxD4QLK","url":"https://snowtrace.io/address/0x872670CcAe8C19557cC9443Eff587D7086b8043A","type":"smart_contract","addedAt":"2025-11-27T17:14:46.172Z","revision":1,"description":"qiBUSD","isPrimacyOfImpact":null},{"id":"15azVGiZEOtjrTQIfjbrDY","url":"https://snowtrace.io/address/0x4036cb0D6BF6b5F17Aa4e05191F86D4b1655b0d9","type":"smart_contract","addedAt":"2025-11-27T17:14:47.096Z","revision":1,"description":"qiAvalancheEcosystemMarketsJOE","isPrimacyOfImpact":null},{"id":"1OkVa5ar4hQdZlhaWeiAJC","url":"https://snowtrace.io/address/0x0fFAc5aae14E28E79C5CCc7a335D8C70Ee458A3A","type":"smart_contract","addedAt":"2025-11-27T17:14:48.575Z","revision":1,"description":"qiAvalancheEcosystemMarketsSolvBTC","isPrimacyOfImpact":null},{"id":"1RmJZBhy6NzkfR6ofPXEvv","url":"https://snowtrace.io/address/0x77533A0b34cd9Aa135EBE795dc40666Ca295C16D","type":"smart_contract","addedAt":"2022-05-10T15:42:53.760Z","revision":3,"description":"QiTokenSaleDistributorProxy","isPrimacyOfImpact":null},{"id":"1wH1YfQ1Z3cYMmBQZyz0nV","url":"https://snowtrace.io/address/0x0eBfebD41e1eA83Be5e911cDCd2730a0CCEE344d","type":"smart_contract","addedAt":"2025-11-27T17:14:46.851Z","revision":1,"description":"qiAvalancheEcosystemMarketsCOQ","isPrimacyOfImpact":null},{"id":"289eHURMLwVyqnm70iGIbw","url":"https://snowtrace.io/address/0xb7CfB8Ae67E20059021A0D20fc30311a6c67C734","type":"smart_contract","addedAt":"2025-11-27T17:14:45.444Z","revision":1,"description":"qiAvalancheEcosystemMarketsAUSD","isPrimacyOfImpact":null},{"id":"2AB5KY8DhS64f2WTslCo9n","url":"https://snowtrace.io/address/0x8729438EB15e2C8B576fCc6AeCdA6A148776C0F5","type":"smart_contract","addedAt":"2025-11-27T17:14:45.
917Z","revision":1,"description":"QI","isPrimacyOfImpact":null},{"id":"2YbqYxKfUeGExaz1v3yu23","url":"https://snowtrace.io/address/0xBEb5d47A3f720Ec0a390d04b4d41ED7d9688bC7F","type":"smart_contract","addedAt":"2025-11-27T17:14:44.898Z","revision":1,"description":"qiUSDC","isPrimacyOfImpact":null},{"id":"2mnyYSbMU3XgLEdrNDYeF6","url":"https://snowtrace.io/address/0x4e9f683A27a6BdAD3FC2764003759277e93696e6","type":"smart_contract","addedAt":"2025-11-27T17:14:46.423Z","revision":1,"description":"qiLINK","isPrimacyOfImpact":null},{"id":"2uxxnGllXIDXcnCrizLz5l","url":"https://snowtrace.io/address/0x334AD834Cd4481BB02d09615E7c11a00579A7909","type":"smart_contract","addedAt":"2025-11-27T17:14:47.637Z","revision":1,"description":"qiETH","isPrimacyOfImpact":null},{"id":"2xzwHsdn1nsSrPRRTb8DSl","url":"https://snowtrace.io/address/0xF362feA9659cf036792c9cb02f8ff8198E21B4cB","type":"smart_contract","addedAt":"2025-11-27T17:14:44.841Z","revision":1,"description":"qisAVAX","isPrimacyOfImpact":null},{"id":"3MobJIXqRUK7iiaDlgMbyZ","url":"https://snowtrace.io/address/0xd8fcDa6ec4Bdc547C0827B8804e89aCd817d56EF","type":"smart_contract","addedAt":"2025-11-27T17:14:44.608Z","revision":1,"description":"qiUSDTn","isPrimacyOfImpact":null},{"id":"3cgWRqS4X6GbNsgcyRRz7s","url":"https://snowtrace.io/address/0xd78DEd803b28A5A9C860c2cc7A4d84F611aA4Ef8","type":"smart_contract","addedAt":"2025-11-27T17:14:45.133Z","revision":1,"description":"Maximillion","isPrimacyOfImpact":null},{"id":"44Ezj5kkw4B9Hkrb7bDVyi","url":"https://snowtrace.io/address/0x09C1E991870cbC01009a4b49397A4f2a127D3784","type":"smart_contract","addedAt":"2025-11-27T17:14:48.507Z","revision":2,"description":" sAVAX reward 
timelock","isPrimacyOfImpact":null},{"id":"4GsdsToKXWl9p3NJgFl8Kx","url":"https://snowtrace.io/address/0xe194c4c5aC32a3C9ffDb358d9Bfd523a0B6d1568","type":"smart_contract","addedAt":"2025-11-27T17:14:44.853Z","revision":1,"description":"qiBTC","isPrimacyOfImpact":null},{"id":"4JWu5vKWfWjdRFTdWJXVC8","url":"https://snowtrace.io/address/0x14593cb3Ffe270a72862Eb08CeB57Bc3D4DdC16C","type":"smart_contract","addedAt":"2025-11-27T17:14:46.669Z","revision":1,"description":"GaugeController","isPrimacyOfImpact":null},{"id":"4WgoVKj9GFeJ0G1ilF30po","url":"https://snowtrace.io/address/0xc436f5bc8a8bd9c9e240a2a83d44705ec87a9d55","type":"smart_contract","addedAt":"2022-05-10T15:42:47.158Z","revision":2,"description":"JumpRateModel","isPrimacyOfImpact":null},{"id":"4xImVKvpMFpRLLspYA4nJB","url":"https://benqi.fi","type":"websites_and_applications","addedAt":"2022-05-10T15:42:54.778Z","revision":3,"description":"Website/App","isPrimacyOfImpact":null},{"id":"55zD1Ldjqi7gA9Ek4X641S","url":"https://snowtrace.io/address/0x5C0401e81Bc07Ca70fAD469b451682c0d747Ef1c","type":"smart_contract","addedAt":"2025-11-27T17:14:46.234Z","revision":1,"description":"qiAVAX","isPrimacyOfImpact":null},{"id":"5HrftjHWZJhTcODOqzJsms","url":"https://snowtrace.io/address/0x2b2C81e08f1Af8835a78Bb2A90AE924ACE0eA4bE","type":"smart_contract","addedAt":"2022-05-10T15:42:51.756Z","revision":3,"description":"StakedAvax","isPrimacyOfImpact":null},{"id":"5Ij7al6RDW38MIVaoesaeH","url":"https://snowtrace.io/address/0xD7c4006d33DA2A0A8525791ed212bbCD7Aca763F","type":"smart_contract","addedAt":"2025-11-27T17:14:45.200Z","revision":1,"description":"Isolated Markets 
Unitroller","isPrimacyOfImpact":null},{"id":"5RxhgueaEceQnUCWMvcZdI","url":"https://snowtrace.io/address/0x784DA19e61cf348a8c54547531795ECfee2AfFd1","type":"smart_contract","addedAt":"2022-05-10T15:42:52.800Z","revision":3,"description":"PglStakingContractProxy","isPrimacyOfImpact":null},{"id":"5wwssFSTNRJjb8eDKQZOtV","url":"https://snowtrace.io/address/0x10f3dd258707A398964a286D9F2EF556C6Ad82E6/","type":"smart_contract","addedAt":"2025-11-27T17:14:48.605Z","revision":1,"description":"Pause Guardian","isPrimacyOfImpact":null},{"id":"6KFaHPl6ZXqOXsy8cKW7j2","url":"https://snowtrace.io/address/0x89a415b3D20098E6A6C8f7a59001C67BD3129821","type":"smart_contract","addedAt":"2025-11-27T17:14:45.875Z","revision":1,"description":"qiBTC.b","isPrimacyOfImpact":null},{"id":"6QdNzBlzHO8e0m9FfBThtT","url":"https://snowtrace.io/address/0x6B35Eb18BCA06bD7d66a428eeb45aC7d200C1e4E","type":"smart_contract","addedAt":"2025-11-27T17:14:46.335Z","revision":1,"description":"qiAvalancheEcosystemMarketsUSDC","isPrimacyOfImpact":null},{"id":"6VRm960UTXxKl1ky3CJrZk","url":"https://snowtrace.io/address/0x926C0857bcB6b109C1260c3b6660EfA8E633d73A","type":"smart_contract","addedAt":"2025-11-27T17:14:45.968Z","revision":1,"description":"Benqi Dual 
Oracle","isPrimacyOfImpact":null},{"id":"6XTC6a6Dx0XUDsUGmrqEHT","url":"https://snowtrace.io/address/0xbAA9Ae3370Ba3804619ea75979C56D1137a904A5","type":"smart_contract","addedAt":"2025-11-27T17:14:45.616Z","revision":1,"description":"JlpStakingContractProxy","isPrimacyOfImpact":null},{"id":"6r5kO5TN6DTCl7EA0JkgAu","url":"https://snowtrace.io/address/0x545356e396350D40cDEa888ad73534517399BF96","type":"smart_contract","addedAt":"2025-11-27T17:14:46.442Z","revision":1,"description":"qiAvalancheEcosystemMarketsQI","isPrimacyOfImpact":null},{"id":"7CBWqNh1LS9tHbP1bP8j6N","url":"https://snowtrace.io/address/0x35Bd6aedA81a7E5FC7A7832490e71F757b0cD9Ce","type":"smart_contract","addedAt":"2025-11-27T17:14:47.351Z","revision":1,"description":"qiQi","isPrimacyOfImpact":null},{"id":"7KTOCexRkaXmkhwqgSeNig","url":"https://snowtrace.io/address/0x486Af39519B4Dc9a7fCcd318217352830E8AD9b4","type":"smart_contract","addedAt":"2025-11-27T17:14:46.510Z","revision":1,"description":"BENQI Core Markets Unitroller","isPrimacyOfImpact":null},{"id":"7fxef80EVPAOTN5yPXURLm","url":"https://snowtrace.io/address/0x835866d37AFB8CB8F8334dCCdaf66cf01832Ff5D","type":"smart_contract","addedAt":"2025-11-27T17:14:46.164Z","revision":1,"description":"qiDAI","isPrimacyOfImpact":null},{"id":"7mIWaeVdKRcoeSGOCNKFC3","url":"https://snowtrace.io/address/0x9F21eB10b7Bc56a7d7879E67fB7BAC415EaFb973","type":"smart_contract","addedAt":"2025-11-27T17:14:45.833Z","revision":1,"description":"MultiRewardDistributor","isPrimacyOfImpact":null},{"id":"7pJODdJ8HpWNOpNBMdE7yf","url":"https://snowtrace.io/address/0xB71a820d80189073F69498010cb67bDDAe050633","type":"smart_contract","addedAt":"2025-11-27T17:14:45.557Z","revision":1,"description":"Ignite","isPrimacyOfImpact":null},{"id":"GuWkA3fz0fd00wI8cb7KV","url":"https://snowtrace.io/address/0x7Ee65Fdc1C534A6b4f9ea2Cc3ca9aC8d6c602aBd","type":"smart_contract","addedAt":"2025-11-27T17:14:46.098Z","revision":1,"description":"veQI","isPrimacyOfImpact":null},{"id":"SetPZfCilVtwA2
PT5gY63","url":"https://snowtrace.io/address/0xf81B4C4abf7de8B8FC560D66F0eB70598D8BF15e","type":"smart_contract","addedAt":"2025-11-27T17:14:44.269Z","revision":1,"description":"BenqiDualOracle","isPrimacyOfImpact":null},{"id":"Ykbhu0Dy5MRbsadCYHqTf","url":"https://snowtrace.io/address/0xc9e5999b8e75C3fEB117F6f73E664b9f3C8ca65C","type":"smart_contract","addedAt":"2025-11-27T17:14:44.946Z","revision":1,"description":"qiUSDT","isPrimacyOfImpact":null},{"id":"nBeNC6W4lRQwSSZHoOBQC","url":"https://app.benqi.fi","type":"websites_and_applications","addedAt":"2022-06-21T23:20:35.494Z","revision":2,"description":"Website/App","isPrimacyOfImpact":null},{"id":"p5V92PkQjU1MdDhPQyKGl","url":"https://snowtrace.io/address/0xB715808a78F6041E46d61Cb123C9B4A27056AE9C","type":"smart_contract","addedAt":"2025-11-27T17:14:45.644Z","revision":1,"description":"qiUSDCn","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Avalanche"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["ReactJS","Solidity"],"launchDate":"2021-08-19T12:00:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/14300-nU4DSeZAHougwVPw4q-SQ-Wooj2YwSfUcpv5Msnb6tyrMGQU4XKm.png","maxBounty":500000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors that could 
lead to a bricking of the contract\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces\n\n__Websites and Apps__\n\n  - Remote Code Execution\n  - Trusting trust/dependency vulnerabilities\n  - Vertical Privilege Escalation\n  - XML External Entities Injection\n  - SQL Injection\n  - LFI/RFI\n  - Horizontal Privilege Escalation\n  - Stored XSS\n  - Reflective XSS with impact\n  - CSRF with impact\n  - Internal SSRF\n  - Session fixation\n  - Insecure Deserialization\n  - Direct object reference\n  - DOM XSS\n  - SSL misconfigurations\n  - SSL/TLS issues (weak crypto, improper setup)\n  - URL redirect\n  - Clickjacking (must include PoC to be considered)\n  - Misleading Unicode text (e.g. using right to left override characters)","productType":["Lending","Liquid Staking"],"programOverview":"__BENQI Liquidity Market__\n\nBENQI Liquidity Market is a decentralized non-custodial liquidity market protocol, built on Avalanche. The protocol enables users to effortlessly lend, borrow, and earn interest with their digital assets. Depositors providing liquidity to the protocol may earn passive income, while borrowers are able to borrow in an over-collateralized manner.\n\nBENQI aims to alleviate common DeFi problems by providing a Liquidity Market Protocol on a highly scalable and decentralized platform. 
With a focus on approachability, ease of use, and low fees, BENQI will democratize access to decentralized financial products by providing permissionless lending and borrowing where users can:\n\n  - Instantly supply to and withdraw liquidity from a shared liquidity market\n  - Instantly borrow from a liquidity market using their supplied assets as collateral\n  - Have a live and transparent view of interest rates around the clock based on the asset's market supply and demand\n\n__BENQI Liquid Staking__\n\nBENQI Liquid Staking (BLS) is a liquid staking protocol built on Avalanche. It tokenizes staked AVAX and allows users to freely use it within Decentralized Finance dApps such as Automated Market Makers (AMMs), Lending & Borrowing Protocols, Yield Aggregators, etc.\n\nBLS allows users to stake AVAX on the Avalanche C-Chain* without needing to stake on the Avalanche P-Chain*. This allows users to earn validating rewards from the P-Chain without running a full node or locking up AVAX on a validating node.\n\nFor more information about BENQI, please visit [https://docs.benqi.fi/](https://docs.benqi.fi/). \n\nThe bug bounty program is focused around its smart contracts and the prevention of loss of user funds, thefts and freezing of principal of any amount, thefts and freezing of unclaimed yield of any amount, theft of governance funds, denial of service, DNS hijack attacks, and social media administrative control breaches.","programType":["Smart Contract","Websites and Applications"],"project":"BENQI","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nThe final reward amount for critical smart contract and blockchain vulnerabilities is capped at 10% of the economic damage funds at risk based on the vulnerability reported with a payout floor of __USD 50 000__.  All smart contract reports must come with a Proof of Concept (PoC) showing impact. Reports without a PoC will be automatically rejected.\n\nAll web and app bug reports must come with a Proof of Concept (PoC) showing impact. Reports without a PoC will be automatically rejected.\n\nPayouts are handled by the __BENQI__ team directly and are denominated in USD. Payouts are done in __USDC__ or __USDT__ for High level bug reports. For payouts __USD 50 000__ and above, up to 80% of the payout may be done in __$Qi__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"QI","slug":"benqi","tenPercentEconomicRule":true,"updatedDate":"2025-11-27T17:24:07.607Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table. All reports must come with a Proof of Concept (PoC) showing impact. Reports without a PoC will be automatically rejected.","websiteUrl":"https://benqi.fi/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"BENQI is a decentralized finance protocol on Avalanche that lets users lend, borrow, stake, and earn yield — either by supplying assets for interest or by staking AVAX to get a liquid staking token sAVAX, which remains usable in DeFi.  
Since its 2021 launch, it has grown into a full DeFi ecosystem combining liquidity markets, liquid staking, and validator bootstrapping.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - ERC-777 re-entrancy\n  - Reward distribution bugs affecting early borrowers in markets with zero distribution rewards\n  - Reward distribution bugs resulting from temporarily disabling distribution rewards","customProhibitedActivities":[],"impacts":[{"id":842,"type":"smart_contract","severity":"high","title":"Complete theft of unclaimed yield"},{"id":843,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":851,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":852,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":853,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of 
any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"}],"rewards":[{"id":39117,"severity":"critical","assetType":"smart_contract","maxReward":500000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":39118,"severity":"high","assetType":"smart_contract","maxReward":20000,"rewardModel":"up_to"},{"id":39119,"severity":"critical","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":39120,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"11kKQnvCt9ZZvI4YVSepkI","url":"https://zkevm.polygonscan.com/address/0x65A4b8A0927c7FD899aed24356BF83810f7b9A3f#code","type":"smart_contract","addedAt":"2023-06-30T13:00:00.000Z","revision":2,"description":"zkEVM 
Bridge","isPrimacyOfImpact":null},{"id":"1c3z6QzY7kUACCIoLFzyHq","url":"https://optimistic.etherscan.io/address/0x0bCa65bf4b4c8803d2f0B49353ed57CAAF3d66Dc","type":"smart_contract","addedAt":"2023-06-30T13:00:00.000Z","revision":2,"description":"Smart-Contract Optimism Bridge","isPrimacyOfImpact":null},{"id":"21DBbBcRNpBAmN64sFcBAE","url":"https://bscscan.com/address/0xB80A582fa430645A043bB4f6135321ee01005fEf#code","type":"smart_contract","addedAt":"2023-06-30T13:00:00.000Z","revision":2,"description":"BSC Bridge","isPrimacyOfImpact":null},{"id":"3SIts2pddMPOuty6A2BLCu","url":"https://arbiscan.io/address/0x15ca1fC728Cce7cd06151C8007e89dEe70260228#code","type":"smart_contract","addedAt":"2023-06-30T13:00:00.000Z","revision":2,"description":"ARB MultiSig","isPrimacyOfImpact":null},{"id":"3xJyY5g7IPtz3OpzdfD8OB","url":"https://polygonscan.com/address/0xba4eee20f434bc3908a0b18da496348657133a7e#code","type":"smart_contract","addedAt":"2023-06-30T13:00:00.000Z","revision":2,"description":"MATIC Bridge","isPrimacyOfImpact":null},{"id":"4dtEb9jtLvGO8DLmAZW1Lx","url":"https://arbiscan.io/address/0x10417734001162ea139e8b044dfe28dbb8b28ad0#code","type":"smart_contract","addedAt":"2023-06-30T13:00:00.000Z","revision":2,"description":"ARB Bridge","isPrimacyOfImpact":null},{"id":"5F7bhJfwUWWGlER4Ry9F3O","url":"https://explorer.zksync.io/address/0x1fa66e2B38d0cC496ec51F81c3e05E6A6708986F#contract","type":"smart_contract","addedAt":"2023-06-30T13:00:00.000Z","revision":2,"description":"zkSync Bridge","isPrimacyOfImpact":null},{"id":"5gJATr8exUbC9z5V2FZo9T","url":"https://bscscan.com/address/0x7Af3828c0B061552AF3479806Add982eEf04f0c8#code","type":"smart_contract","addedAt":"2023-06-30T13:00:00.000Z","revision":2,"description":"BSC MultiSig","isPrimacyOfImpact":null},{"id":"7wH8DkerwixlrxesBoqZnW","url":"https://polygonscan.com/address/0x249aAbb1d67A76404Cc1197fa37ADAf358B1E212#code","type":"smart_contract","addedAt":"2023-06-30T13:00:00.000Z","revision":2,"description":"MATIC 
MultiSig","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nThough only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target. \n\nIf an impact can be caused to any other asset managed by Rhino.fi that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. This only applies to Critical impacts.\n\nNo assumption can be made of access to authorized accounts. Such assumption will nullify the report","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","BSC","ETH","Optimism","Polygon","Polygon zkEVM","zkSync","Starknet","Tron","Base"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-06-30T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/25ePrKVjMVEAkF7o1FWQYk/ca279ddf668dfa794424e918034346a5/rhino.fi_logo.jpeg","maxBounty":2000000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Bridge","Crosschain Liquidity"],"programOverview":"rhino.fi is a multi-chain DeFi aggregator platform, bringing you the best DeFi opportunities in one place.\nThe company began by pioneering the development of instant, gas-free spot trading on Ethereum layer 2 (powered by StarkEx). Now, they want to unlock the full potential of multi-chain and allow the next million users to enjoy everything DeFi has to offer, through a self-custodial UX that rivals the best centralised exchanges.\n\nFor more information about rhino.fi, please visit [https://rhino.fi/.](https://rhino.fi/)","programType":["Smart Contract"],"project":"Rhino.fi","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the  [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nAll Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 2,000,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 100,000 is to be rewarded in order to incentivize security researchers against withholding a bug report.  
\nAll High and Medium rewards for the project bug bounty program are scaled based on internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in place. However, there is a minimum reward for each severity level; rewards will be provided at the fair value determined by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program.\n\nThe following vulnerabilities relating to those contracts are not eligible for this specific bounty, but can be submitted instead to [https://immunefi.com/bounty/starkex/](https://immunefi.com/bounty/starkex/):\n\n- [https://github.com/starkware-libs/starkex-contracts/tree/master/audit](https://github.com/starkware-libs/starkex-contracts/tree/master/audit) \n- All vulnerabilities found in any audit documents in [https://github.com/rhinofi/contracts_public](https://github.com/rhinofi/contracts_public)\n\nPayouts are handled by the __rhino.fi__ team directly and are denominated in USD. However, payouts are done in __USDT__ and __USDC__, with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC or USDT","slug":"rhinofi","updatedDate":"2025-11-25T09:48:05.429Z","impactsBody":"No assumption can be made of access to authorized accounts. 
Such assumption will nullify the report","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Rhino.fi is the lightning fast stablecoin liquidity layer powering instant, scalable, cross-chain liquidity all through a single API.\nWe operate our own internal solver and pre-funded liquidity network, enabling guaranteed stablecoin pricing, minimal slippage, and near-instant settlement across 35+ chains, including Ethereum, Solana, Tron, TON, BNB and specialised Appchains.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Miner-extractable value (MEV)\n- Smart contract unable to operate due to lack of token funds \n- Non-exploitable re-entrancy (no state change)\n- Defects not exploitable in compiler version\n","customProhibitedActivities":[],"impacts":[{"id":4323,"type":"smart_contract","severity":"low","title":"Denial of service preventing Operator interaction with smart contracts"},{"id":4324,"type":"smart_contract","severity":"low","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":4325,"type":"smart_contract","severity":"low","title":"Block stuffing for profit"},{"id":4326,"type":"smart_contract","severity":"low","title":"Theft of gas"},{"id":4328,"type":"smart_contract","severity":"high","title":"Direct theft of a user funds"},{"id":4329,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for other users for at least 28 days"},{"id":4330,"type":"smart_contract","severity":"medium","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":4331,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation that could lead to theft of funds"},{"id":4332,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield. This must be an exploit which can be applied to steal funds from any user under normal circumstances."},{"id":4333,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties. 
This must be an exploit which can be applied to steal funds from any user under normal circumstances."},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"}],"rewards":[{"id":8321,"severity":"critical","assetType":"smart_contract","maxReward":2000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":6486,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range"},{"id":6487,"severity":"medium","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":6488,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"6uaSUciBHd5C6FNu67SSmL","url":"https://github.com/ProvableHQ/snarkVM","type":"blockchain_dlt","addedAt":"2025-11-24T10:00:00.000Z","revision":1,"description":"snarkVM","isPrimacyOfImpact":null},{"id":"29ksQjldSYCeY0RaqV8VY5","url":"https://github.com/ProvableHQ/snarkOS","type":"blockchain_dlt","addedAt":"2025-11-24T10:00:00.000Z","revision":1,"description":"snarkOS","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Subscription Plan: 
Essential"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-11-24T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3fyZzC5R5CYmGB1rEUFd9S/6ad350030b7a5a30bb964ba0d73d8ef6/Aleo.png","maxBounty":65000,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Welcome to the Aleo Bug Bounty Program! We care deeply about the security of the Aleo network and want to incentivize white hat hackers and security researchers to find vulnerabilities in our core protocol.\n\nAleo is a developer platform that uses zero-knowledge technology to enable decentralized apps that are private, programmable, secure, and scalable. We are launching a fully permissionless, next-generation blockchain & new consensus protocol that is faster, more efficient, and more decentralized than traditional models. Aleo is more than a blockchain. It’s a new computing paradigm defined by client-side execution & cutting-edge cryptography designed for the web.\n\nFor more information about Aleo, please visit [https://aleo.org/](https://aleo.org/).\n\nAleo provides rewards in **ALEO** on **Aleo Network**, denominated in **USD**. For more details about the payment process, please view the **Rewards by Threat Level** section.\n\n__KYC Requirement__\n\nAleo will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nAleo adheres to **Category 3: Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nAleo adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nAleo’s completed audit reports can be found at [https://aleo.org/post/aleo-completes-security-audits-of-snarkos-and-snarkvm/](https://aleo.org/post/aleo-completes-security-audits-of-snarkos-and-snarkvm/). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Blockchain/DLT"],"project":"Aleo","projectType":["Blockchain"],"rewardsBody":"__Reward Calculation for Critical Level Reports__\n\nFor Critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward USD 65 000. 
However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nFor critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows: \n\n- Network not being able to confirm new transactions (total network shutdown): USD 25 000\n- Unintended permanent chain split requiring hard fork (network partition requiring hard fork): USD 25 000\n- Permanent freezing of funds (fix requires hardfork): USD 10 000 - USD 25 000\n\n__Reward Calculation for High Level Reports__\n\nFor High Blockchain/DLT non-funds-at risk impacts, the reward will be paid out as follows: \n\n- Unintended chain split (network partition): USD 10 000\n- Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments: USD 10 000\n- Causing network processing nodes to process transactions from the mempool beyond set parameters: USD 10 000\n\n__Reward Payment Terms__\n\nPayouts are handled by the Aleo team directly and are denominated in **USD**. However, payments are done in **ALEO** on **Aleo Network**.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ALEO","slug":"aleo","tenPercentEconomicRule":false,"updatedDate":"2025-11-24T14:01:14.636Z","impactsBody":null,"websiteUrl":"https://aleo.org/","githubUrl":"https://github.com/ProvableHQ","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Aleo is a developer platform that uses zero-knowledge technology to enable decentralized apps that are private, programmable, secure, and scalable.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set 
parameters"}],"rewards":[{"id":38729,"severity":"critical","assetType":"blockchain_dlt","maxReward":65000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":38730,"severity":"high","assetType":"blockchain_dlt","maxReward":10000,"minReward":5000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"2mJiB4dGRNoacGhY1Yx33c","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/constants.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":2,"description":"constants.py","isPrimacyOfImpact":null},{"id":"5mX8PolBLrz8vAl1UvIElg","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/errors.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"errors.py","isPrimacyOfImpact":null},{"id":"3ABDrwqgHednf8OU4lnc41","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/types.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"types.py","isPrimacyOfImpact":null},{"id":"1h611wgAZjcbCeaZaJYdMb","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/library/MathLib.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"MathLib.py","isPrimacyOfImpact":null},{"id":"76Ay3w3UbL57nD56GvfOIf","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/library/TrimmedAmountLib.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"TrimmedAmountLib.py","isPrimacyOfImpact":null},{"id":"1fCePy0JJN5rDuZKMpexZr","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/ntt_manager/interfaces/INttManager.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"INttManager.py","isPrimacyOfImpact":null},{"id":"7gZvmua51ewWh6pIqpZKYq","url":"https://github.com/Folks-Finance/al
gorand-ntt-contracts/blob/main/ntt_contracts/ntt_manager/NttManager.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"NttManager.py","isPrimacyOfImpact":null},{"id":"uq6yMSNaHQKNoKzXwThLe","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/ntt_manager/NttRateLimiter.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"NttRateLimiter.py","isPrimacyOfImpact":null},{"id":"3CJnNwEvoz12XiCM8GHvC","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/ntt_token/interfaces/INttToken.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"INttToken.py","isPrimacyOfImpact":null},{"id":"4eL3iUw5kxuc7HZNgWtApw","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/ntt_token/NttToken.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"NttToken.py","isPrimacyOfImpact":null},{"id":"5UzGE05MqdKYhq38Repy3Y","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/ntt_token/NttTokenExisting.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"NttTokenExisting.py","isPrimacyOfImpact":null},{"id":"2khr9oV3IXOpyclbmxHLOf","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/ntt_token/NttTokenNew.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"NttTokenNew.py","isPrimacyOfImpact":null},{"id":"7x4CPmrCQS6ZX5aMjXFvCB","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/transceiver/interfaces/ITransceiver.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"ITransceiver.py","isPrimacyOfImpact":null},{"id":"4RaJ69xarb8JcNG7CjnJhh","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contract
s/transceiver/interfaces/ITransceiverManager.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"ITransceiverManager.py","isPrimacyOfImpact":null},{"id":"1I3vykQDhENP14q2SOKA17","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/transceiver/MessageHandler.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"MessageHandler.py","isPrimacyOfImpact":null},{"id":"3IGTL4KGvAXesXCf9Aovjw","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/transceiver/Transceiver.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"Transceiver.py","isPrimacyOfImpact":null},{"id":"2UqblpbYJsFH2B5RNzcEUX","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/transceiver/TransceiverManager.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"TransceiverManager.py","isPrimacyOfImpact":null},{"id":"7xFYpyOUKivF4MCYiORvZJ","url":"https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/ntt_contracts/transceiver/WormholeTransceiver.py","type":"smart_contract","addedAt":"2025-10-16T10:00:00.000Z","revision":1,"description":"WormholeTransceiver.py","isPrimacyOfImpact":null}],"assetsBodyV2":"**Insight Reporting**\n\nInsight reports may be reported to this program and require a PoC. 
Insights are rewarded according to [Immunefi’s Standardized Competition Reward Terms.](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms)\n\n**Dispute Resolution**\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.\n\n**Responsible Publication Policy**\n\n- Immunefi will publish bug reports, earnings, and a leaderboard for this Audit Competition.\n- Security Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in an audit review of the code in scope (Such auditors may still participate in this program only if they receive project permission)","boostedIntroEvaluating":"### Thank You to All Participating Security Researchers!\n\nThe audit competition has now concluded and is currently in the evaluation phase. During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the platform for all users.","boostedIntroLive":"### **$30,000 USD** in rewards is available for finding bugs on Folks Finance's Wormhole NTT contracts. 
\n\nFor more information about the project, please visit about [Folks Finance](https://folks.finance)\n\n- KYC is not required.\n\n- Flat Reward Pool\n\n**Proof of Concept (PoC) Requirements**\n\n- A **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n- Any technical questions and support requests can be asked directly to Folks Finance team or Immunefi in the [#folks-finance-wormhole-NTT-audit-competition](https://discord.com/channels/787092485969150012/1427261722120421376) discord channel.","boostedIntroStartingIn":"### **$30,000 USD** in rewards is available for finding bugs on Folks Finance's Wormhole's NTT on Algorand Implementation contracts. \n\nFor more information about the project, please visit about [Folks Finance](https://folks.finance)\n\nAny technical questions and support requests can be asked directly to Folks Finance team or Immunefi in the [#folks-finance-wormhole-NTT-audit-competition](https://discord.com/channels/787092485969150012/1427261722120421376) discord channel. \n\nWhen the Audit Competition ends, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Folks Finance's technical walkthrough on our official [YouTube channel](https://www.youtube.com/@immunefi).\n\n**A runnable PoC is required**. For more information, please read [Immunefi Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules?utm_source=immunefi)\n\nInsight reports can be submitted. 
Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedLeaderboard":[{"high":1,"name":"Ambitious_DyDx","aspRank":1,"critical":0,"earnings":9960,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":10980,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":1020},{"high":1,"name":"uhudo","aspRank":3,"critical":0,"earnings":8425,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":9415,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":990},{"high":1,"name":"Rhaydden","aspRank":2,"critical":0,"earnings":7470,"insights":0,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":8460,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":990},{"high":0,"name":"yashar","aspRank":4,"critical":0,"earnings":573,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":573,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Afriauditor","aspRank":5,"critical":0,"earnings":573,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":573,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0}],"boostedSummaryReport":null,"ecosystem":["Algorand"],"endDate":"2025-10-27T10:00:00.000Z","evaluationEndDate":"2025-11-20T15:09:16.891Z","features":["Boost","Managed Triage: Signal Booster","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Python"],"launchDate":"2025-10-16T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5mX1G6Exm4R5kKfzK9oqcp/5e96776a0c3a91f9e51f2e543fff76e5/folks_finance.png","maxBounty":30000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Folks Finance is a leading DeFi platform providing innovative 
tools for lending, borrowing, trading and managing digital assets, all in one place.\n\nFolks Finance has built an implementation of Wormhole’s Native Token Transfers (NTT) for Algorand. Wormhole NTT is a framework for transferring tokens across blockchains without liquidity pools. Unlike traditional wrapped assets, NTT maintains your token's native properties on every chain. This ensures that you retain complete control over crucial aspects, such as metadata, ownership, upgradeability, and custom features. \n\nFor more information about Folks Finance and their existing products, please visit https://folks.finance.","programType":["Smart Contract"],"project":"Audit Comp | Folks Finance: Wormhole NTT on Algorand","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes All Star Pool and Podium Pool reserved for [All Star Program](https://immunefi.com/allstars/) participants. \n\nRewards are denominated in USD and distributed in USDC on Ethereum.\n\nFlat Rewards:\nThe reward pool is **$30,000 USD** if any bug is found. That means that even if 1 Low severity bug is found, the whole reward pool is unlocked and has to be fully distributed between security researchers. 
\n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is **$4,500 USD**.\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid and unlock the corresponding reward pool.\n\n**Proof of Concept (PoC) Requirements**\nA **runnable PoC**, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)","rewardsPool":30000,"primaryPool":21000,"allStarsPool":6000,"podiumPool":3000,"rewardsToken":"USDC","slug":"audit-comp--folks-finance-wormhole-ntt-on-algorand","tenPercentEconomicRule":false,"updatedDate":"2025-11-24T06:57:30.360Z","impactsBody":"**Build Commands, Test Commands, and How to Run Them** \nFollow the setup, build and test commands in the repo README https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/README.md. \n\n**Asset Accuracy Assurance**\nBugs found on assets incorrectly listed in-scope are valid.\n\n**Code Freeze Assurance**\nCode of the assets in scope is frozen while the program is live.\n\n**Duplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.**\n\nThe project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\n---\n\n**Previous Audits**\n\nFolks Finance’s completed audit reports can be found at https://github.com/Folks-Finance/audits/blob/bb69a84b2015280e903ee5b55e2bbbc5b880e54f/Adevar%20-%20Algorand%20Wormhole%20NTT%20-%20October%202025.pdf ]. Unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n**Public Disclosure of Known Issues**\n\n- Bug reports for publicly disclosed bugs are not eligible for a reward. 
\n- The Algorand Wormhole NTT implementation doesn’t have the exact same behaviour/specification as the EVM/Solana/Sui Wormhole NTT implementation. \n- There is no support for the NTT Global Accountant.\n- There is no support for “additional payload” in NttManager.\n- There is no support for automatic relaying in WormholeTransceiver.\n- It is the responsibility of the integrator to prevent overflow risk in TrimmedAmount by setting appropriate decimals.\n- It is the responsibility of the integrator to set an appropriate threshold for attestations in the NttManager.\n- It is the responsibility of the integrator to set appropriate rate limits in the NttManager.\n- It is the responsibility of the integrator to add and manage appropriately the configured Transceivers e.g. consider the foreign reference limitations, opcode costs etc. \n- An ASA may have their clawback/freeze set.\n- The NttToken, NttTokenNew and NttTokenExisting are provided as reference implementations. A project is able to implement their own concrete INttToken if needed to fit their custom needs.\n- In general, Wormhole NTT is a framework so if X behaviour is not supported then integrators are recommended to modify the smart contracts for themselves.\n- Opcode optimisation when prioritising clean and readable code.\n- Not checking for rekey and close-to\n- Some box storage cannot be deleted\n- Box MBR funding is implicitly required\n- Some box storage costs are not refunded after box deletion\n- Block timestamp manipulation by block proposer\n\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n\n---\n\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\nAlthough the smart contract code for all the following is out-of-scope, their impact and how they are used is in scope. Namely, on other chains, the Wormhole NTT implementation. 
On Algorand, the Wormhole Core smart contract, VaaVerify logic signature and TmplSig logic signature. \nIf the rate limit is exceeded, the transfer is only delayed from completing. This is the intended design as it follows the equivalent EVM implementation. \n\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nIt’s an extension to the existing Wormhole NTT framework, adding support for Algorand. The main differences between the Algorand and EVM implementation for Wormhole NTT is the introduction of a generic MessageHandler and a global TransceiverManager. \n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nAssumptions made about the compiled TEAL code when in reality it does something else. You can view what the Algorand Python compiles into by looking at the build folder generated named “specs/teal”.\n\nReplay attacks where you can receive or execute the same message multiple times.\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\nAlgorand Standard Assets (ASAs)\n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\nThe integrator has the ability to pause certain functionality in the NttManager and TransceiverManager. A rate limit can be configured for outbound and inbound transfer amounts. Configured Transceivers can be removed and added.\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nIn the NttManager: default admin, upgradeable admin, ntt manager admin. In the NttTokenNew and NttTokenExisting: default admin, upgradeable admin. In the TransceiverManager: message handler admin. In the WormholeTransceiver: default admin, upgradeable admin, manager. 
\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\n\nNone\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nAlgorand\n\n**What external dependencies are there?**\n\n- Algorand smart contract library https://github.com/Folks-Finance/algorand-smart-contract-library. \n- The Wormhole NTT implementation on other chains https://github.com/wormhole-foundation/native-token-transfers. \n- The Wormhole Core implementation on Algorand https://github.com/wormhole-foundation/wormhole/tree/main/algorand. \n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nThe external dependency of the Wormhole Core implementation on Algorand https://github.com/wormhole-foundation/wormhole/tree/main/algorand was written a long time ago so uses old outdated standards for Algorand development. \n\n**What are the most valuable educational resources already available? (Ie. 
Documentation, Explainer videos or articles, etc)**\n\n- Algorand NTT Design - https://docs.google.com/document/d/1eli_csvdUgOrrE75dbtoSZQDxv-zAjZyBo61wyaN7jQ/edit?usp=sharing \n- Wormhole NTT explainer video https://youtu.be/Od5cTaxjTiw?si=WtT5MzZvrGMEwMrZ \n- Wormhole NTT Docs - https://wormhole.com/docs/products/token-transfers/native-token-transfers/overview/ \n- Algorand Python Docs - https://algorandfoundation.github.io/puya/ \n- Algorand Developer Portal - https://dev.algorand.co/","websiteUrl":"https://folks.finance","githubUrl":"https://github.com/Folks-Finance/algorand-ntt-contracts","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.\n","knownIssues":[{"id":1188,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"Block timestamp manipulation by block proposer","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1187,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"Some box storage costs are not refunded after box deletion","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1186,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"Box MBR funding is implicitly required","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1185,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"Some box storage cannot be deleted","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1184,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"Not checking for rekey and 
close-to","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1183,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"Opcode optimisation when prioritising clean and readable code.","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1182,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"In general, Wormhole NTT is a framework so if X behaviour is not supported then integrators are recommended to modify the smart contracts for themselves","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1181,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"The NttToken, NttTokenNew and NttTokenExisting are provided as reference implementations. A project is able to implement their own concrete INttToken if needed to fit their custom needs.","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1180,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"An ASA may have their clawback/freeze set.","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1179,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"It is the responsibility of the integrator to add and manage appropriately the configured Transceivers e.g. consider the foreign reference limitations, opcode costs etc. 
","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1178,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"It is the responsibility of the integrator to set appropriate rate limits in the NttManager.","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1177,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"It is the responsibility of the integrator to set an appropriate threshold for attestations in the NttManager.","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1176,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"It is the responsibility of the integrator to prevent overflow risk in TrimmedAmount by setting appropriate decimals.","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1175,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"There is no support for automatic relaying in WormholeTransceiver.","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1174,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"There is no support for “additional payload” in NttManager.","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1173,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"There is no support for the NTT Global Accountant - https://github.com/wormhole-foundation/wormhole/tree/main/cosmwasm/contracts/ntt-global-accountant","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":1172,"link":"https://github.com/Folks-Finance/algorand-ntt-contracts","description":"The Algorand Wormhole NTT implementation doesn’t have the exact same behaviour/specification as the EVM/Solana/Sui Wormhole NTT implementation. 
","lastUpdatedAt":"2025-10-16T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":5748,"type":"smart_contract","severity":"high","title":"Bypass of rate limiting mechanism"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":5749,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"},{"id":5750,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"5Wn2JTZfNkWEv9NPNepnfF","url":"https://github.com/Folks-Finance/audits/blob/bb69a84b2015280e903ee5b55e2bbbc5b880e54f/Adevar%20-%20Algorand%20Wormhole%20NTT%20-%20October%202025.pdf","auditor":"Adevar Labs","date":"2025-10-10"}]},{"assets":[{"id":"2Ww79tsQT2sDV7vwuDGWNU","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2022-05-13T15:12:33.524Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6ulUHkIZi3O4ORQzLyH260","url":"https://bugs.immunefi.com","type":"websites_and_applications","addedAt":"2022-05-13T15:12:34.617Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3uM1WWFJS6LHgOHJVvdzWg","url":"https://etherscan.io/address/0x03fd3d61423e6d46dcc3917862fbc57653dc3eb0","type":"smart_contract","addedAt":"2023-02-15T13:34:12.753Z","revision":4,"description":"Vault","isPrimacyOfImpact":null},{"id":"5ho3AW1FVHUYxbt6f9kaJN","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:19:37.876Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"5vtuiHuCDur920MFNS9DjW","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2023-10-05T15:19:39.457Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"3lztDrIG0wkcVoCi76zcJz","url":"https://etherscan.io/address/0x323498d3fb02594ac3e0a11b2dea337893ecabbe","type":"smart_contract","addedAt":"2024-03-11T15:01:18.872Z","revision":2,"description":"Splitter","isPrimacyOfImpact":null},{"id":"4rD5qW7kpheMb7O4EJXss4","url":"https://shieldmybags.immunefi.com/","type":"websites_and_applications","addedAt":"2025-11-17T09:38:29.330Z","revision":1,"description":"Shield My Bags","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nUnless explicitly listed, only pages of the web/app assets in addition to the direct link are considered in-scope of the bug bounty program. Other subdomains are not considered as in-scope. 
However, for subdomain takeovers that lead to an impact on the in-scope asset, please refer to our page about [Reported Subdomain Takeovers](https://immunefisupport.zendesk.com/hc/en-us/articles/14352199704593-Reported-Subdomain-Takeovers).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Optimism"],"endDate":null,"evaluationEndDate":null,"features":["Safe Harbor Documents Signed","Managed Triage: Expert Assessment","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2020-12-02T05:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1XjTFUMSo1pLNrTF0aIH4U/353cf547e2cd9dcfc4e464ce9c328c07/Logo_square.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Bug bounty"],"programOverview":"Immunefi is the leading bug bounty platform on web3 with the world’s largest bounties. \n\nImmunefi is interested in securing their beta release Vaults System and website. 
Primary areas of concern are around the modification of information on the website, leakage and loss of client data, leakage of communicated information from clients to the company, and loss of assets in the vaults.\n\nImmunefi is aiming to decentralize the bug bounty space to provide more trust between whitehats and projects through releasing a smart contract Vaults System.\n\nThe first iteration of this Vaults System contains two features: 1) projects on Immunefi can demonstrate proof-of-assets by depositing assets into vaults that are ready to be used to pay out bounties, and 2) projects can conduct payments to whitehats fully on-chain within the Immunefi dashboard. \n\nFor more information about Immunefi, please visit [www.immunefi.com](https://www.immunefi.com) \n\nImmunefi provides rewards in __USDC__. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n\n  - For all submissions, Immunefi may request the researcher's country of residence before releasing payment. Some countries are restricted when it comes to payments. This bug bounty program is only open to individuals who reside outside of the countries that are restricted by OFAC and by UNSC resolutions.\n\nFor critical submissions, Immunefi will request government identification. KYC verification will be completed by an external service before payment can be released.\n\nKYC information is only required on confirmation of the validity of a bug report.  
\n\n__Primacy of Impact vs Primacy of Rules__\n\nImmunefi adheres to the Primacy of Impact for the following severity levels:\n\n  - Smart Contract Critical \n  - Smart Contract High \n  - Smart Contract Medium\n  - Smart Contract Low\n  - Web/App Critical\n  - Web/App High\n  - Web/App Medium\n  - Web/App Low\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n__Immunefi Standard Badge__\nImmunefi has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209), which is given to projects that adhere to our best practices. \n\n__Invoicing Information__\nIf needed by the security researcher, Immunefi is able to provide the necessary information for the proper issuance of an invoice. This includes:\n  - Name of company\n  - Address\n  - Comp reg./taxpayer nr\n  - Email to send invoice\n\nTo request this information, please send a query in the bugs.dashboard in the bug report that has been confirmed to be paid. 
Immunefi will then provide all necessary information for an invoice to be made.","programType":["Smart Contract","Websites and Applications"],"project":"Immunefi","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\nFor critical Smart Contract bugs, the reward amount is __10%__ of the funds directly affected up to a maximum of __USD 50 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD 10 000__ is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\nCritical website and application bug reports will be rewarded with __USD 10 000__, only if the impact leads to a direct loss in funds involving an attack that does not require any user action at all. Additionally, any impact that leads to “Retrieve sensitive data/files from a running server such as: database passwords,blockchain keys, etc (this does not include non-sensitive environment variables, open source code, or usernames” and to “Execute arbitrary system commands” would be rewarded USD 10 000, which is 2x the standard amount for Web/App critical impact. All other impacts that would be classified as Critical, or an impact resulting in a theft of funds that does not fall under this definition, would be rewarded __USD 5 000__.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack is considered if the smart contracts where the vulnerability exists can be upgraded, paused, or killed. 
If the attack impacts a smart contract directly holding funds that cannot be upgraded or paused, the amount of funds at risk will be calculated with the first attack being at 100% of the funds that could be stolen and then a reduction of 25% from the amount of the first attack for every 300 blocks the attack needs for subsequent attacks from the first attack, rounded down. For avoidance of doubt, if a second attack would happen at 600 blocks and then a third at 900 blocks, the funds at risk would be counted at 50% and 25% of the reward from the first attack, respectively.\n\n__Reward Calculation for High Level Reports__\nHigh smart contract vulnerabilities will be capped at up to 100% of the funds affected. In the event of temporary freezing, the reward doubles for every additional 5 blocks that the funds could be temporarily frozen, rounded down to the nearest multiple of 5, up to the hard cap of USD 10 000. \n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are ineligible for a reward:\n\n  - Countries that are restricted by OFAC and by UNSC resolutions.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. \n\n  - Any well-known issues related to Gnosis Safe: [https://docs.gnosis-safe.io/learn/security/security-audits ](https://docs.gnosis-safe.io/learn/security/security-audits)\n\n__Previous Audits__\nImmunefi has provided these completed audit review reports for reference. 
Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n\n  - Here’s the [internal audit](https://github.com/immunefi-team/vaults-splitter/blob/main/audits/2023-02-03%20-%20Immunefi%20-%20Internal%20Audit%20of%20the%20Vaults%20system.pdf) of the Vaults System \n  - Here’s the [Ourovoros audit](https://github.com/immunefi-team/vaults-splitter/blob/main/audits/2023-02-13%20-%20Ourovoros%20Audit.md) of the Vaults System \n\n__Feasibility Limitations__\n\nBug reports that require an attack that involves one or more other protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX), either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible, would be downgraded by one severity level. However, they will be considered as in-scope and categorized according to the program rules as long as all of the following are true:\n\n  - Losses or other negative effects of the attack are inflicted upon Immunefi ecosystem participants (including Immunefi’s customers) \n\n  - The additional protocols used must have enough liquidity in various assets to allow the attack to succeed at the time of bug report submission. For example: if an attack requires an ETH flash loan, but the amount is larger than all the ETH available for loan across the ecosystem\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n\n  - All Smart Contract bug reports\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). 
Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Other Terms and Information__\n\n\nBroken link hijacking of social handles on any social media website will be downgraded to Informational, and a goodwill payout will be rewarded by Immunefi.\n\nBug reports covering previously-discovered bugs are not eligible for the program. If a bug report covers a known issue, it may be rejected, and Immunefi will provide proof that the issue is already known.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Immunefi team directly and are denominated in USD. However, payments are done in USDC","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"immunefi","updatedDate":"2025-11-17T09:39:05.072Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\nThese accepted impacts are then based on the severity classification system of this bug bounty program. When submitting a bug report, please select the severity level you feel best corresponds to the severity classification system as long as the impact itself is one of the listed items. \n\nIf an impact can be caused to any other asset managed by Immunefi that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for consideration by Immunefi.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_1","description":"Immunefi is Web3's leading crowdsourced security platform, protecting over $190 billion in user funds. 
Trusted by over 330 projects like ChainLink, SushiSwap, MakerDAO, Wormhole, and many others, Immunefi works with DeFi’s leading security talent to protect projects against catastrophic exploits.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. 
Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":423,"type":"websites_and_applications","severity":"low","title":"Changing other users details (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction such as: iframing leading to modifying the backend/browser state"},{"id":424,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links such as: social media handles, etc"},{"id":425,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as: locking up the victim from login, cookie bombing, etc"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":426,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as: HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc"},{"id":427,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: email or password of the victim, etc"},{"id":428,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as: email address, phone number, physical address, 
etc"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":429,"type":"smart_contract","severity":"high","title":"Theft of fee or royalties"},{"id":430,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: changing the name of user, enabling/disabling notifications"},{"id":431,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as: reflected HTML injection, loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":432,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":433,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the smart contracts)"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":434,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as: database passwords,blockchain keys, etc (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":435,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: changing registration information, commenting, voting, making trades, withdrawals, etc"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":436,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as: modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of 
funds"}],"rewards":[{"id":35145,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":35146,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":35147,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":35148,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":35149,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":35150,"severity":"high","assetType":"websites_and_applications","maxReward":5000,"minReward":2000,"rewardModel":"range"},{"id":35151,"severity":"medium","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":35152,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4zkcqX60zYLkJhMcQPapOl","url":"https://github.com/NexusMutual/smart-contracts/tree/master","type":"smart_contract","addedAt":"2023-11-11T15:36:00.457Z","revision":3,"description":"Master candidate Branch - excluding /contracts/modules/assessment and /contracts/modules/governance","isPrimacyOfImpact":null},{"id":"CePIxGjswXK11sBTMvml2","url":"https://www.immunefi.com","type":"smart_contract","addedAt":"2023-11-11T15:38:41.935Z","revision":2,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"JswVTgOdPyrES6gW33bvg","url":"https://github.com/NexusMutual/smart-contracts/tree/release-candidate","type":"smart_contract","addedAt":"2022-02-18T11:19:45.718Z","revision":4,"description":"Release candidate Branch - excluding /contracts/modules/assessment and /contracts/modules/governance 
","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-02-23T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7EnL7ZjXRSux9PUrPA8rJ6/2e8adefab735fed30e37d2d744b20964/NXM_Token_Logo.svg","maxBounty":25000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Insurance"],"programOverview":"Nexus Mutual is a cutting-edge decentralized insurance alternative that operates on the Ethereum blockchain. It serves as a groundbreaking community-led protocol that offers transparent and flexible options for its members to buy cover, underwrite risk, assess claims, and build risk management businesses.\n\nWith a primary focus on securing smart contracts and protecting against economic attacks, Nexus Mutual provides safeguards for both the capital pool and user funds. This ensures that members have peace of mind and confidence in the platform's security measures, as well as accessibility and user action security.\n\nFor more information about Nexus Mutual, please visit [nexusmutual.io](http://nexusmutual.io) \n\nNexus Mutual provides rewards in __USDC__, denominated in __USD__. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nNexus Mutual adheres to the Primacy of Impact for the following impacts:\n\n  - Smart Contract – Critical\n    - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n   - Permanent freezing of funds\n   - Protocol insolvency\n\n  - Smart Contract – High\n    - Theft of unclaimed yield\n    - Permanent freezing of unclaimed yield\n    - Temporary freezing of funds\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n\n__Previous Audits__\n\nAll Nexus Mutual security audits can be accessed on: [https://docs.nexusmutual.io/overview/resources/audits-and-security](https://docs.nexusmutual.io/overview/resources/audits-and-security). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Nexus Mutual has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-).","programType":["Smart Contract"],"project":"Nexus Mutual","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\nFor critical smart contract bugs, the reward amount is __10%__ of the funds directly affected up to a maximum of __USD 25 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. A minimum reward of __USD 5 000__ is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n  - If the smart contract where the vulnerability exists can be upgraded/paused/killed, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading, pausing, or in some cases, killing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n  - For critical repeatable attacks on smart contracts that cannot be upgraded/paused/killed, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. 
\n\n__Reward Calculation for High Level Reports__\n\n  - High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if they go unaddressed.   \n\n  - In the event of temporary freezing, the reward increases at a multiplier of two from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by __Nexus Mutual__ directly and are denominated in __USD__. However, payouts are done in __USDC__.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"nexusmutual","tenPercentEconomicRule":false,"updatedDate":"2025-11-14T12:09:41.156Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Nexus Mutual is a cutting-edge decentralized insurance alternative that operates on the Ethereum blockchain. 
It serves as a groundbreaking community-led protocol that offers transparent and flexible options for its members to buy cover, underwrite risk, assess claims, and build risk management businesses.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":209,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting, resulting in deviation from voted outcome - must bypass Advisory Board privileges that could otherwise mitigate the situation"},{"id":5743,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token 
funds"}],"rewards":[{"id":38105,"severity":"critical","assetType":"smart_contract","maxReward":25000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":38106,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":3000,"rewardModel":"range"},{"id":38107,"severity":"medium","assetType":"smart_contract","maxReward":3000,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"5qwYobxzDk4FFHNdDhw9Oe","url":"https://purrsec.com/address/0x02c6a2fa58cc01a18b8d9e00ea48d65e4df26c70","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"feUSD","isPrimacyOfImpact":null},{"id":"2E8AisrFAOsTys82XGMUo2","url":"https://purrsec.com/address/0x9de1e57049c475736289cb006212f3e1dce4711b","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":2,"description":"Collateral Registry","isPrimacyOfImpact":null},{"id":"oxGhTJ6AMSbvrm9EpFOrV","url":"https://purrsec.com/address/0xa32e89c658f7fdcc0bdb2717f253bacd99f864d4","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Hint Helpers","isPrimacyOfImpact":null},{"id":"2C0WvZmQ2bOY9GP4BJMXrD","url":"https://purrsec.com/address/0x5555555555555555555555555555555555555555","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"WHYPE","isPrimacyOfImpact":null},{"id":"26vhKLnqbFQMHHvszfQAq3","url":"https://purrsec.com/address/0xd389c600B302C05e619a25112B27eA07C62A6c8c","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"WHYPE Zapper (For Native Hype)","isPrimacyOfImpact":null},{"id":"4RP7KbSBSmsjrOJxHkliqQ","url":"https://purrsec.com/address/0x39ebba742b6917d49d4a9ac7cf5c70f84d34cc9e","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Active 
Pool","isPrimacyOfImpact":null},{"id":"61JqYLjkb9LkozhrtI9LPB","url":"https://purrsec.com/address/0x7201fb5c3ba06f10a858819f62221ae2f473815d","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Address Registry","isPrimacyOfImpact":null},{"id":"11WS4aEjaroPEQoLOAjPWL","url":"https://purrsec.com/address/0x5b271dc20ba7beb8eee276eb4f1644b6a217f0a3","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Borrower Operations","isPrimacyOfImpact":null},{"id":"7AOq4ZVoJo0zpRV5w9pvHV","url":"https://purrsec.com/address/0x9182e36bd7cceb71812c766c4464208ad9c122ca","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Collateral Surplus Pool","isPrimacyOfImpact":null},{"id":"22oKg1TqDjKAqs7SOkUrqx","url":"https://purrsec.com/address/0xa1e95e74d07fec324a82cd2ef19ebcb33907c605","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Default Pool","isPrimacyOfImpact":null},{"id":"3jLZTkdB7MymGAWHf8JJqG","url":"https://purrsec.com/address/0x7560059081ede2ff6c6b980fd1ee9a53df4e9935","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Gas Pool","isPrimacyOfImpact":null},{"id":"46jmfceZi3rQGhz1zLtW4e","url":"https://purrsec.com/address/0x12a1868b89789900e413a6241ca9032dd1873a51","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Price Feed","isPrimacyOfImpact":null},{"id":"jWaJCuQwlV2gXvBM30xXU","url":"https://purrsec.com/address/0xd1caa4218808eb94d36e1df7247f7406f43f2ef6","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Sorted Troves","isPrimacyOfImpact":null},{"id":"7aH4dOgxdnUxowKc8aO1oO","url":"https://purrsec.com/address/0x576c9c501473e01ae23748de28415a74425efd6b","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Stability 
Pool","isPrimacyOfImpact":null},{"id":"XXBx4rSdk93qZYmRcufTd","url":"https://purrsec.com/address/0x3100f4e7bda2ed2452d9a57eb30260ab071bbe62","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Trove Manager","isPrimacyOfImpact":null},{"id":"1xQMVwbrLXoJBLXGXmypix","url":"https://purrsec.com/address/0x5ad1512e7006fdbd0f3ebb8aa35c5e9234a03aa7","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Trove NFT","isPrimacyOfImpact":null},{"id":"2WnmG2bxvxR1Tv0VREkGq2","url":"https://purrsec.com/address/0x9fdbda0a5e284c32744d2f17ee5c74b284993463","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"UBTC","isPrimacyOfImpact":null},{"id":"2TIEoKfEKsKGjstP657a29","url":"https://purrsec.com/address/0xefbd9cfe88235f0e648aefb52c8e8dc152a9ad6f","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"feUBTC (Felix UBTC Wrapper for Decimals)","isPrimacyOfImpact":null},{"id":"3QS5L3CbsZ0CIvc17iiQYc","url":"https://purrsec.com/address/0x8d99575ebbbda038a626ca769561c16fdd7a5939","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Active Pool","isPrimacyOfImpact":null},{"id":"2qfiBeJaXw3rT62YY7LN7M","url":"https://purrsec.com/address/0xfc4e20bd9f0e4f8782bea92a7bd8002367882407","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Address Registry","isPrimacyOfImpact":null},{"id":"39tlvkqA2JZPqSBzCOr0wq","url":"https://purrsec.com/address/0x36b7bd65276eda7cdc5f730da5cdb7ee7736672e","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Borrower Operations","isPrimacyOfImpact":null},{"id":"44bvOPpxrqqpljwxLgEc4r","url":"https://purrsec.com/address/0xe7aba857f8e2c95462e69b93c7ea78ac19aafe38","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Collateral Surplus 
Pool","isPrimacyOfImpact":null},{"id":"7C6RKSskhv2jNIgRKhCFLn","url":"https://purrsec.com/address/0x50743a84c68a9d14d93364ed31afa4012183df1c","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Default Pool","isPrimacyOfImpact":null},{"id":"347QXkbXTq7Juv60ie0E71","url":"https://purrsec.com/address/0x8b71c92edf02dff693042e4e808d0568ccf0a137","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Gas Pool","isPrimacyOfImpact":null},{"id":"NaAucDsaFkN0NOGgdGsJ4","url":"https://purrsec.com/address/0xf59f338424062dd1d44a9b4dd2721128a45358ab","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Price Feed","isPrimacyOfImpact":null},{"id":"1bviVJkbwRPIj5MixfMU28","url":"https://purrsec.com/address/0x642d979341eaac9c10623f5a58283aa72f6e2fa9","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Sorted Troves","isPrimacyOfImpact":null},{"id":"YXvBDQ2ZFgXRJeGFpsGX6","url":"https://purrsec.com/address/0xabf0369530205ae56dd4c49629474c65d1168924","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Stability Pool","isPrimacyOfImpact":null},{"id":"1dS8mAMh0KvoyIJXzzkZXi","url":"https://purrsec.com/address/0xbbe5f227275f24b64bd290a91f55723a00214885","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Trove Manager","isPrimacyOfImpact":null},{"id":"1GdkpxnETEBOCLSuFj68pS","url":"https://purrsec.com/address/0xad8a43ac8da98990efa4d5ec7b91135965d5846b","type":"smart_contract","addedAt":"2025-10-02T05:00:00.000Z","revision":1,"description":"Trove NFT","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-10-02T05:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4BS96MKj8tAsSeXuOSQJ7f/99b997f0a0e0b8e3aecbd046b330a152/mx8MTMca_400x400_Small_Small.png","maxBounty":100000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Felix is a collateralized debt position protocol running on Hyperliquid L1. Our goal is to let anyone unlock liquidity or earn yield in a secure, risk‑adjusted, and friction‑free way.\n\nThe feUSD CDP Market is a money market that brings together feUSD borrowers / minters and Stability Pool depositors. It uses the Liquity v2 architecture.\n\nFor more information about Felix Protocol, please visit https://usefelix.xyz/.\n\nFelix Protocol provides rewards in **USDC** on **Ethereum**, denominated in **USD**. For more details about the payment process, please view the **Rewards by Threat Level** section further below.\n\n__Primacy of Impact vs Primacy of Rules__\n\nFelix Protocol adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact?utm_source=immunefi)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- ETH_GAS_COMPENSATION set to 0. Due to the nature of the HyperEVM chain, this gas compensation is not required to keep liquidations incentivised, also considering that the COLL_GAS_COMPENSATION is no longer capped at 2 ether.\n- Currently we are not including LST tokens, therefore the fetchRedemption price mechanism has been excluded from the code. In case we include LSTs, we will proceed with reintegrating this price logic.\n\nThe list below includes the issues arising from Liquity V2 audits. The ones closed as accepted can be considered accepted by us as well. 
For what concerns the Cantina competition audit, it is assumed that we acknowledge all the findings.\n\n- Dedaub - [Core Protocol Audit Report I](https://dedaub.com/audits/liquity/liquity-v2-aug-28-2024/), August 2024\n- Dedaub - [Core Protocol Audit Report II](https://dedaub.com/audits/liquity/liquity-v2-second-audit-nov-11-2024/), November 2024\n- Coinspect - [Bold Core Smart Contract Audit](https://www.coinspect.com/doc/Coinspect%20-%20Smart%20Contract%20Audit%20-%20Liquity%20-%20Bold%20-%20v241231.pdf), December 2024\n- Recon - [Liquity Security Review](https://github.com/GalloDaSballo/bold-review), October 2024\n- [Cantina Competition](https://cantina.xyz/portfolio/fca4f98a-7d24-49f1-9a3b-80e5e65b2b30), March-April 2025\n\nThe list below includes the security assessments performed directly on Felix itself. Also in this case, what is considered acknowledged does not represent a valid finding for the bug bounty program. \n\n- Dedaub - [Core Protocol Audit I](https://docs.google.com/document/d/1P6PAdIP3bU7b16IK1AAbZEWFXbPhIxwMP3FGhoot06Q/edit?tab=t.0), December 2024\n- Dedaub - [Core Protocol Audit II](https://dedaub.com/audits/felix/felix-2nd-audit-january-21-2025/), January 2025\n- CoinSpect - [Core Protocol Audit I](https://drive.google.com/file/d/1gvt0_YKOi71qNtJ6MrVd3icsv81u0zCl/view), January 2025 \n- Coinspect - [Core Protocol Audit II](https://drive.google.com/file/d/1VGBabQwisA4fj83MaXVx7NyL4KPkfTg0/view), April 2025\n- 0x73696d616f - [Price Feed and Interest Router Audit](https://github.com/0x73696d616f/felix-issues/issues), March 2025\n\n__Previous Audits__\n\nFelix Protocol’s completed audit reports can be found at [https://usefelix.gitbook.io/felix-docs/advanced/smart-contract-audits](https://usefelix.gitbook.io/felix-docs/advanced/smart-contract-audits). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract"],"project":"Felix","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 4 000 to USD 10 000 depending on the funds at risk, capped at the maximum high reward.  
\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Felix Protocol team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"felix","tenPercentEconomicRule":false,"updatedDate":"2025-11-14T12:01:47.195Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Felix is a suite of on‑chain borrowing and lending products running on Hyperliquid L1. Our goal is to let anyone unlock liquidity or earn yield in a secure, risk‑adjusted, and friction‑free way.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas 
consumption"}],"rewards":[{"id":38090,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":38091,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":4000,"rewardModel":"range"},{"id":38092,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":38093,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"5jGp7rJ8ISt7yT1fg4YihL","url":"https://github.com/AcalaNetwork/Acala","type":"blockchain_dlt","addedAt":"2022-02-11T09:46:19.201Z","revision":1,"description":"Main Network ","isPrimacyOfImpact":null},{"id":"4ICBfjRxAFKyE9yz8poEP3","url":"https://github.com/open-web3-stack/open-runtime-module-library","type":"blockchain_dlt","addedAt":"2022-02-11T09:45:26.118Z","revision":2,"description":"Open Runtime Module Library","isPrimacyOfImpact":null}],"assetsBodyV2":"Only code involving runtime pallets of Acala are considered as in-scope of the bug bounty program. Modules that are not in runtime pallets like tests, those under development, and those that are not live, are considered as out-of-scope of the bug bounty program. 
\n\nHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polkadot"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust"],"launchDate":"2021-12-14T02:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2yQpKoZm8AOR2wLqYzZa9j/fd4701886536ad5828e0ff05edd4771d/acala_logo.png","maxBounty":200000,"pocPerTypeAndSeverity":["blockchain_dlt - medium","blockchain_dlt - high","blockchain_dlt - critical"],"primaryPaymentWallet":"Polkadot","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\nAll those that lead to the impacts stated in the Impacts in Scope section","productType":["Stablecoin","Staking"],"programOverview":"Acala is the decentralized finance network and liquidity hub of Polkadot. It’s a layer-1 smart contract platform that’s scalable, Ethereum-compatible, and optimized for DeFi with built-in liquidity and ready-made financial applications. With its trustless exchange, decentralized stablecoin (aUSD), DOT Liquid Staking (LDOT), and EVM+, Acala lets developers access the best of Ethereum and the full power of Substrate.\n\nFor more information about Acala, please visit [https://acala.network/](https://acala.network/).","programType":["Blockchain/DLT"],"project":"Acala","projectType":["Blockchain","Defi"],"rewardsBody":"__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward USD $200,000. 
However, a minimum reward of USD $40,000 is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nFor critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows: \n- Network not being able to confirm new transactions (total network shutdown) - [50,000 USD] \n- Unintended permanent chain split requiring hard fork (network partition requiring hard fork) - [50,000 USD] \n- For critical Blockchain/DLT bugs, the reward is dependent on the ratio between the funds at risk, which includes all affected projects on top of the respective blockchain/DLT, and the market cap according to the average between CoinMarketCap.com and CoinGecko.com, calculated at the time the bug report is submitted. \n\n__Reward Calculation for High Level Reports__\n\nFor high Blockchain/DLT non-funds-at risk impacts, the reward will be paid out as follows: \n- Unintended chain split (network partition) - [20,000 USD]\n- Temporary freezing of network transactions by reducing number of blocks produced in an hour to be less than 60. I.e. average block time > 60s. - [10,000 USD] \n- Causing network processing nodes to process transactions from the mempool beyond set parameters - [10,000 USD]\n- RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer - [10,000 USD]\n\n\n__Reward Payment Terms__\n\nPayouts are handled by the Acala team directly in crypto tokens of their choices, valued at the US dollar market rates, e.g. DOT, ACA, USDT, USDC. \n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"DOT, ACA, aUSD","slug":"acala","tenPercentEconomicRule":true,"updatedDate":"2025-11-13T22:34:38.927Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Acala is the decentralized finance network and liquidity hub of Polkadot. It’s a layer-1 smart contract platform that’s scalable, Ethereum-compatible, and optimized for DeFi with built-in liquidity and ready-made financial applications. With its trustless exchange, DOT Liquid Staking (LDOT), and EVM+, Acala lets developers access the best of Ethereum and the full power of Substrate.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"","customProhibitedActivities":[],"impacts":[{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":8,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting programs with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without 
brute force actions, but does not shut down the network"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":5357,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by reducing number of blocks produced in an hour to be less than 60. I.e. average block time > 60s."}],"rewards":[{"id":38053,"severity":"critical","assetType":"blockchain_dlt","maxReward":200000,"minReward":40000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":38054,"severity":"high","assetType":"blockchain_dlt","maxReward":40000,"minReward":5000,"rewardModel":"range"},{"id":38055,"severity":"medium","assetType":"blockchain_dlt","maxReward":5000,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"3lXJ1Y1yB1zgW3zmNPrAVJ","url":"https://etherscan.io/address/0xc24A365A870821EB83Fd216c9596eDD89479d8d7#code","type":"smart_contract","addedAt":"2022-02-11T12:24:36.288Z","revision":1,"description":"PolsStake (ETH)","isPrimacyOfImpact":null},{"id":"3N0x1xGvtJRRxojVlFn3sl","url":"https://bscscan.com/address/0xD558675a8c8E1fd45002010BaC970B115163dE3a#code","type":"smart_contract","addedAt":"2022-02-11T12:25:19.197Z","revision":1,"description":"PolsStake (BSC)","isPrimacyOfImpact":null},{"id":"3TOv5Zp9pjRm5gzaA2FN7z","url":"https://www.polkastarter.com","type":"websites_and_applications","addedAt":"2022-02-11T12:27:17.391Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty 
program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Avalanche","BSC","ETH","Polkadot","Polygon","Solana"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["NextJS","Solidity"],"launchDate":"2021-10-12T11:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/QhL5Cn1GfQrsM8DYKpHyO/c25573012e6228e53c98ead992ff93b8/Screenshot_2021-10-09_at_10.01.32_PM.png","maxBounty":1000,"pocPerTypeAndSeverity":["websites_and_applications - critical","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\nSmart Contracts and Blockchain \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces\n\n__Websites and Apps__\n\n  - Remote Code Execution\n  - Trusting trust/dependency vulnerabilities\n  - Vertical Privilege Escalation\n  - XML External Entities Injection\n  - SQL Injection\n  - LFI/RFI\n  - 
Horizontal Privilege Escalation\n  - Stored XSS\n  - Reflective XSS with impact\n  - CSRF with impact\n  - Direct object reference\n  - Internal SSRF\n  - Session fixation\n  - Insecure Deserialization\n  - DOM XSS\n  - SSL misconfigurations\n  - SSL/TLS issues (weak crypto, improper setup)\n  - URL redirect\n  - Clickjacking (must be accompanied with PoC)\n  - Misleading Unicode text (e.g. using right to left override characters)","productType":["Launchpad","Staking"],"programOverview":"Polkastarter is a protocol built for cross-chain token pools and auctions, enabling projects to raise capital in a decentralized, permissionless and interoperable environment based on Polkadot.\n\nThe platform allows cryptocurrency projects to raise funds by setting up a swap pool based on a fixed purchase rate for tokens. These so-called “Fixed Swap Pools” have many advantages for token sale investors over traditional fundraising models like ICOs, IEOs and IDOs (Initial DEX Offerings). Fixed Swap Pools will maintain the token price throughout the sale until the initial supply is bought.\n\nWith Polkastarter, decentralized projects will be able to raise and exchange capital cheap and fast. Users will be able to participate in a secure and compliant environment and to use assets that go way beyond the current ERC20 standard.\n\nFor more information about Polkastarter, please visit [https://polkastarter.com/ ](https://polkastarter.com/) \n\nThis bug bounty program is focused on their smart contracts and app and is focused on preventing:\n\nAny unintentional withdrawing/draining of funds from the staking contract on ETH and BSC (i.e. 
theft of the POLS staked)","programType":["Smart Contract","Websites and Applications"],"project":"Polkastarter","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll critical bug reports must come with a PoC in order to be considered for a reward.\n\nCritical vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum of __USD 50 000__ for Critical bug reports. \n\nPayouts are handled by the __Polkastarter__ team directly and are denominated in USD. Payouts are done in __USDC__ or __USDT__, up to the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC or USDT","slug":"polkastarter","tenPercentEconomicRule":true,"updatedDate":"2025-11-13T17:30:49.746Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Polkastarter is a protocol built for cross-chain token pools and auctions, enabling projects to raise capital in a decentralized, permissionless and interoperable environment based on Polkadot.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)\n  - Attacks requiring privileged access from within the organization","customProhibitedActivities":[],"impacts":[{"id":1109,"type":"smart_contract","severity":"critical","title":"Loss of user funds staked (principal) by freezing or theft"},{"id":1110,"type":"websites_and_applications","severity":"critical","title":"Anything that can lead to loss of user funds"}],"rewards":[{"id":38033,"severity":"critical","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":38034,"severity":"critical","assetType":"websites_and_applications","fixedReward":750,"rewardModel":"fixed","otherImpactMaxReward":0}],"audits":[]},{"assets":[{"id":"4wmJ2zZ4zjfAcP6F2EUlV9","url":"https://arbiscan.io/address/0xEE9deC2712cCE65174B561151701Bf54b99C24C8","type":"smart_contract","addedAt":"2023-02-03T20:17:56.076Z","revision":1,"description":"Connext.sol","isPrimacyOfImpact":null},{"id":"4F7Xv0klBcMBRIqlmhI5sk","url":"https://bscscan.com/address/0xCd401c10afa37d641d2F594852DA94C700e4F2CE","type":"smart_contract","addedAt":"2023-02-03T20:17:58.334Z","revision":1,"description":"Connext.sol","isPrimacyOfImpact":null},{"id":"6Mj0Eygpm36Xhsa2hTC8FR","url":"https://etherscan.io/address/0x8898B472C54c31894e3B9bb83cEA802a5d0e63C6","type":"smart_contract","addedAt":"2023-02-03T20:18:00.928Z","revision":1,"description":"Connext.sol","isPrimacyOfImpact":null},{"id":"4SdZ6J8n9u1FzCczGWB5v1","url":"https://polygonscan.com/address/0x11984dc4465481512eb5b
777e44061c158cf2259","type":"smart_contract","addedAt":"2023-02-03T20:18:04.873Z","revision":1,"description":"Connext.sol","isPrimacyOfImpact":null},{"id":"2MRwB7JY7McrrbXUPJ3z2F","url":"https://optimistic.etherscan.io/address/0x8f7492DE823025b4CfaAB1D34c58963F2af5DEDA","type":"smart_contract","addedAt":"2023-02-03T20:18:07.700Z","revision":1,"description":"Connext.sol","isPrimacyOfImpact":null},{"id":"4ezfRcmjp46wY9RyvC68in","url":"https://gnosisscan.io/address/0x5bB83e95f63217CDa6aE3D181BA580Ef377D2109","type":"smart_contract","addedAt":"2023-02-03T20:18:10.230Z","revision":1,"description":"Connext.sol","isPrimacyOfImpact":null},{"id":"iZW68k1KPtP7q5K1fP1Wm","url":"https://lineascan.build/address/0xa05eF29e9aC8C75c530c2795Fa6A800e188dE0a9","type":"smart_contract","addedAt":"2023-12-22T15:32:17.913Z","revision":1,"description":"Connext.sol","isPrimacyOfImpact":null},{"id":"6zQjer00PlC4RYXnDiEKHV","url":"https://basescan.org/address/0xB8448C6f7f7887D36DcA487370778e419e9ebE3F","type":"smart_contract","addedAt":"2023-12-22T15:32:16.070Z","revision":1,"description":"Connext.sol","isPrimacyOfImpact":null},{"id":"1P4WWuBu9uUJd2Mm2dG0rS","url":"https://arbiscan.io/address/0x5f0F58c8939565C0C553303849Bc5Bf7c530e816","type":"smart_contract","addedAt":"2023-02-03T20:18:12.492Z","revision":2,"description":"ArbitrumSpokeConnector.sol","isPrimacyOfImpact":null},{"id":"5ZBQBy25AMBAXkg3cz68LC","url":"https://bscscan.com/address/0x779D30a8BDD8f8A1cEC0292d7799350a8cCef119","type":"smart_contract","addedAt":"2023-02-03T20:18:14.892Z","revision":2,"description":"WormholeSpokeConnector.sol","isPrimacyOfImpact":null},{"id":"14qi2KOYtBUWz7YzzuOeM6","url":"https://etherscan.io/address/0x02fdF04AF077687CDA03Bd3162388b7972A4a1Cc","type":"smart_contract","addedAt":"2023-02-03T20:18:17.337Z","revision":2,"description":"MainnetSpokeConnector.sol","isPrimacyOfImpact":null},{"id":"4ld7phRzl1BSHCVriBoF7a","url":"https://polygonscan.com/address/0xa052EF2D4Eb460c3886B0fd687FA33D3dc8b15EE","type":"
smart_contract","addedAt":"2023-02-03T20:18:19.706Z","revision":2,"description":"PolygonSpokeConnector.sol","isPrimacyOfImpact":null},{"id":"2prSPP52Vqe7kxQ2Px1lWV","url":"https://optimistic.etherscan.io/address/0x432006CEd3BBa818e3D0d8730426B32Bb34a42aB","type":"smart_contract","addedAt":"2023-02-03T20:18:22.267Z","revision":2,"description":"OptimismSpokeConnector.sol","isPrimacyOfImpact":null},{"id":"jZNcfyCdmjfRKsEXBNWgE","url":"https://gnosisscan.io/address/0xDF97CadbcCeE9cfdB12A3e9BB7663E6753A71a0C","type":"smart_contract","addedAt":"2023-02-03T20:18:24.786Z","revision":2,"description":"GnosisSpokeConnector.sol","isPrimacyOfImpact":null},{"id":"5gD2LSZnSe1wBGTCPqVB7e","url":"https://basescan.org/address/0x6E3f48301C13d31fC4448039c8F82EB99C2714b4","type":"smart_contract","addedAt":"2023-12-22T15:32:03.812Z","revision":1,"description":"BaseSpokeConnector.sol","isPrimacyOfImpact":null},{"id":"1fw7Ib59QLQx2j41q0Sfzm","url":"https://lineascan.build/address/0xA401e30E6b7Eb50e9355a4FA8F29118d28386E33","type":"smart_contract","addedAt":"2023-12-22T15:32:01.925Z","revision":1,"description":"LineaSpokeConnector.sol","isPrimacyOfImpact":null},{"id":"5MGYu6BW2PFB7XoDXLiP13","url":"https://etherscan.io/address/0x83096c7455f24E593aaC9A7c73f849d36d3EEb82","type":"smart_contract","addedAt":"2023-02-03T20:18:27.101Z","revision":2,"description":"ArbitrumHubConnector.sol","isPrimacyOfImpact":null},{"id":"2HbkfZXuxHGyEyZU0ChY0F","url":"https://etherscan.io/address/0xae6B9cDE6191b710F5A18D82f751Ba52B78a99DA","type":"smart_contract","addedAt":"2023-02-03T20:18:31.102Z","revision":3,"description":"WormholeHubConnector.sol","isPrimacyOfImpact":null},{"id":"3aPod8ek1kGur4fbF4prKW","url":"https://etherscan.io/address/0xE8cF9EbB1cFB137c692a0a4E470E257B9417d116","type":"smart_contract","addedAt":"2023-02-03T20:18:33.587Z","revision":2,"description":"PolygonHubConnector.sol","isPrimacyOfImpact":null},{"id":"7j7wTDUfR5ZdXgERPeVdcf","url":"https://etherscan.io/address/0x5c2149869146DeA55cDD1
CF2DD828e4e1548bb2A","type":"smart_contract","addedAt":"2023-02-03T20:18:36.536Z","revision":3,"description":"OptimismHubConnector.sol","isPrimacyOfImpact":null},{"id":"7g4Jb59O9MYDQw5W7IfIww","url":"https://etherscan.io/address/0xF1c78967584D5E0ffF66dA103b8eb06c82EC020d","type":"smart_contract","addedAt":"2023-02-03T20:18:39.217Z","revision":2,"description":"GnosisHubConnector.sol","isPrimacyOfImpact":null},{"id":"3Yw2xpc403Hh4fVUf5zNsZ","url":"https://etherscan.io/address/0x56Ab287e5c33Ee70158c951f34818bd095446255","type":"smart_contract","addedAt":"2023-12-22T15:31:51.033Z","revision":1,"description":"LineaHubConnector.sol","isPrimacyOfImpact":null},{"id":"3LryFoamHi5YjsJwLcc5Ll","url":"https://etherscan.io/address/0x2d4C375Bc12292A339524fbcBa35D2a9F27f6C93","type":"smart_contract","addedAt":"2023-12-22T15:31:48.765Z","revision":1,"description":"BaseHubConnector.sol","isPrimacyOfImpact":null},{"id":"649dOCMz9qFqaLOsgSghOv","url":"https://etherscan.io/address/0x523AB7424AD126809b1d7A134eb6E0ee414C9B3A","type":"smart_contract","addedAt":"2023-02-03T20:18:42.325Z","revision":2,"description":"RootManager.sol","isPrimacyOfImpact":null},{"id":"sAisJ4pevtwi07x4c6SfM","url":"https://arbiscan.io/address/0xEb12993c0c280782C3Ca4Ad27d690a2CD8507fc6","type":"smart_contract","addedAt":"2023-02-03T20:18:45.652Z","revision":3,"description":"RelayerProxy.sol","isPrimacyOfImpact":null},{"id":"3mLkKXZV3LSZCiVwybRFa5","url":"https://bscscan.com/address/0x3Aa5171f747591Ae8914acE179f23187B534D7b1","type":"smart_contract","addedAt":"2023-02-03T20:18:47.101Z","revision":3,"description":"RelayerProxy.sol","isPrimacyOfImpact":null},{"id":"53pRREVF0G9O6MJxHfrZt4","url":"https://polygonscan.com/address/0xAFCE6eAc6CdcEd6a54d367E1271C10d6595aE78C","type":"smart_contract","addedAt":"2023-02-03T20:18:50.011Z","revision":3,"description":"RelayerProxy.sol","isPrimacyOfImpact":null},{"id":"29DZn8FJDFw2IaNBDTOGwZ","url":"https://optimistic.etherscan.io/address/0x4778170Ff14883A8e0dC0313E303dCB6B4dA
D493","type":"smart_contract","addedAt":"2023-02-03T20:18:52.257Z","revision":3,"description":"RelayerProxy.sol","isPrimacyOfImpact":null},{"id":"5RGP2cCiUal0S91REoJtWt","url":"https://gnosisscan.io/address/0xCbd3E4b6e152a80d701c3Db6c212709610BE1835","type":"smart_contract","addedAt":"2023-02-03T20:18:54.802Z","revision":3,"description":"RelayerProxy.sol","isPrimacyOfImpact":null},{"id":"2YKBfM5v1po8K8lgsD2vXo","url":"https://lineascan.build/address/0x1b0e5e507f26F2c14839ABE6831dC36e09C7e41b","type":"smart_contract","addedAt":"2023-12-22T15:31:35.628Z","revision":1,"description":"RelayerProxy.sol","isPrimacyOfImpact":null},{"id":"3MSO2NtQUBCKjyyQTFcKPb","url":"https://basescan.org/address/0x43Add7f520Cc35e5DbF04f5426a03EA8Ca052c98","type":"smart_contract","addedAt":"2023-12-22T15:31:33.376Z","revision":1,"description":"RelayerProxy.sol","isPrimacyOfImpact":null},{"id":"3UPJC1GbO3AAQRSArnkfMf","url":"https://etherscan.io/address/0xB4F8D176466f5F544bAd53737bffAaeA17185c05","type":"smart_contract","addedAt":"2023-02-03T20:18:57.093Z","revision":3,"description":"RelayerProxyHub.sol","isPrimacyOfImpact":null},{"id":"5mzAUxRt7etAnxuWwa39AQ","url":"https://arbiscan.io/address/0x298e43d40CdFa29c80A2cDaf741648b68B03cD0e","type":"smart_contract","addedAt":"2023-02-03T20:18:59.312Z","revision":2,"description":"WatcherManager.sol","isPrimacyOfImpact":null},{"id":"7j3ZngVNOD2SFJeVF8jdVm","url":"https://bscscan.com/address/0x5543EAFD20e25fBBBd66E2c154fF8FF8407e3a57","type":"smart_contract","addedAt":"2023-02-03T20:19:01.391Z","revision":2,"description":"WatcherManager.sol","isPrimacyOfImpact":null},{"id":"3J8tdDbdBbyt8zPOFNT3Vt","url":"https://polygonscan.com/address/0xa448365fe1Eb7bf09172860Eecc7A9EDaCCabEb4","type":"smart_contract","addedAt":"2023-02-03T20:19:04.399Z","revision":2,"description":"WatcherManager.sol","isPrimacyOfImpact":null},{"id":"42kqg0uFioQj5XmwEv9JFV","url":"https://optimistic.etherscan.io/address/0x9fc0124db7F203EBECd44d77548c35e17d7822b2","type":"smart_con
tract","addedAt":"2023-02-03T20:19:06.841Z","revision":2,"description":"WatcherManager.sol","isPrimacyOfImpact":null},{"id":"44XDCu54sK6Fabt7pbXK4i","url":"https://gnosisscan.io/address/0xeC345E9be52f0Fca8aAd6aec3254Ed86151b060d","type":"smart_contract","addedAt":"2023-02-03T20:19:09.552Z","revision":2,"description":"WatcherManager.sol","isPrimacyOfImpact":null},{"id":"3eNaKaO5hkkpWRQ2TWB3wn","url":"https://etherscan.io/address/0x79e6E0242405A66B2dd8B96DEd3b2F0216Fd417d","type":"smart_contract","addedAt":"2023-02-03T20:19:11.900Z","revision":2,"description":"WatcherManager.sol","isPrimacyOfImpact":null},{"id":"2q2WinFyCM5JKiPyQxIss1","url":"https://lineascan.build/address/0x51E6cAB281aAC8e4d984ccfFf4ECe5b7352b0B5c","type":"smart_contract","addedAt":"2023-12-22T15:31:16.665Z","revision":1,"description":"WatcherManager.sol","isPrimacyOfImpact":null},{"id":"747H4MUxb0QLsGfYBoqblO","url":"https://basescan.org/address/0xaFb88881e53589f5E6eb1cc27E9207cC7f03023F","type":"smart_contract","addedAt":"2023-12-22T15:31:14.717Z","revision":1,"description":"WatcherManager.sol","isPrimacyOfImpact":null},{"id":"4tI1liAWGQd9HH8Eytuai8","url":"https://arbiscan.io/address/0x8533004Ecb90151cD821dc2Fafb78797d8fdd085","type":"smart_contract","addedAt":"2023-02-03T20:19:14.105Z","revision":1,"description":"MerkleTreeManager.sol","isPrimacyOfImpact":null},{"id":"6QREXwcBgKocLYvJmY5QsS","url":"https://bscscan.com/address/0x995dfd686f4953B059355Df769cc4CE672983aF1","type":"smart_contract","addedAt":"2023-02-03T20:19:17.171Z","revision":1,"description":"MerkleTreeManager.sol","isPrimacyOfImpact":null},{"id":"717wPyLW3J3a4jRwmahlwb","url":"https://polygonscan.com/address/0x73B1d7aE726919Dd4B6f50d7c3EBF3660F253f82","type":"smart_contract","addedAt":"2023-02-03T20:19:19.730Z","revision":1,"description":"MerkleTreeManager.sol","isPrimacyOfImpact":null},{"id":"2VJAXoTFArND8IgO5A8qeI","url":"https://optimistic.etherscan.io/address/0x88483b3e3b4dd7cedb8efcef81f6dc9adb6292d5","type":"smart_contract",
"addedAt":"2023-02-03T20:19:21.853Z","revision":1,"description":"MerkleTreeManager.sol","isPrimacyOfImpact":null},{"id":"6BgthqXNV4bF3ulYN4tQWi","url":"https://gnosisscan.io/address/0x32155c9d39084f040ba17890fe8134dbe2a0453f","type":"smart_contract","addedAt":"2023-02-03T20:19:24.685Z","revision":1,"description":"MerkleTreeManager.sol","isPrimacyOfImpact":null},{"id":"4F5IaMdsZM6IU57ozdD4g0","url":"https://etherscan.io/address/0x28a9e7bbed277092e2431f186e1af898962d4e92","type":"smart_contract","addedAt":"2023-02-03T20:19:27.572Z","revision":1,"description":"MerkleTreeManager.sol","isPrimacyOfImpact":null},{"id":"7E4iD4CrlQi5lBjpI7Db74","url":"https://lineascan.build/address/0xA3E91AeFAdEcb8919180F581f5Be897c763be593#code","type":"smart_contract","addedAt":"2023-12-22T15:31:09.010Z","revision":1,"description":"MerkleTreeManager.sol","isPrimacyOfImpact":null},{"id":"4hG39LpsceWBRY8ko3A1Vl","url":"https://basescan.org/address/0xEc2140EB4A23e36ff676E18626A8652Ea2be47FB","type":"smart_contract","addedAt":"2023-12-22T15:31:07.216Z","revision":1,"description":"MerkleTreeManager.sol","isPrimacyOfImpact":null},{"id":"7tP5BwqfNSWgTA6kzaToOG","url":"https://arbiscan.io/address/0x1aC32215b08806A5Bc5271D7FD77919C3C8ca84E","type":"smart_contract","addedAt":"2023-02-03T20:19:29.905Z","revision":1,"description":"UpgradeBeaconController.sol","isPrimacyOfImpact":null},{"id":"7ixJjsTCYJoskgwG8fQkJq","url":"https://bscscan.com/address/0x8d5A6BE033d6Aec504F87c8be946aE9B6b1f2dD7","type":"smart_contract","addedAt":"2023-02-03T20:19:32.242Z","revision":1,"description":"UpgradeBeaconController.sol","isPrimacyOfImpact":null},{"id":"4nXBhGjZLK8M79Gyja4rja","url":"https://polygonscan.com/address/0x75bded539f905411a19b2e9f8c7b21c25f77a7bb#code","type":"smart_contract","addedAt":"2023-02-03T20:19:35.018Z","revision":1,"description":"UpgradeBeaconController.sol","isPrimacyOfImpact":null},{"id":"42v7UKhjL3JBKQ4QrFpaoJ","url":"https://optimistic.etherscan.io/address/0xa28DE94d2e6F84659c2C32dF14334D
aa08DD6461","type":"smart_contract","addedAt":"2023-02-03T20:19:37.608Z","revision":1,"description":"UpgradeBeaconController.sol","isPrimacyOfImpact":null},{"id":"wfKnT2AjSWJKUO0tSFtJV","url":"https://gnosisscan.io/address/0x0f219898699b3f8008d9f05fac10bd08d4d6c65d","type":"smart_contract","addedAt":"2023-02-03T20:19:40.715Z","revision":1,"description":"UpgradeBeaconController.sol","isPrimacyOfImpact":null},{"id":"5uR3mahdPRgwKaEfIb297D","url":"https://etherscan.io/address/0x9283c1fb0d69a737b766ef1c15833358e01ac620","type":"smart_contract","addedAt":"2023-02-03T20:19:43.373Z","revision":1,"description":"UpgradeBeaconController.sol","isPrimacyOfImpact":null},{"id":"1kDG1dCkCfHbQQ6GXGC3uJ","url":"https://lineascan.build/address/0xDFa5FAfac70a610E4224B85b7FC4764a0b90d2eA","type":"smart_contract","addedAt":"2023-12-22T15:31:01.764Z","revision":1,"description":"UpgradeBeaconController","isPrimacyOfImpact":null},{"id":"5MbQYnzSotz7kFKKcHIjFu","url":"https://basescan.org/address/0x69Dd4385EdC7BDBe221159278981dD81ff792247","type":"smart_contract","addedAt":"2023-12-22T15:30:59.836Z","revision":1,"description":"UpgradeBeaconController","isPrimacyOfImpact":null},{"id":"18SnXEXwIzwvwz5vfF8ir9","url":"https://arbiscan.io/address/0xF659A7b83Fd9f69B52F4BCF9389991515acf4Fd0","type":"smart_contract","addedAt":"2023-02-03T20:19:46.133Z","revision":1,"description":"LPToken.sol","isPrimacyOfImpact":null},{"id":"45tbxEFvWPDh833wzd9vxb","url":"https://bscscan.com/address/0x9cb50C61DFf68fcEe18Fe3AfeFbbF086778a53c0","type":"smart_contract","addedAt":"2023-02-03T20:19:48.816Z","revision":1,"description":"LPToken.sol","isPrimacyOfImpact":null},{"id":"5ymSjQarMGZhJFbfErS2gV","url":"https://polygonscan.com/address/0x0c2a20338910ac902e109a939e58fd17b0402905","type":"smart_contract","addedAt":"2023-02-03T20:19:52.702Z","revision":1,"description":"LPToken.sol","isPrimacyOfImpact":null},{"id":"74mQuAgYXbCpwiuFw3AmuD","url":"https://optimistic.etherscan.io/address/0x60dcBC3BB9EAc7264A2D279f790969C
cDE61F4CF","type":"smart_contract","addedAt":"2023-02-03T20:19:55.340Z","revision":1,"description":"LPToken.sol","isPrimacyOfImpact":null},{"id":"2OZLAmhMKUOvLugmdTmbMy","url":"https://gnosisscan.io/address/0x7a76e7874f3c2222352386e9a2fc8922c2f3032b","type":"smart_contract","addedAt":"2023-02-03T20:19:57.848Z","revision":1,"description":"LPToken.sol","isPrimacyOfImpact":null},{"id":"4CeOutHSNVTekoVFozBJtX","url":"https://etherscan.io/address/0xf7DE5aCeEeE6091d1103209C337fA00D0B4b9092","type":"smart_contract","addedAt":"2023-02-03T20:20:00.433Z","revision":1,"description":"LPToken.sol","isPrimacyOfImpact":null},{"id":"2K2Ifer3GIJjawF5N616fL","url":"https://lineascan.build/address/0x20098c6d481225fF5D9b2ca84cF68FC683e21031","type":"smart_contract","addedAt":"2023-12-22T15:30:53.429Z","revision":1,"description":"LPToken.sol","isPrimacyOfImpact":null},{"id":"3WGs1CGRkqgp5Pb2I8V0lg","url":"https://basescan.org/address/0x0296da2Ce82eb3B98eB05925bC5777C7dA0d0F09","type":"smart_contract","addedAt":"2023-12-22T15:30:51.537Z","revision":1,"description":"LPToken.sol","isPrimacyOfImpact":null}],"assetsBodyV2":"All open-source smart contracts of Connext can be found at [https://github.com/connext/monorepo/tree/main/packages/deployments/contracts/contracts](https://github.com/connext/monorepo/tree/main/packages/deployments/contracts/contracts), with recent deployments in the `deployments` directory. For similar contracts (multiple instances on different chains), bugs will not be counted more than once. 
One bug that exists in all contracts will be counted as a single bug.\n\nIf a High or Critical impact can be caused to any other asset managed by Connext that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","BSC","Base","ETH","Gnosis","Linea","Metis","Mode","Optimism","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-12-21T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1bzzh4XoaNOkOzFZTqff24/6a60319ea667ba1d02a52e0fe386fce6/Connext_logo.png","maxBounty":50000,"outOfScopeAndRules":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n  - Attacks that the reporter has already exploited themselves, leading to damage\n  - Attacks requiring access to leaked keys/credentials\n  - Attacks requiring access to privileged addresses (governance, strategist)\n  - Attacks that could be mitigated with cooperation of other protocols\n\n__Smart Contracts and Blockchain__\n\n  - Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n  - Basic economic governance attacks (e.g. 
51% attack)\n  - Lack of liquidity\n  - Best practice critiques\n  - Sybil attacks\n  - Centralization risks\n\nThe following activities are prohibited by this bug bounty program:\n\n  - Any testing with mainnet or public testnet contracts; all testing should be done on private testnets\n  - Any testing with pricing oracles or third party smart contracts\n  - Attempting phishing or other social engineering attacks against our employees and/or customers\n  - Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n  - Any denial of service attacks\n  - Automated testing of services that generates significant amounts of traffic\n  - Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces\n  - All smart contract 
vulnerabilities\n  - Double-spends from faulty off-chain logic\n  - Creating fraudulent slashing conditions","productType":["Bridge","DEX","L2","Liquid Staking"],"programOverview":"Connext is a modular protocol for securely passing funds and data between chains. Developers can use Connext to build crosschain apps (__xApps__) - applications that interact with multiple domains (blockchains and/or rollups) simultaneously.\n\nFor more information about Connext, please visit [https://connext.network/](https://connext.network/).  \n\nThis bug bounty program focuses on their smart contracts, with the aim of preventing:\n\n  - Thefts and freezing of user funds\n  - Thefts and freezing of liquidity on the contract\n  - Network shutdown\n  - Abuse of auction process\n  - Abuse of AMM pricing\n  - Abuse of system to create fraudulent slashing conditions","programType":["Smart Contract"],"project":"Connext","projectType":["Defi","Exchange"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll Critical smart contract bug reports must come with a detailed written explanation in order to be considered for a reward. \n\nRewards for valid bug reports are paid at the dollar amount displayed in the rewards table or __10%__ of the USD value at risk, whichever of the two is less. 
\n\nVulnerabilities marked in the following audits are not eligible for a reward.\n  - [Consensys Diligence Audit ](https://consensys.net/diligence/audits/private/rrcm4t83gvyj6a/)\n  - [https://github.com/connext/audits](https://github.com/connext/audits)\n  - [https://github.com/everclearorg/audits](https://github.com/everclearorg/audits)\n\nPayouts are handled by the __Connext__ team directly and are denominated in USD. However, payouts are done in __USDC__, __USDT__, __DAI__, with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, USDT, DAI","slug":"connext","tenPercentEconomicRule":false,"updatedDate":"2025-11-11T23:11:20.953Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Connext is a modular protocol for securely passing funds and data between chains. Developers can use Connext to build crosschain apps (__xApps__) - applications that interact with multiple domains (blockchains and/or rollups) simultaneously.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":1500,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":1501,"type":"smart_contract","severity":"critical","title":"Miner-extractable value 
(MEV)"}],"rewards":[{"id":37910,"severity":"critical","assetType":"smart_contract","maxReward":50000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":37911,"severity":"high","assetType":"smart_contract","maxReward":25000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"5PoSo8DMwYptZ41w7ykPzg","url":"https://github.com/bifrost-io/bifrost/tree/develop/pallets/slpx","type":"blockchain_dlt","addedAt":"2022-06-29T03:00:00.000Z","revision":2,"description":"Bifrost","isPrimacyOfImpact":null},{"id":"3akNiUsOvUT5JIzxhmqmZ5","url":"https://github.com/bifrost-io/bifrost/tree/develop/pallets/vtoken-minting","type":"blockchain_dlt","addedAt":"2022-06-29T03:00:00.000Z","revision":2,"description":"Bifrost","isPrimacyOfImpact":null},{"id":"3DFODIaCq6KO2RMoNnUF8v","url":"https://github.com/bifrost-io/bifrost/tree/develop/pallets/stable-pool","type":"blockchain_dlt","addedAt":"2022-06-29T03:00:00.000Z","revision":2,"description":"Bifrost","isPrimacyOfImpact":null},{"id":"7CyW6BDbRITtYEr4nVhoY0","url":"https://github.com/bifrost-io/bifrost/tree/develop/pallets/leverage-staking","type":"blockchain_dlt","addedAt":"2022-06-29T03:00:00.000Z","revision":3,"description":"Bifrost","isPrimacyOfImpact":null},{"id":"6zgVAxyG87FvEv2aE4gqEy","url":"https://app.bifrost.io","type":"websites_and_applications","addedAt":"2025-07-23T06:54:08.178Z","revision":1,"description":"Web/App Main Web App","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty 
program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Polkadot"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust"],"launchDate":"2022-06-29T03:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1tNOIPGrvNlWWhK1FBWj8w/c7bc0dad9e9b986ff06d577092790508/Bifrost_logo.jpeg","maxBounty":500000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"Polkadot","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Crosschain Liquidity","Lending","Staking"],"programOverview":"Bifrost is a Liquid Staking app-chain tailored for all blockchains, utilizing decentralized cross-chain interoperability to empower users to earn staking rewards and DeFi yields with flexibility, liquidity, and high security across multiple chains.\n\nFor more information about Bifrost, please visit https://bifrost.io","programType":["Blockchain/DLT","Websites and Applications"],"project":"Bifrost","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3). This is a simplified 4-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. 
Explanations and statements are not accepted as PoC and code is required.\n\nPayouts are handled by the __Bifrost Finance__ team directly and are denominated in USD. However, payouts are done in __BNC__.\n\n__Reward Calculation for Critical Level Reports__\n\nReward amount is 10% of the funds directly affected, capped at the maximum critical reward of: $500,000\n\nFor critical Blockchain/DLT bugs, the reward is dependent on the ratio between the funds at risk, which includes all affected projects on top of the respective blockchain/DLT, and the market cap according to the average between CoinMarketCap.com and CoinGecko.com, calculated at the time the bug report is submitted.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"BNC","slug":"bifrostfinance","tenPercentEconomicRule":false,"updatedDate":"2025-11-11T12:17:49.083Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Bifrost is a Liquid Staking app-chain tailored for all blockchains, utilizing decentralized cross-chain interoperability to empower users to earn staking rewards and DeFi yields with flexibility, liquidity, and high security across multiple chains.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":2863,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":8,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting programs with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct 
risk"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":2864,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":2869,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) w/o already-connected wallet interaction and w/ up to one click of user interaction, such as changing the first/last name of user, or enabling/disabling notifications"},{"id":2870,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":2873,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, 
etc."},{"id":5631,"type":"blockchain_dlt","severity":"critical","title":"Direct fund losses caused by additional issuance of vTokens (e.g., vDOT, vKSM)"},{"id":5632,"type":"blockchain_dlt","severity":"high","title":"Direct fund losses caused by non-vToken additional issuance"},{"id":5661,"type":"blockchain_dlt","severity":"high","title":"Network not being able to confirm new transactions (Total network shutdown)"},{"id":5662,"type":"blockchain_dlt","severity":"high","title":"Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)"},{"id":5663,"type":"blockchain_dlt","severity":"high","title":"Permanent freezing of funds (fix requires hardfork)"}],"rewards":[{"id":37896,"severity":"critical","assetType":"blockchain_dlt","maxReward":500000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":37897,"severity":"high","assetType":"blockchain_dlt","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":37898,"severity":"medium","assetType":"blockchain_dlt","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":37899,"severity":"critical","assetType":"websites_and_applications","maxReward":5000,"minReward":2000,"rewardModel":"range","otherImpactMaxReward":0},{"id":37900,"severity":"high","assetType":"websites_and_applications","maxReward":2000,"minReward":1000,"rewardModel":"range"},{"id":37901,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1AvnTSvbtUxxvYcp9OfsJr","url":"https://etherscan.io/address/0x4d73adb72bc3dd368966edd0f0b2148401a178e2#code","type":"smart_contract","addedAt":"2023-05-17T17:00:00.000Z","revision":1,"description":"UltraLightNodeV2.sol","isPrimacyOfImpact":null},{"id":"3jRvKowncWDepaN7o3VSLK","url":"https://etherscan.io/address/0x07245eEa05826F5984c7c3C8F478b04892e4df89","type":"smart_contract","addedAt":"2023-05-17T17:00:00.000Z","revision":1,"description":"FPValidator.sol","isPrimacyOfImp
act":null},{"id":"6Itr1QUL53zDVYAvPk96O4","url":"https://etherscan.io/address/0x66A71Dcef29A0fFBDBE3c6a460a3B5BC225Cd675#code","type":"smart_contract","addedAt":"2023-05-17T17:00:00.000Z","revision":2,"description":"Endpoint (EVM)","isPrimacyOfImpact":null},{"id":"7hELKX2uQQzAMjvmsbie4T","url":"https://aptoscan.com/account/0x54ad3d30af77b60d939ae356e6606de9a4da67583f02b962d2d3f2e481484e90","type":"smart_contract","addedAt":"2024-10-29T17:50:35.573Z","revision":1,"description":"Endpoint (Aptos)","isPrimacyOfImpact":null},{"id":"7FeS0awcjrIfyzba238uEv","url":"https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts/token/oft/v1/OFT.sol","type":"smart_contract","addedAt":"2023-05-17T17:00:00.000Z","revision":3,"description":"OFT (EVM)","isPrimacyOfImpact":null},{"id":"16ifjbsTu7mBK21fEUgze7","url":"https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts/token/oft/v2/OFTV2.sol","type":"smart_contract","addedAt":"2023-05-17T17:00:00.000Z","revision":2,"description":"OFTv1.2 (EVM)","isPrimacyOfImpact":null},{"id":"53l6TK3bLcSHYiovX9S7sB","url":"https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts/token/onft721/ONFT721.sol","type":"smart_contract","addedAt":"2023-05-17T17:00:00.000Z","revision":3,"description":"ONFT721 (EVM)","isPrimacyOfImpact":null},{"id":"6x2Vg1PG1pkdiij36fU1E","url":"https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts/token/onft1155/ONFT1155.sol","type":"smart_contract","addedAt":"2023-05-17T17:00:00.000Z","revision":3,"description":"ONFT1155 (EVM)","isPrimacyOfImpact":null},{"id":"39mhMVaavajninZUnYIsWt","url":"https://etherscan.io/address/0x1a44076050125825900e736c501f859c50fe728c#code","type":"smart_contract","addedAt":"2024-02-13T14:18:59.415Z","revision":3,"description":"EndpointV2 
(EVM)","isPrimacyOfImpact":null},{"id":"4qHzyZk8pdkDrHnXabgZOA","url":"https://etherscan.io/address/0xD231084BfB234C107D3eE2b22F97F3346fDAF705#code","type":"smart_contract","addedAt":"2024-02-13T14:18:56.439Z","revision":2,"description":"SendULN301 (EVM)","isPrimacyOfImpact":null},{"id":"5NL1BFF6ZBHCKCwWENtxsf","url":"https://etherscan.io/address/0x245b6e8ffe9ea5fc301e32d16f66bd4c2123eefc#code","type":"smart_contract","addedAt":"2024-02-13T14:18:54.282Z","revision":2,"description":"ReceiveULN301 (EVM)","isPrimacyOfImpact":null},{"id":"73gh3Q3hRSDfgDW3V6LSsv","url":"https://etherscan.io/address/0xbb2ea70c9e858123480642cf96acbcce1372dce1#code","type":"smart_contract","addedAt":"2024-02-13T14:18:51.689Z","revision":4,"description":"SendULN302 (EVM)","isPrimacyOfImpact":null},{"id":"4dhDu7eD44fZOPAUuiJT8B","url":"https://explorer.solana.com/address/6doghB248px58JSSwG4qejQ46kFMW4AMj7vzJnWZHNZn","type":"smart_contract","addedAt":"2024-10-29T17:58:09.748Z","revision":1,"description":"SendULN302 (Solana)","isPrimacyOfImpact":null},{"id":"7wsMXOnjGGFwLAwT2eaT93","url":"https://etherscan.io/address/0xc02ab410f0734efa3f14628780e6e695156024c2#code","type":"smart_contract","addedAt":"2024-02-13T14:18:49.342Z","revision":2,"description":"ReceiveULN302 (EVM)","isPrimacyOfImpact":null},{"id":"5wKvMXcRSj44t16OphKoPB","url":"https://explorer.solana.com/address/7a4WjyR8VZ7yZz5XJAKm39BUGn5iT9CKcv2pmG9tdXVH","type":"smart_contract","addedAt":"2024-10-29T17:59:29.233Z","revision":1,"description":"ReceiveULN302 (Solana)","isPrimacyOfImpact":null},{"id":"67VGceeWmaO3RcsGxclNMq","url":"https://etherscan.io/address/0x589dedbd617e0cbcb916a9223f4d1300c294236b#code","type":"smart_contract","addedAt":"2024-02-13T14:18:47.416Z","revision":2,"description":"DVN 
(EVM)","isPrimacyOfImpact":null},{"id":"3lZ2f8YqtQwEe5ds0xRQVu","url":"https://explorer.solana.com/address/76y77prsiCMvXMjuoZ5VRrhG5qYBrUMYTE5WgHqgjEn6","type":"smart_contract","addedAt":"2024-10-29T17:53:30.105Z","revision":1,"description":"EndpointV2 (Solana)","isPrimacyOfImpact":null},{"id":"MFubTqaCBhTMChd0CGl4l","url":"https://explorer.solana.com/address/4VDjp6XQaxoZf5RGwiPU9NR1EXSZn2TP4ATMmiSzLfhb","type":"smart_contract","addedAt":"2024-10-29T18:00:29.218Z","revision":1,"description":"DVN (Solana)","isPrimacyOfImpact":null},{"id":"5fPFIFy9loK7maViGCvECQ","url":"https://github.com/LayerZero-Labs/devtools/tree/main/packages/oapp-evm/contracts/oapp","type":"smart_contract","addedAt":"2024-10-29T18:00:56.043Z","revision":1,"description":"OApp (EVM)","isPrimacyOfImpact":null},{"id":"7uML0p7A3oVKrzVhZjVfFc","url":"https://github.com/LayerZero-Labs/devtools/tree/main/packages/oft-evm/contracts","type":"smart_contract","addedAt":"2024-10-29T18:01:14.662Z","revision":1,"description":"OFT (EVM)","isPrimacyOfImpact":null},{"id":"5uOaRHMVp3PJ8pZLkYelXc","url":"https://github.com/LayerZero-Labs/devtools/tree/main/examples/oft-solana","type":"smart_contract","addedAt":"2024-10-29T18:01:32.797Z","revision":1,"description":"OFT (Solana)","isPrimacyOfImpact":null},{"id":"2vw89vfXrWz6hlzx22YokT","url":"https://tonviewer.com/0:1eb2bbea3d8c0d42ff7fd60f0264c866c934bbff727526ca759e7374cae0c166","type":"smart_contract","addedAt":"2025-02-12T08:46:05.702Z","revision":1,"description":"Controller (TON)","isPrimacyOfImpact":null},{"id":"4efqenGLEmbiVxNEVM0xXC","url":"https://tonviewer.com/0:150645746e25be5486eb3b2f5d98b44c6b324697c48d495d059f96fc9d3ec368","type":"smart_contract","addedAt":"2025-02-12T08:47:25.348Z","revision":1,"description":"ULNManager 
(TON)","isPrimacyOfImpact":null},{"id":"4KLM0tcNJ1RN2voy642jCE","url":"https://tonviewer.com/0:0d122dec4ec8bd66c68344faf0dd471d727a7d57a21b62051705bbe2e4c272a7","type":"smart_contract","addedAt":"2025-02-12T08:47:46.149Z","revision":1,"description":"DVNProxy (TON)","isPrimacyOfImpact":null},{"id":"6dHbnS8CIh77iim2v7SzrO","url":"https://immunefi.com","type":"smart_contract","addedAt":"2025-11-11T09:37:09.759Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"All smart contracts of LayerZero can be found at [https://github.com/LayerZero-Labs.](https://github.com/LayerZero-Labs) However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nImpacts found in contracts which are deployed to multiple chains will be treated as one singular issue.\n\nDocumentation and instruction for PoC can be found here:\n- GitHub README:[ https://github.com/LayerZero-Labs/LayerZero](https://github.com/LayerZero-Labs/LayerZero)\n- Gitbook: [https://layerzero.gitbook.io/docs/](https://layerzero.gitbook.io/docs/)\n- V2 Docs: [https://docs.layerzero.network](https://docs.layerzero.network)\n\nIf an impact can be caused to any other asset managed by LayerZero that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. 
The vulnerability will then be evaluated by LayerZero Labs in good faith to determine where it would lie on the vulnerability scale.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Astar zkEVM","Aurora","Avalanche","BSC","Base","Blast","Canto","Celo","Conflux","DOS","ETH","Fantom","Fraxtal","Fuse","Gnosis","Harmony","Horizen EON","Injective","Kava","Linea","Manta","Mantle","Merit Circle","Metis","Mode","Moonbeam","Moonriver","Optimism","Orderly","Polygon","Polygon zkEVM","Scroll","ShimmerEVM","Telos","Tenet","Viction","XPLA","Xai","Zora","opBNB","Aptos","Cronos","Rootstock","Sei","TON"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Expert Assessment","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-05-17T17:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3UXQcPOIAaOkE2QBCasSKa/14893bedf55bdb191e4cf99a67203e85/LayerZero_logo.jpeg","maxBounty":15000000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Bridge","Crosschain Liquidity"],"programOverview":"LayerZero is an omnichain interoperability protocol that allows developers to seamlessly interact with contracts across dozens of blockchains. 
\n\nFor more information about LayerZero, please visit [https://layerzero.network/](https://layerzero.network/).\n\n__Primacy of Impact vs Primacy of Rules__\n\nLayerzero adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract - Critical\n- Smart Contract - High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact).\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact. All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.","programType":["Smart Contract"],"project":"LayerZero","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the  [Immunefi Vulnerability Severity Classification System V2.2. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/)This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nV1 Smart Contract rewards are classified by Group 1 and Group 2. Group 1 consists of: Ethereum, BNB Chain, Avalanche, Polygon, Arbitrum, Optimism, Fantom. Group 2 consists of all other chains. 
Group 1 rewards are notated in the rewards table by the higher ranges listed by severity level, while Group 2 rewards are notated by the lower ranges listed by severity level. \n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. Bug reports are required to include a runnable PoC in order to prove impact. Exceptions may be made in cases where the vulnerability is objectively evident from simply mentioning the vulnerability and where it exists. However, the bug reporter may be required to provide a PoC at any point in time.\n\nAll vulnerabilities marked in the [https://github.com/LayerZero-Labs/Audits ](https://github.com/LayerZero-Labs/Audits) are not eligible for a reward.\n\nAll Impacts for OFT and [ONFT](https://github.com/LayerZero-Labs/solidity-examples/tree/main/contracts/token/onft) related contracts will be treated as low severity classifications and respective rewards. \n\nCritical V1 smart contract vulnerability payouts for Group 1 are a minimum of __USD $250,000__, or 10% of the value at risk at the time of report submission, with a hard cap of __USD $15,000,000__, whichever is larger. Value at risk should be calculated primarily (though not exclusively) based on concrete and demonstrable funds at risk. Any supplementary reward beyond the minimum USD $250,000 or 10% of value at risk is at the discretion of the team.\n\nCritical V1 smart contract vulnerability payouts for Group 2 are a minimum of __USD $25,000__, or 10% of the value at risk at the time of report submission, with a hard cap of __USD $1,500,000__, whichever is larger. Value at risk should be calculated primarily (though not exclusively) based on concrete and demonstrable funds at risk. 
Any supplementary reward beyond the minimum USD $25,000 or 10% of value at risk is at the discretion of the team.\n\nCritical V2 smart contract vulnerability payouts are a minimum of __USD $100,000__, or __10%__ of the value at risk at the time of report submission, with a hard cap of __$2,000,000__, whichever is larger. Value at risk should be calculated primarily (though not exclusively) based on concrete and demonstrable funds at risk. Any supplementary reward beyond the minimum __USD $100,000__ or __10%__ of value at risk is at the discretion of the team.\n\nAll non-critical rewards for the project bug bounty program are scaled based on an internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in-place. Rewards will be provided at the determined fair value by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program.\n\nLayerZero requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed are: \n- Invoice is required with Name, Address, and Payment Instructions\n- Proof of address (either a redacted bank statement with your address or a recent utility bill with your name, address, and issuer of the bill)\n- Copy of your passport or other Government ID will be required\n- Bounty hunters must pass OFAC Screening. Rewards cannot be paid out if hunters are on the OFAC SDN list \n\nThe collection of this information will be done by the project team.\n\nPayouts are handled by __LayerZero Labs__  directly and are denominated in USD. 
However, payouts are done in __Fiat USD via wire transfer, or USDC, USDT and BUSD__, with the choice of ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, USDT and BUSD","slug":"layerzero","updatedDate":"2025-11-11T09:44:54.638Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":null,"description":"LayerZero is an omnichain interoperability protocol that allows developers to seamlessly interact with contracts across dozens of blockchains. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Sybil attacks\n- Impacts to OApps themselves as a result of their own misconfiguration (including but not limited to eg. configuring bad libraries, verifier networks, executors…).\n- DoS of LayerZero infrastructure is not eligible for bug bounty rewards\n- Reports regarding bugs that LayerZero Labs was previously aware of are not eligible for a reward\n- Dependencies & Third Party Code\n- Temporary impacts resulting from configuration adjustment race-conditions","customProhibitedActivities":[],"impacts":[{"id":4079,"type":"smart_contract","severity":"low","title":"All above impacts for OApp, OFT & ONFT related contracts"},{"id":4080,"type":"smart_contract","severity":"high","title":"Any governance voting result manipulation"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":4081,"type":"smart_contract","severity":"critical","title":"Exploits resulting in the permanent locking or theft of user funds"},{"id":4082,"type":"smart_contract","severity":"critical","title":"Permanent DoS attacks (excluding volumetric attacks)"}],"rewards":[{"id":37886,"severity":"critical","assetType":"smart_contract","maxReward":15000000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":37887,"severity":"high","assetType":"smart_contract","maxReward":250000,"rewardModel":"up_to"},{"id":37888,"severity":"medium","assetType":"smart_contract","maxReward":25000,"rewardModel":"up_to"},{"id":37889,"severity":"low","assetType":"smart_contract","maxReward":10000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"6UjSAYUSIZI99NDCddVRZe","url":"https://etherscan.io/address/0x3E368B6C95c6fEfB7A16dCc0D756389F3c658a06","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"FeeLibV1ETH","isPrimacyOfImpact":null},{"id":"21pbi36gz1fNOHnvCTGuhj","url":"https://etherscan.io/address/0x52B35406CB2FB5e0038EdEcFc129A152a1f74087","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"FeeLibV1USDC","isPrimacyOfImpact":null},{"id":"4VGH7W1a1ZWdulIKy9hZYW","url":"https://etherscan.io/address/0xe171AFcd1E0394b3312e68ca823D5BC87F3Db311","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"FeeLibV1USDT","isPrimacyOfImpact":null},{"id":"5ZzA3qAkCUgfbBgL2IOQsM","url":"https://etherscan.io/address/0x6Dd69717B1194B81A92105B7e0F94cb40f68A3e3","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"FeeLibV1METIS","isPrimacyOfImpact":null},{"id":"4MeAKLQ7S0HAniCgzrlOyW","url":"https://etherscan.io/address/0x6D5521F46b2cba9443feFC09cBaC3B15AE0F73eB","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"FeeLibV1mETH","isPrimacyOfIm
pact":null},{"id":"Pe9YFl3PBTZPXzLzX86Nk","url":"https://etherscan.io/address/0x5871A7f88b0f3F5143Bf599Fd45F8C0Dc237E881","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"StargateMultiRewarder","isPrimacyOfImpact":null},{"id":"3fYTGSAy73mGE1UTPmSMbR","url":"https://etherscan.io/address/0x77b2043768d28E9C9aB44E1aBfC95944bcE57931","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"StargatePoolNative","isPrimacyOfImpact":null},{"id":"1LU9KtyMSmhyxY44GeMXW8","url":"https://etherscan.io/address/0xc026395860Db2d07ee33e05fE50ed7bD583189C7","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"StargatePoolUSDC","isPrimacyOfImpact":null},{"id":"3aFEUTCnKGFaSdSKat7nkt","url":"https://etherscan.io/address/0x933597a323Eb81cAe705C5bC29985172fd5A3973","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"StargatePoolUSDT","isPrimacyOfImpact":null},{"id":"1AOjIOA13hCqbOSChiOkrh","url":"https://etherscan.io/address/0xcDafB1b2dB43f366E48e6F614b8DCCBFeeFEEcD3","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"StargatePoolMETIS","isPrimacyOfImpact":null},{"id":"3oDZk2hEtqcEpKo3SEDPpl","url":"https://etherscan.io/address/0x268Ca24DAefF1FaC2ed883c598200CcbB79E931D","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"StargatePoolmETH","isPrimacyOfImpact":null},{"id":"7wm5NwFMURhqXbNePIOsFF","url":"https://etherscan.io/address/0xFF551fEDdbeDC0AeE764139cCD9Cb644Bb04A6BD","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"StargateStaking","isPrimacyOfImpact":null},{"id":"6R24eeZ00mv2UqL4Gn2N7S","url":"https://etherscan.io/address/0x6d6620eFa72948C5f68A3C8646d58C00d3f4A980","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"TokenMessaging","isPrimacyOfImpact":null},{"id":"4pMNZufTADKzOo2XDW5pLJ","
url":"https://etherscan.io/address/0x1041D127b2d4BC700F0F563883bC689502606918","type":"smart_contract","addedAt":"2024-09-24T18:00:00.000Z","revision":1,"description":"Treasurer","isPrimacyOfImpact":null},{"id":"1RyVYHXUl91hV20DhYQyyy","url":"https://immunefi.com","type":"smart_contract","addedAt":"2025-11-10T16:00:43.302Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Elite","Managed Triage: Expert Assessment","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-09-24T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7LX3n66MkHEBIYLZtNzQTA/811af3d0f225034e794af65976ba5d19/Stargate_logo.png","maxBounty":10000000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Crosschain Liquidity"],"programOverview":"Stargate is a community-driven organization building the first fully composable native asset bridge, and the first dApp built on LayerZero.\n\nStargate's vision is to make cross-chain liquidity transfer a seamless, single transaction process.\n\nFor more information about Stargate, please visit [https://stargate.finance/](https://stargate.finance/) and [https://stargateprotocol.gitbook.io/stargate](https://stargateprotocol.gitbook.io/stargate).\n\nStargate provides rewards in __USDC__ on __Ethereum__, denominated in __USD__. 
For more details about the payment process, please view the __Rewards by Threat Level__ section.\n\n__KYC Requirement__\n\nStargate will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n- Eligibility Criteria \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nStargate adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract - Critical\n- Smart Contract - High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact). \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nStargate’s completed audit reports can be found at [https://stargateprotocol.gitbook.io/stargate/v2-developer-docs/security/audit](https://stargateprotocol.gitbook.io/stargate/v2-developer-docs/security/audit). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Stargate has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"Stargate","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of __USD 10 000 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of __USD 100 000__ is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 10 000 to USD 100 000 depending on the funds at risk, capped at the maximum high reward.  \n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Stargate Foundation team directly, on behalf of the StargateDAO, and are denominated in __USD__. 
However, payments are done in __USDC__ on __Ethereum__.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"stargate","tenPercentEconomicRule":false,"updatedDate":"2025-11-11T09:38:54.284Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":37867,"severity":"critical","assetType":"smart_contract","maxReward":10000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":37868,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range"},{"id":37869,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1GaekPpcasmQoMvCRus97Q","url":"https://etherscan.io/address/0x7127f0FEaEF8143241A5FaC62aC5b7be02Ef26A9","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"TokenGateway","isPrimacyOfImpact":null},{"id":"2OrnBv1r3TUdgSjatQsa0y","url":"https://basescan.org/address/0xFC1759E75180aeE982DC08D0d6D365ebFA0296a7","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"MarketplaceV2","isPrimacyOfImpact":null},{"id":"2gDyNUJTDBXD7AE7yaIuaR","url":"https://etherscan.io/address/0xFC1759E75180aeE982DC08D0d6D365ebFA0296a7","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"MarketplaceV2","isPrimacyOfImpact":null},{"id":"2xwaWcEoXO4rHsOFdsb1Ni","url":"https://bscscan.com/address/0xFC1759E75180aeE982DC08D0d6D365ebFA0296a7","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"MarketplaceV2","isPrimacyOfImpact":null},{"id":"4D9uoLdS36uSBNxbOmMGEh","url":"https://bscscan.com/address/0x7127f0FEaEF8143241A5FaC62aC5b7be02Ef26A9","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"TokenGate
way","isPrimacyOfImpact":null},{"id":"4qs0volKOzcfr1grBVwCuZ","url":"https://polygonscan.com/address/0xFC1759E75180aeE982DC08D0d6D365ebFA0296a7","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"MarketplaceV2","isPrimacyOfImpact":null},{"id":"5f0JVjhYhqVkfHXMCHJDlR","url":"https://opbnbscan.com/address/0x7127f0FEaEF8143241A5FaC62aC5b7be02Ef26A9","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"TokenGateway","isPrimacyOfImpact":null},{"id":"5s0vRyQmF1uKWLfoQYfsl8","url":"https://eth.xterscan.io/address/0x7127f0FEaEF8143241A5FaC62aC5b7be02Ef26A9","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"TokenGateway","isPrimacyOfImpact":null},{"id":"5ybAvFAbPxtC5zfByaQvgx","url":"https://bnb.xterscan.io/address/0xFC1759E75180aeE982DC08D0d6D365ebFA0296a7","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"MarketplaceV2","isPrimacyOfImpact":null},{"id":"5z3LtZrQSWyJ9cburKJYbl","url":"https://opbnbscan.com/address/0xFC1759E75180aeE982DC08D0d6D365ebFA0296a7","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"MarketplaceV2","isPrimacyOfImpact":null},{"id":"6JpHQvKEFxniJKPioJQz2E","url":"https://bnb.xterscan.io/address/0x7127f0FEaEF8143241A5FaC62aC5b7be02Ef26A9","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"TokenGateway","isPrimacyOfImpact":null},{"id":"72eAq3DUVDhnIEpkxRUEuJ","url":"https://polygonscan.com/address/0x7127f0FEaEF8143241A5FaC62aC5b7be02Ef26A9","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"TokenGateway","isPrimacyOfImpact":null},{"id":"7At0K17vLCloNv57RdXalG","url":"https://immunefi.com","type":"smart_contract","addedAt":"2025-01-28T11:36:10.466Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"7xLkkza8yKparZFxxIZFFb","url":"https://eth.xterscan.io/address/0xFC1759E75180aeE982DC08D0d6D365ebFA0296a7","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"MarketplaceV2","isPrimacyOfImpact":null},{"id":"oL3AFypUJj5ssNlGJ4ikW","url":"https://basescan.org/address/0x7127f0FEaEF8143241A5FaC62aC5b7be02Ef26A9","type":"smart_contract","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"TokenGateway","isPrimacyOfImpact":null},{"id":"oTRHWu6ocWK2B0nIwaaEO","url":"https://app.xter.io/","type":"websites_and_applications","addedAt":"2024-07-08T10:30:00.000Z","revision":2,"description":"Xterio App","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-07-08T10:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2V51mPozlf2ns8PH0fal6o/b329a8cb6021badc1abdaa99fe48f18e/xterio.png","maxBounty":80000,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - medium","smart_contract - critical","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Gaming"],"programOverview":"Established in 2022, Xterio is a Web3 gaming ecosystem & infrastructure, distinguishing itself as a gaming publisher with top-notch development skills and unparalleled distribution expertise. 
Xterio is driven by a bold vision – to reshape entertainment and gaming through the strength of digital collectibles. These non-fungible assets hold the power to redefine how we experience joy. By embracing the limitless potential of digital collectibles, we empower individuals to be not just spectators but active participants, collectors, and creators in dynamic virtual universes.\n\nFor more information about Xterio, please visit [https://xter.io/](https://xter.io/)\n\nXterio provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nXterio will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nXterio adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - Critical \n- Smart Contract - High \n- Web/App - Critical\n- Web/App - High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nPlease note that, regardless of what is displayed in the Rewards table, Medium severity impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- Vulnerable JS Library: The identified library nextjs, version 12.2.0 is vulnerable.\n- RaffleAuctionMinter and DepositRaffleMinter smart contracts use an on-chain randomness generator, which could be leveraged by potential attackers. But we believe the value of the attack is less than the cost.\n- The signature for `WhitelistMinter.mintWithSig` can be used repeatedly. It's a designed feature to allow frontend apps to reuse the signature to lower signature and API calling pressure. The mint limit for each address is carried in the signed array parameter `limits`.\n- The `MarketplaceV2` smart contract does not include chainId in the signature, which is because we currently do not support collections with identical addresses across different chains. 
We will update this together with other features in the future.\n\n\n__Previous Audits__\n\nXterio’s completed audit reports can be found at [https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-Xterio-v1.0.pdf](https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-Xterio-v1.0.pdf) and \n[https://github.com/peckshield/publications/tree/master/audit_reports/PeckShield-Audit-Report-FansCreate-v1.0.pdf](https://github.com/peckshield/publications/tree/master/audit_reports/PeckShield-Audit-Report-FansCreate-v1.0.pdf)\n\nAny unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Xterio has satisfied the requirements for the Immunefi Standard Badge.","programType":["Smart Contract","Websites and Applications"],"project":"Xterio","projectType":["NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/) \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 80 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. 
The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 20 000 to USD 50 000 depending on the funds at risk, capped at the maximum high reward.  \n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nCritical web/app bug reports will be rewarded with USD 5 000, but only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 2 500. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Xterio team directly and are denominated in USD. 
However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"xterio","tenPercentEconomicRule":false,"updatedDate":"2025-11-06T07:38:48.441Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Established in 2022, Xterio is a Web3 gaming ecosystem & infrastructure, distinguishing itself as a gaming publisher with top-notch development skills and unparalleled distribution expertise. Xterio is driven by a bold vision – to reshape entertainment and gaming through the strength of digital collectibles. These non-fungible assets hold the power to redefine how we experience joy.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4972,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4973,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc."},{"id":4974,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:  Email address, Phone number, Physical address, etc."},{"id":4975,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users(including modifying browser local storage) without already-connected wallet interaction & with up to one click of user interaction, such as:Changing the first/last name of user, Enabling/disabling notifications"},{"id":4976,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection, Loading external site data"},{"id":4977,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:/etc/shadow, database passwords, blockchain keys (this does not include non-sensitive 
environment variables, open source code, or usernames)"},{"id":4978,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":4979,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":38,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT URI"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet 
interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"}],"rewards":[{"id":15603,"severity":"critical","assetType":"smart_contract","maxReward":80000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":15604,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":21000,"rewardModel":"range"},{"id":15605,"severity":"medium","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"},{"id":15606,"severity":"critical","assetType":"websites_and_applications","maxReward":5000,"minReward":2500,"rewardModel":"range","otherImpactMaxReward":2500},{"id":15607,"severity":"high","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":15608,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"2KgOb8ZdwJTCTO9MFXLmoS","url":"https://github.com/jito-labs/bam-client","type":"blockchain_dlt","addedAt":"2025-10-22T05:09:00.000Z","revision":1,"description":"BAM Validator Client","isPrimacyOfImpact":null},{"id":"7fRTSAfjjGvjIH6JJhKE5A","url":"https://github.com/jito-labs/bam-protos","type":"blockchain_dlt","addedAt":"2025-10-22T05:09:00.000Z","revision":2,"description":"BAM Proto Definitions","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":["Arbitration","Subscription Plan: 
Essential"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":["Rust"],"launchDate":"2025-10-22T05:09:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/81827-EFKkAPtlzFSCPCHnExIME-ihtNok5k80uzmjBTSBiC4lDFtE3Zif.png","maxBounty":100000,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low"],"primaryPaymentWallet":"Solana","prioritizedVulnerabilities":"_blank_","productType":["Validator"],"programOverview":"For more information about the Jito - BAM Client, please visit https://bam.dev.\n\nAny Bug Bounty relating to the BAM client will be provided in JTO, denominated in USD and pursuant to payment terms below.\n\nFor more details about the payment process, please view the Rewards by Threat Level section.\n\n__BAM Client__\n\nThe BAM Client extends the Jito-Solana client to interface with external schedulers (BAM Nodes) that run inside Trusted Execution Environments (TEEs) via gRPC, receiving pre-sequenced transaction bundles and executing them in FIFO order with respect to account locks. This design maintains network security while enabling sophisticated transaction ordering strategies.\n\nThe validator client supports traditional Solana transactions as well as Jito Bundles on Solana. 
You can download the validator client [here](https://github.com/jito-labs/bam-client) and pass the closest BAM Node URL on the command line.\n\nThe BAM Validator operates in one of three distinct modes:\n\n| Mode | Description | Scheduler | Bundle/Txn Source | \n|--------|--------|--------|--------|\n| Normal Agave | Standard Solana Validator | Internal Agave Scheduler | TPU Ingestion |\n| Block Engine | Jito enhanced operation | Internal with Block Engine | Jito Block Engine & (Relayer TPU or TPU) |\n| BAM | External scheduler Delegation | External BAM Scheduler | BAM Node via gRPC |\n\n__KYC Requirement__\n\nJito - BAM Client will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n- Likeness test to verify identity\n\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list or the sanctions list of the United Kingdom or European Union or pursuant to sanctions imposed by the United Nations\n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nJito - BAM Client adheres to **Category 3: Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. 
For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nJito - BAM Client adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.","programType":["Blockchain/DLT"],"project":"Jito - BAM Client","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward $100,000. However, a minimum reward of USD $50,000 is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nFor critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows: \n\n- Network not being able to confirm new transactions (total network shutdown) - $100,000\n- Unintended permanent chain split requiring hard fork (network partition requiring hard fork) - $100,000\n- Permanent freezing of funds (fix requires hardfork) - $100,000\n\nFor critical Blockchain/DLT bugs, the reward is dependent on the ratio between the funds at risk, which includes all affected projects on top of the respective blockchain/DLT, and the market cap according to the average between CoinMarketCap.com and CoinGecko.com, calculated at the time the bug report is submitted. 
\n\n__Reward Calculation for High Level Reports__\n\nFor high Blockchain/DLT non-funds-at risk impacts, the reward will be paid out as follows: \n\n- Unintended chain split (network partition) - $50,000\n- Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments - $50,000\n\nPayouts are handled by the Jito Foundation directly and reward amounts are denominated in USD. However, payments are made in JTO on Solana.\n\nThe calculation of the net amount rewarded is based on the 7-day [TWAP](https://en.wikipedia.org/wiki/Time-weighted_average_price?utm_source=immunefi) of JTO at the time of settlement. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"JTO","slug":"jito-bam-client","tenPercentEconomicRule":false,"updatedDate":"2025-11-05T07:30:42.563Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"The BAM Client extends the Jito-Solana client to interface with external schedulers (BAM Nodes) that run inside Trusted Execution Environments (TEEs) via gRPC, receiving pre-sequenced transaction bundles and executing them in FIFO order with respect to account locks. This design maintains network security while enabling sophisticated transaction ordering strategies.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"Bounties apply only to vulnerabilities discovered in the listed repositories and code maintained by Jito Labs/Jito Foundation. This project is a fork of https://github.com/anza-xyz/agave; vulnerabilities that are present only in the upstream project and are not introduced or affected by the BAM Client fork are out of scope for rewards under this Bug Bounty Program. If a reported issue exists both in the BAM client fork and upstream please also report that to the agave bug bounty program.\n\nThe BAM node, which communicates with the BAM Client, is also out of scope and should be assumed as trusted for purposes of any submission. However if there are vulnerabilities that can impact the BAM Client which assume a malicious, misconfigured, or misbehaving BAM node, rewards may be considered on a discretionary basis. 
Note that since the BAM node code is closed source, at this time, submissions exploring a malicious BAM node may not be possible based on how the software is architected and therefore will not or may not require or result in any changes to the code for the BAM Client to remediate theoretical vulnerabilities.","customProhibitedActivities":[],"impacts":[{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":8,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting programs with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A 
bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"}],"rewards":[{"id":37765,"severity":"critical","assetType":"blockchain_dlt","maxReward":100000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":37766,"severity":"high","assetType":"blockchain_dlt","maxReward":50000,"minReward":25000,"rewardModel":"range"},{"id":37767,"severity":"medium","assetType":"blockchain_dlt","maxReward":25000,"minReward":5000,"rewardModel":"range"},{"id":37768,"severity":"low","assetType":"blockchain_dlt","maxReward":5000,"minReward":1000,"rewardModel":"range"}],"audits":[{"id":"n3ZQ9UWhuB29M13bCoZxI","url":"https://bam.dev/bam_client_audit_draft-09-29.pdf","auditor":"OtterSec","date":"2025-08-08"}]},{"assets":[{"id":"5dTgq7fNG1mhCb2je0GwNZ","url":"http://kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"Home Page","isPrimacyOfImpact":null},{"id":"1NljAPnu8iejUIqZkkZepB","url":"http://dashboard.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"Dashboard","isPrimacyOfImpact":null},{"id":"4izU4HOBQ2Q2UMkwIa2yya","url":"http://gateway.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"Gateway","isPrimacyOfImpact":null},{"id":"7dJnyyCB6zzHAzSUlfdIEg","url":"http://ledger-live-app.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"Ledger 
Live","isPrimacyOfImpact":null},{"id":"UwNfrHu1R6VysYqZBXp9n","url":"http://ledger-vault-gateway.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"Ledger Vault","isPrimacyOfImpact":null},{"id":"7BtJ8MyZqn1S0Q4yRByeYj","url":"http://vault.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"Vault","isPrimacyOfImpact":null},{"id":"6TbQ3vPwDP9Vhk2CQuxf3G","url":"http://sqlpad.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"SQL Pad","isPrimacyOfImpact":null},{"id":"6Adrkh8Y1IrvHdAilh0A7p","url":"http://api.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"L7Zr0OSjRifWqqQqzrs1s","url":"http://stake.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"Staking","isPrimacyOfImpact":null},{"id":"2CfJF6cr4KMAXb9STU9fNz","url":"http://widget.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"Widget","isPrimacyOfImpact":null},{"id":"59uebYEipTchif3dYBKjzR","url":"http://thegraph.kiln.fi","type":"websites_and_applications","addedAt":"2025-10-30T00:15:42.000Z","revision":1,"description":"The Graph","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-10-30T00:15:42.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7qC5RfXIrWxxlMjY6JlcQR/79d179f842a963925b979faeede67b82/U_4upYP6_400x400_Small.png","maxBounty":100000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Kiln is a yield product platform you can use to stake or deposit into DeFi directly, whether you are custodian of your funds or you integrate us in your non-custodial platform.\n\nWe enable you or your clients to deposit crypto assets, manually or programmatically, while maintaining custody of your funds in your existing solution, such as Fireblocks, Copper, or Ledger.\n\nThis program is for Kiln’s Web/App and Infrastructure assets. For bug reports for their Smart Contracts, please visit their other programs:\n - Kiln DeFi: https://immunefi.com/bug-bounty/kiln-defi/information/\n - Kiln On-Chain V1: https://immunefi.com/bug-bounty/kiln-on-chain-v1/information/#top\n - Kiln On-Chain V2: https://immunefi.com/bug-bounty/kiln/information/\n\n\nFor more information about Kiln Infrastructure + Web, please visit [https://www.kiln.fi/](https://www.kiln.fi/). \n\nKiln Infrastructure + Web provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__\n\nKiln Infrastructure + Web will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\nIf the claim comes from an individual:\n - The first names, surnames, date and place of birth of the person concerned\n - A Valid ID\n\nIf the claim comes from a business:\n - Legal form, name, registration number and address of the registered office\n - Valid certificate of incorporation\n - List of shareholders/directors\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nKiln Infrastructure + Web adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n\n__Proof of Concept (PoC) Requirements__\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.","programType":["Websites and Applications"],"project":"Kiln (dApp/Infra)","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. \nReward Calculation for Critical Level Reports\n\nFor critical web/apps bugs, reports will be rewarded to 10% of the impacted TVL, up to a maximum of USD 100 000, only if the impact leads to:\n - A loss of funds involving an attack that does not require any user action\n - Private key or private key generation leakage leading to unauthorized access to user funds or stake\n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 8 000. The rest of the severity levels are paid out according to the Impact in Scope table.\n\n\n__Reward Payment Terms__\n\nPayouts are handled by the Kiln Infrastructure + Web team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"kiln-webapp","tenPercentEconomicRule":false,"updatedDate":"2025-10-30T17:17:14.549Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Kiln is a yield product platform you can use to stake or deposit into DeFi directly, whether you are custodian of your funds or you integrate us in your non-custodial platform.\n","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"Out of Scope & Rules \nThese impacts are out of scope for this bug bounty program. \n\n__Websites and Apps__\n- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n- This does not exclude reflected HTML injection with or without JavaScript\n- This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n\n__All Categories:__\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers\n","customProhibitedActivities":[],"impacts":[{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through 
metadata"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":5799,"type":"websites_and_applications","severity":"critical","title":"Remote access to execute arbitrary code on the server, leading to full control of server operations."},{"id":5800,"type":"websites_and_applications","severity":"critical","title":"SQL injection resulting in full database compromise, unauthorized data manipulation, or leakage."},{"id":5801,"type":"websites_and_applications","severity":"critical","title":"Exploiting misconfigured IAM policies to gain unauthorized access to cloud infrastructure (e.g., virtual machines, storage buckets)."},{"id":5802,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Arbitrary file uploads, etc"},{"id":5803,"type":"websites_and_applications","severity":"high","title":"Disruption of critical services such as oracles, validators."},{"id":5804,"type":"websites_and_applications","severity":"medium","title":"Disruption where disruption does not lead to high issues like dapps being down or non-critical data apis."},{"id":5806,"type":"websites_and_applications","severity":"medium","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information Performing actions that can lead to a loss of funds / 
stake"}],"rewards":[{"id":37739,"severity":"critical","assetType":"websites_and_applications","maxReward":100000,"minReward":20000,"rewardModel":"range","otherImpactMaxReward":0},{"id":37740,"severity":"high","assetType":"websites_and_applications","maxReward":8000,"minReward":2500,"rewardModel":"range"},{"id":37741,"severity":"medium","assetType":"websites_and_applications","maxReward":2500,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"17CiH3PAbbDZeNAb8KT6bL","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/markets/legacy-market/contracts/Proxy.sol","type":"smart_contract","addedAt":"2025-07-15T04:57:02.807Z","revision":2,"description":"markets/legacy-market/contracts/Proxy.sol","isPrimacyOfImpact":null},{"id":"1DjxReBhQn6PTN4o8O2Ghk","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/markets/treasury-market/contracts/TreasuryStakingRewards.sol","type":"smart_contract","addedAt":"2025-07-15T04:56:22.003Z","revision":2,"description":"markets/treasury-market/contracts/TreasuryStakingRewards.sol","isPrimacyOfImpact":null},{"id":"1w01vaTjBeBoNFYRmy4QS8","url":"https://legacy-staking.synthetix.io/","type":"websites_and_applications","addedAt":"2025-07-15T04:46:56.454Z","revision":2,"description":"Legacy 
Staking","isPrimacyOfImpact":null},{"id":"28FR8FYXM29SYi0MqdsvBf","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/markets/treasury-market/contracts/SynthetixTreasuryProxy.sol","type":"smart_contract","addedAt":"2025-07-15T04:55:56.282Z","revision":2,"description":"markets/treasury-market/contracts/SynthetixTreasuryProxy.sol","isPrimacyOfImpact":null},{"id":"2TM0qserpzgj6BmjxYLabV","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/protocol/synthetix/contracts/modules/account/AccountTokenModule.sol","type":"smart_contract","addedAt":"2025-07-15T04:55:29.680Z","revision":2,"description":"protocol/synthetix/contracts/modules/account/AccountTokenModule.sol","isPrimacyOfImpact":null},{"id":"2eMVvBqO3NNERPyCABkac4","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/protocol/synthetix/contracts/modules/usd/USDTokenModule.sol","type":"smart_contract","addedAt":"2025-07-15T04:55:17.435Z","revision":2,"description":"protocol/synthetix/contracts/modules/usd/USDTokenModule.sol","isPrimacyOfImpact":null},{"id":"3s8s7JVtSVM5H5hA1v5q00","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/markets/treasury-market/contracts/InitialModuleBundle.sol","type":"smart_contract","addedAt":"2025-07-15T04:55:42.263Z","revision":2,"description":"markets/treasury-market/contracts/InitialModuleBundle.sol","isPrimacyOfImpact":null},{"id":"4YRM26IBJyV8zLa9mBGUsW","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/markets/legacy-market/contracts/InitialModuleBundle.sol","type":"smart_contract","addedAt":"2025-07-15T04:56:35.638Z","revision":2,"description":"markets/legacy-market/contracts/InitialModuleBundle.sol","isPrimacyOfImpact":null},{"id":"5RO0AcDuXigvbt52yIxiTi","url":"https://synthetix.io/","type":"websites_and_applications","addedAt":"2025-07-15T04:47:11.921Z","revision":2,"description":"Synthetix","isPrimacyOfImpact":null},{"id":"69iJrbpKzQrhv2EivWfI8G","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/markets/legacy-market/co
ntracts/SNXDistributor.sol","type":"smart_contract","addedAt":"2025-07-15T04:57:16.308Z","revision":2,"description":"markets/legacy-market/contracts/SNXDistributor.sol","isPrimacyOfImpact":null},{"id":"7igmAeaS7AcSBRo76f80M9","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/markets/treasury-market/contracts/TreasuryMarket.sol","type":"smart_contract","addedAt":"2025-07-15T04:56:08.803Z","revision":2,"description":"markets/treasury-market/contracts/TreasuryMarket.sol","isPrimacyOfImpact":null},{"id":"7wsI4VLrT3GKY7MDCbI88F","url":"https://github.com/Synthetixio/synthetix-v3/blob/main/markets/legacy-market/contracts/LegacyMarket.sol","type":"smart_contract","addedAt":"2025-07-15T04:56:49.775Z","revision":2,"description":"markets/legacy-market/contracts/LegacyMarket.sol","isPrimacyOfImpact":null},{"id":"EQ10DfyPTgqfrwzdjI4FG","url":"https://420.synthetix.io/","type":"websites_and_applications","addedAt":"2025-07-15T04:46:41.982Z","revision":2,"description":"Staking","isPrimacyOfImpact":null}],"assetsBodyV2":"Unless explicitly listed, only pages of the web/app assets in addition to the direct link are considered in-scope of the bug bounty program. Other subdomains are not considered as in-scope. 
However, for subdomain takeovers that lead to an impact on the in-scope asset, please refer to our page about [Reported Subdomain Takeovers](https://immunefisupport.zendesk.com/hc/en-us/articles/14352199704593-Reported-Subdomain-Takeovers).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity","JavaScript"],"launchDate":"2021-03-05T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3GJoatBuqt8RlBr5f1yRa1/6f37cd51feefc6382e47d61e93a612e3/Synthetix-logo.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the\nfollowing types:\n\n**Smart Contracts/Blockchain:**\n\n- Re-entrancy\n- Logic errors\n  - including user authentication errors\n- Solidity/EVM details not considered\n  - including integer over-/under-flow\n  - including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - including composability vulnerabilities\n- Oracle failure/manipulation\n- Novel governance attacks\n- Economic/financial attacks\n  - including flash loan attacks\n- Congestion and scalability\n  - including running out of gas\n  - including block stuffing\n  - including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n  - Signature malleability\n  - Susceptibility to replay attacks\n  - Weak randomness\n  - Weak encryption\n- Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging 
interfaces","productType":["DAO","DEX","Perpetuals","Staking"],"programOverview":"Synthetix provides a building layer that allows other protocols to tap into its universal liquidity pool, offering derivative exposure on an EVM compatible chain.\n\nResources regarding Synthetix contracts can be found at the bottom of the program. v2x perp trading is still covered, as is v3 snx/susd staking. All other v3 contracts that are not related to snx/susd staking, as well as spot markets on v2x, are not covered in this bounty program.\n\nFor more information about Synthetix, please visit [https://synthetix.io/](https://synthetix.io/).\n\n\nSynthetix provides rewards in __USDC__. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nSynthetix adheres to the Primacy of Rules.\n\n\n__Immunefi Standard Badge__\n\nSynthetix has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract","Websites and Applications"],"project":"Synthetix","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is __10%__ of the funds directly affected up to a maximum of __USD $100,000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD $10,000__ is to be rewarded in order to incentivize security researchers against withholding a bug report.   \nFor critical web/app bugs, the reward amount is __10%__ of the funds directly affected up to a maximum of __USD $30,000__. 
The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD $1,000__ is to be rewarded in order to incentivize security researchers against withholding a bug report.   \n\n__Repeatable Attack Limitations__\n\nIn cases of smart contract vulnerabilities whereby the attacks can be repeated at certain time intervals, if the attack can be stopped by a configuration change, the total value-at-risk from the consecutive attacks is computed by adding up the losses incurred and applying the below discount factors:\n\n| Time Since Attack 1     | Discount Factor     |\n| ---------- | ---------- |\n| 0 to 15 minutes       | 0%       |\n| 15 to 30 minutes       | 25%       |\n| 30 to 60 minutes       | 50%       |\n| 60 to 120 minutes       | 75%       |\n| > 120 minutes       | 100%       |\n\nIf the attack cannot be stopped by configuration changes, the discount factors are adjusted by 50% (i.e. 0% / 12.5% / 25% … ), with the terminal discount factor being 100% at 4 hours (from the initial attack).\n\n__Previous Audits__\n\nSynthetix has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n  - [https://github.com/Synthetixio/synthetix-docs/blob/master/content/releases.md](https://github.com/Synthetixio/synthetix-docs/blob/master/content/releases.md)\n  - [https://docs.synthetix.io/v/v3/for-developers/smart-contract-audits](https://docs.synthetix.io/v/v3/for-developers/smart-contract-audits)\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n  - Critical\n  - High\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). 
Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nAs part of the bug bounty matching program, Optimism will contribute __52,500 OP__ tokens to match the rewards offered by Synthetix. This means that for every reward paid out by Synthetix to a security researcher, Optimism will provide an additional, matching reward, in OP tokens. The total reward pool for this program is __52,500 OP tokens__. The other 50% of the reward (if applicable for matching) will be paid by __Synthetix__ in __USDC__. \n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System v. 2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 4-level scale. The development of this scale took into consideration multiple factors that may affect a vulnerability and its likelihood of exploitation, but finalizes them largely by the impact that they cause.\n\nThe table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that or rejected. \n\n__Goodwill Payments__ \n\nThis applies to the following severity and asset levels: \n  - Smart Contract - Low\n  - Web/App - Medium\n  - Web/App - Low\n\nSynthetix is willing to offer discretionary “Goodwill Payments” for any bugs that fall under these categories and affect __TVL <$1,000__, \n\nFurthermore, if the value of the assets at risk cannot be estimated, then the bounty payment would be discretionary based on goodwill terms.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USD","slug":"synthetix","tenPercentEconomicRule":false,"updatedDate":"2025-10-27T07:36:41.306Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","websiteUrl":"https://synthetix.io","githubUrl":"https://github.com/Synthetixio","eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Onchain custody. Offchain performance.\n\nPerpetual futures that don't make you choose between security and speed.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":" - Attacks that require altering the configurations of the protocol from the time the vulnerability disclosure is submitted (i.e. listing new assets / changing parameters). However, changes in configuration that are staged to be implemented and have been voted on by [governance](https://sips.synthetix.io/) are considered to be in scope.\n  - Security researchers from restricted countries, reference to the [terms](https://staking.synthetix.io/terms/), are not eligible for bounties regardless of the scope of the vulnerability disclosure\n  - Activities that violate the whitehat [rules of engagement](https://immunefi.com/rules/) would result in revocation of the bounty regardless of the disclosure merit.","customProhibitedActivities":[],"impacts":[{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute 
arbitrary system commands"},{"id":330,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as: reflected HTML injection, loading external site data"},{"id":331,"type":"websites_and_applications","severity":"high","title":"Redirecting users to malicious websites (Open Redirect)"},{"id":329,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: email or password of the victim, etc"},{"id":5636,"type":"smart_contract","severity":"critical","title":"Direct theft of collateral from liquidity providers and borrowers (i.e. staked assets)"},{"id":5638,"type":"smart_contract","severity":"critical","title":"Permanent bricking of staking or trading contracts resulting in losses to owners, where the assets can’t be recovered by any means"},{"id":5640,"type":"smart_contract","severity":"critical","title":"Immediate manipulation of the debt of the protocol, not related to oracle price changes, nor related to debt fluctuations from interactions that are within the intended design. Immediate protocol insolvency of liquidity providers"},{"id":5641,"type":"smart_contract","severity":"critical","title":"Theft of unclaimed yield that can become claimable by the attacker immediately (i.e. swapped to external assets), or claimable after a period of time where the protocol is unable to safeguard the funds at risk via code updates"},{"id":5642,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield that can become claimable by the attacker within 24 hours of the attack"},{"id":5643,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":5644,"type":"smart_contract","severity":"high","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":5645,"type":"smart_contract","severity":"high","title":"Insolvency of liquidity providers and generation of bad debt, where the attack spans multiple transactions over an extended period of time"},{"id":5647,"type":"smart_contract","severity":"medium","title":"Other governance voting result manipulation"},{"id":5648,"type":"smart_contract","severity":"medium","title":"Theft of unclaimed yield that can become claimable by the attacker"},{"id":5635,"type":"websites_and_applications","severity":"medium","title":"Any vulnerability that allows an attacker to prevent users from accessing websites or services included in the program, excluding traditional DDoS attacks"},{"id":5649,"type":"smart_contract","severity":"low","title":"Minor accounting miscalculations for staking accrual"},{"id":5650,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":5651,"type":"websites_and_applications","severity":"high","title":"Redirecting users to malicious websites (Open Redirect)"},{"id":5652,"type":"websites_and_applications","severity":"high","title":"Manipulation of the governance voting UI with the intent of luring votes into voting for the wrong 
candidate"}],"rewards":[{"id":32306,"severity":"critical","assetType":"smart_contract","fixedReward":100000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":32307,"severity":"high","assetType":"smart_contract","fixedReward":50000,"rewardModel":"fixed"},{"id":32308,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":32309,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":32310,"severity":"critical","assetType":"websites_and_applications","fixedReward":30000,"rewardModel":"fixed","otherImpactMaxReward":3000},{"id":32311,"severity":"high","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":32312,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"7HyxFsesRvaQI87jC5dB0B","url":"https://iosiro.com/audits","auditor":"iosiro","date":"2024-11-23T23:00:00.000Z"}]},{"assets":[{"id":"4JRnHNvEcZazurK6bbkPXE","url":"https://github.com/FuelLabs/fuel-bridge/tree/e3e673e31f9e72d757d68979bb6796a0b7f9c8bc/packages/solidity-contracts","type":"smart_contract","addedAt":"2024-06-17T08:00:00.000Z","revision":3,"description":"solidity-contracts :: The L1 contracts for the Fuel bridge that handle deposits and withdrawals on Ethereum","isPrimacyOfImpact":null},{"id":"3foLVodloGQF4yZ8A5rUu","url":"https://github.com/FuelLabs/fuel-bridge/tree/e3e673e31f9e72d757d68979bb6796a0b7f9c8bc/packages/message-predicates","type":"smart_contract","addedAt":"2024-06-17T08:00:00.000Z","revision":3,"description":"message-predicates :: The L2 deposit receiver which enables minting of funds on Fuel from the bridge","isPrimacyOfImpact":null},{"id":"5v6wCTEcJNcFRaB6qXa1dS","url":"https://github.com/FuelLabs/fuel-bridge/tree/e3e673e31f9e72d757d68979bb6796a0b7f9c8bc/packages/fungible-token","type":"smart_contract","addedAt":"2024-06-17T08:00:00.000Z","revision":2,"description":"fungible-token :: The L2 
contract on fuel which verifies the deposit receiver and mints the actual tokens","isPrimacyOfImpact":null},{"id":"69e7Qn7Id02kpCp50HRMHM","url":"https://github.com/FuelLabs/sway/tree/v0.61.2","type":"smart_contract","addedAt":"2024-06-17T08:00:00.000Z","revision":2,"description":"sway :: The sway compiler and most Sway tooling (ie. forc, standard library, etc)  *Note: Only the fuelvm target is in scope. The evm and midenVM target are out of scope","isPrimacyOfImpact":null},{"id":"3NcjwyABqObkPbVbvUXJU9","url":"https://github.com/FuelLabs/sway-libs/tree/0f47d33d6e5da25f782fc117d4be15b7b12d291b","type":"smart_contract","addedAt":"2024-06-17T08:00:00.000Z","revision":1,"description":"sway-libs :: Common Sway libraries","isPrimacyOfImpact":null},{"id":"37ncSFKri7RN4wgPbLkwUv","url":"https://github.com/FuelLabs/sway-standards/tree/v0.5.1","type":"smart_contract","addedAt":"2024-06-17T08:00:00.000Z","revision":2,"description":"sway-standards","isPrimacyOfImpact":null},{"id":"62kTkAwZ5e2Zx4Q18xcTed","url":"https://github.com/FuelLabs/fuel-core/tree/v0.31.0","type":"blockchain_dlt","addedAt":"2024-06-17T08:00:00.000Z","revision":2,"description":"fuel-core :: The blockchain client for the L2","isPrimacyOfImpact":null},{"id":"1rZx2dz6hbUBxTl9r30S0d","url":"https://github.com/FuelLabs/fuel-vm/tree/v0.55.0","type":"blockchain_dlt","addedAt":"2024-06-17T08:00:00.000Z","revision":2,"description":"fuel-vm :: The fuelvm and the low level shared libraries with Fuel (ie. 
tx types, assembly code, etc)","isPrimacyOfImpact":null},{"id":"5f1YB44kCyRIP6nmguHkRY","url":"https://github.com/FuelLabs/fuels-ts/tree/v0.91.0","type":"blockchain_dlt","addedAt":"2024-06-17T08:00:00.000Z","revision":2,"description":"fuel-ts :: The typescript sdk which interacts with the blockchain client and compiler","isPrimacyOfImpact":null},{"id":"2GSKwdNNEvuWNpVIlG6JTg","url":"https://github.com/fuellabs/fuels-rs/tree/d3ac1d3f8910cc12c662ccbe5ff51d9e9354ed1a","type":"blockchain_dlt","addedAt":"2024-06-17T08:00:00.000Z","revision":1,"description":"fuel-rs :: The rust sdk which interacts with the blockchain client and compiler","isPrimacyOfImpact":null},{"id":"1wsELLBzCfhofJB8ivLw7O","url":"https://github.com/FuelLabs/fuel-connectors/tree/v0.8.1","type":"websites_and_applications","addedAt":"2024-06-17T08:00:00.000Z","revision":2,"description":"fuel-connectors :: Web2 library that enables apps to connect to fuel supported wallets","isPrimacyOfImpact":null},{"id":"kyrcWoqp0TJ1cfIrS6KJL","url":"https://github.com/FuelLabs/fuels-wallet/tree/v0.22.0","type":"websites_and_applications","addedAt":"2024-06-17T08:00:00.000Z","revision":2,"description":"fuel-wallet :: Web2 Fuel Wallet extension that allows users to interact with fuel network and stores the private keys / seed phrase of the user","isPrimacyOfImpact":null},{"id":"54H6SSuhafL6uTfjoWv6av","url":"https://github.com/fuellabs/fuel-explorer/tree/3af2f6dd3dea07ed071858b07378fba1c24d2f77","type":"websites_and_applications","addedAt":"2024-06-17T08:00:00.000Z","revision":1,"description":"fuel-explorer :: Web2 bridge and explorer UI, that allows users to bridge funds from sepolia to the Fuel Network and also visualize the transactions of the network","isPrimacyOfImpact":null}],"assetsBodyV2":"**Fuel's changelog per repo at the end of the code update period is:**\n- Fuel Bridge : https://github.com/FuelLabs/fuel-bridge/commit/e3e673e31f9e72d757d68979bb6796a0b7f9c8bc \n- sway : 
https://github.com/FuelLabs/sway/releases/tag/v0.61.2\n- sway-libs : Unchanged\n- sway-standards : https://github.com/FuelLabs/sway-standards/releases/tag/v0.5.1\n- fuel-core : https://github.com/FuelLabs/fuel-core/blob/2faae02d57be88d271893c822c781f34e5f445bc/CHANGELOG.md#version-0310\n- fuel-vm : https://github.com/FuelLabs/fuel-vm/blob/2604237c9ff4a755e48b40b2c006711d22cff19f/CHANGELOG.md#version-0550\n- fuel-ts : https://github.com/FuelLabs/fuels-ts/releases/tag/v0.91.0 \n- fuel-rs : Unchanged\n- fuel-connectors: https://github.com/FuelLabs/fuel-connectors/releases/tag/v0.8.1 \n- fuel-wallet : https://github.com/FuelLabs/fuels-wallet/releases/tag/v0.22.0\n- fuel-explorer : Unchanged\n\nAdditional Known Issues have also been added to the section 'Post Code Update Period Known Issues'. When these issues are fixed they will no longer be considered known issues and the code will be brought back into scope to find bugs in the fixes. All intended fixes are included in the 'Known Issues' section.\n\n\nFuel Network’s codebase can be found here https://github.com/FuelLabs/ . Each asset in scope listed above is pinned to a given commit hash, which is the source of truth of what’s in scope.\n\nFuel Network will strive to have the Testnet match their Github assets. In cases where they differ, the links in the assets in-scope table will be the source-of-truth as to what’s in-scope. \n\n**Out of Scope Assets:**\n- Only the fuelvm target is in scope for the asset: https://github.com/FuelLabs/sway/tree/7b56ec734d4a4fda550313d448f7f20dba818b59 . 
The evm and midenVM target are out of scope\n- Any smart contract with text stating that THIS CONTRACT IS DEPRECATED is out of scope.\n- FuelERC721Gateway contracts are also out of scope because they are pending development of a new version.\n\n**The Testnet deployment can be found here:**\n\n- FuelChainState - https://sepolia.etherscan.io/address/0x404F391F96798B14C5e99BBB4a9C858da9Cf63b5 \n- Fuel Message Portal - https://sepolia.etherscan.io/address/0x01855B78C1f8868DE70e84507ec735983bf262dA \n- FuelERC20GatewayV4 - https://sepolia.etherscan.io/address/0xa97200022c7aDb1b15f0f61f374E3A0c90e2Efa0\n\n\n**Previous Audits & Public Disclosure of Known Issues**\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\nFuel Network’s completed audit reports can be found at https://github.com/FuelLabs/audits . 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n**Post Code Update Period Known Issues:**\n- P2P is doing a lot of database lookups - https://github.com/FuelLabs/fuel-core/issues/2023\n- Sequential opcodes return an error when touching the last storage key - https://github.com/FuelLabs/fuel-core/issues/2022\n- Unlimited spamming of TxPool - https://github.com/FuelLabs/fuel-core/issues/2021\n- Transaction pool can be manipulated to do a lot of cleanups - https://github.com/FuelLabs/fuel-core/issues/2020\n- The block production should take into account the available number of transactions - https://github.com/FuelLabs/fuel-core/issues/2019\n- Block production should modify the block only after passing all checks - https://github.com/FuelLabs/fuel-core/issues/2018\n- Slow GraphQL request sender can drain resources of the node - https://github.com/FuelLabs/fuel-core/issues/2017\n- WDCM and WQCM implementation mismatch with the specification - https://github.com/FuelLabs/fuel-vm/issues/791\n\nThe following fixes will be deployed for the above known issues, at which point they'll no longer be known issues and will be brought back into scope to find bugs in again:\n- Optimize getting of transactions for blocks during network synchronization to decrease the load from the p2p service.\n- Fix for the edge case for sequential opcodes to not return an error when the last key of the operation is still in the range.\n- Handle the gas price and number of available transactions during the selection of transactions from the TxPool.\n- Update the executor's block production logic to modify the block only after the transaction is valid.\n- Increase the base gas price based on demand.\n- Optimize SMT updates within transaction execution.\n- Fix `WDCM` and `WQCM` to match the specification.\n\n**Miscellaneous issues:**\n\n- https://github.com/FuelLabs/fuels-rs/issues/1361\n- https://github.com/FuelLabs/sway/issues/6060\n- 
https://github.com/FuelLabs/sway-playground/issues/56\n- https://github.com/FuelLabs/sway/issues/5727\n- https://github.com/FuelLabs/fuels-wallet/issues/1322\n- https://github.com/FuelLabs/fuels-ts/issues/2443\n- https://github.com/FuelLabs/sway/issues/6091\n- https://github.com/FuelLabs/fuels-ts/issues/2492\n- https://github.com/FuelLabs/sway/issues/6118\n- https://github.com/FuelLabs/fuel-explorer/issues/366\n- https://github.com/FuelLabs/sway/issues/418\n- https://github.com/FuelLabs/sway/issues/5892\n- https://github.com/FuelLabs/sway/issues/5124\n- https://github.com/FuelLabs/sway/issues/15\n- https://github.com/FuelLabs/sway/issues/5886\n- https://github.com/FuelLabs/sway/issues/5049\n- https://github.com/FuelLabs/fuel-core/issues/1961\n- https://github.com/FuelLabs/fuel-core/issues/1966\n- https://github.com/FuelLabs/fuel-core/issues/1967\n- https://github.com/FuelLabs/fuel-core/issues/1049\n- https://github.com/FuelLabs/fuel-core/issues/1968\n- https://github.com/FuelLabs/fuel-core/issues/1969\n- https://github.com/FuelLabs/fuel-core/issues/1970\n- https://github.com/FuelLabs/fuel-core/issues/1971\n- https://github.com/FuelLabs/fuel-vm/issues/764\n- https://github.com/FuelLabs/fuel-vm/issues/757\n\nThere may be other low severity findings tracked in these repos' GitHub issues which are not exhaustively listed here. 
You can check for publicly described issues on GitHub before sending the submission by using keywords from the finding.\n\n## Asset In Scope Policies\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n**Primacy of Impact vs Primacy of Rules**\n\nFuel Network adheres to the Primacy of Rules, which means that the whole Attackathon is run strictly under the terms and conditions stated within this page.","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1sVU8WjZ8Bav_pvi7s2248QKEswo8u6DB?usp=drive_link)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/fuel-network-or-attackathon)","boostedIntroLive":"$1.3 million USD is available in Attackathon rewards. With $1,000,000 for finding bugs on Fuel itself during June 17th to July 22nd. Plus a further $300,000 dedicated to Invite-Only programs on Fuel’s top 4 dApps which will run afterwards.\n\nAll security researchers who find a single valid bug in the $1 million Fuel Attackathon will be invited to all subsequent Invite-Only programs and receive NFT awards.\n\nYou can ask Fuel any questions directly in the [Fuel Attackathon Discord channel](https://discord.com/invite/immunefi?utm_source=immunefi) on Immunefi's Discord, or on the [Fuel Forum](https://forum.fuel.network/?utm_source=immunefi). During the Attackathon Fuel commits to responding within 48 hours on weekdays to all bug reports.\n\nAfter the Attackathon Immunefi will publish a leaderboard and Attackathon findings report, as well as whitehat spotlights and bugfix reviews for top placements.","boostedIntroStartingIn":"$1.3 million USD is available in Attackathon rewards. 
With $1,000,000 for finding bugs on Fuel itself during June 17th to July 22nd. Plus a further $300,000 dedicated to Invite-Only programs on Fuel’s top 4 dApps which will run afterwards.\n\nWhen the $1 million Fuel Attackathon has ended Immunefi will publish a leaderboard and Attackathon findings report, whitehat spotlights, bugfix reviews, and NFT awards.\n\nAll security researchers who find a single valid bug in the $1 million Fuel Attackathon will be invited to all subsequent Invite-Only programs.\n\n**June 3rd to June 17th:**\n\nThe Fuel Education Period is live. To help you learn Fuel quickly & deeply we'll be providing the Fuel Academy, a learning page designed for security researchers on the Immunefi website, as well as a series of live technical walkthroughs, and direct technical support from Fuel.\n\nYou can ask Fuel any questions directly in the [Fuel Attackathon Discord channel](https://discord.com/invite/immunefi) on Immunefi's Discord, or on the [Fuel Forum](https://forum.fuel.network/).\n\n**June 17th 8am UTC to July 22nd 8am UTC:**\n\nFuel’s Attackathon is live. Find bugs and earn rewards. Reward terms can be [read here](https://immunefisupport.zendesk.com/hc/en-us/articles/25655313192721-Fuel-Attackathon-Reward-Terms).\n\nAdditionally, a code update period will occur from July 1st 8am UTC to July 6th 8am UTC. During this the code in scope will be changing until it is re-finalized on July 6th 8am UTC. A changelog of all updates will be shared.\n\nDuring the Attackathon Fuel commits to responding within 48 hours on weekdays to all bug reports. 
\n\n[Sign up here for Fuel Attackathon Updates](https://forms.gle/XaXE4n7Gmvu48ZkE9).","boostedLeaderboard":[{"high":1,"name":"NinetyNineCrits","critical":1,"earnings":168502,"insights":1,"mediumLow":0,"totalValidBugs":2},{"high":2,"name":"anatomist","critical":0,"earnings":157812,"insights":2,"mediumLow":18,"totalValidBugs":20},{"high":2,"name":"Minato7namikazi","critical":1,"earnings":156085,"insights":0,"mediumLow":1,"totalValidBugs":4},{"high":0,"name":"cyberthirst","critical":1,"earnings":141458,"insights":4,"mediumLow":1,"totalValidBugs":2},{"high":3,"name":"zeroK","critical":0,"earnings":86661,"insights":4,"mediumLow":1,"totalValidBugs":4},{"high":4,"name":"Blockian","critical":0,"earnings":70876,"insights":2,"mediumLow":2,"totalValidBugs":6},{"high":1,"name":"ret2happy","critical":0,"earnings":39700,"insights":4,"mediumLow":0,"totalValidBugs":1},{"high":2,"name":"Schnilch","critical":0,"earnings":27366,"insights":2,"mediumLow":1,"totalValidBugs":3},{"high":1,"name":"shadowHunter","critical":0,"earnings":23748,"insights":0,"mediumLow":2,"totalValidBugs":3},{"high":0,"name":"Solosync6","critical":0,"earnings":18547,"insights":0,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"n4nika","critical":0,"earnings":14838,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"savi0ur","critical":0,"earnings":12707,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"LonelySloth","critical":0,"earnings":12334,"insights":0,"mediumLow":4,"totalValidBugs":4},{"high":0,"name":"jasonxiale","critical":0,"earnings":11128,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"nikitastupin","critical":0,"earnings":11128,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"jecikpo","critical":0,"earnings":6380,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"sventime","critical":0,"earnings":5620,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"bugtester","critical":0,"earnings":5263,"insights":2,"medi
umLow":0,"totalValidBugs":0},{"high":0,"name":"InquisitorScythe","critical":0,"earnings":4737,"insights":3,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"xylix","critical":0,"earnings":4507,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"rbz","critical":0,"earnings":4236,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"blackgrease","critical":0,"earnings":3709,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"UGWST_COM","critical":0,"earnings":3709,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"fnmain","critical":0,"earnings":3158,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"shanb1605","critical":0,"earnings":2632,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Crab","critical":0,"earnings":2632,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"SimaoAmaro","critical":0,"earnings":526,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"[redacted]*","critical":0,"earnings":0,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"[redacted]**","critical":0,"earnings":0,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1L-8jHGhR8UqvRlHRhUXXreSRkGUVJsPU/view?usp=sharing","ecosystem":["Fuel Network"],"endDate":"2024-07-29T08:00:00.000Z","evaluationEndDate":"2024-11-06T12:01:06.194Z","features":["Attackathon","Vault","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Sway","Rust"],"launchDate":"2024-06-17T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2Fk02TUogACJYRTBgFHDjr/d34c2b33d5debf44e37143e6e4448b62/FUEL_Symbol_Circle_Green_RGB__1_.png","maxBounty":1000000,"outOfScopeAndRules":"**KYC Requirement**\n\nFuel Network will be requesting KYC information in order to pay for successful bug submissions to whitehats who earn $500 USD or more. 
The following information will be required:\n\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government-issued ID\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list\n- From a restricted country or territory: North Korea, Iran, Cuba, Syria, certain regions of Ukraine (Crimea, Donetsk and Luhansk), West Bank and Gaza regions of Israel, Venezuela, Afghanistan\n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in the audit review, or who work for the company which did the audit review\n\n**Responsible Publication**\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n- Immunefi may publish bug reports submitted to this Attackathon and a leaderboard of the participants and their earnings.\n\n**Immunefi Standard Badge**\n\nBy adhering to Immunefi’s best practice recommendations, Fuel Network has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).\n\n## Out of Scope Impacts\n\n- Impacts on Example Code provided by Fuel Network or smart contract code that was deployed by the user.\n\n**All Categories:**\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to 
functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the b\n\n**Blockchain/DLT & Smart Contract Specific:**\n\n- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n**Websites and Apps:**\n\n- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. URL parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering\n\n## Prohibited Activities:\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"To be determined  - prioritized vulns","productType":["L2"],"programOverview":"Fuel is an operating system purpose-built for Ethereum Rollups. Fuel allows rollups to solve for PSI (parallelization, state minimized execution, interoperability) without making any sacrifices.\n\nFor more information about Fuel Network, please visit https://fuel.network/\n\n**Code Update Period**\n\nFrom July 1st 8am UTC to July 6th 8am UTC the Fuel Attackathon will be in the “Code Update Period”.\n\n- During this time the assets in-scope will be changing.\n- Before this time (Epoch 1) and after this time (Epoch 2) the assets in-scope will NOT be changing. 
\n- Any bug reports submitted during the Code Update Period will be judged based on the assets in-scope as of July 6th 8am UTC.\n\nFuel Network will provide a changelog and give a live technical walkthrough of the changes, their effects, and answer whitehat questions on Immunefi’s Discord at the end of the code update period.\n\nThe changelog can be found on this page, as well as [in this article](https://immunefisupport.zendesk.com/hc/en-us/articles/26376321462417-Fuel-Attackathon-Code-Update-Changelog).","programType":["Blockchain/DLT","Smart Contract","Websites and Applications"],"project":"Attackathon | Fuel Network","projectType":["Infrastructure"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Fuel Attackathon Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/25655313192721-Fuel-Attackathon-Reward-Terms).\n\nThe reward pool size varies based on the severity of bugs found:\n\n- If one or more Low severity bugs are found the reward pool will be $100,000 USD\n- If one or more Medium severity bugs are found the reward pool will be $250,000 USD\n- If one or more High severity bugs are found the reward pool will be $500,000 USD\n\n- If 1 Critical severity bug is found the reward pool will be $800,000 USD\n- If 2 Critical severity bugs are found the reward pool will be $900,000 USD\n- If 3 or more Critical severity bugs are found the reward pool will be $1,000,000 USD\n\nFor this Attackathon, duplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n**Reward Payment Terms**\n\nPayouts are handled by the Fuel Network team directly and are denominated in USD. 
However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n**Insight Rewards Payment Terms**\n\nInsight Rewards: Portion of the Rewards Pool\n\n* The \"Insight\" severity was introduced on Boost & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)","rewardsPool":1000000,"primaryPool":1000000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"fuel-network-attackathon","tenPercentEconomicRule":false,"updatedDate":"2025-10-22T09:41:32.530Z","impactsBody":"Bugs in the Fuel VM and Compiler are the top priority for Fuel. Whitehats who focus here will earn the greatest rewards and acclaim from Fuel.\n\n**Proof of Concept (PoC) Requirements**\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Feasibility Limitations**\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Fuel is an operating system purpose built for Ethereum Rollups. Fuel allows rollups to solve for PSI (parallelization, state minimized execution, interoperability) without making any sacrifices.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":4900,"type":"smart_contract","severity":"low","title":"Temporary freezing of funds up to 1 hour"},{"id":4901,"type":"smart_contract","severity":"low","title":"Temporary freezing of NFTs up to 1 hour"},{"id":4902,"type":"blockchain_dlt","severity":"low","title":"Compiler bug"},{"id":4903,"type":"smart_contract","severity":"low","title":"Compiler bug"},{"id":4904,"type":"blockchain_dlt","severity":"high","title":"Permanent freezing of funds (fix requires 
hardfork)"},{"id":4905,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 3000% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":4906,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 hour"},{"id":4907,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs for at least 1 hour"},{"id":4908,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":4909,"type":"blockchain_dlt","severity":"high","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":4910,"type":"blockchain_dlt","severity":"medium","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters (e.g. 
prevents processing transactions from the mempool)"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":4911,"type":"blockchain_dlt","severity":"medium","title":"Modification of transaction fees outside of design parameters"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4912,"type":"websites_and_applications","severity":"medium","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":4913,"type":"websites_and_applications","severity":"medium","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"},{"id":4914,"type":"websites_and_applications","severity":"medium","title":"Injection of malicious HTML or XSS through metadata"},{"id":4915,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4916,"type":"blockchain_dlt","severity":"medium","title":"RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":4917,"type":"blockchain_dlt","severity":"critical","title":"Bypassing the bridge timelock"},{"id":4918,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds on the L1 Bridge side"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct 
theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"critical","payout":"Portion of 
the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true}],"audits":[]},{"assets":[{"id":"5TFgF2NoKSQeWTEdlpUGzk","url":"https://docs.sushi.com/contracts/red-snwapper#deployments","type":"smart_contract","addedAt":"2025-10-07T15:42:32.045Z","revision":2,"description":"Red Snwapper","isPrimacyOfImpact":null},{"id":"6B4xxxhUuHtuPjrOciREcp","url":"https://docs.sushi.com/contracts/cpamm#deployments","type":"smart_contract","addedAt":"2025-10-07T15:43:02.712Z","revision":1,"description":"cpAMM (SushiSwap V2)","isPrimacyOfImpact":null},{"id":"2ZofOr0vchGeyPipicfqKv","url":"https://docs.sushi.com/contracts/clamm#deployments","type":"smart_contract","addedAt":"2025-10-07T15:43:26.110Z","revision":1,"description":"clAMM (SushiSwap V3)","isPrimacyOfImpact":null}],"assetsBodyV2":"__Submission Requirements__\n\nIn order to be considered for a reward, all bug reports must contain the following:\n  - Description of suspected vulnerability\n  - POC demonstrating the vulnerability for reproduction, can be a high-level POC\n  - Steps to reproduce the issue\n  - Your name and/or colleagues if you wish to be later recognized\n  - (Optional) A patch and/or suggestions to resolve the vulnerability\n\n__Ethical Behavior Requirements__\n\nResponsible disclosure is predicated on ethical behavior. These guidelines outline best practices for the community as a whole, whether you are reporting, or the recipient of a report. 
By stating that you adhere to this policy, you’re claiming to handle vulnerability information ethically, and abide by the following:\n\n  - Do not attempt to leverage a vulnerability, or information of its existence as part of a financial trading strategy or otherwise for financial gain.\n  - Do not attempt to compromise systems upon which development of a product relies, including but not limited to compromising development systems, accounts, domains, email, etc.\n  - Do not attempt to sell vulnerability information or exploits.\n  - Do not ask for any form of compensation from an affected party. You may compensate a disclosing party if you would like to after all known vulnerability details have been disclosed.\n  - Do not disclose a bug or vulnerability on mailing lists, public boards, forums, social media or any other channel prior to Responsibly Disclosing to the organizations you have a published relationship with.\n  - Do not attempt any illegal acts, including phishing, physical attacks, DDoS, or any attempt to gain access without authorization.\n\n__3rd Party Affected Projects__\n\nIn the case where we become aware of security issues affecting other projects that have never affected SushiSwap, our intention is to inform those projects of security issues on a best-effort basis.\n\nIn the case where we fix a security issue in SushiSwap that also affects the following neighboring projects, our intention is to engage in responsible disclosures with them as described in the adopted standard, subject to the deviations described in the deviations section below.\n\n__Deviations from the Standard__\n\nIn the case of a counterfeiting or fund-stealing bug affecting SushiSwap, however, we might decide not to include those details with our reports to partners ahead of coordinated release, as long as we are sure that they are not vulnerable.\n\n__Notes on Expected Behaviors__\n\n  - Any reports that involve tokens outside of ERC20s will not be considered in scope. 
(i.e. ERC777 tokens)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","Celo","ETH","Fantom","Gnosis","Harmony","Heco","Kava","Linea","Metis","Moonbeam","Optimism","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-03-26T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/ktA91VW40fkAtwAT2Ygs9/4bccd7ed0e2b2b2ef8f27e783801273e/Sushiswap-logo.png","maxBounty":200000,"pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the\nfollowing types:\n\n**Smart Contracts/Blockchain:**\n\n- Re-entrancy\n- Logic errors\n  - including user authentication errors\n- Solidity/EVM details not considered\n  - including integer over-/under-flow\n  - including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - including composability vulnerabilities\n- Oracle failure/manipulation\n  - excluding real market activity\n  - excluding external oracle manipulation\n- Novel governance attacks\n- Congestion and scalability\n  - including running out of gas\n  - including block stuffing\n  - including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n  - Signature malleability\n  - Susceptibility to replay attacks\n  - Weak randomness\n  - Weak encryption\n- Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging interfaces\n\n**Web/App**\n\n- For web vulnerabilities, Sushiswap is strictly interested in those that cause\n  direct and unequivocal loss or permanent locking of user funds\n- An 
example would be a vulnerability that lets an attacker spoof transactions\n  on Sushi web applications, leading to theft of funds","productType":["AMM","DEX","Staking"],"programOverview":"SushiSwap is an automated market-making (AMM) decentralized exchange (DEX) that allows users to provide liquidity for token swaps.\n\nFurther resources regarding SushiSwap can be found on their website, [https://sushi.com](https://sushi.com).\n\nThe program focuses on three sets of contracts:\n  - Constant Product AMM\n  - Concentrated Liquidity AMM\n  - RedSnwapper\n\n\nThe bug bounty program is focused around its smart contracts for the purpose of preventing the loss of user funds.","programType":["Smart Contract"],"project":"SushiSwap","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on\nthe [Immunefi Vulnerability Severity Classification System](/severity-system/). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nReports involving **RedSnwapper** executing arbitrary calls would be considered **out of scope**, as this is working as designed.\n\nTheft of Yield vulnerability reports are temporarily not in scope for this bug bounty program, though this impact may be added in the future.\n\nAll bug reports must come with a PoC. All bug reports without a PoC will not be accepted under this bug bounty program.\n\nAll critical payments for smart contracts are capped at 10% of economic damage. \n\nSushiswap is open to rewarding bounties beyond the critical cap for\nvulnerabilities with extreme impact.\n\nPayouts are handled by the **SushiSwap** team directly and are denominated in **USD**. Payouts worth USD $100,000 and below are done in **USDC**. 
Payouts beyond USD $100,000 up to USD 200,000 are made in **SUSHI**, though the first $100,000 can be made in **USDC** if requested.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC. SUSHI","slug":"sushiswap","updatedDate":"2025-10-16T22:38:56.122Z","impactsBody":"When submitting a bug report, please select the severity level you feel best corresponds to the severity classification system.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"SushiSwap is an automated market-making (AMM) decentralized exchange (DEX) that allows users to provide liquidity for token swaps.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Loss of positive slippage through Sandwich Attacks  \n  - Best practice critiques\n  - Attacks that rely on social engineering\n\n__Bug Bounty FAQ__\n\n__Q:__ Is there a time limit for the Bug Bounty program? \n__A:__ No, the Bug Bounty program currently has no end date, but this can be changed at any time at the discretion of SushiSwap.\n\n__Q:__ Can I submit bugs anonymously and still receive payment? \n__A:__ Yes, if you wish to remain anonymous you can do so and still be eligible for rewards as long as they are for valid bugs. 
Rewards will be sent to the valid Ethereum address that you provide.","customProhibitedActivities":["- Bug has not been publicly disclosed.","- Vulnerabilities that have been previously submitted by another contributor or already known by the SushiSwap development team are not eligible for rewards.","- Bugs must be reproducible in order for us to verify the vulnerability.","- Rewards and the validity of bugs are determined by the SushiSwap development team and any payouts are made at their sole discretion.","- Terms and conditions of the Bug Bounty program can be changed at any time at the discretion of SushiSwap."],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":322,"type":"smart_contract","severity":"high","title":"Theft of unclaimed inflation"},{"id":323,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed inflation"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":324,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":37400,"severity":"critical","assetType":"smart_contract","maxReward":200000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":37401,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":37402,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":37403,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1gwE8XXvB8kICxAu1LHghh","url":"https://github.com/Kamino-Finance/klend","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"KLend - Kamino Lending Program","isPrimacyOfImpact":null},{"id":"4ujNYucn33A7ivPb3h39nh","url":"https://github.com/Kamino-Finance/kvault","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kvault - Kamino Lending Vault Program","isPrimacyOfImpact":null},{"id":"21j9hGuHsG1olD49bKN3hh","url":"https://github.com/Kamino-Finance/scope","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino's Price Oracle Aggregator","isPrimacyOfImpact":null},{"id":"6VnvBlNWpzq8QLCQtapXlY","url":"https://github.com/Kamino-Finance/kfarms","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"KFarms - Kamino Farms 
Program","isPrimacyOfImpact":null},{"id":"6uEOviIJRUSRye2Uu6foO1","url":"https://app.kamino.finance/","type":"websites_and_applications","addedAt":"2025-10-06T12:39:00.000Z","revision":2,"description":"Kamino App","isPrimacyOfImpact":null},{"id":"3XOqamQgezE555UpiEbLch","url":"https://solscan.io/account/KLend2g3cP87fffoy8q1mQqGKjrxjC8boSyAYavgmjD","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino Lending Program - KLend","isPrimacyOfImpact":null},{"id":"7zbqHblMarIE5cqpztUnTU","url":"https://solscan.io/account/KvauGMspG5k6rtzrqqn7WNn3oZdyKqLKwK2XWQ8FLjd","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino Lending Vault Program - KVault","isPrimacyOfImpact":null},{"id":"7Cb1pFQVPcNLrjxA3qHafl","url":"https://solscan.io/account/HFn8GnPADiny6XqUoWE8uRPPxb29ikn4yTuPa9MF2fWJ","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino's Price Oracle Aggregator - Onchain program","isPrimacyOfImpact":null},{"id":"1JyZQ9vqkpcJ3UsZbAgCIL","url":"https://solscan.io/account/SBondMDrcV3K4kxZR1HNVT7osZxAHVHgYXL5Ze1oMUv","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino's Price Oracle Aggregator - SBoD","isPrimacyOfImpact":null},{"id":"67GBSTzopY8qbkXWcAY9KH","url":"https://solscan.io/account/LBUZKhRxPF3XUpBCjp4YzTKgLccjZhTSDM9YuVaPwxo","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino's Price Oracle Aggregator - Meteora's interface","isPrimacyOfImpact":null},{"id":"71AcE2aID8y5qxgcuu3IRC","url":"https://solscan.io/account/PERPHjGBqRHArX4DySjwM6UJHiR3sWAatqfdBS2qQJu","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino's Price Oracle Aggregator - JUP's Perp 
Interface","isPrimacyOfImpact":null},{"id":"5Jd6M1z4UDZ67J93Ambl1Q","url":"https://solscan.io/account/REDSTBDUecGjwXd6YGPzHSvEUBHQqVRfCcjUVgPiHsr","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino's Price Oracle Aggregator - RedStone's Interface","isPrimacyOfImpact":null},{"id":"71GrATbkxX12w1hNaC7mh1","url":"https://solscan.io/account/9N3yqarWXmXJ9NQBGgN47JXV82smby8nSMffkwetgYov","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino's Price Oracle Aggregator - Securitize's Interface","isPrimacyOfImpact":null},{"id":"1lkv8bOJkT22Xp9hUcf5UQ","url":"https://solscan.io/account/SW1TCH7qEPTdLsDHRgPuMQjbQxKdH2aBStViMFnt64f","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":2,"description":"Kamino's Price Oracle Aggregator - Switchboard's Interface","isPrimacyOfImpact":null},{"id":"7tnHPTqQjeUwJGyw32njLe","url":"https://solscan.io/account/13gDzEXCdocbj8iAiqrScGo47NiSuYENGsRqi3SEAwet","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino's Price Oracle Aggregator - Adrena's Perp Interface","isPrimacyOfImpact":null},{"id":"s8NMZco1lO2ZoxIxOyKzt","url":"https://solscan.io/account/FarmsPZpWu9i7Kky8tPN37rs2TpmMrAZrC7S7vJa91Hr","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino Farms Program - KFarms","isPrimacyOfImpact":null},{"id":"2OigWYWYzRcE5Ta2cDUnkt","url":"https://solscan.io/account/6LtLpnUFNByNXLyCoK9wA2MykKAmQNZKBdY8s47dehDc","type":"smart_contract","addedAt":"2025-10-06T12:39:00.000Z","revision":1,"description":"Kamino Liquidity Program","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Signal 
Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-10-06T12:39:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5ihJVSKL2zDj7D7tTDzXBA/b293116bce7222a8cdbe0d2b03295a09/8bUg0jRH_400x400.png","maxBounty":1500000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Lending"],"programOverview":"Kamino is a first-of-its-kind DeFi protocol that unifies Lending, Liquidity, and Leverage into a single, secure DeFi product suite.\n\nFor more information about Kamino, please visit https://kamino.finance/.\n\nKamino provides rewards in USDC on SOL, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__ \n\nKamino will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nKamino adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract  —  Critical\n- Smart Contract  —  High\n- Website & Application  —  Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. \n\nFor more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. 
If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nKamino’s completed audit reports can be found at [https://github.com/Kamino-Finance/audits](https://github.com/Kamino-Finance/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications"],"project":"Kamino","projectType":["Defi"],"rewardsBody":"__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $1,500,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $150,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report. There needs to be an absolute minimum of USD 50 000 at risk in order to be considered `Critical`. 
In any other case the impact will be downgraded to `High`.\n\nFor critical web/apps bugs, reports will be rewarded with $50,000, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of $20,000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.\n\n__Reward Calculation for High Level Reports__\n\nHigh impacts concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of $10,000 to $100,000 with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward. \n\nIf the duration of temporary freezing is 9,000 blocks or less, then the severity level will be reduced to `Medium` if the amount is equal to or greater than **USD 100 000**. If not, the severity level will be downgraded to `Low`. There needs to be a minimum of **USD 5 000** at risk in order for a report to be considered `High`.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Kamino team directly and are denominated in **USD**. However, payments are done in **USDC** on **SOL**.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"kamino","tenPercentEconomicRule":false,"updatedDate":"2025-10-16T11:44:05.009Z","impactsBody":null,"websiteUrl":"https://kamino.finance/","githubUrl":"https://github.com/Kamino-Finance","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Kamino is a first-of-its-kind DeFi protocol that unifies Lending, Liquidity, and Leverage into a single, secure DeFi product suite.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Token 22 issues that do not result in irrecoverable loss of funds. As there are many combinations of t22 with configurations that can change over time by their admin, the smart contract admin (of the market instance, the vault instance, the limit orders, etc) is willingly taking the risk of onboarding tokens with extensions.\n- Vulnerabilities requiring the user to manipulate supply and borrow levels to disturb borrow and supply interest rates\n- Vulnerabilities resulting in loss of fees for the protocol (e.g. bypassing origination, flash borrow fees, etc.)\n- Vulnerabilities related to issues with referral fees (e.g. deadlock or DoS) as referral fees are fully disabled on mainnet and there are no plans to reenable them\n- Vulnerabilities related to issues triggered by the underlying infrastructure (e.g. 
Solana outages, RPC issues, etc.)\n- Bugs in dependencies — please take them upstream\n- Impacts on configuration states that are neither default configurations nor the deployed configuration currently in use are out of scope.","customProhibitedActivities":[],"impacts":[{"id":5591,"type":"smart_contract","severity":"medium","title":"Impacts caused by griefing with no economic damage other than transaction fees where fix requires a change or a pause of a smart contract"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or 
usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim, etc."},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet 
interaction"}],"rewards":[{"id":37379,"severity":"critical","assetType":"smart_contract","maxReward":1500000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":37380,"severity":"high","assetType":"smart_contract","maxReward":100000,"rewardModel":"up_to"},{"id":37381,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":37382,"severity":"critical","assetType":"websites_and_applications","maxReward":50000,"rewardModel":"up_to","otherImpactMaxReward":0},{"id":37383,"severity":"high","assetType":"websites_and_applications","maxReward":10000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"17ePtnBmDS6ZLaj0ml4VCI","url":"https://film.gala.com/","type":"websites_and_applications","addedAt":"2023-05-23T13:00:00.000Z","revision":2,"description":"Film domain & APIs","isPrimacyOfImpact":null},{"id":"2JDylBt4lfBvwdg7WSxsC7","url":"https://walletsrv.gala.games/","type":"websites_and_applications","addedAt":"2023-05-23T13:00:00.000Z","revision":2,"description":"Wallet server","isPrimacyOfImpact":null},{"id":"4UbynSY4I5yCdu5PonqbTx","url":"https://app.gala.games/","type":"websites_and_applications","addedAt":"2023-05-23T13:00:00.000Z","revision":3,"description":"Game domain & APIs","isPrimacyOfImpact":null},{"id":"4dMArG8cpMDqw3IT06Ggvx","url":"https://etherscan.io/token/0xcd17fa52528f37facb3028688e62ec82d9417581#code","type":"smart_contract","addedAt":"2023-05-23T13:00:00.000Z","revision":2,"description":"MTRM","isPrimacyOfImpact":null},{"id":"5crzV87QCDBVEQKJbnyKkj","url":"https://gala.com/","type":"websites_and_applications","addedAt":"2023-05-23T13:00:00.000Z","revision":2,"description":"Main domain & APIs","isPrimacyOfImpact":null},{"id":"67ITLkh6UwxREe0DdWeB0D","url":"https://app.gala.games/games","type":"websites_and_applications","addedAt":"2023-05-23T13:00:00.000Z","revision":2,"description":"Desktop 
launcher","isPrimacyOfImpact":null},{"id":"6ggdzflF1cvQyUjCMqNtzE","url":"https://app.gala.games/nodes","type":"websites_and_applications","addedAt":"2023-05-23T13:00:00.000Z","revision":2,"description":"Node network","isPrimacyOfImpact":null},{"id":"7fjq0nQlH6uYIPuVNBXbBA","url":"https://etherscan.io/token/0xd1d2eb1b1e90b638588728b4130137d262c87cae#code","type":"smart_contract","addedAt":"2023-05-23T13:00:00.000Z","revision":2,"description":"GALA","isPrimacyOfImpact":null},{"id":"JsN2jiCbVizb6XLhk1You","url":"https://music.gala.com/","type":"websites_and_applications","addedAt":"2023-05-23T13:00:00.000Z","revision":3,"description":"Music domain & APIs","isPrimacyOfImpact":null},{"id":"OFTHIYyd1FOQcPENZFVHu","url":"https://node.gala.games/","type":"websites_and_applications","addedAt":"2023-05-23T16:50:22.289Z","revision":2,"description":"Node dashboard","isPrimacyOfImpact":null},{"id":"meopvdOnWJa7Jl8nBkhsO","url":"https://etherscan.io/token/0xb045f7f363fe4949954811b113bd56d208c67b23#code","type":"smart_contract","addedAt":"2023-05-23T13:00:00.000Z","revision":2,"description":"SILK","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":["JavaScript","Solidity"],"launchDate":"2023-05-23T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6nciXw1iCQlQbBpXt9TzXr/272c5767841fe5888ee360c81d414db7/Gala_logo.jpeg","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within 
this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Gaming","Wallet"],"programOverview":"The decentralized Gala Games entertainment ecosystem uses web3 to allow user ownership of tokens and in-game items. Because cryptocurrency wallets and digital asset ownership are part of the Gala Games experience, security is of utmost importance.\n\nFor more information about Gala Games entertainment ecosystem, please visit [https://gala.com/.](https://gala.com/)\n\nGala Games provides bounty rewards in __$GALA__. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nThe provision of KYC and KYT is required to receive a reward for this bug bounty program, where the following information will be required to be provided:\n- Identity Proof (Passport, / National ID).\n- Legitimacy of the wallet on which they would like to receive their bounty payment.\n\nKYC and KYT information is only required on confirmation of the validity of a bug report and is mandatory to be eligible for a bug bounty payout.   \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nGala Games adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.","programType":["Smart Contract","Websites and Applications"],"project":"Gala Games","projectType":["Blockchain","Infrastructure","NFT"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are ineligible for a reward:\n- KYC blocked security researchers - Gala Games cannot pay bounties to individuals that take part in criminal or illegal activities. 
Therefore, Gala Games must perform KYC and wallet verification due to rules & regulations.\n- KYT blocked wallets - the identity of the individual must be verified as well as the legitimacy of the wallet on which they would like to receive their bounty payment due to rules & regulations.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart contract, Critical severity\n- Smart contract, High severity\n- Smart contract, Medium severity\n- Websites & applications, Critical severity\n- Websites & applications, High severity\n- Websites & applications, Medium severity\n\nAll PoCs submitted must comply with the [Immunefi-wide PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the __Gala Games__ team directly and are denominated in USD. However, payments are done in __$GALA__. \n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability. For avoidance of doubt, if the reward amount is USD 5 000 and the average price is USD 1.75 per token, then the reward will be 2857.142857 units of that token.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"GALA","slug":"galagames","updatedDate":"2025-10-16T10:47:23.877Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"The decentralized Gala Games entertainment ecosystem uses web3 to allow user ownership of tokens and in-game items. 
Because cryptocurrency wallets and digital asset ownership are part of the Gala Games experience, security is of utmost importance.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Physical or social engineering attempts (including phishing attacks)\n- Ability to take over external tools or social media accounts\n- Vulnerabilities that have already been reported or are already known at Gala\n- Vulnerabilities caused by a lack of encryption or by using weak encryption methods\n- Subdomain takeover\n\n- CSV injection\n- Protocol mismatch\n- Rate limiting\n- Exposed login panels\n- Dangling IPs\n- Reports that affect only outdated user agents or app versions\n- Stack traces\n- Path disclosure\n- Directory listings\n- Breach of our privacy statement","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":4248,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (>24 hours)"},{"id":4249,"type":"smart_contract","severity":"high","title":"Temporary freezing NFTs (>24 hours)"},{"id":4250,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as: HTML injection without Javascript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc."},{"id":4251,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users 
(including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email or password of the victim, etc."},{"id":4252,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as: Email address, Phone number, Physical address, etc."},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4253,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Changing the name of user, Enabling/disabling notifications"},{"id":4254,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as: Reflected HTML injection, Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed 
yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4255,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as: /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":38,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT URI"},{"id":4256,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":4257,"type":"websites_and_applications","severity":"critical","title":"Changing the NFT metadata"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user 
funds"},{"id":4258,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":4259,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through NFT metadata"}],"rewards":[{"id":9538,"severity":"critical","assetType":"smart_contract","fixedReward":50000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":9539,"severity":"high","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"},{"id":9540,"severity":"medium","assetType":"smart_contract","fixedReward":7500,"rewardModel":"fixed"},{"id":9541,"severity":"critical","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":9542,"severity":"high","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":9543,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4UiuyAEHcDz1UsDw1EEqQm","url":"https://etherscan.io/address/0xE4427af3555CD9303D728C491364FAdFDD7494Fe","type":"smart_contract","addedAt":"2022-02-01T00:38:33.757Z","revision":1,"description":"ProxyAdmin ETH","isPrimacyOfImpact":null},{"id":"74827yr1jhDpxO0um5skyh","url":"https://bscscan.com/address/0xE4427af3555CD9303D728C491364FAdFDD7494Fe","type":"smart_contract","addedAt":"2022-02-04T09:14:20.927Z","revision":2,"description":"ProxyAdmin BSC","isPrimacyOfImpact":null},{"id":"4cVJzCPFMPsMuZZEOAdMXJ","url":"https://polygonscan.com/address/0xE4427af3555CD9303D728C491364FAdFDD7494Fe","type":"smart_contract","addedAt":"2022-02-04T09:39:35.273Z","revision":1,"description":"ProxyAdmin 
MATIC","isPrimacyOfImpact":null},{"id":"4xroe6GzIn8LA3QtKyXUAH","url":"https://hecoinfo.com/address/0xE4427af3555CD9303D728C491364FAdFDD7494Fe","type":"smart_contract","addedAt":"2022-02-04T09:39:38.743Z","revision":1,"description":"ProxyAdmin HECO","isPrimacyOfImpact":null},{"id":"4LzIuvqRL4Ak8OmALaxDqt","url":"https://arbiscan.io/address/0xE4427af3555CD9303D728C491364FAdFDD7494Fe","type":"smart_contract","addedAt":"2022-02-04T09:39:41.563Z","revision":1,"description":"ProxyAdmin ARBI","isPrimacyOfImpact":null},{"id":"Xr7aW80u5JRMIOQ9ZweCK","url":"https://snowtrace.io/address/0xE4427af3555CD9303D728C491364FAdFDD7494Fe","type":"smart_contract","addedAt":"2022-06-24T06:10:33.345Z","revision":2,"description":"ProxyAdmin AVAX","isPrimacyOfImpact":null},{"id":"DlIxlCljHE9RljjMEMRlK","url":"https://ftmscan.com/address/0xE4427af3555CD9303D728C491364FAdFDD7494Fe","type":"smart_contract","addedAt":"2022-06-24T06:12:06.101Z","revision":1,"description":"ProxyAdmin FTM","isPrimacyOfImpact":null},{"id":"6h2gJoOqAT92EjGCqmdUdQ","url":"https://etherscan.io/address/0x43dE2d77BF8027e25dBD179B491e8d64f38398aA","type":"smart_contract","addedAt":"2022-02-04T09:39:43.771Z","revision":1,"description":"deBridgeGate Proxy ETH","isPrimacyOfImpact":null},{"id":"ea7DhCiPmuf0837w5bw4P","url":"https://bscscan.com/address/0x43dE2d77BF8027e25dBD179B491e8d64f38398aA","type":"smart_contract","addedAt":"2022-02-04T09:39:46.900Z","revision":1,"description":"deBridgeGate Proxy BSC","isPrimacyOfImpact":null},{"id":"3x6agRjuMnvKKXpNpR7ZFS","url":"https://polygonscan.com/address/0x43dE2d77BF8027e25dBD179B491e8d64f38398aA","type":"smart_contract","addedAt":"2022-04-26T19:00:54.498Z","revision":2,"description":"deBridgeGate Proxy MATIC","isPrimacyOfImpact":null},{"id":"26T6lzDo7fkvYspDZtfn4u","url":"https://hecoinfo.com/address/0x43dE2d77BF8027e25dBD179B491e8d64f38398aA","type":"smart_contract","addedAt":"2022-04-26T19:01:17.942Z","revision":1,"description":"deBridgeGate Proxy 
HECO","isPrimacyOfImpact":null},{"id":"53r4vXDWd8gZ1irTgmtGED","url":"https://arbiscan.io/address/0x43dE2d77BF8027e25dBD179B491e8d64f38398aA","type":"smart_contract","addedAt":"2022-02-04T09:39:55.330Z","revision":1,"description":"deBridgeGate Proxy ARBI","isPrimacyOfImpact":null},{"id":"b88yiXBFEGgYXgwXbtKhW","url":"https://snowtrace.io/address/0x43dE2d77BF8027e25dBD179B491e8d64f38398aA","type":"smart_contract","addedAt":"2022-06-24T06:16:27.049Z","revision":1,"description":"deBridgeGate Proxy AVAX","isPrimacyOfImpact":null},{"id":"2KUdWwvxE9lml52UO3upho","url":"https://ftmscan.com/address/0x43dE2d77BF8027e25dBD179B491e8d64f38398aA","type":"smart_contract","addedAt":"2022-06-24T06:16:31.219Z","revision":1,"description":"deBridgeGate Proxy FTM","isPrimacyOfImpact":null},{"id":"6n1ToUsZOXVX7AjxvwDwL6","url":"https://etherscan.io/address/0x24455aa55ded7728783c9474be8ea2f5c935f8eb","type":"smart_contract","addedAt":"2022-02-04T09:39:58.851Z","revision":2,"description":"deBridgeGate ETH","isPrimacyOfImpact":null},{"id":"7bnp5ebzUZsyAzsN06bO68","url":"https://bscscan.com/address/0x24455aa55ded7728783c9474be8ea2f5c935f8eb","type":"smart_contract","addedAt":"2022-04-26T19:04:34.430Z","revision":2,"description":"deBridgeGate BSC","isPrimacyOfImpact":null},{"id":"4O4H3sll2sXmubAl99rhfW","url":"https://polygonscan.com/address/0xcc7571c12b6f4647c4b8c851b62721f6a373c695","type":"smart_contract","addedAt":"2022-02-04T09:40:06.661Z","revision":2,"description":"deBridgeGate MATIC","isPrimacyOfImpact":null},{"id":"42z8J6eQpZlakjb115cj8r","url":"https://hecoinfo.com/address/0x24455aa55ded7728783c9474be8ea2f5c935f8eb","type":"smart_contract","addedAt":"2022-02-04T09:40:10.147Z","revision":2,"description":"deBridgeGate HECO","isPrimacyOfImpact":null},{"id":"4OGhCrTGUdpL24WhAWkPBI","url":"https://arbiscan.io/address/0x24455aa55ded7728783c9474be8ea2f5c935f8eb","type":"smart_contract","addedAt":"2022-02-04T09:40:13.746Z","revision":2,"description":"deBridgeGate 
ARBI","isPrimacyOfImpact":null},{"id":"4HdfZySZEqZNQDLuP3v44H","url":"https://snowtrace.io/address/0xb1a20d1c885fd775df97396397d6f8f07abdd20d","type":"smart_contract","addedAt":"2022-06-24T07:08:21.872Z","revision":1,"description":"deBridgeGate AVAX","isPrimacyOfImpact":null},{"id":"6ow7J9lum2j6IxbxQehVqx","url":"https://ftmscan.com/address/0xb1a20d1c885fd775df97396397d6f8f07abdd20d","type":"smart_contract","addedAt":"2022-06-24T07:08:25.846Z","revision":1,"description":"deBridgeGate FTM","isPrimacyOfImpact":null},{"id":"01gW2Ehqm1ZhORb9VMos70","url":"https://etherscan.io/address/0x8244d6Ffe0695B30b2bAD424683Ee3bc534Ea464","type":"smart_contract","addedAt":"2022-02-04T09:43:33.877Z","revision":1,"description":"deBridgeToken Proxy ETH","isPrimacyOfImpact":null},{"id":"vz8NdY27pC8URxFFlBmvH","url":"https://bscscan.com/address/0x8244d6Ffe0695B30b2bAD424683Ee3bc534Ea464","type":"smart_contract","addedAt":"2022-02-04T09:45:10.651Z","revision":2,"description":"deBridgeToken Proxy BSC","isPrimacyOfImpact":null},{"id":"6RmpoLJWb8I2wjmxNrGnv1","url":"https://polygonscan.com/address/0x8244d6Ffe0695B30b2bAD424683Ee3bc534Ea464","type":"smart_contract","addedAt":"2022-02-04T09:48:58.319Z","revision":1,"description":"deBridgeToken Proxy MATIC","isPrimacyOfImpact":null},{"id":"2sYFG3m7A8Gl6pN4rtSW44","url":"https://hecoinfo.com/address/0x8244d6Ffe0695B30b2bAD424683Ee3bc534Ea464","type":"smart_contract","addedAt":"2022-02-04T09:56:42.330Z","revision":2,"description":"deBridgeToken Proxy HECO","isPrimacyOfImpact":null},{"id":"5AG6K4AVXwM079VsdjXePj","url":"https://arbiscan.io/address/0x8244d6Ffe0695B30b2bAD424683Ee3bc534Ea464","type":"smart_contract","addedAt":"2022-02-04T10:12:36.037Z","revision":1,"description":"deBridgeToken Proxy ARBI","isPrimacyOfImpact":null},{"id":"16R0V77cwdbehsfFvTEgZg","url":"https://snowtrace.io/address/0x8244d6Ffe0695B30b2bAD424683Ee3bc534Ea464","type":"smart_contract","addedAt":"2022-06-24T10:41:22.784Z","revision":1,"description":"deBridgeToken Proxy 
AVAX","isPrimacyOfImpact":null},{"id":"3jKEccTwnsn6HuTYCUGdyQ","url":"https://ftmscan.com/address/0x8244d6Ffe0695B30b2bAD424683Ee3bc534Ea464","type":"smart_contract","addedAt":"2022-06-24T07:08:29.988Z","revision":1,"description":"deBridgeToken Proxy FTM","isPrimacyOfImpact":null},{"id":"1q9SyWXi9BP7PQrrqwV9QB","url":"https://etherscan.io/address/0xf8A2902c0a5f817F5e22C82f453538d3f0734C2b","type":"smart_contract","addedAt":"2022-02-04T10:12:36.028Z","revision":1,"description":"deBridgeToken ETH","isPrimacyOfImpact":null},{"id":"P6fvtysbsBn7om05t6Nwg","url":"https://bscscan.com/address/0xf8A2902c0a5f817F5e22C82f453538d3f0734C2b","type":"smart_contract","addedAt":"2022-02-04T10:12:36.184Z","revision":1,"description":"deBridgeToken BSC","isPrimacyOfImpact":null},{"id":"sp8NoE5z3Hy08VBxIwRPI","url":"https://polygonscan.com/address/0xf8A2902c0a5f817F5e22C82f453538d3f0734C2b","type":"smart_contract","addedAt":"2022-02-04T10:13:54.115Z","revision":1,"description":"deBridgeToken MATIC","isPrimacyOfImpact":null},{"id":"3axjCcfOreJAqaIAzcB6WZ","url":"https://hecoinfo.com/address/0xf8A2902c0a5f817F5e22C82f453538d3f0734C2b","type":"smart_contract","addedAt":"2022-02-04T09:39:52.896Z","revision":1,"description":"deBridgeGate Proxy HECO","isPrimacyOfImpact":null},{"id":"5gqlCb5N0PdeQdKJncD9vM","url":"https://arbiscan.io/address/0xf8A2902c0a5f817F5e22C82f453538d3f0734C2b","type":"smart_contract","addedAt":"2022-02-04T10:21:01.277Z","revision":1,"description":"deBridgeToken ARBI","isPrimacyOfImpact":null},{"id":"3zsZiLPoDBeWza88heT1mF","url":"https://snowtrace.io/address/0xc1656B63D9EEBa6d114f6bE19565177893e5bCBF","type":"smart_contract","addedAt":"2022-06-24T07:08:32.952Z","revision":1,"description":"deBridgeToken AVAX","isPrimacyOfImpact":null},{"id":"2EJPCfHmiK0IBI4zXAqofV","url":"https://ftmscan.com/address/0xc1656B63D9EEBa6d114f6bE19565177893e5bCBF","type":"smart_contract","addedAt":"2022-06-24T07:08:37.415Z","revision":1,"description":"deBridgeToken 
FTM","isPrimacyOfImpact":null},{"id":"VvHo7I0DawDA9z9L9Bilb","url":"https://etherscan.io/address/0x4c7CA8fcFFE77281A8B81D4580CFf8257d785491","type":"smart_contract","addedAt":"2022-02-04T10:21:04.923Z","revision":1,"description":"deBridgeTokenDeployer ETH","isPrimacyOfImpact":null},{"id":"4LjHNsPKXwS5kHoH0xfc2R","url":"https://bscscan.com/address/0x4c7CA8fcFFE77281A8B81D4580CFf8257d785491","type":"smart_contract","addedAt":"2022-02-04T10:22:11.593Z","revision":1,"description":"deBridgeTokenDeployer BSC","isPrimacyOfImpact":null},{"id":"1a3q15jbAkHnU6zeLJ5vJJ","url":"https://polygonscan.com/address/0x4c7CA8fcFFE77281A8B81D4580CFf8257d785491","type":"smart_contract","addedAt":"2022-02-04T10:35:56.150Z","revision":1,"description":"deBridgeTokenDeployer MATIC","isPrimacyOfImpact":null},{"id":"2vq47IwfS1JMvXfdfcmVy3","url":"https://hecoinfo.com/address/0x4c7CA8fcFFE77281A8B81D4580CFf8257d785491","type":"smart_contract","addedAt":"2022-02-04T10:35:59.881Z","revision":1,"description":"deBridgeTokenDeployer HECO","isPrimacyOfImpact":null},{"id":"39PB5IlzrlE1jNR4HHFRZd","url":"https://arbiscan.io/address/0x4c7CA8fcFFE77281A8B81D4580CFf8257d785491","type":"smart_contract","addedAt":"2022-02-04T10:36:02.697Z","revision":1,"description":"deBridgeTokenDeployer ARBI","isPrimacyOfImpact":null},{"id":"5v9Hc4xFqYCHMh5DcBB6tf","url":"https://snowtrace.io/address/0x4c7CA8fcFFE77281A8B81D4580CFf8257d785491","type":"smart_contract","addedAt":"2022-06-24T10:44:30.092Z","revision":1,"description":"deBridgeTokenDeployer AVAX","isPrimacyOfImpact":null},{"id":"2n3WsIdbXtGnrPhr8x4C5i","url":"https://ftmscan.com/address/0x4c7CA8fcFFE77281A8B81D4580CFf8257d785491","type":"smart_contract","addedAt":"2022-06-24T07:08:40.788Z","revision":1,"description":"deBridgeTokenDeployer 
FTM","isPrimacyOfImpact":null},{"id":"5LVCl7OG0pjYsGsSpeYHZU","url":"https://etherscan.io/address/0x949b3B3c098348b879C9e4F15cecc8046d9C8A8c","type":"smart_contract","addedAt":"2022-02-04T10:39:28.323Z","revision":1,"description":"SignatureVerifier Proxy ETH","isPrimacyOfImpact":null},{"id":"21pyIF6Fy99grCjeM0stBa","url":"https://bscscan.com/address/0x949b3B3c098348b879C9e4F15cecc8046d9C8A8c","type":"smart_contract","addedAt":"2022-02-04T10:39:31.322Z","revision":1,"description":"SignatureVerifier Proxy BSC","isPrimacyOfImpact":null},{"id":"1WOww5wxjvXERAaQzSWnC4","url":"https://polygonscan.com/address/0x949b3B3c098348b879C9e4F15cecc8046d9C8A8c","type":"smart_contract","addedAt":"2022-02-04T10:42:23.539Z","revision":1,"description":"SignatureVerifier Proxy MATIC","isPrimacyOfImpact":null},{"id":"3et9QOeiAUkKLEb9qXQHJP","url":"https://hecoinfo.com/address/0x949b3B3c098348b879C9e4F15cecc8046d9C8A8c","type":"smart_contract","addedAt":"2022-02-04T10:44:03.243Z","revision":1,"description":"SignatureVerifier Proxy HECO","isPrimacyOfImpact":null},{"id":"5PFGEu06KgBjVYjZjANsXB","url":"https://arbiscan.io/address/0x949b3B3c098348b879C9e4F15cecc8046d9C8A8c","type":"smart_contract","addedAt":"2022-02-04T10:45:59.577Z","revision":1,"description":"SignatureVerifier Proxy ARBI","isPrimacyOfImpact":null},{"id":"4p6ykQWurLPdNSjAaGQZu8","url":"https://snowtrace.io/address/0x949b3B3c098348b879C9e4F15cecc8046d9C8A8c","type":"smart_contract","addedAt":"2022-06-24T07:08:44.029Z","revision":1,"description":"SignatureVerifier Proxy AVAX","isPrimacyOfImpact":null},{"id":"4Zf4nd2B0Wquvt8pcjkeRW","url":"https://ftmscan.com/address/0x949b3B3c098348b879C9e4F15cecc8046d9C8A8c","type":"smart_contract","addedAt":"2022-06-24T07:08:46.858Z","revision":1,"description":"SignatureVerifier Proxy 
FTM","isPrimacyOfImpact":null},{"id":"2H7gJ96iyQtZhG392mA6IM","url":"https://etherscan.io/address/0xfE7De3c1e1BD252C67667B56347cABFC6df08dF4","type":"smart_contract","addedAt":"2022-02-04T10:49:55.652Z","revision":1,"description":"SignatureVerifier ETH","isPrimacyOfImpact":null},{"id":"5KpelS5MeUjdkilPvl9TiL","url":"https://bscscan.com/address/0xfE7De3c1e1BD252C67667B56347cABFC6df08dF4","type":"smart_contract","addedAt":"2022-02-04T10:49:53.377Z","revision":1,"description":"SignatureVerifier BSC","isPrimacyOfImpact":null},{"id":"1xzyo0IGIukmCPgjRdkipR","url":"https://polygonscan.com/address/0xfE7De3c1e1BD252C67667B56347cABFC6df08dF4","type":"smart_contract","addedAt":"2022-02-04T10:49:51.381Z","revision":1,"description":"SignatureVerifier MATIC","isPrimacyOfImpact":null},{"id":"7bzwLQttTG6BiIFt3kshti","url":"https://hecoinfo.com/address/0xfE7De3c1e1BD252C67667B56347cABFC6df08dF4","type":"smart_contract","addedAt":"2022-02-04T10:51:35.510Z","revision":1,"description":"SignatureVerifier HECO","isPrimacyOfImpact":null},{"id":"4E8vuCGqadtFZVVpIg6WyQ","url":"https://arbiscan.io/address/0xfE7De3c1e1BD252C67667B56347cABFC6df08dF4","type":"smart_contract","addedAt":"2022-02-04T10:53:27.582Z","revision":1,"description":"SignatureVerifier ARBI","isPrimacyOfImpact":null},{"id":"5hzc2VLMNZKs1PDzJUibYC","url":"https://snowtrace.io/address/0x2a3e72ed893b5958690e16c3bbe1bd92137b6250","type":"smart_contract","addedAt":"2022-06-24T07:08:50.229Z","revision":1,"description":"SignatureVerifier AVAX","isPrimacyOfImpact":null},{"id":"11EWNolNpiTOl1K31ams4C","url":"https://ftmscan.com/address/0x2a3e72eD893b5958690e16c3BBe1BD92137b6250","type":"smart_contract","addedAt":"2022-06-24T07:08:53.260Z","revision":1,"description":"SignatureVerifier FTM","isPrimacyOfImpact":null},{"id":"35fxEuSrgp0kjmxpf8gd69","url":"https://etherscan.io/address/0x8a0C79F5532f3b2a16AD1E4282A5DAF81928a824","type":"smart_contract","addedAt":"2022-02-04T11:00:35.324Z","revision":1,"description":"CallProxy Proxy 
ETH","isPrimacyOfImpact":null},{"id":"MTa9BmTc5evqwyytkCXUp","url":"https://bscscan.com/address/0x8a0C79F5532f3b2a16AD1E4282A5DAF81928a824","type":"smart_contract","addedAt":"2022-02-04T11:00:15.512Z","revision":1,"description":"CallProxy Proxy BSC","isPrimacyOfImpact":null},{"id":"17aZyjfAPo3mH9AJvA5WUt","url":"https://polygonscan.com/address/0x8a0C79F5532f3b2a16AD1E4282A5DAF81928a824","type":"smart_contract","addedAt":"2022-02-13T14:06:04.720Z","revision":1,"description":"CallProxy Proxy MATIC","isPrimacyOfImpact":null},{"id":"2laYUQlUHj7jRu3m8HezYA","url":"https://hecoinfo.com/address/0x8a0C79F5532f3b2a16AD1E4282A5DAF81928a824","type":"smart_contract","addedAt":"2022-02-04T11:01:53.660Z","revision":1,"description":"CallProxy Proxy HECO","isPrimacyOfImpact":null},{"id":"6S8c1zJ2v9Z8xEKTTmZZph","url":"https://arbiscan.io/address/0x8a0C79F5532f3b2a16AD1E4282A5DAF81928a824","type":"smart_contract","addedAt":"2022-02-04T11:05:58.120Z","revision":1,"description":"CallProxy Proxy ARBI","isPrimacyOfImpact":null},{"id":"35X1eguTTwhgGtSOh5FoJk","url":"https://snowtrace.io/address/0x8a0C79F5532f3b2a16AD1E4282A5DAF81928a824","type":"smart_contract","addedAt":"2022-06-24T07:08:56.211Z","revision":1,"description":"CallProxy Proxy AVAX","isPrimacyOfImpact":null},{"id":"6vv1HL3hBWM8qJ642umgxp","url":"https://ftmscan.com/address/0x8a0C79F5532f3b2a16AD1E4282A5DAF81928a824","type":"smart_contract","addedAt":"2022-06-24T07:08:59.721Z","revision":1,"description":"CallProxy Proxy FTM","isPrimacyOfImpact":null},{"id":"3KvXHLFYhmgAofu5lKknZy","url":"https://etherscan.io/address/0xBd3d657AE87671eC6f8D6272A9f431a7c4a9B6f8","type":"smart_contract","addedAt":"2022-04-26T19:11:26.325Z","revision":2,"description":"CallProxy ETH","isPrimacyOfImpact":null},{"id":"50MLtBewRr6LlHQxnNLHVW","url":"https://bscscan.com/address/0xBd3d657AE87671eC6f8D6272A9f431a7c4a9B6f8","type":"smart_contract","addedAt":"2022-04-26T19:11:41.304Z","revision":2,"description":"CallProxy 
BSC","isPrimacyOfImpact":null},{"id":"MsdaFyTa5ppkT7imp9Ani","url":"https://polygonscan.com/address/0xBd3d657AE87671eC6f8D6272A9f431a7c4a9B6f8","type":"smart_contract","addedAt":"2022-04-26T19:11:58.518Z","revision":2,"description":"CallProxy MATIC","isPrimacyOfImpact":null},{"id":"5pLqkH5xeS92lAiVYX0Uj","url":"https://hecoinfo.com/address/0xBd3d657AE87671eC6f8D6272A9f431a7c4a9B6f8","type":"smart_contract","addedAt":"2022-04-26T19:12:14.263Z","revision":2,"description":"CallProxy HECO","isPrimacyOfImpact":null},{"id":"2ndmOCWaP7KPYETUMUM5IC","url":"https://arbiscan.io/address/0xBd3d657AE87671eC6f8D6272A9f431a7c4a9B6f8","type":"smart_contract","addedAt":"2022-02-04T11:13:25.113Z","revision":2,"description":"CallProxy ARBI","isPrimacyOfImpact":null},{"id":"4896yzJHPLtqcWRvk0KHxN","url":"https://snowtrace.io/address/0xD34c2302F497b8A7fe2d07865f31dBE04d5044d6","type":"smart_contract","addedAt":"2022-06-24T07:09:03.536Z","revision":1,"description":"CallProxy AVAX","isPrimacyOfImpact":null},{"id":"5HvZy6hAyzTwovj6hPdY6U","url":"https://ftmscan.com/address/0x55C93b20Dd2F790AC429D6341a022A781791654A","type":"smart_contract","addedAt":"2022-06-24T07:09:06.596Z","revision":1,"description":"CallProxy FTM","isPrimacyOfImpact":null},{"id":"7eYJqAWUH7txwE4brJXp2A","url":"https://etherscan.io/address/0xC2bAC0DB5B18B0c3225581Ba14BD0B448c623636","type":"smart_contract","addedAt":"2022-02-04T11:16:22.107Z","revision":1,"description":"SimpleFeeProxy Proxy ETH","isPrimacyOfImpact":null},{"id":"41DVDPBGCdcm89jKogzXB2","url":"https://bscscan.com/address/0xC2bAC0DB5B18B0c3225581Ba14BD0B448c623636","type":"smart_contract","addedAt":"2022-02-04T11:17:23.244Z","revision":1,"description":"SimpleFeeProxy Proxy BSC","isPrimacyOfImpact":null},{"id":"yCUZEm6KYztVOJb4DI3XV","url":"https://polygonscan.com/address/0xC2bAC0DB5B18B0c3225581Ba14BD0B448c623636","type":"smart_contract","addedAt":"2022-02-13T14:08:18.549Z","revision":1,"description":"SimpleFeeProxy Proxy 
MATIC","isPrimacyOfImpact":null},{"id":"35H3v4vQMTxMb0y69mp5jj","url":"https://hecoinfo.com/address/0xC2bAC0DB5B18B0c3225581Ba14BD0B448c623636","type":"smart_contract","addedAt":"2022-02-04T11:21:06.617Z","revision":1,"description":"SimpleFeeProxy Proxy HECO","isPrimacyOfImpact":null},{"id":"01tUTe5HorHaxAF7jjxJz8","url":"https://arbiscan.io/address/0xC2bAC0DB5B18B0c3225581Ba14BD0B448c623636","type":"smart_contract","addedAt":"2022-02-04T11:21:11.398Z","revision":1,"description":"SimpleFeeProxy Proxy ARBI","isPrimacyOfImpact":null},{"id":"6MXDYquUzxrBoG5E32GJyY","url":"https://snowtrace.io/address/0xC2bAC0DB5B18B0c3225581Ba14BD0B448c623636","type":"smart_contract","addedAt":"2022-06-24T07:09:09.365Z","revision":1,"description":"SimpleFeeProxy Proxy AVAX","isPrimacyOfImpact":null},{"id":"ZDVludfYgv2FU5Q5axaZ0","url":"https://ftmscan.com/address/0xc2bac0db5b18b0c3225581ba14bd0b448c623636","type":"smart_contract","addedAt":"2022-06-24T07:09:12.019Z","revision":1,"description":"SimpleFeeProxy Proxy FTM","isPrimacyOfImpact":null},{"id":"7yLnXO0lsSJkXdd8InmurH","url":"https://etherscan.io/address/0x37a52ddb753c924f8c914de65ef00b5210caa83c","type":"smart_contract","addedAt":"2022-02-04T11:06:07.114Z","revision":2,"description":"SimpleFeeProxy ETH","isPrimacyOfImpact":null},{"id":"jASg6AVQhhchBbs67E9He","url":"https://bscscan.com/address/0x37a52ddb753c924f8c914de65ef00b5210caa83c","type":"smart_contract","addedAt":"2022-02-04T11:08:52.131Z","revision":2,"description":"SimpleFeeProxy BSC","isPrimacyOfImpact":null},{"id":"QQSRhmSEGHWHpq3zb1nDv","url":"https://polygonscan.com/address/0x37a52ddb753c924f8c914de65ef00b5210caa83c","type":"smart_contract","addedAt":"2022-02-04T11:25:09.604Z","revision":2,"description":"SimpleFeeProxy MATIC","isPrimacyOfImpact":null},{"id":"4hyuR38wZ54CIuggZTSblq","url":"https://hecoinfo.com/address/0x37a52ddb753c924f8C914de65ef00b5210Caa83C","type":"smart_contract","addedAt":"2022-02-04T11:10:24.146Z","revision":2,"description":"SimpleFeeProxy 
HECO","isPrimacyOfImpact":null},{"id":"F5mWSZYsnFGEKGuMapdEV","url":"https://arbiscan.io/address/0x37a52ddb753c924f8c914de65ef00b5210caa83c","type":"smart_contract","addedAt":"2022-02-04T11:26:52.116Z","revision":2,"description":"SimpleFeeProxy ARBI","isPrimacyOfImpact":null},{"id":"2Uyz7mg5XFxGBDuy4BYfHi","url":"https://snowtrace.io/address/0x27406ebf0b76923d93b4c6c6224bcab7fff11f87","type":"smart_contract","addedAt":"2022-06-24T07:09:14.660Z","revision":1,"description":"SimpleFeeProxy AVAX","isPrimacyOfImpact":null},{"id":"2cXnRJ2XfDPODgvndZFV7M","url":"https://ftmscan.com/address/0x27406EbF0b76923d93b4C6c6224bCaB7fFf11f87","type":"smart_contract","addedAt":"2022-06-24T07:09:17.551Z","revision":1,"description":"SimpleFeeProxy FTM","isPrimacyOfImpact":null},{"id":"3bXN14UQ1MmiIG9dCC8y9W","url":"https://etherscan.io/address/0xFCf83648b8cDeF62e5d03319a6f1FCE16e4D6A59","type":"smart_contract","addedAt":"2022-02-04T11:27:55.458Z","revision":1,"description":"WethGate ETH","isPrimacyOfImpact":null},{"id":"7kts316bjJKRxHIdHKq2mG","url":"https://bscscan.com/address/0xFCf83648b8cDeF62e5d03319a6f1FCE16e4D6A59","type":"smart_contract","addedAt":"2022-02-04T11:29:20.422Z","revision":1,"description":"WethGate BSC","isPrimacyOfImpact":null},{"id":"2ZlaeSF5eOK8KeFSTI9fju","url":"https://polygonscan.com/address/0xFCf83648b8cDeF62e5d03319a6f1FCE16e4D6A59","type":"smart_contract","addedAt":"2022-02-04T11:30:18.641Z","revision":1,"description":"WethGate MATIC","isPrimacyOfImpact":null},{"id":"4vPIfr0vjEYBvfDXgYK6Ax","url":"https://hecoinfo.com/address/0xFCf83648b8cDeF62e5d03319a6f1FCE16e4D6A59","type":"smart_contract","addedAt":"2022-02-04T11:31:15.096Z","revision":2,"description":"WethGate HECO","isPrimacyOfImpact":null},{"id":"6vA7MRoSts5sLkJqJ7SzDg","url":"https://snowtrace.io/address/0xFCf83648b8cDeF62e5d03319a6f1FCE16e4D6A59","type":"smart_contract","addedAt":"2022-06-24T07:09:20.295Z","revision":1,"description":"WethGate 
AVAX","isPrimacyOfImpact":null},{"id":"uubp7eTMRlANyOrT7WqhQ","url":"https://ftmscan.com/address/0xFCf83648b8cDeF62e5d03319a6f1FCE16e4D6A59","type":"smart_contract","addedAt":"2022-06-24T07:09:23.640Z","revision":1,"description":"WethGate FTM","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program. For deBridge contracts (multiple instances on different chains), there will not be duplicated counting of bugs. One bug that exists in all contracts will be counted as a single bug.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","ETH","Fantom","Heco","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-01-21T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4gJ8bOnkVhbdw5Q0ifWOts/e6a561b18bee2eaa58c815dd5de35591/deBridge_logo.jpeg","maxBounty":200000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n  - Loss of user funds locked (principal) by freezing or theft\n  - Loss of governance funds\n  - Theft of unclaimed assets\n  - Permanent freezing of unclaimed assets\n  - Smart contract fails to deliver promised returns\n  - Unauthorized minting of wrapped assets that causes them to lose their peg","productType":["Bridge","Crosschain Liquidity","DEX"],"programOverview":"[deBridge](https://debridge.finance/) __is a cross-chain interoperability and liquidity transfer protocol__ that allows decentralized transfer of data and assets between various blockchains. The deBridge protocol is an infrastructure platform and hooking service for:\n\n  - cross-chain composability of smart contracts\n  - cross-chain swaps\n  - bridging of any arbitrary asset and data\n  - interoperability and bridging of NFTs\n\nMore information about the project can also be found in the [documentation portal](https://docs.debridge.finance/) or at the website \n[https://debridge.finance/](https://debridge.finance/).\n\nExamples of how users can interact with the protocol from the command line can be found in the repository: [https://github.com/debridge-finance/debridge-contracts-v1/tree/main/examples](https://github.com/debridge-finance/debridge-contracts-v1/tree/main/examples).\n\nStatus of transactions can be tracked through the [deBridge explorer](https://mainnet-explorer.debridge.finance/).\n\nThis bug bounty program is focused on deBridge's smart contracts and on preventing:\n\n  - Loss of user funds locked (principal) by freezing or theft\n  - Loss of governance funds\n  - Theft of unclaimed assets\n  - Permanent freezing of unclaimed assets\n  - Smart contract fails to deliver promised returns\n  - Unauthorized minting of wrapped assets that causes them to lose their peg","programType":["Smart 
Contract"],"project":"deBridge","projectType":["Defi","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nIn addition to Immunefi’s Vulnerability Severity Classification System, deBridge classifies the following impacts as follows. In case of discrepancy, the classification below will be followed.\n\nCritical\n  - Loss of more than 5% of TVL, or an unauthorized minting of deAssets in an amount that leads to substantial loss of the peg of the wrapped asset (total supply of the deAsset exceeds the amount of underlying collateral locked by more than 5%)\n\nHigh\n  - Loss of up to 5% of TVL, or an unauthorized minting of deAssets in an amount that leads to substantial loss of the peg of the wrapped asset (total supply of the deAsset exceeds the amount of underlying collateral locked by up to 5%)\n\nThe following vulnerabilities/problems are not eligible for a reward:\n\n  - Default bridging functionality doesn’t support non-standard assets (e.g. 
rebase assets, assets with elastic supply or tokens with fees during transfer) \n  - If a user sets an incorrect receiver or fallback address, they won’t be able to claim the transfer on the destination chain and funds might be locked forever\n  - If a user passes the REVERT_IF_EXTERNAL_FAIL flag and specifies \"data\" and \"receiver address\" params that cause the transaction to revert every time\n  - Exploitation of the framework used by the deBridge node that requires knowledge of the node's IP address, unless the IP address was obtained during the attack\n  - The callProxy smart contract reverting the externalCall, while the claim transaction itself completes, because the gas limit specified by the claimer is not enough for the externalCall to execute properly\n\nPayouts are handled by the __deBridge__ team directly and are denominated in USD. However, payouts are done in __USDT and USDC__, with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC or USDT","slug":"debridge","tenPercentEconomicRule":false,"updatedDate":"2025-10-08T17:38:21.185Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"[deBridge](https://debridge.finance/) __is a cross-chain interoperability and liquidity transfer protocol__ that allows decentralized transfer of data and assets between various blockchains. The deBridge protocol is an infrastructure platform and hooking service for:","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - Centralization risks\n  - Gas optimizations","customProhibitedActivities":[],"impacts":[{"id":1715,"type":"smart_contract","severity":"high","title":"Theft of funds (<5% TVL impact)"},{"id":1716,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds"},{"id":1717,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (more than 1 day freeze)"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":1718,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":1719,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":1720,"type":"smart_contract","severity":"critical","title":"Forgery of the content of the cross-chain messages sent through the protocol"},{"id":1721,"type":"smart_contract","severity":"critical","title":"Forgery of the sender address or chain_id of the cross-chain messages sent through the protocol"},{"id":1722,"type":"smart_contract","severity":"critical","title":"Unauthorized claim without valid signatures from deBridge validators"},{"id":1723,"type":"smart_contract","severity":"critical","title":"Unauthorized mint of the wrapped assets 
(deAssets)"}],"rewards":[{"id":37200,"severity":"critical","assetType":"smart_contract","fixedReward":200000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":37201,"severity":"high","assetType":"smart_contract","fixedReward":40000,"rewardModel":"fixed"},{"id":37202,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1Z39EvPMmhONwlnPD6MnSq","url":"https://github.com/ethereum-push-notification-service/push-smart-contracts/blob/bug_bounty_dev/contracts/EPNSCore/PushCoreV2.sol","type":"smart_contract","addedAt":"2023-06-21T14:00:00.000Z","revision":2,"description":"PushCoreV2.sol","isPrimacyOfImpact":null},{"id":"6wHBWDyY4P5yOZl1eryqEa","url":"https://github.com/ethereum-push-notification-service/push-smart-contracts/blob/bug_bounty_dev/contracts/EPNSCore/EPNSCoreStorageV2.sol","type":"smart_contract","addedAt":"2023-06-21T14:00:00.000Z","revision":2,"description":"EPNSCoreStorageV2.sol","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","BSC","ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-06-21T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4oEKDaXV0fcVaIbKKVllob/23d26db5de8b4405e0876b3b0a9c8c65/Push_protocol_logo.png","maxBounty":20000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"Push Protocol is the communication protocol of web3. 
Push enables cross-chain notifications (on chain / off chain), messaging, video for dapps, wallets, and services tied to wallet addresses in an open, gasless, and platform-agnostic fashion. The open communication layer allows any crypto wallet / frontend to tap into the network and get the communication across.\n\nFor more information about Push Protocol, please visit [https://push.org/](https://push.org/). \n\nPush Protocol provides rewards in PUSH. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n\n- Push Protocol requires a signup on [https://epns.synaps.me/signup](https://epns.synaps.me/signup)\n\nKYC information is only required on confirmation of the validity of a bug report.   \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nPush Protocol adheres to the Primacy of Impact for the following severity levels:\n\n- Smart Contracts, Critical Severity Level\n- Smart Contracts, High Severity Level\n- Smart Contracts, Medium Severity Level\n- Smart Contracts, Low Severity Level\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact. 
\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n\n__Immunefi Standard Badge__\n\nPush Protocol has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices. \n\n__Invoicing Information__\n\nIf needed by the security researcher, Push Protocol is able to provide the necessary information for the proper issuance of an invoice. This includes:\n- Legal Entity Name\n- Registered Address","programType":["Smart Contract"],"project":"Push Protocol","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor Critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 20,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 2,000 is to be rewarded in order to incentivize security researchers against withholding a bug report. \n\nFor High Smart Contract bugs, the reward amount is 100% of the funds directly affected up to a maximum of USD 2,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 1,000 is to be rewarded in order to incentivize security researchers against withholding a bug report.   
\n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are ineligible for a reward:\n- Any country or government or international authority, including the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the US Department of State, the United Nations Security Council, the European Union, Her Majesty's Treasury, the Hong Kong Monetary Authority or the Monetary Authority of Singapore.\n\n__Previous Audits__\n\nPush Protocol has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n- [Push Protocol V1 Audit Report](https://github.com/ChainSafe/audits/blob/main/EPNS/epns-protocol-10-2021.pdf)\n- [Push Protocol V1.5 Audit Report](https://github.com/ChainSafe/audits/blob/main/EPNS/epns-protocol-11-2022.pdf)\n- [Push Protocol V2 Audit Report](https://github.com/ChainSafe/audits/blob/main/EPNS/epns-protocol-05-2023.pdf)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n\n- Smart Contract, Critical Severity Level\n- Smart Contract, High Severity Level\n- Smart Contract, Medium Severity Level\n- Smart Contract, Low Severity Level\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Push Protocol team directly and are denominated in USD. However, payments are done in PUSH.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability. 
For avoidance of doubt, if the reward amount is USD 5 000 and the average price is USD 1.75 per token, then the reward will be 2857.142857 units of that token.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"PUSH","slug":"pushprotocol","updatedDate":"2025-09-30T08:48:01.458Z","impactsBody":"Other helpful links include:\n- Push Smart Contracts - [https://docs.push.org/developers/developer-tooling/push-smart-contracts.](https://docs.push.org/developers/developer-tooling/push-smart-contracts)","websiteUrl":"https://push.org/","githubUrl":"https://github.com/pushchain/push-smart-contracts/tree/bug_bounty_dev","eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_2","description":"Push Protocol is the communication protocol of web3. Push enables cross-chain notifications (on chain / off chain), messaging, video for dapps, wallets, and services tied to wallet addresses in an open, gasless, and platform-agnostic fashion. The open communication layer allows any crypto wallet / frontend to tap into the network and get the communication across.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4299,"type":"smart_contract","severity":"high","title":"User/Stakers being able to harvest more tokens than they should be able to."},{"id":4300,"type":"smart_contract","severity":"high","title":"User/Stakers being able to harvest without staking for at least 1 complete epoch."},{"id":4301,"type":"smart_contract","severity":"medium","title":"Unfair reward distribution between users with equal staking details like token weight, stake duration etc."},{"id":4302,"type":"smart_contract","severity":"critical","title":"Drain of Funds from contract"},{"id":4303,"type":"smart_contract","severity":"critical","title":"Loss of funds due to bridging of tokens"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token 
funds"}],"rewards":[{"id":35419,"severity":"critical","assetType":"smart_contract","maxReward":20000,"minReward":2000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":35420,"severity":"high","assetType":"smart_contract","maxReward":2000,"minReward":1000,"rewardModel":"range"},{"id":35421,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"3bMcBB1Ef1sxFPGRKP1HKL","url":"https://comms.push.org/docs/notifications/push-smart-contracts/security-audits/","auditor":"Chainsafe","date":"2021-03-30T20:00:00.000Z"}]},{"assets":[{"id":"2wP8WOyFj1Wiv3k8KrUKJk","url":"https://etherscan.io/address/0xDD9BC35aE942eF0cFa76930954a156B3fF30a4E1","type":"smart_contract","addedAt":"2023-09-11T16:00:00.000Z","revision":1,"description":"SSV Network","isPrimacyOfImpact":null},{"id":"6qPKTaZD5Izg2h3RexSo5j","url":"https://etherscan.io/address/0xafE830B6Ee262ba11cce5F32fDCd760FFE6a66e4","type":"smart_contract","addedAt":"2023-09-11T16:00:00.000Z","revision":1,"description":"SSV Network View","isPrimacyOfImpact":null},{"id":"18f9V5EDdq2qTQqG3MihzT","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:28:17.516Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-09-11T16:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/66mTctNPGQxwpoc8NxKOzc/db72f4f7f79f09e6b26198097ee59b76/ssv.png","maxBounty":1000000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the 
following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"The ssv.network is a fully decentralized, open-source, and trustless DVT Network that provides a reusable infrastructure solution for decentralizing Ethereum validators.\n\nThe protocol supports Ethereum’s validation layer by distributing validator operations to the network’s multiple non-trusting nodes (a.k.a. Operators). Clusters of operator nodes operate validators on behalf of the staker and simultaneously help solve the fundamental issues of centralization, redundancy, and security that exist within Ethereum’s PoS consensus.\n\nFor more information about ssv.network, please visit [https://ssv.network/](https://ssv.network/)\n\nssv.network provides rewards in SSV. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__\n\nKYC is required to receive a reward for this bug bounty program; the following information must be provided:\n- Official government identification document (passport, ID card) of the bounty’s recipient\n- Up-to-date proof of address document (utility bill, bank statement, etc.)\n\nKYC information is only required on confirmation of the validity of a bug report.\n\n__Primacy of Impact vs Primacy of Rules__\n\nssv.network adheres to the Primacy of Impact for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n- Smart Contract - Low\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. 
When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n__Immunefi Standard Badge__\n\nssv.network has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"SSV Network","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below.\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 1 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.  \n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Previous Audits__\n\nssv.network has provided these completed audit review reports for reference. 
Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n- [https://github.com/bloxapp/ssv-network/tree/main/contracts/audits](https://github.com/bloxapp/ssv-network/tree/main/contracts/audits)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n- Smart Contract - Low\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Other Terms and Information__\n\n- Disclosure of vulnerabilities will require the approval of the SSV DAO Grants committee\n- Payments for approved reports will be sent in the first half of the month following the report approval\n- Up to 150 000 SSV tokens are available as a total reward pool for this BBP\n\n__Reward Payment Terms__\n\nPayouts are handled by the ssv.network team directly and are denominated in USD. However, payments are done in SSV.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability. 
For avoidance of doubt, if the reward amount is USD 5 000 and the average price is USD 1.75 per token, then the reward will be 2857.142857 units of that token.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"SSV","slug":"ssvnetwork","updatedDate":"2025-09-24T14:52:37.860Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_employee"],"responsiblePublicationCategory":"category_3","description":"The ssv.network is a fully decentralized, open-source, and trustless DVT Network that provides a reusable infrastructure solution for decentralizing Ethereum validators.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":35267,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":35268,"severity":"high","assetType":"smart_contract","fixedReward":30000,"rewardModel":"fixed"},{"id":35269,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":35270,"severity":"low","assetType":"smart_contract","fixedReward":1500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"2Jpc2FZAnBUgdozLJLjMk3","url":"https://app.defisaver.com/","type":"websites_and_applications","addedAt":"2022-05-13T15:12:24.078Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5zR61b653pJR7WyQicLBmT","url":"https://github.com/defisaver/defisaver-v3-contracts/tree/main/contracts","type":"smart_contract","addedAt":"2025-09-24T09:27:08.031Z","revision":1,"description":"Defi Saver V3 (excluding the 'mocks' and 'views' folders)","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty 
program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-04-21T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1S8ggfDmWMZTN2T6wcMNaS/b56ce9699295511536c8e970e550ee9c/Defisaver-logo.jpg","maxBounty":350000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n  - Any sort of loss of funds \n  - Temporary freezing of funds for any amount of time\n  - Unauthorized access\n  - Causing any sort of economical damage to the protocol or the users\n\n__Web/App__\n\n  - Site goes down\n  - XSS (injecting code into the website)\n  - Shell access on server\n  - Persistent injection of text\n  - Customer support pop-up (aka Helpcrunch integration)","productType":["Asset Management"],"programOverview":"DeFi Saver is an advanced management app for decentralized finance protocols such as MakerDAO, Compound, Aave and Reflexer, with a special focus on creating and managing leveraged positions.\n\nSome of the specific things you can use DeFi Saver for include:\n  - Creating and managing collateralized debt positions in any of the most popular DeFi lending protocols, with 1-tx instant leveraging and deleveraging options\n  - Automating your position for automatic liquidation protection, as well as automatic leverage management, based on market movements\n  - Refinancing your position with options to change 
collateral or debt assets, or to move to a different protocol altogether with the Loan Shifter\n  - Creating your own custom set of actions to execute within one transaction in their recently introduced Recipe Creator.\n\nFor more information about DeFi Saver, visit their website at [https://defisaver.com/](https://defisaver.com/). \n\nThe bug bounty program is focused around its smart contracts, website and app and is mostly concerned with the loss of user funds and approval/auth attacks.","programType":["Smart Contract","Websites and Applications"],"project":"DeFi Saver","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All High and Critical Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 50 000__.\n\nAll vulnerabilities marked in the [security reviews](https://github.com/DecenterApps/defisaver-v3-contracts/tree/main/audits) are not eligible for a reward.\n\nPayouts are handled by the __Defi Saver__ team directly and are denominated in USD. 
However, payouts are done in __DAI and USDC__, with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, DAI","slug":"defisaver","tenPercentEconomicRule":true,"updatedDate":"2025-09-24T13:20:19.707Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"DeFi Saver is an advanced management app for decentralized finance protocols such as MakerDAO, Compound, Aave and Reflexer, with a special focus on creating and managing leveraged positions.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":" - Lack of SSL/TLS best practices\n - DDoS vulnerabilities\n - Attacks requiring privileged access from within the organization\n - Feature requests\n - Best practice critiques\n - Customer support pop-up (aka Helpcrunch integration)","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":112,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":113,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":114,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":115,"type":"websites_and_applications","severity":"critical","title":"Ability to execute system commands"},{"id":116,"type":"websites_and_applications","severity":"critical","title":"Extract Sensitive data/files from the server such as /etc/passwd"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":117,"type":"websites_and_applications","severity":"critical","title":"Stealing User Cookies"},{"id":118,"type":"websites_and_applications","severity":"critical","title":"Bypassing Authentication"},{"id":119,"type":"websites_and_applications","severity":"critical","title":"Signing transactions for other users"},{"id":120,"type":"websites_and_applications","severity":"critical","title":"Redirection of user deposits and withdrawals"},{"id":121,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)"},{"id":122,"type":"websites_and_applications","severity":"critical","title":"Wallet interaction modification resulting in financial loss"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft 
of user funds"},{"id":123,"type":"websites_and_applications","severity":"critical","title":"Tampering with transactions submitted to the user’s wallet"},{"id":124,"type":"websites_and_applications","severity":"critical","title":"Submitting malicious transactions to an already-connected wallet"}],"rewards":[{"id":20282,"severity":"critical","assetType":"smart_contract","maxReward":350000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":20283,"severity":"high","assetType":"smart_contract","fixedReward":30000,"rewardModel":"fixed"},{"id":20284,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":20285,"severity":"critical","assetType":"websites_and_applications","fixedReward":20000,"rewardModel":"fixed","otherImpactMaxReward":0}],"audits":[]},{"assets":[{"id":"4GD8yyZFTv5IdcRu48ytwP","url":"https://github.com/XOXNO/rs-lending/tree/master/common","type":"smart_contract","addedAt":"2025-09-16T08:01:12.414Z","revision":2,"description":"Common Utils used across Controller and Liquidity Layer","isPrimacyOfImpact":null},{"id":"53VzX1llrZVKMeKGotjFxV","url":"https://github.com/XOXNO/rs-liquid-staking-sc/tree/main/liquid-staking/src","type":"smart_contract","addedAt":"2025-09-16T08:01:26.670Z","revision":2,"description":"Liquid Staking of $EGLD used in Lending","isPrimacyOfImpact":null},{"id":"6I49YgN4dPDMoPEzjGgahQ","url":"https://github.com/XOXNO/rs-lending/tree/master/controller/src","type":"smart_contract","addedAt":"2025-09-16T08:00:39.857Z","revision":2,"description":"Controller","isPrimacyOfImpact":null},{"id":"Vo7Zh2qAINPYTKwcD3faQ","url":"https://github.com/XOXNO/rs-lending/tree/master/liquidity_layer","type":"smart_contract","addedAt":"2025-09-16T08:00:55.767Z","revision":2,"description":"Liquidity Layer 
Template","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["MultiversX"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":["Rust"],"launchDate":"2025-09-16T08:00:31.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5jY3HNj6JkKgJG8eVfrILY/bd62c19d04421265d5be2ad5ad4684f9/bTA7cvxE_400x400.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":["Lending","Liquid Staking","NFT Marketplace"],"programOverview":"XOXNO is an innovative DeFi protocol deployed on MultiversX. Our suite of protocols combines a liquid staking contract for $EGLD with the newly deployed lending protocol.\n\nWe started as an NFT marketplace and gradually leveraged our infrastructure into merging NFTs and DeFi via tokenization of lending accounts.\n\nFor more information about XOXNO, please visit https://xoxno.com/\n\nXOXNO provides rewards in USDC on ETH, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__\n\nXOXNO will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of passport or other government-issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list\n- An official contributor, past or present\n- An employee or individual closely associated with the project\n- A security auditor who directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nXOXNO adheres to **category 2 - Notice Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nXOXNO adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract / Critical\n- Smart Contract / High\n- Smart Contract / Medium\n- Smart Contract / Low\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact).\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Smart Contract"],"project":"XOXNO","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 20 000. 
The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 5 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\nFor critical smart contract bugs on testnet assets, the reward is paid as a flat amount of USD 5 000. This is because there are no actual funds at risk on the testnet, which prevents an objective calculation.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.\n- The amount of funds at risk will be calculated with the impact of the first attack counted at 100%, reduced by 25% of the first attack's amount for every [300 blocks] that a subsequent attack needs after the first attack, rounded down.\n\n__Reward Calculation for High Level Reports__\n\n- High impacts concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 3 500 to USD 5 000, with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward.\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the XOXNO team directly and are denominated in USD. However, payments are done in USDC on ETH.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"xoxno","tenPercentEconomicRule":false,"updatedDate":"2025-09-22T09:39:53.581Z","impactsBody":null,"websiteUrl":"https://xoxno.com","githubUrl":"https://github.com/xoxno","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_2","description":"XOXNO is a decentralized DeFi protocol on MultiversX, enabling liquid staking of $EGLD for tokenized issuance, alongside a lending and borrowing market where users supply liquidity to earn interest or borrow against collateral. It uniquely uses tokenized NFTs as user accounts, supports LP tokens, and features siloed markets, isolated markets, and eMode categories for advanced risk isolation.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":5723,"type":"smart_contract","severity":"low","title":"Imprecision on accounting (balances, rates)"},{"id":5724,"type":"smart_contract","severity":"medium","title":"Manipulation of interest rates (supply or borrow) with mechanisms not intended or limited by design"},{"id":5725,"type":"smart_contract","severity":"medium","title":"Loss of rewards-to-be-accrued"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in 
abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"}],"rewards":[{"id":35212,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":35213,"severity":"high","assetType":"smart_contract","maxReward":5000,"minReward":3500,"rewardModel":"range"},{"id":35214,"severity":"medium","assetType":"smart_contract","maxReward":3500,"minReward":2000,"rewardModel":"range"},{"id":35215,"severity":"low","assetType":"smart_contract","maxReward":1500,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"30Mt1jdhiJ1BR0da5zH4bN","url":"https://gist.github.com/n1punp/e9d2961de5af69fbd9a39d0efbb77766","type":"smart_contract","addedAt":"2022-04-04T16:17:12.164Z","revision":1,"description":"Alpha Homora v1 (ETH)","isPrimacyOfImpact":null},{"id":"lOv5WTJMzjKiGgPRdBiW8","url":"https://gist.github.com/n1punp/afc21382eabf68a2a16a8f2947697338","type":"smart_contract","addedAt":"2022-04-04T16:17:10.456Z","revision":1,"description":"Alpha Homora v1 (BSC)","isPrimacyOfImpact":null},{"id":"11tpqmD7UxOdqdK3EvSekT","url":"https://gist.github.com/n1punp/3345d1bf6d159c7d4457b41656cd11f7","type":"smart_contract","addedAt":"2022-04-04T16:17:08.054Z","revision":1,"description":"Alpha Staking","isPrimacyOfImpact":null},{"id":"5EIVm6NbmzKr9Vuh7qMdnL","url":"https://gist.github.com/n1punp/707f1fa2632ae9e3651b3686ac68d197","type":"smart_contract","addedAt":"2022-04-04T16:17:05.951Z","revision":2,"description":"Homora v2","isPrimacyOfImpact":null},{"id":"7CT0nBSifMVVFDk6jjQQ6L","url":"https://gist.github.com/n1punp/66e994be78d5e303829f148feb96b0e8","type":"smart_contract","addedAt":"2022-04-04T16:17:04.333Z","revision":2,"description":"Homora v2 (AVAX)","isPrimacyOfImpact":null}],"assetsBodyV2":"In the Github link in the Assets in Scope table, only Exact Match Verified smart contracts are considered as in-scope of the bug bounty 
program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Avalanche","BSC","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-04-20T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/71pklpx3jRf9XgK7fxlT8n/c7c77d4bcca1ee5dd85284c4c1f95c01/Alphafinance-logo.png","maxBounty":500000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n  - Loss of user funds staked (principal) by freezing or theft\n  - Loss of governance funds\n  - Undesirable flashloan/sandwich exploits\n  - Theft of unclaimed yield\n  - Freezing of unclaimed yield\n  - Smart contract gas drainage\n  - Block stuffing without fund transfers blocked\n  - Smart contract fails to deliver promised returns, but doesn’t lose value\n\n__Web/App__\n\n  - Redirected funds by address modification\n  - Accessing sensitive pages without authorization\n  - Persistent injection of text or script\n  - Users spoofing other users\n  - Shell access on server\n  - Loss of treasury funds\n  - Loss of user funds\n  - Incorrect calculations e.g. slippage control that can lead to funds loss","productType":["Crosschain Liquidity","Lending","Staking","Yield Aggregator"],"programOverview":"Alpha Venture DAO is building an ecosystem of DeFi products (the Alpha ecosystem), consisting of innovative building blocks that capture unaddressed demand in key pillars of the financial system. 
These building blocks will interoperate, creating the Alpha ecosystem that will be an innovative and more capital efficient way to banking in DeFi. \n\nWe explore and innovate at the fringes of Web3 and drive significant value to Web3 users, and ultimately, alpha returns to the Alpha community.\n\nHomora V2 is Alpha Venture DAO’s first product and DeFi’s first leveraged yield farming product that captures the market gap in lending, one of the key pillars of the financial system.\n\nFurther information about Alpha Venture DAO can be found here \n[https://docs.alphaventuredao.io/](https://docs.alphaventuredao.io/).","programType":["Smart Contract"],"project":"Alpha Venture DAO","projectType":["Defi","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nFor Smart Contract bug reports, PoCs and suggestions for a fix are not required but good to have and encouraged. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. This includes a bounty of up to USD 500,000 from the Alpha Venture DAO team.\n\nPayouts are handled by the __Alpha Venture DAO__ team directly and are denominated in USD. However, payouts are done in __ALPHA__ for payouts up to USD 500,000. For critical level smart contract vulnerabilities, payouts of up to USD 500,000 will take place with an upfront payout of up to USD 100,000 and USD 50,000 monthly vesting thereafter. 
.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ALPHA","slug":"AlphaVentureDAO","tenPercentEconomicRule":true,"updatedDate":"2025-09-19T13:28:17.902Z","impactsBody":"These accepted impacts are then based on the severity classification system of this bug bounty program. When submitting a bug report, please select the severity level you feel best corresponds to the severity classification system as long as the impact itself is one of the listed items.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Alpha Venture DAO is building an ecosystem of DeFi products (the Alpha ecosystem), consisting of innovative building blocks that capture unaddressed demand in key pillars of the financial system. These building blocks will interoperate, creating the Alpha ecosystem that will be an innovative and more capital efficient way to banking in DeFi. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":69,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":72,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":73,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":35198,"severity":"critical","assetType":"smart_contract","maxReward":500000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":35199,"severity":"high","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"},{"id":35200,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":35201,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1qhmli2z5vjgYwce3kQCNf","url":"https://tronscan.org/#/contract/TGjYzgCyPobsNS9n6WcbdLVR9dH7mWqFx7/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"Unitroller","isPrimacyOfImpact":null},{"id":"7fNxM0QZsLGCUK6ziZ54Ym","url":"https://tronscan.org/#/contract/TCtzg2CQsAuLkSxrGjFGbHVwKvv95W9C8e/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":2,"description":"Comptroller","isPrimacyOfImpact":null},{"id":"6Oqtn6FNq0bDxuuvR8FYxd","url":"https://tronscan.org/#/contract/TEqiF5JbhDPD77yjEfnEMncGRZNDt2uogD/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":2,"description":"GovernorBravoDelegator","isPrimacyOfImpact":null},{"id":"5lp
edMWKt7gtFgyH73AVyl","url":"https://tronscan.org/#/contract/TRWNvb15NmfNKNLhQpxefFz7cNjrYjEw7x/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"Timelock","isPrimacyOfImpact":null},{"id":"4gq88us3xKTjJQujE3jfaB","url":"https://tronscan.org/#/contract/TXk9LnTnLN7oH96H3sKxJayMxLxR9M4ZD6/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":2,"description":"WJST","isPrimacyOfImpact":null},{"id":"1nFzfvf1MEhGF5ESDhwOQ3","url":"https://tronscan.org/#/contract/TTetZxp98wcPaciyBMHYvQkS735RZ3tyXY/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"jumpRateUSDT","isPrimacyOfImpact":null},{"id":"3QDacV9rYCEF0mzLaOwdLI","url":"https://tronscan.org/#/contract/TLScd7kpWnKADtH7ZXKzrJHAxJUnjiiExq/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"jumpRateUSDJ","isPrimacyOfImpact":null},{"id":"1LPaqWT2YRHqIjDMBIXWic","url":"https://tronscan.org/#/contract/TK7WVRz34wUVRCpsgbW1wUCPmh5bSnCqg1/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"jumpRateSUN","isPrimacyOfImpact":null},{"id":"1YXpi0Z4Q2At3SXJzJSMNU","url":"https://tronscan.org/#/contract/TBtChPo34CGJkb1QVEwPhxS8HQE2Xp7ir2/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"jumpRateWIN","isPrimacyOfImpact":null},{"id":"7m43oUqEsRUyo61AE1RrmY","url":"https://tronscan.org/#/contract/TMNXjQTa8x4wNHBa3X647KRnkRQpSuXBRT/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"jumpRateJST","isPrimacyOfImpact":null},{"id":"3DpQTfzE8EIO7nBv96PCks","url":"https://tronscan.org/#/contract/TJAfCJdJZa44pG5adQGLMLh27hJqPeLxod/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"jumpRateWBTT","isPrimacyOfImpact":null},{"id":"5noZDjCweS3i3y8Zg4rwWg","url":"https://tronscan.org/#/contract/TBE9tkWYdZPEHLNeKC6Xn44YFLpieiM3xq/
code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"jumpRateNFT","isPrimacyOfImpact":null},{"id":"657sgxA4QzUSoYWh7SqXLj","url":"https://tronscan.org/#/contract/TF8B4iysAGfrssdQhMJGYsdd9SZoxGsH7M/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"WhitePaperModelTRX","isPrimacyOfImpact":null},{"id":"7sMzKuRexqlISVihsqZQHa","url":"https://tronscan.org/#/contract/TYJi9q4qLQWoBiKmMQY3Mn81tmhw7SeCmh/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"WhitePaperModelBTC","isPrimacyOfImpact":null},{"id":"6XlmfgVvcUGU94KPfcyU3m","url":"https://tronscan.org/#/contract/TE2RzoSV3wFK99w6J9UnnZ4vLfXYoxvRwP/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"TRX CEther","isPrimacyOfImpact":null},{"id":"33I74knMWUIx3xUUJ2fYWk","url":"https://tronscan.org/#/contract/TLjn59xNM7VEK6VZ3VQ8Y1ipxsdsFka5wZ/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"USDT CErc20Delegate","isPrimacyOfImpact":null},{"id":"35deCHTUAQw0XHg9voapkG","url":"https://tronscan.org/#/contract/TXJgMdjVX5dKiQaUi9QobwNxtSQaFqccvd/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"USDT CErc20Delegator","isPrimacyOfImpact":null},{"id":"3oAYPyh10vunTUS98yg7Fg","url":"https://tronscan.org/#/contract/TYSHTEq9NFSgst94saeRvt6rAYgWkqMFbj/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"USDJ CErc20Delegate","isPrimacyOfImpact":null},{"id":"1O62pIaZ2BiOaYB1zT3gpO","url":"https://tronscan.org/#/contract/TL5x9MtSnDy537FXKx53yAaHRRNdg9TkkA/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"USDJ 
CErc20Delegator","isPrimacyOfImpact":null},{"id":"1e3Le0akR1Pzpxd5O1jX5w","url":"https://tronscan.org/#/contract/TSCpzKvJfXHj1HW5jKg9dZA8z9aMxxGLd8/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"SUNOLD CErc20Delegate","isPrimacyOfImpact":null},{"id":"4yM9ekUpavOaELvcZ907Us","url":"https://tronscan.org/#/contract/TGBr8uh9jBVHJhhkwSJvQN2ZAKzVkxDmno/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"SUNOLD CErc20Delegator","isPrimacyOfImpact":null},{"id":"1dSvGYjHx6J1c3e1gl38oQ","url":"https://tronscan.org/#/contract/TW3GyD3hYkKwzSGytWwWGXpe2a93zCpRzJ/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"WIN CErc20Delegate","isPrimacyOfImpact":null},{"id":"5xece8AYyyq8dfjQISePmj","url":"https://tronscan.org/#/contract/TRg6MnpsFXc82ymUPgf5qbj59ibxiEDWvv/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"WIN CErc20Delegator","isPrimacyOfImpact":null},{"id":"7JhcjqasM0lzzcGZ21TnhL","url":"https://tronscan.org/#/contract/TVsKSRgRoMcCp798qqRGesXRfzy2MzRjkR/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"BTC CErc20Delegate","isPrimacyOfImpact":null},{"id":"603g43zjX4lQPPNUoG8qck","url":"https://tronscan.org/#/contract/TQ2sbnmxtR7jrNk4nxz2A8f9sneCqmk6SB/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"JST CErc20Delegate","isPrimacyOfImpact":null},{"id":"3DOHpYJStbeG7z8IagpqCV","url":"https://tronscan.org/#/contract/TWQhCXaWz4eHK4Kd1ErSDHjMFPoPc9czts/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"JST CErc20Delegator","isPrimacyOfImpact":null},{"id":"3KFJnEkjP8RV3wLN9W3eNq","url":"https://tronscan.org/#/contract/TV4WWBqBfn1kd4KmpYeSJpVAfybfrxEN9L/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"WBTT 
CErc20Delegate","isPrimacyOfImpact":null},{"id":"FTDpmH7fJfBo1k5qVihsh","url":"https://tronscan.org/#/contract/TUY54PVeH6WCcYCd6ZXXoBDsHytN9V5PXt/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"WBTT CErc20Delegator","isPrimacyOfImpact":null},{"id":"6VYtpXNzeRbuFdrWNYk9aj","url":"https://tronscan.org/#/contract/TLkUdtDBLMfJdXni2iTa4u2DKM53XmDJHi/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"NFT CErc20Delegate","isPrimacyOfImpact":null},{"id":"6EdSAmUw86eAvLf7r9dtky","url":"https://tronscan.org/#/contract/TFpPyDCKvNFgos3g3WVsAqMrdqhB81JXHE/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"NFT CErc20Delegator","isPrimacyOfImpact":null},{"id":"nfHsPDfgP6BQb2COQF37s","url":"https://tronscan.org/#/contract/TPXDpkg9e3eZzxqxAUyke9S4z4pGJBJw9e/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"SUN CErc20Delegator","isPrimacyOfImpact":null},{"id":"3nPqnwlUxUbw9wgDSQAZ0g","url":"https://tronscan.org/#/contract/TM82erAZJSP7NKc17JdTnzVC8WKJHismWB/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"SUN CErc20Delegate","isPrimacyOfImpact":null},{"id":"5CZJNoPnz6O8pRXTfUXZm9","url":"https://tronscan.org/#/contract/TSXv71Fy5XdL3Rh2QfBoUu3NAaM4sMif8R/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"TUSD CErc20Delegator","isPrimacyOfImpact":null},{"id":"4s7JckRfcMZyacmiMZI0yk","url":"https://tronscan.org/#/contract/THbrSjDsDA2KJRxx8K73tN7vLgaXSUNQFk/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"TUSD CErc20Delegate","isPrimacyOfImpact":null},{"id":"3Z5oSesWFiK3fpWEOigYLn","url":"https://tronscan.org/#/contract/TNSBA6KvSvMoTqQcEgpVK7VhHT3z7wifxy/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"USDC 
CErc20Delegator","isPrimacyOfImpact":null},{"id":"2NiRLAdrd9La4aToPpq5gg","url":"https://tronscan.org/#/contract/THQY8YX19jLFSFg1xhthM5wb7xZvKLCzgq/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"USDC CErc20Delegate","isPrimacyOfImpact":null},{"id":"6UsSA72tkCRf7Rz8oZVYC","url":"https://tronscan.org/#/contract/TR7BUFRQeq1w5jAZf1FKx85SHuX6PfMqsV/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"ETH CErc20Delegator","isPrimacyOfImpact":null},{"id":"2FvTFbawUD1KAgqLzwbkfc","url":"https://tronscan.org/#/contract/TQBvTVisiceDvsQVbLbcYyWQGWP7wtaQnc/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"ETH CErc20Delegate","isPrimacyOfImpact":null},{"id":"4PZyrEgAHeCR5mY6m0Rjig","url":"https://tronscan.org/#/contract/TX7kybeP6UwTBRHLNPYmswFESHfyjm9bAS/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"USDD CErc20Delegator","isPrimacyOfImpact":null},{"id":"2TnP6EnxmzztRljpXKopZ0","url":"https://tronscan.org/#/contract/TFdTqrMyb6PMMqTa9vnhmQHDFDU2oUhw9W/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"USDD CErc20Delegate","isPrimacyOfImpact":null},{"id":"6IC4aGBTGpBTWIVPI1wxGy","url":"https://tronscan.org/#/contract/TD8bq1aFY8yc9nsD2rfqqJGDtkh7aPpEpr/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"Oracle PriceOracle","isPrimacyOfImpact":null},{"id":"1js98DrA5UjYS717Hg5l38","url":"https://tronscan.org/#/contract/TCKp2AzuhzV4B4Ahx1ej4mvQgHZ1kH7F7k/code","type":"smart_contract","addedAt":"2022-08-31T03:00:00.000Z","revision":1,"description":"Oracle proxy 
PriceOracleProxy","isPrimacyOfImpact":null},{"id":"9WctWroNrTR7bAFR2dlmP","url":"https://tronscan.org/#/contract/TCiQTkxhzwSeXhRsNdHCvrxHRAvpjQn5Dt/code","type":"smart_contract","addedAt":"2022-11-02T22:46:45.983Z","revision":1,"description":"GovernorBravoDelegate","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by JustLend DAO that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. This only applies to Critical impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Tron"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-08-31T03:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1bDk6uC4OdDNpTT1tc49ew/05be446f35159bf6304b33933a4fe6b5/Justlend300_300.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending","Liquid Staking"],"programOverview":"JustLend DAO is a TRON-powered money market protocol aimed at establishing fund pools whose interest rates are determined by an algorithm based on the supply and demand of TRON assets. There are two roles within the protocol, namely suppliers and borrowers. Both of them interact directly with the protocol to earn or pay a floating interest rate. 
On JustLend DAO, each money market corresponds to a unique TRON asset such as TRX, TRC20 stablecoin (e.g. USDT) or other TRC20-based tokens, and entails an open and transparent ledger that records all transactions and historical interest rates.\n\nFor more information about JustLend DAO, please visit [https://justlend.org/#/home](https://justlend.org/#/home).","programType":["Smart Contract"],"project":"JustLend DAO","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. All High and Medium Smart Contract bug reports require a suggestion for a fix to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team.\n\nAll vulnerabilities marked in the [Certik security review](https://drive.google.com/file/d/1oQxMD3DY2VHodDVQKf2047hRg9PCMkG_/view?usp=sharing) are not eligible for a reward.\n\nPayouts are handled by the __JustLend DAO__ team directly and are denominated in USD. 
However, payouts are done in __USDD__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDD","slug":"justlenddao","updatedDate":"2025-09-16T22:35:10.430Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"JustLend DAO is a TRON-powered money market protocol aimed at establishing fund pools whose interest rates are determined by an algorithm based on the supply and demand of TRON assets. There are two roles within the protocol, namely suppliers and borrowers. Both of them interact directly with the protocol to earn or pay a floating interest rate. On JustLend DAO, each money market corresponds to a unique TRON asset such as TRX, TRC20 stablecoin","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":3138,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":35167,"severity":"critical","assetType":"smart_contract","maxReward":50000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":35168,"severity":"high","assetType":"smart_contract","maxReward":20000,"rewardModel":"up_to"},{"id":35169,"severity":"medium","assetType":"smart_contract","maxReward":10000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"dWz1XcgnY7vBohzBQAWkS","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/DualGovernance.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"DualGovernance","isPrimacyOfImpact":null},{"id":"6fkJuUA8OKlLDt8nI9Te8T","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/EmergencyProtectedTimelock.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"EmergencyProtectedTimelock","isPrimacyOfImpact":null},{"id":"kvNESTkk4JDJ75Tpua4o6","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/Escrow.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"Escrow","isPrimacyOfImpact":null},{"id":"6CYCAH26PewqyBzARChP4U","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/Executor.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"Executor","isPrimacyOfImpact":null},{"id":"4IyIXuZ7kTRer9GeHo0un9","url":"https://gith
ub.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/ImmutableDualGovernanceConfigProvider.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"ImmutableDualGovernanceConfigProvider","isPrimacyOfImpact":null},{"id":"10WLtujsyQdvHXBDdJx7up","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/ResealManager.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"ResealManager","isPrimacyOfImpact":null},{"id":"6Jqpsbjen0Eqs6uUap4piG","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/TimelockedGovernance.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"TimelockedGovernance","isPrimacyOfImpact":null},{"id":"7t0Fjqm1AMR3xTDpBMFkBc","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/committees/HashConsensus.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"HashConsensus","isPrimacyOfImpact":null},{"id":"6ZS0A0ueyFWzVZYJg0BEUx","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/committees/ProposalsList.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"ProposalsList","isPrimacyOfImpact":null},{"id":"4QvkFnT1cTGIYQGqef3Sbx","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/committees/TiebreakerCoreCommittee.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"TiebreakerCoreCommittee","isPrimacyOfImpact":null},{"id":"5XpdRqMtrx3DXdoiIRDn5Q","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/committees/TiebreakerSubCommittee.sol","type":"smart_c
ontract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"TiebreakerSubCommittee","isPrimacyOfImpact":null},{"id":"3JtICNxrWhvTrCiXq0FUt8","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/AssetsAccounting.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"AssetsAccounting","isPrimacyOfImpact":null},{"id":"5sPgTiM3YRMwF7DmstWJco","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/DualGovernanceConfig.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"DualGovernanceConfig","isPrimacyOfImpact":null},{"id":"6RXsHsl2frhY4mA00Cwklx","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/DualGovernanceStateMachine.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"DualGovernanceStateMachine","isPrimacyOfImpact":null},{"id":"54eQJLDs1BGhTCOzKKS0dE","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/DualGovernanceStateTransitions.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"DualGovernanceStateTransitions","isPrimacyOfImpact":null},{"id":"6e98suHH7q1L93JcpKnJBL","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/EmergencyProtection.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"EmergencyProtection","isPrimacyOfImpact":null},{"id":"1JLCmBOXXCsy8S52CH3VTz","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/EnumerableProposals.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"EnumerableProposals
","isPrimacyOfImpact":null},{"id":"4gomwnKRNSS4AICubHj9NO","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/EscrowState.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"EscrowState","isPrimacyOfImpact":null},{"id":"6TbRIREQG82yQIdVKzjXFd","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/ExecutableProposals.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"ExecutableProposals","isPrimacyOfImpact":null},{"id":"4StnZpRgaLpdaulSSioRH8","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/ExternalCalls.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"ExternalCalls","isPrimacyOfImpact":null},{"id":"4q5FAmYTJZT55jJUtOctI","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/Proposers.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"Proposers","isPrimacyOfImpact":null},{"id":"5aNXxt3E6cxZ2Lfn2htlW1","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/Resealer.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"Resealer","isPrimacyOfImpact":null},{"id":"5Dxt7tz485rHAz6iBnTBEA","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/SealableCalls.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"SealableCalls","isPrimacyOfImpact":null},{"id":"3Cc1aV70vpbFozsycVsNtE","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/Tiebreaker.sol","type":"smart_co
ntract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"Tiebreaker","isPrimacyOfImpact":null},{"id":"6LSUTKJC1lkzEDehRUF9Vc","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/TimelockState.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"TimelockState","isPrimacyOfImpact":null},{"id":"7DpzqNIB0GdiE2patQhAjW","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/libraries/WithdrawalsBatchesQueue.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"WithdrawalsBatchesQueue","isPrimacyOfImpact":null},{"id":"4HRyCsyLMYlbIQyLS0WH5t","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/types/Duration.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"Duration","isPrimacyOfImpact":null},{"id":"4QSPRYx7MqRDG3sNGdpIXA","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/types/ETHValue.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"ETHValue","isPrimacyOfImpact":null},{"id":"3GUXgBQ1fKyDO36q5ofJo0","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/types/IndexOneBased.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"IndexOneBased","isPrimacyOfImpact":null},{"id":"5UU8N8YvkBuyl1V9dHpDMi","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/types/PercentD16.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"PercentD16","isPrimacyOfImpact":null},{"id":"5jikMbvfvBJB6rBl2A8u0F","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a55388760
4a2d5755d14033b8e3d/contracts/types/SharesValue.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"SharesValue","isPrimacyOfImpact":null},{"id":"6Gzl8Zr1PjOi5k3S4dP6eQ","url":"https://github.com/lidofinance/dual-governance/tree/0d31f5b3dbe0a553887604a2d5755d14033b8e3d/contracts/types/Timestamp.sol","type":"smart_contract","addedAt":"2025-07-29T12:00:00.000Z","revision":1,"description":"Timestamp","isPrimacyOfImpact":null}],"assetsBodyV2":"__Proof of Concept (PoC) Requirements__\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Asset Accuracy Assurance__\n\n- Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Rewards Policy__\n\n- Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\n- Lido adheres to the Primacy of Rules, which means that the whole program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\n- No KYC is required for the Lido Bug Bounty Competition\n\n__Eligibility Criteria__\n\n- Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n   - On OFACs SDN list \n   - Official contributor, both past or present\n   - Employees and/or individuals closely associated with the project \n   - Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\n- Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n   - Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\n- 
Immunefi may publish bug reports submitted to this Bug Bounty Competition and a leaderboard of the participants and their earnings.\n\n__Proof of Concept (PoC) Requirements__\n- A PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Feasibility Limitations__\n\n- The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\n- By adhering to Immunefi’s best practice recommendations, Lido has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"## Thank You to All Participating Security Researchers!\n\nThe audit competition has now concluded and is currently in the evaluation phase. 
During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the Lido platform for all users.","boostedIntroLive":"## $2,000,000 USD in Max Bounty + $100,000 Bonus Rewards Pool \navailable for finding bugs on the Lido Dual Governance codebase. \n\nIn addition to the regular [Lido Bug Bounty Program](https://immunefi.com/bug-bounty/lido/information/), this competition offers a $100,000 bonus rewards pool for valid, non-duplicate reports on the assets in scope. This $100,000 bonus pool will be distributed among researchers based on the severity of their valid, unique submissions, as determined at the end of the competition.\n\n- Rewards are denominated in USD and distributed in USDC on Ethereum.\n\n- KYC is not required.\n\n- Proof of Concept (PoC) Requirements: A PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n- **Insights are out of scope** for this Bug Bounty Competition.\n\n- **Duplicate submissions** of bugs are **not valid**. \n\n\nFor more information about Lido, please visit https://lido.fi/\n\n\n### What is a Bug Bounty Competition?\nA Bug Bounty Competition is a unique blend between a traditional bug bounty program and an audit competition, offering the best of both worlds.\n\nLet’s break it down: In the case of Lido’s Dual Governance program, security researchers are invited to hunt for vulnerabilities in specific assets. Just like a regular Bug Bounty Program (BBP), valid submissions are eligible for core BBP rewards. 
But here’s the exciting part, there’s also a bonus reward pool of $100,000 up for grabs, on top of the usual BBP payouts. This bonus is only available during the limited competition period.","boostedIntroStartingIn":"## $2,000,000 USD in Max Bounty + $100,000 Bonus Rewards Pool \navailable for finding bugs on the Lido Dual Governance codebase. \n\nIn addition to the regular [Lido Bug Bounty Program](https://immunefi.com/bug-bounty/lido/information/), this competition offers a $100,000 bonus rewards pool for valid, non-duplicate reports on the assets in scope. This $100,000 bonus pool will be distributed among researchers based on the severity of their valid, unique submissions, as determined at the end of the competition.\n\n- Rewards are denominated in USD and distributed in USDC on Ethereum.\n\n- KYC is not required.\n\n- Proof of Concept (PoC) Requirements: A PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n- **Insights are out of scope** for this Bug Bounty Competition.\n\n- **Duplicate submissions** of bugs are **not valid**. 
\n\n\nFor more information about Lido, please visit https://lido.fi/","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":"2025-08-12T12:00:00.000Z","evaluationEndDate":"2025-09-16T11:04:59.728Z","features":["Vault","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2025-07-29T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/R7v4MafpH4UpThowXGucN/16cd9089adc39cf245c7aba510a877b7/Lido_Sign.png","maxBounty":2000000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Lido is a liquid staking solution for Ethereum backed by industry-leading staking providers. Lido lets users stake their ETH - without locking assets or maintaining infrastructure - whilst participating in on-chain activities, e.g. lending.\n\nDual Governance (DG) is a governance subsystem positioned between the Lido DAO (represented by various voting systems) and the protocol contracts it manages. It gives stakers a say by allowing them to block DAO decisions and providing a negotiation device between stakers and the DAO.\nAnother way of looking at Dual Governance is that it implements:\n1. A dynamic user-extensible timelock on DAO decisions\n2. 
A rage quit mechanism for stakers taking into account the specifics of how Ethereum withdrawals work.\n\nFor more information about Lido, please visit https://lido.fi/ \n\nLido provides rewards in USDC on Ethereum.","programType":["Smart Contract"],"project":"Bug Bounty Comp | Lido: Dual Governance","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/) \n\nIn addition to the regular [Lido Bug Bounty Competition](https://immunefi.com/bug-bounty/lido/information/) rewards per severity, this competition offers a **$100,000 bonus rewards pool** for valid, non-duplicate reports on the assets in scope on this program.\n\nThis **$100,000 bonus pool** will be distributed among researchers based on the severity of their valid, unique submissions, as determined at the end of the competition.\n\nBonus rewards are paid out in the following **priority order**:\n\n1. Critical vulnerabilities\n2. High vulnerabilities\n3. Medium vulnerabilities\n4. Low vulnerabilities\n\nThe **pool is allocated top-down**, meaning bonuses are paid to higher severity submissions first. If sufficient funds remain after paying critical submissions, bonuses will be issued to high severity findings, and so on.\n\n**If fewer vulnerabilities are found than the total size of the pool, the full pool will not be spent.**\n\nFor example, if only a single valid Critical is found, the bonus paid will be **$50,000**, and the remaining **$50,000 will go unused**.\n\nBonus amounts for each unique, valid report are:\n\n- Critical: $50,000\n- High: $10,000\n- Medium: $2,000\n- Low: $1,000\n\n\nIf the number of valid submissions in a given severity exceeds the available bonus pool for that severity category, then the funds will be **evenly split among all eligible submissions** in that category. 
For example, if 4 criticals are found, each critical severity report will be rewarded $25,000. \n\n##### Note:\n\n1. The **bonus rewards pool is limited to $100,000**.\n2. If the bonus rewards pool is exhausted, **reports will still be rewarded** under the regular Bug Bounty Program reward terms.\n3. Bug reports will be paid after the Bug Bounty Competition ends and rewards are calculated. \n4. **Insights are out of scope** for this Bug Bounty Competition.\n5. Any reports on Lido assets that are NOT in scope for this Bug Bounty Competition should be submitted to [Lido Bug Bounty Program](https://immunefi.com/bug-bounty/lido/information/).\n6. **Duplicate** submissions of bugs are **not valid**. \n7. Rewards are denominated in USD and distributed in USDC on Ethereum.\n8. Reports submitted via the regular Bug Bounty Program page will not be eligible for bonus rewards.\n9. If the same bug is submitted separately to both the Bug Bounty Program and the Bug Bounty Competition, the report will be eligible for rewards only under the program where it was submitted first. For example:\n- If Security Researcher A submits a valid bug to the Bug Bounty Program, and Security Researcher B submits the same bug to the Bug Bounty Competition, then only Security Researcher A is eligible, under Bug Bounty Program terms.\n- If the reverse happens, only Security Researcher B qualifies, under Bug Bounty Competition terms.\n\n__Repeatable Attack Limitations__\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. 
\nThe amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every [300 blocks] the attack needs for subsequent attacks from the first attack, rounded down","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"lido-bug-bounty-competition","tenPercentEconomicRule":true,"updatedDate":"2025-09-16T11:04:48.516Z","impactsBody":"**Build Commands, Test Commands, and How to Run Them**\n\n- See README section for full guide: https://github.com/lidofinance/dual-governance/tree/v1.0.1-hotfix?tab=readme-ov-file#setup\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\n- Yes, this is an upgrade of the previously deployed Dual Governance version: https://github.com/lidofinance/dual-governance/releases/tag/v1.0.0. The primary change is a fix for a vulnerability in the Escrow.startRageQuitExtensionPeriod() method. 
Additional details are available in the release notes: https://github.com/lidofinance/dual-governance/releases/tag/v1.0.1-hotfix.\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\n- Attacks that result in indefinite blocking of governance decision execution.\n- Attacks that prevent the successful completion of the RageQuit process, potentially leading to permanent or temporary locking of users’ stETH/wstETH/unstETH/ETH in Escrow contracts.\n- Execution of proposals that bypass the enforced delays established by `DualGovernance` and `EmergencyProtectedTimelock`\n\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\n- Only stETH and wstETH (ERC20), and unstETH (ERC721) tokens are supported.\n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\n- Dual Governance is launched under a Protected Deployment Mode (https://github.com/lidofinance/dual-governance/blob/main/docs/specification.md#protected-deployment-mode), which allows the dynamic timelock system to be fully disabled in case of a critical bug in the Dual Governance logic.\n- Additionally, the Tiebreaker mechanism (https://github.com/lidofinance/dual-governance/blob/main/docs/specification.md#tiebreaker-committee) can be activated to bypass the RageQuit timelock in the event of a system deadlock.\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\n- hoodi/mainnet\n\n\n**What external dependencies are there?**\n\n- External dependencies can be found on https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.2","websiteUrl":"https://lido.fi/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Lido is a liquid staking solution for Ethereum backed by industry-leading staking providers. 
Lido lets users stake their ETH - without locking assets or maintaining infrastructure - whilst participating in on-chain activities, e.g. lending.","knownIssues":[{"id":66,"link":"https://github.com/lidofinance/dual-governance/blob/develop/docs/known-risks-and-limitations.md","description":"Dual Governance: Known Risks & Limitations","lastUpdatedAt":"2025-06-17T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":5669,"type":"smart_contract","severity":"critical","title":"Incorrect calculation of multisig signers required for transaction processing"},{"id":5670,"type":"smart_contract","severity":"high","title":"Prevention of governance participation despite design parameters providing participation rights"},{"id":5671,"type":"smart_contract","severity":"medium","title":"Impacts caused by griefing with no economic damage other than transaction fees where fix requires a change or a pause of a smart contract"},{"id":5673,"type":"smart_contract","severity":"high","title":"Acquiring owner/admin rights or roles without 
contract’s owner/admin action"},{"id":5677,"type":"smart_contract","severity":"high","title":"Impact caused by missing access controls allowing to execute privileged actions (e.g., changing protocol parameters or upgrading contracts) without required privileged roles"}],"rewards":[{"level":"critical","payout":"Max: $2,000,000 - Min: 50,000 + *Portion of the bonus reward pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Max: $250,000 - Min: $10,000 + *Portion of the bonus reward pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Max: $50,000 - Min: $1,000 + *Portion of the bonus reward pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Flat: $1,000 + *Portion of the bonus reward pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"B1440DgcRBikpjLJuPh21","url":"https://github.com/lidofinance/audits?tab=readme-ov-file#09-2024-certora-dual-governance-draft-audit","auditor":"Certora","date":"2024-09-20"},{"id":"4uzdNrK2fmghZDYAE6Ol9Q","url":"https://github.com/lidofinance/audits?tab=readme-ov-file#02-2025-certora-dual-governance-audit","auditor":"Certora","date":"2025-02-12"},{"id":"7lhTmhjXBITA3UrGC4NgMf","url":"https://github.com/lidofinance/audits?tab=readme-ov-file#10-2024-statemind-dual-governance-audit","auditor":"Statemind","date":"2024-10-16"},{"id":"45yFUq5Naj2MMRIxfi40Ng","url":"https://github.com/lidofinance/audits?tab=readme-ov-file#11-2024-openzeppelin-dual-governance-audit","auditor":"OpenZeppelin","date":"2024-11-07"},{"id":"6Tte5LqTJ5iBJrJv5aZd7o","url":"https://github.com/lidofinance/audits?tab=readme-ov-file#02-2025-openzeppelin-dual-governance-re-audit","auditor":"OpenZeppelin","date":"2025-02-11"},{"id":"1QzxJrzTS8gdji8EM2DNPx","url":"https://github.com/lidofinance/audits?tab=readme-ov-file#02-2025-runtime-verification-dual-governance-formal-verification","auditor":"Runtime 
Verification","date":"2025-02-18"},{"id":"1TPpRZSeunikszBXtcpKbs","url":"https://github.com/lidofinance/audits?tab=readme-ov-file#06-2025-statemind-dual-governance-deployment-and-voting-script-review","auditor":"Statemind","date":"2025-06-17"}]},{"assets":[{"id":"jznTibbce9aRB5FvyawRM","url":"https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/AccessControl.py","type":"smart_contract","addedAt":"2025-07-07T10:00:00.000Z","revision":1,"description":"AccessControl - Contract module that allows children to implement role-based access control mechanisms.","isPrimacyOfImpact":null},{"id":"73p0FZJrl4Nqd6H4lEold9","url":"https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/Initialisable.py","type":"smart_contract","addedAt":"2025-07-07T10:00:00.000Z","revision":1,"description":"Initialisable - Contract that allows children to be initialisable","isPrimacyOfImpact":null},{"id":"7miv1A4tS1D6SPehkjwNHX","url":"https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/extensions/InitialisableWithCreator.py","type":"smart_contract","addedAt":"2025-07-07T10:00:00.000Z","revision":1,"description":"InitialisableWithCreator - Extension to Initialisable Contract which ensures caller of \"initialise\" method is contract creator.","isPrimacyOfImpact":null},{"id":"2BmQKrmaKD05oSzJnFGeN","url":"https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/Upgradeable.py","type":"smart_contract","addedAt":"2025-07-07T10:00:00.000Z","revision":1,"description":"Upgradeable - Contract module that allows children to implement scheduled upgrade mechanisms.","isPrimacyOfImpact":null},{"id":"17wtx0IMIoxsAas9Ybs0sG","url":"https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/RateLimiter.py","type":"smart_contract","addedAt":"2025-07-07T10:00:00.000Z","revision":1,"description":"RateLimiter - Contract module that 
allows children to implement rate limiting mechanisms.","isPrimacyOfImpact":null},{"id":"Pw6JrDTl18kiQDBfroQOR","url":"https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/UInt64SetLib.py","type":"smart_contract","addedAt":"2025-07-07T10:00:00.000Z","revision":1,"description":"UInt64SetLib - Subroutines to mimic the behaviour of a “set” data structure for uint64 values.","isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\n- Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\n- Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\n- Folks Finance adheres to the Primacy of Rules, which means that the whole Audit Competition program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\n- No KYC is required for the Folks Smart Contract Library Audit Competition\n\n__Eligibility Criteria__\n\n- Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n   - On OFACs SDN list \n   - Official contributor, both past or present\n   - Employees and/or individuals closely associated with the project \n   - Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\n- Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n   - Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\n- Immunefi may publish bug reports submitted to this Audit Competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\n- When there is uncertainty about how feasible an attack is Immunefi will use our feasibility limitation 
standards to determine the severity of the report.\n\n__Immunefi Standard Badge__\n\n- By adhering to Immunefi’s best practice recommendations, Folks Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"### **Thank You to All Participating Security Researchers!**\n\nThe audit competition has now concluded and is currently in the evaluation phase. During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving vulnerabilities, helping to strengthen and secure the platform for all users.","boostedIntroLive":"### **$30,000 USD** in flat rewards available for finding bugs on the Folks Smart Contract Library. \n\n- Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes **All Star Pool** and **Podium Pool** reserved for [All Star Program](https://immunefi.com/allstars/) participants. \n\n- Rewards are denominated in USD and distributed in USDC on Algorand.\n\n- KYC is not required.\n\nAny technical questions can be asked directly to the Folks Finance technical team on [Immunefi's Discord](https://discord.com/invite/immunefi) in the **folks-sc-library-audit-comp** channel.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nFor more information, please visit [Folks Finance](https://folks.finance/)","boostedIntroStartingIn":"### **$30,000 USD** in flat rewards available for finding bugs on the Folks Smart Contract Library. 
\n\n- Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes **All Star Pool** and **Podium Pool** reserved for [All Star Program](https://immunefi.com/allstars/) participants. \n\n- Rewards are denominated in USD and distributed in USDC on Algorand.\n\n- KYC is not required.\n\nFor more information, please visit [Folks Finance](https://folks.finance/)","boostedLeaderboard":[{"high":0,"name":"pks271","aspRank":8,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"ASSOCIATE (ACTIVE)","totalEarnings":7308,"totalValidBugs":1,"aspPoolEarnings":6000,"podiumPoolEarnings":0},{"high":0,"name":"j3x","aspRank":1,"critical":0,"earnings":3273,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":4413,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":1140},{"high":0,"name":"danvinci_20","aspRank":7,"critical":0,"earnings":1683,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2613,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":930},{"high":0,"name":"uhudo","aspRank":2,"critical":0,"earnings":1383,"insights":1,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":2313,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":930},{"high":0,"name":"Oxenzo_eth","aspRank":3,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1308,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Bug82427","aspRank":4,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1308,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"DSbeX","aspRank":5,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1308,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":
"HandsomeEarthworm6","aspRank":6,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1308,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"hunter0xweb3","aspRank":9,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1308,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"NHristov","aspRank":10,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1308,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Immanux2160","aspRank":11,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1308,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Opzteam","aspRank":12,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1308,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Afriauditor","aspRank":13,"critical":0,"earnings":1308,"insights":0,"mediumLow":1,"allStarTier":"Non-ASP","totalEarnings":1308,"totalValidBugs":1,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"Blobism","aspRank":14,"critical":0,"earnings":675,"insights":3,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":675,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"ustas","aspRank":17,"critical":0,"earnings":450,"insights":2,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":450,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"perseverance","aspRank":19,"critical":0,"earnings":225,"insights":1,"mediumLow":0,"allStarTier":"SENIOR 
(ACTIVE)","totalEarnings":225,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"a090325","aspRank":15,"critical":0,"earnings":75,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":75,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"c3phas","aspRank":16,"critical":0,"earnings":75,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":75,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0},{"high":0,"name":"danial","aspRank":18,"critical":0,"earnings":75,"insights":1,"mediumLow":0,"allStarTier":"Non-ASP","totalEarnings":75,"totalValidBugs":0,"aspPoolEarnings":0,"podiumPoolEarnings":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1R7CJW2vf8s0cSeRNBS6v5vZvkai1bcun/view?usp=sharing","ecosystem":["Algorand"],"endDate":"2025-07-21T10:00:00.000Z","evaluationEndDate":"2025-09-05T10:00:00.000Z","features":["Boost","Vault","Managed Triage: Signal Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Python"],"launchDate":"2025-07-07T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3dSmZSceT3gQBxUK58GG4y/e40e55bfc2c284e8c2ea1a11c89b837f/Folks-logo-icon-white__1_.png","maxBounty":30000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - medium","smart_contract - low","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.\n\nThe Folks Smart Contract Library is a curated, modular collection of audited, reusable smart contracts designed to accelerate development on the Algorand blockchain. 
The library allows you to focus on your business logic by abstracting away common patterns and security mechanisms.\n\nFor more information about Folks Finance and their existing products, please visit https://folks.finance.","programType":["Smart Contract"],"project":"Audit Comp | Folks Smart Contract Library","projectType":null,"rewardsBody":"__Audit Competition Flat Reward Pool__\n\nThe following reward terms are a summary. For the full details read our [Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms) and includes All Star Pool and Podium Pool reserved for [All Star Program](https://immunefi.com/allstars/) participants\n\nThe reward pool is **$30,000 USD** if any bug is found. That means that even if 1 Low severity bug is found, the whole reward pool is unlocked and has to be fully distributed between security researchers. \n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is $4,500 USD.\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid and unlock the corresponding reward pool.\n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. 
\"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\n**Duplicates of Insight reports are not eligible for a reward.**\n\n__Proof of Concept (PoC) Requirements__\n\nFor this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact.\nFor unclear reports or to resolve disputes Immunefi may still require a runnable PoC.Read more about it in [Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Audit-Competition-Proof-of-Concept-Rules)","rewardsPool":30000,"primaryPool":21000,"allStarsPool":6000,"podiumPool":3000,"rewardsToken":"USDC","slug":"folks-sc-library","tenPercentEconomicRule":false,"updatedDate":"2025-09-16T09:46:07.101Z","impactsBody":"**Build commands, Test commands, and instructions on how to run them:**\n\nFollow the setup instructions in the project README.\n\n- To generate the TEAL code and ARC56 specs for the contracts, run the command: npm run pre-build\n\n- To build the TS clients to interact with the contracts, run the command: npm run build\n\n- Start an Algorand localnet with AlgoKit and Docker using: algokit localnet start\n\n- Run all tests from root directory using: npm run test\n\n- Or single test file using: PYTHONPATH=\"./contracts\" npx jest <PATH_TO_TEST_FILE>\n\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\n- All the smart contracts in “contracts/library/test” are out of scope and only included to facilitate the unit testing. \n\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\n- Ensuring addresses only operate within their assigned privileges. 
Also checking the logic of the smart contracts is sound. \n\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\n- Algorand\n\n\n**What external dependencies are there?**\n\n- Algorand Python Compiler \n\n**What are the most valuable educational resources already available?**\n\n- Folks Smart Contract Library [Documentation](https://docs.google.com/document/d/1asxwEYzNtG2cTTvuTwBszMmEUKMtkL8s7bBROeD1LlU/edit?usp=sharing.)\n- Details of [Unit testing](https://github.com/Folks-Finance/algorand-smart-contract-library/tree/main/tests) which may help in understanding how the smart contracts are intended to be called and operate. \n- Algorand Python [Language Guide](https://algorandfoundation.github.io/puya/language-guide.html)\n\n\n**Previous Audits**\n\n- Folks Finance Smart Contract Library has no audit report as of 7 July 2025.","websiteUrl":"https://folks.finance/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place. The Folks Smart Contract Library is a curated, modular collection of audited, reusable smart contracts designed to accelerate development on the Algorand blockchain. 
The library allows you to focus on your business logic by abstracting away common patterns and security mechanisms.\n\n","knownIssues":[{"id":62,"link":"https://docs.google.com/document/d/1asxwEYzNtG2cTTvuTwBszMmEUKMtkL8s7bBROeD1LlU/edit?tab=t.0","description":"Funds used for the minimum balance of a smart contract account are implicitly required and not refunded","lastUpdatedAt":"2025-07-01T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":5629,"type":"smart_contract","severity":"critical","title":"Unauthorized escalation of privileged roles which deviate from the original permissions"},{"id":5623,"type":"smart_contract","severity":"critical","title":"Bypass of the address permissions during an upgrade"},{"id":5624,"type":"smart_contract","severity":"critical","title":"Bypass of the rate limit beyond set parameters"},{"id":5625,"type":"smart_contract","severity":"high","title":"Permanent denial of service of a smart contract functionality"},{"id":5626,"type":"smart_contract","severity":"medium","title":"Temporary denial of service for more than one block"},{"id":5627,"type":"smart_contract","severity":"medium","title":"Impacts caused by griefing with no economic damage other than transaction fees where fix requires a change or a pause of a smart contract"},{"id":5628,"type":"smart_contract","severity":"low","title":"Temporary denial of service (smart contract is made unable to operate for one block, functionality is restored in the next block)"}],"rewards":[{"level":"critical","payout":"Portion of Reward 
Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"5KJOScaF9U9sKtOv0c2aow","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/configuration/PoolAddressesProvider.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 PoolAddressesProvider","isPrimacyOfImpact":null},{"id":"7C7Tx0LZl2fS0E5TnNvl3x","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/configuration/ACLManager.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 ACLManager","isPrimacyOfImpact":null},{"id":"3zSvc3bdXmifUEB66gLg3v","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/pool/Pool.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Pool","isPrimacyOfImpact":null},{"id":"7bEH2IORpyDaAXu5LaYHne","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/pool/L2Pool.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 L2Pool","isPrimacyOfImpact":null},{"id":"7jau9Wg6rEYaOswetYslEL","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/pool/PoolConfigurator.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Pool 
Configurator","isPrimacyOfImpact":null},{"id":"4QB2VJgVn9bgu29mPFyqEH","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/misc/DefaultReserveInterestRateStrategyV2.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 DefaultReserveInterestRateStrategyV2","isPrimacyOfImpact":null},{"id":"b0V8XxttfTko28vx5PSTz","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/misc/aave-upgradeability/BaseImmutableAdminUpgradeabilityProxy.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Upgradability - BaseImmutableAdminUpgradeabilityProxy","isPrimacyOfImpact":null},{"id":"3AwPSQP5UavowY5aBSLqsC","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/misc/aave-upgradeability/InitializableImmutableAdminUpgradeabilityProxy.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Upgradability - InitializableImmutableAdminUpgradabilityProxy","isPrimacyOfImpact":null},{"id":"065ikuVi98NYBNmNjVPiR","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/misc/aave-upgradeability/VersionedInitializable.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Upgradability - VersionedInitializable","isPrimacyOfImpact":null},{"id":"48zJoas3yZJ0snRjwujB1U","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/configuration/ReserveConfiguration.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Global configurations - Reserve Configuration","isPrimacyOfImpact":null},{"id":"58O0qviI8bfTozeTmCgiv6","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/configuration/UserConfiguration.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Global 
configurations - User Configuration","isPrimacyOfImpact":null},{"id":"tCx9ZFRByi1TqnQYtsKl6","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/BorrowLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Borrow Logic","isPrimacyOfImpact":null},{"id":"6Fjq7oVvLjChNCcAlClXZM","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/BridgeLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Bridge Logic","isPrimacyOfImpact":null},{"id":"4u1rb7Xjixg8hywhmWdFUn","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/CalldataLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Calldata Logic","isPrimacyOfImpact":null},{"id":"zyJ3XGj7nzzLx5h35Y7sa","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/ConfiguratorLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Configurator Logic","isPrimacyOfImpact":null},{"id":"50AsYdYZHPSHXW1RUbHa3I","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/EModeLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":4,"description":"Aave v3 Logic Libraries - EMode Logic","isPrimacyOfImpact":null},{"id":"3UalWfobegKE9Jx9Hajxrz","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/FlashLoanLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":2,"description":"Aave v3 Logic Libraries - Flash Loan 
Logic","isPrimacyOfImpact":null},{"id":"4otorlK5RWdqYuJyG7Tv3p","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/GenericLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Generic Logic","isPrimacyOfImpact":null},{"id":"6xGsYNIMVow7boonhacqNx","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/IsolationModeLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Isolation Mode Logic","isPrimacyOfImpact":null},{"id":"6zGSJMMBthxQZ745hRRuTF","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/LiquidationLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Liquidation Logic","isPrimacyOfImpact":null},{"id":"46Zwo7MkNnfKd2BL7XsTKa","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/PoolLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Pool Logic","isPrimacyOfImpact":null},{"id":"5yveXiwjC2AmcpLLhRj3OV","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/ReserveLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Reserve Logic","isPrimacyOfImpact":null},{"id":"VNwFp1vd9zM1pgghQDakF","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/SupplyLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Supply 
Logic","isPrimacyOfImpact":null},{"id":"1AEY1z2CurBaeLHJQL928f","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/logic/ValidationLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Logic Libraries - Validation Logic","isPrimacyOfImpact":null},{"id":"4pnglDiFQCR0iDES4vkVCQ","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/math/MathUtils.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":4,"description":"Aave v3 Math Libraries - Math Utils","isPrimacyOfImpact":null},{"id":"28yf4HxCAXBxiHUg1LpPwp","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/math/PercentageMath.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Math Libraries - Percentage Math","isPrimacyOfImpact":null},{"id":"77vIabnp2SUqwbRSzocywC","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/libraries/math/WadRayMath.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Math Libraries - WadRayMath","isPrimacyOfImpact":null},{"id":"3Md7NGVfqmi1zVclyZA9HJ","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/tokenization/AToken.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 AToken","isPrimacyOfImpact":null},{"id":"1pfwjuuEby68gQE3ScfvpT","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/protocol/tokenization/VariableDebtToken.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 
VariableDebtToken","isPrimacyOfImpact":null},{"id":"38u34pEuBWLTLr0slsDHEN","url":"https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/tokenization/StableDebtToken.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v3 StableDebtToken","isPrimacyOfImpact":null},{"id":"4jOdLziVxkRfKfXYF0HhUQ","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/misc/AaveOracle.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 AaveOracle","isPrimacyOfImpact":null},{"id":"7A9JqxqbH1wmdzOMpF7tdr","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/helpers/L2Encoder.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 L2Encoder","isPrimacyOfImpact":null},{"id":"2nZFCI3WVL0R5Qfv4kFrGi","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/misc/PriceOracleSentinel.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Price Oracle Sentinel","isPrimacyOfImpact":null},{"id":"4sXaClhMCWvye1nCU0vfzr","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/rewards/RewardsController.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Periphery - Rewards Controller","isPrimacyOfImpact":null},{"id":"2fTCm6RYDwG9bx4vaGz7gK","url":"https://github.com/aave-dao/aave-v3-origin/blob/main/src/contracts/rewards/EmissionManager.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":3,"description":"Aave v3 Emission Manager","isPrimacyOfImpact":null},{"id":"7K1DUX29MnJWnySxU0pK5C","url":"https://github.com/bgd-labs/aave-collector-unification/blob/main/src/contracts/Collector.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v3 
Collector","isPrimacyOfImpact":null},{"id":"3hVFELi4qLw4Ng7VbwsRhs","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/facilitators/aave/oracle/GhoOracle.so","type":"smart_contract","addedAt":"2023-11-14T17:43:19.746Z","revision":2,"description":"Aave v3 GhoOracle","isPrimacyOfImpact":null},{"id":"TwSC45c6uzcv7pQqLl1NX","url":"https://github.com/bgd-labs/aave-stk-gov-v3/blob/main/src/contracts/StakedAaveV3.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":2,"description":"Aave Safety Module Staked Aave v3","isPrimacyOfImpact":null},{"id":"2y8d3Iu4AvnZcni2LGjZdj","url":"https://github.com/bgd-labs/stake-token/blob/main/src/contracts/StakeToken.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":2,"description":"new Aave Safety Module (stkABPT and stkGHO)","isPrimacyOfImpact":null},{"id":"1maRxpJ2DeRidTYcKzlsr7","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/configuration/LendingPoolAddressesProvider.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 LendingPoolAddressProvider","isPrimacyOfImpact":null},{"id":"2g1MWMuIJ8d51NxHIPgB5R","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/lendingpool/LendingPool.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 LendingPool","isPrimacyOfImpact":null},{"id":"7sw6PZ2NRsZHfUtAU3rwXv","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/lendingpool/LendingPoolCollateralManager.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 LendingPoolCollateralManager","isPrimacyOfImpact":null},{"id":"3pjZLUjkhgKSapHBdrhGMp","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/lendingpool/DefaultReserveInterestRateStrategy.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 
DefaultReserveInterestRateStrategy","isPrimacyOfImpact":null},{"id":"fr9Zk8OQ4ZQkL6H3TTHu4","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/lendingpool/LendingPoolConfigurator.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 LendingPoolConfigurator","isPrimacyOfImpact":null},{"id":"419D5u1xKmoyix3nqZwYlC","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/aave-upgradeability/BaseImmutableAdminUpgradeabilityProxy.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 BaseImmutableAdminUpgradeabilityProxy","isPrimacyOfImpact":null},{"id":"7uaTlly0VCPgbgN7pCmFpr","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/aave-upgradeability/InitializableImmutableAdminUpgradeabilityProxy.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 InitializableImmutableAdminUpgradeabilityProxy","isPrimacyOfImpact":null},{"id":"7G3rAN61rJ3TVSmTUDgvlC","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/aave-upgradeability/VersionedInitializable.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 VersionedInitializable","isPrimacyOfImpact":null},{"id":"vf0lpx6s64XzSp0RPIE7I","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/configuration/ReserveConfiguration.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 Global configurations - Reserve Configuration","isPrimacyOfImpact":null},{"id":"4t0seArMMKgqwdKwe73WYO","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/configuration/UserConfiguration.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 Global configurations - User 
Configuration","isPrimacyOfImpact":null},{"id":"7dbuwCGIWqnH8NRh40zNWt","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/logic/GenericLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 Logic libraries - GenericLogic","isPrimacyOfImpact":null},{"id":"4FQJ1K6DvxcLOh3fYuLcnC","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/logic/ReserveLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 Logic libraries - ReserveLogic","isPrimacyOfImpact":null},{"id":"2oPe4jt6YfnebLd4rdUWSA","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/logic/ValidationLogic.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 Logic libraries - ValidationLogic","isPrimacyOfImpact":null},{"id":"6Rspci0pLb6zrY6NergPwI","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/math/MathUtils.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 Math libraries - MathUtils","isPrimacyOfImpact":null},{"id":"lKROVIALhq6xog9RiTElN","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/math/PercentageMath.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":2,"description":"Aave v2 Math libraries - PercentageMath","isPrimacyOfImpact":null},{"id":"2dAJHoDNfFVCEgIXdeZA1n","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/libraries/math/WadRayMath.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 Math libraries - 
WadRayMath","isPrimacyOfImpact":null},{"id":"3WejBAJvuAW5jYCSwivm1Z","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/tokenization/AToken.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 AToken","isPrimacyOfImpact":null},{"id":"3cVQTpSDLcIWOkh3QCLxlX","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/tokenization/VariableDebtToken.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 VariableDebtToken","isPrimacyOfImpact":null},{"id":"1X5OxFE0QP324fyw29yaUQ","url":"https://github.com/aave/protocol-v2/blob/master/contracts/protocol/tokenization/StableDebtToken.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 StableDebtToken","isPrimacyOfImpact":null},{"id":"571JVtmYGqdesgqrsBOVBq","url":"https://github.com/aave/protocol-v2/blob/master/contracts/misc/AaveOracle.sol","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 Aave Oracle","isPrimacyOfImpact":null},{"id":"1PKUGjSt8kyC7Kr1SSKX1G","url":"https://etherscan.io/address/0x8A32f49FFbA88aba6EFF96F45D8BD1D4b3f35c7D","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 Lending Rate Oracle","isPrimacyOfImpact":null},{"id":"2ndMW0az4P4qzsD6aSfwiR","url":"https://etherscan.io/address/0xEFFC18fC3b7eb8E676dac549E0c693ad50D1Ce31","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 WrappedTokenGatewayV2","isPrimacyOfImpact":null},{"id":"lfAMZH4yoMseurXJ6erRy","url":"https://etherscan.io/address/0x464C71f6c2F760DdA6093dCB91C24c39e5d6e18c","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Aave v2 
Collector","isPrimacyOfImpact":null},{"id":"6bLG6CLsuHHqPxYFETo1X2","url":"https://github.com/aave/","type":"smart_contract","addedAt":"2023-10-18T09:00:00.000Z","revision":1,"description":"Primacy of Impact Placeholder","isPrimacyOfImpact":true},{"id":"3QyQ2cTrZm37OGedmcK6t8","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/facilitators/gsm/Gsm.sol","type":"smart_contract","addedAt":"2024-02-08T13:54:19.068Z","revision":2,"description":"GSM","isPrimacyOfImpact":null},{"id":"2IKmmA1tq98gq1I8paikwI","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/facilitators/gsm/priceStrategy/FixedPriceStrategy.sol","type":"smart_contract","addedAt":"2024-02-08T13:54:16.697Z","revision":2,"description":"FixedPriceStrategy","isPrimacyOfImpact":null},{"id":"2ovENtMB652Xw6bF3uyOaw","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/facilitators/gsm/feeStrategy/FixedFeeStrategy.sol","type":"smart_contract","addedAt":"2024-02-08T13:54:14.373Z","revision":2,"description":"FixedFeeStrategy","isPrimacyOfImpact":null},{"id":"ZupJdaEvSeRVl9woU4g4E","url":"https://github.com/bgd-labs/solidity-utils/blob/7a7548c1d01f011febdb1c0d47e52c7ec6c30f9d/src/contracts/transparent-proxy/TransparentUpgradeableProxy.sol","type":"smart_contract","addedAt":"2024-02-08T13:54:12.368Z","revision":1,"description":"TransparentUpgradeableProxy","isPrimacyOfImpact":null},{"id":"4pRObNANN7umiful4xhFBW","url":"https://github.com/bgd-labs/aave-governance-v3/blob/main/src/contracts/Governance.sol","type":"smart_contract","addedAt":"2024-03-11T17:42:27.462Z","revision":1,"description":"Governance","isPrimacyOfImpact":null},{"id":"4LB6gYGY9kRfrPV5c0vJgf","url":"https://github.com/bgd-labs/aave-governance-v3/blob/main/src/contracts/voting/VotingStrategy.sol","type":"smart_contract","addedAt":"2024-03-11T17:42:44.848Z","revision":1,"description":"VotingStrategy","isPrimacyOfImpact":null},{"id":"4QCdgeuuyGW2MxwDHFJUbO","url":"https://github.com/bgd-labs/aave-gover
nance-v3/blob/main/src/contracts/GovernancePowerStrategy.sol","type":"smart_contract","addedAt":"2024-03-11T17:43:00.305Z","revision":1,"description":"GovernancePowerStrategy","isPrimacyOfImpact":null},{"id":"52MpUc847COKlWmQh9Q656","url":"https://github.com/bgd-labs/aave-governance-v3/blob/main/src/contracts/voting/VotingMachine.sol","type":"smart_contract","addedAt":"2024-03-11T17:43:15.202Z","revision":1,"description":"VotingMachine","isPrimacyOfImpact":null},{"id":"6ymG4yBsmWMdmlfbzyqspE","url":"https://github.com/bgd-labs/aave-governance-v3/blob/main/src/contracts/voting/DataWarehouse.sol","type":"smart_contract","addedAt":"2024-03-11T17:43:29.915Z","revision":1,"description":"DataWarehouse","isPrimacyOfImpact":null},{"id":"1MRymBH8PVpQWBnAsImJ0y","url":"https://github.com/bgd-labs/aave-governance-v3/blob/main/src/contracts/payloads/Executor.sol","type":"smart_contract","addedAt":"2024-03-11T17:43:43.827Z","revision":1,"description":"Executor","isPrimacyOfImpact":null},{"id":"60jJ6k00ziD4l7Qdr6l6Uw","url":"https://github.com/bgd-labs/aave-governance-v3/blob/main/src/contracts/payloads/PayloadsController.sol","type":"smart_contract","addedAt":"2024-03-11T17:43:57.769Z","revision":1,"description":"PayloadsController","isPrimacyOfImpact":null},{"id":"6F8N0uk8jg4s8TOdqlcO8S","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/gho/UpgradeableGhoToken.sol","type":"smart_contract","addedAt":"2024-09-09T09:16:52.033Z","revision":2,"description":"UpgradeableGhoToken","isPrimacyOfImpact":null},{"id":"7GJvCoGUKQHBeSvEgWcEWM","url":"https://github.com/aave/ccip/blob/d5c6cedde6fbca9890a92a55f2db80e94793d0ec/contracts/src/v0.8/ccip/pools/GHO/UpgradeableLockReleaseTokenPool.sol","type":"smart_contract","addedAt":"2024-09-09T09:38:00.647Z","revision":2,"description":"UpgradeableLockReleaseTokenPool","isPrimacyOfImpact":null},{"id":"4lIvvl6RLZoqJDE0wIDh7J","url":"https://github.com/aave/ccip/blob/d5c6cedde6fbca9890a92a55f2db80e94793d0ec/contracts/src/v0.8/ccip
/pools/GHO/UpgradeableBurnMintTokenPool.sol","type":"smart_contract","addedAt":"2024-09-09T09:38:18.362Z","revision":2,"description":"UpgradeableBurnMintTokenPool","isPrimacyOfImpact":null},{"id":"1zOz5JTci5wGYwCVlZCpOy","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/gho/GhoToken.sol","type":"smart_contract","addedAt":"2025-09-05T06:59:06.800Z","revision":1,"description":"GhoToken","isPrimacyOfImpact":null},{"id":"7gdYLmNdsrRXacJJTj1uBp","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/facilitators/flashMinter/GhoFlashMinter.sol","type":"smart_contract","addedAt":"2025-09-05T07:00:03.472Z","revision":3,"description":"GhoFlashMinter","isPrimacyOfImpact":null},{"id":"4LRy8ODtyfhylBTBW7Qekc","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/facilitators/gsm/Gsm4626.sol","type":"smart_contract","addedAt":"2025-09-05T07:02:17.980Z","revision":1,"description":"GSM4626","isPrimacyOfImpact":null},{"id":"4DYOMhhnlzWOhM5j6eSG4n","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/facilitators/gsm/priceStrategy/FixedPriceStrategy4626.sol","type":"smart_contract","addedAt":"2025-09-05T07:02:33.447Z","revision":1,"description":"FixedPriceStrategy4626","isPrimacyOfImpact":null},{"id":"35CraxY2DjuqK1K9VQZq75","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/facilitators/gsm/GhoReserve.sol","type":"smart_contract","addedAt":"2025-09-05T07:02:46.653Z","revision":1,"description":"GhoReserve","isPrimacyOfImpact":null},{"id":"1Pb2eGWCsyDNA5w7JMgMCx","url":"https://github.com/aave-dao/gho-origin/blob/main/src/contracts/facilitators/gsm/OwnableFacilitator.sol","type":"smart_contract","addedAt":"2025-09-05T07:02:59.331Z","revision":1,"description":"OwnableFacilitator","isPrimacyOfImpact":null}],"assetsBodyV2":"All code of Aave can be found at [https://github.com/aave-dao](https://github.com/aave-dao), [https://github.com/aave/](https://github.com/aave/), 
and [https://github.com/bgd-labs](https://github.com/bgd-labs). All production addresses can be found at [https://github.com/bgd-labs/aave-address-book/tree/main](https://github.com/bgd-labs/aave-address-book/tree/main).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-10-18T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5nVG9oUSZ05hb2dlIuqPU6/5d6e4c5db151fdd8fb48448990056e05/Screenshot_2024-08-12_at_5.37.45___PM.png","maxBounty":1000000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials or the compromise of access-controlled functions \n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Incorrect data supplied by third party oracles\n   - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts, including those based on an asset with low trading volume. That will be considered as belonging to risk control of the protocol, and not eligible in this bug bounty program.\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n- Impacts requiring the use of non-active features including those not available due to configurations (e.g. risk parameters, flags).\n\nThe following activities are prohibited by this bug bounty program:\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Asset Management","DAO","Lending","Stablecoin","Staking"],"programOverview":"Aave is a decentralized non-custodial liquidity protocol where users can participate as suppliers or borrowers in a common pool. 
Suppliers provide liquidity to earn a passive income, while borrowers are able to borrow in an overcollateralized (perpetually) or undercollateralized (one-block liquidity) fashion.\n\nFor more information about Aave, please visit [https://aave.com/](https://aave.com/). \n\nAave provides rewards in a mix of AAVE and stablecoins. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\nAave is represented by its service providers [BGD Labs](https://twitter.com/bgdlabs) (Aave v2/v3/SM/Governance) and [Aave Labs](https://twitter.com/aaveaave) (GHO). BGD and Aave Labs act as appointed representatives of the DAO exclusively in this context, based on a successful Aave governance proposal. \n\n__KYC Requirement__\n\nThe provision of KYC may be required for a reward for this bug bounty program at the discretion of the DAO representative or representatives. If KYC is requested, the following will be required:\n- Live video call where the following may be asked:\n   - Government-issued ID \n\nKYC will not be required for bug reports classified with a severity level of Medium or Low.\n\n__Responsible Publication__\n\nAave adheres to category 3. This Policy determines what information whitehats are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nAave adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract - Critical - Major manipulation of governance voting result deviating from voted outcome, whenever protection mechanisms (e.g. cancellation of proposal) can’t mitigate the damage. 
\n- Smart Contract - Critical - Direct theft of any user funds classified as the principal, whether at-rest or in-motion, if more than 100 USD value and representing minimum 1% of the user’s position.\n- Smart Contract - Critical - Permanent locking of user funds classified as the principal, whenever no rescue of any type can be performed.\n\nIf an impact is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program. Only sub-systems of Aave and sub-systems of GHO explicitly mentioned in the section “Other Terms and Information” are considered as owned by the project, anything outside that is not eligible for any bounty. When submitting a report, just select the Primacy of Impact asset placeholder. If the impact affects something in any of the related GitHub repositories, select the placeholder containing the link to the specific repository instead. \n\nIf the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files, as well as non-active features, defined as features that 1) are not introduced in production and 2) are not able to be used due to configurations of the protocol, are not covered under the Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n\n__Immunefi Standard Badge__\n\nAave has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209), which is given to projects that adhere to our best practices. \n\n__Governance-Run Program__\n\nThis bug bounty program is governed by a governance proposal. 
To view the governance proposal poll, visit [https://app.aave.com/governance/proposal/?proposalId=325](https://app.aave.com/governance/proposal/?proposalId=325).","programType":["Smart Contract"],"project":"AAVE","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 1 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.\nThere needs to be an absolute minimum of USD 10 000 at risk in order to be considered Critical.\n\n__Reward Calculation for Direct theft of any funds in the Aave Treasury__\n\nFor the impact “Direct theft of any funds in the Aave Treasury”, which is considered as High, the reward amount is 10% of the funds directly affected up to a maximum of USD 75 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded.\nThere needs to be a minimum of USD 5 000 at risk in order to be considered as High affecting the Aave Treasury.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, the amount of funds at risk will be calculated within the first 45 minutes from the first attack, inclusive, no matter how many times the attack can be executed within that time frame, as demonstrated by the PoC provided by the security researcher. \n\nExample 1: if a vulnerability is discovered that can steal USD 1 million 30 times within 45 minutes from the first execution of the attack, then the funds at risk is considered as USD 30 million. 
\n\nExample 2: if a vulnerability is discovered that can steal USD 1 million once every 45 minutes from the first execution of the attack, then the funds at risk is considered as USD 1 million.\n\nHowever, for smart contracts directly holding funds that can’t be protected, if a discovered vulnerability includes the temporary locking of funds that could otherwise be withdrawn and thus prevented from being stolen but still accessible to the exploiter to take the funds, the time is extended to the exact same time as temporary locking. Extensions of the temporary locking that introduce a gap where withdrawals can happen will not be considered. \n\n\n__Reward Calculation for High Level Reports__\n\nHigh smart contract vulnerabilities will be capped at up to 100% of the funds affected. In the event of temporary locking, the reward doubles for every additional 3600 blocks that the funds or NFTs could be temporarily locked, rounded down to the nearest multiple of 3600 blocks, up to the hard cap of USD 75 000. However, there is a further hard cap of 1000% of the funds affected after the multiplier effect of the duration of temporary locking. \n\nIf the duration of temporary locking is 3600 blocks or less, then the severity level will be reduced to Medium if the amount is equal to or greater than USD 1 000 000. If not, the severity level will be downgraded to Low. \n\nThere needs to be a minimum of USD 5 000 at risk in order for a report to be considered High.\n\nUnless downgraded, all bug reports with a severity level of High at the end of the evaluation of the bug report will have a minimum reward of USD 10 000. \n\n__Restrictions on Security Researcher Eligibility__\n\nSecurity researchers who fall under any of the following are INELIGIBLE for a reward:\n\n- Official Contributors, defined as:\n   - Developers who have worked on Aave Labs, BGD, or any other party officially engaged with the DAO for the development of the contracts in scope. 
\n   - Security auditors/firms that directly or indirectly participated in the review of the code impacted. For example, an audit firm/security researcher who audited Aave v3.1 is not eligible for bounties regarding any problem related with v3.1.\n   - White-hats who already reported the same type of bug, with the same type defined as easy to infer by an Aave-expert party, like the Immunefi reviewers.\n\nSecurity researchers who fall under any of the following are explicitly ELIGIBLE for a reward:\n- Independent security researchers who didn’t officially review the part of the code impacted.\n- Independent contributors to Aave via sporadic commits.\n- Former Official Contributors are eligible if their last contribution has been more than 24 months before the bug report. \n\n\n__Previous Audits__\n\nGHO\n\n- https://github.com/aave-dao/gho-origin/blob/main/audits/2023-03-01_ABDK.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/audits/2022-08-12_Openzeppelin-v1.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/audits/2022-11-10_Openzeppelin-v2.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/audits/2023-07-06_SigmaPrime.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/audits/2023-09-20_GSM_Stermi.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/audits/2023-10-23_GSM_SigmaPrime.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/certora/reports/Aave_Gho_Formal_Verification_Report.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/certora/reports/Formal_Verification_Report_of_GHO_Stability_Module.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/audits/2024-06-11_UpgradeableGHO_Certora.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/audits/2024-09-15_ModularGhoStewards_Certora.pdf\n- https://github.com/aave-dao/gho-origin/blob/main/audits/2025-07-15_RemoteGSM_Certora.pdf\n\n\nV3.3\n- https://github.com/aave-dao/aave-v3-origin/blob/main/audits/2024-11-07_Certora_Aave-v3.3.0.pdf\n- 
https://github.com/aave-dao/aave-v3-origin/blob/main/audits/2024-10-22_StErMi_Aave-v3.3.pdf\n- https://github.com/aave-dao/aave-v3-origin/blob/main/audits/2025-01-29_Oxorio_Aave-v3.3.0.pdf\n- https://github.com/aave-dao/aave-v3-origin/blob/main/audits/2025-01-22_Sherlock_Aave-v3.3.0.pdf\n\nV3.2\n- https://github.com/aave-dao/aave-v3-origin/blob/main/audits/2024-09-10_Certora_Aave-v3.2_Stable_Rate_Removal.pdf\n- https://github.com/aave-dao/aave-v3-origin/blob/main/audits/2024-09-30_Enigma_Aave-v3.2.pdf\n- https://github.com/aave-dao/aave-v3-origin/blob/main/audits/2024-09-19_Certora_Aave-v3.2_Liquid_eModes.pdf\n- https://github.com/aave-dao/aave-v3-origin/blob/main/audits/2024-09-12_Oxorio_Aav3-v3.2.pdf\n- https://github.com/aave-dao/aave-v3-origin/blob/main/audits/2024-09-15_Pashov_Aave-v3.2.pdf\n\nV3.1\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/30-04-2024_Certora_AaveV3.1.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/30-04-2024_Certora_AaveV3.1.pdf)\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/02-05-2024_MixBytes_AaveV3.1.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/02-05-2024_MixBytes_AaveV3.1.pdf)\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/02-06-2024-Cantina-contest-AaveV3.1.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/02-06-2024-Cantina-contest-AaveV3.1.pdf)\n\nV3.0.1 and V3.0.2\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/23-12-2022_SigmaPrime_AaveV3-0-1.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/23-12-2022_SigmaPrime_AaveV3-0-1.pdf)\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/03-2023_2023_Certora_AaveV3-0-2.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/03-2023_2023_Certora_AaveV3-0-2.pdf)\n- 
[https://github.com/aave-dao/aave-v3-origin/blob/main/audits/09-12-2022_PeckShield_AaveV3-0-1.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/09-12-2022_PeckShield_AaveV3-0-1.pdf)\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/19-04-2023_SigmaPrime_AaveV3-0-2.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/19-04-2023_SigmaPrime_AaveV3-0-2.pdf)\n\nV3.0.0\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/27-01-2022_ABDK_AaveV3.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/27-01-2022_ABDK_AaveV3.pdf)\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/27-01-2022_SigmaPrime_AaveV3.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/27-01-2022_SigmaPrime_AaveV3.pdf)\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/14-01-2022_PeckShield_AaveV3.pdf](https://github.com/aave-dao/aave-v3-origin/blob/main/audits/14-01-2022_PeckShield_AaveV3.pdf)\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/07-01-2022_TrailOfBits_AaveV3.pdf](https://github.com/aave/aave-v3-core/blob/master/audits/07-01-2022_TrailOfBits_AaveV3.pdf)\n- [https://github.com/aave-dao/aave-v3-origin/blob/main/audits/01-11-2021_OpenZeppelin_AaveV3.pdf](https://github.com/aave/aave-v3-core/blob/master/audits/01-11-2021_OpenZeppelin_AaveV3.pdf)\n\nAave has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward. 
However, you are encouraged to review these audits in order to get a better understanding of the codebase\n\n__V2__\n\n- [https://github.com/aave/protocol-v2/tree/master/audits](https://github.com/aave/protocol-v2/tree/master/audits)\n\n__Aave Governance V3__\n\n- [https://github.com/bgd-labs/aave-governance-v3/tree/main/security/sp](https://github.com/bgd-labs/aave-governance-v3/tree/main/security/sp)\n- [https://github.com/bgd-labs/aave-governance-v3/tree/main/security/certora/reports](https://github.com/bgd-labs/aave-governance-v3/tree/main/security/certora/reports)\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for all Smart Contract bug reports.\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Other Terms and Information__\n\n- “Sub-systems of Aave” are the following: Aave liquidity pools (v2 and v3 together count as one sub-system), Aave Governance, Aave treasury, and Aave Safety Module.\n- “Active liquidity pool instances” are Aave v2 in Ethereum, Polygon and Avalanche; Aave v3 in Ethereum, Polygon, Avalanche, Optimism, Arbitrum, Metis, Base, GnosisChain, BNBChain, Scroll, ZKSync Era and Linea.\n- “Aave Treasury” is defined as each one of the Aave Collector smart contracts in the different networks, connected to “Active liquidity pool instances”. 
Only components of these instances are considered active and eligible for bounties, no matter if included or not in aave-address-book.\n- “Active safety module instances” are: stkAAVE, stkABPT and stkGHO.\n- “Sub-systems of GHO” are the following: GHO stablecoin, GHO reserve of the Aave Pool, GHO FlashMinter, GHO Stability Module (GSM and GSM4626), CCIP GHO bridge, GHO stewards and GHO Remote Facilitators.\n- “GHO stablecoin” contracts are: upgradeable and non-upgradeable versions of the GHO ERC20 Token in Ethereum, Arbitrum and Base.\n- “GHO reserve of the Aave Pool” are the contracts that enable the Aave Pool on Ethereum to work as a GHO Facilitator (GhoAToken, GhoVariableDebtToken, GhoStableDebtToken, GhoDiscountRateStrategy and GhoOracle).\n- “GHO Stability Module (GSM)” are contracts that enable GHO-USDC and GHO-USDT swaps in Ethereum (GSM, FixedPriceStrategy and FixedFeeStrategy). The GHO Token and the facilitators listed as assets in scope (including the GHO reserve of the Aave Pool, GHO FlashMinter and GSM) are covered.\n- “CCIP GHO bridge” are contracts facilitating the transfer of GHO between Ethereum, Arbitrum and Base networks.\n- “GHO stewards” are a set of contracts that manage parameter updates related to the security, risk and growth of GHO.\n- “GHO Remote Facilitators” are a set of contracts (primarily OwnableFacilitator and GhoReserve) that define and enable distribution strategies of GHO on remote chains.\n- Only components of these instances are considered active and eligible for bounties, no matter if included or not in aave-address-book.\n- Whenever the same bug is fixed or otherwise mitigated in any instance of the same sub-system, it is considered as known by the project and not eligible for bounty.\n- Exploits that are a consequence of newly public information will be considered only if they are non-evident. 
Examples:\n   - Evident - A stablecoin (listed on Aave) gets exploited and that has immediate consequences on Aave via borrowing attacks or others.\n   - Non-evident - A Solidity compiler bug is found, and some logic used on Aave is affected. In addition, the nature of the way the bug affects Aave is totally different from what is disclosed in said compiler bug.\n- On attacks involving market manipulation, a solid and realistic scenario needs to be presented in order for the bug report to be considered eligible for consideration.\n   - Realistic Scenario Example - Manipulation of an asset listed as collateral is possible via flash loans, allowing for borrowing of all available liquidity.\n   - Non-Realistic Scenario Example - Manipulation of an asset listed as collateral, but not via flash loans, which depends on a CL (Chainlink) oracle update with the manipulated price and puts considerable capital at risk.\n- Attacks whose losses materialize via market dynamics, like shorting of AAVE in parallel with the exploit, will not take into account that component when determining the severity level. Thus, other impacts according to the Impacts in Scope Table will be considered when determining the severity level of the bug report.\n- Precision effects on aTokens and other tokenization (due to balances growing) are out of scope unless they enable a provable new attack vector involving loss of funds.\n- Loss of rewards-to-be-accrued is not considered a loss of funds; only rewards already accrued are assessed as such. Reports involving only rewards-to-be-accrued are downgraded to Medium. \n- For all assets labeled as “Aave v2” and deployed on the Ethereum network, only Critical and High impacts are in-scope. 
\n- For all assets labeled as “Aave v2” and deployed on networks other than Ethereum, including L2s on Ethereum, only Critical impacts are in-scope.\n- In the event that a vulnerability exists on the GitHub file but not on the most recently deployed contract, this may be due to actions taken to fix a vulnerability quietly and that public announcement is still being planned, or any other internal operational procedure. Thus, in order to be eligible for a reward, the vulnerability must exist both in the deployed smart contract and the respective GitHub file in the Assets in Scope table, otherwise the bug report will be considered as invalid.\n- All addresses of eligible assets can be found on the following links:\n   - Aave v2 Ethereum: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV2Ethereum.sol\n   - Aave v2 Polygon: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV2Polygon.sol\n   - Aave v2 Avalanche: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV2Avalanche.sol\n   - Aave v3 and Governance Ethereum: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Ethereum.sol, https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Ethereum.sol, https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3EthereumLido.sol\n   - Aave v3 Polygon: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Polygon.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Polygon.sol\n   - Aave v3 Optimism: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Optimism.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Optimism.sol\n   - Aave v3 Arbitrum: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Arbitrum.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Arbitrum.sol\n   - Aave v3 Avalanche: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Avalanche.sol 
https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Avalanche.sol\n   - Aave v3 Metis: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Metis.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Metis.sol\n   - Aave v3 Base: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Base.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Base.sol\n   - Aave v3 Gnosis: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Gnosis.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Gnosis.sol\n   - Aave v3 BNBChain: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3BNB.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3BNB.sol\n   - Aave v3 Scroll: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Scroll.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Scroll.sol\n   - Aave v3 ZKSync Era: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3ZkSync.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3ZkSync.sol\n   - Aave v3 Linea: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveV3Linea.sol https://github.com/bgd-labs/aave-address-book/blob/main/src/GovernanceV3Linea.sol\n   - Aave Safety Module: https://github.com/bgd-labs/aave-address-book/blob/main/src/AaveSafetyModule.sol\n   - GHO Ethereum: https://github.com/bgd-labs/aave-address-book/blob/main/src/GhoEthereum.sol\n   - GHO Arbitrum: https://github.com/bgd-labs/aave-address-book/blob/main/src/GhoArbitrum.sol\n   - GHO Base: https://github.com/bgd-labs/aave-address-book/blob/main/src/GhoBase.sol\n   - GHO Avalanche: https://github.com/bgd-labs/aave-address-book/blob/main/src/GhoAvalanche.sol\n   - GHO Gnosis: https://github.com/bgd-labs/aave-address-book/blob/main/src/GhoGnosis.sol\n\n- The following assets have their inheritance chain of contracts also 
included as in-scope for the bug bounty program within the limitations of the respective asset being in v2, v3 or GHO. The OpenZeppelin base contract, however, is not considered as in-scope. If you find a bug in the inheritance chain of contracts, select the related asset in the Assets in Scope table.\n   - Aave v2 LendingPool \n   - Aave v2 AToken\n   - Aave v2 VariableDebtToken\n   - Aave v2 StableDebtToken\n   - Aave v3 Pool\n   - Aave v3 AToken\n   - Aave v3 VariableDebtToken\n   - Aave v3 StableDebtToken\n   - Aave v3 RewardsController\n   - Aave v3 StakedAaveV3\n   - Governance\n   - VotingStrategy\n   - GovernancePowerStrategy\n   - VotingMachine\n   - PayloadsController\n   - GhoToken\n   - UpgradeableGhoToken\n   - UpgradeableLockReleaseTokenPool\n   - UpgradeableBurnMintTokenPool\n \n- The following assets are based on Chainlink’s Cross-Chain Interoperability Protocol (CCIP) [v1.5.1](https://github.com/smartcontractkit/ccip/tree/v2.14.0-ccip1.5.1) and are covered by the Chainlink Immunefi Bug Bounty Program. Only logic related to GHO and specifically added for GHO integration (including inheritance chain of contracts, except the OpenZeppelin base contract) is within the program’s scope.\n   - UpgradeableLockReleaseTokenPool\n   - UpgradeableBurnMintTokenPool\n\n\n__Reward Payment Terms__\n\nPayouts are handled by the Aave DAO directly, but in coordination with BGD and Aave Labs, and are denominated in USD. However, payments are done in a mix of AAVE and a stablecoin tightly correlated to USD 1 (average deviation of 0.5% or less over the 1 month preceding the submission of the bug report), at the discretion of BGD Labs. \n\nThe calculation of the net amount rewarded is based on the average price of the past 30 days immediately preceding the bug report time. For avoidance of doubt, this will be calculated as exactly 720 hours preceding the bug report time. However, the stablecoin used will always have an effective value of USD 1. 
\n\nDue to limitations of DAO payments, each valid bug report will require its own proposal within the DAO for payment. Though this will be coordinated with the DAO representatives and the security researcher submitting the report will not be required to be involved, this delays payments to the end of each month. \n\nAs details about the bug report need to be included in the governance proposal, a proposal cannot be made until a fix has been implemented, due to the security risks of publicly disclosing a live vulnerability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"AAVE and stablecoins","slug":"aave","updatedDate":"2025-09-05T07:13:43.461Z","impactsBody":"Keep in mind the restrictions on impacts based on the respective asset:\n- For all assets labeled as “Aave v2” and deployed on the Ethereum network, only Critical and High impacts are in-scope. \n- For all assets labeled as “Aave v2” and deployed on networks other than Ethereum, including L2s on Ethereum, only Critical impacts are in-scope.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Aave is a decentralized non-custodial liquidity protocol where users can participate as suppliers or borrowers in a common pool. Suppliers provide liquidity to earn a passive income, while borrowers are able to borrow in an overcollateralized (perpetually) or undercollateralized (one-block liquidity) fashion.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. 
In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":4498,"type":"smart_contract","severity":"low","title":"Griefing"},{"id":4499,"type":"smart_contract","severity":"low","title":"Imprecision on accounting (balances, rates)"},{"id":4500,"type":"smart_contract","severity":"low","title":"Theft of gas Low"},{"id":4501,"type":"smart_contract","severity":"low","title":"Griefing"},{"id":4502,"type":"smart_contract","severity":"high","title":"Direct theft of any funds in the Aave Treasury"},{"id":4503,"type":"smart_contract","severity":"high","title":"Theft of yield, defined as 
funds not classified as the principal (not including yield yet to be earned)"},{"id":4504,"type":"smart_contract","severity":"high","title":"Permanent locking of unclaimed yield of users, defined as funds not classified as the principal (not including yield yet to be earned)"},{"id":4505,"type":"smart_contract","severity":"high","title":"Temporary locking of funds classified as the principal or funds of the Aave treasury"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":4506,"type":"smart_contract","severity":"medium","title":"Loss of rewards-to-be-accrued"},{"id":4507,"type":"smart_contract","severity":"medium","title":"Manipulation of interest rates (supply or borrow) with mechanisms not intended or limited by design"},{"id":4508,"type":"smart_contract","severity":"medium","title":"Unexpected infrastructural behavior"},{"id":4509,"type":"smart_contract","severity":"critical","title":"Major manipulation of governance voting results deviating from voted outcome, whenever protection mechanisms (e.g. 
cancellation of proposal) can’t mitigate the damage."},{"id":4510,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds classified as the principal, whether at-rest or in-motion"},{"id":4511,"type":"smart_contract","severity":"critical","title":"Permanent locking of user funds classified as the principal or funds of the Aave treasury"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":34896,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":34897,"severity":"high","assetType":"smart_contract","maxReward":75000,"minReward":10000,"rewardModel":"range"},{"id":34898,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":34899,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"6HNEgpSPXBhadzW30CnEuz","url":"https://sepolia.etherscan.io/address/0xc47c71ac21C5C02bc3B67D00Ef6bDA0f3737aefb#readProxyContract","type":"smart_contract","addedAt":"2023-09-27T14:00:00.000Z","revision":4,"description":"MATIC staker contract on Ethereum Sepolia","isPrimacyOfImpact":null},{"id":"4q2o9CMIBMMVgKOrl73j1K","url":"https://sepolia.etherscan.io/address/0x9B46d57ebDb35aC2D59AB500F69127Bb24DA62b1","type":"smart_contract","addedAt":"2023-09-27T14:00:00.000Z","revision":3,"description":"MATIC whitelist contract on Ethereum Sepolia","isPrimacyOfImpact":null},{"id":"1Y4gy1UnJxloidE0qV7GXR","url":"https://github.com/TruFin-io/staking-contracts","type":"smart_contract","addedAt":"2023-09-27T14:00:00.000Z","revision":3,"description":"MATIC staker and whitelist contracts on 
GitHub","isPrimacyOfImpact":null},{"id":"4bnP1sh6JnzeOPuSVonu4q","url":"https://explorer.aptoslabs.com/account/0x89f93b7bf55b86e26d62cb508663cd6cb8ceaa8b4ae7509b642db3848824db79/transactions?network=testnet","type":"smart_contract","addedAt":"2024-09-17T13:55:27.193Z","revision":1,"description":"APTOS staker contract on APTOS testnet","isPrimacyOfImpact":null},{"id":"I4vkSTDPmlVgslTuL3Lf6","url":"https://explorer.aptoslabs.com/account/0x480791becb289aa1ea4678a4e29cd0661d35ff364c67a2a79b8b0132f8aecf96/modules/code/master_whitelist?network=testnet","type":"smart_contract","addedAt":"2024-09-17T13:55:43.774Z","revision":1,"description":"APTOS whitelist contract on APTOS testnet","isPrimacyOfImpact":null},{"id":"1fmFIoGCYuiLIa11EGWnmd","url":"https://testnet.nearblocks.io/address/staker003.trufin.testnet?tab=txns","type":"smart_contract","addedAt":"2024-09-17T13:56:05.175Z","revision":1,"description":"NEAR staker and whitelist contracts on NEAR testnet","isPrimacyOfImpact":null},{"id":"4xZCqYU0eHrEiy8IEhGFaD","url":"https://github.com/TruFin-io/near-staker-audit","type":"smart_contract","addedAt":"2024-09-17T13:56:25.355Z","revision":1,"description":"NEAR staker and whitelist contracts on GitHub","isPrimacyOfImpact":null},{"id":"1SWj6WcLd9unsrlHpsNRvk","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2023-12-27T16:14:41.351Z","revision":2,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"6rEijUS815v8QYvLXWbrMn","url":"https://github.com/TruFin-io/smart-contracts-aptos","type":"smart_contract","addedAt":"2025-05-05T13:25:43.424Z","revision":1,"description":"APTOS staker and whitelist contracts on GitHub","isPrimacyOfImpact":null},{"id":"7D2rubAwf0WHiGjLzsMvzt","url":"https://testnet.explorer.injective.network/contract/inj1zp0ac48kpp5cpu29p7a9wureydz7374h0wqy0a/","type":"smart_contract","addedAt":"2025-05-05T13:26:04.151Z","revision":1,"description":"Injective staker and whitelist contracts on 
testnet","isPrimacyOfImpact":null},{"id":"7crDEzvl0MsAoSDXEl5hV7","url":"https://github.com/TruFin-io/cosmos-smart-contracts/tree/main/contracts/injective-staker","type":"smart_contract","addedAt":"2025-05-05T13:26:18.110Z","revision":1,"description":"Injective staker and whitelist contracts on GitHub","isPrimacyOfImpact":null},{"id":"4oNazZ5s1oygbVspZ7iQoo","url":"https://explorer.solana.com/address/6EZAJVrNQdnBJU6ULxXSDaEoK6fN7C3iXTCkZKRWDdGM?cluster=devnet","type":"smart_contract","addedAt":"2025-05-05T13:26:31.312Z","revision":1,"description":"Solana staker and whitelist contracts on testnet","isPrimacyOfImpact":null},{"id":"57XUpS9sMpLRxagtuT2iea","url":"https://github.com/TruFin-io/solana-smart-contracts","type":"smart_contract","addedAt":"2025-05-05T13:26:43.911Z","revision":1,"description":"Solana staker and whitelist contracts on GitHub","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-09-27T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7FV6YE7dX8pvcz4F3rj6yd/dbcfe60cd7b7224ea518bc580983d51d/TruFin.png","maxBounty":40000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. 
\n\n__All Categories__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Smart Contracts__\n\n- Incorrect data supplied by third party oracles\n   - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n- Impacts caused by bugs found in external libraries used by the contract\n- Best practice recommendations\n\nThe following activities are prohibited by this bug bounty program:\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"The TruFin Protocol builds institutional-grade DeFi primitives that can be used as the foundational building blocks for complex digital asset strategies to reduce risk while generating rewards, securely on-chain.\n\nTruStake vaults provide access to liquid staking on a range of networks:\n\n- MATIC staking on the Ethereum network,\n- APT staking on the Aptos network,\n- NEAR staking on the NEAR network,\n- INJ staking on the Injective network,\n- SOL staking on the Solana network.\n\nThe TruStake vaults have custom functionality that enables the allocation of rewards to designated wallet addresses, as well as auto-restaking that compounds rewards for higher APY.\n\nIn exchange for depositing assets in a TruStake vault, users receive liquid staking tokens: TruMATIC, TruAPT, TruNEAR, TruINJ and TruSOL for MATIC, APT, NEAR, INJ and SOL, respectively. \n\nThis bug bounty program is focused around the TruStake smart contracts and whitelists and is primarily concerned with the loss of user funds.\n\nRewards are allocated based on the severity of the bug disclosed. The scope, terms and rewards are at the sole discretion of the TruFin Protocol.\n\nFor more information about TruFin, please visit [https://trufin.io](https://trufin.io). \n\nTruFin provides rewards in __USDC__. For more details about the payment process, please view the __Rewards by Threat Level__ section. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nTruFin adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n\nIf an impact is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program. 
When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact. \n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n__Immunefi Standard Badge__\n\nTruFin has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"TruFin","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. 
\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. \n\n- Slashing is only enabled for Injective. Any issue related to slashing for other stakers will not be considered.\n- Apart from the Solana staker, all TruFin stakers offer an allocation feature that enables a user to allocate rewards from the staked token. The amount allocated may exceed the total value currently staked by the user, which is fine. The user will still be required to have enough tokens in their wallet at the point at which distributions are made, hence no issue related to users not having enough to cover allocation distributions will be considered a bug.\n- MATIC staker only: Issues related to changing the privacy status of validators will not be considered, as these are managed by the contract’s owners and only intended for use in rare conditions.\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the TruFin team directly and are denominated in USD. 
However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"trufin","updatedDate":"2025-09-01T13:29:27.772Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"The TruFin Protocol builds institutional-grade DeFi primitives that can be used as the foundational building blocks for complex digital asset strategies to reduce risk while generating rewards, securely on-chain. TruFin’s first product, TruStake, is a MATIC staking vault which provides access to MATIC staking on the Ethereum network.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Impacts caused by bugs found in external libraries used by the contract\n- Best practice recommendations\n","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":34716,"severity":"critical","assetType":"smart_contract","fixedReward":40000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":34717,"severity":"high","assetType":"smart_contract","fixedReward":25000,"rewardModel":"fixed"},{"id":34718,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"7IDVgk3ey1KEfAzGbvEqhz","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/GPv2AllowListAuthentication.sol","type":"smart_contract","addedAt":"2022-02-18T12:41:39.708Z","revision":2,"description":"GPv2AllowListAuthentication","isPrimacyOfImpact":null},{"id":"C1sbsgXSSEakKevP2zp4p","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/libraries/GPv2EIP1967.sol","type":"smart_contract","addedAt":"2022-02-18T12:41:42.556Z","revision":2,"description":"GPv2EIP1967","isPrimacyOfImpact":null},{"id":"6pFCPVxUXKTRcwKC0pXVNz","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/GPv2Settlement.sol","type":"smart_contract","addedAt":"2022-02-18T12:41:45.679Z","
revision":2,"description":"GPv2Settlement","isPrimacyOfImpact":null},{"id":"1dqxOYJ0E2mYeEi9i1KOdT","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/mixins/GPv2Signing.sol","type":"smart_contract","addedAt":"2022-02-18T12:41:47.929Z","revision":2,"description":"GPv2Signing.sol","isPrimacyOfImpact":null},{"id":"eieGGfuIG4mo01lrbBy69","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/mixins/StorageAccessible.sol","type":"smart_contract","addedAt":"2022-02-18T12:41:50.167Z","revision":2,"description":"StorageAccessible.sol","isPrimacyOfImpact":null},{"id":"2P61aZoKBQLSljHvSaOpF9","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/libraries/GPv2Interaction.sol","type":"smart_contract","addedAt":"2022-02-18T12:41:52.410Z","revision":2,"description":"GPv2Interaction.sol","isPrimacyOfImpact":null},{"id":"6wXVh6YCK8iormAFIWvlf0","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/libraries/GPv2Order.sol","type":"smart_contract","addedAt":"2022-02-18T12:41:54.518Z","revision":2,"description":"GPv2Order.sol","isPrimacyOfImpact":null},{"id":"4LZPwYXeFUqBmb5I2IlGXd","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/libraries/GPv2Trade.sol","type":"smart_contract","addedAt":"2022-02-18T12:41:56.952Z","revision":2,"description":"GPv2Trade.sol","isPrimacyOfImpact":null},{"id":"6aFcLI516TUcWk3NcDWftl","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/libraries/GPv2Transfer.sol","type":"smart_contract","addedAt":"2022-02-18T12:41:59.002Z","revision":2,"description":"GPv2Transfer.sol","isPrimacyOfImpact":null},{"id":"UWpnNoGWKzdGpPB0kNkuJ","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contract
s/libraries/GPv2SafeERC20.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:01.215Z","revision":2,"description":"GPv2SafeERC20.sol","isPrimacyOfImpact":null},{"id":"FFpDPF6pNigXS1aQwLZVT","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/interfaces/GPv2Authentication.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:03.465Z","revision":2,"description":"GPv2Authentication.sol","isPrimacyOfImpact":null},{"id":"1ehUC75nOi26X0LLewTjyM","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/interfaces/GPv2EIP1271.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:06.729Z","revision":2,"description":"GPv2EIP1271.sol","isPrimacyOfImpact":null},{"id":"5cLG8LL6drGflG6ZOf0h9V","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/GPv2VaultRelayer.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:09.583Z","revision":2,"description":"GPv2VaultRelayer.sol","isPrimacyOfImpact":null},{"id":"49XeDkiTg7p4gPiZdXOYRA","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/mixins/Initializable.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:11.344Z","revision":2,"description":"Initializable.sol","isPrimacyOfImpact":null},{"id":"6xpqTZ1Ms8y5SNaLtjdtc9","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/mixins/ReentrancyGuard.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:12.919Z","revision":2,"description":"ReentrancyGuard.sol","isPrimacyOfImpact":null},{"id":"5zLXpxZpaTTtkwl4ndMjzS","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/libraries/SafeCast.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:15.268Z","revision":2,"description":"SafeCast.sol","isPrimacyOfImpact":null},{"id":"7069ZHbdqxv89QwHGtOyLQ","
url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/libraries/SafeMath.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:17.885Z","revision":2,"description":"SafeMath.sol","isPrimacyOfImpact":null},{"id":"4CzqqbTzHD96QWlVwWfUa1","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/interfaces/IERC20.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:21.671Z","revision":2,"description":"IERC20.sol","isPrimacyOfImpact":null},{"id":"42VjcyHurEdBA0pYWhQ5z5","url":"https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/interfaces/IVault.sol","type":"smart_contract","addedAt":"2022-02-18T12:42:40.025Z","revision":2,"description":"IVault.sol","isPrimacyOfImpact":null}],"assetsBodyV2":"We only accept reports for issues that can be reproduced in the smart contracts deployed at the following addresses:\n0x9008d19f58aabd9ed0d60971565aa8510560ab41\n\n- Ethereum: https://etherscan.io/address/0x9008d19f58aabd9ed0d60971565aa8510560ab41#code\n- Gnosis Chain: https://gnosis.blockscout.com/address/0x9008d19f58aabd9ed0d60971565aa8510560ab41?tab=contract\n0x9e7ae8bdba9aa346739792d219a808884996db67\n\n- Ethereum: https://etherscan.io/address/0x9e7ae8bdba9aa346739792d219a808884996db67#code\n- Gnosis Chain: https://gnosis.blockscout.com/address/0x9e7ae8bdba9aa346739792d219a808884996db67?tab=contract\n0xc92e8bdf79f0507f65a392b0ab4667716bfe0110\n\n- Ethereum: https://etherscan.io/address/0xc92e8bdf79f0507f65a392b0ab4667716bfe0110#code\n- Gnosis Chain: https://gnosis.blockscout.com/address/0xc92e8bdf79f0507f65a392b0ab4667716bfe0110?tab=contract\n0x2c4c28ddbdac9c5e7055b4c863b72ea0149d8afe\n\n- Ethereum: https://etherscan.io/address/0x2c4c28ddbdac9c5e7055b4c863b72ea0149d8afe#code\n- Gnosis Chain: https://gnosis.blockscout.com/address/0x2c4c28ddbdac9c5e7055b4c863b72ea0149d8afe?tab=contract\n\nThis corresponds to commit 
6ebbd810ff2da635fb6f88e9a15fde196f8c852a in the [official repository](https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/).\n\nFor the Initializable, ReentrancyGuard, SafeCast, SafeMath, IERC20, and IVault smart contracts, this bug bounty program only accepts bug reports for the changes that were performed compared to the original, as well as any improper use of them that leads to actual issues in the contracts previously mentioned to be in scope. Any bug that is reproducible in the original vendored contract is out of scope.\n\nAny vulnerabilities mentioned in this [audit report](https://github.com/gnosis/gp-v2-contracts/blob/main/audits/GnosisProtocolV2May2021.pdf) are considered as out-of-scope.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Gnosis"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-06-15T17:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2SCCBIzc5z3ZxUhwhW1NSK/c6616b0b6f3bbacfebd5a6ea18f929dd/CoW-Protocol-icon-circle-light-purple.png","maxBounty":1000000,"outOfScopeAndRules":"Any vulnerabilities mentioned in CoW Swap’s official audits are considered out-of-scope. Audits can be found in the [official contracts repository](https://github.com/cowprotocol/contracts/tree/main/audits).\n\nAny vulnerability that has already been reported to the CoW team or the CoW DAO, whether publicly or privately, is not eligible for a bounty. 
We recommend checking if the reported vulnerability is discussed in the [issue tracker](https://github.com/cowprotocol/contracts/issues) of the CoW Swap contracts repository.\n\nSome known vulnerabilities may not (yet) have been publicly reported but are already privately known to the CoW team, or have already been discovered by other parties and communicated to the CoW team but not yet fixed. Any such reports are not eligible.\n\nThe decision of eligibility of any submitted bug reports and their assessment is at the sole discretion of the CoW team.\n\nThe following are also considered as out-of-scope:\n\n- Migration methods.\n- Services that build and submit the settlement transaction (e.g., denial of service, exploiting settlement transactions to extract value via sandwich attacks).\n- Gas efficiency improvements.\n- Any issues relating to networks other than the Ethereum Mainnet.\n- Stealing funds from the settlement contract as a solver.\n- Price manipulation from the solver, for example:\n    - Choosing the prices in a settlement so as to receive a premium from an order.\n    - Reusing the same token twice in a settlement to give different prices to different orders.\n\nThe following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n- Attacks that the reporter has already exploited themselves, leading to damage\n- Attacks requiring access to leaked keys/credentials\n- Attacks requiring access to privileged addresses (governance, strategist)\n- Basic economic governance attacks (e.g. 
51% attack)\n- Lack of liquidity\n- Best practice critiques\n- Sybil attacks\n- Running out of gas\n\nThe following activities are prohibited by bug bounty program:\n\n- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets\n- Attempting phishing or other social engineering attacks against the CoW Team and/or customers\n- Any denial of service attacks\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including unhandled exceptions\n  - Misuse/wrong trust model for dependencies\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces\n\nExamples of desired vulnerabilities/exploits\n\n  - Take funds from users’ allowances outside of a trade.\n  - Steal funds from the settlement contract as an external user (but not as the owner or a solver).\n  - Add or remove solvers without being the owner.\n  - Execute trades that have not been authorized by a user (e.g., a forged signature).\n  - Execute trades with different parameters from what the user signed 
(e.g., as sell order instead of as buy order).\n  - Execute expired trades.\n  - Replay already executed fill-or-kill orders.\n  - Execute more, in total, than the maximum amount for a partially fillable order.\n  - Execute a settlement so that the limit price of an order is not respected.\n  - Execute an interaction from the settlement contract to the vault relayer.","productType":["AMM","DEX"],"programOverview":"The CoW team, for and on behalf of and at the expense of [CoW DAO](https://forum.cow.fi/), is running a bug bounty program focused on CoW Protocol, a fully permissionless protocol that leverages batch auctions to provide MEV protection, plus integrates with on-chain liquidity sources to offer traders the best prices.\n\nFor background information, please refer to [the docs](https://docs.cow.fi/).\n\nThe bug bounty program is focused around the smart contracts and is mostly concerned with the loss of user funds. It is a seamless continuation of the bug bounty program formerly run by Gnosis.","programType":["Smart Contract"],"project":"CoW Protocol","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nThe CoW Protocol bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the CoW team bug bounty panel, on behalf of CoW DAO.\n\nThe CoW core team (whether paid directly or indirectly, incl. 
Grant Core Contributor and including external auditors) including current and former team members, which includes anyone currently or formerly paid by CoW DAO or its Service Providers as well as Gnosis, are not eligible for rewards.\n\nIn order to be eligible for a reward, bug reports must include an explanation of how the bug can be reproduced, a failing test case, and a valid scenario in which the bug can be exploited. Critical vulnerabilities with all of these have a maximum reward of __USD 1 000 000__.\n\nPayouts are processed on behalf of and at the expense of CoW DAO and are denominated in __USD__. However, payouts are done in ETH, on Ethereum mainnet.\n\nOnce the CoW team bug bounty panel accepts an eligible bug, the team shall have the right to decide on and implement the mitigation and publishing steps of the eligible bug on their own terms and timeline.\nBy submitting a bug report on this platform, the submitter agrees to extend our timeline for resolving the issue (and not to disclose the report elsewhere or to any other party, keeping the information confidential and without exploiting the vulnerability).","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ETH","slug":"cowprotocol","tenPercentEconomicRule":false,"updatedDate":"2025-08-19T16:06:40.858Z","impactsBody":"In addition to the Immunefi Severity Classification System, the following information is provided for each severity level. 
In case of discrepancies between this information and the Immunefi Severity Classification System, this information will prevail.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"The CoW team, for and on behalf of and at the expense of [CoW DAO](https://forum.cow.fi/), is running a bug bounty program focused on CoW Protocol, a fully permissionless protocol that leverages batch auctions to provide MEV protection, plus integrates with on-chain liquidity sources to offer traders the best prices.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":560,"type":"smart_contract","severity":"high","title":"Changing the order of a legitimate interaction, as well as skipping one, in a settlement"},{"id":561,"type":"smart_contract","severity":"high","title":"Removing a solver without authorization (also as a solver)"},{"id":562,"type":"smart_contract","severity":"high","title":"Making the contract unable to be operated by any solver, e.g., through self-destruction (also as a solver)"},{"id":563,"type":"smart_contract","severity":"medium","title":"Freeing storage without being a solver"},{"id":564,"type":"smart_contract","severity":"medium","title":"Invalidate an order without the permission of the user who created 
it"},{"id":565,"type":"smart_contract","severity":"critical","title":"Changing the owner address of the authentication contract as well as adding a solver without authorization"},{"id":566,"type":"smart_contract","severity":"critical","title":"Forgery of a user’s signature that would allow them to execute a funded trade without using the user’s private key"},{"id":567,"type":"smart_contract","severity":"critical","title":"Execute arbitrary settlements without being a solver"},{"id":568,"type":"smart_contract","severity":"critical","title":"Executing a user’s trade that is expired or at a price worse than the limit price (also as a solver)"},{"id":569,"type":"smart_contract","severity":"critical","title":"Transferring in tokens more than once for the same fill-or-kill order in the same settlement (also as a solver)"},{"id":570,"type":"smart_contract","severity":"critical","title":"Access to user funds outside of a trade."}],"rewards":[{"id":34341,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":34342,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":34343,"severity":"medium","assetType":"smart_contract","maxReward":10000,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"1DALQahCjVSkIb2yAQgHS8","url":"https://github.com/alpenlabs/strata-bridge","type":"smart_contract","addedAt":"2025-07-09T15:00:00.000Z","revision":1,"description":"Strata Bridge","isPrimacyOfImpact":null},{"id":"3icT4GUyOZP84UQZT47euT","url":"https://www.alpenlabs.io/","type":"websites_and_applications","addedAt":"2025-07-09T15:00:00.000Z","revision":1,"description":"Home 
page","isPrimacyOfImpact":null},{"id":"5RtmeEd6D1jsLzuRyxcxjY","url":"https://github.com/alpenlabs/bitcoind-async-client","type":"smart_contract","addedAt":"2025-07-09T15:00:00.000Z","revision":1,"description":"Operators","isPrimacyOfImpact":null},{"id":"6TsECaweG2Y65iF187gpin","url":"https://github.com/alpenlabs/alpen","type":"smart_contract","addedAt":"2025-07-09T15:00:00.000Z","revision":1,"description":"Alpen","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2025-07-09T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/ArQuLN0dlVMUaykA8FvXG/13f11c2ef20e3a0cc2fdd7f15f53c126/Alpen_Labs.png","maxBounty":5000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"_blank_","productType":null,"programOverview":"Alpen gives developers the freedom to program nearly any locking conditions for BTC imaginable, limited only by the Alpen block size and gas limits. 
This enables developers to create new kinds of applications for BTC with features such as:\n\n- New signature types, \"provide a valid P-256 signature to authorize a transfer\"\n- Vaults, \"transfers must wait N days after being initiated to be effectuated, and can be cancelled in the meantime\"\n- Subscriptions, \"address 0x123...9a can withdraw up to v BTC per month from this account\"\n- Strong privacy, \"transaction details are end-to-end encrypted and verified using a zero-knowledge proof\"\n- Economically secured zero-confirmation payments, \"if a double-spend from this sender is reported, the reporter gets to claim the sender's full wallet balance\"\n- Financial transactions, \"if enough BTC is locked as collateral to maintain up to X% loan-to-value ratio, then up to Y of this other asset can be borrowed\"\n... and many more possibilities.\n\nFor more information about Alpen Labs, please visit https://www.alpenlabs.io/.\n\nAlpen Labs provides rewards in **USD** via wire transfer. For more details about the payment process, please view the **Rewards by Threat Level** section.\n\n__KYC Requirement__\n\nAlpen Labs will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government-issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list\n- An official contributor, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nAlpen Labs adheres to **Category 3: Approval Required**. 
This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nAlpen Labs adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nAlpen Labs’s completed audit reports can be found at Project's Audits URL. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Smart Contract","Websites and Applications"],"project":"Alpen Labs","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs on testnet assets, the reward is paid as a flat amount of USD 2 500. This is because there are no actual funds at risk.\n\n__Reward Calculation for High Level Reports__\n\nFor smart contract bugs on testnet assets, the reward is paid as a flat amount of USD 2 500. This is because there are no actual funds at risk.\n\n__Reward Payment Terms__\n\nPayouts are handled by the **Alpen Labs** team directly and are denominated in **USD**. 
However, payments are done via wire transfer.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"alpen-labs","tenPercentEconomicRule":false,"updatedDate":"2025-08-14T06:52:18.878Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Alpen gives developers the freedom to program nearly any locking conditions for BTC imaginable, limited only by the Alpen block size and gas limits.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, 
etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"}],"rewards":[{"id":32041,"severity":"critical","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":32042,"severity":"high","assetType":"smart_contract","maxReward":2000,"rewardModel":"up_to"},{"id":32043,"severity":"critical","assetType":"websites_and_applications","maxReward":2000,"rewardModel":"up_to","otherImpactMaxReward":0},{"id":32044,"severity":"high","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"7LOvHOYE1ihY4QLfgHbFOM","url":"https://stake.link/","type":"websites_and_applications","addedAt":"2025-08-05T14:08:20.792Z","revision":1,"description":"The POST /v1/consent endpoint is out of scope.","isPrimacyOfImpact":null},{"id":"1Du1D36aOIJFnDTBIk9R5f","url":"https://etherscan.io/address/0x8753C00D1a94D04A01b931830011d882A3F8Cc72","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"stLINK Reward 
Pool","isPrimacyOfImpact":null},{"id":"1TXBlLdUrfwBRvVWetzASJ","url":"https://etherscan.io/address/0x911D86C72155c33993d594B0Ec7E6206B4C803da","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"wstLINK","isPrimacyOfImpact":null},{"id":"1ctAtGc5NKb0lGdySom9fr","url":"https://etherscan.io/address/0x4852e48215A4785eE99B640CACED5378Cc39D2A4","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"Operator VCS","isPrimacyOfImpact":null},{"id":"3MXaFvBObvaErd1J2ZhgdV","url":"https://etherscan.io/address/0xAc12290b097f6893322F5430627e472131fBC1B5","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"Community VCS","isPrimacyOfImpact":null},{"id":"3pflFBcwjxRuILV6OieMnw","url":"https://etherscan.io/address/0xDdC796a66E8b83d0BcCD97dF33A6CcFBA8fd60eA","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"LINK Priority Pool","isPrimacyOfImpact":null},{"id":"4hK8dmzAjjt8akbAgArJ9K","url":"https://etherscan.io/address/0xd2e7381d8d3FcC97C1b4d88761bDBc8Dd26a0200","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"LINK Fund Flow Controller","isPrimacyOfImpact":null},{"id":"5dspalOrZnWW0zr3qmTFXR","url":"https://etherscan.io/address/0xa60B5146E44ff755e32BD51532842ceB41D0C248","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"LINK Withdrawal 
Pool","isPrimacyOfImpact":null},{"id":"6KRlau2OayiEPv95M7sIGO","url":"https://arbiscan.io/address/0x3106E2e148525b3DB36795b04691D444c24972fB","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"wstLINK","isPrimacyOfImpact":null},{"id":"6WmVuSV4mk8JDmm40LZHff","url":"https://etherscan.io/address/0xa95c5ebb86e0de73b4fb8c47a45b792cfea28c23","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"SDL","isPrimacyOfImpact":null},{"id":"7EwTMUQob8D3LeefuLHvKL","url":"https://arbiscan.io/address/0xdFeA35757264F5b6C0ff21104151D9F991D0eEC0","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"BurnMint","isPrimacyOfImpact":null},{"id":"7jn2CkwIWl2nlyLHgsm7XJ","url":"https://etherscan.io/address/0xb8b295df2cd735b15be5eb419517aa626fc43cd5","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"LINK Staking Pool","isPrimacyOfImpact":null},{"id":"7rkjjxI7ZckgGJWkGlPm7u","url":"https://etherscan.io/address/0xc1b7a5346c4342D352205DEEB15b049f567Da740","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"LINK Staking Proxy / Feeder Pool","isPrimacyOfImpact":null},{"id":"7vCbWbRiLQ0Dfpj5CVuo0a","url":"https://etherscan.io/address/0x1711e93eec78ba83D38C26f0fF284eB478bdbec4","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"LINK Rebase Controller","isPrimacyOfImpact":null},{"id":"g20KadIyXBR2bw0EM5JFU","url":"https://etherscan.io/address/0x0B2eF910ad0b34bf575Eb09d37fd7DA6c148CA4d","type":"smart_contract","addedAt":"2025-05-14T14:28:00.000Z","revision":1,"description":"SDL Pool","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: 
Essential","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-05-14T14:28:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2DFddPat9vGtsloyhopG4W/fc67e2d19d40c48e337757925278ca96/stake.link.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - low","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilites are prioritized according to impact and/or severity.","productType":["Liquid Staking"],"programOverview":"stake.link is the first of its kind delegated liquid staking protocol for Chainlink Staking. Powered and governed by the protocol token SDL, with DeFi interoperability enabled by the liquid staking receipt token stLINK, the stake.link protocol enables anyone to provide LINK collateral to and receive a share of rewards from the most reliable and performant Chainlink node operators.\n\nFor more information about stake.link, please visit [https://stake.link/](https://stake.link/)\n\nstake.link provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nstake.link will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nstake.link adheres to **category 3 - Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nstake.link adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nstake.link’s completed audit reports can be found at [https://github.com/stakedotlink/contracts/tree/main/audits](https://github.com/stakedotlink/contracts/tree/main/audits). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Smart Contract","Websites and Applications"],"project":"stake.link","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 5 000 to USD 10 000 depending on the funds at risk, capped at the maximum high reward.  \n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nFor critical web/apps bug reports will be rewarded with USD 10 000, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 5 000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the stake.link team directly and are denominated in USD. However, payments are done in USDC on Ethereum\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"stakelink","tenPercentEconomicRule":false,"updatedDate":"2025-08-05T14:08:33.515Z","impactsBody":null,"websiteUrl":"https://stake.link","githubUrl":"https://github.com/stakedotlink","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"stake.link is the first of its kind delegated liquid staking protocol for Chainlink Staking. Powered and governed by the protocol token SDL, with DeFi interoperability enabled by the liquid staking receipt token stLINK, the stake.link protocol enables anyone to provide LINK collateral to and receive a share of rewards from the most reliable and performant Chainlink node operators.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":38,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT URI"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration 
information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":40,"type":"websites_and_applications","severity":"critical","title":"Changing NFT metadata"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site 
data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, etc."},{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:\n- Locking up the victim from login\n- Cookie bombing, etc."}],"rewards":[{"id":28877,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":28878,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":28879,"severity":"medium","assetType":"smart_contract","maxReward":2000,"rewardModel":"up_to"},{"id":28880,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":28881,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":28882,"severity":"high","assetType":"websites_and_applications","maxReward":4000,"rewardModel":"up_to"},{"id":28883,"severity":"medium","assetType":"websites_and_applications","maxReward":2000,"rewardModel":"up_to"},{"id":28884,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3b6KyQ6vdZAps4xiBhm9XS","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.borrow-helper-v2-1-6?chain=mainnet","type":"smart_contract","addedAt"
:"2025-07-31T15:50:30.540Z","revision":1,"description":"Borrow helper","isPrimacyOfImpact":null},{"id":"5dxpFqZlCNo4bxg3qbLUIr","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.pool-borrow-v2-4?chain=mainnet","type":"smart_contract","addedAt":"2025-07-31T15:50:30.524Z","revision":1,"description":"Pool borrow","isPrimacyOfImpact":null},{"id":"4EVVtLvjIZxJjZFNxO5MJY","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.liquidation-manager-v2-3?chain=mainnet","type":"smart_contract","addedAt":"2025-07-31T15:50:30.534Z","revision":1,"description":"Liquidation Manager","isPrimacyOfImpact":null},{"id":"1CE7fJnRlgW0jmP5W5Prfg","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zsbtc-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:43:24.070Z","revision":1,"description":"zsbtc-v2-0","isPrimacyOfImpact":null},{"id":"1gMtFAFtwqlgN9MLYPPWVy","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zusdh-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:42:16.345Z","revision":1,"description":"zusdh-v2-0","isPrimacyOfImpact":null},{"id":"1jRIBZNUPIac1q1yg9YBOQ","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-03-11T01:01:00.000Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"1vmAGDZnhUhx0900I9dqfb","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zusda-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:41:37.779Z","revision":1,"description":"zusda-v2-0","isPrimacyOfImpact":null},{"id":"23CTrw4A9PlY14TKOT1hxm","url":"https://explorer.hiro.so/txid/0xfdb10cdd68f72265e8e6ca50e488f34022d1652df3da6d1886c9acdfad14de0c?chain=mainnet","type":"smart_contract","addedAt":"2024-03-11T01:01:00.000Z","revision":2,"description":"zststx-v2-0","isPrimacyOfImpact":null},{"id":"2eawiuGOWGorjKnr4J2JGb","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zaeusdc-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2024-03-11T01:01:00.000Z","revision":2,"description":"zaeusdc-v2-0","isPrimacyOfImpact":null},{"id":"2griBKwT2S4tFQ9uUi5V8a","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zsusdt-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2024-03-11T01:01:00.000Z","revision":2,"description":"zsusdt-v2-0","isPrimacyOfImpact":null},{"id":"2kQ8DOLka0nVWL7GbEJ9iZ","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.math-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:45:09.958Z","revision":1,"description":"math-v2-0","isPrimacyOfImpact":null},{"id":"350Cen6mmLm33QWCWy0wFE","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zsbtc-token?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:43:38.513Z","revision":1,"description":"zsbtc-token","isPrimacyOfImpact":null},{"id":"37R8nh3griQ6pw97Fk2rtH","url":"https://explorer.hiro.so/txid/0x5ae326829249e3af84327ddbd56e3c0a27935bf02796c24b403ead298fbb5802?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:44:57.829Z","revision":1,"description":"pool-vault","isPrimacyOfImpact":null},{"id":"3JkKW3SalPiSWMBhOGrlHN","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBH
QAW3R3ZW1QF4N.zdiko-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:38:37.176Z","revision":1,"description":"zdiko-token","isPrimacyOfImpact":null},{"id":"3gGeDafw7QHoHTch7hEAJn","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zusdh-token?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:42:41.145Z","revision":1,"description":"zusdh-token","isPrimacyOfImpact":null},{"id":"3idek2rnhSrpp6TwO5zbbK","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zusda-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:42:01.426Z","revision":1,"description":"zusda-token","isPrimacyOfImpact":null},{"id":"4DC4Z0GpuubbJ1ErW5EymW","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zdiko-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:38:18.316Z","revision":1,"description":"zdiko-v2-0","isPrimacyOfImpact":null},{"id":"5OKbGkE6CM8H5z1AAetdoV","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zwstx-token?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:43:08.055Z","revision":1,"description":"zwstx-token","isPrimacyOfImpact":null},{"id":"5UXxeRXxlg5I80ScWno3Hv","url":"https://explorer.hiro.so/txid/0xad360b87fdf5979eed34ab667111782e508ab356cb10cd2e363d2917ff9f6d43?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:44:28.555Z","revision":1,"description":"pool-0-reserve","isPrimacyOfImpact":null},{"id":"5XCAfOVBFGcsNITpxSYmyi","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zststx-token?chain=mainnet","type":"smart_contract","addedAt":"2024-03-11T01:01:00.000Z","revision":2,"description":"zststx-token","isPrimacyOfImpact":null},{"id":"67g3HQoWb9XaIEXNjtamu8","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zwstx-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:42:54.469Z","revision":1,"description":"zwstx-v2
-0","isPrimacyOfImpact":null},{"id":"6Q8bjXEhFHkgtO333IvGM3","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zsusdt-token?chain=mainnet","type":"smart_contract","addedAt":"2024-03-11T01:01:00.000Z","revision":2,"description":"zsusdt-token","isPrimacyOfImpact":null},{"id":"6nloVtFNoZg7VeT5OrjRWV","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.pool-0-reserve-v2-0?chain=mainnet","type":"smart_contract","addedAt":"2025-01-06T14:44:44.502Z","revision":1,"description":"pool-0-reserve-v2-0","isPrimacyOfImpact":null},{"id":"6tPKY0ufYsTmo33TdENg6U","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2024-03-11T01:01:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"7jFgy51G93EYcS7v2aC32s","url":"https://explorer.hiro.so/txid/SP2VCQJGH7PHP2DJK7Z0V48AGBHQAW3R3ZW1QF4N.zaeusdc-token?chain=mainnet","type":"smart_contract","addedAt":"2024-03-11T01:01:00.000Z","revision":2,"description":"zaeusdc-token","isPrimacyOfImpact":null},{"id":"bby394zJPZ7DTgPEsSop8","url":"https://app.zestprotocol.com/","type":"websites_and_applications","addedAt":"2024-03-11T01:01:00.000Z","revision":1,"description":"Website & Applications","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Vault","Subscription Plan: Essential","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Clarity"],"launchDate":"2024-03-11T01:01:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5DWINS6LzXToU397gx35lQ/ed2d456b4cb4cd95fa0799e8b1fe5c4b/Zest_logo_copy.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - 
critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"Zest Protocol is a Bitcoin lending protocol. Zest Protocol operates on-chain and is open-source.\nZest Protocol exists to make Bitcoin productive. All of it. The protocol strives to create a vibrant borrowing and lending ecosystem around BTC the asset.\n\nFor more information about Zest Protocol, please visit https://www.zestprotocol.com/.\n\nZest Protocol provides rewards in USDC/T on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nZest Protocol adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract - Critical \n- Smart Contract - High \n- Websites and Applications - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\nAny draining of funds via the token authentication use of tx-sender is not in the scope of this bug bounty. Please see https://coinfabrik.b-cdn.net/wp-content/uploads/2024/02/Zest-Protocol-Borrow-Audit-2024-01.pdf page 7 for more details.\n\n__Previous Audits__\n\nZest Protocol’s completed audit reports can be found at https://coinfabrik.b-cdn.net/wp-content/uploads/2024/02/Zest-Protocol-Borrow-Audit-2024-01.pdf. 
Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Zest Protocol has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Smart Contract","Websites and Applications"],"project":"Zest Protocol","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. 
\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 1 000 to USD 20 000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\nFor critical web/apps bug reports will be rewarded with USD 25 000, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 5 000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Zest Protocol team directly and are denominated in USD. However, payments are done in USDC/T on Ethereum.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, USDT","slug":"zestprotocol","updatedDate":"2025-07-31T15:50:39.576Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Zest Protocol is a Bitcoin lending protocol. Zest Protocol operates on-chain and is open-source.\n\nZest Protocol exists to make Bitcoin productive. All of it. 
The protocol strives to create a vibrant borrowing and lending ecosystem around BTC the asset.\n\nFor more information about Zest Protocol, please visit [zestprotocol.com](https://www.zestprotocol.com/).\n\nZest Protocol provides rewards in USDC/T on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Lines of code that are not in the transfer-to-user function in pool-0-reserve: https://github.com/Zest-Protocol/zest-contracts/blob/main/onchain/contracts/borrow/production/vaults/pool-0-reserve.clar#L1128C17-L1128C33\n\n- Scenarios where the function get-base-supply-rate returns a value that is not u0 here https://github.com/Zest-Protocol/zest-contracts/blob/main/onchain/contracts/borrow/production/vaults/pool-0-reserve-v2-0.clar#L1783C20-L1783C38 and https://github.com/Zest-Protocol/zest-contracts/blob/main/onchain/contracts/borrow/production/vaults/pool-0-reserve-v2-0.clar#L1806\n","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed 
yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":4771,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4772,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"}],"rewards":[{"id":10205,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":10206,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":1000,"rewardModel":"range"},{"id":10207,"severity":"critical","assetType":"websites_and_applications","maxReward":25000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0}],"audits":[{"id":"52IUvv2N6DvNPYMLjORcDK","url":"https://coinfabrik.b-cdn.net/wp-content/uploads/2024/02/Zest-Protocol-Borrow-Audit-2024-01.pdf","auditor":"Borrow Audit","date":"2024-01-06"},{"id":"5HOyeRc9B2e8XFWa6guW3l","url":"https://github.com/Clarity-Alliance/audits/blob/main/Clarity%20Alliance%20-%20Zest%20Protocol.pdf","auditor":"Clarity Alliance","date":"2025-01-06"},{"id":"4Kzjvhca2zN3XhAesuxzZQ","url":"https://github.com/Clarity-Alliance/audits/blob/main/Clarity%20Alliance%20-%20Zest%20Protocol%20BTCz.pdf","auditor":"Clarity 
Alliance","date":"2025-01-06"},{"id":"53I5mZVTwrxe3IjO94yu9B","url":"https://github.com/Clarity-Alliance/audits/blob/main/Clarity%20Alliance%20-%20Zest%20Protocol%20E-Mode.pdf","auditor":"https://github.com/Clarity-Alliance/audits/blob/main/Clarity%20Alliance%20-%20Zest%20Protocol%20E-Mode.pdf","date":"2025-01-06"}]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the Paradex platform for all users.\n\n[Leaderboard](https://immunefi.com/audit-competition/iop-paradex/leaderboard/#top)     |     [Findings](https://reports.immunefi.com/iop-paradex)     |     [Summary Report](https://drive.google.com/file/d/1iizXoQeXiOiqUW25lt0vUFOp9hnZaAHI/view)","boostedIntroLive":"$45,000 USD in rewards is available for finding bugs on Paradex contracts.\n\nFor more information, please visit about Paradex website [https://www.paradex.trade/](https://www.paradex.trade/)\n\nThis is an invite-only Program Competition, open to Security Researchers who have been invited.\n\nRunnable POCs are not required. Read our [New Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Proof-of-Concept-Rules-for-Audit-Competitions)\n\nInsight reports can be submitted. 
Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedIntroStartingIn":"","boostedLeaderboard":[{"high":0,"name":"shaflow1","critical":2,"earnings":17842,"insights":5,"mediumLow":5,"totalValidBugs":7},{"high":0,"name":"Catchme","critical":1,"earnings":8421,"insights":8,"mediumLow":0,"totalValidBugs":1},{"high":2,"name":"gln","critical":0,"earnings":4401,"insights":3,"mediumLow":1,"totalValidBugs":3},{"high":0,"name":"Kalogerone","critical":0,"earnings":2336,"insights":1,"mediumLow":6,"totalValidBugs":6}],"boostedSummaryReport":"https://drive.google.com/file/d/1iizXoQeXiOiqUW25lt0vUFOp9hnZaAHI/view?usp=sharing","ecosystem":null,"endDate":"2025-06-13T07:00:00.000Z","evaluationEndDate":"2025-07-10T12:10:39.457Z","features":["IOP (Invite Only Program)","Managed Triage: Signal Booster","Vault"],"hideAssetsInScope":false,"immunefiStandard":true,"inviteOnly":true,"kyc":true,"language":["Solidity"],"launchDate":"2025-05-23T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/AyHdHspTrq5VthxkOf3PG/5e9dbdc7cb7a4e1339be70fac1099e52/P_Dark_1080x1080_Transparent_440x500.png","maxBounty":45000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Paradex is a high-performance crypto-derivatives exchange built on a Starknet Appchain. 
\n\nFor more information about Paradex, please visit [https://www.paradex.trade/](https://www.paradex.trade/).\n\nParadex rewards are denominated in USD and distributed in USDC on Ethereum.\n\nKYC is required.","programType":["Smart Contract"],"project":"IOP | Paradex","projectType":null,"rewardsBody":"__Rewards Terms__\n\nRewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nRewards are denominated in USD and distributed in USDC on Ethereum.\n\nThe reward pool is $33k USD if any bug is found.\n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is $2.97k USD\n\nOn top of this, each participating SR will receive a guaranteed reward of $3k USD.\n\n**Proof of Concept (PoC) Requirements**\n\nFor this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact.\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\nDuplicates of Insight reports are not eligible for a reward.","rewardsPool":45000,"primaryPool":45000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"iop-paradex","tenPercentEconomicRule":false,"updatedDate":"2025-07-28T17:12:56.282Z","impactsBody":"__Build Commands, Test Commands, and How to Run Them__\n\nIncluded in repo readme\n\n__Previous Audits__\n\nParadex’s completed audit reports can be found at [https://github.com/Cairo-Security-Clan/Audit-Portfolio/blob/main/Paradex_Audit_Report.pdf](https://github.com/Cairo-Security-Clan/Audit-Portfolio/blob/main/Paradex_Audit_Report.pdf). Unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\nL1 Bridge contract is a fork of starknet’s starkgate bridge with some minor additions. Their audits are:\n- [https://github.com/tradeparadex/paradex-docs/blob/main/fern/assets/Starknet_Core_Summary_Report_Sept_2022.pdf](https://github.com/tradeparadex/paradex-docs/blob/main/fern/assets/Starknet_Core_Summary_Report_Sept_2022.pdf)\n- [https://github.com/tradeparadex/paradex-docs/blob/main/fern/assets/StarkGate_Oct_2023.pdf](https://github.com/tradeparadex/paradex-docs/blob/main/fern/assets/StarkGate_Oct_2023.pdf)\n- [https://github.com/tradeparadex/paradex-docs/blob/main/fern/assets/StarkGate_Oct_2024.pdf](https://github.com/tradeparadex/paradex-docs/blob/main/fern/assets/StarkGate_Oct_2024.pdf)\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Optional Project Info__\n\n**Is this an upgrade of an existing system? If so, which? 
And what are the main differences?**\n\nMainnet is currently running a slightly newer version of the code that’s being audited.\n\nStarkgate contract is running exactly the same as the repo on mainnet\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nAttack Vectors:\n- Stealing User Funds / Unauthorized fund transfers\n- Market Manipulation\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\nERC20\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nWe currently run on a starknet app chain\n\n**What external dependencies are there?**\n\nOpenzeppelin, Alexandria Data Structures\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nPotentially, the way some transfer restrictions are implemented and some of the functionalities implemented on Vaults can be quite complex \n\n**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)**\n\n- [https://docs.paradex.trade/](https://docs.paradex.trade/)\n- [https://l2beat.com/scaling/projects/paradex](https://l2beat.com/scaling/projects/paradex)","websiteUrl":"https://www.paradex.trade/","githubUrl":null,"eligibilityCriteria":["no_employee","no_official_contributor","no_ofac_sdn","no_auditor"],"responsiblePublicationCategory":null,"description":"Paradex is a high-performance crypto-derivatives exchange built on a Starknet Appchain. 
","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":5561,"type":"smart_contract","severity":"low","title":"Theft of gas"},{"id":5562,"type":"smart_contract","severity":"low","title":"Unbounded gas consumption"},{"id":5563,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"},{"id":5564,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"4Oe5JOpQba6Hv28wqdxdAM","url":"https://github.com/Cairo-Security-Clan/Audit-Portfolio/blob/main/Paradex_Audit_Report.pdf","auditor":"CAIRO SECURITY CLAN","date":"2025-05-13"}]},{"assets":[{"id":"7aEGT8VJDjTUENDRjG4uxh","url":"https://etherscan.io/address/0x46D2A90153cd8F09464CA3a5605B6BBeC9C2fF01","type":"smart_contract","addedAt":"2022-05-10T16:26:08.098Z","revision":1,"description":"SHER (proxy)","isPrimacyOfImpact":null},{"id":"4TfVcYiwnJm8jBIhIU2nJy","url":"https://etherscan.io/address/0x91f23210A34721D33C8842673f2Ba20146b8C70f","type":"smart_contract","addedAt":"2022-05-10T16:26:09.105Z","revision":1,"description":"SHER 
(implementation)","isPrimacyOfImpact":null},{"id":"4pfwTTfknYRsUQmKdTStVV","url":"https://etherscan.io/address/0x0865a889183039689034dA55c1Fd12aF5083eabF","type":"smart_contract","addedAt":"2022-05-10T16:26:10.152Z","revision":1,"description":"Sherlock","isPrimacyOfImpact":null},{"id":"6o3lIJvlEki1pvzzMuijB8","url":"https://etherscan.io/address/0x1E8bE946370a99019E323998Acd37A1206bdD507","type":"smart_contract","addedAt":"2022-05-10T16:26:14.948Z","revision":2,"description":"MasterStrategy","isPrimacyOfImpact":null},{"id":"7aARbavaRccmYtmSitrVjA","url":"https://etherscan.io/address/0x5775F32787656E77dd99f20F4E478DdC85fdB31b","type":"smart_contract","addedAt":"2022-05-10T16:26:15.946Z","revision":1,"description":"SherDistributionManager","isPrimacyOfImpact":null},{"id":"2RIYo1h3P1jJ7wPMhIonfT","url":"https://etherscan.io/address/0x3d0b8A0A10835Ab9b0f0BeB54C5400B8aAcaa1D3","type":"smart_contract","addedAt":"2022-05-10T16:26:16.950Z","revision":1,"description":"SherlockProtocolManager","isPrimacyOfImpact":null},{"id":"6wvM3QmxH1iyAhT6kt503W","url":"https://etherscan.io/address/0xFeEDD254ae4B7c44A0472Bb836b813Ce4625Eb84","type":"smart_contract","addedAt":"2022-05-10T16:26:17.946Z","revision":1,"description":"SherlockClaimManager","isPrimacyOfImpact":null},{"id":"7khanr2cDg3jmF0JycOuAX","url":"https://etherscan.io/address/0x92AEffFfaD9fff820f7FCaf1563d8467aFe358c4","type":"smart_contract","addedAt":"2022-05-10T16:26:18.977Z","revision":1,"description":"timelockController","isPrimacyOfImpact":null},{"id":"2lWlmvfarczzOCft9NqOPO","url":"https://etherscan.io/address/0x7289C61C75dCdB8Fe4DF0b937c08c9c40902BDd3","type":"smart_contract","addedAt":"2022-05-10T16:26:20.028Z","revision":1,"description":"SherClaim","isPrimacyOfImpact":null},{"id":"5eGO3Y8MDRkdfhHdzljv62","url":"https://etherscan.io/address/0xf8583f22C2f6f8cd27f62879A0fB4319bce262a6","type":"smart_contract","addedAt":"2022-05-10T16:26:21.088Z","revision":1,"description":"SherBuy","isPrimacyOfImpact":null},{"id":"1o6
qxxgZ5TspHNq9D2Bjnq","url":"https://etherscan.io/address/0xbFa53D098d7063DdCc39a45ea6F8c290FcD7FC70","type":"smart_contract","addedAt":"2022-07-13T22:36:27.138Z","revision":1,"description":" InfoStorage","isPrimacyOfImpact":null},{"id":"xL7Mqh6DglU5DGX93tarf","url":"https://etherscan.io/address/0x71B6BC6c70E27DCfD7d0b7AE8EbA6a76D518D88A","type":"smart_contract","addedAt":"2022-07-13T22:36:24.071Z","revision":1,"description":"AlphaBetaEqualDepositMaxSplitter","isPrimacyOfImpact":null},{"id":"1XdySEXBt8EpboHU8LY4I0","url":"https://etherscan.io/address/0x7E0049866879151480d9Ec01391Bbf713F7705b1","type":"smart_contract","addedAt":"2022-07-13T22:36:19.756Z","revision":1,"description":"AlphaBetaEqualDepositSplitter","isPrimacyOfImpact":null},{"id":"61Ks60dm87cscrm7WiuHOz","url":"https://etherscan.io/address/0x75C5d2d8D54254476239a5c1e1F23ec48Df8779E","type":"smart_contract","addedAt":"2022-07-13T22:36:16.564Z","revision":1,"description":"AaveStrategy","isPrimacyOfImpact":null},{"id":"25xzD9gkdNJbAPUIhOPzFv","url":"https://etherscan.io/address/0x5b7a52b6d75Fb3105c3c37fcc6007Eb7ac78F1B8","type":"smart_contract","addedAt":"2022-07-13T22:36:13.538Z","revision":1,"description":"CompoundStrategy","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-10-12T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7aux7xm6bBE32KgmsF1XGi/db78d0f1bdfc7b2f47b41a7b5b2aa7df/Screenshot_2024-11-15_at_1.16.08___AM.png","maxBounty":500000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - 
high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Services","Staking"],"programOverview":"Sherlock is a risk management platform designed to provide DeFi protocols with affordable, reliable coverage against smart contract exploits starting from Day 1.\n\nSherlock coverage is backed by proprietary staking pools that offer some of the highest risk-adjusted returns in DeFi. This is made possible by their team of security and risk experts who evaluate the smart contracts of every protocol, price the coverage and have skin in the game alongside stakers.\n\nFor more information about Sherlock, please visit [https://sherlock.xyz/about/](https://sherlock.xyz/about/)  \n\nThis bug bounty program is focused on their smart contracts and is focused on preventing:\n\n  - Loss of user funds by profitable theft or profitable freezing\n  - Loss of staker funds by profitable theft\n  - Profitable dilution of staker funds (infinite minting of staking positions)\n  - Profitable payout exploits\n  - DoS or “freezing” attacks","programType":["Smart Contract"],"project":"Sherlock","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nA PoC is required for Critical and High Smart Contract/Blockchain bug reports.\n\nExploits that result in a material loss of funds for users and is profitable for the hacker are classified as Critical. 
Anything else that results in a material loss/freezing of user funds that is unprofitable for the hacker is classified as High. \n\nCritical vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum of __USD 50 000__ for Critical bug reports. \n\nKnown issues in their previous audits are considered out-of-scope: https://github.com/sherlock-protocol/sherlock-v2-core/tree/main/audits\n\nIssues identified in previous audit reports may not be eligible for payout\n\nTo be eligible for reward, impact from table below must be demonstrated where all thefts must be profitable and all freezing must be reasonably priced for the impact.\n\nPayouts are handled by the __Sherlock__ team directly and are denominated in USD. Payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"sherlock","tenPercentEconomicRule":true,"updatedDate":"2025-07-22T17:19:13.131Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Sherlock is a risk management platform designed to provide DeFi protocols with affordable, reliable coverage against smart contract exploits starting from Day 1.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":1102,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (greater than 1 month)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":1103,"type":"smart_contract","severity":"critical","title":"Theft of unclaimed yield"},{"id":1104,"type":"smart_contract","severity":"critical","title":"Permanent freezing of unclaimed yield"}],"rewards":[{"id":8251,"severity":"critical","assetType":"smart_contract","maxReward":500000,"rewardModel":"up_to"},{"id":5591,"severity":"high","assetType":"smart_contract","fixedReward":25000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"6RURkeSi7C2Z2gtkfeRpkJ","url":"https://basescan.org/address/0xDCcf337eA77b687A4DaCA5586351B08f8927C825","type":"smart_contract","addedAt":"2025-03-12T15:54:02.762Z","revision":3,"description":"Yelay V3 Vault Wrapper","isPrimacyOfImpact":null},{"id":"6Z484BzGH5Bpfs6DVazYuo","url":"https://basescan.org/address/0xbBC6E62F23F714405D7e0b4D3DDe079E22748a58","type":"smart_contract","addedAt":"2025-03-12T15:53:39.340Z","revision":3,"description":"Yelay V3 Swapper","isPrimacyOfImpact":null},{"id":"64U96dqwUHfTVGAJPmyPN0","url":"https://basescan.org/address/0xa1A32FC1573B8D0532845c833cF4e8eA205345f1","type":"smart_contract","addedAt":"2025-03-12T15:54:23.947Z","revision":3,"description":"Yelay V3 Aave 
Adapter","isPrimacyOfImpact":null},{"id":"yIEBrJNZscs9hDbcZgw3Z","url":"https://basescan.org/address/0xF4a23fC0f9beB15Df3d4e1a44425Ec559f746D4F","type":"smart_contract","addedAt":"2025-03-12T15:52:51.544Z","revision":3,"description":"Yelay V3 Management","isPrimacyOfImpact":null},{"id":"QhevoRrfcH9Ufj8Wke9Du","url":"https://basescan.org/address/0x94cec01bCed84022c91Cd5bf4f424A5CC781deE3","type":"smart_contract","addedAt":"2025-03-12T15:53:18.545Z","revision":3,"description":"Yelay V3 Clients Facet","isPrimacyOfImpact":null},{"id":"3II18flUEyjpMzvrgJX8V8","url":"https://basescan.org/address/0x56A0B723939dFB43A4D4a86822A023dFeA87cad3","type":"smart_contract","addedAt":"2025-03-12T15:51:58.884Z","revision":4,"description":"Yelay V3 Funds Facet","isPrimacyOfImpact":null},{"id":"50slKGMIstDx1smd1d4YpN","url":"https://basescan.org/address/0x30DFA736b3A20ed032E19894E7cE87FF95055e08","type":"smart_contract","addedAt":"2025-03-12T15:51:17.395Z","revision":4,"description":"Yelay V3 Owner Facet","isPrimacyOfImpact":null},{"id":"7iV2DM2eitGTpCYr5jVQ7D","url":"https://basescan.org/address/0x5982506084271f49c48E809dB1893312D4915490","type":"smart_contract","addedAt":"2025-03-12T15:52:23.275Z","revision":3,"description":"Yelay V3 Access Facet","isPrimacyOfImpact":null},{"id":"57CHWyuZNFWbtQOcsaHweR","url":"https://basescan.org/address/0xf0533A9eb11b144aC3B9BbE134728D0F7F547c52","type":"smart_contract","addedAt":"2025-03-12T15:49:51.466Z","revision":3,"description":"Yelay V3 WETH Vault","isPrimacyOfImpact":null},{"id":"5ChDgO8WiPwJfezWxomoFu","url":"https://basescan.org/address/0x47a879ac3C9646116326B4A1462e1D477056Aff0","type":"smart_contract","addedAt":"2025-03-12T15:50:20.649Z","revision":5,"description":"Yelay V3 cbBTC Vault","isPrimacyOfImpact":null},{"id":"2mVeRdXpFm2fWJZecNirtZ","url":"https://basescan.org/address/0x0c6dAf9B4e0EB49A0c80c325da82EC028Cb8118B","type":"smart_contract","addedAt":"2025-03-12T15:48:11.588Z","revision":3,"description":"Yelay V3 USDC 
Vault","isPrimacyOfImpact":null},{"id":"76X9hnuIEhhnRWFkftkA4Y","url":"https://basescan.org/address/0x7Cdd48a57AD24BcE6195234B153b0b8a0ee3974","type":"smart_contract","addedAt":"2024-10-30T08:07:55.783Z","revision":2,"description":"Yelay V3 Morpho Adapter","isPrimacyOfImpact":null},{"id":"18o05f4jKMde9bINLlhLMM","url":"https://www.immunefi.com","type":"smart_contract","addedAt":"2023-12-05T14:17:26.570Z","revision":2,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"1pbnai8u3OiOTxm6qKzjTW","url":"https://etherscan.io/address/0x39DAc87bE293DC855b60feDd89667364865378cc","type":"smart_contract","addedAt":"2025-05-07T16:58:10.037Z","revision":1,"description":"Yelay V3 USDC Vault","isPrimacyOfImpact":null},{"id":"5GFrXCDMoC8bzldo99sikw","url":"https://etherscan.io/address/0x4d95E929ABb21b6C6C0FF1ff0Ac69609e02BB368","type":"smart_contract","addedAt":"2025-05-07T16:58:47.831Z","revision":1,"description":"Yelay V3 WETH Vault","isPrimacyOfImpact":null},{"id":"1NPTNyszTje3X9DvENFAAX","url":"https://etherscan.io/address/0x6545e81356CE709823EA8797E566A60934A9B110","type":"smart_contract","addedAt":"2025-05-07T16:59:58.957Z","revision":1,"description":"Yelay V3 WBTC Vault","isPrimacyOfImpact":null},{"id":"5olSQwg800bAwFUY1lNWGo","url":"https://etherscan.io/address/0x4E078e0345820B6e466A843CEeBD074D483AD008","type":"smart_contract","addedAt":"2025-05-07T17:00:23.207Z","revision":1,"description":"Yelay V3 Owner Facet","isPrimacyOfImpact":null},{"id":"4Jx9bRKTPbCmg78uRmHM26","url":"https://etherscan.io/address/0xdd4D9766B931d165E44890D0288A6f2Dd565AdEC","type":"smart_contract","addedAt":"2025-05-07T17:00:46.479Z","revision":2,"description":"Yelay V3 Funds Facet","isPrimacyOfImpact":null},{"id":"5ImlZ8KXnrW7rfzMP3tE5F","url":"https://etherscan.io/address/0xb61413b0E6811bA11A6B34534A8CE4AF69D504b4","type":"smart_contract","addedAt":"2025-05-07T17:01:09.693Z","revision":1,"description":"Yelay V3 Access 
Facet","isPrimacyOfImpact":null},{"id":"1KQZChuWDPnyUMR4sSn9yq","url":"https://etherscan.io/address/0x0A09027643d21F35df24f156694A97776d211907","type":"smart_contract","addedAt":"2025-05-07T17:01:45.187Z","revision":1,"description":"Yelay V3 Management Facet","isPrimacyOfImpact":null},{"id":"1VnJbH9kht8N949pP0FaWN","url":"https://etherscan.io/address/0x1798b36C340DBA0A2bd7BD379dF100af07396e57","type":"smart_contract","addedAt":"2025-05-07T17:02:06.694Z","revision":1,"description":"Yelay V3 Clients Facet","isPrimacyOfImpact":null},{"id":"2OR9Saddr4uJZQdq4KWfLJ","url":"https://etherscan.io/address/0xD49Dc240CE448BE0513803AB82B85F8484748871","type":"smart_contract","addedAt":"2025-05-07T17:02:23.939Z","revision":1,"description":"Yelay V3 Swapper","isPrimacyOfImpact":null},{"id":"9NGORdecjRcqi2ikQ8zQ3","url":"https://etherscan.io/address/0xf65d02700915259602D9105b66401513D1CB61ff","type":"smart_contract","addedAt":"2025-05-07T17:03:05.188Z","revision":1,"description":"Yelay V3 Vault Wrapper","isPrimacyOfImpact":null},{"id":"JRE4rz7BX45InWjkpF2Rf","url":"https://etherscan.io/address/0xF4a23fC0f9beB15Df3d4e1a44425Ec559f746D4F","type":"smart_contract","addedAt":"2025-05-07T17:03:30.672Z","revision":1,"description":"Yelay V3 Aave Adapter","isPrimacyOfImpact":null},{"id":"5brBPFQDrdnCj9faMAPOko","url":"https://etherscan.io/address/0xFFB90D5599892054dDE4B415Fd827908B376DCf8","type":"smart_contract","addedAt":"2025-05-07T17:04:23.397Z","revision":1,"description":"Yelay V3 Morpho Adapter","isPrimacyOfImpact":null},{"id":"scNzg1vSid0IiaivNR25y","url":"https://etherscan.io/address/0xa1A32FC1573B8D0532845c833cF4e8eA205345f1","type":"smart_contract","addedAt":"2025-05-07T17:04:42.954Z","revision":1,"description":"Yelay V3 ERC4626 Adapter","isPrimacyOfImpact":null},{"id":"4XTEGC3IjYeSoUEf98ByD1","url":"https://etherscan.io/address/0x7Cdd48a57AD24BcE6195234B153b0b8a0ee3974f","type":"smart_contract","addedAt":"2025-05-07T17:04:59.128Z","revision":1,"description":"Yelay V3 Gearbox 
Adapter","isPrimacyOfImpact":null},{"id":"46gCn2hOWP6oFGRJ3LPkDy","url":"https://sonicscan.org/address/0x56b0c5C989C65e712463278976ED26D6e07592ab","type":"smart_contract","addedAt":"2025-05-07T17:07:14.066Z","revision":1,"description":"Yelay V3 USDC Vault","isPrimacyOfImpact":null},{"id":"49BxSTdiXP1oARU8uPQ8yp","url":"https://sonicscan.org/address/0xAB865D95A574511a6c893C38A4D892275ca70570","type":"smart_contract","addedAt":"2025-05-07T17:07:48.466Z","revision":1,"description":"Yelay V3 WETH Vault","isPrimacyOfImpact":null},{"id":"IiVzfy3IdhSjB1Ot02o0Z","url":"https://sonicscan.org/address/0x6880bb001417f123f824c573A07a991e0cD00daC","type":"smart_contract","addedAt":"2025-05-07T17:08:13.037Z","revision":1,"description":"Yelay V3 WS Vault","isPrimacyOfImpact":null},{"id":"6jm5xkWCz7pWhYaD9v2izG","url":"https://sonicscan.org/address/0xda1620236ACE35387ce753A081d82868a738e6ae","type":"smart_contract","addedAt":"2025-05-07T17:08:29.965Z","revision":1,"description":"Yelay V3 Owner Facet","isPrimacyOfImpact":null},{"id":"1EKxQmNFT01Ih2hO9genPw","url":"https://sonicscan.org/address/0xC203718250098584F3DbD84b0AC332D02539ebef","type":"smart_contract","addedAt":"2025-05-07T17:08:47.914Z","revision":2,"description":"Yelay V3 Funds Facet","isPrimacyOfImpact":null},{"id":"SZfHhl2lfnhtZdrG0jNrH","url":"https://sonicscan.org/address/0x90b8695EDCdEfAFA678Df6d819307573f7B1a18C","type":"smart_contract","addedAt":"2025-05-07T17:09:07.006Z","revision":1,"description":"Yelay V3 Access Facet","isPrimacyOfImpact":null},{"id":"5R17qCkyyEEdvloqYJsLqb","url":"https://sonicscan.org/address/0x0A09027643d21F35df24f156694A97776d211907","type":"smart_contract","addedAt":"2025-05-07T17:14:35.398Z","revision":1,"description":"Yelay V3 Management Facet","isPrimacyOfImpact":null},{"id":"7fmsnhSfWTzvs9PGNOj2pW","url":"https://sonicscan.org/address/0x1798b36C340DBA0A2bd7BD379dF100af07396e57","type":"smart_contract","addedAt":"2025-05-07T17:14:53.569Z","revision":1,"description":"Yelay V3 Clients 
Facet","isPrimacyOfImpact":null},{"id":"59cjJERYVsRB25pW7QyoH0","url":"https://sonicscan.org/address/0x98732e2FEb854bAd400D4b5336f4439E7E53fe88","type":"smart_contract","addedAt":"2025-05-07T17:15:11.304Z","revision":1,"description":"Yelay V3 Swapper","isPrimacyOfImpact":null},{"id":"1lM5mIBQSu1TdaKaBbdQpt","url":"https://sonicscan.org/address/0x0872e8391662D4e53D6649c8dE5d4bF581Bd778C","type":"smart_contract","addedAt":"2025-05-07T17:15:32.663Z","revision":1,"description":"Yelay V3 Vault Wrapper","isPrimacyOfImpact":null},{"id":"CtYLjeEiPeh0tOllCeelp","url":"https://sonicscan.org/address/0xF4a23fC0f9beB15Df3d4e1a44425Ec559f746D4F","type":"smart_contract","addedAt":"2025-05-07T17:15:49.227Z","revision":1,"description":"Yelay V3 Aave Adapter","isPrimacyOfImpact":null},{"id":"2q7OF77BAzgHl7idj9Cwtg","url":"https://sonicscan.org/address/0xa1A32FC1573B8D0532845c833cF4e8eA205345f1","type":"smart_contract","addedAt":"2025-05-07T17:16:04.697Z","revision":1,"description":"Yelay V3 ERC4626 Adapter","isPrimacyOfImpact":null},{"id":"6TbnGBghWDk5bzQXMZA51W","url":"https://etherscan.io/address/0xaee5913ffd19dbca4fd1ef6f3925ed0414407d37","type":"smart_contract","addedAt":"2025-05-07T17:16:18.624Z","revision":1,"description":"YLAY Token","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2022-07-01T16:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/mY7ippEdKWRNlkY20XzQS/141fee70e65152ee0b1abf975bf90728/R0J4dFap_400x400.png","maxBounty":150000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only 
the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Asset Management","DAO","Yield Aggregator"],"programOverview":"Yelay allows banks, fintech, funds, exchanges, custodians, treasuries, launchpools, DefAI projects and other builders to earn DeFi returns in a fully composable manner. \n\nBy removing the complexity of setting up and managing DeFi portfolios, Yelay partners can deploy capital, with a single deposit, in diversified yield-generating strategies, as easy as investing in an ETF. \n\nPortfolios are auto-rebalanced and capital is automatically compounded. Yelay minimizes transaction costs, optimizes DeFi yields and brings DeFi risk management to the next level. \n\nWith Yelay, you get the most out of the DeFi market and can offer superior yield opportunities to your client base, as a cost-free white-labeled solution. Yield for the World. Fuel for DeFi.\n\nFor more information about Yelay, please visit [https://www.yelay.io/](https://www.yelay.io/).\n\nYelay provides rewards in __USDC__, denominated in __USD__. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\n__KYC Requirement__ \n\nYelay will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n  - Full name \n  - Date of birth\n  - Proof of address (either a redacted bank statement with address or a recent utility bill)\n  - Copy of Passport or other Government issued ID\n\n__Primacy of Impact vs Primacy of Rules__\n\nYelay adheres to the Primacy of Impact for the following impacts:\n\n  - Smart Contracts: Critical\n  - Smart Contracts: High\n  - Smart Contracts: Medium\n  - Smart Contracts: Low\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. 
This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Known Issue Assurance__\n\nYelay commits to providing Known Issue Assurance to bug submissions through their program. This means that Yelay will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. 
Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Previous Audits__\n\nYelay V3's completed audit reports can be found here:\n  -[https://github.com/YieldLayer/yelay-lite/tree/main/audits](https://github.com/YieldLayer/yelay-lite/tree/main/audits)\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, yelay has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"yelay.io","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of __USD 150 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD 20 000__ is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n - If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n  - For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n - High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if it goes unaddressed.   \n\n  - In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the __yelay__ team directly and are denominated in __USD__. However, payments are done in __USDC__.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"yelay","updatedDate":"2025-07-17T16:56:54.599Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Yelay is permissionless and non-custodial middleware that allows banks, fintech, funds, exchanges, custodians, treasuries, launchpools and other builders to earn DeFi returns in a fully composable manner. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Impacts relying on the intended wrongdoing of protocol admins having privileged access to the key functions of the protocol\n- Impacts where protocol functionality works as designed (f.e. “Users do not receive yield” in the Launchpool version of Yelay V3, or “Yield has been \n  temporarily not generated due to the lack of triggering events”)\n- Specifics of the ‘Deposit lock’ feature: “In case of DepositLock, Yield data is calculated offchain. If Client has set up DepositLock functionality only \n  deposits into projectId through that are considered 'yield accruing'. If some user decides to bypass the DepositLockPlugin and deposit directly into \n  the Vault using the same projectId - users will not receive any rewards. Such users are simply filtered out from offchain yield calculations.”\n- Use of malicious strategies or those which are not fit for the purpose. For example, strategies which incur deposit/withdrawal/management fees. 
\n  Only performance fee is allowed for strategies used on Yelay V3 vaults.\n\n","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":2898,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for more than 24 hours"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":5517,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose direct monetary value. F.e. 
loss of points, sYLAY balance, wrong yield or APY calculation etc."}],"rewards":[{"id":32904,"severity":"critical","assetType":"smart_contract","maxReward":150000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":32905,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":32906,"severity":"medium","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":32907,"severity":"low","assetType":"smart_contract","maxReward":1000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"5iIIQoLUKXqf6EZAd5vpyG","url":"https://github.com/compound-finance/compound-protocol/pull/127","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"(Pull Request)","isPrimacyOfImpact":null},{"id":"JzvHbItYp05XRXV147Ily","url":"https://etherscan.io/address/0xc3d688B66703497DAA19211EEdff47f25384cdc3","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 (Mainnet USDC)","isPrimacyOfImpact":null},{"id":"71g9vsCXb69iAJSF4sflqp","url":"https://etherscan.io/address/0x285617313887d43256F852cAE0Ee4de4b68D45B0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 Ext (Mainnet USDC)","isPrimacyOfImpact":null},{"id":"35ZSxv97L7hs7tCWa7TepM","url":"https://etherscan.io/address/0x316f9708bB98af7dA9c68C1C3b5e79039cD336E3","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Mainnet USDC)","isPrimacyOfImpact":null},{"id":"3Zv43NvQrRCaMbiaMWpXgK","url":"https://etherscan.io/address/0x1EC63B5883C3481134FD50D5DAebc83Ecd2E8779","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Mainnet 
USDC)","isPrimacyOfImpact":null},{"id":"19bB1sxFjdHWseEXlTTUtl","url":"https://etherscan.io/address/0xa7F7De6cCad4D83d81676717053883337aC2c1b4","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Mainnet USDC)","isPrimacyOfImpact":null},{"id":"1vc3HUoLYbnvUTHQbAMVME","url":"https://etherscan.io/address/0x1B0e765F6224C21223AeA2af16c1C46E38885a40","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Mainnet USDC)","isPrimacyOfImpact":null},{"id":"2RGP9jfjB81yeItvT7XaB9","url":"https://etherscan.io/address/0x74a81F84268744a40FEBc48f8b812a1f188D80C3","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Mainnet USDC)","isPrimacyOfImpact":null},{"id":"7GDQRtfidEZXAFZXYYayqp","url":"https://etherscan.io/address/0x309a862bbC1A00e45506cB8A802D1ff10004c8C0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":2,"description":"Governor (Mainnet USDC)","isPrimacyOfImpact":null},{"id":"NVI7gLlmMGXNwwKpQhWOC","url":"https://etherscan.io/address/0x6d903f6003cca6255D85CcA4D3B5E5146dC33925","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Mainnet USDC)","isPrimacyOfImpact":null},{"id":"1BIr7NYKh3MKmn6JqJqQzA","url":"https://etherscan.io/address/0xc00e94Cb662C3520282E6f5717214004A7f26888","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Mainnet USDC)","isPrimacyOfImpact":null},{"id":"3M434qN8kWhjAh0h6SgJDT","url":"https://etherscan.io/address/0xA17581A9E3356d9A858b789D68B4d866e593aE94","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWETHv3 (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"wbZW66jN9uuQWjFQm26pH","url":"https://etherscan.io/address/0xe2C1F54aFF6b38fD9DF7a69F22cB5fd3ba09F030","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWETHv3 Ext 
(Mainnet WETH)","isPrimacyOfImpact":null},{"id":"4lR6CeX2LLWUnnSRWHr0jw","url":"https://etherscan.io/address/0x316f9708bB98af7dA9c68C1C3b5e79039cD336E3","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"709LZeFDVER3C6WEEGh8mS","url":"https://etherscan.io/address/0x1EC63B5883C3481134FD50D5DAebc83Ecd2E8779","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"1ggqrxYuMVpqlNjJoTu3FN","url":"https://etherscan.io/address/0xa7F7De6cCad4D83d81676717053883337aC2c1b4","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"4BwOzz7XV0Qr0nZhDRZbRs","url":"https://etherscan.io/address/0x1B0e765F6224C21223AeA2af16c1C46E38885a40","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"3sNegUgYEjPGKH1n0yLgdY","url":"https://etherscan.io/address/0xa397a8C2086C554B531c02E29f3291c9704B00c7","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"1kMTKAc5anHuiLMb3CxCI2","url":"https://etherscan.io/address/0x309a862bbC1A00e45506cB8A802D1ff10004c8C0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":2,"description":"Governor (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"1QzgCmt65VHPFbgHf2iC1V","url":"https://etherscan.io/address/0x6d903f6003cca6255D85CcA4D3B5E5146dC33925","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Mainnet 
WETH)","isPrimacyOfImpact":null},{"id":"59OaP1rq6gAmDDTMTuH0w","url":"https://etherscan.io/address/0xBe9895146f7AF43049ca1c1AE358B0541Ea49704","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cbETH (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"5GThXXf7VNTRd4BcWEVkly","url":"https://etherscan.io/address/0xc00e94Cb662C3520282E6f5717214004A7f26888","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"2YoBusPfrOP5A2BIqA6szI","url":"https://etherscan.io/address/0xbf5495Efe5DB9ce00f80364C8B423567e58d2110","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"ezETH (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"5QDGoK9EOxjvc9cxdzVcBr","url":"https://etherscan.io/address/0xf1C9acDc66974dFB6dEcB12aA385b9cD01190E38","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"osETH (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"7fibHTgBrSfggC6aIxV0VO","url":"https://etherscan.io/address/0xae78736Cd615f374D3085123A210448E74Fc6393","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"rETH (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"6lgmdbykyP9SZG3h4TC9ed","url":"https://etherscan.io/address/0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"rsETH (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"2jGgPyXAhgCEv7ilAZiWvw","url":"https://etherscan.io/address/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"6wP2uzXSJZMSIn0HC9kZJ7","url":"https://etherscan.io/address/0xCd5fE23C85820F7B72D0926FC9b05b43E359b7ee","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"weETH (Mainnet 
WETH)","isPrimacyOfImpact":null},{"id":"20Uo6rgKpRr4UYjXLzFL2W","url":"https://etherscan.io/address/0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"7mGApCMlFj4s9miheod0wk","url":"https://etherscan.io/address/0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"wstETH (Mainnet WETH)","isPrimacyOfImpact":null},{"id":"PGuXQq45pVedtbd7sAayG","url":"https://etherscan.io/address/0x3Afdc9BCA9213A35503b077a6072F3D0d5AB0840","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDTv3 (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"5bzTqhFmvDctZG1fg3DdJZ","url":"https://etherscan.io/address/0x5C58d4479A1E9b2d19EE052143FA73F0ee79A36e","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDTv3 Ext (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"4Qelr3v99zUX7OB5WGypre","url":"https://etherscan.io/address/0x316f9708bB98af7dA9c68C1C3b5e79039cD336E3","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"1z2t7VQHTMCpgX23xPGT3W","url":"https://etherscan.io/address/0x1EC63B5883C3481134FD50D5DAebc83Ecd2E8779","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"15WmMl8V1l9tZXzbxfTrf6","url":"https://etherscan.io/address/0x698A949f3b4f7a5DdE236106F25Fa0eAcA0FcEF1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Mainnet 
USDT)","isPrimacyOfImpact":null},{"id":"6Fj0ev85CexpCpAtn534n4","url":"https://etherscan.io/address/0x1B0e765F6224C21223AeA2af16c1C46E38885a40","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"3UI0yT4e4ytE8joVKsZlXx","url":"https://etherscan.io/address/0xa397a8C2086C554B531c02E29f3291c9704B00c7","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"4g5IW1a3RAX7y7R5YvGCQ2","url":"https://etherscan.io/address/0x309a862bbC1A00e45506cB8A802D1ff10004c8C0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":2,"description":"Governor (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"7JrnVHmzzfFEF1a60FoOGz","url":"https://etherscan.io/address/0x6d903f6003cca6255D85CcA4D3B5E5146dC33925","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"2dqOgE08UeooPdkouuvvvb","url":"https://etherscan.io/address/0xc00e94Cb662C3520282E6f5717214004A7f26888","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"6vPLpgApXKgJEzQPvNkH5g","url":"https://etherscan.io/address/0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"5q6Krp5SGqDTifqUMQnE6L","url":"https://etherscan.io/address/0x2260fac5e5542a773aa44fbcfedf7c193bc2c599","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"41I4qIMSX4Pz8fuLHEnanj","url":"https://etherscan.io/address/0x1f9840a85d5af5bf1d1762f925bdaddc4201f984","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"UNI (Mainnet 
USDT)","isPrimacyOfImpact":null},{"id":"2XmnPg4iPGDxzs8FLc93sW","url":"https://etherscan.io/address/0x514910771af9ca656af840dff83e8264ecf986ca","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"LINK (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"mRmK8tOayl4PceUs59YiJ","url":"https://etherscan.io/address/0x7f39c581f595b53c5cb19bd0b3f8da6c935e2ca0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"wstETH (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"tNQgXUQ41w5ZSAadrhfzb","url":"https://etherscan.io/address/0xdAC17F958D2ee523a2206206994597C13D831ec7","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDT (Mainnet USDT)","isPrimacyOfImpact":null},{"id":"04QThvjbfAI5j8nyKd3qw","url":"https://polygonscan.com/address/0xF25212E676D1F7F89Cd72fFEe66158f541246445","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 (Polygon USDC)","isPrimacyOfImpact":null},{"id":"4bRXku2Bjh3gfhE0TQdNKJ","url":"https://polygonscan.com/address/0xbdE8F31D2DdDA895264e27DD990faB3DC87b372d","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 Ext (Polygon USDC)","isPrimacyOfImpact":null},{"id":"2TtIKO4hs1OsY1CoXmEE4d","url":"https://polygonscan.com/address/0x83E0F742cAcBE66349E3701B171eE2487a26e738","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Polygon USDC)","isPrimacyOfImpact":null},{"id":"1dLxPC1yfYAn30296uU4ow","url":"https://polygonscan.com/address/0xd712ACe4ca490D4F3E92992Ecf3DE12251b975F9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Polygon 
USDC)","isPrimacyOfImpact":null},{"id":"5qV4Gbfp498f2kzvNlrEbs","url":"https://polygonscan.com/address/0x2F9E3953b2Ef89fA265f2a32ed9F80D00229125B","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Polygon USDC)","isPrimacyOfImpact":null},{"id":"28QHtW0XrsTMKoS7v0maKE","url":"https://polygonscan.com/address/0xCC3E7c85Bb0EE4f09380e041fee95a0caeDD4a02","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Polygon USDC)","isPrimacyOfImpact":null},{"id":"bY8iXk2VHhRIEU5Fomb9a","url":"https://polygonscan.com/address/0x18281dfC4d00905DA1aaA6731414EABa843c468A","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Polygon USDC)","isPrimacyOfImpact":null},{"id":"uxISr8CtPETTlvFzange3","url":"https://polygonscan.com/address/0x45939657d1CA34A8FA39A924B71D28Fe8431e581","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Polygon USDC)","isPrimacyOfImpact":null},{"id":"wdGnKkVb5n2u5eBP1jMd5","url":"https://polygonscan.com/address/0x59e242D352ae13166B4987aE5c990C232f7f7CD6","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Polygon USDC)","isPrimacyOfImpact":null},{"id":"14V7mbbx129NXKjb22UWPG","url":"https://polygonscan.com/address/0x8505b9d2254A7Ae468c0E9dd10Ccea3A837aef5c","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Polygon USDC)","isPrimacyOfImpact":null},{"id":"5pPIaLdUT0H26fdh9CjIKd","url":"https://polygonscan.com/address/0xfa68FB4628DFF1028CFEc22b4162FCcd0d45efb6","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"MaticX (Polygon 
USDC)","isPrimacyOfImpact":null},{"id":"1ZbM3RCnA9YsKf5VaUHQ2N","url":"https://polygonscan.com/address/0x3A58a54C066FdC0f2D55FC9C89F0415C92eBf3C4","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"stMATIC (Polygon USDC)","isPrimacyOfImpact":null},{"id":"1ZioCzs0iF6UjdcyDQlenM","url":"https://polygonscan.com/address/0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDC (Polygon USDC)","isPrimacyOfImpact":null},{"id":"4Mcyn4JqDer5e2NDI3bCqd","url":"https://polygonscan.com/address/0x1BFD67037B42Cf73acF2047067bd4F2C47D9BfD6","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Polygon USDC)","isPrimacyOfImpact":null},{"id":"4aAqJcW3lpt9kRmsnXlSFE","url":"https://polygonscan.com/address/0x7ceB23fD6bC0adD59E62ac25578270cFf1b9f619","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Polygon USDC)","isPrimacyOfImpact":null},{"id":"6U53vivYiKMsRNlJ8kmnUl","url":"https://polygonscan.com/address/0x0d500B1d8E8eF31E21C99d1Db9A6444d3ADf1270","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WMATIC (Polygon USDC)","isPrimacyOfImpact":null},{"id":"6N6CkBnPE8zUWfNq4f8HL","url":"https://polygonscan.com/address/0xaeB318360f27748Acb200CE616E389A6C9409a07","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDTv3 (Polygon USDT)","isPrimacyOfImpact":null},{"id":"4MUKKHep0J54VvH4KYSeJp","url":"https://polygonscan.com/address/0x2F4eAF29dfeeF4654bD091F7112926E108eF4Ed0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDTv3 Ext (Polygon 
USDT)","isPrimacyOfImpact":null},{"id":"gdh11VI30yX136JuNIf39","url":"https://polygonscan.com/address/0x83E0F742cAcBE66349E3701B171eE2487a26e738","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Polygon USDT)","isPrimacyOfImpact":null},{"id":"28NIcj7iTMTpfgQA2baEB7","url":"https://polygonscan.com/address/0xd712ACe4ca490D4F3E92992Ecf3DE12251b975F9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Polygon USDT)","isPrimacyOfImpact":null},{"id":"1oh56edh9D7pzkoTtJMeJf","url":"https://polygonscan.com/address/0x2F9E3953b2Ef89fA265f2a32ed9F80D00229125B","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Polygon USDT)","isPrimacyOfImpact":null},{"id":"69h74P28lqYTCdUkpYZPEG","url":"https://polygonscan.com/address/0xCC3E7c85Bb0EE4f09380e041fee95a0caeDD4a02","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Polygon USDT)","isPrimacyOfImpact":null},{"id":"Z8WihkAxYo0Gccg03BKYb","url":"https://polygonscan.com/address/0x18281dfC4d00905DA1aaA6731414EABa843c468A","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Polygon USDT)","isPrimacyOfImpact":null},{"id":"2osnAAzt2DcbKKKAbJdfKu","url":"https://polygonscan.com/address/0x45939657d1CA34A8FA39A924B71D28Fe8431e581","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Polygon USDT)","isPrimacyOfImpact":null},{"id":"BBikjnwNippUmGBb4fUSg","url":"https://polygonscan.com/address/0x59e242D352ae13166B4987aE5c990C232f7f7CD6","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Polygon 
USDT)","isPrimacyOfImpact":null},{"id":"7MOZ3SNvtEeXKt9TBYGv0a","url":"https://polygonscan.com/address/0x8505b9d2254A7Ae468c0E9dd10Ccea3A837aef5c","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Polygon USDT)","isPrimacyOfImpact":null},{"id":"5Y8G7mRQGD1gINE3SmTKBj","url":"https://polygonscan.com/address/0x0d500B1d8E8eF31E21C99d1Db9A6444d3ADf1270","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WMATIC (Polygon USDT)","isPrimacyOfImpact":null},{"id":"1vIXKTDhfV9kBQBl5pumYI","url":"https://polygonscan.com/address/0x7ceB23fD6bC0adD59E62ac25578270cFf1b9f619","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Polygon USDT)","isPrimacyOfImpact":null},{"id":"6Oap1oBQv03KGae8PjT7J4","url":"https://polygonscan.com/address/0xfa68FB4628DFF1028CFEc22b4162FCcd0d45efb6","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"MaticX (Polygon USDT)","isPrimacyOfImpact":null},{"id":"3X6hjOLQWGVmzB2dUKyNSH","url":"https://polygonscan.com/address/0x3A58a54C066FdC0f2D55FC9C89F0415C92eBf3C4","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"stMATIC (Polygon USDT)","isPrimacyOfImpact":null},{"id":"2zPXFqz5FisfC48LF6Gz4B","url":"https://polygonscan.com/address/0x1BFD67037B42Cf73acF2047067bd4F2C47D9BfD6","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Polygon USDT)","isPrimacyOfImpact":null},{"id":"5HKW4A7IKucjTL4NW5MKOb","url":"https://polygonscan.com/address/0xc2132D05D31c914a87C6611C10748AEb04B58e8F","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDT (Polygon USDT)","isPrimacyOfImpact":null},{"id":"15aGJiUxpHKYckKf6GI2x5","url":"https://arbiscan.io/address/0xA5EDBDD9646f8dFF606d7448e414884C7d905dCA","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 
(Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"1tixcCWmBc723atSyY8emP","url":"https://arbiscan.io/address/0x1B2E88cC7365d90e7E81392432482925BD8437E9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 Ext (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"42CFTaEEE1xNCj4OWFcsq6","url":"https://arbiscan.io/address/0xb21b06D71c75973babdE35b49fFDAc3F82Ad3775","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"2IieghkZoMewBM2nKO4LR4","url":"https://arbiscan.io/address/0xD10b40fF1D92e2267D099Da3509253D9Da4D715e","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"1ETm9Do0OsNDCsAwkEYdWI","url":"https://arbiscan.io/address/0xe2AA5194E45B043AfdD6E98F467c0B1c13484ae9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"31mHxmJESKb0kFLtYkp2Er","url":"https://arbiscan.io/address/0x3fB4d38ea7EC20D91917c09591490Eeda38Cf88A","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"3dCAVM67P3fw6Jax0VQSNG","url":"https://arbiscan.io/address/0x88730d254A2f7e6AC8388c3198aFd694bA9f7fae","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"1QO7HkP5MfIJkT4s3JJ9Ab","url":"https://arbiscan.io/address/0x88730d254A2f7e6AC8388c3198aFd694bA9f7fae","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Arbitrum 
USDC.e)","isPrimacyOfImpact":null},{"id":"6SNPnFp8hhN0P1CnYgUWVi","url":"https://arbiscan.io/address/0xbdE8F31D2DdDA895264e27DD990faB3DC87b372d","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"1Q0Yt8EgClqX3HDBxKW3ok","url":"https://arbiscan.io/address/0x912ce59144191c1204e64559fe8253a0e49e6548","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"ARB (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"6LRDC9SeZiV4ygBrgafqdi","url":"https://arbiscan.io/address/0x354A6dA3fcde098F8389cad84b0182725c6C91dE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"7wSjUPmZOi1lOdopUfM1P8","url":"https://arbiscan.io/address/0xfc5A1A6EB076a2C7aD06eD22C90d7E710E35ad0a","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"GMX (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"1gWdIp6DegUCnVGnaQ0amv","url":"https://arbiscan.io/address/0xFF970A61A04b1cA14834A43f5dE4533eBDDB5CC8","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDC.e (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"1YgQ785wtM1CJaPaU7eoNt","url":"https://arbiscan.io/address/0x2f2a2543b76a4166549f7aab2e75bef0aefc5b0f","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"63zEes1SJRxXoCMrSrzHOw","url":"https://arbiscan.io/address/0x82af49447d8a07e3bd95bd0d56f35241523fbab1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Arbitrum USDC.e)","isPrimacyOfImpact":null},{"id":"2XrIZ9VcSF048b4P1koPx0","url":"https://arbiscan.io/address/0x9c4ec768c28520B50860ea7a15bd7213a9fF58bf","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 (Arbitrum 
USDC)","isPrimacyOfImpact":null},{"id":"2egutoz4yuOn9GG1vaSJBi","url":"https://arbiscan.io/address/0x1B2E88cC7365d90e7E81392432482925BD8437E9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 Ext (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"23WJjv8W1tQRv6QkV6HDmK","url":"https://arbiscan.io/address/0xb21b06D71c75973babdE35b49fFDAc3F82Ad3775","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"5HibQGuadzmSG9hGX0HxIL","url":"https://arbiscan.io/address/0xD10b40fF1D92e2267D099Da3509253D9Da4D715e","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"2tMMaXaboBQG0v9gqPcWTs","url":"https://arbiscan.io/address/0xe2AA5194E45B043AfdD6E98F467c0B1c13484ae9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"4sUG9JDo1r5nxEr8f5beez","url":"https://arbiscan.io/address/0x3fB4d38ea7EC20D91917c09591490Eeda38Cf88A","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"7vipVmy9EZ7NYvn8243Fu5","url":"https://arbiscan.io/address/0x42480C37B249e33aABaf4c22B20235656bd38068","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"6t5TdfxKDITcgG3H98w3PG","url":"https://arbiscan.io/address/0x88730d254A2f7e6AC8388c3198aFd694bA9f7fae","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Arbitrum 
USDC)","isPrimacyOfImpact":null},{"id":"6VxHNXYoZyoS0GelnMvesi","url":"https://arbiscan.io/address/0xbdE8F31D2DdDA895264e27DD990faB3DC87b372d","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"3Hb7MtWeRK1npjBVQ1VP4s","url":"https://arbiscan.io/address/0x912ce59144191c1204e64559fe8253a0e49e6548","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"ARB (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"163ZXVUNw0KGcfsQCPoFbU","url":"https://arbiscan.io/address/0x354A6dA3fcde098F8389cad84b0182725c6C91dE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"4YMsZZ6PwbMbJdFpnr5JoJ","url":"https://arbiscan.io/address/0xfc5A1A6EB076a2C7aD06eD22C90d7E710E35ad0a","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"GMX (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"2VmZMFoWYfOKcMep4yTSqF","url":"https://arbiscan.io/address/0xaf88d065e77c8cC2239327C5EDb3A432268e5831","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDC (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"Qh2xPcWCsx5FCRaACuMdN","url":"https://arbiscan.io/address/0x2f2a2543b76a4166549f7aab2e75bef0aefc5b0f","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"7V2wXJLS6Ocmlo8BL3PZy","url":"https://arbiscan.io/address/0x82af49447d8a07e3bd95bd0d56f35241523fbab1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Arbitrum USDC)","isPrimacyOfImpact":null},{"id":"7Fuk4cgLbDxDLmAILtFXnX","url":"https://arbiscan.io/address/0x6f7D514bbD4aFf3BcD1140B7344b32f063dEe486","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWETHv3 (Arbitrum 
WETH)","isPrimacyOfImpact":null},{"id":"3E1GSe8q6oXjzPtKBoZzTg","url":"https://arbiscan.io/address/0x5404872d8f2e24b230EC9B9eC64E3855F637FB93","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWETHv3 Ext (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"3GenJuGvsw9CYXdxMn0WbM","url":"https://arbiscan.io/address/0xb21b06D71c75973babdE35b49fFDAc3F82Ad3775","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"67g1ifVvaiCM6jk3ovDEVY","url":"https://arbiscan.io/address/0xD10b40fF1D92e2267D099Da3509253D9Da4D715e","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"2x05vvaKZh0Ym9vuUwFwHr","url":"https://arbiscan.io/address/0xe2AA5194E45B043AfdD6E98F467c0B1c13484ae9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"1HnF8wkcAx6F6h9sRAT4C2","url":"https://arbiscan.io/address/0x3fB4d38ea7EC20D91917c09591490Eeda38Cf88A","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"7lFaqjkUAGJxGNG8u1Iljz","url":"https://arbiscan.io/address/0x42480C37B249e33aABaf4c22B20235656bd38068","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"12QC5hpAdIZNARWEVvX6M1","url":"https://arbiscan.io/address/0x88730d254A2f7e6AC8388c3198aFd694bA9f7fae","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Arbitrum 
WETH)","isPrimacyOfImpact":null},{"id":"2Rtt0z4srRcHcW6xxFvNqv","url":"https://arbiscan.io/address/0xbdE8F31D2DdDA895264e27DD990faB3DC87b372d","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"5s3Phyu60g6ZO304u0LcdC","url":"https://arbiscan.io/address/0x354A6dA3fcde098F8389cad84b0182725c6C91dE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"ndNmTCrfE81eRO81AfTpo","url":"https://arbiscan.io/address/0xEC70Dcb4A1EFa46b8F2D97C310C9c4790ba5ffA8","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"rETH (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"XsWB0yJDAfMn8BH0cOXcR","url":"https://arbiscan.io/address/0x5979D7b546E38E414F7E9822514be443A4800529","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"wstETH (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"3LudxHQl48v7SLKvGdfiPn","url":"https://arbiscan.io/address/0x2f2a2543B76A4166549F7aaB2e75Bef0aefC5B0f","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"U3nduGGvNGfVtEJVTp0UH","url":"https://arbiscan.io/address/0x82aF49447D8a07e3bd95BD0d56f35241523fBab1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Arbitrum WETH)","isPrimacyOfImpact":null},{"id":"25eSlCOYCX2SJ7uTfXWi6Y","url":"https://arbiscan.io/address/0xd98Be00b5D27fc98112BdE293e487f8D4cA57d07","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDTv3 (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"2tGzXm4jxSeLQgCe9vYiKt","url":"https://arbiscan.io/address/0x698A949f3b4f7a5DdE236106F25Fa0eAcA0FcEF1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDTv3 Ext (Arbitrum 
USDT)","isPrimacyOfImpact":null},{"id":"7791TUAcJQCjqJmNSzmaYf","url":"https://arbiscan.io/address/0xb21b06D71c75973babdE35b49fFDAc3F82Ad3775","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"5zk5aT2bwoQtmmzkhxZnkM","url":"https://arbiscan.io/address/0xD10b40fF1D92e2267D099Da3509253D9Da4D715e","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"6SK5prJVtwTh5xQi2u4LPv","url":"https://arbiscan.io/address/0xe2AA5194E45B043AfdD6E98F467c0B1c13484ae9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"RFr9ENsUaVTAe2jXSt9Zd","url":"https://arbiscan.io/address/0x3fB4d38ea7EC20D91917c09591490Eeda38Cf88A","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"KpMYQDAJpHK4qNrFFIrbt","url":"https://arbiscan.io/address/0x42480C37B249e33aABaf4c22B20235656bd38068","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"6qETZkxIr0U1rLbX6Zp4PM","url":"https://arbiscan.io/address/0x88730d254A2f7e6AC8388c3198aFd694bA9f7fae","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"3KlAV9mk2lfZQAAX4YsF0T","url":"https://arbiscan.io/address/0xbdE8F31D2DdDA895264e27DD990faB3DC87b372d","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Arbitrum 
USDT)","isPrimacyOfImpact":null},{"id":"xXjBMHEhfviroi16paLN3","url":"https://arbiscan.io/address/0x354A6dA3fcde098F8389cad84b0182725c6C91dE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"7cB1v4Dl8drcwa813mVHEn","url":"https://arbiscan.io/address/0x912ce59144191c1204e64559fe8253a0e49e6548","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"ARB (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"6mpp2asz5X4V4Cp9sE91iN","url":"https://arbiscan.io/address/0x82af49447d8a07e3bd95bd0d56f35241523fbab1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"4HOcq5IS3HRFfhlXIu1JdM","url":"https://arbiscan.io/address/0x5979D7b546E38E414F7E9822514be443A4800529","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"wstETH (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"4C0j3jsRFhgeMX68aFRS6q","url":"https://arbiscan.io/address/0x2f2a2543b76a4166549f7aab2e75bef0aefc5b0f","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"19cwf1C1CaMq4jkbQYY77j","url":"https://arbiscan.io/address/0xfc5A1A6EB076a2C7aD06eD22C90d7E710E35ad0a","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"GMX (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"7DAsvG9gQS1sYW012XuzYu","url":"https://arbiscan.io/address/0xFd086bC7CD5C481DCC9C85ebE478A1C0b69FCbb9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDT (Arbitrum USDT)","isPrimacyOfImpact":null},{"id":"2XsnhfpwrPnTnb6caNwDAs","url":"https://basescan.org/address/0xb125E6687d4313864e53df431d5425969c15Eb2F","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 (Base 
USDC)","isPrimacyOfImpact":null},{"id":"YR6f0eNuBHUr7KxJWZTe3","url":"https://basescan.org/address/0x3bac64185786922292266AA92a58cf870D694E2a","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 Ext (Base USDC)","isPrimacyOfImpact":null},{"id":"6nWMxA3S67Il5cJySd4ynC","url":"https://basescan.org/address/0x45939657d1CA34A8FA39A924B71D28Fe8431e581","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Base USDC)","isPrimacyOfImpact":null},{"id":"2KJk0390t4dxv21hfgOx2m","url":"https://basescan.org/address/0xbdE8F31D2DdDA895264e27DD990faB3DC87b372d","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Base USDC)","isPrimacyOfImpact":null},{"id":"2mQkf2DecsGhuHcGGvDk9R","url":"https://basescan.org/address/0x27C348936400791b7350d80Fb81Bc61Ad68dF4AE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Base USDC)","isPrimacyOfImpact":null},{"id":"7dhmzQuvTXR1L1i1UCVic3","url":"https://basescan.org/address/0xCC3E7c85Bb0EE4f09380e041fee95a0caeDD4a02","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Base USDC)","isPrimacyOfImpact":null},{"id":"5ggavU8fbn4Vzhwu0lj4we","url":"https://basescan.org/address/0x18281dfC4d00905DA1aaA6731414EABa843c468A","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Base USDC)","isPrimacyOfImpact":null},{"id":"3GJTwcoHcutlri32A8W02A","url":"https://basescan.org/address/0x123964802e6ABabBE1Bc9547D72Ef1B69B00A6b1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Base USDC)","isPrimacyOfImpact":null},{"id":"69Iw8Ulp6U0hE0F7F7sUqB","url":"https://basescan.org/address/0x78D0677032A35c63D142a48A2037048871212a8C","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker 
(Base USDC)","isPrimacyOfImpact":null},{"id":"53gVQntx345S2mMj2G4EHF","url":"https://basescan.org/address/0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDC (Base USDC)","isPrimacyOfImpact":null},{"id":"4milpN5RPRGrqwsVUKdefX","url":"https://basescan.org/address/0x2Ae3F1Ec7F1F5012CFEab0185bfc7aa3cf0DEc22","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cbETH (Base USDC)","isPrimacyOfImpact":null},{"id":"1SPn5ovvDyWWQwjHT1KxsX","url":"https://basescan.org/address/0x9e1028F5F1D5eDE59748FFceE5532509976840E0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Base USDC)","isPrimacyOfImpact":null},{"id":"4ouaA9oE1f1MZVUr2godeQ","url":"https://basescan.org/address/0x4200000000000000000000000000000000000006","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Base USDC)","isPrimacyOfImpact":null},{"id":"6UMMlSv6OpJA0KTqKw80Ey","url":"https://basescan.org/address/0x9c4ec768c28520B50860ea7a15bd7213a9fF58bf","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDbCv3 (Base USDbC)","isPrimacyOfImpact":null},{"id":"1gsdFQKpv08rgdvQDCPCQN","url":"https://basescan.org/address/0x2F9E3953b2Ef89fA265f2a32ed9F80D00229125B","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDbCv3 Ext (Base USDbC)","isPrimacyOfImpact":null},{"id":"4cjQqsVk2g8rfmisyq8QeH","url":"https://basescan.org/address/0x45939657d1CA34A8FA39A924B71D28Fe8431e581","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Base USDbC)","isPrimacyOfImpact":null},{"id":"55d1pUecdhNQO1hNwb11qx","url":"https://basescan.org/address/0xbdE8F31D2DdDA895264e27DD990faB3DC87b372d","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Base 
USDbC)","isPrimacyOfImpact":null},{"id":"75rtNMl2Snvtc5QXVrSlqw","url":"https://basescan.org/address/0x27C348936400791b7350d80Fb81Bc61Ad68dF4AE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Base USDbC)","isPrimacyOfImpact":null},{"id":"5dS52mlCyrL63uEzKYAhyV","url":"https://basescan.org/address/0xCC3E7c85Bb0EE4f09380e041fee95a0caeDD4a02","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Base USDbC)","isPrimacyOfImpact":null},{"id":"5AkOnDVZlR16m4eQHtaIlQ","url":"https://basescan.org/address/0x18281dfC4d00905DA1aaA6731414EABa843c468A","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Base USDbC)","isPrimacyOfImpact":null},{"id":"28wawygpqRJmEynPeMvhqj","url":"https://basescan.org/address/0x123964802e6ABabBE1Bc9547D72Ef1B69B00A6b1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Base USDbC)","isPrimacyOfImpact":null},{"id":"3Pq8li0Jfa1VCNqZfeCHCR","url":"https://basescan.org/address/0x78D0677032A35c63D142a48A2037048871212a8C","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Base USDbC)","isPrimacyOfImpact":null},{"id":"4WA3ZdR7bNPhVfAlLBbKL2","url":"https://basescan.org/address/0xd9aAEc86B65D86f6A7B5B1b0c42FFA531710b6CA","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDbC (Base USDbC)","isPrimacyOfImpact":null},{"id":"6cVBH9YmnOWsXxTpD9QKdG","url":"https://basescan.org/address/0x2Ae3F1Ec7F1F5012CFEab0185bfc7aa3cf0DEc22","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cbETH (Base USDbC)","isPrimacyOfImpact":null},{"id":"7ah1u5lQ4PRh0y1arpTYhU","url":"https://basescan.org/address/0x9e1028F5F1D5eDE59748FFceE5532509976840E0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Base 
USDbC)","isPrimacyOfImpact":null},{"id":"7C4mT94eYJBwHClfrM4gel","url":"https://basescan.org/address/0x4200000000000000000000000000000000000006","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Base USDbC)","isPrimacyOfImpact":null},{"id":"2YQN7dlc8y2jQUx02AqV9Y","url":"https://basescan.org/address/0x46e6b214b524310239732D51387075E0e70970bf","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWETHv3 (Base WETH)","isPrimacyOfImpact":null},{"id":"2smEGuWQJHkoHMTSqsN1DK","url":"https://basescan.org/address/0x88bB8C109640778D3fB1074bB10a66e31F2c9c17","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWETHv3 Ext (Base WETH)","isPrimacyOfImpact":null},{"id":"wVzZlQ6l13nx54gpuWGrq","url":"https://basescan.org/address/0x45939657d1CA34A8FA39A924B71D28Fe8431e581","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Base WETH)","isPrimacyOfImpact":null},{"id":"3prZYouYSQwSzZPLfrTJy2","url":"https://basescan.org/address/0xbdE8F31D2DdDA895264e27DD990faB3DC87b372d","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Base WETH)","isPrimacyOfImpact":null},{"id":"4y5mv3PPUXPcENsAW5O8Pe","url":"https://basescan.org/address/0x27C348936400791b7350d80Fb81Bc61Ad68dF4AE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Base WETH)","isPrimacyOfImpact":null},{"id":"3ueUlGEnohMJ6THiO5Ho2s","url":"https://basescan.org/address/0xCC3E7c85Bb0EE4f09380e041fee95a0caeDD4a02","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Base WETH)","isPrimacyOfImpact":null},{"id":"4CEAFQCqjY7qVQcEBBtC2Z","url":"https://basescan.org/address/0x18281dfC4d00905DA1aaA6731414EABa843c468A","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver 
(Base WETH)","isPrimacyOfImpact":null},{"id":"2Ps3kzwbQWuMvDRBzBtHUi","url":"https://basescan.org/address/0x123964802e6ABabBE1Bc9547D72Ef1B69B00A6b1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Base WETH)","isPrimacyOfImpact":null},{"id":"2m3HCHzYzkHQoN4dV7EOh6","url":"https://basescan.org/address/0x78D0677032A35c63D142a48A2037048871212a8C","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Base WETH)","isPrimacyOfImpact":null},{"id":"7gaeaQ5iDn7Ynt36tM6zmt","url":"https://basescan.org/address/0x4200000000000000000000000000000000000006","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Base WETH)","isPrimacyOfImpact":null},{"id":"5SJcXCRITFMFOcvMYnypz5","url":"https://basescan.org/address/0x2Ae3F1Ec7F1F5012CFEab0185bfc7aa3cf0DEc22","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cbETH (Base WETH)","isPrimacyOfImpact":null},{"id":"5HRpjn0XXFHmDaJQDuRxmT","url":"https://basescan.org/address/0x9e1028F5F1D5eDE59748FFceE5532509976840E0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Base WETH)","isPrimacyOfImpact":null},{"id":"1Iio9FvCQ7nkKPiCvMcK3r","url":"https://scrollscan.com/address/0xB2f97c1Bd3bf02f5e74d13f02E3e26F93D77CE44","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 (Scroll USDC)","isPrimacyOfImpact":null},{"id":"17DbVfnbKiDefRzd48oN9H","url":"https://scrollscan.com/address/0x27E24C49f95DfF7E231eF1C2849F760cDF25a5Ad","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 Ext (Scroll USDC)","isPrimacyOfImpact":null},{"id":"4SAj1jRWmVmJG9izHR2Ooe","url":"https://scrollscan.com/address/0xECAB0bEEa3e5DEa0c35d3E69468EAC20098032D7","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Scroll 
USDC)","isPrimacyOfImpact":null},{"id":"5G6GRlWyMGxQ6eJaKChFKz","url":"https://scrollscan.com/address/0x87A27b91f4130a25E9634d23A5B8E05e342bac50","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Scroll USDC)","isPrimacyOfImpact":null},{"id":"NKyqmhzmQ1xFFrgUyJPSw","url":"https://scrollscan.com/address/0x85Bfa13eB2BC22A742Ca552566131d31677Bd41e","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Scroll USDC)","isPrimacyOfImpact":null},{"id":"5pOQE0fwUDxSu6SufNolQA","url":"https://scrollscan.com/address/0xF6013e80E9e6AC211Cc031ad1CE98B3Aa20b73E4","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Scroll USDC)","isPrimacyOfImpact":null},{"id":"5GBFoE1fMC0iPf3rE2o4O6","url":"https://scrollscan.com/address/0xC6bf5A64896D679Cf89843DbeC6c0f5d3C9b610D","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Scroll USDC)","isPrimacyOfImpact":null},{"id":"3OUnRU3VDafFNc4LIVNUhA","url":"https://scrollscan.com/address/0x70167D30964cbFDc315ECAe02441Af747bE0c5Ee","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Scroll USDC)","isPrimacyOfImpact":null},{"id":"48o1n6mXGP0qqNDsOTHPAY","url":"https://scrollscan.com/address/0x53C6D04e3EC7031105bAeA05B36cBc3C987C56fA","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Scroll USDC)","isPrimacyOfImpact":null},{"id":"W5kaKVBTfidkZ65LqOOyi","url":"https://scrollscan.com/address/0x643e160a3C3E2B7eae198f0beB1BfD2441450e86","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Scroll 
USDC)","isPrimacyOfImpact":null},{"id":"5HPHPdLEqsaRs6fe3fyQ87","url":"https://scrollscan.com/address/0x06eFdBFf2a14a7c8E15944D1F4A48F9F95F663A4","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDC (Scroll USDC)","isPrimacyOfImpact":null},{"id":"3u106pOyGWiI2oPVVniC0Q","url":"https://scrollscan.com/address/0xf610A9dfB7C89644979b4A0f27063E9e7d7Cda32","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"wstETH (Scroll USDC)","isPrimacyOfImpact":null},{"id":"E4RnR0Mucz9UyQqGqXcDU","url":"https://scrollscan.com/address/0x5300000000000000000000000000000000000004","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Scroll USDC)","isPrimacyOfImpact":null},{"id":"3H3ktqOdEPjWClCC6VpI8","url":"https://optimistic.etherscan.io/address/0x2e44e174f7D53F0212823acC11C01A11d58c5bCB","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 (Optimism USDC)","isPrimacyOfImpact":null},{"id":"4VLHstNyyVOVo0asqvA5rU","url":"https://optimistic.etherscan.io/address/0xE802a0b833f6080FEB46DD54c75444c5dba0c873","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDCv3 Ext (Optimism USDC)","isPrimacyOfImpact":null},{"id":"6J6PRmaT34MRDFcNdlRFQq","url":"https://optimistic.etherscan.io/address/0x84E93EC6170ED630f5ebD89A1AAE72d4F63f2713","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Optimism USDC)","isPrimacyOfImpact":null},{"id":"1Z7VqwdBvSm487mKFFFPpA","url":"https://optimistic.etherscan.io/address/0x3C30B5a5A04656565686f800481580Ac4E7ed178","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Optimism 
USDC)","isPrimacyOfImpact":null},{"id":"bb5TJytQTja6EGTiS4rAL","url":"https://optimistic.etherscan.io/address/0xFa454dE61b317b6535A0C462267208E8FdB89f45","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Optimism USDC)","isPrimacyOfImpact":null},{"id":"5FSRNjJwHl5TYMWBBxBLIA","url":"https://optimistic.etherscan.io/address/0xd98Be00b5D27fc98112BdE293e487f8D4cA57d07","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Optimism USDC)","isPrimacyOfImpact":null},{"id":"3dWU3qbcWB04SaPmeZWE5y","url":"https://optimistic.etherscan.io/address/0xC3a73A70d1577CD5B02da0bA91C0Afc8fA434DAF","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Optimism USDC)","isPrimacyOfImpact":null},{"id":"3l6pf571zJwD9hwzebhryU","url":"https://optimistic.etherscan.io/address/0x443EA0340cb75a160F31A440722dec7b5bc3C2E9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Optimism USDC)","isPrimacyOfImpact":null},{"id":"3EmJJSNonWcnEEe8CJG4kR","url":"https://optimistic.etherscan.io/address/0xcb3643CC8294B23171272845473dEc49739d4Ba3","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Optimism USDC)","isPrimacyOfImpact":null},{"id":"3dCySbLd1sFl2Ja9dsefiC","url":"https://optimistic.etherscan.io/address/0x4200000000000000000000000000000000000042","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"OP (Optimism USDC)","isPrimacyOfImpact":null},{"id":"4TOxyaAsSadV6vgCPnXwiK","url":"https://optimistic.etherscan.io/address/0x4200000000000000000000000000000000000006","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Optimism 
USDC)","isPrimacyOfImpact":null},{"id":"oCAbxKdgrC5wmdjuQOaUy","url":"https://optimistic.etherscan.io/address/0x68f180fcCe6836688e9084f035309E29Bf0A2095","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Optimism USDC)","isPrimacyOfImpact":null},{"id":"1TYNFZziUuOK3e3rgmYq2q","url":"https://optimistic.etherscan.io/address/0x7e7d4467112689329f7E06571eD0E8CbAd4910eE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Optimism USDC)","isPrimacyOfImpact":null},{"id":"525x98YAdxMk6uYWNBWF3N","url":"https://optimistic.etherscan.io/address/0x995E394b8B2437aC8Ce61Ee0bC610D617962B214","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDTv3 (Optimism USDT)","isPrimacyOfImpact":null},{"id":"1IZOdZ2z5ygXSooCMnr7Qk","url":"https://optimistic.etherscan.io/address/0xC49399814452B41dA8a7cd76a159f5515cb3e493","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDTv3 Ext (Optimism USDT)","isPrimacyOfImpact":null},{"id":"DPrlLAAup5gPpuf4FwVCL","url":"https://optimistic.etherscan.io/address/0x84E93EC6170ED630f5ebD89A1AAE72d4F63f2713","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Optimism USDT)","isPrimacyOfImpact":null},{"id":"5bJuNoFDpGGnZGaJhVNSex","url":"https://optimistic.etherscan.io/address/0x3C30B5a5A04656565686f800481580Ac4E7ed178","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Optimism USDT)","isPrimacyOfImpact":null},{"id":"19OEakbN5amuiilV90nuIu","url":"https://optimistic.etherscan.io/address/0xFa454dE61b317b6535A0C462267208E8FdB89f45","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Optimism 
USDT)","isPrimacyOfImpact":null},{"id":"v46xpCsVMRfkC7GpA7YWV","url":"https://optimistic.etherscan.io/address/0xd98Be00b5D27fc98112BdE293e487f8D4cA57d07","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Optimism USDT)","isPrimacyOfImpact":null},{"id":"1SAO5fUZcc8bFSklwvMen6","url":"https://optimistic.etherscan.io/address/0xC3a73A70d1577CD5B02da0bA91C0Afc8fA434DAF","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Optimism USDT)","isPrimacyOfImpact":null},{"id":"1DHmKtS4Np8guKPPeBt87k","url":"https://optimistic.etherscan.io/address/0x443EA0340cb75a160F31A440722dec7b5bc3C2E9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Optimism USDT)","isPrimacyOfImpact":null},{"id":"7kLWzqnJX1SW3hnoBQ3zES","url":"https://optimistic.etherscan.io/address/0xcb3643CC8294B23171272845473dEc49739d4Ba3","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Optimism USDT)","isPrimacyOfImpact":null},{"id":"6Z0At4a5CJoU8in1EsJW7x","url":"https://optimistic.etherscan.io/address/0x7e7d4467112689329f7E06571eD0E8CbAd4910eE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Optimism USDT)","isPrimacyOfImpact":null},{"id":"2g9S2vnPmNDj598o456y4J","url":"https://optimistic.etherscan.io/address/0x4200000000000000000000000000000000000042","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"OP (Optimism USDT)","isPrimacyOfImpact":null},{"id":"7kmTtIUUikP9LjjPYRR11e","url":"https://optimistic.etherscan.io/address/0x4200000000000000000000000000000000000006","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Optimism 
USDT)","isPrimacyOfImpact":null},{"id":"69fvtNGM7xMJNwG9SBYmOX","url":"https://optimistic.etherscan.io/address/0x68f180fcCe6836688e9084f035309E29Bf0A2095","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Optimism USDT)","isPrimacyOfImpact":null},{"id":"4MQusXARxaPyLIzgneqpK9","url":"https://optimistic.etherscan.io/address/0x94b008aA00579c1307B0EF2c499aD98a8ce58e58","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"USDT (Optimism USDT)","isPrimacyOfImpact":null},{"id":"4N4kmvj8LlnT9X85Crj9nj","url":"https://optimistic.etherscan.io/address/0xE36A30D249f7761327fd973001A32010b521b6Fd","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWETHv3 (Optimism WETH)","isPrimacyOfImpact":null},{"id":"4mdjwTeceLUAgfHBE3YWrt","url":"https://optimistic.etherscan.io/address/0x82B8d9A06ccABC1e9B0c0A00f38B858E6925CF2f","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWETHv3 Ext (Optimism WETH)","isPrimacyOfImpact":null},{"id":"1sSjgVbJN0xLekBd81Nhp8","url":"https://optimistic.etherscan.io/address/0x84E93EC6170ED630f5ebD89A1AAE72d4F63f2713","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator (Optimism WETH)","isPrimacyOfImpact":null},{"id":"35rxbryhqbbnFUOjtGq5tG","url":"https://optimistic.etherscan.io/address/0x3870FAc3De911c12A57E5a2532D15aD8Ca275A60","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Configurator Implementation (Optimism WETH)","isPrimacyOfImpact":null},{"id":"7E3YwrTJrKkKLfJxBuCujR","url":"https://optimistic.etherscan.io/address/0x3C30B5a5A04656565686f800481580Ac4E7ed178","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Proxy Admin (Optimism 
WETH)","isPrimacyOfImpact":null},{"id":"1Iwx9cFI0F0HzTbOMBWEZl","url":"https://optimistic.etherscan.io/address/0xFa454dE61b317b6535A0C462267208E8FdB89f45","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comet Factory (Optimism WETH)","isPrimacyOfImpact":null},{"id":"6gcjy5WuU5YTDUEsm6i1IL","url":"https://optimistic.etherscan.io/address/0xd98Be00b5D27fc98112BdE293e487f8D4cA57d07","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (Optimism WETH)","isPrimacyOfImpact":null},{"id":"3DCv8t128NjRW6Dxi7tBfi","url":"https://optimistic.etherscan.io/address/0xC3a73A70d1577CD5B02da0bA91C0Afc8fA434DAF","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bridge Receiver (Optimism WETH)","isPrimacyOfImpact":null},{"id":"2kAF3DqidlQtdEZ0L5HNa3","url":"https://optimistic.etherscan.io/address/0x443EA0340cb75a160F31A440722dec7b5bc3C2E9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Rewards (Optimism WETH)","isPrimacyOfImpact":null},{"id":"4N9lpI2gmNnGnds16GO5dq","url":"https://optimistic.etherscan.io/address/0xcb3643CC8294B23171272845473dEc49739d4Ba3","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Bulker (Optimism WETH)","isPrimacyOfImpact":null},{"id":"4YajZGwobwiYpF35VgQ7vw","url":"https://optimistic.etherscan.io/address/0x7e7d4467112689329f7E06571eD0E8CbAd4910eE","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"COMP (Optimism WETH)","isPrimacyOfImpact":null},{"id":"5A2lnudZVrmrWQYIKoFSxa","url":"https://optimistic.etherscan.io/address/0x1F32b1c2345538c0c6f582fCB022739c4A194Ebb","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"wstETH (Optimism 
WETH)","isPrimacyOfImpact":null},{"id":"A9B3n8jgmErW2pMj4aTAz","url":"https://optimistic.etherscan.io/address/0x9Bcef72be871e61ED4fBbc7630889beE758eb81D","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"rETH (Optimism WETH)","isPrimacyOfImpact":null},{"id":"21e54hJOhQe9DVSpdjd5Ly","url":"https://optimistic.etherscan.io/address/0x68f180fcCe6836688e9084f035309E29Bf0A2095","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WBTC (Optimism WETH)","isPrimacyOfImpact":null},{"id":"2N0qbUKkJXff6jVjmgo6oQ","url":"https://optimistic.etherscan.io/address/0x4200000000000000000000000000000000000006","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"WETH (Optimism WETH)","isPrimacyOfImpact":null},{"id":"70b0UiKJ7jDPYRSAgosDGR","url":"https://etherscan.io/address/0xe65cdB6479BaC1e22340E4E755fAE7E509EcD06c","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cAAVE (V2)","isPrimacyOfImpact":null},{"id":"452KpMfgpCwo7i9WpAXlqH","url":"https://etherscan.io/address/0x6C8c6b02E7b2BE14d4fA6022Dfd6d75921D90E4E","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cBAT (V2)","isPrimacyOfImpact":null},{"id":"1CSWBFcaVwQrwYvQiQbIy1","url":"https://etherscan.io/address/0x70e36f6BF80a52b3B46b3aF8e106CC0ed743E8e4","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cCOMP (V2)","isPrimacyOfImpact":null},{"id":"4zvUcrBmM5YgpOmVaxev2I","url":"https://etherscan.io/address/0x5d3a536E4D6DbD6114cc1Ead35777bAB948E3643","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cDAI (V2)","isPrimacyOfImpact":null},{"id":"4hOjyXK1vbqt6j8ymbDwc6","url":"https://etherscan.io/address/0x4Ddc2D193948926D02f9B1fE9e1daa0718270ED5","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cETH 
(V2)","isPrimacyOfImpact":null},{"id":"4cTMtWL8QO5DgyQN4dn1o6","url":"https://etherscan.io/address/0x7713DD9Ca933848F6819F38B8352D9A15EA73F67","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cFEI (V2)","isPrimacyOfImpact":null},{"id":"sGLDa4Bx8du1ajM4FT9ME","url":"https://etherscan.io/address/0xFAce851a4921ce59e912d19329929CE6da6EB0c7","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cLINK (V2)","isPrimacyOfImpact":null},{"id":"FqBv6AQYL8Sm2A8fZphdP","url":"https://etherscan.io/address/0x95b4eF2869eBD94BEb4eEE400a99824BF5DC325b","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cMKR (V2)","isPrimacyOfImpact":null},{"id":"67OZheLoTzOeMH1GIgc5FN","url":"https://etherscan.io/address/0x158079Ee67Fce2f58472A96584A73C7Ab9AC95c1","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cREP (V2)","isPrimacyOfImpact":null},{"id":"226zJNDzUsyNOlbZdzxmPB","url":"https://etherscan.io/address/0xF5DCe57282A584D2746FaF1593d3121Fcac444dC","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cSAI (V2)","isPrimacyOfImpact":null},{"id":"19GGRl85uBNqiraFawtIjq","url":"https://etherscan.io/address/0x4B0181102A0112A2ef11AbEE5563bb4a3176c9d7","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cSUSHI (V2)","isPrimacyOfImpact":null},{"id":"4vEQSsOuEoxcyWs58VAnSl","url":"https://etherscan.io/address/0x12392F67bdf24faE0AF363c24aC620a2f67DAd86","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cTUSD (V2)","isPrimacyOfImpact":null},{"id":"pmtDPNn6j9EWBYRRYcrI0","url":"https://etherscan.io/address/0x35A18000230DA775CAc24873d00Ff85BccdeD550","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUNI 
(V2)","isPrimacyOfImpact":null},{"id":"53vAFUsPD7X8yPR7HCuRpY","url":"https://etherscan.io/address/0x39AA39c021dfbaE8faC545936693aC917d5E7563","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDC (V2)","isPrimacyOfImpact":null},{"id":"6voMJpOUgXDn05e2rFGhyA","url":"https://etherscan.io/address/0x041171993284df560249B57358F931D9eB7b925D","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDP (V2)","isPrimacyOfImpact":null},{"id":"FYAxsGcQgNEFvsvZc9Nyb","url":"https://etherscan.io/address/0xf650C3d88D12dB855b8bf7D11Be6C55A4e07dCC9","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cUSDT (V2)","isPrimacyOfImpact":null},{"id":"43nBiIfZbxFH7X8WGhQeX1","url":"https://etherscan.io/address/0xC11b1268C1A384e55C48c2391d8d480264A3A7F4","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWBTC (V2)","isPrimacyOfImpact":null},{"id":"4OrlTtSLhKjJSbQ4fs2Nkb","url":"https://etherscan.io/address/0xccF4429DB6322D5C611ee964527D42E5d685DD6a","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cWBTC2 (V2)","isPrimacyOfImpact":null},{"id":"1y5ARr158ek39jUnindXHh","url":"https://etherscan.io/address/0x80a2AE356fc9ef4305676f7a3E2Ed04e12C33946","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cYFI (V2)","isPrimacyOfImpact":null},{"id":"2QRDscObXykERkcKeNt8aW","url":"https://etherscan.io/address/0xB3319f5D18Bc0D84dD1b4825Dcde5d5f7266d407","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"cZRX (V2)","isPrimacyOfImpact":null},{"id":"enxPx7LtI6zgESzEhaN5D","url":"https://etherscan.io/address/0x3d9819210A31b4961b30EF54bE2aeD79B9c9Cd3B","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Comptroller 
(V2)","isPrimacyOfImpact":null},{"id":"oaEqEJBTtDe74RJuHLCn2","url":"https://etherscan.io/address/0x309a862bbC1A00e45506cB8A802D1ff10004c8C0","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":2,"description":"Governance (V2)","isPrimacyOfImpact":null},{"id":"19lJCOUD1TfdyAvlBmfPOB","url":"https://etherscan.io/address/0x6d903f6003cca6255D85CcA4D3B5E5146dC33925","type":"smart_contract","addedAt":"2024-12-11T16:28:00.000Z","revision":1,"description":"Timelock (V2)","isPrimacyOfImpact":null}],"assetsBodyV2":"Vulnerabilities caused by the effective changes made by the pull request listed in this table are considered as within scope of the bug bounty program, in addition to bugs in the changes themselves. \n\nVulnerabilities affecting any testnet components are not considered in-scope for this bug bounty program. Only mainnet components are considered as in-scope.\n\nFor reference, further details about these changes can be found here - [https://www.comp.xyz/t/safety-and-gas-patches/1723](https://www.comp.xyz/t/safety-and-gas-patches/1723) \n\n__Terms and Conditions__\n\n- To be eligible for bug bounty reward consideration, you must:\n\n  - Be at least 18 years of age.\n  - Be reporting in an individual capacity, or if employed by a company, reporting with the company’s written approval to submit a disclosure to Compound Labs.\n  - Not be subject to US sanctions or reside in a US-embargoed country.\n  - Not be a current or former Compound Labs employee, vendor, contractor, or employee of a Compound vendor or contractor.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Elite","Managed Triage: Expert Assessment","Safe Harbor Documents 
Signed"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-12-11T16:28:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5pzaBv2Ygrx3DN9sctxd0a/dcb98ece577d2c0ac8b6ea637e9a3069/Compound.png","maxBounty":1000000,"pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces","productType":["Lending"],"programOverview":"Compound is a protocol on the Ethereum blockchain that establishes money markets, which are pools of assets with algorithmically derived interest rates, based on the supply and demand for the asset. Suppliers (and borrowers) of an asset interact directly with the protocol, earning (and paying) a floating interest rate, without having to negotiate terms such as maturity, interest rate, or collateral with a peer or counterparty. 
\n\nEach money market is unique to an Ethereum asset (such as Ether, an ERC-20 stablecoin such as DAI, or an ERC-20 utility token such as Augur), and contains a transparent and publicly-inspectable ledger, with a record of all transactions and historical interest rates.\n\nCompound III is an EVM compatible protocol that enables supplying of crypto assets as collateral in order to borrow the base asset. Accounts can also earn interest by supplying the base asset to the protocol.\n\nThe initial deployment of Compound III is on Ethereum and the base asset is USDC.\n\nFor more information about Compound Finance, please visit [https://compound.finance/](https://compound.finance/)\n\nCompound DAO provides rewards in COMP, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__Governance-Run Program__\n\nThough Immunefi considers any processes around fixing the bug report to be outside the consideration of payments, it is understood that this needs to be accounted for in a DAO environment. Specifically, fixes may take more time to be implemented, and need to be fully deployed before payouts can be made due to the payment process being more transparent with DAO processes. For example, if a payout process is initiated while a bug still has not been fixed, it may provide enough information for one or more people to find the vulnerability and exploit it. Because of this, payments may be delayed until a discovered bug has been appropriately addressed.\n\nGiven the extensive DAO proposal process, all validated bug reports will be grouped into a proposal at the end of each calendar month to reduce the burden on the DAO, as well as to streamline reporting for the bug bounty program. 
This monthly proposal will go over each bug report due for payout and explain the impacted asset or assets, the severity level, and the actions being taken by the respective people and entities mandated by the DAO.\n\nImmunefi’s onchain proposal for Compound’s bug bounty program and monthly proposals are sponsored by PGov.  PGov's delegate profile and contributions can be found here: [https://www.tally.xyz/gov/compound/delegate/0x3fb19771947072629c8eee7995a2ef23b72d4c8a](https://www.tally.xyz/gov/compound/delegate/0x3fb19771947072629c8eee7995a2ef23b72d4c8a)\n\n__KYC Requirement__\n\nImmunefi will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n- Eligibility Criteria\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nCompound DAO adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n\n__Previous Audits__\n\nCompound Finance’s completed audit reports can be found listed below. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n- https://docs.compound.finance/v2/security/\n- https://docs.compound.finance/#security\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Compound Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"Compound Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 1 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of **USD 10 000** to **USD 50 000** depending on the funds at risk, capped at the maximum high reward.  \n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the **Compound DAO** directly and are denominated in **USD**. 
However, payments are done in **COMP**\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"compoundfinance","tenPercentEconomicRule":false,"updatedDate":"2025-07-16T16:23:39.680Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Compound is a protocol on the Ethereum blockchain that establishes money markets, which are pools of assets with algorithmically derived interest rates, based on the supply and demand for the asset. Suppliers (and borrowers) of an asset interact directly with the protocol, earning (and paying) a floating interest rate, without having to negotiate terms such as maturity, interest rate, or collateral with a peer or counterparty. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"","customProhibitedActivities":["Interacting with accounts that you do not own"],"impacts":[{"id":5255,"type":"smart_contract","severity":"medium","title":"Theft of coins or tokens (e.g gas) in a smart contract intended for transaction fees"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"id":32457,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":32458,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":32459,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":32460,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"BKeTpvmx1etNqTbH16PHK","url":"https://github.com/trailofbits/publications/blob/master/reviews/compound-2.pdf","auditor":"Trail of Bits","date":"2019-04-08"},{"id":"24Ziu2BytlvXcjDrzmNkQg","url":"https://blog.openzeppelin.com/compound-audit","auditor":"OpenZeppelin","date":"2019-08-23"},{"id":"5S3oj2SCkEojQfgXTQWPoa","url":"https://github.com/trailofbits/publications/blob/master/reviews/compound-3.pdf","auditor":"Trail of Bits","date":"2019-08-16"},{"id":"2uX2ZIg0dLjPa7FKGKxHrc","url":"https://blog.openzeppelin.com/compound-finance-patch-audit","auditor":"OpenZeppelin","date":"2019-10-23"},{"id":"5xR86IWqnRhZ6h5yIC651","url":"https://blog.openzeppelin.com/compound-finance-mcd-dsr-integration","auditor":"OpenZeppelin","date":"2020-02-09"},{"id":"ZDi3S5YCpWDEumJ2HaAnf","url":"https://blog.openzeppelin.com/compound-alpha-governance-system-audit","auditor":"OpenZeppelin","date":"2020-02-25"},{"id":"4M7sf1uYG55buoUetlqFOs","url":"https://github.com/trailofbits/publications/blob/master/reviews/compound-governance.pdf","auditor":"Trail of 
Bits","date":"2020-02-28"},{"id":"1RKM23nQFlCSWvOTa3jrZS","url":"https://blog.openzeppelin.com/compound-tether-integration-audit","auditor":"OpenZeppelin","date":"2020-04-26"},{"id":"730E8lpHgUW2sPjhpSSdCi","url":"https://blog.openzeppelin.com/compound-comp-distribution-system-audit","auditor":"OpenZeppelin","date":"2020-05-22"},{"id":"mkahUVAuvRKFrGt7ncQkB","url":"https://blog.openzeppelin.com/compound-iii-audit","auditor":"OpenZeppelin","date":"2022-07-20"},{"id":"4kBR3HYqMmO62fZDUHEaQS","url":"https://www.chainsecurity.com/security-audit/compound-iii","auditor":"ChainSecurity","date":"2022-04-29"}]},{"assets":[{"id":"2tFRLegMycUYKhYOgjYTvX","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.stacking-dao-core-v6?chain=mainnet","type":"smart_contract","addedAt":"2025-07-16T12:16:50.178Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.stacking-dao-core-v6","isPrimacyOfImpact":null},{"id":"2PVdqYXODCQtKtkpxyOr5Y","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.stacking-dao-core-btc-v3?chain=mainnet","type":"smart_contract","addedAt":"2025-07-16T12:16:50.212Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.stacking-dao-core-btc-v3","isPrimacyOfImpact":null},{"id":"18X9fgO9ByyE804ccIdwuT","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.direct-helpers-v4?chain=mainnet","type":"smart_contract","addedAt":"2025-07-10T16:16:47.401Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.direct-helpers-v4","isPrimacyOfImpact":null},{"id":"1DWQQVvDyeFV90ffdkiFub","url":"https://www.immunefi.com","type":"smart_contract","addedAt":"2024-02-05T06:05:36.227Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"1OQmpDvHiHJiYOnVzUluTP","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.data-core-v2?chain=mainnet","type":"smart_contract","addedAt":"2025-07-10T16:18:32.475Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.data-core-v2","isPrimacyOfImpact":null},{"id":"1R7jTSFQTn39CzLQHvuHHr","url":"https://explorer.hiro.so/txid/0x439483828f458a5c72a1898c819e1ee62f43a262489fa4a08f26d232eb5a0f68?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T17:03:52.382Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.stacking-pool-v1","isPrimacyOfImpact":null},{"id":"1pyMd9d2OurGR8yyoUGI7s","url":"https://app.stackingdao.com/","type":"websites_and_applications","addedAt":"2024-05-15T16:58:58.107Z","revision":1,"description":"dApp","isPrimacyOfImpact":null},{"id":"1yRWzTP5pgmE4klVU6HXF6","url":"https://www.immunefi.com","type":"websites_and_applications","addedAt":"2024-02-05T06:05:34.526Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"25ECIRTuntmjGzJ5wH2zrW","url":"https://explorer.hiro.so/txid/0xf449cb7b70d1fc587b40736edbf70d934f672b6ee940ae3186ab446cf96d0bce?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T17:03:33.828Z","revision":2,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.strategy-v4","isPrimacyOfImpact":null},{"id":"2uFG0rHdIslkI5ceVzpg2l","url":"https://explorer.hiro.so/txid/0x824030341f2e82b00a5777d03cd86c8cb11a82c605cadc415240d49b0a99682d?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T17:02:49.317Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.data-pools-v1","isPrimacyOfImpact":null},{"id":"31U5LD887PqNFL9H2wJzgi","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.data-core-v3?chain=mainnet","type":"smart_contract","addedAt":"2025-07-10T16:18:46.071Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.data-core-v3","isPrimacyOfImpact":null},{"id":"32IfNtZVcM6u9z1shO1PYL","url":"https://explorer.hiro.so/txid/0xf6084195bbd035eafe1a1e1ef292aff54b594b8b5e7b33e2ec19cfae9c3ae657?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T16:59:48.215Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.dao","isPrimacyOfImpact":null},{"id":"3b0UbEM35VTp6QPqWqKtUK","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.ststxbtc-tracking-data-v2?chain=mainnet","type":"smart_contract","addedAt":"2025-07-10T16:17:55.532Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.ststxbtc-tracking-data-v2","isPrimacyOfImpact":null},{"id":"481i2bnrdD7Tyj7NesSjzA","url":"https://explorer.hiro.so/txid/0xe8fb4c8035f241f9679bef10214fb45cf4eb4ff6e82ad54b9355ae49829882e9?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T16:59:14.354Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.ststx-token","isPrimacyOfImpact":null},{"id":"4D8wx4hiivwR96FjmGizhP","url":"https://explorer.h
iro.so/txid/0x7b6606c25b4450046c2330f8a97b589d71d86f4e89fbc6be2995f2e917e081a9?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T17:00:37.770Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.data-core-v1","isPrimacyOfImpact":null},{"id":"59T3cfG3jhRfsHmMdDGOYA","url":"https://explorer.hiro.so/txid/0x25a741ea61f690e3981776419d61c9288af2748e367819f7c5db21c18f68d086?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T17:00:04.091Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.reserve-v1","isPrimacyOfImpact":null},{"id":"5rD8S5rtVwNelpsUBrrlOo","url":"https://explorer.hiro.so/txid/0x08cc59e2bd65bb2b33e1df3b89ae556aaa596f206cadede758e9b7ff49aec0ac?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T17:02:16.013Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.data-direct-stacking-v1","isPrimacyOfImpact":null},{"id":"6tYoqDF4MwGXQxFlmPbDTS","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.ststxbtc-token-v2?chain=mainnet","type":"smart_contract","addedAt":"2025-07-10T16:17:44.085Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.ststxbtc-token-v2","isPrimacyOfImpact":null},{"id":"7aU8MEJgBrIYJo9DeaGqPp","url":"https://explorer.hiro.so/txid/0x0e4b2fc94f8eb539d4b5809ac3aae62c74f6227b53650f76ed8de4c3af595b67?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T17:03:18.650Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.delegates-handler-v1","isPrimacyOfImpact":null},{"id":"7mj7DVT19RUSd4HrDcqICi","url":"https://explorer.hiro.so/txid/0x063effbc12b5acabda46a1b8e1838ecf9dd20a9ebe74c3b37d24fa3574a84e1a?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T17:00:20.470Z","revision":2,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.commission-v2","isPrimacyOfImpact":null},{"id":"7mwrHUMojRVJa1q5txKQov","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.swap-ststx-s
tstxbtc-v2?chain=mainnet","type":"smart_contract","addedAt":"2025-07-10T16:18:56.849Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.swap-ststx-ststxbtc-v2","isPrimacyOfImpact":null},{"id":"Gj9jFcZlBeSEXeAMcIQGj","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.ststxbtc-tracking-v2?chain=mainnet","type":"smart_contract","addedAt":"2025-07-10T16:18:06.605Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.ststxbtc-tracking-v2","isPrimacyOfImpact":null},{"id":"Pq0cQKvCtn85XdW5ABZjL","url":"https://explorer.hiro.so/txid/0x93eca4e7dbafe6c47aa068dbde46344e94a6c3dc57fa2abb827bbe7c5c05154d?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T16:59:31.990Z","revision":2,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.ststx-withdraw-nft-v2","isPrimacyOfImpact":null},{"id":"an2ohZ71mLDkYGEWhGZaC","url":"https://explorer.hiro.so/txid/0x85aa5ddea931b4dc5cd1de4cf706bf6d8756f7992f112bc601d5b879b121a0b1?chain=mainnet","type":"smart_contract","addedAt":"2024-05-15T17:04:07.073Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.stacking-delegate-1-1","isPrimacyOfImpact":null},{"id":"jZY64XzVRNFyPEHg7mamb","url":"https://explorer.hiro.so/txid/SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.rewards-v5?chain=mainnet","type":"smart_contract","addedAt":"2025-07-10T16:17:30.939Z","revision":1,"description":"SP4SZE494VC2YC5JYG7AYFQ44F5Q4PYV7DVMDPBG.rewards-v5","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Stacks"],"endDate":null,"evaluationEndDate":null,"features":["Arbitration","Vault","Subscription Plan: 
Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Clarity"],"launchDate":"2024-02-04T20:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3c1wyuX1YyOb70NlbRzfMY/504a03b8588b17c5b060319414d37d6b/StackingDAO_logo_copy.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts__\n\n__Critical__\n  - Any governance voting result manipulation\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Miner-extractable value (MEV)\n  - Insolvency\n  - Theft of unclaimed yield\n\n__High__\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds for a minimum period of 24 hours\n\n__Medium__\n  - Smart contract unable to operate due to lack of funds \n  - Block stuffing for profit\n  - Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)\n  - Theft of gas\n  - Unbounded gas consumption \n\n__Low__\n  - Smart contract fails to deliver promised returns, but doesn’t lose value\n\n__Websites and Applications__\n\n__Critical__\n  - Ability to execute system commands\n  - Extract Sensitive data/files from the server such as /etc/passwd\n  - Stealing User Cookies\n  - Signing transactions for other users\n  - Redirection of user deposits and withdrawals\n  - Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)\n  - Wallet interaction modification resulting in financial loss\n  - Direct theft of user funds \n  - Tampering with transactions submitted to the user’s wallet\n  - Submitting malicious transactions to an already-connected wallet\n\n__High__\n  - Spoofing content on the target application (Persistent)\n  - Users Confidential information disclosure such as Email\n  - Subdomain Takeover without financial loss (applicable for subdomains with no addresses published)\n  - Privilege escalation to access unauthorized functionalities\n\n__Medium__\n  - Changing details of other users without direct financial impact (CSRF)\n  - Third-Party API keys leakage that demonstrates loss of funds or modification on the website.\n  - Redirecting users to malicious websites (Open Redirect)\n  - Taking Down the application/website\n\n__Low__\n  - Framing sensitive pages leading to financial loss (ClickJacking)\n  - Any impact involving a publicly released CVE without a working PoC\n  - Broken Link Hijacking\n\nIn case of discrepancy between [Immunefi Vulnerability Severity Classification System V2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2/) and Lido on Polygon’s classification above, Lido on Polygon’s classification will be followed.","productType":["DEX","Bug bounty","Staking"],"programOverview":"Stacking DAO provides liquid staking on Stacks. 
Unlock your STX with stSTX, the most integrated liquid stacking token in the Stacks ecosystem\n\nFor more information about StackingDAO, please visit [https://www.stackingdao.com/](https://www.stackingdao.com/).  \n\nStackingDAO provides rewards in __USDC on Ethereum Network__, denominated in __USD__. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__Primacy of Impact vs Primacy of Rules__\n\nStackingDAO adheres to the Primacy of Impact for the following impacts:\n\n  - Smart Contracts, Critical severity\n  - Smart Contracts, High severity\n  - Web/App, Critical severity\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact). \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n\n__Previous Audits__\n\nStackingDAO’s completed audit reports can be found at [Stacking-DAO-Audit-2023-11.pdf](https://drive.google.com/file/d/1m-Odj3ZM7nDZFeeLUckpuzrTKat2k14V/view?usp=sharing). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, StackingDAO has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract","Websites and Applications"],"project":"StackingDAO","projectType":["Defi","Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is __10%__ of the funds directly affected up to a maximum of __USD 100,000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of __USD 20,000__ is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n  - If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n  - For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n  - High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of __USD 1,000 to 20,000__ depending on the funds at risk, capped at the maximum high reward.  \n\n  - In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. 
Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nFor critical web/apps bug reports will be rewarded with __USD 25,000__, only if the impact leads to:\n\n  - A loss of funds involving an attack that does not require any user action\n  - Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of __USD 5,000__. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the __StackingDAO__ team directly and are denominated in __USD__. However, payments are done in __USDC on Ethereum Network__. \n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"stackingdao","updatedDate":"2025-07-16T12:17:01.393Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Stacking DAO provides liquid staking on Stacks. Unlock your STX with stSTX, the most integrated liquid stacking token in the Stacks ecosystem","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or 
NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":4730,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information Commenting Voting Making trades Withdrawals, etc"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4731,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters Substituting contract addresses Submitting malicious transactions"}],"rewards":[{"id":32374,"severity":"critical","assetType":"smart_contract","maxReward":100000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":32375,"severity":"high","assetType":"smart_contract","maxReward":20000,"rewardModel":"up_to"},{"id":32376,"severity":"critical","assetType":"websites_and_applications","maxReward":25000,"rewardModel":"up_to"}],"audits":[{"id":"3UqU6Tv2LZShkGqlRhcaQ3","url":"https://github.com/StackingDAO/contracts/blob/main/audits/CoinFabrik-2023-11.pdf","auditor":"CoinFabrik","date":"2024-11-30"},{"id":"6HOru79i5NOM0InzD5DSUx","url":"https://github.com/StackingDAO/contracts/blob/main/audits/ClarityAlliance-2024-11.pdf","auditor":"ClarityAlliance","date":"2024-11-06"}]},{"assets":[{"id":"1UflqcBYMc3Ec16cUWU81L","url":"https://app.metronome.io/","type":"websites_and_applications","addedAt":"2023-02-21T21:00:00.000Z","revision":1,"description":"Metronome 
dApp","isPrimacyOfImpact":null},{"id":"1HM9HbP4xhZE7MUGBd39Ad","url":"https://etherscan.io/address/0x82Ed3Fc9D93112124B04B6C7B35394A5AbA8af39","type":"smart_contract","addedAt":"2025-07-02T14:22:42.282Z","revision":1,"description":"AMO","isPrimacyOfImpact":null},{"id":"4YG7XQO2TdhyMGC0oxYKic","url":"https://etherscan.io/address/0x8BD81c99a2D349F6fB8E8a0B32C81704e3FE7302","type":"smart_contract","addedAt":"2025-07-02T14:23:01.653Z","revision":1,"description":"CrossChainDispatcher","isPrimacyOfImpact":null},{"id":"7CYh2vGNaT0auSS9aP7nHf","url":"https://etherscan.io/address/0x1f9732B84e22E936cFc2FF6F2d4994097DCCC93e","type":"smart_contract","addedAt":"2025-07-02T14:23:31.986Z","revision":1,"description":"DAIDepositToken","isPrimacyOfImpact":null},{"id":"7mIlllQvivcJ0F5tWlcru5","url":"https://etherscan.io/address/0x6e452fD473A0D79A1214511aF0DDEbDb3d00aAde","type":"smart_contract","addedAt":"2025-07-02T14:23:49.154Z","revision":1,"description":"DebtToken","isPrimacyOfImpact":null},{"id":"6qm7JdTapaSyLy9gSZMDmh","url":"https://etherscan.io/address/0x2A464773816CE3C827AcC772476Aa63fBe8F8C32","type":"smart_contract","addedAt":"2025-07-02T14:24:05.945Z","revision":1,"description":"DepositToken","isPrimacyOfImpact":null},{"id":"2vCtcEctrtd4dsY9jtZS61","url":"https://etherscan.io/address/0x608249cc11728E3b978f7B27F1EA13F607D484EF","type":"smart_contract","addedAt":"2025-07-02T14:24:24.394Z","revision":1,"description":"FRAXDepositToken","isPrimacyOfImpact":null},{"id":"29rGzEDw8ki0hMc8m9Imvd","url":"https://etherscan.io/address/0x9b6079607038257FDb6be657AA73B18d053cA1FE","type":"smart_contract","addedAt":"2025-07-02T14:24:39.490Z","revision":1,"description":"FeeProvider","isPrimacyOfImpact":null},{"id":"3WNtS0k8EdMbMBOghVwx4Q","url":"https://etherscan.io/address/0x6b53C16B94c1502C661140073ed522aC7Dbc5E5E","type":"smart_contract","addedAt":"2025-07-02T14:24:55.843Z","revision":1,"description":"FeeProvider","isPrimacyOfImpact":null},{"id":"3udd1g4LMDWqjyex4h9h9u","url":"https://e
therscan.io/address/0xB93f48D3eA42a25f367fAde092A6Bb56DAB5F7cB","type":"smart_contract","addedAt":"2025-07-02T14:25:23.342Z","revision":1,"description":"MsBTCDebt","isPrimacyOfImpact":null},{"id":"4MDWdvcpJSXo8CaRuhr4bS","url":"https://etherscan.io/address/0x8b4F8aD3801B4015Dea6DA1D36f063Cbf4e231c7","type":"smart_contract","addedAt":"2025-07-02T14:25:49.143Z","revision":1,"description":"MsBTCSynthetic","isPrimacyOfImpact":null},{"id":"6PkqCyleuP3vUZeWQ4ZKSr","url":"https://etherscan.io/address/0xF43de8E0c2596E30c77d69d158842D1d9B937D7c","type":"smart_contract","addedAt":"2025-07-02T14:26:09.216Z","revision":1,"description":"MsETHDebt","isPrimacyOfImpact":null},{"id":"4vyI15OLajc6NOI4sGB1jI","url":"https://etherscan.io/address/0x5c574153B195AE284C063a84fB9C73d9fd37955F","type":"smart_contract","addedAt":"2025-07-02T14:26:28.088Z","revision":1,"description":"MsETHProxyOFT","isPrimacyOfImpact":null},{"id":"4zwiwvIZoajTHrrdY8VNSz","url":"https://etherscan.io/address/0x64351fC9810aDAd17A690E4e1717Df5e7e085160","type":"smart_contract","addedAt":"2025-07-02T14:26:43.985Z","revision":1,"description":"MsETHSynthetic","isPrimacyOfImpact":null},{"id":"5DWow3b4OYB5cuDkmZ0xLH","url":"https://etherscan.io/address/0x480e3178Fa102dF852643d47CAbdb9adf5dB0174","type":"smart_contract","addedAt":"2025-07-02T14:26:57.532Z","revision":1,"description":"MsUSDDebt","isPrimacyOfImpact":null},{"id":"5gRMLwc4hGIdyYTOS3eKiy","url":"https://etherscan.io/address/0xF37982E3F33ac007C690eD6266F3402d24aA27Ea","type":"smart_contract","addedAt":"2025-07-02T14:27:14.084Z","revision":1,"description":"MsUSDProxyOFT","isPrimacyOfImpact":null},{"id":"ZEcAgqjnYRm4r7TAWU6eJ","url":"https://etherscan.io/address/0xab5eB14c09D416F0aC63661E57EDB7AEcDb9BEfA","type":"smart_contract","addedAt":"2025-07-02T14:38:09.084Z","revision":1,"description":"MsUSDSynthetic","isPrimacyOfImpact":null},{"id":"6SbA4RfvMjPhI2zltcCS1M","url":"https://etherscan.io/address/0x10DA15606f98a9c12D1f7e62d88e123D164E1Ce1","type":"smart_cont
ract","addedAt":"2025-07-02T14:38:30.705Z","revision":1,"description":"NativeTokenGateway","isPrimacyOfImpact":null},{"id":"12O6qWotc5sEtJFxfw0cNv","url":"https://etherscan.io/address/0x3364f53cB866762Aef66DeEF2a6b1a17C1F17f46","type":"smart_contract","addedAt":"2025-07-02T14:38:47.902Z","revision":1,"description":"Pool","isPrimacyOfImpact":null},{"id":"2BtFfsYRqmZuIaXjHBw0nK","url":"https://etherscan.io/address/0x11eaD85C679eAF528c9C1FE094bF538Db880048A","type":"smart_contract","addedAt":"2025-07-02T14:39:05.752Z","revision":1,"description":"PoolRegistry","isPrimacyOfImpact":null},{"id":"44CjwSfWOAmTE3asE3bBNp","url":"https://etherscan.io/address/0xD6d14C4A2AEc7B3FA179B77E202bFAd0B93A51b5","type":"smart_contract","addedAt":"2025-07-02T14:39:24.513Z","revision":1,"description":"ProxyOFT","isPrimacyOfImpact":null},{"id":"2Bg8KNS8qX1q7jPQJL4x6f","url":"https://etherscan.io/address/0xEC37f547B27d8cB216B145744875A5861E3DF6AF","type":"smart_contract","addedAt":"2025-07-02T14:39:38.225Z","revision":1,"description":"Quoter","isPrimacyOfImpact":null},{"id":"eddhH5jaaglMWU7ett7NQ","url":"https://etherscan.io/address/0x24F2d1aC81eCFD8A808001a97349185EF1bCF4ad","type":"smart_contract","addedAt":"2025-07-02T14:44:23.395Z","revision":1,"description":"SfrxETHDepositToken","isPrimacyOfImpact":null},{"id":"52oBbJaPXM0yRGsoTAbOFB","url":"https://etherscan.io/address/0x5772Ad340EeE69123C8e87E152C0C9a0E021Cdb8","type":"smart_contract","addedAt":"2025-07-02T14:52:47.144Z","revision":1,"description":"SmartFarmingManager","isPrimacyOfImpact":null},{"id":"50yk51b25ywhBtO9OEIMSQ","url":"https://etherscan.io/address/0xE0e7Ac2b0884BA8A05190fb6CEAFFaDc7c3AEDf1","type":"smart_contract","addedAt":"2025-07-02T14:53:06.460Z","revision":1,"description":"SmartFarmingManager","isPrimacyOfImpact":null},{"id":"2p6brebBoMAamo9BwzC3Op","url":"https://etherscan.io/address/0x99da110F6C529dDF5954C8F337895aACd8a91256","type":"smart_contract","addedAt":"2025-07-02T14:53:28.182Z","revision":1,"description":"S
yntheticToken","isPrimacyOfImpact":null},{"id":"42BhXRhPWoFjiorvo2TtYc","url":"https://etherscan.io/address/0xBB40D96aB45f13904737b6261fbfc48b1F245573","type":"smart_contract","addedAt":"2025-07-02T14:53:46.972Z","revision":1,"description":"Treasury","isPrimacyOfImpact":null},{"id":"XBUW5UjsKQhaLjaUHIYZ5","url":"https://etherscan.io/address/0x3691EF68Ba22a854c36bC92f6b5F30473eF5fb0A","type":"smart_contract","addedAt":"2025-07-02T14:54:01.365Z","revision":1,"description":"Treasury","isPrimacyOfImpact":null},{"id":"4ghWtWrHfLmJSmA7HL6cHZ","url":"https://etherscan.io/address/0x1A9551de6d56f7768398a82aA2186624a43d89e3","type":"smart_contract","addedAt":"2025-07-02T14:54:17.780Z","revision":1,"description":"USDCDepositToken","isPrimacyOfImpact":null},{"id":"7G4Z4jdGIIihTXQ9GLl0lQ","url":"https://etherscan.io/address/0x1887e76914699B839B97A0B69FF6F8B865745321","type":"smart_contract","addedAt":"2025-07-02T15:05:19.018Z","revision":1,"description":"VaCBETHDepositToken","isPrimacyOfImpact":null},{"id":"2YqGRtiuiMqgvfsqjgr9uB","url":"https://etherscan.io/address/0x45AC59746Ea5Eb74cF782855eca460A8Adc8925a","type":"smart_contract","addedAt":"2025-07-02T15:05:36.471Z","revision":1,"description":"VaETHDepositToken","isPrimacyOfImpact":null},{"id":"vpovaBVbZNf6pTUZy3FjS","url":"https://etherscan.io/address/0x63EC45313149b1fa677b2b91CB93880232EF63AC","type":"smart_contract","addedAt":"2025-07-02T15:05:50.984Z","revision":1,"description":"VaFRAXDepositToken","isPrimacyOfImpact":null},{"id":"79i62FhcTa7BLeSTqd47VM","url":"https://etherscan.io/address/0x9e5bDf244a2Fcc44f1bcBd3aE108bE2a6dE5E379","type":"smart_contract","addedAt":"2025-07-02T15:06:04.719Z","revision":1,"description":"VaRETHDepositToken","isPrimacyOfImpact":null},{"id":"6KFdtjqKJ2OnlisT6pLdzR","url":"https://etherscan.io/address/0x691Af94cC63B99bd36173eD6Fb1eF5508b2774ec","type":"smart_contract","addedAt":"2025-07-02T15:06:19.270Z","revision":1,"description":"VaSTETHDepositToken","isPrimacyOfImpact":null},{"id":"52nICMh
y1YSIWygTqPAg8K","url":"https://etherscan.io/address/0xdAec887E37e86ea9B78852EB7470D70bbF266258","type":"smart_contract","addedAt":"2025-07-02T15:06:37.688Z","revision":1,"description":"VaUSDCDepositToken","isPrimacyOfImpact":null},{"id":"6lswLJuBdTLXdP0jSmNyrn","url":"https://etherscan.io/address/0x7f9e66640Fec701D9f46ed5eD69F925fFDbb4683","type":"smart_contract","addedAt":"2025-07-02T15:06:52.596Z","revision":1,"description":"WBTCDepositToken","isPrimacyOfImpact":null},{"id":"3zz8YcpqlyPoub2ms1vmhR","url":"https://etherscan.io/address/0xA77B145c7Fa5B412eb8aD41D587bE892b9c1EfC3","type":"smart_contract","addedAt":"2025-07-03T15:59:06.836Z","revision":1,"description":"WETHDepositToken","isPrimacyOfImpact":null},{"id":"N9hfzJ53JpCz0UMptVQzq","url":"https://optimistic.etherscan.io/address/0x2F248e80901aE9e5b2109524546D68d425Df9543","type":"smart_contract","addedAt":"2025-07-03T15:59:34.811Z","revision":1,"description":"AMO","isPrimacyOfImpact":null},{"id":"1JTKgDsyVbaPwDF3c8Bpcm","url":"https://optimistic.etherscan.io/address/0xCEA698Cf2420433E21BeC006F1718216c6198B52","type":"smart_contract","addedAt":"2025-07-03T16:00:12.952Z","revision":1,"description":"CrossChainDispatcher","isPrimacyOfImpact":null},{"id":"tNUoPNpSsFayV6GK9PtYV","url":"https://optimistic.etherscan.io/address/0x2f6EF744B1f47F5A4e91213B55C69dAb10c6D535","type":"smart_contract","addedAt":"2025-07-03T16:00:27.553Z","revision":1,"description":"DebtToken","isPrimacyOfImpact":null},{"id":"7lixnTJ0ZZ1wyLgIZ0P3BE","url":"https://optimistic.etherscan.io/address/0x850C8d57F6c5FEf42D9A44Df9e99feaa807e4cCc","type":"smart_contract","addedAt":"2025-07-03T16:00:52.442Z","revision":1,"description":"DepositToken","isPrimacyOfImpact":null},{"id":"1436MZqQwCo1u3dYZzCA49","url":"https://optimistic.etherscan.io/address/0x313c7563D8520dF9543E23641d2bC5a9159126AA","type":"smart_contract","addedAt":"2025-07-03T16:01:07.034Z","revision":1,"description":"FeeProvider","isPrimacyOfImpact":null},{"id":"6wGwG07izcXVfYYRCXzdzx","
url":"https://optimistic.etherscan.io/address/0xABF27B8e4dA617Fff2e666F71C137D71cf75b5F6","type":"smart_contract","addedAt":"2025-07-03T16:01:28.964Z","revision":1,"description":"FeeProvider","isPrimacyOfImpact":null},{"id":"7njtgXtqOIh3QpCG6ITQkh","url":"https://optimistic.etherscan.io/address/0x5a962457060445C1e60299d735c8539d61B4ba54","type":"smart_contract","addedAt":"2025-07-03T16:01:48.165Z","revision":1,"description":"MsETHDebt","isPrimacyOfImpact":null},{"id":"3kO90fFcMU6TXu3Vfrcp0k","url":"https://optimistic.etherscan.io/address/0x95dCFf2bfd19af97267B8c9D516206Dcc87EECDD","type":"smart_contract","addedAt":"2025-07-03T16:02:03.131Z","revision":1,"description":"MsETHProxyOFT","isPrimacyOfImpact":null},{"id":"6CxFVZOx28irD5nWpvnZ5y","url":"https://optimistic.etherscan.io/address/0x1610e3c85dd44Af31eD7f33a63642012Dca0C5A5","type":"smart_contract","addedAt":"2025-07-03T16:02:19.405Z","revision":1,"description":"MsETHSynthetic","isPrimacyOfImpact":null},{"id":"4cS6e9DCgznWmxLiROoVjV","url":"https://optimistic.etherscan.io/address/0xB55ced4d5F7346a6601EbEbdDC98D0415c94095A","type":"smart_contract","addedAt":"2025-07-03T16:02:36.970Z","revision":1,"description":"MsUSDDebt","isPrimacyOfImpact":null},{"id":"76dWrmrFUvag3rVvxaaCtD","url":"https://optimistic.etherscan.io/address/0xc2C433D36d7184192E442a243b351a9e3055FD5f","type":"smart_contract","addedAt":"2025-07-03T16:02:57.519Z","revision":1,"description":"MsUSDProxyOFT","isPrimacyOfImpact":null},{"id":"7B6hHGcYymSGypKPKaGt59","url":"https://optimistic.etherscan.io/address/0x9dAbAE7274D28A45F0B65Bf8ED201A5731492ca0","type":"smart_contract","addedAt":"2025-07-03T16:03:17.940Z","revision":1,"description":"MsUSDSynthetic","isPrimacyOfImpact":null},{"id":"6hTWH3Y1YeH0MPnX0sC4vg","url":"https://optimistic.etherscan.io/address/0x1E6039574bBf6b1F65650bC50B2Bca8911Fd9b27","type":"smart_contract","addedAt":"2025-07-03T16:03:33.265Z","revision":1,"description":"OPDepositToken","isPrimacyOfImpact":null},{"id":"7GtkAJpNTfocYJWz
ozcSZK","url":"https://optimistic.etherscan.io/address/0xbdF0380E921b4c0d73B9EF86a5b4c08869ACc23D","type":"smart_contract","addedAt":"2025-07-03T16:03:50.508Z","revision":1,"description":"Pool","isPrimacyOfImpact":null},{"id":"1fz482dhplb7iAs4nyxUv9","url":"https://optimistic.etherscan.io/address/0xe7C65eAEb1Ca920f0DB73cDFb4915Dd31472a6a1","type":"smart_contract","addedAt":"2025-07-03T16:04:03.709Z","revision":1,"description":"PoolRegistry","isPrimacyOfImpact":null},{"id":"4RbvkkutaUzE3PMVriAi04","url":"https://optimistic.etherscan.io/address/0x0EcC84DA119Bd5539Dc489d4009106534cfAa542","type":"smart_contract","addedAt":"2025-07-03T16:04:24.770Z","revision":1,"description":"ProxyOFT","isPrimacyOfImpact":null},{"id":"TLFwD269tXsn8dFxEJkr9","url":"https://optimistic.etherscan.io/address/0xfF11956dE4C8c53fa69B0a219126cf2290e1620B","type":"smart_contract","addedAt":"2025-07-03T16:04:39.103Z","revision":1,"description":"Quoter","isPrimacyOfImpact":null},{"id":"45FScuzJoAONPzVEXSO6vR","url":"https://optimistic.etherscan.io/address/0x1a1d1A249cf3a5Fb2c4F981a9EAE26360ebd1336","type":"smart_contract","addedAt":"2025-07-03T16:04:54.772Z","revision":1,"description":"SmartFarmingManager","isPrimacyOfImpact":null},{"id":"36vDWjEHFbBJyH7YmMMnUG","url":"https://optimistic.etherscan.io/address/0x696Ee5a8c82e621eCcc4909Ff020950b146351a0","type":"smart_contract","addedAt":"2025-07-03T16:05:09.610Z","revision":1,"description":"SmartFarmingManager","isPrimacyOfImpact":null},{"id":"7hrEyoNfAxxb2BaeUIXEHp","url":"https://optimistic.etherscan.io/address/0xB220f093e308ee702A8F6E0740712bba5EA65FA7","type":"smart_contract","addedAt":"2025-07-03T16:05:25.237Z","revision":1,"description":"SyntheticToken","isPrimacyOfImpact":null},{"id":"7sXfX6AvNmwwV8F7YSbxKY","url":"https://optimistic.etherscan.io/address/0x22C799230d837958Fc24920f8DA9Bd1254A5538c","type":"smart_contract","addedAt":"2025-07-03T16:05:40.993Z","revision":1,"description":"Treasury","isPrimacyOfImpact":null},{"id":"7tlSZKyVGsudXZy
ZLHlM6k","url":"https://optimistic.etherscan.io/address/0x4C6bF87b7fc1C8Db85877151C6edE38Ed27c34f6","type":"smart_contract","addedAt":"2025-07-03T16:05:57.405Z","revision":1,"description":"Treasury","isPrimacyOfImpact":null},{"id":"4SBNLjrw7TOXlVfEpia4zc","url":"https://optimistic.etherscan.io/address/0xd2e32323686de92411639d446396AFA5E6149C28","type":"smart_contract","addedAt":"2025-07-03T16:12:10.379Z","revision":1,"description":"USDCDepositToken","isPrimacyOfImpact":null},{"id":"1Ah8iy03iljN9z7uJtMm67","url":"https://optimistic.etherscan.io/address/0x564baA321227abf6B2E88a38557b6517077aAD32","type":"smart_contract","addedAt":"2025-07-03T16:12:25.694Z","revision":1,"description":"VaETHDepositToken","isPrimacyOfImpact":null},{"id":"eUQdgQRGASEvDL7PFWrD0","url":"https://optimistic.etherscan.io/address/0x25Ee6eA9353E0ffa3155655F3dF9140684671f36","type":"smart_contract","addedAt":"2025-07-03T16:12:42.028Z","revision":1,"description":"VaOPDepositToken","isPrimacyOfImpact":null},{"id":"5kF7RJXuUGAOLF6Knyfsft","url":"https://optimistic.etherscan.io/address/0x4E71790712424f246358D08A4De6C9896482dE64","type":"smart_contract","addedAt":"2025-07-03T16:13:10.151Z","revision":1,"description":"VaUSDCDepositToken","isPrimacyOfImpact":null},{"id":"7KDkiK221JTyNkcic2cH2F","url":"https://optimistic.etherscan.io/address/0x293aaC1fef48b2ebf95d0CB3a31A7B219e8Ece9E","type":"smart_contract","addedAt":"2025-07-03T16:13:26.431Z","revision":1,"description":"VaWSTETHDepositToken","isPrimacyOfImpact":null},{"id":"3jBsFWOTaFF5UzrczTisu7","url":"https://optimistic.etherscan.io/address/0x5c18f45c4C62B0687425598579B026B90785c28E","type":"smart_contract","addedAt":"2025-07-03T16:13:41.017Z","revision":1,"description":"WETHDepositToken","isPrimacyOfImpact":null},{"id":"2IgBiZu0ghVd6cJqSCUa5l","url":"https://basescan.org/address/0xDb9bD9eb1CdD9AE62A2e9569075A5154296CD632","type":"smart_contract","addedAt":"2025-07-03T16:13:57.279Z","revision":1,"description":"AMO","isPrimacyOfImpact":null},{"id":"4
tH2aZUVzYZmGs5eVwTDkn","url":"https://basescan.org/address/0x94020A4636bcdCA343014988114d755984B44175","type":"smart_contract","addedAt":"2025-07-03T16:14:10.664Z","revision":1,"description":"DebtToken","isPrimacyOfImpact":null},{"id":"337oVRvlSUHsND5njowG2v","url":"https://basescan.org/address/0x9bF24739310FB7F79af48ECc38557E2172469EEE","type":"smart_contract","addedAt":"2025-07-03T16:14:24.634Z","revision":1,"description":"DepositToken","isPrimacyOfImpact":null},{"id":"4Rwk1hXb6dCcvDNsJcmLiY","url":"https://basescan.org/address/0x98dAC76F26C6b067eB9FC13714b068d787C899DE","type":"smart_contract","addedAt":"2025-07-03T16:15:47.103Z","revision":1,"description":"FeeProvider","isPrimacyOfImpact":null},{"id":"4bXfBEqSoxR7uKqCyt5J0D","url":"https://basescan.org/address/0xE1525Aa6D21A172F4e0C4420Ff68C73FD38B0CC6","type":"smart_contract","addedAt":"2025-07-03T16:16:00.814Z","revision":1,"description":"FeeProvider","isPrimacyOfImpact":null},{"id":"7aIfZABRvVodyekIdBqmZV","url":"https://basescan.org/address/0x6F622b037F9146bdE102db84FC9152dF1042aa98","type":"smart_contract","addedAt":"2025-07-03T16:16:15.455Z","revision":1,"description":"MsETHDebt","isPrimacyOfImpact":null},{"id":"5xiSj91rwSj4luu9DCOij9","url":"https://basescan.org/address/0x30EAc06D1e495411eE15cB59714Eb9DA29fc200e","type":"smart_contract","addedAt":"2025-07-03T16:16:29.801Z","revision":1,"description":"MsETHProxyOFT","isPrimacyOfImpact":null},{"id":"5slrxxAHDp20fBaQItFQeG","url":"https://basescan.org/address/0x7Ba6F01772924a82D9626c126347A28299E98c98","type":"smart_contract","addedAt":"2025-07-03T16:16:45.259Z","revision":1,"description":"MsETHSynthetic","isPrimacyOfImpact":null},{"id":"2r9nmbe0AvnddG2NayUoGq","url":"https://basescan.org/address/0x7bcC1DEcCaa98D52Bf89485f17a3E8607011cFde","type":"smart_contract","addedAt":"2025-07-03T16:17:05.318Z","revision":1,"description":"MsUSDDebt","isPrimacyOfImpact":null},{"id":"yjzBEA5vJaKbisAwTcDQn","url":"https://basescan.org/address/0x2AF13BF84F8B452cB86839330F51
4Cc5c2899217","type":"smart_contract","addedAt":"2025-07-03T16:17:20.295Z","revision":1,"description":"MsUSDProxyOFT","isPrimacyOfImpact":null},{"id":"4OY7CPxKoWIZ4hfndvcWgl","url":"https://basescan.org/address/0x526728DBc96689597F85ae4cd716d4f7fCcBAE9d","type":"smart_contract","addedAt":"2025-07-03T16:17:39.183Z","revision":1,"description":"MsUSDSynthetic","isPrimacyOfImpact":null},{"id":"7cCmu5jJsmnXKhqLQwo6Dm","url":"https://basescan.org/address/0xBd700f301DC8e644DC074023369fe5Bdf6051b29","type":"smart_contract","addedAt":"2025-07-03T16:17:53.642Z","revision":1,"description":"NativeTokenGateway","isPrimacyOfImpact":null},{"id":"5j1HpyJtUaRMTBPMHrFnsR","url":"https://basescan.org/address/0x2144B696bEbA98f077531e96023A7DF821Bc4586","type":"smart_contract","addedAt":"2025-07-03T16:18:07.818Z","revision":1,"description":"Pool","isPrimacyOfImpact":null},{"id":"3JZp2T0JQ7NPmIVSEWzOUs","url":"https://basescan.org/address/0x4372A2b9304296c06197a823f25Cf03119d2Fd82","type":"smart_contract","addedAt":"2025-07-03T16:18:25.292Z","revision":1,"description":"PoolRegistry","isPrimacyOfImpact":null},{"id":"2vZvJ7V4vcIlbn9HFWDxjX","url":"https://basescan.org/address/0xdDd9864C68072a4723889644b5E7075452718deD","type":"smart_contract","addedAt":"2025-07-03T16:18:38.933Z","revision":1,"description":"ProxyOFT","isPrimacyOfImpact":null},{"id":"1FCTc8ATmqZ2DNrtxUiMQ1","url":"https://basescan.org/address/0x2f4F85be85245c91779C3e36cBddf87b4eD73E3d","type":"smart_contract","addedAt":"2025-07-03T16:18:54.145Z","revision":1,"description":"Quoter","isPrimacyOfImpact":null},{"id":"4pcw3qgmiMxFt84e4B9sg8","url":"https://basescan.org/address/0x0d29f7cD7EC338528F4330C5a7ff6D92aCf5819A","type":"smart_contract","addedAt":"2025-07-03T16:19:09.638Z","revision":1,"description":"SmartFarmingManager","isPrimacyOfImpact":null},{"id":"1wHLW92jY3TtZXDVfl6mQY","url":"https://basescan.org/address/0x2f12dfb525564055B4A007B0b15eA5CD0BfF986C","type":"smart_contract","addedAt":"2025-07-03T16:19:25.260Z","revisi
on":1,"description":"SmartFarmingManager","isPrimacyOfImpact":null},{"id":"7CsyRUg9Xw7zvYPSHRtARB","url":"https://basescan.org/address/0x1a9e6d0303eC473bCFAc0720b4427045317Fd6d8","type":"smart_contract","addedAt":"2025-07-03T16:19:47.923Z","revision":1,"description":"SyntheticToken","isPrimacyOfImpact":null},{"id":"6RJP5CzhhT1wC5ewZgOs0J","url":"https://basescan.org/address/0x934aB2262C6258fafd619Cb63bE7d89B20C19633","type":"smart_contract","addedAt":"2025-07-03T16:20:02.302Z","revision":1,"description":"Treasury","isPrimacyOfImpact":null},{"id":"1DYFWzHULMK8wUCYniwGWc","url":"https://basescan.org/address/0xAeDF96597338FE03E8c07a1077A296df5422320e","type":"smart_contract","addedAt":"2025-07-03T16:20:15.838Z","revision":1,"description":"Treasury","isPrimacyOfImpact":null},{"id":"uOB2CcAsRCXpLQzMHg0Dk","url":"https://basescan.org/address/0xC7F2f79Daa7Ea4FBbF60b45b5D6028BDE2453476","type":"smart_contract","addedAt":"2025-07-03T16:20:35.277Z","revision":1,"description":"USDCDepositToken","isPrimacyOfImpact":null},{"id":"3GxJccjkNmpvdb4AKEgeh4","url":"https://basescan.org/address/0xE7Eb345866e07201f0dfe9Afb3a8f0637D998FC9","type":"smart_contract","addedAt":"2025-07-03T16:20:53.877Z","revision":1,"description":"VaCBETHDepositToken","isPrimacyOfImpact":null},{"id":"1F0gq3RdzPIOiQuJEH6YFn","url":"https://basescan.org/address/0x631E4eFe520152b9aa98aCa50739a7F6a8f21319","type":"smart_contract","addedAt":"2025-07-03T16:21:18.742Z","revision":1,"description":"VaETHDepositToken","isPrimacyOfImpact":null},{"id":"7iPsAyCzHB5Sxbety0na6g","url":"https://basescan.org/address/0x329846f9e19dAa7fD9844065a62eD01BCf63Cf69","type":"smart_contract","addedAt":"2025-07-03T16:21:35.144Z","revision":1,"description":"VaUSDCDepositToken","isPrimacyOfImpact":null},{"id":"4WRWrIXztTRPs2xmRj18NT","url":"https://basescan.org/address/0x3E5C739deC75aC5b8BC11D763b02B2a777046802","type":"smart_contract","addedAt":"2025-07-03T16:21:50.433Z","revision":1,"description":"VaWSTETHDepositToken","isPrimacyOfImp
act":null},{"id":"2FqpGgopnvtxOijIEaEtgM","url":"https://basescan.org/address/0x8b581d0013F571a792c3Aa8AF2a0366A309BF51E","type":"smart_contract","addedAt":"2025-07-03T16:22:02.158Z","revision":1,"description":"WETHDepositToken","isPrimacyOfImpact":null}],"assetsBodyV2":"Though only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target.\n\nHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by Metronome that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-02-21T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7tYcCLOmtIXMMh3MgHf4S0/d632ed42420c48826660786e643b3f87/met2-signet-option1.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Synthetic Assets","Yield Aggregator"],"programOverview":"Metronome is continuing its journey by relaunching and innovating for DeFi in 2022. 
Metronome was a pioneer in the DeFi space when it was launched in June 2018. With an elegant system of four smart contracts, Metronome has had success with its daily auctions and DEX functionality. Since Metronome’s launch, DeFi has evolved due to the composable nature of protocols. Relaunching Metronome will provide upgraded token features, security enhancements, DeFi composability, a new development roadmap, and the formation of a Metronome DAO.\n\nFor more information about Metronome, please visit [https://www.metronome.io/](https://www.metronome.io/)","programType":["Smart Contract","Websites and Applications"],"project":"Metronome","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the  [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nBounty payouts will be dependent on actual risk to the platform.  Total bounty will either be the minimum of the range, or 5% of the total funds that could be lost in the exploit (up to the maximum cap based on the tier severity) - whichever amount is greater.\n\nAll smart contract and web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. Bug reports are required to include a runnable PoC in order to prove impact. Exceptions may be made in cases where the vulnerability is objectively evident from simply mentioning the vulnerability and where it exists. 
However, the bug reporter may be required to provide a PoC at any point in time.\n\nKnown issues highlighted in the following audit reports are considered out of scope: \n- [https://github.com/autonomoussoftware/metronome-synth-audit/wiki/Audit](https://github.com/autonomoussoftware/metronome-synth-audit/wiki/Audit)\n\nPayouts are handled by the __Metronome__ team directly and are denominated in USD. However, payouts are done in __USDC, DAI,__ and __MET__, at the discretion of the project.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, DAI, and MET","slug":"metronome","updatedDate":"2025-07-15T13:53:34.466Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Metronome is continuing its journey by relaunching and innovating for DeFi in 2022. Metronome was a pioneer in the DeFi space when it was launched in June 2018. With an elegant system of four smart contracts, Metronome has had success with its daily auctions and DEX functionality. Since Metronome’s launch, DeFi has evolved due to the composable nature of protocols.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3902,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":3903,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":3907,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":3908,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with 
already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":3909,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":3910,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through NFT metadata"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":5618,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":5619,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":5620,"type":"smart_contract","severity":"high","title":"Temporary freezing NFTs for at least 24 hours"},{"id":5621,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"}],"rewards":[{"id":32313,"severity":"critical","assetType":"smart_contract","maxReward":50000,"rewardModel":"up_to","rewardCalculationPercentage":5},{"id":32314,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":32315,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":32316,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":32317,"severity":"high","assetType":"websites_and_applications","maxReward":5000,"minReward":1000,"rewardModel":"range"}],"audits":[]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"**Thank You to All Participating Security Researchers!**\n\nThe Invite-Only Program has now concluded and is currently in the evaluation phase. 
During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"### Thank You to All Participating Security Researchers!\n\nYour valuable contributions played a crucial role in identifying and resolving critical vulnerabilities, helping to strengthen and secure the Zano Trade platform for all users.","boostedIntroLive":"$20,000 USD in rewards is available for finding bugs on Zano\n\nFor more information about Zano Trade, please visit https://zano.org/ and Zano Trade https://trade.zano.org/dex\n\nThis is an **Invite-Only Program Competition, and it's only open to Security Researchers who have been invited.**\n\nRunnable POCs are not required. Read our [New Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Proof-of-Concept-Rules-for-Audit-Competitions)\n\nInsight reports can be submitted. Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)\n\nZano rewards are denominated in USD and distributed in USDC on Ethereum.\n\nKYC is NOT required.","boostedIntroStartingIn":"**$20,000 USD** in rewards is available for finding bugs on Zano Trade\n\nThis is an **Invite-Only Program** Competition, and it's **ONLY OPEN to Security Researchers who have been invited**.","boostedLeaderboard":[{"high":0,"name":"adhd","critical":1,"earnings":7194,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Opzteam","critical":1,"earnings":3971,"insights":3,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"cdl","critical":1,"earnings":2835,"insights":0,"mediumLow":0,"totalValidBugs":1}],"boostedSummaryReport":"https://drive.google.com/file/d/1t9buEqmZANTEWK46TJ2FsAnVDJzvnYFY/view?usp=sharing","ecosystem":null,"endDate":"2025-07-03T10:00:00.000Z","evaluationEndDate":"2025-07-08T12:09:53.349Z","features":["IOP (Invite Only Program)","Managed Triage: Signal 
Booster","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":true,"kyc":false,"language":["NextJS","Typescript"],"launchDate":"2025-06-19T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4BMAH2vYshpTpBYfpMLSiu/f00ffe094a0f237c7b8f1cd60b0d6508/zano-icon.png","maxBounty":20000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Zano Trade is a non-custodial web UI where you post or accept swap proposals for ZANO and confidential assets.\n\nFor more information about Zano, please visit https://zano.org/ and Zano Trade https://trade.zano.org/dex\n\nZano rewards are denominated in USD and distributed in USDC on Ethereum.\n\nKYC is not required.","programType":["Websites and Applications"],"project":"IOP | Zano Trade","projectType":null,"rewardsBody":"__Rewards Terms__\n\nRewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nRewards are denominated in USD and distributed in USDC on Ethereum.\n\nThe reward pool is **$14,000 USD** if any bug is found.\n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is $1,260 USD\n\nOn top of this, each participating SR will receive a guaranteed reward of $2,000 USD.\n\n**Proof of Concept (PoC) Requirements**\n\nFor this program, runnable PoC code is not required. 
Whitehats are instead required to write a step-by-step explanation of the PoC and impact.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\nDuplicates of Insight reports are not eligible for a reward.","rewardsPool":20000,"primaryPool":20000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"iop-zano-trade","tenPercentEconomicRule":false,"updatedDate":"2025-07-08T12:09:58.767Z","impactsBody":"__Build Commands, Test Commands, and How to Run Them__\n\n1. Postgres database is required\n\n2. .env file example\nPGUSER=\"postgres\"\nPGPASSWORD=\"root\"\nPGHOST=\"127.0.0.1\"\nPGDATABASE=\"zano_trade\"\nPGPORT=\"5432\"\nJWT_SECRET=\"any_string\"\nOWNER_ALIAS=\"leave empty, this functionality is out of testing scope\"\n\n3. Run commands\nnpm i\nnpm run build\nnpm start\n\n4. app will be accessible here: http://localhost:3000/\n\n\n__Previous Audits__\n\n- Zano Trade has no audit report as of 18 June 2025.\n\n\n__Where might Security Researchers confuse out-of-scope code to be in-scope?__\n\n- In-scope code is everything under /dex and all subpages (/dex/) in frontend. In the backend in-scope are all routes that can be called from /dex/ pages. 
All routes in provided backend files are also in-scope, as some of them can be called using API, not directly from frontend.\n\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\n- No. It's a new web app in beta. \n\n__Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?__\n\n- Most important potential vulnerabilities:\n1. Need to ensure database security as users' trade history is sensitive data. Make sure we don't expose it.\n2. Need to ensure a user can't be tricked into signing an unexpected ionic swap transaction (with a different amount or assets from what is in their order)\n\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?__\n\n- Not applicable, as it's based on confidential assets https://docs.zano.org/docs/build/confidential-assets/overview\n\n\n__What external dependencies are there?__\n\n- It's a standard next js app, so most external dependencies could be considered. \n\n\n__What are the most valuable educational resources already available? (i.e. 
Documentation, Explainer videos or articles, etc)__\n\n- Main url: https://trade.zano.org\n \n- Swap process explained: https://docs.zano.org/docs/build/confidential-assets/ionic-swaps\n \n- How does web ui work: https://docs.zano.org/docs/use/zano-trade\n \n- Api documentation: https://docs.zano.org/docs/build/zano-trade-api/overview\n \n**Scope**\n\nBackend routes:\n- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/auth.router.ts\n- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/dex.router.ts\n- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/orders.router.ts\n- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/transactions.router.ts\n- https://github.com/PRavaga/zano-p2p/blob/master/api/routes/user.router.ts\n \nFrontend pages:\n- https://github.com/PRavaga/zano-p2p/tree/master/src/pages/dex (https://trade.zano.org/dex)\n- https://github.com/PRavaga/zano-p2p/tree/master/src/pages/dex/trading (https://trade.zano.org/dex/trading/<PAIR_ID>)\n- https://github.com/PRavaga/zano-p2p/tree/master/src/pages/dex/orders  (https://trade.zano.org/dex/orders)","websiteUrl":"https://zano.org/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Zano Trade is a non-custodial web UI where you post or accept swap proposals for ZANO and confidential assets.\n\nFor more information about Zano, please visit https://zano.org/ and Zano Trade https://trade.zano.org/dex","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- 
Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To 
Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, 
etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, etc."},{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:\n- Locking up the victim from 
login\n- Cookie bombing, etc."},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true}],"audits":[]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"**Thank You to All Participating Security Researchers!**\n\nThe Invite-Only Program has now concluded and is currently in the evaluation phase. 
During this period, all submitted reports are being carefully reviewed by the Immunefi triage team and the project team.","boostedIntroFinished":"","boostedIntroLive":"$6,000 USD in rewards is available for finding bugs on Term Structure Institutional (TSI)\n\nFor more information about Term Structure Institutional, please visit [https://docs.institutional.ts.finance/](https://docs.institutional.ts.finance/)\n\nThis is an **Invite-Only Program Competition, and it's only open to Security Researchers who have been invited.**\n\nRunnable POCs are not required. Read our [New Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Proof-of-Concept-Rules-for-Audit-Competitions)\n\nInsight reports can be submitted. Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)\n\nTerm Structure Institutional rewards are denominated in USD and distributed in USDC on Ethereum.\n\nKYC is required.","boostedIntroStartingIn":"**$6,000 USD** in rewards is available for finding bugs on Term Structure Institutional (TSI)\n\nThis is an **Invite-Only Program** Competition, and it's **only open to Security Researchers who have been invited**.","boostedLeaderboard":[{"high":2,"name":"zeroK","critical":2,"earnings":2089,"insights":1,"mediumLow":2,"totalValidBugs":6},{"high":1,"name":"Catchme","critical":2,"earnings":1911,"insights":1,"mediumLow":2,"totalValidBugs":5}],"boostedSummaryReport":"https://drive.google.com/file/d/1W6OZ7DwDlMiG7oIcc4Pyt2T1jV2KK9qm/view?usp=sharing","ecosystem":["ETH"],"endDate":"2025-06-16T10:00:00.000Z","evaluationEndDate":"2025-07-07T16:26:20.458Z","features":["IOP (Invite Only Program)","Managed Triage: Signal 
Booster","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":true,"kyc":true,"language":["Solidity"],"launchDate":"2025-06-02T10:00:21.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1Ahp32eNjGwFPnX0YvGqOY/42ece9029a8d2f8f0742bf603c591166/Term_Structure_logo-round-white.png","maxBounty":6000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Term Structure Institutional (TSI) is an institutional-grade platform enabling clients to borrow and lend digital assets at fixed rates within the Fireblocks multi-party computation (MPC) wallet environment and a reliable TSI Electronic Communication Network (ECN). TSI empowers institutions, lenders, borrowers, and traders to participate in fixed-income markets with greater efficiency and confidence.\n\nFor more information about Term Structure Institutional, please visit, [https://docs.institutional.ts.finance/](https://docs.institutional.ts.finance/)\n\nTerm Structure Institutional rewards are denominated in USD and distributed in USDC on Ethereum.\n\nKYC is required.","programType":["Smart Contract"],"project":"IOP | Term Structure Institutional","projectType":null,"rewardsBody":"__Rewards Terms__\n\nRewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nRewards are denominated in USD and distributed in USDC on Ethereum.\n\nThe reward pool is $4,000 USD if any bug is found.\n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is $360 USD\n\nOn top of this, each 
participating SR will receive a guaranteed reward of $1,000 USD.\n\n**Proof of Concept (PoC) Requirements**\n\nFor this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\nDuplicates of Insight reports are not eligible for a reward.\n\n__KYC is Required__\n\nTerm Structure Institutional requires KYC information to pay for bug submissions. The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. 
Immunefi may make exceptions due to extenuating circumstances.","rewardsPool":6000,"primaryPool":6000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"iop-term-structure","tenPercentEconomicRule":false,"updatedDate":"2025-07-07T16:26:26.080Z","impactsBody":"__Build Commands, Test Commands, and How to Run Them__\n\n```bash\n# install dependencies\nforge soldeer update\n\n# build\nforge build\n\n# test\nforge test --skip Fork\n```\n\n__Previous Audits__\n\n- Term Structure Institutional has no audit report as of 28 May 2025.\n\n\n__Where might Security Researchers confuse out-of-scope code to be in-scope?__\n\n- Security researchers may incorrectly assume that the collateral management system is within scope because they might question whether collateral that is locked in the lender's wallet can be successfully retrieved during liquidation or repayment events. This confusion arises because the retrieval process is partially controlled by the business logic in the backend, which could lead researchers to believe that the collateral locking and unlocking mechanisms are part of the attackable surface area.\n\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\n- No. This is a new product from scratch.\n\n__Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?__\n\n- We are most concerned about arithmetic overflow and loss of precision issues, which are commonly overlooked in DeFi protocols but can have severe consequences. 
Given TSI's complex financial calculations, several areas are particularly vulnerable:\n\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?__\n\n- ERC20\n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\n- The signer who signs the settlement information is out of scope.\n\n__Which chains and/or networks will the code in scope be deployed to?__\n\n- Ethereum.\n\n__What external dependencies are there?__\n\n- Oracles from Chainlink or RedStone. DEXs for liquidation.\n\n__Are there any unusual points about your protocol that may confuse Security Researchers?__\n\n- All participating addresses use Fireblocks' 2-of-2 Multi-Party Computation (MPC) wallets, where users hold one key share and Fireblocks (not TSI directly) holds the other key share. This creates an unusual custody model that may confuse researchers:\n\n*Key Unusual Points:*\n\n- **Non-Custodial but Coordinated:** While TSI never holds user funds directly, the collateral locking mechanism relies on lender pre-approval rather than traditional smart contract escrow. Lenders must pre-sign transactions that allow the settlement smart contract to automatically transfer collateral from their wallet during repayment or liquidation events.\n\n- **Hybrid Settlement Model:** Unlike typical DeFi protocols where assets are deposited into smart contracts, TSI's settlement contracts facilitate direct wallet-to-wallet transfers. 
The contracts don't hold funds but coordinate simultaneous exchanges between parties.\n\n- **Backend-Triggered Automation:** TSI's backend system can trigger certain automated actions (like unlocking collateral during liquidation) because it coordinates with Fireblocks' MPC infrastructure, even though TSI doesn't control the private keys directly.\n\n- **Device-Bound Keys:** User key shares are bound to specific browsers/devices, making the typical \"connect any wallet\" assumption invalid.\n\nResearchers might incorrectly assume TSI has direct key control or that smart contracts hold collateral, when in reality the system uses a sophisticated coordination layer between MPC wallets and pre-authorized transaction execution.\n\n__What are the most valuable educational resources already available? (i.e. Documentation, Explainer videos or articles, etc)__\n\n- https://docs.institutional.ts.finance/\n- https://www.youtube.com/watch?v=usyhq0ucMOw&list=PLW028xWwhYBHSmzbGLFjd4BybCTrBdjaE","websiteUrl":"https://docs.institutional.ts.finance/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Term Structure Institutional (TSI) is an institutional-grade platform enabling clients to borrow and lend digital assets at fixed rates within the Fireblocks multi-party computation (MPC) wallet environment and a reliable TSI Electronic Communication Network (ECN). 
TSI empowers institutions, lenders, borrowers, and traders to participate in fixed-income markets with greater efficiency and confidence.","knownIssues":[{"id":58,"link":"https://docs.institutional.ts.finance/","description":"Problems with Oracle and other third-party contracts.","lastUpdatedAt":"2025-04-15T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":57,"link":"https://docs.institutional.ts.finance/","description":"Security issues caused by private key or permission leakage.","lastUpdatedAt":"2025-04-15T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":56,"link":"https://docs.institutional.ts.finance/","description":"Centralization issues related to Fireblock flow, such as allowance management and fund locking mechanism.","lastUpdatedAt":"2025-04-15T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":5575,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5576,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"b6h4v8JIdgaK5LaTGtv9m","url":"https://etherscan.io/address/0xde17a000ba631c5d7c2bd9fb692efea52d90dee2","type":"smart_contract","addedAt":"2025-04-21T12:58:00.000Z","revision":1,"description":"USDN Token","isPrimacyOfImpact":null},{"id":"2Z7YETR5kcmVZ4ZQI3w8eZ","url":"https://etherscan.io/address/0xf67e2dc041b8a3c39d066037d29f500757b1e886","type":"smart_contract","addedAt":"2025-04-21T12:58:00.000Z","revision":1,"description":"sUSDN","isPrimacyOfImpact":null},{"id":"1wv56HJW3wltDSIAfmsLLB","url":"https://etherscan.io/address/0x99999999999999cc837c997b882957dafdcb1af9","type":"smart_contract","addedAt":"2025-04-21T12:58:00.000Z","revision":1,"description":"wUSDN","isPrimacyOfImpact":null},{"id":"3MVXWZTx07zTVj6jBu2X9D","url":"https://etherscan.io/address/0x656cb8c6d154aad29d8771384089be5b5141f01a","type":"smart_contract","addedAt":"2025-04-21T12:58:00.000Z","revision":1,"description":"USDN Protocol","isPrimacyOfImpact":null},{"id":"6sMPCODNhog7LZ2w0EXCdj","url":"https://etherscan.io/address/0x9514D3496F46572e8461da381B200812D5Db202C","type":"smart_contract","addedAt":"2025-04-21T12:58:00.000Z","revision":1,"description":"Liquidation Rewards 
Manager","isPrimacyOfImpact":null},{"id":"2pNVpLp1dkjCJXmT49XCrm","url":"https://etherscan.io/address/0xaebcc85a5594e687f6b302405e6e92d616826e03","type":"smart_contract","addedAt":"2025-04-21T12:58:00.000Z","revision":1,"description":"Dip Accumulator","isPrimacyOfImpact":null},{"id":"1tMpT8DUbnOIvuE4G3f50Q","url":"https://etherscan.io/address/0xC1459fcFe23d5db9Ddb04935ab7a426Bd398EAb0","type":"smart_contract","addedAt":"2025-04-21T12:58:00.000Z","revision":1,"description":"WstEthOracleMiddleware","isPrimacyOfImpact":null},{"id":"5bPPSt80bzkT9HXTtZKZ5g","url":"https://etherscan.io/address/0xF9D36078A248AF249AA57ae1D5D0c1033d6Bbe27","type":"smart_contract","addedAt":"2025-04-21T12:58:00.000Z","revision":1,"description":"LongFarming","isPrimacyOfImpact":null},{"id":"69mrMvVal0qp4E2Ks8uf1e","url":"https://etherscan.io/address/0x49f66b1616865b2a59caecb8352bbf2ac80983e1","type":"smart_contract","addedAt":"2025-04-21T12:58:00.000Z","revision":1,"description":"Router","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2025-04-21T12:58:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/eg4KntgnqGEXCaoNRIODv/96c11278c62f890c722ab2112f8c83f8/USDN.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities are prioritized according to impact and/or severity.","productType":["Stablecoin"],"programOverview":"USDN is the first synthetic U.S. dollar backed by a structured product utilizing a Delta-Neutral Strategy. 
Unlike traditional stablecoins, whose value is guaranteed by centralized entities, the value of a synthetic dollar is determined by a purely mathematical financial process.\n\nFor more information about USDN, please visit [https://docs.smardex.io/ultimate-synthetic-delta-neutral](https://docs.smardex.io/ultimate-synthetic-delta-neutral).\n\nUSDN provides rewards in SDEX on Ethereum, denominated in USD. For more details about the payment process, please view the **Rewards by Threat Level** section further below.\n\n__Responsible Publication__\n\nUSDN adheres to  **Category 3: Approval Required** . This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nUSDN adheres to the **Primacy of Rules**, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nUSDN’s completed audit reports can be found at [https://docs.smardex.io/ultimate-synthetic-delta-neutral/audits](https://docs.smardex.io/ultimate-synthetic-delta-neutral/audits). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Smart Contract"],"project":"USDN","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 50 000 . The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 3 000 to USD 5 000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the USDN team directly and are denominated in USD. However, payments are done in SDEX on Ethereum\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"usdn","tenPercentEconomicRule":false,"updatedDate":"2025-07-04T09:25:35.122Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"USDN is the first synthetic U.S. dollar backed by a structured product utilizing a Delta-Neutral Strategy. 
Unlike traditional stablecoins, whose value is guaranteed by centralized entities, the value of a synthetic dollar is determined by a purely mathematical financial process.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"id":26991,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":26992,"severity":"high","assetType":"smart_contract","maxReward":5000,"minReward":3000,"rewardModel":"range"},{"id":26993,"severity":"medium","assetType":"smart_contract","fixedReward":3000,"rewardModel":"fixed"},{"id":26994,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"5AiZUpCGAlSiFgP7TypW8o","url":"https://github.com/bailsec/BailSec/blob/main/Bailsec%20-%20Smardex%20-%20Router%20-%20Final%20Report.pdf","auditor":"Bailsec","date":"2025-03-31"},{"id":"4rFwa1NgnibWVf8LB7Hxxh","url":"https://github.com/bailsec/BailSec/blob/main/Bailsec%20-%20Smardex%20USDN%20-%20Final%20Report.pdf","auditor":"Bailsec","date":"2024-05-31"}]},{"assets":[{"id":"1mSDQ4z3fU4nNYBptmEykp","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/amm/RateAdjustmentOracle.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"3MFhQI8edK6FjbNZ1pxwfp","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/factory/FactorySNG.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"l2o8oA1nupyDkGAYGBvsR","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/factory/Factory.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpa
ct":null},{"id":"5J9N0RF7JL9h8KSU1xHtJU","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/RateOracleRegistry.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3rUemgx5xcELcIDu8B4BEJ","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"57Tph4SIMtVP4a68CLDfeF","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/router/util/RouterUtil.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"ubALPHncKF82UuErQnLeS","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/router/Dispatcher.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"L24PWXNSntRofsitIbp6m","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/libraries/RateAdjustmentMath.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5xOY5LP1Rh5FbVPTwD0XCV","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/libraries/CurveOracleLib.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"9u6upGTmgRcCJHloGI9b2","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/libraries/CurvePoolUtil.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"D5twj97Xd7VrYwbW4A0uG","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/oracles/BaseOracleCurveLPT.sol","type":"smart_contract","addedAt":"2025
-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"2JPgo7VY5lbuRVLC5GsQDh","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/oracles/BaseOracleCurvePT.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3YhsV5WusPQjVkEAXaVagP","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/oracles/BaseOracleCurveYT.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"2IxBP7HboVQiFlADRjv8oZ","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/stableswap-ng/BaseFeedCurveLPTIBT.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"hfx0dk30BZ9Mz3ZAUjgNd","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/stableswap-ng/BaseFeedCurvePTAsset.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6AWdZQqlMvrNQU0PFJWvh1","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/stableswap-ng/BaseFeedCurveYTIBT.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"1pZ8hdCUNGplpE2jcE7Cc6","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/stableswap-ng/BaseFeedCurvePTIBT.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7KpazOHU7qXmlOfIrXDLv7","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/stableswap-ng/BaseFeedCurv
eYTAsset.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6lEASvWbBXLBRTLK35KsOk","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/stableswap-ng/BaseFeedCurveLPTAsset.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5ukUhKF5S1geIYiwyXqbKD","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/cryptoswap-ng/BaseFeedCurveLPTIBT.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7v1Dy4n61Pqu59h2X2irxq","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/cryptoswap-ng/BaseFeedCurvePTAsset.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"75iGsrlHQi7YyAGb1xN50A","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/cryptoswap-ng/BaseFeedCurveYTIBT.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"446luFFevKfxRhRGPDU1VO","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/cryptoswap-ng/BaseFeedCurvePTIBT.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5xUmjqwXi5Wm3KAcYbpSul","url":"https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/cryptoswap-ng/BaseFeedCurveYTAsset.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"4a5NmntUTUnI3jmtcSYyvd","url":"https://github.com/immunefi
-team/Spectra-Audit-Competition/blob/main/src/spectra-oracles/chainlinkFeeds/cryptoswap-ng/BaseFeedCurveLPTAsset.sol","type":"smart_contract","addedAt":"2025-04-03T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nSpectra adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\nNo KYC is required for the Spectra Finance Audit Competition.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this Audit Competition bug bounty and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nWhen there is uncertainty about how feasible an attack is, Immunefi will use our feasibility limitation standards to determine the severity of the report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Spectra has satisfied the requirements for the [Immunefi Standard 
Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"**$40,000 USD** in rewards is available for finding bugs on Spectra contracts. \n\nFor more information, please visit [Spectra Finance](https://www.spectra.finance/)\n\nAny technical questions and support requests can be asked directly to Spectra Finance or Immunefi in the [Spectra Finance Audit Competition Discord channel](https://discord.com/channels/787092485969150012/1355219052267831459).\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Spectra Finance's technical walkthrough on our official [YouTube channel](https://www.youtube.com/@immunefi).\n\nRunnable POCs are not required. Read our [New Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Audit-Competition-Proof-of-Concept-Rules)\n\nInsight reports can be submitted. Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedIntroStartingIn":"**$40,000 USD** in rewards is available for finding bugs on Spectra Finance contracts. \n\nFor more information, please visit [Spectra Finance](https://www.spectra.finance/)\n\nAny technical questions can be asked directly to the Spectra Finance technical team on [Immunefi’s Discord](https://discord.com/channels/787092485969150012/1355219052267831459) in the \"spectra-audit-comp\" channel.\n\nRunnable POCs are not required. Read our [New Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Audit-Competition-Proof-of-Concept-Rules)\n\nInsight reports can be submitted. 
Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System)","boostedLeaderboard":[{"high":0,"name":"io10","critical":0,"earnings":19873,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Rhaydden","critical":0,"earnings":16260,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"MrMorningstar","critical":0,"earnings":785,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"PotEater","critical":0,"earnings":598,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"blackgrease","critical":0,"earnings":598,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"holydevoti0n","critical":0,"earnings":412,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Kyosi","critical":0,"earnings":373,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Glitch_Hunter","critical":0,"earnings":187,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"DSbeX","critical":0,"earnings":154,"insights":0,"mediumLow":4,"totalValidBugs":4},{"high":0,"name":"Coyote25049","critical":0,"earnings":145,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"ZestfulHedgehog609","critical":0,"earnings":77,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"din","critical":0,"earnings":77,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"Paludo0x","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Shahen","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"EFCCWEB3","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"kaysoft","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Vanshika","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Allen_George08","critical":0,"earnings":38,"insights":0,"mediumL
ow":1,"totalValidBugs":1},{"high":0,"name":"TECHFUND_inc","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"adrianx","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"hgrano","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Oxblackadam","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"roccomania","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Osuolale","critical":0,"earnings":38,"insights":0,"mediumLow":1,"totalValidBugs":1}],"boostedSummaryReport":"https://drive.google.com/file/d/19m3o6a9NUUaHNaa4ZL1t8CxYBnBtDIY9/view?usp=sharing","ecosystem":["ETH"],"endDate":"2025-04-17T14:00:00.000Z","evaluationEndDate":"2025-07-02T13:13:49.420Z","features":["Boost","Managed Triage: Signal Booster","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2025-04-03T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/66EpjCkt0P3hOk8Bd6zd6Y/7fa614a2ce84e59b551dd90458cf47b5/Spectra-Finance_Logo_Black.png","maxBounty":40000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this Audit Competition program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Spectra is an EVM-centric protocol for interest rate derivatives with an easy-to-use flagship app.\n\nThe Spectra protocol is permissionless, meaning its services are entirely open for public use. 
Anyone can create new markets at will, swap yield derivatives, or become a liquidity provider.\n\n**Protocol Primitives**\nSpectra's Yield Token and Principal Token, minted on top of ERC-4626 interest-bearing tokens, are core protocol primitives. Spectra separates the right to principal from future yield via a process called yield tokenization. This process unlocks new financial possibilities beyond standalone interest-bearing tokens.\n\n**Core Use-Cases**\n- Permissionless Pool Creation\n- Fixed Rates\n- Yield Trading\n\nThese key use cases can be abstracted into other narratives, such as upfront yield, discounted tokens, fixed savings, or fixed lending activities. \n\n**Key Objectives**\n\n- Empowering DeFi with a permissionless protocol for interest rate derivatives\n- Delivering cutting-edge solutions that can be seamlessly incorporated, built upon, and utilized by builders and other platforms in the DeFi ecosystem.\n- Upholding decentralization as a fundamental value, promoting community-driven growth via a DAO while the core team diligently and sustainably progresses the protocol\n\nThis Audit Competition is running on mainnet. The following conditions apply:\n\n- The Spectra team will freeze the codebase for the duration of the Audit Competition\n- Concurrently, Immunefi has cloned and frozen the repositories for the duration of the Audit Competition\n- Duplicates are rewarded\n- Bugs that aren't disclosed in the private audit report are valid for rewards.\n- The project commits to keeping private all info related to bug findings until this program is over. 
This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.\n\nSpectra provides rewards in USDC, denominated in USD on Ethereum.\n\nFor more information, please visit [Spectra Finance](https://www.spectra.finance/)","programType":["Smart Contract"],"project":"Audit Comp | Spectra Finance","projectType":["Defi"],"rewardsBody":"**Reward pool:**\n\nThe following reward terms are a summary. For the full details read our [Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nA reward pool of $40,000 USD will be distributed among participants, if any valid bugs are found. \n\nIf not a single bug is found (Insights do not count as bugs), the reward pool is 15% of the $40,000 USD rewards → $6,000\n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\n**Duplicates of Insight reports are not eligible for a reward.**\n\n**Proof of Concept (PoC) Requirements**\n\nFor this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact.\nFor unclear reports or to resolve disputes, Immunefi may still require a runnable PoC. Read more about it in [Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Audit-Competition-Proof-of-Concept-Rules)","rewardsPool":40000,"primaryPool":40000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"audit-comp-spectra-finance","tenPercentEconomicRule":false,"updatedDate":"2025-07-02T13:12:16.153Z","impactsBody":"**Build commands, Test commands, and instructions on how to run them:**\n\nThe project uses Foundry as a development framework. \n\nTo build the project and install all the dependencies run: `forge build`\n\nFor running tests run: `forge test`\n\nFor running specific test cases please refer to the Foundry documentation or run: `forge test --help`\n\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\nThe Router handles any ERC20 tokens and ERC4626 vaults.\n\n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\nContracts can be paused and upgraded.\n\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nEthereum Mainnet, Optimism, Arbitrum, Sonic, Base\n\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nThis audit covers the integration of Curve NG and Curve Stableswap NG pools into Spectra’s core protocol. Spectra is currently using Cryptoswap pools, and this audit concerns the migration to these two new sets of pools. 
All other Spectra features remain intact, including the implementation of the Principal Token and the Yield Token. Below is a high-level overview of the integration tasks:\n\n- Integration of Cryptoswap NG pools: the next generation of the Curve pools on which Spectra is currently based\n- Integration of a new type of pool: oracle-based Stableswap NG pools\n- Upgradeable rate oracles for Stableswap NG pools that report the rate of the PT in underlying based on its initial price\n- Deployment of Spectra with Stableswap NG pools through a new factory\n- Registration of rate oracles in a new dedicated registry\n- Addition of previews and interaction execution with the new pools in the router\n\n\n**Where do you suspect there may be bugs?**\n\nThe main focus should be the StableSwap NG integration. Correctness, robustness and resilience of the rate adjustment oracles for the Principal Token should be thoroughly examined.\nSecondly, the new commands of the router should be examined.\n\n\n**What external dependencies are there?**\n\nCurve smart contracts and Open Zeppelin libraries.\n\nStableswap-NG documentation: [https://docs.curve.fi/stableswap-exchange/stableswap-ng/overview/](https://docs.curve.fi/stableswap-exchange/stableswap-ng/overview/)\n\nOpen Zeppelin v5: [https://docs.openzeppelin.com/contracts/5.x/](https://docs.openzeppelin.com/contracts/5.x/)\n\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\nSecurity problems related to the implementation of Curve Finance pools and their internal oracle manipulations are out of scope. Only Spectra’s rate oracle implementation and its influence on Stableswap’s pricing shall be considered in scope, besides Spectra’s core components. \n\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nAny address controlled by the Spectra DAO\n\n**Previous Audits**\n\nSpectra’s completed audit reports can be found at [https://docs.spectra.finance/security/audits](https://docs.spectra.finance/security/audits). 
Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","websiteUrl":"https://www.spectra.finance/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Spectra is an EVM-centric protocol for interest rate derivatives with an easy-to-use flagship app.\nThe Spectra protocol is permissionless, meaning its services are entirely open for public use. Anyone can create new markets at will, swap yield derivatives, or become a liquidity provider.\n\nFor more information, please visit  about [Spectra Finance](https://www.spectra.finance/)","knownIssues":[{"id":33,"link":"https://lunaray.medium.com/spectra-protocol-hack-analysis-06b877498757","description":"Spectra Protocol Hack Analysis","lastUpdatedAt":"2024-07-25T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":5441,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hour"}],"rewards":[{"level":"critical","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"1YiGtcLrDqyg0XHR97fnMQ","url":"https://docs.spectra.finance/security/audits","auditor":"C4","date":"2024-04-05"},{"id":"6wCmyOkMyZ7yYu2gp3EoBs","url":"https://docs.spectra.finance/security/audits","auditor":"Pashov","date":"2024-03-02"}]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"","boostedIntroFinished":"Invite-Only-Program cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1p1rnkK8Cqrw5yi3LDbFWDMJRk8CvDYxz?usp=drive_link). 
The amounts show $2K in guaranteed rewards per SR and a $6K reward pool distributed according to the [Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/iop-circuitdao).","boostedIntroLive":"$10,000 USD in rewards is available for finding bugs on CircuitDAO contracts.\n\nFor more information, please visit the [CircuitDAO website](https://circuitdao.com/)\n\nThis is an invite-only Program Competition, open to Security Researchers who have been invited.\n\nRunnable POCs are not required. Read our [New Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Proof-of-Concept-Rules-for-Audit-Competitions)\n\nInsight reports can be submitted. Read our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level)","boostedIntroStartingIn":"","boostedLeaderboard":[{"high":1,"name":"perseverance","critical":1,"earnings":6000,"insights":0,"mediumLow":1,"totalValidBugs":3}],"boostedSummaryReport":"https://drive.google.com/file/d/1BqpVegztIFXDZL0VHmy1e5L5rEjuzn9B/view","ecosystem":null,"endDate":"2025-04-24T14:42:00.000Z","evaluationEndDate":"2025-05-08T12:56:25.331Z","features":["IOP (Invite Only Program)","Managed Triage: Time Saver","Vault"],"hideAssetsInScope":false,"immunefiStandard":true,"inviteOnly":true,"kyc":true,"language":null,"launchDate":"2025-04-09T13:50:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1URwP89FgDG52nc6opXzeb/ce036e4b8d9434e0a30c490588047691/1CjIg_vq_400x400.png","maxBounty":10000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"For CircuitDAO, the files to hunt on are:  \n`circuit_puzzles/*.clsp`, 
`circuit_puzzles/programs/*.clsp`, and `circuit_puzzles/include/*.clib`.","productType":null,"programOverview":"Circuit is a DeFi protocol built on the Chia blockchain.\n\nSpecifically, Circuit is a collateralized debt position (CDP) protocol that allows users to borrow Bytecash (BYC), a USD stablecoin issued by the protocol, against XCH, the native token of Chia.\n\n\nFor more information about CircuitDAO, please visit [https://docs.circuitdao.com/](https://docs.circuitdao.com/).\n\nCircuit rewards are denominated in USD and distributed in USDC on Ethereum","programType":["Smart Contract"],"project":"IOP | CircuitDAO","projectType":null,"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nTotal budget: **$10,000** broken down as follows:\n\n\n**Reward pool:**\n\nIf bugs are found → USD $6k (see [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms))\n\nIf only Insights are found → USD $900 (9% of the Reward pool)\n\n**Guaranteed rewards:**\n$2k per SR → $4k total (for 2 SRs)\n\nDuplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.\n\n**Proof of Concept (PoC) Requirements**\n\nFor this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact.\nRead our [New Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Proof-of-Concept-Rules-for-Audit-Competitions )\n\n**Insight reports can be submitted**. 
\nRead our [Insight validity rules](https://immunefisupport.zendesk.com/hc/en-us/articles/34179768760337-Insight-Severity-Level )","rewardsPool":10000,"primaryPool":10000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"iop-circuitdao","tenPercentEconomicRule":false,"updatedDate":"2025-06-30T09:15:18.203Z","impactsBody":"__Where might Security Researchers confuse out-of-scope code to be in-scope?__\n\nN/A. There shouldn’t be any confusion. \n\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nNo. As a CDP protocol, we have taken some inspiration from MakerDAO, both the initial single-collateral DAI system as well as some innovations of the multi-collateral version such as Dutch liquidation auctions. However, the implementation is completely different due to Chia’s coinset (UTXO) model and Chialisp as smart contract language.\n\n\n__Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?__\n\nSee the list of in-scope bugs below. The higher the severity, the more concerned we are about the respective exploit.\n\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?__\n\nThe protocol makes use of Chia Asset Token (CAT) standard (https://chialisp.com/cats/), singletons (https://chialisp.com/singletons/) and various custom coin types. An overview can be found here: https://docs.circuitdao.com/technical-manual/overview#list-of-protocol-coins\n\n__What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?__\n\nMitigation measures that can be taken by governance. As an (out-of-scope) example, if Announcers collude to manipulate the Oracle price, governance can swap out the Oracle by updating the ORACLE_LAUNCHER_ID Statute within STATUTES_PRICE_DELAY. 
\n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\nNone\n\n__What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?__\n\nNone\n\n__Which chains and/or networks will the code in scope be deployed to?__\n\nThe project will eventually be deployed on Chia (mainnet and testnet11). \n\n__What external dependencies are there?__\n\nSee the pyproject.toml files in ‘puzzles’ and ‘circuit’ Github repos.\nIn terms of security context, the Chialisp code from ‘puzzles’ repos will get deployed on Chia mainnet. We will run a Chia fullnode service to connect the dapp backend to the blockchain.\n\n__Are there any unusual points about your protocol that may confuse Security Researchers?__\n\nThe protocol differs from many other DeFi projects is that governance is done completely on-chain by governance token (CRT) holders. Governance proposals are created, vetoed on, and implemented (“enacted”) on-chain. There is no governance multi-sig (controlled by a foundation or otherwise).\n\nThe protocol is largely immutable, with governance being limited to changing the value of certain parameters (“Statutes”) or outputting custom conditions. The one exception to this is the Oracle singleton, which governance can replace entirely (by changing the value of the Oracle launcher ID at Statutes index 0)\n\n__What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)__\n\nDocumentation for Circuit protocol can be found at: https://docs.circuitdao.com/\nNote that the documentation is not up-to-date with the latest commit and contains inaccurate descriptions in several places. 
However, the docs should work well as an introduction to and general overview of the protocol.\n\nSRs may also be interested in the audit report by Zellic: \n\nChialisp-related documentation can be found at: https://chialisp.com/\n\nThe protocol makes use of modern chialisp features: https://chialisp.com/modern-chialisp/","websiteUrl":"https://circuitdao.com/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Circuit is a DeFi protocol built on the Chia blockchain.\n\nSpecifically, Circuit is a collateralized debt position (CDP) protocol that allows users to borrow Bytecash (BYC), a USD stablecoin issued by the protocol, against XCH, the native token of Chia.\n\n\nFor more information about CircuitDAO, please visit [https://docs.circuitdao.com/](https://docs.circuitdao.com/).\n\nCircuit rewards are denominated in USD and distributed in USDC on Ethereum\n\n","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Impacts that come up when several announcers or data providers work together in dishonest or unfair ways.\n- Economic attacks that rely on borrowing/shorting of governance tokens other than by flash loan\n","customProhibitedActivities":[],"impacts":[{"id":5442,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":5443,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"},{"id":5444,"type":"smart_contract","severity":"critical","title":"Permanent significant depeg of stablecoin (BYC), e.g. by forcing undercollateralization"},{"id":5445,"type":"smart_contract","severity":"critical","title":"Oracle price manipulation without assuming data providers are untrustworthy or can be attacked off-chain"},{"id":5446,"type":"smart_contract","severity":"critical","title":"Theft of funds from protocol treasury"},{"id":5447,"type":"smart_contract","severity":"high","title":"Temporary significant depeg of stablecoin (BYC) for at least 24  hours, e.g. by forcing undercollateralization"},{"id":5448,"type":"smart_contract","severity":"medium","title":"Temporary significant depeg of stablecoin (BYC) for at least 1 hour, e.g. 
by forcing undercollateralization"}],"rewards":[{"level":"critical","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"2R7GDgUxjQcSzASDAeYgev","url":"https://github.com/Zellic/publications/blob/master/Circuit%20DAO%20-%20Zellic%20Audit%20Report.pdf","auditor":"Zellic","date":"2025-02-24"}]},{"assets":[{"id":"4ycm1d5BPVvmeH6lUXaQFo","url":"https://bscscan.com/address/0x00789Cfb69499c65ac9A3a68fb4917c9b4FcA2a7","type":"smart_contract","addedAt":"2022-02-13T19:24:33.966Z","revision":1,"description":"Core","isPrimacyOfImpact":null},{"id":"7oXc9a8GZ1crEHMtFZey3j","url":"https://bscscan.com/address/0x7859B01BbF675d67Da8cD128a50D155cd881B576","type":"smart_contract","addedAt":"2022-02-13T19:24:38.919Z","revision":1,"description":"XMS","isPrimacyOfImpact":null},{"id":"3tnoXO069BFYYr3E8ITd6P","url":"https://bscscan.com/address/0x6f12482D9869303B998C54D91bCD8bCcba81f3bE","type":"smart_contract","addedAt":"2022-02-13T19:24:44.680Z","revision":1,"description":"MarsSwapFactory","isPrimacyOfImpact":null},{"id":"1zUmTtjjETcBf6ugDw5Rf3","url":"https://bscscan.com/address/0xb68825C810E67D4e444ad5B9DeB55BA56A66e72D","type":"smart_contract","addedAt":"2022-02-13T19:24:50.172Z","revision":1,"description":"MarsSwapRouter","isPrimacyOfImpact":null},{"id":"1Y5cJhjY0OXcH9lLH8EYt","url":"https://bscscan.com/address/0x01D152fF991E76b6cb310387c07cAfdFda790a25","type":"smart_contract","addedAt":"2022-02-13T19:24:56.563Z","revision":1,"description":"AirDrop","isPrimacyOfImpact":null},{"id":"WVb1Os9UTsELIJ9YShGq8","url":"https://bscscan.com/address/0xC35a8BdBB93abFAb362aF6dC3383cD2c6aEA6cBc","type":"smart_contract","addedAt":"2022-02-13T1
9:24:58.307Z","revision":1,"description":"Timelock","isPrimacyOfImpact":null},{"id":"1Tkwlfig8uW6Ol6IRQApC8","url":"https://bscscan.com/address/0xc7B8285a9E099e8c21CA5516D23348D8dBADdE4a","type":"smart_contract","addedAt":"2022-02-13T19:25:00.524Z","revision":1,"description":"LiquidityMiningMaster","isPrimacyOfImpact":null},{"id":"6vTOmzfw1pEk6zw7RsQwFN","url":"https://bscscan.com/address/0x22D8d50454203bd5a41B49ef515891f1aD9f3e53","type":"smart_contract","addedAt":"2022-02-13T19:25:06.247Z","revision":1,"description":"LiquidityMiningMaster V1.1","isPrimacyOfImpact":null},{"id":"4Q3TXAVWlFAdudO2D5Q8sn","url":"https://bscscan.com/address/0x381Facb9282770a5E3Ac6c8637096b442039C3dB#contracts","type":"smart_contract","addedAt":"2022-02-13T19:25:12.825Z","revision":1,"description":"VestingMaster","isPrimacyOfImpact":null},{"id":"4pptj9gsOseDHrKgTcXwZX","url":"https://app.marsecosystem.com","type":"websites_and_applications","addedAt":"2022-02-13T19:25:15.238Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"All smart contracts of Mars Ecosystem can be found at [https://github.com/MarsEcosystem](https://github.com/MarsEcosystem). 
However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-09-08T11:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7KJxasjqM6UtmFBkXCD2Mj/4fc1b19a942ac6be1e3f1ba945ad5491/Mars_Ecosystem.jpeg","maxBounty":10000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces\n\n__Websites and Apps__\n\n  - Remote Code Execution\n  - Trusting trust/dependency 
vulnerabilities\n  - Vertical Privilege Escalation\n  - XML External Entities Injection\n  - SQL Injection\n  - LFI/RFI\n  - Horizontal Privilege Escalation\n  - Stored XSS\n  - Reflective XSS with impact\n  - CSRF with impact\n  - Direct object reference\n  - Internal SSRF\n  - Session fixation\n  - Insecure Deserialization\n  - DOM XSS\n  - SSL misconfigurations\n  - SSL/TLS issues (weak crypto, improper setup)\n  - URL redirect\n  - Clickjacking (must be accompanied with PoC)\n  - Misleading Unicode text (e.g. using right to left override characters)","productType":["Stablecoin"],"programOverview":"The fundamental issue within most current stablecoin protocols is positive externality. The cost of producing and maintaining stablecoins is incurred by the protocol and its users (minters, share holders, bond holders), whereas the majority of the value comes from the transaction of stablecoins within DeFi primitives and is captured by these DeFi primitives.\n\nMars Ecosystem solves this problem by integrating the creation and the use of stablecoin into one stable yet decentralized ecosystem. The relationship between Mars Stablecoin and Mars DeFi platform creates a positive feedback loop and generates a flywheel effect.\n\nMars Stablecoin (USDm) is price stable, capital efficient, scalable and decentralized. It is an over-backed stablecoin: the redeemability of USDm is backed by the Mars Ecosystem Governance Token (XMS). The market cap of XMS is always multiple times the market cap of Mars Stablecoin which ensures that the stablecoin can be redeemed 1:1 at any given time.\n\nMars Swap provides liquidity between Mars Stablecoin and all the other tokens, making USDM the ideal medium of exchange and store of value for DeFi. 
The incurred transaction fees generated at Mars Swap are used to back the stability of Mars Stablecoin.\n\nFor more information about Mars Ecosystem, please visit [https://marsecosystem.com/](https://marsecosystem.com/).","programType":["Smart Contract","Websites and Applications"],"project":"Mars Ecosystem","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System 3.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nBugs reported in the following audits are not eligible for a reward:\n\n  - [SlowMist Audit](https://github.com/MarsEcosystem/mars-resource/blob/master/audit/SlowMist%20Audit%20Report%20-%20Mars%20Ecosystem%20-%20EN.pdf)\n  - [CertiK Audit](https://github.com/MarsEcosystem/mars-resource/blob/master/audit/Certik%20Audit%20Report%20-%20Mars%20Ecosystem.pdf)\n\nPayouts are handled by the __Mars Ecosystem__ team directly and are denominated in __USD__. However, payouts are done in __XMS__ or __BUSD__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"XMS, BUSD","slug":"marsecosystem","tenPercentEconomicRule":false,"updatedDate":"2025-06-26T15:38:41.855Z","impactsBody":"__SMART CONTRACT__\n\n__Theft of user funds:__ is a worst case scenario for a project. An example of in-motion funds is a swap. A user is transferring funds to the contract with the full expectation to exchange them for an equivalent value of another asset. 
If an attacker can manipulate the system in such a way that a user incurs losses during the transfer and the attacker profits, this is considered direct theft of user funds. If users are losing their stake, principal, vault balances, etc, that is theft of user funds.\n\n__Permanent Freezing of funds:__ This includes bricking a contract which holds tokens so that a user is no longer able to withdraw their funds. It may also include burning of funds so that they can no longer be accessed by the owner. This also includes things like self-destructing implementation contracts so that the proxy becomes useless. The impact here is that funds within a system are no longer accessible.\n\n__Protocol Insolvency:__ Some protocols provide yield to some users that is paid by other users (e.g. Compound lenders are owed yield that is provided by borrowers). An error in this calculation could result in the amount owed to users exceeding the amount owed by other users. This is insolvency. Alternatively, the protocol could have debts that exceed its assets in other ways. Of course this does not include \"bank run\" situations where it’s temporarily not possible to withdraw money from the protocol, but the protocol is otherwise adequately collateralized\n\n__Theft of Unclaimed Yield:__  A yield is any asset distributed as a reward for participation in a system. Any theft of these rewards before they are distributed or claimed is classified as theft of an unclaimed yield.\n\n__Permanent Freezing of Unclaimed Yield:__ A yield is any asset distributed as a reward for participation in a system. Whenever an attacker can prevent the yield from being able to move from the contract, for example by making the harvest() function always fail, this would mean the yield is permanently frozen.\n\n__Temporary Freezing of Funds:__ This classification refers to temporary freezing of funds belonging to the protocol or another user, which the attacker does not own. 
There may be an amount of time or number of blocks which is in an acceptable range of operation for a project and is therefore excluded from consideration under this impact; however, this range of operation should be kept as short as possible because attacker locked funds can significantly impact user experience and cause rippling issues for a protocol. If an attacker needs to submit many costly transactions to achieve this impact, it is instead \"Griefing\" and is classified as \"Medium\".\n\n__Smart contract unable to operate due to lack of token funds:__ This classification refers to bugs that mark the smart contract as unable to operate or work correctly due to lack of token funds. There may be cases where the smart contract cannot pay out any rewards for staked tokens because the contract doesn't hold any funds or won't accept any reimbursements. Another example would be the LINK token required to pay for certain Chainlink services. If those services are required for proper function of the system and it's possible (or likely) for the funds to be depleted, that would be a vulnerability.\n\n__Unbounded gas consumption:__ Any looping done over an arbitrarily sized array may be vulnerable to unbounded gas consumption. If an attacker can add enough items to cause the gas used to call the function to exceed the block gas limit, it can result in a denial of service attack and prevent the function from being called.\n\n__WEBSITES AND APPLICATIONS__\n\n__Execute arbitrary system commands__ This impact refers to a security vulnerability in a website or application that allows an attacker to execute arbitrary commands on the underlying system. This type of vulnerability is often called arbitrary command injection. 
The impact of this vulnerability can be severe, as it provides the attacker with the ability to perform unauthorized actions on the affected system like Remote Command Execution (RCE).\n\n__Retrieve sensitive data/files from a running server__ This impact allows an attacker to access and retrieve sensitive data or files from the affected server. This type of vulnerability is often called \"information disclosure\" or \"data leakage.\" The impact of this vulnerability can be significant, as it exposes sensitive information that can be used for malicious purposes or further attacks.\n\n__Taking down the application/website__ An attack that results in the disruption or complete unavailability of a website or application. This impact is different from DoS as it only refers to a vulnerability found in the application logic/code. When a website or application is taken down, it affects the user experience and the ability of users to access services and resources provided by the affected application. This can lead to customer dissatisfaction and potential loss of revenue for businesses that rely on the availability of their online services. The longer the downtime, the greater the potential negative impact on both users and the organization behind the website or application.\n\n__Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user__ The attacker found a way to bypass the access control protection and arbitrarily update the other data without any interaction requirement. 
An attacker is able to perform actions that modify the state of the system or the network on behalf of other users, without the users' knowledge or consent.\n\n__Subdomain takeover with already-connected wallet interaction__ This impact refers to a security vulnerability where an attacker gains control over a subdomain of a website or application, particularly one that interacts with users' connected cryptocurrency wallets. This takeover allows the attacker to manipulate the content and functionality of the subdomain, potentially leading to unauthorized interactions with the connected wallets.\n\n__Direct theft of user funds__ It refers to a security vulnerability or an attack that results in the unauthorized transfer or misappropriation of users' digital assets, such as cryptocurrencies or tokens, directly from their wallets or accounts. One way someone can do this is by making unauthorized calls on the RPC. RPC is a communication method used to interact with blockchain nodes for sending transactions, querying data, and performing other actions. 
If there is a vulnerability or misconfiguration in the RPC implementation, an attacker might exploit it to directly steal user funds.\n\n__Malicious interactions with an already-connected wallet__\n\n  - _Modifying transaction arguments or parameters_\nThe attacker found a way to substitute the contract address with a malicious contract address stored at the frontend level.\n\n  - _Substituting contract addresses_\nThe attacker found a way to modify the parameters of the transaction calls made to the wallet connected to the front end.\n\n  - _Submitting malicious transactions_\nThe attacker found a way to inject malicious javascript code into the frontend that could initiate a malicious transaction to the wallet connected to the frontend\n\n__Injecting/modifying the static content on the target application without Javascript (Persistent)__\nThe attacker discovered a method to persistently inject HTML code or plain text into the frontend, which could potentially deceive users visiting the frontend into providing sensitive keys, navigating to an external site controlled by the attacker, or falling for phishing \n\n__Subdomain takeover without already-connected wallet interaction__\nThe attacker found a way to claim or hijack the subdomain and inject a malicious code that could be used as a phishing vector for victims visiting the subdomain.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"The fundamental issue within most current stablecoin protocols is positive externality. The cost of producing and maintaining stablecoins are incurred by the protocol and its users (minters, share holders, bond holders). 
Whereas the majority of the value comes from the transaction The fundamental issue within most current stablecoin protocols is positive externality.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"__Smart Contracts and Blockchain__\n  - Best practice critiques\n  - Protocol risks caused by blockchain (BNB Chain) vulnerabilities\n  - Sandwich attacks during a swap caused by the victim's own actions (the victim exploiting themselves)\n  - Residual unowned rewards in the contract being frozen\n  - Withdrawal of abnormally entered assets (such as direct transfers) through a public contract function\n  - Abnormally entered assets (such as direct transfers) that cannot be withdrawn\n  - Issues with the LP contracts that are due to specific underlying tokens\n\n__Websites and Apps__\n  - Clickjacking\n  - Misleading Unicode text (e.g. 
using right to left override characters)\n  - HTTP security headers\n  - Cache control issues","customProhibitedActivities":[],"impacts":[{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":950,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as: HTML injection without Javascript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":951,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as: 
/etc/shadow, database passwords, blockchain key (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":952,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user: Changing registration info, Commenting, Voting, Making trades, Withdrawals, Changing the NFT metadata"},{"id":953,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"}],"rewards":[{"id":31408,"severity":"critical","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":31409,"severity":"high","assetType":"smart_contract","fixedReward":3000,"rewardModel":"fixed"},{"id":31410,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":31411,"severity":"critical","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":31412,"severity":"high","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"01elE7qd8COxdsjly2PYfk","url":"https://etherscan.io/address/0x5e6342D8090665bE14eeB8154c8a87B7249a4889","type":"smart_contract","addedAt":"2024-09-23T12:17:58.551Z","revision":2,"description":"Deposit Manager (rswETH)","isPrimacyOfImpact":null},{"id":"18MWMaP7RhJ1BlcCQ0qJel","url":"https://etherscan.io/address/0x8d0B4dfCcc8B2A268486d9754b135d8aD1Ee7258","type":"smart_contract","addedAt":"2024-09-23T12:18:38.816Z","revision":2,"description":"EigenPod/Withdrawal 
Address","isPrimacyOfImpact":null},{"id":"1KGni1HhLkTe08tXbQwUEc","url":"https://etherscan.io/address/0xE194661251877A69a1282bd0B2D344cCBA06E8aE","type":"smart_contract","addedAt":"2024-09-23T12:19:00.909Z","revision":2,"description":"UpgradeableBeacon","isPrimacyOfImpact":null},{"id":"1fIVF8Gafrd21UVTv0kzzh","url":"https://etherscan.io/address/0x625087d72c762254a72CB22cC2ECa40da6b95EAC","type":"smart_contract","addedAt":"2023-04-27T10:00:00.000Z","revision":2,"description":"Access Control Manager (swETH)","isPrimacyOfImpact":null},{"id":"1uJavdCYUDfxSnEojd7Uce","url":"https://app.swellnetwork.io/","type":"websites_and_applications","addedAt":"2023-04-27T10:00:00.000Z","revision":1,"description":"Web/App","isPrimacyOfImpact":null},{"id":"251dXlKafsE5Y1gC1YjkyA","url":"https://etherscan.io/address/0xB68b125E5B0f2600841B2bBA484E76A495DF17A0","type":"smart_contract","addedAt":"2024-09-23T12:19:08.096Z","revision":2,"description":"StakerProxy","isPrimacyOfImpact":null},{"id":"262eBKYWCfdkoxADXBjKGh","url":"https://etherscan.io/address/0xfae103dc9cf190ed75350761e95403b7b8afa6c0","type":"smart_contract","addedAt":"2024-09-23T12:17:42.539Z","revision":1,"description":"rswETH","isPrimacyOfImpact":null},{"id":"2RscjIwRmaZvrETbBJoRGM","url":"https://etherscan.io/address/0x939f1cC163fDc38a77571019eb4Ad1794873bf8c","type":"smart_contract","addedAt":"2024-09-23T12:21:59.530Z","revision":3,"description":"Registry Factory (swBTC)","isPrimacyOfImpact":null},{"id":"2Rsy1XMP6WJUHdQ6MdwHma","url":"https://etherscan.io/address/0xBD9fc4FdB07e46a69349101E862e82aa002aDe0d","type":"smart_contract","addedAt":"2024-09-23T12:23:59.137Z","revision":2,"description":"Zap (Swell L2)","isPrimacyOfImpact":null},{"id":"2znmRZdlub13dj4b8IzBE2","url":"https://etherscan.io/address/0xb3D9cf8E163bbc840195a97E81F8A34E295B8f39","type":"smart_contract","addedAt":"2023-04-27T10:00:00.000Z","revision":2,"description":"Deposit Manager / Withdrawal Address 
(swETH)","isPrimacyOfImpact":null},{"id":"38UXdB3PqjyzE3Lh8c6flF","url":"https://etherscan.io/address/0xC94CfFD5249Df4008a043EE61e13f19AF16d0936","type":"smart_contract","addedAt":"2024-09-23T12:18:52.658Z","revision":2,"description":"EigenLayerManager","isPrimacyOfImpact":null},{"id":"3auHEUpV6eb9eTrKK7z9JG","url":"https://etherscan.io/address/0xc2a55871a713Fb98A6b60E2e76FC94021c9f182f","type":"smart_contract","addedAt":"2024-09-23T12:21:42.276Z","revision":2,"description":"Keeper (swBTC)","isPrimacyOfImpact":null},{"id":"3erpprHIRqdAjpiYnLeKQX","url":"https://etherscan.io/address/0x796592b2092F7E150C48643dA19Dd2F28be3333F","type":"smart_contract","addedAt":"2024-09-23T12:18:13.577Z","revision":2,"description":"Access Control Manager (rswETH)","isPrimacyOfImpact":null},{"id":"3v4ehtFzivn2tUnvc8Oya2","url":"https://etherscan.io/address/0x8DB2350D78aBc13f5673A411D4700BCF87864dDE","type":"smart_contract","addedAt":"2024-09-23T12:22:17.730Z","revision":3,"description":"Vault (swBTC token)","isPrimacyOfImpact":null},{"id":"49LV3CSh6GeDTQztPfBBiB","url":"https://etherscan.io/address/0xA9Bd691b166aAFCC9EF55aaBC1960825630558d6","type":"smart_contract","addedAt":"2024-09-23T12:22:25.567Z","revision":2,"description":"Delayed Withdraw Auth (swBTC)","isPrimacyOfImpact":null},{"id":"4g6QFpQqAoDbmZintPKJgr","url":"https://etherscan.io/address/0xe5FCBdE076F36bB076170758F8E3AEC7412C5f91","type":"smart_contract","addedAt":"2024-09-23T12:22:07.975Z","revision":2,"description":"Registry (swBTC)","isPrimacyOfImpact":null},{"id":"4iyV4YDZ9xtCkIXsY2vLux","url":"https://etherscan.io/address/0x805c6d95c9e707332215F42cb89f93752FFa55B8","type":"smart_contract","addedAt":"2024-09-23T12:23:15.029Z","revision":2,"description":"Delayed Withdraw (swBTC)","isPrimacyOfImpact":null},{"id":"4qRaBAHLclT4d9LJedjMz6","url":"https://etherscan.io/address/0x46DdC39E780088B1B146Aba8cBBe15DC321A1A1d","type":"smart_contract","addedAt":"2023-04-27T10:00:00.000Z","revision":2,"description":"Node Op Registry 
(swETH)","isPrimacyOfImpact":null},{"id":"4x6UyMAJlymJ9jm3rHxiOj","url":"https://etherscan.io/address/0xf951E335afb289353dc249e82926178EaC7DEd78","type":"smart_contract","addedAt":"2023-04-27T10:00:00.000Z","revision":1,"description":"swETH","isPrimacyOfImpact":null},{"id":"5D5jqoAtdBrT0JCTobTrmB","url":"https://etherscan.io/address/0xD750B84845f1cAdfEAc63f96Ec74635e949bFd14","type":"smart_contract","addedAt":"2024-09-23T12:18:21.318Z","revision":2,"description":"Proxy Admin","isPrimacyOfImpact":null},{"id":"5gcdIgJZcti4TCWpuMLNQt","url":"https://etherscan.io/address/0x4c86cb5CD701CBf2364f25ED9563Ff3D3d493C22","type":"smart_contract","addedAt":"2024-09-23T12:23:22.940Z","revision":2,"description":"Withdraw Limit Module (swBTC)","isPrimacyOfImpact":null},{"id":"5tWhagclbG6Le4pEVSdWzc","url":"https://etherscan.io/address/0x48DaCb0b938Aa6D5752ca2ea23CD8593FaFb3825","type":"smart_contract","addedAt":"2024-09-23T12:21:34.328Z","revision":2,"description":"Accountant (swBTC)","isPrimacyOfImpact":null},{"id":"6JJvg6rL3qoUDBp8eKLkQt","url":"https://etherscan.io/address/0x975304C676eB3dc86CD336138328E107A95EaA50","type":"smart_contract","addedAt":"2024-09-23T12:23:31.735Z","revision":2,"description":"Tokenized Strategy (swBTC)","isPrimacyOfImpact":null},{"id":"6dlgpGu08d8GHIqYLJZnTh","url":"https://etherscan.io/address/0x5bd444Ad23E02376F8fbbA47e3CC9D2caDB6c4F6","type":"smart_contract","addedAt":"2024-09-23T12:21:50.775Z","revision":2,"description":"Release Registry (swBTC)","isPrimacyOfImpact":null},{"id":"732RfyFf1xXeHUbgXEmQMM","url":"https://etherscan.io/address/0x58749C46Ffe97e4d79508a2C781C440f4756f064","type":"smart_contract","addedAt":"2024-09-23T12:18:45.882Z","revision":2,"description":"rswEXIT","isPrimacyOfImpact":null},{"id":"7bPPbCMZZ3OxIK2f4X6dYL","url":"https://etherscan.io/address/0xAae0B305B3F1edDE7B11b680d4FA9252F7a1c524","type":"smart_contract","addedAt":"2024-09-23T12:18:06.141Z","revision":2,"description":"Node Operator Registry 
(rswETH)","isPrimacyOfImpact":null},{"id":"AOzpOVMWXU8YmZdEK3eKa","url":"https://etherscan.io/address/0xd5A73c748449a45CC7D9f21c7ed3aB9eB3D2e959","type":"smart_contract","addedAt":"2024-09-23T12:18:31.073Z","revision":3,"description":"Repricing Oracle","isPrimacyOfImpact":null},{"id":"MIAxtaEmB9vold80YaeVR","url":"https://etherscan.io/address/0x38D43a6Cb8DA0E855A42fB6b0733A0498531d774","type":"smart_contract","addedAt":"2024-09-23T12:23:47.802Z","revision":2,"description":"Staking (Swell L2)","isPrimacyOfImpact":null},{"id":"UTBL12mUs9MM1FJuqljxW","url":"https://etherscan.io/address/0x981771292052c5f77B14A3BD4DF22e43a8B17bB0","type":"smart_contract","addedAt":"2024-09-23T12:21:26.182Z","revision":2,"description":"Vault Factory (swBTC)","isPrimacyOfImpact":null},{"id":"mUZtsdtlimEPEagx0ROsg","url":"https://etherscan.io/address/0x8041bA598f0E656EBe80c67289efb42C09E86aE3","type":"smart_contract","addedAt":"2024-09-23T12:23:40.116Z","revision":2,"description":"Aera Strategy (swBTC)","isPrimacyOfImpact":null}],"assetsBodyV2":"Though only the proxy implementation contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. 
When reporting a bug, please make sure to select the relevant proxy implementation smart contract as the target.\n\nAll smart contracts of Swell can be found at [https://github.com/SwellNetwork/.](https://github.com/SwellNetwork/) However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-04-27T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/49Iuyx7Sfkmzm6SI8INxX/91d54b122e661d32074e984b19f00741/photo_2023-04-18_14-31-24_copy.png","maxBounty":250000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Asset Management","Liquid Staking","Staking","L2"],"programOverview":"Swell is a permissionless, non-custodial, and liquid (re)staking protocol designed for stakers, node operators, and the broader Ethereum ecosystem. \n\nAs the first-ever fully unified restaking yield protocol, Swell provides a universal restaking yield layer that features a vertically-integrated restaked rollup Layer 2. 
This innovative architecture is powered by Swell native LRTs and secures a diverse set of AVSs, fostering a rich ecosystem of applications.\n\nAbove all, Swell aims to enhance the Ethereum ecosystem and its users by simplifying the (re)staking process and driving utility for its reward-bearing token. To learn more about Swell and how it can help you maximize your staking rewards, visit [https://swellnetwork.io/](https://swellnetwork.io/).","programType":["Smart Contract","Websites and Applications"],"project":"Swell","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the  [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/) This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused.  However, there is a minimum reward of __USD 50 000__ and a maximum reward of __USD 250 000__ for Critical smart contract bug reports.\n\nPreviously known issues highlighted in the following audit reports are considered as out of scope: \n- [https://github.com/SwellNetwork/v3-core-public/tree/master/Audit%20Reports](https://github.com/SwellNetwork/v3-core-public/tree/master/Audit%20Reports)\n\nPayouts are handled by the __Swell__ team directly and are denominated in USD. 
However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"swell","updatedDate":"2025-06-25T11:42:12.425Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Swell is a permissionless, non-custodial, and liquid (re)staking protocol designed for stakers, node operators, and the broader Ethereum ecosystem. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n\n- In general, any functionality related to LSTs, including the following (but not limited to):\n\n    - rswETH - depositViaDepositManager\n    - Deposit Manager - depositLST\n    - Deposit Manager - transferTokenForDepositIntoStrategy\n    - Deposit Manager - setExchangeRateProvider\n    - EigenLayerManager - depositIntoEigenLayerStrategy\n    - EigenLayerManager - setEigenLayerStrategy\n    - EigenLayerManager - completeQueuedWithdrawal\n    - StakerProxy - depositIntoStrategy\n    - StakerProxy - withdrawERC20FromPod\n    - StakerProxy - completeQueuedWithdrawal\n    - StakerProxy - sendTokenBalanceToDepositManager\n    - RepricingOracle - any implementation involving LSTs","customProhibitedActivities":[],"impacts":[{"id":4161,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as: Iframing leading to modifying the backend/browser state (demonstrate impact with PoC)"},{"id":4162,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as: Social media handles, 
etc."},{"id":4163,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as: Locking up the victim from login, Cookie bombing, etc."},{"id":4164,"type":"smart_contract","severity":"high","title":"Attacker can steal Node Operator or Swell Treasury fees"},{"id":4165,"type":"smart_contract","severity":"high","title":"Attacker can force the exit of Swell validators"},{"id":4166,"type":"smart_contract","severity":"high","title":"Attacker can change withdrawal address of Swell registered validators"},{"id":4167,"type":"smart_contract","severity":"high","title":"Attacker can disable node operators"},{"id":4168,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc."},{"id":4169,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email or password of the victim, etc."},{"id":4170,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as: Email address, Phone number, Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":4171,"type":"smart_contract","severity":"medium","title":"Attacker can pause Swell’s contracts"},{"id":4172,"type":"smart_contract","severity":"medium","title":"Attacker can modify Node Operator or Swell Treasury fee rate"},{"id":4173,"type":"smart_contract","severity":"medium","title":"Attacker can register themselves as a node operator"},{"id":4174,"type":"smart_contract","severity":"medium","title":"Attacker 
can obtain elevated access control privileges in Swell’s contracts"},{"id":4175,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Changing the name of user, Enabling/disabling notifications"},{"id":4176,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection, Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":4177,"type":"smart_contract","severity":"critical","title":"Theft of users' funds intended to be staked"},{"id":4178,"type":"smart_contract","severity":"critical","title":"Theft of funds in the Swell-owned withdrawal addresses"},{"id":4179,"type":"smart_contract","severity":"critical","title":"Theft of funds in the Swell-owned deposit contract"},{"id":4180,"type":"smart_contract","severity":"critical","title":"Theft of funds in transit from deposit contract to Beacon Chain contract"},{"id":4181,"type":"smart_contract","severity":"critical","title":"Manipulation of Swell’s ETH to swETH/rswETH conversion rate leading to the attacker obtaining a disproportionate amount of swETH/rswETH for staking ETH (> 10% difference compared to the last valid rate)"},{"id":4182,"type":"smart_contract","severity":"critical","title":"Attacker can cause the deposit of 32 ETH to the Beacon Chain to fail, losing funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4183,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as: /etc/shadow, database passwords, blockchain keys (this does not 
include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":38,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT URI"},{"id":4184,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":4185,"type":"websites_and_applications","severity":"critical","title":"Changing the NFT metadata"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4186,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":4187,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through NFT metadata"},{"id":4188,"type":"smart_contract","severity":"critical","title":"Manipulation of wBTC to swBTC conversion rate leading to the attacker obtaining a disproportionate amount of swBTC for restaking swBTC (> 10% difference compared to the last valid 
rate)"}],"rewards":[{"id":8335,"severity":"critical","assetType":"smart_contract","maxReward":250000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":6638,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":6639,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":6640,"severity":"critical","assetType":"websites_and_applications","fixedReward":20000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":6641,"severity":"high","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"},{"id":6642,"severity":"medium","assetType":"websites_and_applications","fixedReward":1500,"rewardModel":"fixed"},{"id":6643,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"26v62i8b2yHmx2Da8THqiA","url":"https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_1.0","type":"blockchain_dlt","addedAt":"2025-02-24T08:00:00.000Z","revision":2,"description":"sBTC GitHub repo","isPrimacyOfImpact":null},{"id":"wlKcCketD7Sl7mJ7M6ATK","url":"https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_1.0","type":"smart_contract","addedAt":"2025-02-24T08:00:00.000Z","revision":2,"description":"sBTC GitHub repo","isPrimacyOfImpact":null},{"id":"6HzehMUPFwBias0grSab74","url":"https://github.com/stacks-network/sbtc/blob/immunefi_attackaton_1.0/Cargo.toml#L31","type":"blockchain_dlt","addedAt":"2025-02-26T05:16:17.915Z","revision":1,"description":"WSTS GitHub repository. Refer to `rev` as specified in the WSTS entry of the Cargo.toml file in the sBTC repository. 
Vulnerabilities related to WSTS will only be considered in scope if they can be exploited in sBTC.","isPrimacyOfImpact":null}],"assetsBodyV2":"Build commands, test commands, and how to run them can be found [here on the Stacks Academy](https://immunefi.com/academy/stacks-attackathon-2/?utm_source=explore_results#400).\n### Project Technical Info\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\nSIP10 is the only token standard supported https://github.com/stacksgov/sips/blob/main/sips/sip-010/sip-010-fungible-token-standard.md \n\n**What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?**\n\nDeposit processing can be paused by shutting down the Emily API server. In the case of vulnerabilities in deposit handling, this can be used to reduce the impact of an ongoing attack.\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nSigners are permissioned and whitelisted operators. Any attack that requires a majority of signers to be malicious should be out of scope. Attacks that require a minority of signers to be malicious would still be in scope but with reduced severity. \n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nStacks L2\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nThis attackaton focuses on sBTC V1, which adds (wrt previous attackathon for version 0.9) the ability to withdraw sBTC back into Bitcoin (on the L1). 
\n\nThe main differences include:\n\n- The new code related to withdrawals;\n- All existing code (including the previous code related to deposits);\n- Key rotation, which allows the signer set to agree on a new aggregate key and start using it;\n- The WSTS cryptographic library that powers threshold signatures on Bitcoin.\n\nCode until https://github.com/stacks-network/sbtc/releases/tag/0.0.9-rc7.1 is related to deposits. Anything more recent is related to withdrawals.\n\n**Where do you suspect there may be bugs?**\n\nThe end-to-end flow of processing new Bitcoin deposits and minting sBTC on Stacks is relatively complex and error-prone. Issues here could allow DoS of valid deposits or incorrect minting/burning of unbacked sBTC.\n\nVulnerabilities in the sBTC smart contracts hosted on Stacks could break the core assumptions of the system. Any attack that leads to a mismatch between the BTC collateral and the sBTC would be highly interesting to us.\n\nAny attack against the threshold signature scheme used on Bitcoin.\n\n**Where might Security Researchers confuse out-of-scope code with in-scope code?**\n\nVulnerabilities in the Stacks L2 blockchain itself should be reported directly to the [Stacks Immunefi bug bounty](https://immunefi.com/bug-bounty/stacks/information/).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"A flat **$250,000 USD** is in rewards for finding bugs on the Stacks sBTC upgrade.\n\n**On top of the above rewards**, the yield generated from 1 Million STX over 3 months will be distributed either among exceptional bug reports or equally among all SRs who submit a valid report, at Stacks’ discretion. 
Estimated to be worth about $50,000 USD as of December 1st, 2024.\n\nYou can ask technical questions to the Stacks team directly in the #stacks-attackathon channel in [Immunefi's Discord](https://discord.com/invite/immunefi).\n\nWhen the Stacks Attackathon ends, Immunefi will publish a leaderboard and Attackathon findings report.","boostedIntroStartingIn":"A flat $250,000 USD is in rewards for finding bugs on the Stacks sBTC upgrade.\n\nOn top of the above rewards, the yield generated from 1 Million STX over 3 months will be distributed either among exceptional bug reports or equally among all SRs who submit a valid report, at Stacks’ discretion. Estimated to be worth about $50,000 USD as of December 1st, 2024.\n\nThe scope is the complete sBTC upgrade, including new features, new code and bug fixes added since Stack's 1st Attackathon.\n\n[Sign up for Stacks' 2nd Attackathon](https://docs.google.com/forms/d/e/1FAIpQLSepIL-1khl05n7IpWBgXKdKQ1HT9A1G4IUuaPeKzkbURxY7rw/viewform?usp=sf_link).","boostedLeaderboard":[{"high":1,"name":"Blobism","critical":0,"earnings":64263,"insights":1,"mediumLow":2,"totalValidBugs":3},{"high":1,"name":"f4lc0n","critical":0,"earnings":54933,"insights":0,"mediumLow":2,"totalValidBugs":3},{"high":1,"name":"vini_btc","critical":0,"earnings":44297,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"leadwiz","critical":0,"earnings":43047,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"christ0s","critical":0,"earnings":16432,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Pig46940","critical":0,"earnings":14349,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"ZoA","critical":0,"earnings":5811,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Cartel","critical":0,"earnings":4783,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"XDZIBECX","critical":0,"earnings":2083,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.goog
le.com/file/d/1_tFfdUIH17_3kpKZZfh4H_-W7zDLLEMe/view?usp=sharing","ecosystem":["Bitcoin","Stacks"],"endDate":"2025-03-27T08:00:00.000Z","evaluationEndDate":"2025-06-19T16:20:47.578Z","features":["Attackathon","Vault","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust","Clarity"],"launchDate":"2025-02-24T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7k7Y3ozFznu7BV69YN9Bpz/e0a8ac082886c5c1be6fb64e19325fa1/Stacks_Logo.png","maxBounty":250000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"Stacks","prioritizedVulnerabilities":"To be determined","productType":["L2"],"programOverview":"Stacks is a Bitcoin L2 enabling smart contracts & apps with Bitcoin as the secure base layer. 
This Attackathon focuses on Stacks’ sBTC upgrade.\n\nFor more information about sBTC, please visit https://sbtc.tech/  \nFor more information about Stacks, please visit https://www.stacks.co/\n\n**Live Fixes & Duplicate Rules**\n\nStacks’ Attackathon includes deployed code with live TVL in scope and so the code cannot be frozen because they may need to make bug fixes to protect users.\n\nRead our [full rules on live fixes & duplicate validity](https://immunefisupport.zendesk.com/hc/en-us/articles/32914694719889-Stacks-Attackathon-II-Code-Update-Rules) for this Attackathon.\n\n**Dispute Resolution**\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.\n\n**Responsible Publication Policy**\n\nImmunefi will publish bug reports, earnings, and a leaderboard for this Attackathon.\nSecurity Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.\n\n\n**KYC Requirement**\n\nStacks requires KYC information to pay for bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. 
Immunefi may make exceptions due to extenuating","programType":["Blockchain/DLT","Smart Contract"],"project":"Attackathon | Stacks II","projectType":null,"rewardsBody":"### Rewards Terms\n\nRewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nRewards are denominated in USD and distributed in STX.\n\nThe reward pool is **$250,000 USD**, regardless of bugs found.\n\n**On top of the above rewards**, the yield generated from 1 Million STX over 3 months will be distributed either among exceptional bug reports or equally among all SRs who submit a valid report, at Stacks’ discretion. Estimated to be worth about $50,000 USD as of December 1st, 2024.","rewardsPool":250000,"primaryPool":250000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"STX","slug":"stacks-attackathon-2","tenPercentEconomicRule":false,"updatedDate":"2025-06-19T16:20:43.048Z","impactsBody":"**Previous Audits**\n\nStacks’s completed audit reports can be found at https://stacks.org/audits . As well as the [sBTC audit here,](https://security.bitcoinl2labs.com/audits) which the 3rd audit report from the top of the list.\n\nUnfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n**Public Disclosure of Known Issues**\n\nBug reports for publicly disclosed bugs are not eligible for a reward. 
\n\n- https://github.com/stacks-network/sbtc/issues\n- https://github.com/stacks-network/sbtc/pulls\n\nThe Stacks team will label known issues with the label 'immunefi-scope' ( https://github.com/stacks-network/sbtc/labels/immunefi-scope ) to allow security researchers to easily filter them out.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n**Stacks’ Feasibility Limitations**\n\nIn addition to our [standard feasibility limitations](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards), the following also apply:\n\n- Non-Criticals which can be objectively determined to only be able to affect <1% of users may be downgraded by 1 severity.\n- Non-Critical impacts that are dependent on execution to have a malicious signer involved, may be downgraded by 1 severity level.\n- Vulnerabilities related to WSTS will only be considered in scope if they can be exploited in sBTC.","websiteUrl":"https://www.stacks.co/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Stacks is a Bitcoin L2 enabling smart contracts & apps with Bitcoin as the secure base layer. This Attackathon focuses on Stacks’ sBTC upgrade.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"","customProhibitedActivities":[],"impacts":[{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5371,"type":"blockchain_dlt","severity":"high","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the 
network"},{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5372,"type":"blockchain_dlt","severity":"high","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":5373,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":5374,"type":"blockchain_dlt","severity":"medium","title":"Temporarily Freezing Network Transactions"},{"id":5375,"type":"blockchain_dlt","severity":"medium","title":"API crash preventing correct processing of deposits"},{"id":5376,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24h"},{"id":5377,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1h"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"critical","payout":"Portion of the Reward 
Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"RIKVjSC0VK35voi7jKtki","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/networks/movement/movement-config","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"movement-config [981]","isPrimacyOfImpact":null},{"id":"3uG6m4wmBUDINjthJNSeXk","url":"https://github.com/immunefi-team/attackathon-movement-layerzero-devtools/tree/main/examples/oft-evm-move-adapters/deploy-eth/src/MOVEOFTAdapter.sol","type":"smart_contract","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"MOVEOFTAdapter.sol [17]","isPrimacyOfImpact":null},{"id":"35bjpEBDUswuFYp2IyeL9p","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/networks/movement/movement-full-node","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"movement-full-node [1777]","isPrimacyOfImpact":null},{"id":"5XU3oXGNmJQTq2sYogEsoa","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/access-control/aptos/account-whitelist","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"account-whitelist [77]","isPrimacyOfImpact":null},{"id":"650IcjBUJCVkBnEwWGTVGc","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"movement 
[4417]","isPrimacyOfImpact":null},{"id":"2r2S4iSmJFGgsGaOz5x8V0","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/client","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"client [175]","isPrimacyOfImpact":null},{"id":"1UDxFjdDLeHPafliovSBOU","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/da","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"da [320]","isPrimacyOfImpact":null},{"id":"1cnXGt4m0iFAD87FyPB5eD","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/light-node","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"light-node [760]","isPrimacyOfImpact":null},{"id":"25keJ6PwWi565IbBDVc8kb","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/light-node-signer","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"light-node-signer [34]","isPrimacyOfImpact":null},{"id":"1HJJCxVgPp8K1BE49OGKVy","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/prevalidator","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"prevalidator [156]","isPrimacyOfImpact":null},{"id":"4LOYZ3jCcpOhHqPjodyPNq","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/proto","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"proto [32]","isPrimacyOfImpact":null},{"id":"4XT4Z0fnY6bdnj9gkRuxMW","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/util","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"util 
[937]","isPrimacyOfImpact":null},{"id":"18aSwCKFs7cWiDdVRue9Bt","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/verifier","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"verifier [145]","isPrimacyOfImpact":null},{"id":"4oC6cEzZlnmXMiAjShwP12","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/providers/celestia","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"celestia [175]","isPrimacyOfImpact":null},{"id":"iT8GzciHgB28R3ZIK91Ac","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/providers/digest-store","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"digest-store [195]","isPrimacyOfImpact":null},{"id":"72lhrAI8Tn9qGp1P90be1x","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/execution/maptos/dof","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"dof [582]","isPrimacyOfImpact":null},{"id":"rRPq0v9eDn04VJyezOpKz","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/execution/maptos/opt-executor","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"opt-executor [1691]","isPrimacyOfImpact":null},{"id":"5UlkI1Y1apNvyRhfv8fafK","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/mempool/move-rocks","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"move-rocks [528]","isPrimacyOfImpact":null},{"id":"2peAPzFsOVD3Ut4LqFT5n0","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/mempool/util","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"util 
[199]","isPrimacyOfImpact":null},{"id":"5qJlyLUVAqILd1zV2GiX6a","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/movement-rest","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"movement-rest [102]","isPrimacyOfImpact":null},{"id":"2KBTSDNGeHaTZkNDHSKxRu","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/sequencing/memseq/sequencer","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"sequencer [431]","isPrimacyOfImpact":null},{"id":"Gpo362EkC0QjThErdlxAR","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/sequencing/memseq/util/src/lib.rs","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"lib.rs [70]","isPrimacyOfImpact":null},{"id":"7BVZis0MSd9XN0rzl0NlWq","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/sequencing/util","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"util [29]","isPrimacyOfImpact":null},{"id":"1ng6DuZI0wNYVVcPA4vdFp","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/syncing/syncup","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"syncup [159]","isPrimacyOfImpact":null},{"id":"1SNsggarVoZx831SGvz1CU","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/buildtime","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"buildtime [205]","isPrimacyOfImpact":null},{"id":"aBckVTQHCFZqu4UlHmoaD","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/buildtime/buildtime-helpers","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"buildtime-helpers 
[66]","isPrimacyOfImpact":null},{"id":"2wQCymnA1tH5XZFs11CunW","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/buildtime/buildtime-macros","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"buildtime-macros [85]","isPrimacyOfImpact":null},{"id":"41ScYgiOLrgCA8GgDqObuM","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/collections","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"collections [365]","isPrimacyOfImpact":null},{"id":"kh19MoT8iNJy5ZKn9Bdg8","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/dot-movement","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"dot-movement [166]","isPrimacyOfImpact":null},{"id":"63qHdweEWTdZLgV7yGi3Su","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/godfig","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"godfig [559]","isPrimacyOfImpact":null},{"id":"2cDk8ZrdFo8poAKyonhYuY","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/movement-algs","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"movement-algs [850]","isPrimacyOfImpact":null},{"id":"lgR7QtmOTFeE0IuJgxM7K","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/movement-types","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"movement-types [436]","isPrimacyOfImpact":null},{"id":"2oJN2vOHgC4faSQ5lQb4lV","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/signing/integrations/aptos","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"aptos 
[658]","isPrimacyOfImpact":null},{"id":"2jCiPlE4j4B8nuWz7LYULu","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/signing/providers/aws-kms","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"aws-kms [260]","isPrimacyOfImpact":null},{"id":"3ZOUZMxR4EXSgeLRrRJgiR","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/signing/providers/hashicorp-vault","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"hashicorp-vault [235]","isPrimacyOfImpact":null},{"id":"53Pf4KkZVQ875a8ofYGAfm","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/signing/signing-admin","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":3,"description":"signing-admin [318]","isPrimacyOfImpact":null},{"id":"6oFEl3XGLNFg2e5TWOZPbL","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/signing/util/loader","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"loader [273]","isPrimacyOfImpact":null},{"id":"3IcG2ygTV0tFEiKAn7tGLo","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/util/syncador","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"syncador [1550]","isPrimacyOfImpact":null},{"id":"2gUhhNgHu5yMzyyPoK8hsV","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/docker/compose/movement-full-node/docker-compose.yml","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"docker-compose.yml [102]","isPrimacyOfImpact":null},{"id":"7kCaOnMVdDYrIsjDmA3Lrp","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/docker/compose/movement-indexer/docker-compose.indexer.yml","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"docker-compose.indexer.yml 
[82]","isPrimacyOfImpact":null},{"id":"6dfyVBvLxHBtB527dM0Yzp","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/docker/compose/movement-indexer/docker-compose.local-development.indexer.yml","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"docker-compose.local-development.indexer.yml [70]","isPrimacyOfImpact":null},{"id":"5mLfjadRUTuSWGuhh2nYDQ","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/docker/compose/movement-full-node/docker-compose.follower.yml","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"docker-compose.follower.yml [68]","isPrimacyOfImpact":null},{"id":"5jAqyodBx832HKEBIiDF0l","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/docker/compose/movement-full-node/docker-compose.ledger-should-progress.yml","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"docker-compose.ledger-should-progress.yml [53]","isPrimacyOfImpact":null},{"id":"3zYBIZngeug1n8i8gabrsb","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/docker/compose/movement-full-node/docker-compose.celestia-mainnet.yml","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"docker-compose.celestia-mainnet.yml [49]","isPrimacyOfImpact":null},{"id":"6ULisrjzhZZWatA6wdv5GH","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/docker/compose/movement-full-node/docker-compose.leader.yml","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"docker-compose.leader.yml [9]","isPrimacyOfImpact":null},{"id":"2S7GAm5LLZVleqF4lb3elK","url":"https://github.com/immunefi-team/attackathon-movement/tree/main/docker/compose/movement-full-node/docker-compose.mainnet-leader.yml","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"docker-compose.mainnet-leader.yml 
[9]","isPrimacyOfImpact":null},{"id":"6Fnvluxm2zpxJbQeWQuLXU","url":"https://github.com/immunefi-team/attackathon-movement-layerzero-devtools/tree/main/examples/oft-evm-move-adapters/deploy-eth/script/MOVEOFTAdater.s.sol","type":"smart_contract","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"MOVEOFTAdater.s.sol [49]","isPrimacyOfImpact":null},{"id":"96UUlQAk545wkaq34yXS8","url":"https://github.com/immunefi-team/attackathon-movement-layerzero-devtools/tree/main/examples/oft-evm-move-adapters/sources/oft_implementation/move_oft_adapter.move","type":"smart_contract","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"move_oft_adapter.move [140]","isPrimacyOfImpact":null},{"id":"72u9SBqKPru2AiX62TZCPm","url":"https://github.com/immunefi-team/attackathon-movement-aptos-core/tree/main","type":"blockchain_dlt","addedAt":"2025-03-07T18:00:00.000Z","revision":2,"description":"aptos-core [28238]","isPrimacyOfImpact":null}],"assetsBodyV2":"**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nThe nodes are not currently rolling back on settlement failures: https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md. Settlement logic is out of scope.\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\n- The entire layerzero-devtools repo is not generally in scope. Only the files we modified for our bridge are in scope.\n- The indexer / graphql are not in scope.\n- Other than the indexer, native_bridge.move, and atomic_bridge.move, the entire aptos-core repo is in scope. However, only certain parts of the movement repo are in scope.\n- The nodes are not currently rolling back on settlement failures: [https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md](https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md). 
Settlement logic and MCR is out of scope.\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nThe Move Language is forked from Aptos-Core, with additional modifications. Any bugs found outside of changes made by Movement Labs in Aptos-Core should be reported to Aptos Labs. Please view the following diff to view the scope of the Attackathon [https://github.com/aptos-labs/aptos-core/compare/main...movementlabsxyz:aptos-core:movement](https://github.com/aptos-labs/aptos-core/compare/main...movementlabsxyz:aptos-core:movement).\n\n**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nWe don’t suspect a particular area more strongly than others; all in-scope assets are subject to investigation.\n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\nMovement has the ability to rollback chain state. Any impacts which do not cause significant damage and can be mitigated by a rollback may be downgraded. Snapshots of state are taken periodically.\n\n**Which chains and/or networks is and will the code in scope be deployed to?**\n\nThe Movement Network.\n\n**What external dependencies are there?**\n\n- Crates in Cargo.toml\n- Base images in the in scope Docker Compose files\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nThe nodes are not currently rolling back on settlement failures: [https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md](https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md). Settlement logic and MCR is out of scope.\n\n**What are the most valuable educational resources already available? (Ie. 
Documentation, Explainer videos or articles, etc)**\n\n[https://docs.movementnetwork.xyz](https://docs.movementnetwork.xyz)\n\n**Out-of-scope clauses**\n\nThe nodes are not currently rolling back on settlement failures: [https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md](https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md). Settlement logic is out of scope.\n\nAdditionally, the native_bridge.move and atomic_bridge.move files within the aptos-core repository are not in scope as they are not used in production. Please see MOVEOFTAdapter.sol in the layerzero_devtools repository for bridging logic.\n\nIndexer / graphql and MCR / settlement are all considered to be out-of-scope.\n\nThe following is always considered out of scope as a security researcher needs to find an applicable in scope impact, which would not be possible if it was the following:\n- test and dev logic not directly related to our deployments\n- code that is not used","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"A flat $400,000 USD is in rewards for finding bugs on Movement Labs code.\n\nOn top of the above rewards, a separate Mitigation Audit with up to $100,000 USD will be launched in case if Movement Labs pushes public fixes of found vulnerabilities during the Attackathon.\n\nAny technical questions and support requests can be asked directly to Movement Labs or Immunefi in the #movement-labs-attackathon channel in [Immunefi's Discord](https://discord.com/invite/immunefi).\n\nWhen the Movement Labs Attackathon ends, Immunefi will publish a leaderboard and Attackathon findings report.","boostedIntroStartingIn":"A flat $400,000 USD is in rewards for finding bugs on Movement Labs code.\n\nOn top of the above rewards, a separate Mitigation Audit with up to $100,000 USD will be launched in case if Movement Labs push public fixes of found vulnerabilities during the Attackathon.\n\nMarch 7th 
the **Movement Labs Attackathon Education Period** begins — launching the ‘Movement Labs Academy’, and opening direct access to the Movement Labs’ team for ongoing technical Q&A on [Immunefi's Discord](https://discord.com/invite/immunefi) in the “movement-labs-attackathon\" channel.\n\nWhen the Movement Labs Attackathon ends, Immunefi will publish a leaderboard and Attackathon findings report.","boostedLeaderboard":[{"high":1,"name":"usmannk","critical":7,"earnings":95112,"insights":0,"mediumLow":0,"totalValidBugs":8},{"high":2,"name":"perseverance","critical":4,"earnings":37972,"insights":0,"mediumLow":1,"totalValidBugs":7},{"high":6,"name":"infosec_us_team","critical":1,"earnings":33781,"insights":0,"mediumLow":0,"totalValidBugs":7},{"high":4,"name":"KlosMitSoss","critical":2,"earnings":30241,"insights":4,"mediumLow":1,"totalValidBugs":7},{"high":1,"name":"jovi","critical":2,"earnings":24819,"insights":4,"mediumLow":1,"totalValidBugs":4},{"high":2,"name":"okmxuse","critical":2,"earnings":23002,"insights":4,"mediumLow":1,"totalValidBugs":5},{"high":1,"name":"dustincha","critical":1,"earnings":20715,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"hulkvision","critical":2,"earnings":18529,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":4,"name":"Blockian","critical":1,"earnings":16675,"insights":1,"mediumLow":0,"totalValidBugs":5},{"high":0,"name":"br0nz3p1ck4x3","critical":2,"earnings":13713,"insights":1,"mediumLow":0,"totalValidBugs":2},{"high":4,"name":"HollaDieWaldfee","critical":1,"earnings":11878,"insights":2,"mediumLow":3,"totalValidBugs":8},{"high":0,"name":"savi0ur","critical":1,"earnings":11042,"insights":2,"mediumLow":2,"totalValidBugs":3},{"high":2,"name":"niroh","critical":1,"earnings":7439,"insights":1,"mediumLow":1,"totalValidBugs":4},{"high":0,"name":"yemresaritoprak","critical":1,"earnings":6712,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"a090325","critical":1,"earnings":6712,"insights":0,"mediumLow":0,"to
talValidBugs":1},{"high":3,"name":"zhaojie","critical":0,"earnings":5886,"insights":0,"mediumLow":0,"totalValidBugs":3},{"high":1,"name":"Rhaydden","critical":0,"earnings":5844,"insights":8,"mediumLow":2,"totalValidBugs":3},{"high":1,"name":"ZeroTrust","critical":0,"earnings":4826,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"keizo","critical":0,"earnings":4143,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"fnmain","critical":0,"earnings":4143,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"Berserk","critical":1,"earnings":3498,"insights":1,"mediumLow":0,"totalValidBugs":2},{"high":1,"name":"Cartel","critical":1,"earnings":2718,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"Nirix0x","critical":1,"earnings":2441,"insights":2,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"avoloder","critical":0,"earnings":2438,"insights":2,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Minato7namikazi","critical":0,"earnings":1381,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"p_laksmana","critical":0,"earnings":1381,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":1,"name":"XDZIBECX","critical":0,"earnings":973,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Franfran","critical":0,"earnings":654,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"p4rsely","critical":0,"earnings":559,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Cryptor","critical":0,"earnings":484,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"p4y4b13","critical":0,"earnings":290,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1IAto_Q53lXfv4AeqF1MyQtUFP6oT6jcz/view?usp=drive_link","ecosystem":null,"endDate":"2025-04-04T18:00:00.000Z","evaluationEndDate":"2025-06-19T15:16:18.008Z","features":["Attackathon","Managed Triage: Time 
Saver","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Move","Rust"],"launchDate":"2025-03-07T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7DjMVTpQlNLAmfCQBtATm3/216ffcea3d1b3fa3570ab58429e6b35e/movement-mark-reverse-rgb-2000px_72ppi__1_.png","maxBounty":400000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"To be determined","productType":null,"programOverview":"Movement Labs is a core contributor to Movement Network, a Move-based blockchain network that settles to Ethereum and creates safer execution environments by way of Move.\n\nFor more information about Movement Labs, please visit [https://movementlabs.xyz/](https://movementlabs.xyz/).\n\nThis is a **mainnet AC (audit competition)** and the project may fix bugs mid-competition. The more bugs a project fixes, the more rewards will be unlocked for a simultaneously running **mitigation competition** with up to $100,000 USD in rewards that is open for everyone to participate in. Read our full [mainnet AC rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules) for more info.\n\nBugs in code which is in scope for both the Aptos bug bounty program & Movement Attackathon will only be rewarded from the Movement Attackathon reward pool. This is so bugs won't be paid twice, once from the Aptos bug bounty program and then again from Movement's Attackathon. 
This only applies to bugs submitted while the Movement Attackathon is live.\n\n**Responsible Publication**\n\nImmunefi will publish bug reports, earnings, and a leaderboard for this Attackathon.\n\nSecurity Researchers may publish their bug reports as well, but only after Immunefi has published the valid bug reports as part of the competition results.\n\n**Dispute Resolution**\n\nIf there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.","programType":["Blockchain/DLT","Smart Contract"],"project":"Attackathon | Movement Labs","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nRewards are denominated in USD and distributed in USDC on Ethereum and Move: $400k USDC and $100k worth of MOVE tokens.\n\nThe reward pool is **$400,000 USD** if any bug is found.\n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is **$50,000 USD**.\n\n__Mitigation Competition Rewards__\n\nThe maximum reward pool for the mitigation competition is **$100,000 USD**.\n\nIf any bug in scope is fixed during the mainnet AC then a mitigation competition will begin immediately, run simultaneously, and end 5 days after the mainnet AC has ended.\n\nThe mitigation competition’s reward pool is based on how many bugs are fixed while the competitions are live relative to how many bugs are found in the mainnet AC. 
So if projects make more bug fixes mid-competition then the size of the mitigation competition reward pool increases up to the maximum.\n\nThe full mitigation competition reward terms can be [read here](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules).","rewardsPool":400000,"primaryPool":400000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"movement-labs-attackathon","tenPercentEconomicRule":false,"updatedDate":"2025-06-19T15:15:39.123Z","impactsBody":"**No Runnable PoC Code Required**\n\nFor this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact. For more information, please read [Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Audit-Competition-Proof-of-Concept-Rules). \n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope are valid.\n\n**Previous Audits**\n\nMovement Labs’s completed audit reports can be found here:\n- [https://1247499478-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBMbDkZsgQosju3BU30VN%2Fuploads%2FIw6F6sO75Gl3oOa9D6kD%2Fmeridian_audit_final.pdf?alt=media&token=f5ab2581-9407-4b2b-93d2-e7c61760cdbd](https://1247499478-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBMbDkZsgQosju3BU30VN%2Fuploads%2FIw6F6sO75Gl3oOa9D6kD%2Fmeridian_audit_final.pdf?alt=media&token=f5ab2581-9407-4b2b-93d2-e7c61760cdbd)\n- [https://docs.canopyhub.xyz/audits/audit-reports](https://docs.canopyhub.xyz/audits/audit-reports)\n- [https://drive.google.com/file/d/1nTg57yVLay1TrBbB3HnEoQ_ElQ0_rScL/view?usp=sharing](https://drive.google.com/file/d/1nTg57yVLay1TrBbB3HnEoQ_ElQ0_rScL/view?usp=sharing)\n- [https://docs.echelon.market/echelon-v1/security/audit-reports](https://docs.echelon.market/echelon-v1/security/audit-reports)\n- 
[https://github.com/movementlabsxyz/layerzero-devtools/issues](https://github.com/movementlabsxyz/layerzero-devtools/issues)\n- [https://github.com/movementlabsxyz/aptos-core/issues](https://github.com/movementlabsxyz/aptos-core/issues)\n- [https://github.com/movementlabsxyz/movement/issues](https://github.com/movementlabsxyz/movement/issues)\n- [https://github.com/aptos-labs/aptos-core/issues](https://github.com/aptos-labs/aptos-core/issues)\n\nUnfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n**Public Disclosure of Known Issues**\n\nBug reports for publicly disclosed bugs are not eligible for a reward.\n- [https://github.com/movementlabsxyz/aptos-core/pull/115](https://github.com/movementlabsxyz/aptos-core/pull/115)\n- [https://github.com/movementlabsxyz/movement/issues/1113](https://github.com/movementlabsxyz/movement/issues/1113)\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n**Mainnet AC (Audit Competition) Bug Fix Policy**\n\nThe project may make bug fixes during the competition.\n- Fixed bugs immediately become out of scope once the fix is public.\n- Duplicate submissions of a bug are only valid if they’re submitted before the fix is public.\n\nAll project-made bug fixes immediately become in scope for the mitigation competition once the fix is public, including fixes to bugs found independently of SRs.\n\nRead our full [mainnet AC rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules) for more info.\n\n**KYC Requirement**\n\nMovement Labs requires KYC information to pay for bug submissions. 
The following information will be required:\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other government-issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- An official contributor, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in an audit review of the code in scope (Such auditors may still participate in this program only if they receive project permission)","websiteUrl":"https://movementlabs.xyz/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Movement Labs is a core contributor to Movement Network, a Move-based blockchain network that settles to Ethereum and creates safer execution environments by way of Move.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"The nodes are not currently rolling back on settlement failures: [https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md](https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md). Settlement logic is out of scope.\n\nAdditionally, the native_bridge.move and atomic_bridge.move files within the aptos-core repository are not in scope as they are not used in production. Please see MOVEOFTAdapter.sol in the layerzero_devtools repository for bridging logic.\n\nIndexer / GraphQL and MCR / settlement are all considered to be out-of-scope.\n\nThe following is always considered out of scope, since a security researcher needs to demonstrate an applicable in-scope impact, which is not possible for:\n- test and dev logic not directly related to our deployments\n- code that is not used","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by 
delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":8,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting programs with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":5405,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5406,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 24 hours"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"664snwsffdMxjsYAyf5gL","url":"https://ofza.com/","type":"websites_and_applications","addedAt":"2025-06-18T07:41:20.429Z","revision":1,"description":"Cryptocurrency exchange regulated by VARA
","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-06-18T05:11:00.000Z","logo":"https://qn5bmgziiocgawpp.public.blob.vercel-storage.com/76788-rfS129jaGhIhJO4Vjg2OK-6jUzFcBg2j4m7Cbupk4fazB1mQ1RvS.png","maxBounty":10000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"Solana","prioritizedVulnerabilities":"Account takeover\nSQL injection\nRace condition\nSSRF","productType":["CEX"],"programOverview":"The Ofza Bug Bounty Program is built to ensure the highest level of security for our users, partners, and infrastructure. As digital threats continue to evolve, we recognize the importance of working with the broader security community to stay ahead. The program empowers ethical hackers and security researchers to proactively report potential vulnerabilities, helping us identify and fix issues before they can be exploited maliciously.\n\nFor more information about OFZA, please visit https://ofza.com\n\nOFZA provides rewards in **USDT** on **Tron** denominated in USD. For more details about the payment process, please view the **Rewards by Threat Level** section.\n\n__KYC Requirement__\n\nOFZA will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other government-issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list\n- An official contributor, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nOFZA adheres to **Category 3 - Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nOFZA adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.\n\n- Email address enumeration\n\n__Previous Audits__\n\nOFZA’s completed audit reports can be found at [https://ofza.com](https://ofza.com). 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","programType":["Websites and Applications"],"project":"OFZA","projectType":["Exchange"],"rewardsBody":"__Rewards by Threat Level__\n\nCritical web/app bug reports will be rewarded with USD $10,000 only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds\n\nAll other impacts that would be classified as Critical will be rewarded a flat amount of **USD $3,000**. The rest of the severity levels are paid out according to the Impact in Scope table.\n\n__Reward Payment Terms__\n\nPayouts are handled by the **OFZA** team directly and are denominated in **USD**. However, payments are done in **USDT** on **Tron**.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT","slug":"ofza-1","tenPercentEconomicRule":false,"updatedDate":"2025-06-18T09:14:16.838Z","impactsBody":null,"websiteUrl":"https://ofza.com","githubUrl":null,"eligibilityCriteria":["no_employee","no_official_contributor","no_ofac_sdn","no_auditor"],"responsiblePublicationCategory":"category_3","description":"OFZA is a VARA regulated cryptocurrency trading platform based in the UAE, designed to provide secure, seamless, and innovative crypto trading experiences for users across the UAE. With a focus on accessibility, security, and user-centric features, OFZA aims to bridge the gap between traditional finance and the world of digital assets.","knownIssues":[{"id":61,"link":"https://ofza.com","description":"Email Address Enumeration","lastUpdatedAt":"2025-06-15T20:00:00.000Z","relatedImpactInScope":"websites_and_applications"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet 
interaction"},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"}],"rewards":[{"id":30982,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":3000,"rewardModel":"range","otherImpactMaxReward":0},{"id":30983,"severity":"high","assetType":"websites_and_applications","maxReward":3000,"minReward":1000,"rewardModel":"range"},{"id":30984,"severity":"medium","assetType":"websites_and_applications","maxReward":1000,"minReward":500,"rewardModel":"range"}],"audits":[{"id":"5l37l4xB9VjCVT6DMzdzRw","url":"https://ofza.com/","auditor":"Securelayer7","date":"2024-04-19T20:00:00.000Z"}]},{"assets":[{"id":"4PDg2uMK7TPHi7bdXZ4ixk","url":"https://etherscan.io/address/0x80CA847618030Bc3e26aD2c444FD007279DaF50A","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Resonate","isPrimacyOfImpact":null},{"id":"1oSsA13H2YrDhwf7F9WVeF","url":"https://etherscan.io/address/0xbfacb56e0Ab0dc99E80a95B0412c8DC9C035cD2D","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Address Lock Proxy","isPrimacyOfImpact":null},{"id":"4kshh0CbIKs9OeeCir5qqm","url":"https://etherscan.io/address/0x8f74c989252B94Fd2d08a668884D303D57c91422","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"OutputReceiver Proxy","isPrimacyOfImpact":null},{"id":"4LqJOtCPlEOwwtywzqUUKO","url":"https://etherscan.io/address/0xEbB1185f41A2347Dd77B45e1F5e068f1e84f536a","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Resonate Helper (unable to be verified, github link included 
below)","isPrimacyOfImpact":null},{"id":"6LaEd0JCXyUJWnLiVGRN90","url":"https://github.com/Revest-Finance/ResonateContracts/blob/public/hardhat/contracts/ResonateHelper.sol","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Resonate Helper (Github)","isPrimacyOfImpact":null},{"id":"3cFLywmv5LrQbVNjVe0STT","url":"https://etherscan.io/address/0xEDb07875051B26b56747e738efB3d7a271d9145e","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Sandwich Bot Proxy","isPrimacyOfImpact":null},{"id":"LaHTBVRcEtE3e76EVOZuH","url":"https://etherscan.io/address/0x0F89ba3F140Ea9370aB05d434B8e32fDf41a6093","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"PriceProvider","isPrimacyOfImpact":null},{"id":"1eMzVCp3Oku6tUPtVGpNze","url":"https://etherscan.io/address/0x492CbB6217D34d68f0abb77a9D9781C8CcbfdFE8","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Smart Wallet Checker","isPrimacyOfImpact":null},{"id":"72pDtZ25JoMqsVRW373OGF","url":"https://etherscan.io/address/0x00fD2c29CF3AA4880A4C05e7CA1382bF987B3495","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Dev Wallet","isPrimacyOfImpact":null},{"id":"1fcpRuA9GsQsRqY8Bdqh0S","url":"https://etherscan.io/address/0x3Bf38B338c5c45AB8068827f3bF92Cbca951B87F","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Metadata Handler","isPrimacyOfImpact":null},{"id":"3mh3ejObd2qi3LjfEna7Ka","url":"https://etherscan.io/address/0x74Bd7427c8424E71C2a92e23E4Abe4aaeCD299DE","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Chainlink USD 
Oracle","isPrimacyOfImpact":null},{"id":"15IuR1BgamgEINtGiahZW6","url":"https://etherscan.io/address/0x331f8A5c6236C76EEA6c194102dBe2f86D72F09F","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"PoolSmartWallet","isPrimacyOfImpact":null},{"id":"EiOpiTnlYrWXCU9Ahi1d0","url":"https://etherscan.io/address/0xbdaf965FCfE4730707424a71389F742696985311","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"SmartWallet","isPrimacyOfImpact":null},{"id":"5fc88mqq4LRzXg15s2qP12","url":"https://etherscan.io/address/0x91ee5184763d0b80f8dfdCbdE762b5D13ad295f4","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Yearn Adapter V2","isPrimacyOfImpact":null},{"id":"3vIgbE7KANM2aja9MeKjiW","url":"https://etherscan.io/address/0xe3890F1D7032F3BE1924F65507355a3ff1F575Cf","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Curve USD LP Oracle","isPrimacyOfImpact":null},{"id":"19Iz1MxZFsPXTF5FqpiR8J","url":"https://etherscan.io/address/0x74Bd7427c8424E71C2a92e23E4Abe4aaeCD299DE","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Chainlink Oracle","isPrimacyOfImpact":null},{"id":"66NhBgIWJlys4V9vqYemEC","url":"https://etherscan.io/address/0xE999232E3edd607610fE16Ee7aEbADba92fEC5DE","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Governance Controller","isPrimacyOfImpact":null},{"id":"3iTUjKzp1XbyKhvN45X43C","url":"https://etherscan.io/address/0xBf4933c84D331Bd09Be83Cb480C211DdeE3E0080","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Curve ETH LP Oracle","isPrimacyOfImpact":null},{"id":"25WqoXlJNg23FrQgvNLYeV","url":"https://ftmscan.com/address/0x062B3aB17dFac433F9E211F95e6a7A0C627c9a62","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"LP 
Oracle","isPrimacyOfImpact":null},{"id":"3SH4NUFbBjTHkn37rqVZ9J","url":"https://optimistic.etherscan.io/address/0x22031BE61b10d2C6cC9648f251E1284Be5AFa3f9","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Velodrome TWAP Oracle","isPrimacyOfImpact":null},{"id":"17yTzhDTTRknzWYHPgjKo4","url":"https://ftmscan.com/address/0x8e20A69aF81eaeDD74589C9d0684557fd54b0DdA","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"TWAP Oracle","isPrimacyOfImpact":null},{"id":"3E6J7XGMxBpm04mRWrxVA8","url":"https://ftmscan.com/address/0xdB84260bE05054b42a71D4a287fF17a199C1c8FF","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Reaper Farms Adapter","isPrimacyOfImpact":null},{"id":"60Y5d6UCUTvqFHDW7g2c7z","url":"https://ftmscan.com/address/0x1A5C2ee3FB7fe4A2C2e42474a3657C71f6C775CF","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Yearn Adapter","isPrimacyOfImpact":null},{"id":"7LoSF66b9C8GzCwQGTJIIT","url":"https://ftmscan.com/address/0xA6273F603985D13Ea7405B1B497C3b2F7D798Fd2","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Beefy Adapter","isPrimacyOfImpact":null},{"id":"6zCEYHS0An83LMQSJUe0O2","url":"https://ftmscan.com/address/0xeF1ffCa755216941874Bd2ab28C9CfC2F3f652bC","type":"smart_contract","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Stader sFTMx Oracle","isPrimacyOfImpact":null},{"id":"4GM1xHubbo3VIPrYwq980L","url":"https://www.resonate.finance/","type":"websites_and_applications","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Web/App","isPrimacyOfImpact":null},{"id":"7hlACp2kq48fuhohycjPg1","url":"https://app.resonate.finance/","type":"websites_and_applications","addedAt":"2022-10-20T18:00:00.000Z","revision":1,"description":"Web/App","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as 
in-scope of the bug bounty program.\n\nIf any Critical or High severity impact can be caused to any other asset managed by Resonate that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC","ETH","Fantom"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Solidity"],"launchDate":"2022-10-20T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4jvlJuHsyVaQIZnGgijmjc/84bb3df0eaef2725bb1390584fc7e10f/Resonate_Logo_Small.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L2","Yield Aggregator"],"programOverview":"Resonate is the DeFi Yield futures protocol. Resonate splits apart the interest and principal components of a yield-bearing position. Those who hold tokens which may be deposited into yield-bearing systems can receive an instant, upfront payment on the present value of that future yield, in exchange for locking their tokens. An ideal solution for traders who want to receive guaranteed and consistent yield farming rewards for staking tokens or providing liquidity. \n\nFor those who want to purchase the Yield Futures, or the rights to future yield, Resonate places them in a position where they can do so at a discount to the expected future value of the interest. 
For protocols wanting to reduce their burn rate, this discount can offer a better way to incentivize providing LPs.\n\nFor more information about Resonate, please visit [https://www.resonate.finance/](https://www.resonate.finance/).","programType":["Smart Contract","Websites and Applications"],"project":"Resonate","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll Critical/High/Medium severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 40 000__. \n\nCritical website and application bug reports will be rewarded with __USD 30 000__ only if the impact leads to a direct loss in funds. 
All other impacts that would be classified as Critical would be rewarded no more than __USD 15 000__.\n\nKnown issues highlighted in the following audit report are considered out of scope: \n  - [Zellic Audit Part 1](https://www.resonate.finance/audits/Zellic-Part-I.pdf)\n  - [Zellic Audit Part 2](https://www.resonate.finance/audits/Zellic-Part-II.pdf)\n  - [BlockSec Audit](https://www.resonate.finance/audits/BlockSec-Audit.pdf)\n  - [BlockSec Oracle Audit](https://www.resonate.finance/audits/BlockSec-Oracle-Audit.pdf)\n  - [Bug Bounty Report by GalloDaSballo](https://docs.google.com/document/d/1NJm2d7JK5a8Cu-TGNip8AQwiVtNqcdd818xyUHkRnCM/edit)\n\nPayouts are handled by the __Resonate__ team directly and are denominated in USD. However, payouts are done in __USDC__ or __RVST__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC or RVST","slug":"resonate","updatedDate":"2025-06-17T12:31:57.680Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Resonate is the DeFi Yield futures protocol. Resonate splits apart the interest and principal components of a yield-bearing position. Those who hold tokens which may be deposited into yield-bearing systems can receive an instant, upfront payment on the present value of that future yield, in exchange for locking their tokens. An ideal solution for traders who want to receive guaranteed and consistent yield farming rewards for staking tokens or providing liquidity.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - Curve reentrancy vulnerabilities, which are not a valid vector against our system. ","customProhibitedActivities":[],"impacts":[{"id":3470,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns without losing value"},{"id":3471,"type":"smart_contract","severity":"low","title":"Price manipulation via oracle-based attacks that do not result in any loss of value, excluding provider-based attacks such as Chainlink"},{"id":3472,"type":"smart_contract","severity":"low","title":"MEV-based slippage attacks (sandwich bots)"},{"id":3473,"type":"smart_contract","severity":"high","title":"Theft of user funds in O(n) transactional complexity, including the theft of user funds from multiple pools requiring multiple transactions"},{"id":3474,"type":"smart_contract","severity":"high","title":"Temporary freezing of user funds for periods greater than one hour with no escape-hatch available during that period"},{"id":3475,"type":"smart_contract","severity":"high","title":"Price manipulation via oracle-based attacks that results in theft of value, excluding provider-based attacks such as Chainlink"},{"id":3476,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":3477,"type":"websites_and_applications","severity":"high","title":"Takedown of website for periods greater than four 
hours"},{"id":3478,"type":"smart_contract","severity":"medium","title":"Temporary freezing of user funds for periods less than one hour but spanning multiple blocks"},{"id":3479,"type":"smart_contract","severity":"medium","title":"Griefing and/or gas theft"},{"id":3480,"type":"smart_contract","severity":"medium","title":"Admin-based attacks that allow for theft of user-value"},{"id":3481,"type":"smart_contract","severity":"medium","title":"Price manipulation via oracle-based attacks that results in loss of value, excluding provider-based attacks such as Chainlink"},{"id":3482,"type":"smart_contract","severity":"medium","title":"Unintentional release of funds ahead of time"},{"id":3483,"type":"smart_contract","severity":"critical","title":"Theft of user funds in O(1) transactional complexity, including the theft of user funds from multiple pools within the same transaction"},{"id":3484,"type":"smart_contract","severity":"critical","title":"Permanent freezing of user funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":3485,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":3486,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":3487,"type":"websites_and_applications","severity":"critical","title":"Changing the NFT metadata"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet 
interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":3488,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":3489,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through NFT metadata"}],"rewards":[{"id":30859,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":40000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":30860,"severity":"high","assetType":"smart_contract","fixedReward":40000,"rewardModel":"fixed"},{"id":30861,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":30862,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":30863,"severity":"critical","assetType":"websites_and_applications","maxReward":30000,"minReward":15000,"rewardModel":"range","otherImpactMaxReward":15000},{"id":30864,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1Tnjt6e2pnTSWJNon8EyWb","url":"https://etherscan.io/address/0xc14900dFB1Aa54e7674e1eCf9ce02b3b35157ba5","type":"smart_contract","addedAt":"2022-11-30T20:15:25.569Z","revision":2,"description":"vaFrax","isPrimacyOfImpact":null},{"id":"4bVP4r4CfmxViqUZRHQbgc","url":"https://etherscan.io/address/0x0538C8bAc84E95A9dF8aC10Aad17DbE81b9E36ee","type":"smart_contract","addedAt":"2022-11-30T20:16:39.225Z","revision":2,"description":"vaDAI","isPrimacyOfImpact":null},{"id":"7uyXYLVmAS6brL1BJQD30O","url":"https://etherscan.io/address/0xd1C117319B3595fbc39b471AB1fd485629eb05F2","type":"smart_contract","addedAt":"2022-11-30T20:17:09.066Z","revision":2,"description":"vaETH","isPrimacyOfImpact":null},{"id":"5pjnscDcLSW
osrTcNNLUZk","url":"https://etherscan.io/address/0xa8b607Aa09B6A2E306F93e74c282Fb13f6A80452","type":"smart_contract","addedAt":"2022-11-30T20:17:53.917Z","revision":2,"description":"vaUSDC","isPrimacyOfImpact":null},{"id":"1ivxDRRuZ9Mwi7YbbjGXbR","url":"https://etherscan.io/address/0x4Dbe3f01aBe271D3E65432c74851625a8c30Aa7B","type":"smart_contract","addedAt":"2022-11-30T20:19:35.691Z","revision":2,"description":"vastETH","isPrimacyOfImpact":null},{"id":"3ywuIm7Ht64lXmfJNK7mdW","url":"https://etherscan.io/address/0x01e1d41C1159b745298724c5Fd3eAfF3da1C6efD","type":"smart_contract","addedAt":"2022-11-30T20:19:59.408Z","revision":3,"description":"vaWBTC","isPrimacyOfImpact":null},{"id":"Pc0ToiWrUwqtvgbCW70Cz","url":"https://etherscan.io/address/0x650CD45DEdb19c33160Acc522aD1a82D9701036a","type":"smart_contract","addedAt":"2022-11-30T20:21:00.289Z","revision":2,"description":"vacbETH","isPrimacyOfImpact":null},{"id":"6to9QiJ0FeePqcCOU7X9UM","url":"https://etherscan.io/address/0xef4F4604106de23CDadfEAE08fcC34602cB475C1","type":"smart_contract","addedAt":"2022-11-30T20:22:21.923Z","revision":2,"description":"vaLINK","isPrimacyOfImpact":null},{"id":"1j6LGSRQ9hr6wpBgoSsq2C","url":"https://etherscan.io/address/0xDD9F61a85fFE73E41eF889817972f0B0AaE6D6Dd","type":"smart_contract","addedAt":"2022-12-01T02:47:36.186Z","revision":2,"description":"varETH","isPrimacyOfImpact":null},{"id":"3ljHZYKAm3tBLKvz8twOzO","url":"http://App.vesper.finance","type":"websites_and_applications","addedAt":"2022-12-01T02:47:14.035Z","revision":2,"description":"vaMUSD Pool","isPrimacyOfImpact":null},{"id":"7iEjed5mSQa7JFMLBUtc7V","url":"https://optimistic.etherscan.io/address/0xdd63ae655b388Cd782681b7821Be37fdB6d0E78d","type":"smart_contract","addedAt":"2025-06-13T21:13:46.226Z","revision":1,"description":"Optimism 
wSTETH","isPrimacyOfImpact":null},{"id":"bOnsOkGEqXe0r8SyRP7MZ","url":"https://optimistic.etherscan.io/address/0x539505Dde2B9771dEBE0898a84441c5E7fDF6BC0","type":"smart_contract","addedAt":"2025-06-13T21:14:13.342Z","revision":1,"description":"Optimism USDC","isPrimacyOfImpact":null},{"id":"0iG0AtYyJmA4agIo8Cdwv","url":"https://optimistic.etherscan.io/address/0xCcF3d1AcF799bAe67F6e354d685295557cf64761","type":"smart_contract","addedAt":"2025-06-13T21:14:33.785Z","revision":1,"description":"Optimism ETH","isPrimacyOfImpact":null},{"id":"4eE18NIapBzj6QXAVnUrO5","url":"https://optimistic.etherscan.io/address/0x19382707d5a47E74f60053b652Ab34b6e30Febad","type":"smart_contract","addedAt":"2025-06-13T21:14:57.218Z","revision":1,"description":"Optimism OP","isPrimacyOfImpact":null},{"id":"5kwrBOAVmIacqoIq4G6BmN","url":"https://basescan.org//address/0x82562507429876486B60AF4F32390ef0947b3d13","type":"smart_contract","addedAt":"2025-06-13T21:15:16.642Z","revision":1,"description":"Base ETH","isPrimacyOfImpact":null},{"id":"5DUlVpCqPm3smWqalZkNIQ","url":"https://basescan.org//address/0x1e41238aCd3A9fF90b0DCB9ea96Cf45F104e09Ef","type":"smart_contract","addedAt":"2025-06-13T21:15:34.393Z","revision":1,"description":"Base USDC","isPrimacyOfImpact":null},{"id":"72YcuHnwU7mZ7p8WsAJVvQ","url":"https://basescan.org//address/0x3899a6090c5C178dB8A1800DA39daD0D06EeEFBE","type":"smart_contract","addedAt":"2025-06-13T21:15:57.875Z","revision":1,"description":"Base cbETH","isPrimacyOfImpact":null},{"id":"JJDQTyKsmNRmmi3hgf9u7","url":"https://basescan.org//address/0x46fb68Eb2b1Fc43654AbaE5691D39D18D933E4b4","type":"smart_contract","addedAt":"2025-06-13T21:16:59.822Z","revision":1,"description":"Base wstETH","isPrimacyOfImpact":null}],"assetsBodyV2":"All smart contracts of Vesper can be found at [https://github.com/vesperfi/vesper-pools/tree/main/contracts](https://github.com/vesperfi/vesper-pools/tree/main/contracts). 
However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by Vesper that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. If a bug is submitted in an underlying Vesper strategy that results in the loss of user funds (not listed as a Smart Contract above),it may be considered as ‘In Scope’.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Solidity"],"launchDate":"2021-05-06T05:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7dITyStGvxKujlwtjOQEKo/9fdf4fd4b601246ac60030eee6ad4321/Copy_of_vesper.jpeg","maxBounty":50000,"outOfScopeAndRules":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n  - Attacks that the reporter has already exploited themselves, leading to damage\n  - Attacks requiring access to leaked keys/credentials\n  - Attacks requiring access to privileged addresses (governance, strategist)\n\n__Smart Contracts__\n  - Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n  - Basic economic governance attacks (e.g. 
51% attack)\n  - Lack of liquidity\n  - Best practice critiques\n  - Sybil attacks\n  - Centralization risks\n\n__Websites and Apps__\n  - Theoretical vulnerabilities without any proof or demonstration\n  - Attacks requiring physical access to the victim device\n  - Attacks requiring access to the local network of the victim\n  - Reflected plain text injection ex: url parameters, path, etc.\n    - This does not exclude reflected HTML injection with or without javascript\n    - This does not exclude persistent plain text injection\n  - Self-XSS\n  - Captcha bypass using OCR without impact demonstration\n  - CSRF with no state modifying security impact (ex: logout CSRF)\n  - Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n  - Server-side non-confidential information disclosure such as IPs, server names, and most stack traces\n  - Vulnerabilities used only to enumerate or confirm the existence of users or tenants\n  - Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n  - Lack of SSL/TLS best practices\n  - DDoS vulnerabilities\n  - Feature requests\n  - Issues related to the frontend without concrete impact and PoC\n  - Best practices issues without concrete impact and PoC\n  - Vulnerabilities primarily caused by browser/plugin defects\n  - Leakage of non sensitive api keys ex: etherscan, Infura, Alchemy, etc.\n  - Any vulnerability exploit requiring browser bugs for exploitation. ex: CSP bypass\n\nThe following activities are prohibited by this bug bounty program:\n\n  - Any testing with mainnet or public testnet contracts; all testing should be done on private testnets\n  - Any testing with pricing oracles or third party smart contracts\n  - Attempting phishing or other social engineering attacks against our employees and/or customers\n  - Any testing with third party systems and applications (e.g. 
browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n  - Any denial of service attacks\n  - Automated testing of services that generates significant amounts of traffic\n  - Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Yield Aggregator"],"programOverview":"Vesper provides a platform for easy-to-use Decentralized Finance (DeFi) products. Vesper's DeFi products deliver ease-of-use in achieving your crypto-finance objectives. The Vesper token (VSP) is the core economic engine that facilitates the building and expansion of Vesper’s capabilities and its community.\n\nThe Vesper project rests on three pillars:\n\n__Vesper Products:__ At launch, Vesper offers a variety of interest-yielding \"Grow Pools\" that enable users to passively increase their crypto holdings by simply selecting the desired aggressiveness of their strategy and the digital asset held. The Vesper Grow Pools represent the first product on the Vesper platform. More will be developed and presented over time.\n\n__Vesper Token:__ VSP incentivizes participation, facilitates governance, and catalyzes user contribution. 
Users earn VSP through pool participation and, later, participating in Vesper's continuous improvement.\n\n__Vesper Community:__ Vesper is building a user community that sustains and grows the product portfolio, facilitates progressive decentralization, and enables users to build new products while earning a share of that product's fees.\n\nFor more information about Vesper, please visit [https://vesper.finance/](https://vesper.finance/)","programType":["Smart Contract","Websites and Applications"],"project":"Vesper","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nBounty payouts will be dependent on actual risk to the platform.  Total bounty will either be the minimum of the range, or 5% of the total funds that could be lost in the exploit (up to the maximum cap based on the tier severity) - whichever amount is greater.\n\nAll Critical severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. \n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nKnown issues highlighted in the following audit reports are considered out of scope: \n  - [https://github.com/vesperfi/doc/tree/main/audit/v3%2B](https://github.com/vesperfi/doc/tree/main/audit/v3%2B)\n\nPayouts are handled by the __Vesper__ team directly and are denominated in USD. 
However, payouts are done in __USDC__, __DAI__, or __VSP__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, DAI, or VSP","slug":"vesper","tenPercentEconomicRule":true,"updatedDate":"2025-06-16T12:43:27.928Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Vesper provides a platform for easy-to-use Decentralized Finance (DeFi) products. Vesper's DeFi products deliver ease-of-use in achieving your crypto-finance objectives. The Vesper token (VSP) is the core economic engine that facilitates the building and expansion of Vesper’s capabilities and its community.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":386,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds that cannot be fixed by an upgrade"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system 
commands"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":38,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT URI"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":387,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc"},{"id":388,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc"},{"id":389,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc"},{"id":390,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":391,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":392,"type":"smart_contract","severity":"critical","title":"Any governance voting result 
manipulation"},{"id":393,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds that cannot be fixed by an upgrade"},{"id":394,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":395,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc"},{"id":396,"type":"websites_and_applications","severity":"critical","title":"Changing the NFT metadata"},{"id":397,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":398,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through NFT 
metadata"}],"rewards":[{"id":30854,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":30855,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":30856,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":30857,"severity":"high","assetType":"websites_and_applications","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":30858,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"2J91J0Fz7AlXeSylq0C4EL","url":"https://docs.pareto.credit/developers/addresses/product/credit-vaults","type":"smart_contract","addedAt":"2024-12-12T11:36:22.094Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"78BeyyEf1qYkMkTl8yAl4N","url":"https://docs.pareto.credit/developers/addresses/product/usp","type":"smart_contract","addedAt":"2024-12-12T11:36:31.719Z","revision":2,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"Only Senior Best Yield contracts will be considered in scope for the Best Yield. Governance and Utilities and ERC-4626 wrappers contracts are not covered under this bug bounty program. 
**Paused** contracts and contracts marked as **Deprecated**/**Decommissioned** in the docs are not considered in scope","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":null,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-03-25T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/52eX2vYXd4Q7PBZ7WCxhjL/062d7f630b8f0decfd1d4746e0dc96ab/Screenshot_2025-06-03_at_4.20.18_pm.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the\nfollowing types:\n\n**Smart Contracts/Blockchain:**\n\n- Re-entrancy\n- Logic errors\n  - including user authentication errors\n- Solidity/EVM details not considered\n  - including integer over-/under-flow\n  - including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - including composability vulnerabilities\n- Oracle failure/manipulation\n- Novel governance attacks\n- Economic/financial attacks\n  - including flash loan attacks\n- Congestion and scalability\n  - including running out of gas\n  - including block stuffing\n  - including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n  - Signature malleability\n  - Susceptibility to replay attacks\n  - Weak randomness\n  - Weak encryption\n- Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging interfaces","productType":["Yield Aggregator"],"programOverview":"Pareto is a private credit marketplace that connects institutional lenders and borrowers, providing scalable, yield-generating opportunities and bridging institutional 
capital on-chain.\n\nTailored for asset managers, digital asset funds, and other professional investors, Pareto offers seamless access to regulatory-compliant alternative credit products. Its infrastructure emphasizes transparency, automation, and flexibility. Credit Vaults are the core primitive: they eliminate utilization-based inefficiencies, reduce operational overhead, and improve capital efficiency for both lenders and borrowers.\n\nCurrently, the Pareto Credit product suite includes:\n- Credit Vaults: a suite of smart contracts built to simplify on-chain lending and credit position management for borrowers and lenders. They provide the infrastructure for real-world financing, making it more transparent and efficient.\n- USP: a synthetic dollar protocol backed by real-world institutional-grade private credit, alongside a globally accessible savings asset, sUSP.\n\nPayouts are handled by Pareto Credit directly and are denominated in USD; payouts are done in stablecoins.","programType":["Smart Contract"],"project":"Pareto Credit","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System 2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nThe final reward for critical bounty payouts is capped at 10% of the funds at risk based on the vulnerability reported.\n\nPoC is required for all levels.\n\nTheft of yield or interest is considered as Medium but may be considered High depending on the amount of funds at risk.\n\nBest practices critiques are not accepted under this program. 
\n\nThe likelihood of exploitability is also taken into consideration in the\ndetermination of the final payout amount based on the severity of the bug\nreported according to the table below:\n\n| | Medium | High | Critical |\n| :-- | :-- | :-- | :-: |\n| Almost Certain | $5,000 | $20,000 | $50,000 |\n| Likely | $3,000 | $10,000 | $25,000 |\n| Possible | $1,000 | $5,000 | $10,000 |\n| Unlikely | $500 | $1,000 | $5,000 |\n| Almost Possible | $100 | $500 | $1,000 |\n\nPayouts are handled by **Idle Finance** governance directly and are denominated\nin **USD**. Payouts under $10,000 are done in **USDC**. When payouts are over\n$10,000, the first $10,000 is paid in **USDC** and then the rest are paid in\n**IDLE** up to the total of $50,000.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, IDLE","slug":"pareto","tenPercentEconomicRule":false,"updatedDate":"2025-06-03T15:23:16.105Z","impactsBody":"For Credit Vaults, contracts marked in the description as “Queue” should be considered out of scope, while for USP the “Queue” contract is in scope. Paused contracts and contracts marked as Deprecated/Decommissioned in the docs are not considered in scope","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_2","description":"Pareto is a private credit marketplace that connects institutional lenders and borrowers, providing scalable, yield-generating opportunities and bridging institutional capital on-chain.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Freezing of Funds after a borrower defaults\n- Attacks that treat either the manager or the owner as a malicious actor\n- Everything acknowledged on previous audits\n\nOnly Senior Best Yield contracts will be considered in scope for the Best Yield. Governance and Utilities and ERC-4626 wrappers contracts are not covered under this bug bounty program. **Paused** contracts and contracts marked as **Deprecated**/**Decommissioned** in the docs are not considered in scope","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":183,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":184,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV) if can freeze funds or cause protocol insolvency"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":30309,"severity":"critical","assetType":"smart_contract","maxReward":50000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":30310,"severity":"high","assetType":"smart_contract","maxReward":20000,"rewardModel":"up_to"},{"id":30311,"severity":"medium","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"NoWKbHIxUtJSCGdCUgRzQ","url":"https://bscscan.com/address/0x0782b6d8c4551B9760e74c0545a9bCD90bdc41E5","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":3,"description":"lisUSD","isPrimacyOfImpact":null},{"id":"6AtjWV0gbJUOFekDrNrh0b","url":"https://bscscan.com/address/0xB68443Ee3e828baD1526b3e0Bdf2Dfc6b1975ec4","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"INTERACTION","isPrimacyOfImpact":null},{"id":"288nKGjpE20LNRFeYyRDt5","url":"https://bscscan.com/address/0x272d6589cecc19165cfcd0466f73a648cb1ea700","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":4,"description":"AuctionLib","isPrimacyOfImpact":null},{"id":"3Rny8srkhmvm4MwFT1HZOB","url":"https://bscscan.com/address/0x563282106A5B0538f8673c787B3A16D3Cc1DbF1a","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"CeToken(ceABNBc)","isPrimacyOfImpact":null},{"id":"pxiksigpq717zaUA8UXBj","url":"https://bscscan.com/address/0x4b30fcAA7945fE9fDEFD2895aae539ba102Ed6F6","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":3,"description":"clisBNB","isPrimacyOfImpact":null},{"id":"U4jRXxH9i34j0WrGq8lp9","url":"https://bscscan.com/address/0x25b21472c073095bebC681001Cbf165f849eEe5E","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"CeVault","isPrimacyOfImpact":null},{"id":"43SbxAURaIgtA4Lr6qKLQR","url":"https://bscscan.com/address/0xA186D2363E5048D129E0a35E2fddDe767d4dada8","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description
":"CerosRouter","isPrimacyOfImpact":null},{"id":"6WHzzzCaI0YeqXV87Npt5j","url":"https://bscscan.com/address/0xa835F890Fcde7679e7F7711aBfd515d2A267Ed0B","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"HelioProvider","isPrimacyOfImpact":null},{"id":"4MlnjBnFkcfrpKbNGUd3pu","url":"https://bscscan.com/address/0x33A34eAB3ee892D40420507B820347b1cA2201c4","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":3,"description":"VAT","isPrimacyOfImpact":null},{"id":"4uNQI92oEzp8eLMSCL1RYI","url":"https://bscscan.com/address/0x49bc2c4E5B035341b7d92Da4e6B267F7426F3038","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"SPOT","isPrimacyOfImpact":null},{"id":"KNqtMJuQwb3fmO74ZaQHE","url":"https://bscscan.com/address/0x4C798F81de7736620Cd8e6510158b1fE758e22F7","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"HayJoin","isPrimacyOfImpact":null},{"id":"3rJWhtKBalMkmX6A3xyJxQ","url":"https://bscscan.com/address/0x787BdEaa29A253e40feB35026c3d05C18CbCA7B3","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"JUG","isPrimacyOfImpact":null},{"id":"3MmcnLzHjs0kymzaXMR3OK","url":"https://bscscan.com/address/0xd57E7b53a1572d27A04d9c1De2c4D423f1926d0B","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"DOG","isPrimacyOfImpact":null},{"id":"4PueANhoU2xQSW3BfHNooT","url":"https://bscscan.com/address/0xc1359eD77E6B0CBF9a8130a4C28FBbB87B9501b7","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"ABACI","isPrimacyOfImpact":null},{"id":"6vyowfQAOPcBWIRcAueaEw","url":"https://bscscan.com/address/0xfA14F330711A2774eC438856BBCf2c9013c2a6a4","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"BNBJoin","isPrimacyOfImpact":null},{"id":"4GfjM75h3th76qWjn2nb8H","url":"https://bscscan.com/address/0x2dcFb02CE33955b6Cc0aF34033189D
E3ac4C0292","type":"smart_contract","addedAt":"2022-06-16T16:30:00.000Z","revision":2,"description":"ClipCE","isPrimacyOfImpact":null},{"id":"17mkHxTIqNtFQBLwv82W1j","url":"https://bscscan.com/address/0x0a1Fd12F73432928C190CAF0810b3B767A59717e","type":"smart_contract","addedAt":"2024-02-07T15:25:43.800Z","revision":1,"description":"JAR","isPrimacyOfImpact":null},{"id":"5eL5IRbpPuhwnhf6n8GDmO","url":"https://bscscan.com/address/0x2078A1969Ea581D618FDBEa2C0Dc13Fc15CB9fa7","type":"smart_contract","addedAt":"2024-02-07T15:25:40.788Z","revision":1,"description":"VOW","isPrimacyOfImpact":null},{"id":"6xKQ1Lgs6L5VG83iBQH21m","url":"https://bscscan.com/address/0xf81748d12171De989A5Bbf2d76bf10BFbBaEC596","type":"smart_contract","addedAt":"2024-02-07T15:25:38.513Z","revision":1,"description":"BnbOracle","isPrimacyOfImpact":null},{"id":"5OlFgpu2z70Qt6JWeDiM0S","url":"https://bscscan.com/address/0x6c813d1d114d0cabf3f82f9e910bc29fe7f96451","type":"smart_contract","addedAt":"2024-02-07T15:25:36.279Z","revision":1,"description":"cewBETH","isPrimacyOfImpact":null},{"id":"5IyLY0YDQOhUsPw7cRr7Sn","url":"https://bscscan.com/address/0xA230805C28121cc97B348f8209c79BEBEa3839C0","type":"smart_contract","addedAt":"2024-02-07T15:25:33.896Z","revision":1,"description":"CeETHVault","isPrimacyOfImpact":null},{"id":"1hsC0iQDJCKvhZAwClwPtA","url":"https://bscscan.com/address/0x0326c157bfF399e25dd684613aEF26DBb40D3BA4","type":"smart_contract","addedAt":"2024-02-07T15:25:31.636Z","revision":2,"description":"HelioETHProvider","isPrimacyOfImpact":null},{"id":"482gcB21jsx9TG99A3TgAi","url":"https://bscscan.com/address/0xA0cD5EAfa37EBA1d04Fb003512f962f2f73C3e86","type":"smart_contract","addedAt":"2024-02-07T15:25:29.085Z","revision":1,"description":"CerosETHRouter","isPrimacyOfImpact":null},{"id":"1kvOBjHd0hHMild9MU44WF","url":"https://bscscan.com/address/0x5aEfa6309e8Da3eaBd32745aD5B2c9C1EBE54bef","type":"smart_contract","addedAt":"2024-02-07T15:25:27.063Z","revision":1,"description":"GemJoin(ethJoin
)","isPrimacyOfImpact":null},{"id":"4rhsGABY7ZDTw6WecfxtEm","url":"https://bscscan.com/address/0xdF9cf824D1822Ab61aFAf5c97353682F6df0a8d5","type":"smart_contract","addedAt":"2024-02-07T15:25:24.410Z","revision":1,"description":"Clipper(clipEthCE)","isPrimacyOfImpact":null},{"id":"5btIaB6nvLAxdGtfYQtMtd","url":"https://bscscan.com/address/0x9945e33be177b5fccb90710fee59c548cac8acba","type":"smart_contract","addedAt":"2024-02-07T15:25:21.413Z","revision":1,"description":"EthOracle","isPrimacyOfImpact":null},{"id":"4TM43QRi7RGU0tr1tA50sX","url":"https://bscscan.com/address/0xB0b84D294e0C75A6abe60171b70edEb2EFd14A1B","type":"smart_contract","addedAt":"2024-02-07T15:25:18.956Z","revision":1,"description":"slisBNB","isPrimacyOfImpact":null},{"id":"5ndUzX7umsqckUr6F3ZAul","url":"https://bscscan.com/address/0x1adB950d8bB3dA4bE104211D5AB038628e477fE6","type":"smart_contract","addedAt":"2024-02-07T15:25:17.294Z","revision":1,"description":"ListaStakeManger","isPrimacyOfImpact":null},{"id":"5yZJLoujHw4MvePrbQrcGZ","url":"https://bscscan.com/address/0xb0af7db079f599255b1e43ef83e8ce16e88fd174","type":"smart_contract","addedAt":"2024-02-22T13:49:07.094Z","revision":1,"description":"ceankrBNB","isPrimacyOfImpact":null},{"id":"1Jx80zrpZx0Qp2XECW8OdN","url":"https://bscscan.com/address/0x986b40c2618ff295a49ac442c5ec40febb26cc54#code","type":"smart_contract","addedAt":"2024-02-22T13:49:45.412Z","revision":1,"description":"Master 
Vault","isPrimacyOfImpact":null},{"id":"KUhl0GnxWz3rn6oZJjepb","url":"https://bscscan.com/address/0x00d8697d73216278de8f97bbeae6ca90cf0a5cb0","type":"smart_contract","addedAt":"2024-02-22T13:50:07.108Z","revision":1,"description":"CerosYiledConverterStrategy","isPrimacyOfImpact":null},{"id":"4lyeKCtfCdZOWQevCyrsro","url":"https://bscscan.com/address/0x98cb81d921b8f5020983a46e96595471ad4e60be","type":"smart_contract","addedAt":"2024-02-22T13:50:33.663Z","revision":1,"description":"stkBNBStrategy","isPrimacyOfImpact":null},{"id":"WLmHm4WndrMIpfbTDqusf","url":"https://bscscan.com/address/0x6f28fec449dbd2056b76ac666350af8773e03873","type":"smart_contract","addedAt":"2024-02-22T13:51:38.789Z","revision":1,"description":"snBNBStrategy","isPrimacyOfImpact":null},{"id":"4xfTlKNTb6zSAVuSur70MA","url":"https://bscscan.com/address/0x6ae7073d801a74ee753f19323df320c8f5fe2dbc","type":"smart_contract","addedAt":"2024-02-22T13:52:08.437Z","revision":1,"description":"bnbYieldConverterStrategy","isPrimacyOfImpact":null},{"id":"3BNGgJ8eyRB9AkwNH48Aib","url":"https://bscscan.com/token/0x620e897d529EfECa41E57d0344eBB24f75864D1E","type":"smart_contract","addedAt":"2024-02-22T13:52:28.154Z","revision":2,"description":"clisETH","isPrimacyOfImpact":null},{"id":"2kHWf0YBbsntukEsFLMqgu","url":"https://bscscan.com/address/0x91e49983598685dd5acac90ceb4061a772f6e5ae","type":"smart_contract","addedAt":"2024-02-22T13:52:45.955Z","revision":2,"description":"Gemjoin(slisBNB)","isPrimacyOfImpact":null},{"id":"1qlNAOfgwrDFlvGIwjEmYg","url":"https://bscscan.com/address/0xba92899ea8bebb717cfc60507251acbb79a3b959","type":"smart_contract","addedAt":"2024-02-22T13:53:05.167Z","revision":2,"description":"clipCE(slisBNB)","isPrimacyOfImpact":null},{"id":"libLeair7iqv9eJBaBZ2T","url":"https://bscscan.com/address/0x8ecf78fb59e5a4c26cb218d34db29c4696af89f6","type":"smart_contract","addedAt":"2024-02-22T13:53:27.862Z","revision":3,"description":"Oracle(slisBNB)","isPrimacyOfImpact":null},{"id":"i1jaolB9hz4IKNXm7
3wVr","url":"https://bscscan.com/address/0xf45c3b619ee86f653805e007fe211b7e930e0b3b","type":"smart_contract","addedAt":"2024-02-22T13:53:44.973Z","revision":1,"description":"Gemjoin(wBETH)","isPrimacyOfImpact":null},{"id":"5lpMMeLbjpTMna9O5dalQx","url":"https://bscscan.com/address/0x96b64bfcdbe658f2792322ac7a9d2dc215eba48f","type":"smart_contract","addedAt":"2024-02-22T13:54:04.654Z","revision":1,"description":"clipCE(wBETH)","isPrimacyOfImpact":null},{"id":"3ZcReSDtMzVpYaNTxnsNzq","url":"https://bscscan.com/address/0x25787055964a8d2a0de4387d6ec9ebc0dc139dd5","type":"smart_contract","addedAt":"2024-02-22T13:54:22.286Z","revision":1,"description":"Oracle(wBETH)","isPrimacyOfImpact":null},{"id":"2KaOnAHVMlLDezanA82jHX","url":"https://bscscan.com/address/0xad9eAAe95617c39019aCC42301a1dCa4ea5b6f65","type":"smart_contract","addedAt":"2024-05-22T18:57:38.584Z","revision":1,"description":"Gemjoin(BTCB)","isPrimacyOfImpact":null},{"id":"5X3sjAHmOHPrDO2JdiK8AI","url":"https://bscscan.com/address/0xb12fF6FD1885a9Cb2b26302c98092644604B1e92","type":"smart_contract","addedAt":"2024-05-22T18:57:53.790Z","revision":1,"description":"clipCE(BTCB)","isPrimacyOfImpact":null},{"id":"6wx7vP7q2NFVhyjVqLll8o","url":"https://bscscan.com/address/0x2eeDc4723b1ED2f24afCD9c0e3665061bD2D5642","type":"smart_contract","addedAt":"2024-05-22T18:59:02.103Z","revision":1,"description":"Oracle(BTCB)","isPrimacyOfImpact":null},{"id":"1UUbGsb4JlSgMxqayx36ZQ","url":"https://bscscan.com/address/0xd7E33948e2a43e7C1ec2F19937bf5bf8BbF9BaE8","type":"smart_contract","addedAt":"2024-05-22T18:59:19.252Z","revision":1,"description":"Gemjoin(ezETH)","isPrimacyOfImpact":null},{"id":"1l5MuMkI3jucxm7RyLm790","url":"https://bscscan.com/address/0x5784e62b4495c7Cc4B09CcD3f206Cc7128449CE0","type":"smart_contract","addedAt":"2024-05-22T18:59:34.689Z","revision":1,"description":"clipCE(ezETH)","isPrimacyOfImpact":null},{"id":"3vGAlL9vSpEeOcY5w127BD","url":"https://bscscan.com/address/0xE859f3f6EE5532313C33A02283150E201290F
45F","type":"smart_contract","addedAt":"2024-05-22T18:59:50.695Z","revision":1,"description":"Oracle(ezETH)","isPrimacyOfImpact":null},{"id":"23KE1bQnpsGggdac9xEWg1","url":"https://bscscan.com/address/0x2367f2Da6fd39De6944218CC9EC706BCdc9a6918","type":"smart_contract","addedAt":"2024-05-22T19:00:07.114Z","revision":1,"description":"Gemjoin(weETH)","isPrimacyOfImpact":null},{"id":"54U6Dke5hzFq6IKco3ccOO","url":"https://bscscan.com/address/0xF21B35EdF7A927799b80F09C395C460C3d31D057","type":"smart_contract","addedAt":"2024-05-22T19:00:24.094Z","revision":1,"description":"clipCE(weETH)","isPrimacyOfImpact":null},{"id":"4EoGODUnmrIuSnrSDoBJbm","url":"https://bscscan.com/address/0xE514851E324B54f152F7D9631ACe1A0a87248b46","type":"smart_contract","addedAt":"2024-05-22T19:00:40.949Z","revision":1,"description":"Oracle(weETH)","isPrimacyOfImpact":null},{"id":"a8zRXVG4mOxcm437HMJ60","url":"https://bscscan.com/address/0x876cd9a380Ee7712129b52f8293F6f06056c3104","type":"smart_contract","addedAt":"2024-05-22T19:00:58.596Z","revision":1,"description":"Gemjoin(STONE)","isPrimacyOfImpact":null},{"id":"4rtqEJ147E1G66H2DYlqkC","url":"https://bscscan.com/address/0x5AaBBBe154C0AFA072e313d46b29592936493b26","type":"smart_contract","addedAt":"2024-05-22T19:01:17.366Z","revision":1,"description":"clipCE(STONE)","isPrimacyOfImpact":null},{"id":"1BvImTBI46Bk1sARAVy886","url":"https://bscscan.com/address/0xDF5A8e190CF63D74a4Ec743253fA26D4C7539Be8","type":"smart_contract","addedAt":"2024-05-22T19:01:32.558Z","revision":1,"description":"Oracle(STONE)","isPrimacyOfImpact":null},{"id":"2JcCgHQjdyMW31pifMDRs2","url":"https://bscscan.com/address/0xA94AA72e033b39AD7CD448f38Bc1eda5B52f7079","type":"smart_contract","addedAt":"2024-07-26T06:35:25.921Z","revision":1,"description":"Gemjoin(solvBTC)","isPrimacyOfImpact":null},{"id":"2ERUPCxVLEz4jIAmGWEJwJ","url":"https://bscscan.com/address/0xf920018fc69515102b915a543DFEfbC837c3F9e6","type":"smart_contract","addedAt":"2024-07-26T06:36:06.652Z","revision"
:1,"description":"clipCE(solvBTC)","isPrimacyOfImpact":null},{"id":"1e2KxNWoGFzq41NkTERwGt","url":"https://bscscan.com/address/0xb7A753f3776282976c1f2b0bcB2fF0d13d48Af85","type":"smart_contract","addedAt":"2024-07-26T06:36:38.622Z","revision":1,"description":"Oracle(solvBTC)","isPrimacyOfImpact":null},{"id":"3c4QM8gakQ12SpOjkHhYB9","url":"https://bscscan.com/address/0x157c9a692ee99C39272856055957083a928cE299","type":"smart_contract","addedAt":"2024-07-26T06:37:12.084Z","revision":1,"description":"Gemjoin(BBTC)","isPrimacyOfImpact":null},{"id":"78tQxuVegiTPrAGwi8wpTM","url":"https://bscscan.com/address/0x4192fF5f1feFCcBC446702117A48Ac25Fd1723B3","type":"smart_contract","addedAt":"2024-07-26T06:37:29.446Z","revision":1,"description":"clipCE(BBTC)","isPrimacyOfImpact":null},{"id":"72gMzYAXFf8iIXvogPOtOL","url":"https://bscscan.com/address/0x2Ea16e082cA50eB6017BBFCB967CC7c6E2b8fB5A","type":"smart_contract","addedAt":"2024-07-26T06:38:02.098Z","revision":1,"description":"Oracle(BBTC)","isPrimacyOfImpact":null},{"id":"3cZFqqXZHEG9UyitEA09Rc","url":"https://bscscan.com/address/0xf3afD82A4071f272F403dC176916141f44E6c750","type":"smart_contract","addedAt":"2024-07-26T06:38:30.687Z","revision":1,"description":"ResilientOracle","isPrimacyOfImpact":null},{"id":"5PGxjSbgMNldecvz4HrWqm","url":"https://bscscan.com/address/0x837CB07f6B8a98731856092457524FF37b25E7B3","type":"smart_contract","addedAt":"2024-07-26T06:39:33.951Z","revision":2,"description":"ListaOFTAdapter","isPrimacyOfImpact":null},{"id":"2FsLrcegXlGqwTRG4xRnSG","url":"https://etherscan.io/address/0xf9B24C9364457Ea85792179D285855753549eBAa","type":"smart_contract","addedAt":"2024-07-26T06:40:47.940Z","revision":2,"description":"ListaOFT(Ethereum)","isPrimacyOfImpact":null},{"id":"5b7wngblCkRUZfWfVQp8wI","url":"https://bscscan.com/address/0x9bA88e6b20041750Fd4e6271fEa455F5D44063Cb","type":"smart_contract","addedAt":"2024-09-09T08:09:49.726Z","revision":1,"description":"FlashBuy","isPrimacyOfImpact":null},{"id":"3Bfo8G8
qFcwOem9wKbS3xm","url":"https://bscscan.com/address/0x9bA88e6b20041750Fd4e6271fEa455F5D44063Cb","type":"smart_contract","addedAt":"2024-10-15T04:52:52.910Z","revision":1,"description":"FlashBuy","isPrimacyOfImpact":null},{"id":"6VDgVVlLW1kgJiltFPwlJb","url":"https://bscscan.com/address/0xe8f4644637f127aFf11F9492F41269eB5e8b8dD2","type":"smart_contract","addedAt":"2024-10-15T04:53:08.150Z","revision":1,"description":"ERC20Distributor (Pancake Stable pool lisUSD/USDT)","isPrimacyOfImpact":null},{"id":"172UC4v936UfVa67A1s4MO","url":"https://bscscan.com/address/0xFf5ed1E64aCA62c822B178FFa5C36B40c112Eb00","type":"smart_contract","addedAt":"2024-10-15T04:53:17.016Z","revision":2,"description":"ERC20Distributor (Thena slisBNB/BNB correlated)","isPrimacyOfImpact":null},{"id":"45g0ZWRX56WUwml3ANaaTN","url":"https://bscscan.com/address/0x1Cf9c6D475CdcA67942d41B0a34BD9cB9D336C4d","type":"smart_contract","addedAt":"2024-10-15T04:53:27.857Z","revision":2,"description":"ERC20Distributor (Thena lisUSD/FRAX stable)","isPrimacyOfImpact":null},{"id":"1nNP0GHVfNpkZy1Y4MfZLY","url":"https://bscscan.com/address/0xC23d348f9cC86dDB059ec798e87E7F76FBC077C1","type":"smart_contract","addedAt":"2024-10-15T04:53:35.786Z","revision":2,"description":"ERC20Distributor (Thena lisUSD/USDT cl stable)","isPrimacyOfImpact":null},{"id":"1sypTXiZNf1WbGg63f8ptd","url":"https://bscscan.com/address/0x9B4FcbC3a01378B85d81DEFbaf9359155718be4a","type":"smart_contract","addedAt":"2024-10-15T04:53:42.934Z","revision":2,"description":"ERC20Distributor (Thena lisUSD/frxETH norrow)","isPrimacyOfImpact":null},{"id":"3B1J5uk3Gn2P2s8Jc5MO3Q","url":"https://bscscan.com/address/0x11bf1122871e13c13466681022C74B496B59147a","type":"smart_contract","addedAt":"2024-10-15T04:53:50.231Z","revision":2,"description":"ERC20Distributor (Thena lisUSD/frxETH 
wide)","isPrimacyOfImpact":null},{"id":"6tsV3sLdlsf6wutG7FXuWb","url":"https://bscscan.com/address/0x39D099F6A78c7Cef7a527f55c921E7e1EE39716a","type":"smart_contract","addedAt":"2024-10-15T04:53:58.529Z","revision":2,"description":"ERC20Distributor (Thena lisUSD/BNB norrow)","isPrimacyOfImpact":null},{"id":"2djVVCpucIwP9AsspiRkxz","url":"https://bscscan.com/address/0x9f6C251C3122207Adf561714C1171534B569eFf4","type":"smart_contract","addedAt":"2024-10-15T04:54:05.305Z","revision":2,"description":"ERC20Distributor (Thena lisUSD/BNB wide)","isPrimacyOfImpact":null},{"id":"6kBxt2vmDM1mz9JB0Lhy0c","url":"https://bscscan.com/address/0xF6aB5cfdB46357f37b0190b793fB199D62Dcf504","type":"smart_contract","addedAt":"2024-10-15T04:54:16.636Z","revision":2,"description":"ERC20Distributor (Thena lisUSD/BNB ichi)","isPrimacyOfImpact":null},{"id":"2wc4qLjKvOpF0Df1OMeIuW","url":"https://bscscan.com/address/0x4b2D67Bf25245783Fc4C33a48962775437F9159c","type":"smart_contract","addedAt":"2024-10-15T04:54:24.171Z","revision":2,"description":"ERC20Distributor (Thena LISTA/USDT 
norrow)","isPrimacyOfImpact":null},{"id":"1IX0x974E8e6dTTFs0x8t9","url":"https://bscscan.com/address/0xE31f0BcE1F825A8e27f2Cc30B54af19DA2978f10","type":"smart_contract","addedAt":"2024-10-15T04:54:32.285Z","revision":2,"description":"PancakeStaking","isPrimacyOfImpact":null},{"id":"4GlBwhfEkZV5jIFWLfsjqC","url":"https://bscscan.com/address/0xFA5B482882F9e025facCcE558c2F72c6c50AC719","type":"smart_contract","addedAt":"2024-10-15T04:54:48.309Z","revision":2,"description":"ThenaStaking","isPrimacyOfImpact":null},{"id":"15IrWMLw2cpIoEa8wDaqP6","url":"https://bscscan.com/address/0x62DfeC5C9518fE2e0ba483833d1BAD94ecF68153","type":"smart_contract","addedAt":"2024-10-15T04:54:57.154Z","revision":2,"description":"PancakeVault","isPrimacyOfImpact":null},{"id":"7AzOql22miN4qai4UciaMn","url":"https://bscscan.com/address/0xF40D0d497966fe198765877484FFf08c2D2004ad","type":"smart_contract","addedAt":"2024-10-15T04:55:05.678Z","revision":2,"description":"ThenaVault","isPrimacyOfImpact":null},{"id":"59CCVEdsKWsGxUUDMEKA30","url":"https://bscscan.com/address/0x5A0E3291514F5F1797A0C7eFefdac81eeC70ec01","type":"smart_contract","addedAt":"2024-10-15T04:55:13.679Z","revision":2,"description":"lpProxy","isPrimacyOfImpact":null},{"id":"6jRGjTZl54lHGIW5841McQ","url":"https://bscscan.com/address/0xfc136f286805a7922d9bf04317068964b231336c#code","type":"smart_contract","addedAt":"2024-10-30T04:16:48.672Z","revision":1,"description":"Emission 
Voting","isPrimacyOfImpact":null},{"id":"1DU66mkrUQ9Ivj1gyz8VKR","url":"https://bscscan.com/address/0x9a0530A81c83D3b0daE720BF91C9254FECC3BF5E","type":"smart_contract","addedAt":"2024-11-13T17:47:10.967Z","revision":1,"description":"VeListaAutoCompounder","isPrimacyOfImpact":null},{"id":"6Z01NF42prNlYZkfpMTple","url":"https://bscscan.com/address/0x03DB750d6212C6a0BCa9258E8cB7cf46dfD63067","type":"smart_contract","addedAt":"2024-11-13T17:47:35.416Z","revision":1,"description":"Gemjoin(SolvBTC.BBN)","isPrimacyOfImpact":null},{"id":"1PS7JXCSx81X0eeWjEM3Xz","url":"https://bscscan.com/address/0xEB995ff652da728E7B0EBC31Ab543c39e054b1eA","type":"smart_contract","addedAt":"2024-11-13T17:47:58.735Z","revision":1,"description":"clipCE(SolvBTC.BBN)","isPrimacyOfImpact":null},{"id":"2zjWJvlER9DEOiRxkrrhGp","url":"https://bscscan.com/address/0x0AD764098FF68b100d0976a8BCF2294B67669cAa","type":"smart_contract","addedAt":"2024-11-13T17:48:17.810Z","revision":1,"description":"Oracle(SolvBTC.BBN)","isPrimacyOfImpact":null},{"id":"4jQ287hbylSmdV8DoLntJf","url":"https://bscscan.com/address/0xfD31e1C5e5571f8E7FE318f80888C1e6da97819b","type":"smart_contract","addedAt":"2024-12-04T05:50:25.801Z","revision":1,"description":"slisBNBProvider","isPrimacyOfImpact":null},{"id":"47UcwW7pM0gHN0luNDyvaU","url":"https://bscscan.com/address/0xaa57F36DD5Ef2aC471863ec46277f976f272eC0c","type":"smart_contract","addedAt":"2024-12-04T05:50:54.686Z","revision":1,"description":"PSM(USDT)","isPrimacyOfImpact":null},{"id":"3SEhtwiVHRNIXrcnjk5l8O","url":"https://bscscan.com/address/0x5763DDeB60c82684F3D0098aEa5076C0Da972ec7","type":"smart_contract","addedAt":"2024-12-04T05:51:15.082Z","revision":1,"description":"VaultManager(USDT)","isPrimacyOfImpact":null},{"id":"3kxYj3sVXvbaRz9iRjlRiD","url":"https://bscscan.com/address/0xf76D9cFD08dF91491680313B1A5b44307129CDa9","type":"smart_contract","addedAt":"2024-12-04T05:51:34.974Z","revision":1,"description":"VenusAdapter(USDT)","isPrimacyOfImpact":null},{"id":"5vdk
jozbrVD68AnFREvbl3","url":"https://bscscan.com/address/0x37DB1AE9B24055D1F9fE973Aea40B7EB2995D0Bf","type":"smart_contract","addedAt":"2024-12-04T05:51:53.397Z","revision":1,"description":"LisUSDPoolSet","isPrimacyOfImpact":null},{"id":"2f0TIE3ctfkZ1FiaDTkIqW","url":"https://bscscan.com/address/0x66dE07893Db7492B56bA88503B4cC99bAb1796F3","type":"smart_contract","addedAt":"2024-12-04T05:52:10.112Z","revision":1,"description":"EarnPool","isPrimacyOfImpact":null},{"id":"MnWXIuBKyv89HH5GNmep7","url":"https://bscscan.com/address/0xf2fA32498305E6595e3D54Dc41674d0FcA207026","type":"smart_contract","addedAt":"2024-12-04T05:52:26.197Z","revision":1,"description":"StakeLisUSDListaDistributor(USDT)","isPrimacyOfImpact":null},{"id":"6GHk9Y1GVNZMlq5QILdNkI","url":"https://bscscan.com/address/0x98b167359566c1ea05335D52794C7Eb6f8E6739a","type":"smart_contract","addedAt":"2024-12-10T18:21:14.524Z","revision":1,"description":"GemJoin(sUSDX)","isPrimacyOfImpact":null},{"id":"1aXNggLEPgCuwT2405rw4e","url":"https://bscscan.com/address/0xAf71337d151408401cC3A971e0a05C6D2790e08e","type":"smart_contract","addedAt":"2024-12-10T18:21:43.581Z","revision":1,"description":"Clipper(sUSDX)","isPrimacyOfImpact":null},{"id":"1mWMF89hhop16LSURn3Uwt","url":"https://bscscan.com/address/0xF19dc2B8AcD55aa4e80583DE3943260FA3a26A72","type":"smart_contract","addedAt":"2024-12-10T18:21:59.905Z","revision":1,"description":"Oracle(sUSDX)","isPrimacyOfImpact":null},{"id":"2MBuRwrjIZPdIA5TdXuJ3p","url":"https://bscscan.com/address/0x56627826504E2CbDd7213e38089c2a4E6327204C","type":"smart_contract","addedAt":"2024-12-10T18:22:16.105Z","revision":1,"description":"CollateralListaDistributor(sUSDX)","isPrimacyOfImpact":null},{"id":"7m3EXuGLTPiGkE01vFIKmH","url":"https://bscscan.com/address/0x05AC03faeB31c8102A29Dc1Fa4365Dc9e18A4c9C","type":"smart_contract","addedAt":"2024-12-16T08:10:51.948Z","revision":1,"description":"VotingIncentive","isPrimacyOfImpact":null},{"id":"4T5EsmDCZDVCAUlRgqPNcE","url":"https://bscscan
.com/address/0x88a596F8c8290F96d5742ae0905F912dd5291c27","type":"smart_contract","addedAt":"2025-02-14T10:07:45.223Z","revision":1,"description":"clismBTC","isPrimacyOfImpact":null},{"id":"6GV6YqhRPmSBxTbPgbSQ1m","url":"https://bscscan.com/address/0x4510aa2b3efd13bBFD78C9BfdE764F224ecc7f50","type":"smart_contract","addedAt":"2025-02-14T10:08:01.639Z","revision":1,"description":"cemBTC","isPrimacyOfImpact":null},{"id":"2qnLb0eaR6infbKYrrUfVH","url":"https://bscscan.com/address/0x8A016f1896dC2939fFDbB60f6E42bCc245e2bB0b","type":"smart_contract","addedAt":"2025-02-14T10:08:17.667Z","revision":1,"description":"mBTCProvider","isPrimacyOfImpact":null},{"id":"3vzgo2Pp7x8pKLsuk2O4Oy","url":"https://bscscan.com/address/0x3F3e0A03A9E123e5861044d436862dFA1468CC10","type":"smart_contract","addedAt":"2025-02-14T10:08:34.473Z","revision":1,"description":"GemJoin(cemBTC)","isPrimacyOfImpact":null},{"id":"1R1v8kIyCTt3yqxOodCK8w","url":"https://bscscan.com/address/0x334e4F80cC2985D0F8196Cc562DD8aedDdA1b704","type":"smart_contract","addedAt":"2025-02-14T10:08:50.172Z","revision":1,"description":"Clipper(cemBTC)","isPrimacyOfImpact":null},{"id":"78fJglajJKZEDL5tcgcYEX","url":"https://bscscan.com/address/0x31D558b899461D6Ea498C3c1664a150a19b87AAF","type":"smart_contract","addedAt":"2025-02-14T10:09:10.769Z","revision":1,"description":"Oracle(cemBTC)","isPrimacyOfImpact":null},{"id":"2lnvX48lc0NkShKD9beyYK","url":"https://bscscan.com/address/0x605356cc9f725e6744A51E78CD49E6029DcC4404","type":"smart_contract","addedAt":"2025-02-14T10:09:26.971Z","revision":1,"description":"GemJoin(mCake)","isPrimacyOfImpact":null},{"id":"323MTpkvuhIIYNME0E8KBn","url":"https://bscscan.com/address/0xf57a8cF44104EA0dfbE286781BD1f51533a659F3","type":"smart_contract","addedAt":"2025-02-14T10:09:45.201Z","revision":1,"description":"Clipper(mCake)","isPrimacyOfImpact":null},{"id":"1b0dAH9XjQdf0iUGfiYGHR","url":"https://bscscan.com/address/0x01b39E969A76D2F7c9a8a81EcD1B2F7116b44E23","type":"smart_contract","adde
dAt":"2025-02-14T10:10:04.975Z","revision":1,"description":"Oracle(mCake)","isPrimacyOfImpact":null},{"id":"7zxqKFu5cuMYSXjpkQJ3BX","url":"https://bscscan.com/address/0x3cd434f0A58018B87eF1D2436cb710ca46F0fC43","type":"smart_contract","addedAt":"2025-02-14T10:11:12.941Z","revision":1,"description":"GemJoin(mwBETH)","isPrimacyOfImpact":null},{"id":"6OaGo2WZrLbl4SGcx2z9xm","url":"https://bscscan.com/address/0xc4857c08295cB9270fEB0a87Fd60b3BFD459a998","type":"smart_contract","addedAt":"2025-02-14T10:11:28.472Z","revision":1,"description":"Clipper(mwBETH)","isPrimacyOfImpact":null},{"id":"6HFAvsURVnrPsc1CgcxP4C","url":"https://bscscan.com/address/0xAa4912633e4e2F65604Fe7f6A6bA9Eb5EF6D50d0","type":"smart_contract","addedAt":"2025-02-14T10:11:45.322Z","revision":1,"description":"Oracle(mwBETH)","isPrimacyOfImpact":null},{"id":"2m3ginVBhL1bghf7G83cXw","url":"https://bscscan.com/address/0x982d1DB2D643Ff4f497D5A4F566A565376eCF70C","type":"smart_contract","addedAt":"2025-02-14T10:12:01.807Z","revision":1,"description":"BorrowListaDistributor(cemBTC)","isPrimacyOfImpact":null},{"id":"5Tz7qQwSNTzX9APiJF6Z3N","url":"https://bscscan.com/address/0xa3BCE2dEf1823A551A407b14572C54D2aDB0Fd45","type":"smart_contract","addedAt":"2025-02-14T10:12:18.720Z","revision":1,"description":"BorrowListaDistributor(mCake)","isPrimacyOfImpact":null},{"id":"5lQjKULnpKZvl4a7l2yDqD","url":"https://bscscan.com/address/0xF8d1D8a862eA77Bf4f826BF6612bFf0d0883eafa","type":"smart_contract","addedAt":"2025-02-14T10:12:36.270Z","revision":1,"description":"BorrowListaDistributor(mwBETH)","isPrimacyOfImpact":null},{"id":"45Cf2jePiMUr99XfF38DEh","url":"https://bscscan.com/address/0xE61f4386608578199471747E4654Ae450adEE39A","type":"smart_contract","addedAt":"2025-02-14T10:12:55.297Z","revision":1,"description":"CollateralListaDistributor(cemBTC)","isPrimacyOfImpact":null},{"id":"7tayxfGwX7ym2jwpxVbjqL","url":"https://bscscan.com/address/0xB1da312097C7CBf9b49ef9d29D21a0646d9A5aF4","type":"smart_contract","addedAt"
:"2025-02-14T10:13:10.889Z","revision":1,"description":"CollateralListaDistributor(mCake)","isPrimacyOfImpact":null},{"id":"3dcRXFnSXoc1FrRK35twGX","url":"https://bscscan.com/address/0xE786eC5b4838410C24e5C1c75633d7C59705d6be","type":"smart_contract","addedAt":"2025-02-14T10:13:25.821Z","revision":1,"description":"CollateralListaDistributor(mwBETH)","isPrimacyOfImpact":null},{"id":"66cLC8zg869K37GRhV1qdB","url":"https://bscscan.com/address/0xE4153Eb04417bE05b8d6B2222E4Cdd8AE674ee76","type":"smart_contract","addedAt":"2025-02-14T10:13:40.151Z","revision":1,"description":"VeListaRevenueDistributor","isPrimacyOfImpact":null},{"id":"3hjZXwZOcGWLohE3GASHbl","url":"https://bscscan.com/address/0xda1E93d58CCCC9683f9Cb051cAEC5CF2F01B3253","type":"smart_contract","addedAt":"2025-03-21T10:50:28.322Z","revision":1,"description":"VeListaInterestRebater","isPrimacyOfImpact":null},{"id":"4YhZ6JlhL6Ii19KOShsMn2","url":"https://bscscan.com/address/0x8B35291ecF29fD36BA405A03C9832725f2E9e164","type":"smart_contract","addedAt":"2025-03-21T10:50:47.757Z","revision":1,"description":"gemJoin(USDF)","isPrimacyOfImpact":null},{"id":"3eeRZbLxnBXcRUZQv71utO","url":"https://bscscan.com/address/0x63393E8a6Fa3dab6874729AE680B370c0Ca96b2b","type":"smart_contract","addedAt":"2025-03-21T10:51:08.017Z","revision":1,"description":"clipper(USDF)","isPrimacyOfImpact":null},{"id":"4IHyppqPIa25juUr2OmFO6","url":"https://bscscan.com/address/0xa53A9a3e496F00bbe3f1247cac88Ea28C2b6B107","type":"smart_contract","addedAt":"2025-03-21T10:51:28.176Z","revision":1,"description":"oracle(USDF)","isPrimacyOfImpact":null},{"id":"mVwbTyrYoMj2kXjhiRedP","url":"https://bscscan.com/address/0xB53e69b662a2d10343f857eBa9e3b6158Acf632F","type":"smart_contract","addedAt":"2025-03-21T10:51:46.167Z","revision":1,"description":"gemJoin(asUSDF)","isPrimacyOfImpact":null},{"id":"5h4rhl8yve5jIAPyvm8egi","url":"https://bscscan.com/address/0xe7e8098a724CF4F2f1aCf67b06a17710a52011ac","type":"smart_contract","addedAt":"2025-03-21T10:52
:05.041Z","revision":1,"description":"clipper(asUSDF)","isPrimacyOfImpact":null},{"id":"7qbdYeXjWuTxwbKlbcZvPe","url":"https://bscscan.com/address/0x53C7024411E5d12C0B17D412943C3Dd5939a2Fb1","type":"smart_contract","addedAt":"2025-03-21T10:52:22.393Z","revision":1,"description":"oracle(asUSDF)","isPrimacyOfImpact":null},{"id":"55h3B9bFG8SoRBlQutNbP5","url":"https://bscscan.com/address/0xF53330104B4943bBf6e3f366FE11270183f93A46","type":"smart_contract","addedAt":"2025-03-21T10:52:38.848Z","revision":1,"description":"CollateralListaDistributor(USDF)","isPrimacyOfImpact":null},{"id":"yJGEZdt943r7ldykqpbcr","url":"https://bscscan.com/address/0xD60316C4FAB1fB2eb18Fc5B72eCf982aDb04e579","type":"smart_contract","addedAt":"2025-03-21T10:52:55.536Z","revision":1,"description":"CollateralListaDistributor(asUSDF)","isPrimacyOfImpact":null},{"id":"3ZELbfwep544KOf89SZtfo","url":"https://bscscan.com/address/0x5F43C6a44E314f09173C2a517bEE8db9304c30F1","type":"smart_contract","addedAt":"2025-03-21T10:53:11.662Z","revision":1,"description":"BorrowListaDistributor(USDF)","isPrimacyOfImpact":null},{"id":"20ZLBBtASSofg0PpfOw6jY","url":"https://bscscan.com/address/0x031a6F543449D5FBf9C3e77F907043f7BE7c1461","type":"smart_contract","addedAt":"2025-03-21T10:53:28.640Z","revision":1,"description":"BorrowListaDistributor(asUSDF)","isPrimacyOfImpact":null},{"id":"4BfC1K1RSnxSvsLTPewR94","url":"https://bscscan.com/address/0x2725d7336027773d7a958e10819a923dcd65aa57","type":"smart_contract","addedAt":"2025-04-29T14:36:17.400Z","revision":1,"description":"ERC20TokenProvider","isPrimacyOfImpact":null},{"id":"7IYFh6jnAVkgvU1JXnk97O","url":"https://bscscan.com/address/0x367384C54756a25340c63057D87eA22d47Fd5701","type":"smart_contract","addedAt":"2025-05-27T10:31:33.652Z","revision":1,"description":"BNBProvider (Lista WBNB 
Vault)","isPrimacyOfImpact":null},{"id":"24lSH6HnXO08EDjysrDwUD","url":"https://bscscan.com/address/0x501bE17CcA1d8a009753Da271D6714C18c1A35c9","type":"smart_contract","addedAt":"2025-05-27T10:31:48.888Z","revision":1,"description":"BNBProvider (MEV WBNB Vault)","isPrimacyOfImpact":null},{"id":"2G50WM03SOIDw5mqqYfKm9","url":"https://bscscan.com/address/0x33f7A980a246f9B8FEA2254E3065576E127D4D5f","type":"smart_contract","addedAt":"2025-05-27T10:32:04.830Z","revision":1,"description":"SlisBNBProvider","isPrimacyOfImpact":null},{"id":"7GC8HXo4JpcGO4nFLMSD4q","url":"https://bscscan.com/address/0x665410ee5Ea96aa729589491bADC11E0FE163d29","type":"smart_contract","addedAt":"2025-05-27T10:32:18.834Z","revision":1,"description":"LendingRewardsDistributor","isPrimacyOfImpact":null},{"id":"58AGVoTTccbw7ATC2Sn9nR","url":"https://bscscan.com/address/0x68B9A9eA70f4391c016746BE240037E5d4f63807","type":"smart_contract","addedAt":"2025-05-27T10:32:46.018Z","revision":1,"description":"GemJoin(USD1)","isPrimacyOfImpact":null},{"id":"6dOqAoeyIIVScxe4AV8tTd","url":"https://bscscan.com/address/0xdeB93441fAc0737321199E84a5F0420931A6562e","type":"smart_contract","addedAt":"2025-05-27T10:33:18.539Z","revision":1,"description":"Clipper(USD1)","isPrimacyOfImpact":null},{"id":"48u04rJqJh1WeimGgMgFlq","url":"https://bscscan.com/address/0xD111f17Ff76015152DC5Dd59bEC74A70B590e72E","type":"smart_contract","addedAt":"2025-05-27T10:33:33.178Z","revision":1,"description":"Oracle(USD1)","isPrimacyOfImpact":null}],"assetsBodyV2":"All smart contracts of Lista can be found at https://github.com/lista-dao/lista-dao-contracts, https://github.com/lista-dao/synclub-contracts and https://github.com/lista-dao/lista-token.\nHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nFor proxy contracts, both the current implementation and any further updates to the implementation contracts are considered in scope.\n\nIf an impact can be caused to any other asset 
managed by Lista that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Solidity"],"launchDate":"2022-06-16T16:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5aOBSUu0V6jW0Op03W4NDF/beec6ccbe2927310dffb147f24fdb902/Twitter_profile_400x400.png","maxBounty":1000000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending","Stablecoin","Yield Aggregator"],"programOverview":"Lista DAO, powered by the BNB Smart Chain, introduces an innovative integration of Liquid Staking and Staking services. Lista DAO's native CDP stablecoin is known as lisUSD, and it is over-collateralized against a variety of tokens such as BNB, ETH, wBETH and slisBNB. Upon borrowing lisUSD, users can opt to stake their holdings for long-term yield on affiliated partner DEXes, engage in trading activities, or utilize lisUSD as a form of monetary payment.\n\nLista DAO also offers simple and secure liquid staking solutions on the BNB Smart Chain, with users minting Lista Staked BNB, slisBNB, in exchange for staking their BNB. 
The staked BNB is held securely on BSC validator nodes providing attractive liquid staking yields on their staked BNB.","programType":["Smart Contract"],"project":"Lista DAO","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\n__Reward calculation of Critical bug reports__\n\nFor critical smart contract bugs, the reward amount is __10%__ of the funds directly affected up to a maximum of __USD 1 000 000__; however, there is a minimum of __USD 100 000__.\n\n__Reward calculation of High bug reports__\t\n\nHigh severity vulnerabilities concerning theft of unclaimed yield, permanent freezing of unclaimed yield, and temporary freezing of funds for a minimum period of 30 days are considered at the full amount of funds at risk, capped at the maximum high reward. This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if they go unaddressed. 
\n\nAll vulnerabilities marked in the [Certik security review](https://drive.google.com/file/d/1A_iAbKkRyToXjFA25v8gLFfuSqFuIPEd/view?usp=sharing), [Peckshield security review](https://drive.google.com/file/d/1tyH5DAg0EE12TKOvucORw-kSsXpJFofu/view?usp=sharing), [Slowmist security review](https://drive.google.com/file/d/1ki1MrZcnkHReKuR5cMY40n2j-U9bnx25/view?usp=sharing), [Veridise security review](https://github.com/lista-dao/lista-dao-contracts/blob/master/audits/Veridise_270622.pdf) and https://github.com/lista-dao/synclub-contracts/tree/master/audit and https://github.com/lista-dao/lista-dao-contracts/tree/master/audits are not eligible for a reward.\n\nAll rewards for the Lista bug bounty program are scaled based on internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in place. However, there is a minimum reward of __USD 1,000__ for each severity level; rewards will be provided at the fair value determined by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program.\n\nPayouts are handled by the __Lista__ team directly and are denominated in __USD__. However, payouts are done in __USDT, USDC and lisUSD__, with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT, USDC, lisUSD","slug":"listadao","updatedDate":"2025-05-27T10:34:19.548Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Lista DAO, powered by the BNB Smart Chain, introduces an innovative integration of Liquid Staking and Staking services. 
Lista DAO's native CDP stablecoin is known as lisUSD, and it is over-collateralized against a variety of tokens such as BNB, ETH, wBETH and slisBNB.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"__Websites__\n- Content spoofing / Text injection issues without any security impact\n- Server-side information disclosure such as IPs, server names, and most stack traces\n- Vulnerabilities used to enumerate or confirm the existence of users or tenants\n- Vulnerabilities requiring unlikely user actions or complex user interactions\n- URL Redirects (unless combined with another vulnerability to produce a more severe impact)\n- Attacks requiring privileged access from within the organization\n- Feature requests or suggestions for best practices\n- Internal SSRF (Server-Side Request Forgery)\n- Path Traversal without real security impact\n- Clickjacking without sensitive actions\n- Issues related to browser-specific behavior that do not pose a security threat\n- Denial of Service (DoS) attacks not explicitly allowed in scope\n- Vulnerabilities in third-party software or libraries without evidence of impact on our service\n- Issues with non-production environments (staging, testing, etc.)\n\n*XSS reports are restricted to those that have an impact of prompting a user to sign a transaction or a redirect.*\n\n__Backend Services__\n- Missing or misconfigured security headers that do not lead to direct security vulnerabilities\n- Information disclosure of non-sensitive data (e.g., stack traces, debug messages)\n- Issues related to outdated software versions unless they can be exploited in our context\n- Rate-limiting or brute-force attacks on non-critical endpoints\n- Vulnerabilities requiring extensive social engineering or phishing\n- Any issues that require physical access to our servers or 
network\n- Findings from automated scans without a proof of concept demonstrating security impact\n- Low-impact vulnerabilities that require unlikely attack scenarios\n- Directory listing on non-sensitive directories\n- Server configuration issues without a clear security impact\n- Cosmetic issues and text errors","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":2808,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for a minimum period of 30 days"},{"id":2809,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":2810,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":2811,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":2812,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of funds"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":2813,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive 
details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":2814,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":2815,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":2816,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, 
etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":2817,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"}],"rewards":[{"id":9905,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":9906,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":9907,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":9908,"severity":"critical","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":9909,"severity":"high","assetType":"websites_and_applications","fixedReward":3000,"rewardModel":"fixed"},{"id":9910,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"222985PqOCS8Gnts6UPije","url":"https://github.com/ethereum/consensus-specs","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":2,"description":"Specification - Consensus Specification","isPrimacyOfImpact":null},{"id":"1H0KtzBZ6r6neNdl08UTcX","url":"https://github.com/ethereum/execution-specs","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":2,"description":"Specification - Execution Specification","isPrimacyOfImpact":null},{"id":"7s5Lv6frbz7ziSnqDyNvYg","url":"https://github.com/ethereum/consensus-specs/blob/dev/specs/phase0/deposit-contract.md","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":2,"description":"Specification - Deposit Contract 
Specification","isPrimacyOfImpact":null},{"id":"7KUEbgJx3RhMK6RIsDh3IF","url":"https://etherscan.io/address/0x00000000219ab540356cBB839Cbe05303d7705Fa#code","type":"smart_contract","addedAt":"2024-11-25T14:00:00.000Z","revision":1,"description":"DepositContract.sol - [110]","isPrimacyOfImpact":null},{"id":"31ThCJ2OekWDmGdvw8ILu4","url":"https://github.com/prysmaticlabs/prysm","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":1,"description":"Prysm - [400k]","isPrimacyOfImpact":null},{"id":"4Mz83vIDD7AhGb65TuvTDQ","url":"https://github.com/ethereum/go-ethereum","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":1,"description":"Go Ethereum - [200k]","isPrimacyOfImpact":null},{"id":"2EgdxWQYKwHoyvoiyxpUhI","url":"https://github.com/sigp/lighthouse","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":1,"description":"Lighthouse - [200k]","isPrimacyOfImpact":null},{"id":"45IxDPEk4E1DkcanqKm3ba","url":"https://github.com/NethermindEth/nethermind","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":2,"description":"Nethermind - [250k]","isPrimacyOfImpact":null},{"id":"1lGcRezwotn9RNyRMBRYVZ","url":"https://github.com/Consensys/teku","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":2,"description":"Teku - [350k]","isPrimacyOfImpact":null},{"id":"22IF2w58Lup0QFpVjiykzj","url":"https://github.com/hyperledger/besu","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":1,"description":"Besu - [100k]","isPrimacyOfImpact":null},{"id":"264yATywWGOKplWZrpBRjp","url":"https://github.com/status-im/nimbus-eth2","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":1,"description":"Nimbus Eth2 - [100k]","isPrimacyOfImpact":null},{"id":"2B3YBOlp0W89OHd75y12bP","url":"https://github.com/ledgerwatch/erigon","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":1,"description":"Erigon - 
[350k]","isPrimacyOfImpact":null},{"id":"2t6BghXiSnXYi2wSAJN9l7","url":"https://github.com/paradigmxyz/reth","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":1,"description":"Reth - [150k]","isPrimacyOfImpact":null},{"id":"J5ENB1Y4K5Pj4WrrvI2j2","url":"https://github.com/chainsafe/lodestar","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":1,"description":"Lodestar - [100k]","isPrimacyOfImpact":null},{"id":"4tSde70EV2ABSBX0eQsAXV","url":"https://github.com/ethereum/solidity","type":"smart_contract","addedAt":"2024-11-25T14:00:00.000Z","revision":2,"description":"Solidity Compiler - [124k]","isPrimacyOfImpact":null},{"id":"2DQBywvEv3ikGV831m8tNj","url":"https://github.com/vyperlang/vyper","type":"smart_contract","addedAt":"2024-11-25T14:00:00.000Z","revision":2,"description":"Vyper - [19k]","isPrimacyOfImpact":null},{"id":"7rT6szeYlH5ZrzA6EwlPRx","url":"https://immunefi.com","type":"smart_contract","addedAt":"2024-11-25T14:00:00.000Z","revision":2,"description":"Primacy of Impact [Critical]","isPrimacyOfImpact":true},{"id":"6oGiUhKiUT4EyBdrmaTPCY","url":"https://immunefi.com","type":"blockchain_dlt","addedAt":"2024-11-25T14:00:00.000Z","revision":2,"description":"Primacy of Impact [Critical, High]","isPrimacyOfImpact":true}],"assetsBodyV2":"__KYC Requirement__\n\nImmunefi will be requesting KYC information in order to pay for successful bug submissions to whitehats who earn $500 USD or more. 
The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Eligibility Criteria__ \n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list \n- From a restricted country or territory: North Korea, Iran, Cuba, Syria, certain regions of Ukraine (Crimea, Donetsk and Luhansk), West Bank and Gaza regions of Israel, Venezuela, Afghanistan\n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review, or who work for the company which did the audit review\n- Employees and contractors of the Ethereum Foundation may participate in the program only in the accrual of points and will not receive monetary rewards. Client teams may participate in finding vulnerabilities in other client teams’ projects; however, employees and contractors of individual client teams who self-report vulnerabilities will only accrue points and will not receive monetary rewards\n\n__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed or disclosed to Immunefi, are valid for a reward at one severity lower than what they’re confirmed as. However, bug reports that are private known issues do not unlock reward pool tiers. 
For example, a High bug that ended up being a private known issue, would be paid as a Medium and would not qualify for unlocking the $500k tier of the reward pool for this Attackathon.\n\n__Primacy of Impact vs Primacy of Rules__\n\nEthereum Foundation adheres to the Primacy of Impact for the following impacts:\n- Blockchain/DLT - Critical\n- Blockchain/DLT - High\n- Smart Contract - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact).\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Responsible Publication__\n\nAfter the Attackathon concludes, whitehats may only publish more info on the fixed and paid bug reports that appear on the [Immunefi Audit Competitions Gitbook](https://reports.immunefi.com). Reports closed as invalid are also okay to publish after this time. This rule is to prevent premature publication of any bugs that will take considerable time to fix. 
\n\nImmunefi will also publish a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may receive reports that are valid (the bug and attack vector are real) and that cite assets and impacts in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Ethereum has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/9522048467857-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"Up to $1.5 million USD is available in Attackathon rewards during November 25th to January 20, 2025.\n\nYou can ask the Ethereum Protocol team any questions directly in the [Ethereum Attackathon Discord channel](https://discord.gg/immunefi?utm_source=immunefi) on Immunefi's Discord. 
During the Attackathon, Ethereum Protocol commits to responding within 48 hours on weekdays to all bug reports.\n\nAfter the Attackathon, Immunefi will publish a leaderboard and Attackathon findings report, as well as whitehat spotlights and bugfix reviews for top placements.","boostedIntroStartingIn":"Up to $1.5 million USD is available in Attackathon rewards during November 25th to January 20, 2025.\n\nWhen the $1.5 million Ethereum Protocol Attackathon has ended, Immunefi will publish a leaderboard, Attackathon findings report, whitehat spotlights, and bugfix reviews.\n\n**October 28th onward:**\n\nThe Ethereum Protocol Education Period is live. To help you learn the Ethereum Protocol quickly and deeply, we'll be providing the Ethereum Protocol Academy, a learning page designed for security researchers to help you upskill on the Ethereum protocol as well as the Ethereum clients. We’ll also host a series of technical walkthroughs, and both the Ethereum Protocol and Ethereum client teams will provide direct technical support. \n\nYou can ask the Ethereum Protocol or Ethereum client teams any questions directly in the [Ethereum Protocol Attackathon Discord channel](https://discord.com/invite/immunefi) on Immunefi's Discord. Just make sure to tag the appropriate Ethereum client team.\n\n**November 25th 2024 2pm UTC to January 20th 2025 2pm UTC:**\n\nEthereum Protocol’s Attackathon is live. Find bugs and earn rewards. \n\nDuring the Attackathon, the Ethereum Protocol and Ethereum client teams commit to responding within 48 hours on weekdays to all bug reports. 
\n\n[Sign up here for Ethereum Protocol Attackathon Updates](https://marketing.immunefi.com/eth-attackathon-signup).","boostedLeaderboard":[{"high":0,"name":"anatomist","critical":0,"earnings":148677,"insights":3,"mediumLow":9,"totalValidBugs":9},{"high":0,"name":"gln","critical":0,"earnings":146250,"insights":0,"mediumLow":7,"totalValidBugs":7},{"high":0,"name":"CertiK","critical":0,"earnings":90801,"insights":14,"mediumLow":6,"totalValidBugs":6},{"high":0,"name":"Franfran","critical":0,"earnings":33750,"insights":0,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"Blobism","critical":0,"earnings":33750,"insights":0,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"Omik","critical":0,"earnings":16590,"insights":3,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"troy_ar","critical":0,"earnings":15134,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"br0nz3p1ck4x3","critical":0,"earnings":4369,"insights":3,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Pig46940","critical":0,"earnings":2913,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"cheems","critical":0,"earnings":2427,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"csludo","critical":0,"earnings":2427,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"impermanentW","critical":0,"earnings":1456,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"a3yip6","critical":0,"earnings":1456,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"[redacted]","critical":0,"earnings":0,"insights":3,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"[redacted]","critical":0,"earnings":0,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/15lCy1jza9MsnDooWmponwdaTq_EjV2-m/view?usp=sharing","ecosystem":["ETH"],"endDate":"2025-01-25T14:00:00.000Z","evaluationEndDate":"2025-05-22T12:56:05.879Z","features":["Attackathon","Managed Triage: Time 
Saver","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity","Vyper"],"launchDate":"2024-11-25T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6itRuATvu87slB9sHlEDxS/680a257b5c3950fea7a3e835ca522fb4/eth-diamond-purple.7929ed26__1_.png","maxBounty":1500000,"outOfScopeAndRules":"To be determined.","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","blockchain_dlt - low","blockchain_dlt - medium","blockchain_dlt - high","blockchain_dlt - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1"],"programOverview":"Ethereum is a decentralized, open-source blockchain protocol that supports the development and execution of smart contracts and decentralized applications (dApps). It enables a trustless, peer-to-peer network where participants can create, exchange, and secure digital assets without intermediaries.\n\nThe protocol's core is its Proof of Stake (PoS) consensus mechanism, which ensures the security and validation of transactions through a network of validators. Validators are responsible for proposing and validating blocks of transactions, while the system rewards them for their participation and secures the network from malicious actors.\n\nFor more information about Ethereum, please visit [https://ethereum.org](https://ethereum.org).\n\nThe Attackathon program spans end-to-end: from soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of stake, etc.) and protocol/implementation compliance to network security and consensus integrity. 
Classical client security as well as security of cryptographic primitives are also part of the program.\n\nFor more details about the reward system, please refer to the \"Rewards by Threat Level\" section further below.\n\n- **For PoCs, test against the latest release**\n- **Code will not be frozen for this Attackathon, as assets are on mainnet**\n- **Make sure to check the list of [publicly known issues](https://immunefi.slite.com/app/docs/npGhR5rBwFfnTi) before submitting a report**","programType":["Smart Contract","Blockchain/DLT"],"project":"Attackathon | Ethereum Protocol","projectType":["Blockchain"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Ethereum Attackathon Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/30287460669841-Ethereum-Protocol-Attackathon-Reward-Terms).\n\nThe reward pool size varies based on the severity of bugs found:\n- If one or more Low severity bugs are found the reward pool will be **$250,000 USD**\n- If one or more Medium severity bugs are found the reward pool will be **$500,000 USD**\n- If one or more High severity bugs are found the reward pool will be **$900,000 USD**\n- If one or more Critical severity bugs are found the reward pool will be **$1,500,000 USD**\n\nPrivate known issues are considered valid.\n\n**Duplicates are not valid for this Attackathon.**\n\nPrivate known issues will unlock higher reward pools as though they were one severity level lower. 
For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a High severity bug being found.\n\nThe severity level of private known issues remains unchanged and SRs earn their portion of the reward pool and position on the leaderboard according to this unchanged severity level.\n\nPublic known issues are invalid as normal.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Payment Terms__\n\nPayouts are handled by the Immunefi team directly and are denominated in USD. However, payments are done in ETH.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\n- The \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi).","rewardsPool":1500000,"primaryPool":1500000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ETH","slug":"ethereum-protocol-attackathon","tenPercentEconomicRule":false,"updatedDate":"2025-05-22T15:57:48.375Z","impactsBody":"Each asset in scope listed above points to the latest changes which is the source of truth of what’s in scope.\n\nIf a bug in the specifications results in an impact on client implementations, the relevant impact should be selected from the Blockchain/DLT impacts list. If an impact of the specification bug cannot be identified, you are encouraged to submit it under the Low severity “A bug in specifications with no direct impact on client implementations”, at which point it will be evaluated and may have its severity increased at the discretion of the Ethereum Foundation.\n\nFor compiler impacts, only those issues which affect runtime logic will be considered as in scope. If a bug is the result of an anti-pattern of the language, enabling experimental features, or use of inline assembly, it may be downgraded or considered out of scope. If there are no affected applications, a vulnerability may be downgraded due to feasibility limitations of exploitability. Compiler bugs should be tested against the latest release version. 
Bugs which are not known issues which impact previous versions may be considered if an on-chain impact can be demonstrated.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Whitehat Educational Resources & Technical Info Architecture documents:__\n\nConsensus client diversity will be calculated as an average of the following three data sources provided in https://clientdiversity.org/\n- Sigma Prime's Blockprint\n- Miga Labs\n- Rated.Network\n\nExecution client diversity will be calculated as an average of the following three data sources:\n- [https://clientdiversity.org/](https://clientdiversity.org/)\n- [https://ethernodes.org/](https://ethernodes.org/)\n- [https://explorer.rated.network/network?network=mainnet&timeWindow=1d&rewardsMetric=average&geoDistType=all&hostDistType=all&soloProDist=stake](https://explorer.rated.network/network?network=mainnet&timeWindow=1d&rewardsMetric=average&geoDistType=all&hostDistType=all&soloProDist=stake)\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nThe Ethereum Protocol is in scope, however, only the clients and codebases which are listed in the assets table above qualify for this program. The specifications of the consensus layer and execution layer are in scope, please see the following resource to understand how to find and report a bug in the specification documents.\n\n__Where do you suspect there may be bugs? 
Useful aspects of this question are:__\n\n- **Which parts of the code are you most concerned about?**\n    - We are most concerned about code related to consensus, validators, cryptography, networking (libp2p, devp2p)\n    - Bugs concerning the following mechanisms:\n        - beacon-chain.md files: Any bugs that may cause the beacon chain to stop or cause a consensus failure.\n        - fork-choice.md files: This logic is likely the most complicated and requires a more sophisticated attack vector or fuzzing to detect potential bugs. Note that there are some known but too costly attacks. For example, accountable safety guarantees that no conflicting finalization can happen without 1/3 of the validator set being slashable.\n        - p2p-interface.md files: These docs are primarily written in English prose instead of executable and tested Python code. Networking experts can refer to these documents to find DoS attack vectors.\n    - Bugs are mostly found in typing issues, such as:\n        - Receiving a U256 instance in a variable expecting a Uint\n        - Getting a Bytes20 in a Bytes slot\n    - Edge case behavior that deviates from \"true\" Ethereum can also cause issues, including:\n        - Opcode behavior at extremes (e.g., blockhash at 255/256 depth)\n        - Precompiles decoding their arguments differently\n    - Cryptography is a complex area where ensuring that libraries are correctly implemented and match mainnet behavior is crucial.\n    - Discrepancies between the optimized and non-optimized modules may also be a valuable source of bugs.\n\n- **What attack vectors are you most concerned about? Which part(s) of the system do you want whitehats to attempt to break the most?**\n    - Specifically for the specifications:\n        - Incorrect behavior is the biggest attack vector, e.g. 
What happens if a theoretical new Ethereum client follows the specification to the letter?\n        - We are interested in cases when the chosen algorithm may not be suitable for a production client, or when simplifying assumptions (e.g., no re-orgs) are impractical in real-world scenarios.\n\n- **Are there any assumed invariants that you want whitehats to attempt to break?**\n    - We use many Python assertions (`assert`) to explicitly indicate the invariants in the markdown files.\n    - We use [SSZ typing](https://github.com/ethereum/consensus-specs/blob/dev/ssz/simple-serialize.md) to determine the domain of variables.\n\n__What external dependencies are there?__\n\n- A functioning Ethereum execution client (geth, reth, etc.) to provide blocks\n- [https://github.com/ethereum/execution-specs/blob/1e9a6e518adab7ae55ebddb15d72f91041240c8a/setup.cfg#L113-L117](https://github.com/ethereum/execution-specs/blob/1e9a6e518adab7ae55ebddb15d72f91041240c8a/setup.cfg#L113-L117)\n- [https://github.com/ethereum/execution-specs/blob/1e9a6e518adab7ae55ebddb15d72f91041240c8a/setup.cfg#L152-L180](https://github.com/ethereum/execution-specs/blob/1e9a6e518adab7ae55ebddb15d72f91041240c8a/setup.cfg#L152-L180)\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\n- `docc` and its plugins are completely out of scope.\n- Anything under src/ethereum_spec_tools is likely out of scope, but bug reports are still appreciated.\n- Attacks that require manually making the JSON-RPC publicly available are not in scope for the execution layer or consensus layer. It is known that there are multiple attack vectors (DDoS) and it is not intended to make it public unless multiple layers of protection are in place.\n- The JSON RPC is out of scope. 
Users are told not to expose the JSON RPC to the public as it is a well-known attack vector.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\n- For the specifications, correctness and readability trump everything else, including performance.\n- We use int64 FAR FUTURE EPOCH: 2**64 - 1 as a placeholder for an epoch that is unlikely to be reached. When testing the variables' bounds, we should consider the probability of occurrence when determining the impact.\n- The Electra specs and “features” specs (under the https://github.com/ethereum/consensus-specs/tree/dev/specs/_features folder) are still in development, so they are not in scope.\n- The deposit contract only accepts deposits. To withdraw funds, a validator must exit their node or do work. Learn more here.\n- We use the Python SSZ implementation [remerkleable](https://github.com/protolambda/remerkleable) a lot in pyspec. Bugs caused by remerkleable are not considered in scope as pyspec itself is not a product. Bugs must be considered in the context of client implementations.\n\n__What is the test suite setup information?__\n\nPlease see each respective node software’s documentation regarding test suite setup.\n\n__What qualifies as a hard fork of the network?__\n\nA hard fork is the case when a potential attack’s damage is proven to be irreversible, and the only possible fix is splitting the network on a hard fork. It is a radical change to a network’s protocol that makes previously invalid blocks and transactions valid, or vice-versa. This means nodes (clients) that do not update to the new protocol will no longer be able to participate in or validate the same blockchain as the updated nodes.\n\nIf a hard fork is required for the uncle chain to fix consensus for those clients and continue building on the canonical chain, it does not qualify as critical, as the canonical chain remains unchanged and does not require a hard fork. 
The issue caused should have the downstream effect of clients needing to deploy patches to continue building blocks on the canonical chain.\n\n__Previous Audits & Public Disclosure of Known Issues__\n\nBug reports covering previously discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\nEthereum’s completed audit reports can be found at [https://github.com/ethereum/public-disclosures](https://github.com/ethereum/public-disclosures). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\nThere may be other findings tracked in these repositories’ GitHub issues which are not exhaustively listed here. Whitehats are responsible for ensuring a vulnerability is not publicly disclosed in the respective clients’ [known issues list or any previous audits](https://immunefi.slite.com/app/docs/npGhR5rBwFfnTi).\n\nFor reports related to the Solidity Compiler, rewards will not be issued for crashes of the solc compiler on maliciously generated data.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Ethereum is a decentralized blockchain that exists whenever there are connected computers running software following the Ethereum protocol and adding to the Ethereum Blockchain. ","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"Only the targets which directly affect the Ethereum network are part of the Ethereum Protocol Attackathon. This means that, for example, our infrastructure, such as webpages, DNS and email, is not part of the bounty scope. ERC20 contract bugs are typically not included in the bounty scope. However, we can help reach out to affected parties, such as authors or exchanges, in such cases. ENS is maintained by the ENS Foundation and is not part of the bounty scope. Vulnerabilities requiring the user to have publicly exposed an API, such as JSON-RPC or the Beacon API, are out of scope of the bug bounty program.\n\nThese impacts are out of scope for this bug bounty program. \n\n- Impacts on Example Code provided by Ethereum or smart contract code that was deployed by the user.\n\nBlockchain/DLT Specific:\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":5226,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split affecting greater than or equal to 25% of the network, requiring hard fork (network partition requiring hard fork)"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":5227,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":5228,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5229,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":5230,"type":"blockchain_dlt","severity":"high","title":"Shutdown of greater than or equal to 33% of network processing nodes without brute force actions, but does not shut down the network"},{"id":5231,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments affecting greater than or equal to 25% of the network"},{"id":5233,"type":"blockchain_dlt","severity":"medium","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments affecting less than 25% of the network"},{"id":5234,"type":"blockchain_dlt","severity":"medium","title":"bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct 
risk"},{"id":5235,"type":"blockchain_dlt","severity":"medium","title":"Causing greater than or equal to 25% of network processing nodes to process transactions from the mempool beyond set parameters (e.g. prevents processing transactions from the mempool)"},{"id":5236,"type":"blockchain_dlt","severity":"medium","title":"Increasing greater than or equal to 25% of network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":5237,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 10% or equal to but less than 33% of network processing nodes without brute force actions, but does not shut down the network"},{"id":5238,"type":"blockchain_dlt","severity":"medium","title":"Unintended chain split affecting greater than or equal to 25% of the network (Network partition)"},{"id":5239,"type":"blockchain_dlt","severity":"low","title":"Causing less than 25% of network processing nodes to process transactions from the mempool beyond set parameters (e.g. 
prevents processing transactions from the mempool)"},{"id":5240,"type":"blockchain_dlt","severity":"low","title":"Unintended chain split affecting less than 25% of the network (Network partition)"},{"id":5241,"type":"blockchain_dlt","severity":"low","title":"Increasing less than 25% of network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":5242,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":5243,"type":"blockchain_dlt","severity":"low","title":"Shutdown of less than 10% of network processing nodes without brute force actions, but does not shut down the network"},{"id":5244,"type":"blockchain_dlt","severity":"low","title":"(Specifications) A bug in specifications with no direct impact on client implementations"},{"id":5245,"type":"smart_contract","severity":"critical","title":"(Compiler) Elimination of security checks"},{"id":5246,"type":"smart_contract","severity":"high","title":"(Compiler) Incorrect bytecode generation leading to incorrect behavior"},{"id":5247,"type":"smart_contract","severity":"medium","title":"(Compiler) Memory-Related errors"},{"id":5248,"type":"smart_contract","severity":"medium","title":"(Compiler) Encoding errors"},{"id":5249,"type":"smart_contract","severity":"low","title":"(Compiler) Semantic analysis errors"},{"id":5250,"type":"smart_contract","severity":"low","title":"(Compiler) Exception handling errors"},{"id":5251,"type":"smart_contract","severity":"low","title":"(Compiler) Syntactic analysis errors"},{"id":5252,"type":"smart_contract","severity":"low","title":"(Compiler) Optimization errors"},{"id":5253,"type":"smart_contract","severity":"low","title":"(Compiler) Unexpected behavior"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward 
Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"1jlZ9RgFNxz4sloCqhOHMx","url":"https://etherscan.io/address/0x4c9edd5852cd905f086c759e8383e09bff1e68b3","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":1,"description":"USDe.sol","isPrimacyOfImpact":null},{"id":"2Chn6aqu7ZV4YxasnSYpKH","url":"https://etherscan.io/address/0xe3490297a08d6fC8Da46Edb7B6142E4F461b62D3#code","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":3,"description":"EthenaMinting.sol 
V2","isPrimacyOfImpact":null},{"id":"5r093sG53BiuHEPz76Geth","url":"https://etherscan.io/address/0x9d39a5de30e57443bff2a8307a4256c8797a3497","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":1,"description":"StakedUSDe.sol","isPrimacyOfImpact":null},{"id":"2EOVeSLznLVWhVCnPRRBAq","url":"https://etherscan.io/address/0x9d39a5de30e57443bff2a8307a4256c8797a3497","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":1,"description":"StakedUSDeV2.sol","isPrimacyOfImpact":null},{"id":"5Lwn8cyCatU11dtEcTjPfD","url":"https://etherscan.io/address/0x7FC7c91D556B400AFa565013E3F32055a0713425","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":1,"description":"USDeSilo.sol","isPrimacyOfImpact":null},{"id":"4JK11cxcTOm0AjBPb3g38E","url":"https://etherscan.io/address/0x2cc440b721d2cafd6d64908d6d8c4acc57f8afc3","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":1,"description":"SingleAdminAccessControl.sol","isPrimacyOfImpact":null},{"id":"o7haO6QHzwXIk7f9lzzOF","url":"https://etherscan.io/address/0x8707f238936c12c309bfc2B9959C35828AcFc512","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":5,"description":"EthenaLPStaking.sol. 
Present on both Ethereum and Mantle: https://explorer.mantle.xyz/address/0xf2fa332bD83149c66b09B45670bCe64746C6b439?tab=contract","isPrimacyOfImpact":null},{"id":"2zGEpq9coI1pXRNrsNnsxQ","url":"https://etherscan.io/address/0xf2fa332bd83149c66b09b45670bce64746c6b439#tokentxns","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":1,"description":"StakingRewardsDistributor.sol","isPrimacyOfImpact":null},{"id":"3q5p48wVmzckePAoqeK0ho","url":"https://etherscan.io/address/0x57e114B691Db790C35207b2e685D4A43181e6061","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":1,"description":"ENA.sol","isPrimacyOfImpact":null},{"id":"77P1lVBJeLmCJDdXCNSeHR","url":"https://www.ethena.fi","type":"websites_and_applications","addedAt":"2024-04-04T16:46:29.000Z","revision":3,"description":"Project Link","isPrimacyOfImpact":null},{"id":"5azgjSRvS8OFK3dxeFLz1I","url":"https://app.ethena.fi","type":"websites_and_applications","addedAt":"2024-04-04T16:46:29.000Z","revision":2,"description":"Subdomain","isPrimacyOfImpact":null},{"id":"3YcUUiqxjcsZpJ8oc2tPlr","url":"https://claim.ethena.fi","type":"websites_and_applications","addedAt":"2024-04-04T16:46:29.000Z","revision":2,"description":"Subdomain","isPrimacyOfImpact":null},{"id":"393oGI7e6oG6AAJzQUrygm","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-04-04T16:46:29.000Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"2Mtbd8HCiL2RC6O0JLL9Cf","url":"https://etherscan.io/address/0x58538e6a46e07434d7e7375bc268d3cb839c0133","type":"smart_contract","addedAt":"2024-04-15T09:50:42.896Z","revision":1,"description":"ENAOFTAdapter.sol","isPrimacyOfImpact":null},{"id":"6P4G5MdnJfaEOFGzKgZh2w","url":"https://etherscan.io/address/0x5d3a1ff2b6bab83b63cd9ad0787074081a52ef34","type":"smart_contract","addedAt":"2024-04-15T09:51:03.695Z","revision":1,"description":"USDeOFTAdapter.sol","isPrimacyOfImpact":null},{"id":"Vv3nzU1MSTWLEmph5s4hh","url":"https://etherscan.io/address/0x211cc4dd073734da055fbf44a2b4667d5e5fe5d2","type":"smart_contract","addedAt":"2024-04-15T09:51:26.013Z","revision":1,"description":"StakedUSDeOFTAdapter.sol","isPrimacyOfImpact":null},{"id":"1Ku8u04sOdQy4go8UG44rR","url":"https://explorer.mantle.xyz/address/0x5d3a1Ff2b6BAb83b63cd9AD0787074081a52ef34","type":"smart_contract","addedAt":"2024-04-15T09:54:11.685Z","revision":2,"description":"USDeOFT.sol - Present on the following chains: Mantle, Arbitrum One, Manta Pacific, Optimism, BNB, Kava, Scroll, Mode, Metis, Fraxtal, Linea, and some others updated here: https://docs.ethena.fi/solution-design/key-addresses","isPrimacyOfImpact":null},{"id":"5Gg5hWUAESm11rfktaMK5I","url":"https://explorer.mantle.xyz/address/0x211Cc4DD073734dA055fbF44a2b4667d5E5fE5d2","type":"smart_contract","addedAt":"2024-04-15T09:55:34.303Z","revision":2,"description":"StakedUSDeOFT.sol - Present on the following chains: Mantle, Arbitrum One, Manta Pacific, Optimism, BNB, Kava, Scroll, Mode, Metis, Fraxtal, Linea, and some others updated here: https://docs.ethena.fi/solution-design/key-a","isPrimacyOfImpact":null},{"id":"JqHMluVpTArK1lW9gD26Y","url":"https://explorer.mantle.xyz/address/0x58538e6A46E07434d7E7375Bc268D3cb839C0133","type":"smart_contract","addedAt":"2024-04-15T09:56:07.424Z","revision":2,"description":"ENAOFT.sol - Present on the following chains: Mantle, Arbitrum One, Manta Pacific, Optimism, BNB, 
Kava, Scroll, Mode, Metis, Fraxtal, Linea, and some others updated here: https://docs.ethena.fi/solution-design/key-addresses","isPrimacyOfImpact":null},{"id":"1rwKRZ9HBT8ud99W7WgzL2","url":"https://etherscan.io/address/0x8bE3460A480c80728a8C4D7a5D5303c85ba7B3b9#code","type":"smart_contract","addedAt":"2025-04-04T06:03:20.730Z","revision":1,"description":"StakedENA.sol","isPrimacyOfImpact":null},{"id":"4j2mZcqqI9Wi7MPZ8GVDyD","url":"https://etherscan.io/address/0xc139190f447e929f090edeb554d95abb8b18ac1c#code","type":"smart_contract","addedAt":"2025-04-04T06:03:37.132Z","revision":1,"description":"USDtb.sol","isPrimacyOfImpact":null},{"id":"3qJSIsxSsiGuyyqVAhmdWC","url":"https://etherscan.io/address/0xa3DDBf92077b850E29C4805Df0a2459Ae048416a","type":"smart_contract","addedAt":"2025-04-04T06:03:50.745Z","revision":1,"description":"USDtbMinting.sol","isPrimacyOfImpact":null},{"id":"6qm45X0Wj8lbdw1offuuHV","url":"https://tonviewer.com/EQAIb6KmdfdDR7CN1GBqVJuP25iCnLKCvBlJ07Evuu2dzP5f","type":"smart_contract","addedAt":"2025-05-20T06:37:48.655Z","revision":1,"description":"USDe minter contract on TON","isPrimacyOfImpact":null},{"id":"1jcU0bRxKXW8gBR6i0KT4H","url":"https://tonviewer.com/EQDQ5UUyPHrLcQJlPAczd_fjxn8SLrlNQwolBznxCdSlfQwr","type":"smart_contract","addedAt":"2025-05-20T06:38:05.854Z","revision":1,"description":"tsUSDe minter contract on TON","isPrimacyOfImpact":null},{"id":"2RCUApOZPRzkH3LlH7jTmF","url":"https://tonviewer.com/EQChGuD1u0e7KUWHH5FaYh_ygcLXhsdG2nSHPXHW8qqnpZXW","type":"smart_contract","addedAt":"2025-05-20T06:38:29.313Z","revision":1,"description":"tsUSDe vault on TON","isPrimacyOfImpact":null},{"id":"1YjYRT8GMd8gfk6FCpCIuw","url":"https://tonviewer.com/EQAjpnYUX43uNjL3IqrFA5LyLPC0vo9iTgOCeab1AF-2aYcq","type":"smart_contract","addedAt":"2025-05-20T06:38:44.519Z","revision":1,"description":"USDe OFT contract on 
TON","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Elite","Managed Triage: Expert Assessment","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2024-04-04T16:46:29.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2SCfByxtr2f7bf1Z8Vefzb/cea115652062b3f56441d4d63702fe22/download_copy.png","maxBounty":3000000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Stablecoin"],"programOverview":"Ethena is a synthetic dollar protocol built on Ethereum that will provide a crypto-native solution for money not reliant on traditional banking system infrastructure, alongside a globally accessible dollar denominated savings instrument - the 'Internet Bond'.\n\nEthena's synthetic dollar, USDe, provides the crypto-native, scalable solution for money achieved by delta-hedging Ethereum and Bitcoin collateral. USDe is fully backed and free to compose throughout DeFi.\n\nUSDe peg stability is supported through the use of delta hedging derivatives positions against  protocol-held collateral. 
\n\nThe 'Internet Bond' combines yield derived from staked Ethereum as well as the funding & basis spread from perpetual and futures' markets, to create the first onchain crypto-native 'bond' that can function as a dollar-denominated savings instrument for users in permitted jurisdictions.\n\nFor more information about Ethena, please visit https://www.ethena.fi\n\nEthena provides rewards in USDC on Mainnet, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nEthena will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n- Eligibility Criteria \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nEthena adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract  - Medium\n- Smart Contract - Low\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- SOFT_RESTRICTED_STAKER_ROLE can be bypassed by user buying/selling stUSDe on the open market\n- maxRedeemPerBlock does not limit redemption in case of REDEEMER_ROLE key compromise unlike maxMintPerBlock, as the attacker can redeem all collateral held in the contract for 0 USDe, which does not increment maxRedeemPerBlock. This is by design, as limiting unlimited mints was the primary attack vector we wish to eliminate on key compromise and losing all funds currently in minting contract (which will be a small amount taking the total TVL as a reference) is an acceptable outcome.\n- The vesting period for sUSDe is hardcoded to 8 hours while the sUSDe rewards distribution occurs once every week. This means that an experienced user could buy usde => stake right after we transfer => hold for a few hours => sell. \nWe already addressed this issue with the help from the Staking Rewards Distributor smart contract and an offchain component in the form of a cron job, which triggers every 8 hours and sends a slice of the total staking rewards in every run. 
This distributes the whole amount evenly throughout the week.\n- FULL_RESTRICTED Stakers can bypass restriction through approvals\n\n\n__Previous Audits__\n\nEthena’s completed audit reports can be found at https://ethena-labs.gitbook.io/ethena-labs/resources/audits. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Ethena has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract","Websites and Applications"],"project":"Ethena","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $3 Million. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $100,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of $10K to $75K depending on the funds at risk, capped at the maximum high reward.  \n\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional [1h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nCritical web/app bug reports will be rewarded with $50,000 only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical are rewarded a flat amount of $20,000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Ethena team directly and are denominated in USD. However, payments are done in USDC on Mainnet.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"ethena","updatedDate":"2025-05-20T06:39:16.014Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Ethena is a synthetic dollar protocol built on Ethereum that will provide a crypto-native solution for money not reliant on traditional banking system infrastructure, alongside a globally accessible dollar denominated savings instrument - the 'Internet Bond'.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":4815,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4816,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email, Password of the victim etc."},{"id":4817,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing 
confidential user information, such as:  Email address, Phone number, Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4818,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":4819,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other 
users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4820,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"}],"rewards":[{"id":11553,"severity":"critical","assetType":"smart_contract","maxReward":3000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11554,"severity":"high","assetType":"smart_contract","maxReward":75000,"minReward":10000,"rewardModel":"range"},{"id":11555,"severity":"medium","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":11556,"severity":"low","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":11557,"severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":20000,"rewardModel":"range","otherImpactMaxReward":0},{"id":11558,"severity":"high","assetType":"websites_and_applications","fixedReward":15000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4AGMaGNEuV2pRMGsiscGHf","url":"https://etherscan.io/address/0xf2F305D14DCD8aaef887E0428B3c9534795D0d60","type":"smart_contract","addedAt":"2023-12-14T21:00:00.000Z","revision":1,"description":"DepositQueue","isPrimacyOfImpact":null},{"id":"4rQPaSuTMs0NYWIadfgl3R","url":"https://etherscan.io/address/0xbf5495Efe5DB9ce00f80364C8B423567e58d2110","type":"smart_contract","addedAt":"2023-12-14T21:00:00.000Z","revision":1,"descriptio
n":"EzEthToken","isPrimacyOfImpact":null},{"id":"7iyNZdHTsmKf85DKBNpvg8","url":"https://etherscan.io/address/0xbAf5f3A05BD7Af6f3a0BBA207803bf77e2657c8F","type":"smart_contract","addedAt":"2023-12-14T21:00:00.000Z","revision":1,"description":"OperatorDelegator1","isPrimacyOfImpact":null},{"id":"5Bl0VAZXGvic1OELvNg4tb","url":"https://etherscan.io/address/0x5a12796f7e7EBbbc8a402667d266d2e65A814042","type":"smart_contract","addedAt":"2023-12-14T21:00:00.000Z","revision":1,"description":"RenzoOracle","isPrimacyOfImpact":null},{"id":"2R5QKpTfIhzhOS2MW2p9N9","url":"https://etherscan.io/address/0x74a09653A083691711cF8215a6ab074BB4e99ef5","type":"smart_contract","addedAt":"2023-12-14T21:00:00.000Z","revision":1,"description":"RestakeManager","isPrimacyOfImpact":null},{"id":"7EEhoxKdypaD7wQ9A00twX","url":"https://etherscan.io/address/0x22eEC85ba6a5cD97eAd4728eA1c69e1D9c6fa778","type":"smart_contract","addedAt":"2023-12-14T21:00:00.000Z","revision":1,"description":"RewardHandler","isPrimacyOfImpact":null},{"id":"5HbID7g0TtvBj9okyvtBNf","url":"https://etherscan.io/address/0x4994EFc62101A9e3F885d872514c2dC7b3235849","type":"smart_contract","addedAt":"2023-12-14T21:00:00.000Z","revision":1,"description":"RoleManager","isPrimacyOfImpact":null},{"id":"3ALAG0vSVedoODytUPN7N6","url":"https://etherscan.io/address/0x5efc9D10E42FB517456f4ac41EB5e2eBe42C8918","type":"smart_contract","addedAt":"2024-06-12T13:18:13.722Z","revision":1,"description":"WithdrawQueue","isPrimacyOfImpact":null},{"id":"GRwiCTs2Y0LvTCe4kXliZ","url":"https://app.renzoprotocol.com/","type":"websites_and_applications","addedAt":"2023-12-14T21:00:00.000Z","revision":1,"description":"Renzo Protocol 
App","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":false,"inviteOnly":false,"kyc":true,"language":["JavaScript","Solidity"],"launchDate":"2023-12-14T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5vS0LqsY8aTwXw4AXCjNrB/3a1542886af81a0885485f9187ecb693/2.0_Renzo_Black_Logo__1_.png","maxBounty":500000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Asset Management","Liquid Restaking","Token"],"programOverview":"Renzo is a Liquid Restaking Token (LRT) and Strategy Manager for EigenLayer. It is the interface to the EigenLayer ecosystem securing Actively Validated Services (AVSs) and offering a higher yield than ETH staking.\nThe protocol abstracts all complexity from the end-user and enables easy collaboration between them and EigenLayer node operators.\n\nRenzo strongly advocates for EigenLayer and its goal of facilitating permissionless innovation on Ethereum, and programmatically acquiring trust for the ecosystem. Renzo is built to promote the widespread adoption of Eigenlayer.\n\nThe Renzo Protocol is built as an interface to the EigenLayer Protocol smart contracts.  As EigenLayer will be upgrading contracts on an ongoing basis, it should be assumed that future releases may cause breaking changes against the existing deployed smart contracts in the Renzo Protocol. 
Future developments of the Renzo Protocol will be deployed in concert with EigenLayer upgrades, therefore, disclosures relating to potential future vulnerabilities from an upgrade will be out of scope.\n\nFor more information about Renzo, please visit [https://www.renzoprotocol.com/](https://www.renzoprotocol.com/)\n\nRenzo provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nRenzo will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nRenzo adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. 
\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Previous Audits__\n\nRenzo’s completed audit reports can be found at [https://github.com/Renzo-Protocol/contracts-public/blob/master/Audit/Renzo_Protocol_EVM_Contracts_Smart_Contract_Security_Assessment.pdf.](https://github.com/Renzo-Protocol/contracts-public/blob/master/Audit/Renzo_Protocol_EVM_Contracts_Smart_Contract_Security_Assessment.pdf) Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications"],"project":"Renzo Protocol","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 500 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 100 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. 
\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 10 000 - USD 100 000 depending on the funds at risk, capped at the maximum high reward. \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nCritical web/app bug reports will be rewarded with USD 25 000 only if the impact leads to:\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 10 000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Renzo team directly and are denominated in USD. However, payments are done in USDC.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"renzoprotocol","updatedDate":"2025-05-16T15:21:39.874Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Renzo is a Liquid Restaking Token (LRT) and Strategy Manager for EigenLayer. It is the interface to the EigenLayer ecosystem securing Actively Validated Services (AVSs) and offering a higher yield than ETH staking. The protocol abstracts all complexity from the end-user and enables easy collaboration between them and EigenLayer node operators.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":4682,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for more than 24 hours"},{"id":4683,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4684,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email, Password of the victim etc."},{"id":4685,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:  Email address, Phone number, Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet 
interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4686,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":4687,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, 
etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4688,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"}],"rewards":[{"id":29005,"severity":"critical","assetType":"smart_contract","maxReward":500000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":29006,"severity":"high","assetType":"smart_contract","maxReward":100000,"rewardModel":"up_to"},{"id":29007,"severity":"medium","assetType":"smart_contract","maxReward":10000,"rewardModel":"up_to"},{"id":29008,"severity":"low","assetType":"smart_contract","maxReward":1000,"rewardModel":"up_to"},{"id":29009,"severity":"critical","assetType":"websites_and_applications","maxReward":25000,"rewardModel":"up_to","otherImpactMaxReward":10000},{"id":29010,"severity":"high","assetType":"websites_and_applications","maxReward":10000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"xFqLeFIAi95hsbA666bwD","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/INFTContract.sol","type":"smart_contract","addedAt":"2025-03-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"2eNZS6JXp0St1cGB0wcXmL","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Reward.sol","type":"smart_contract","addedAt":"2025-03-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5gw0P6RnM0fhn4TajsQe3l","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/RewardSettings.sol","type":"smart_contract","addedAt":"2025-0
3-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6p8mo7YIWpEQRU1CcbfzAo","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol","type":"smart_contract","addedAt":"2025-03-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7tU3Eo7td4c7EP7lyIqRcI","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Yeet.sol","type":"smart_contract","addedAt":"2025-03-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"2E1OuFJHUqxEUx2mxvjEKh","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/YeetGameSettings.sol","type":"smart_contract","addedAt":"2025-03-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6sKxKLdCYGpT12v2lMPhYz","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/YeetToken.sol","type":"smart_contract","addedAt":"2025-03-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"710LKqRI3bHBzOPblhKWUl","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Yeetback.sol","type":"smart_contract","addedAt":"2025-03-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"71y9VksHhtKKtpTwTZR5ET","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/MoneyBrinter.sol","type":"smart_contract","addedAt":"2025-03-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"4wBHxhwWPEULWDB5zzL1S2","url":"https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/Zapper.sol","type":"smart_contract","addedAt":"2025-03-11T14:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"**Is this an upgrade of an existing system? If so, which? 
And what are the main differences?**\n\nNo\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?**\n\nERC4626, ERC-20\n\n**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**\n\nIf there are configurations that we can change that would mitigate affected areas. Pausing the game or changing game settings for example.\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nAny addresses controlled by the team—whether an EOA with elevated access or a multisig—would not typically be considered in scope for a bug report, as long as the team retains control over them.\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\n\nAny addresses controlled by the team—whether an EOA with elevated access or a multisig—would not typically be considered in scope for a bug report, as long as the team retains control over them.\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nBerachain\n\n**What external dependencies are there?**\n\ndocs.oogabooga.io, \ndocs.pyth.network/entropy, \nhttps://www.beradrome.com/ \nhttps://kodiak.finance/\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nNo\n\n**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)**\n\ndocs.yeetit.xyz","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"$30,000 USD in rewards available for finding bugs on Yeet smart contracts.\n\nKYC is not required.\n\nYeet will respond within 24 hours on weekdays to all bug reports. 
Any technical questions can be asked directly to the Yeet technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"yeet-audit-comp\" channel.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedLeaderboard":[{"high":2,"name":"merlinboii","critical":1,"earnings":7691,"insights":1,"mediumLow":2,"totalValidBugs":5},{"high":2,"name":"kmm","critical":1,"earnings":4222,"insights":0,"mediumLow":0,"totalValidBugs":3},{"high":0,"name":"max10afternoon","critical":1,"earnings":4099,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"trtrth","critical":0,"earnings":4002,"insights":3,"mediumLow":3,"totalValidBugs":4},{"high":0,"name":"RNemes","critical":0,"earnings":3384,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"robin_bl4z3","critical":0,"earnings":1150,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"yesofcourse","critical":0,"earnings":484,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":1,"name":"Oxl33","critical":1,"earnings":425,"insights":1,"mediumLow":2,"totalValidBugs":4},{"high":0,"name":"NHristov","critical":0,"earnings":274,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":1,"name":"DoD4uFN","critical":0,"earnings":233,"insights":2,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"OxAnmol","critical":0,"earnings":218,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"cryptostaker","critical":0,"earnings":218,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"kaysoft","critical":0,"earnings":218,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"ox9527","critical":1,"earnings":184,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"Ragnarok","critical":1,"earnings":154,"insights":2,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"Minnow80539","critical":0,"earnings":146,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"OldDin
go56530","critical":0,"earnings":146,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":1,"name":"dobrevaleri","critical":1,"earnings":132,"insights":1,"mediumLow":0,"totalValidBugs":2},{"high":1,"name":"Oxgritty","critical":1,"earnings":110,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":1,"name":"nnez","critical":1,"earnings":110,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":1,"name":"BenR","critical":0,"earnings":109,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"Bluedragon","critical":0,"earnings":94,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Yaneca_b","critical":1,"earnings":87,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"pontifex","critical":1,"earnings":87,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"peppef","critical":1,"earnings":82,"insights":2,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"x60scs","critical":1,"earnings":75,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"X0sauce","critical":0,"earnings":72,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"p0wd3r","critical":0,"earnings":72,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"Ace30","critical":0,"earnings":72,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"valy001","critical":0,"earnings":72,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"Le_Rems","critical":0,"earnings":72,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"chista0x","critical":0,"earnings":59,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"h2134","critical":0,"earnings":59,"insights":4,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Oxrochimaru","critical":0,"earnings":56,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"DSbeX","critical":0,"earnings":49,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"zaevlad","critical":0,"earnings":49,"insights":0,"mediumLow":1,"totalValidBu
gs":1},{"high":0,"name":"MarsKittyHacker","critical":0,"earnings":49,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"T0_Socrates","critical":0,"earnings":49,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"pxng0lin","critical":0,"earnings":44,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Victor_TheOracle","critical":0,"earnings":44,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"rajkaur","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"armormadeofwoe","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Pyro","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"InquisitorScythe","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"zeroK","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"aksoy","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"whitehatanon1","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"aman","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"vladi319","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Oxodus","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Ekko","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"testnate","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"hustling0x","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"greed","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Oxgee001","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Invcbull","critical":1
,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Bani70","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"KaptenCrtz","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"x0bserver","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"libro9595","critical":1,"earnings":38,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Oxbakeng","critical":0,"earnings":37,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"ZeroXGondar","critical":0,"earnings":37,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"OxSimao","critical":0,"earnings":37,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"perseverance","critical":0,"earnings":30,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"magtentic","critical":0,"earnings":22,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"k1k1","critical":0,"earnings":22,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"p3nc1l","critical":0,"earnings":22,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Nawsanders","critical":0,"earnings":22,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Oxblackadam","critical":0,"earnings":22,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Dimaranti","critical":0,"earnings":22,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"xdead4f","critical":0,"earnings":7,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Exp10its","critical":0,"earnings":7,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1N4hI89jA2gfWfKe3k9CA39mBuIcpooOU/view","ecosystem":null,"endDate":"2025-03-25T14:00:00.000Z","evaluationEndDate":"2025-05-09T18:03:18.249Z","features":["Boost","Vault","Managed Triage: Signal 
Booster"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2025-03-11T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1CC05KTqzC9pnQ0o7kXJ0t/dcb30f884a2cabb80ba78be5f4a59db0/yeet.png","maxBounty":30000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - low","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"To be determined","productType":null,"programOverview":"Your favorite Bonzi on berachain. Yeet is a gamified DeFi protocol in the Berachain ecosystem with no dominant game theoretic strategy. Players can win or lose money in a variety of different ways, and employ multiple types of tactics whilst playing.\n\nFor more information about Yeet, please visit https://www.yeetit.xyz/","programType":["Smart Contract"],"project":"Audit Comp | Yeet","projectType":null,"rewardsBody":"**Reward pool:**\n\nIf bugs are found → USD $30k (see [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms))\n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is (15% of the max Reward Pool) → $4.5k.\n\nDuplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid and unlock the corresponding reward pool.\n\nYeet rewards are denominated in USD and distributed in USDC on Ethereum\n\n**Proof of Concept (PoC) Requirements**\n\nFor this program, runnable PoC code is not required. 
Whitehats are instead required to write a step-by-step explanation of the PoC and impact\nThis explanation needs to be entered in the PoC section of the submission wizard to prevent the submission from being excluded by our OOS filter.","rewardsPool":30000,"primaryPool":30000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"audit-comp-yeet","tenPercentEconomicRule":false,"updatedDate":"2025-05-09T18:56:50.357Z","impactsBody":"**Build Commands, Test Commands, and How to Run Them**\n\nforge build, forge test.\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope are valid.\n\n**Code Freeze Assurance**\n\nCode of the assets in scope is frozen while the program is live.\n\n- Duplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.\n\n- The project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.","websiteUrl":"https://www.yeetit.xyz/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Yeet is a gamified DeFi protocol on Berachain that offers an interactive financial experience through strategy and timing. Its core feature, the Yeet Game, allows users to deposit BERA tokens into a pool, with the last depositor winning most of the funds. YeetBonds help protocols manage their liquidity efficiently, while Yeetard NFTs provide additional in-game benefits. \n\nThe native $YEET token can be farmed and staked for rewards. By integrating game mechanics into DeFi, Yeet fosters community engagement, liquidity solutions, and a unique way to participate in decentralized finance.  
Learn more at https://www.yeetit.xyz/","knownIssues":[{"id":36,"link":"https://drive.google.com/file/d/1JK91TgoE_t62RI7lu66V_N517P3AkA9c/view","description":"Pre-Audit Analysis","lastUpdatedAt":"2025-03-10T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- **The contract `NFTVesting.sol` is not included in the scope of this Audit Competition.**\n- **Griefing via block stuffing on berachain to prevent users from Yeeting, forcing the game to end by blocking new transactions.**\n","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":5403,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5404,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1 hour"}],"rewards":[{"level":"critical","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"6Tu7Gj2Slg0M46JvJiTFPS","url":"https://github.com/yeet-protocol/contracts/tree/main/audits","auditor":"Zellic, Shieldify, 0xweiss","date":"2024-11-11"}]},{"assets":[{"id":"71muawJZSEcxxcFEBXPZzA","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/runtime/adapters/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:03:58.117Z","revision":1,"description":"adapters","isPrimacyOfImpact":null},{"id":"01nuMq2tYpGxrGbzXg0uGB","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/asset-registry/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:04:16.058Z","revision":1,"description":"pallet-asset-registry","isPrimacyOfImpact":null},{"id":"4PwNv2enyNrANkQBexLbzA","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/asset-registry/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:04:33.494Z","revision":1,"description":"pallet-asset-registry","isPrimacyOfImpact":null},{"id":"1HxjdXJVCmv6T46M0AT2Yi","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/bonds/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:04:49.175Z","revision":1,"description":"pallet-bonds","isPrim
acyOfImpact":null},{"id":"3PlcFAkBhwrritvJuSR8wk","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/circuit-breaker/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:05:07.777Z","revision":1,"description":"pallet-circuit-breaker","isPrimacyOfImpact":null},{"id":"6iVpVvxV6uuc65KbJT5b2v","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/collator-rewards/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:05:25.321Z","revision":1,"description":"pallet-collator-rewards","isPrimacyOfImpact":null},{"id":"3g1jK2uj05IPb8FEfcRbsp","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/dca/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:05:40.563Z","revision":1,"description":"pallet-dca","isPrimacyOfImpact":null},{"id":"44EmsoC9EbxpjihtULPLhx","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/dca/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:05:56.351Z","revision":1,"description":"pallet-dca","isPrimacyOfImpact":null},{"id":"54VaOualRmamaC0u1ldUAR","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/dynamic-evm-fee/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:06:12.211Z","revision":1,"description":"pallet-dynamic-evm-fee","isPrimacyOfImpact":null},{"id":"2eJQ2xV7MOJUPObgS1GGbg","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/dynamic-fees/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:06:30.057Z","revision":1,"description":"pallet-dynamic-fees","isPrimacyOfImpact":null},{"id":"6AnrJEIYTaOcp7sXHE4eC1","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/dynamic-fees/src/traits.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:06:45.119Z","revision":1,"description":"pallet-dynamic-fees","isPrimacyOfImpact":null},{"id":"DtKunFdBHOUn5wLL1Zgbe","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/dynamic-fees/src/t
ypes.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:07:02.007Z","revision":1,"description":"pallet-dynamic-fees","isPrimacyOfImpact":null},{"id":"2AzEfoxrVx9IwMtbPzLxLs","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/dynamic_fees/math.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:07:27.525Z","revision":1,"description":"Dynamic Fees Math","isPrimacyOfImpact":null},{"id":"44eUkFr0VJrI8Zk46dyOOP","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/dynamic_fees/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:07:42.979Z","revision":1,"description":"Dynamic Fees Math","isPrimacyOfImpact":null},{"id":"5tkNYrJs29SzaZ58qBsEL4","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/ema-oracle/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:07:58.561Z","revision":1,"description":"pallet-ema-oracle","isPrimacyOfImpact":null},{"id":"7HvVGTomStcFPEsLVEWCh9","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/ema-oracle/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:08:14.211Z","revision":1,"description":"pallet-ema-oracle","isPrimacyOfImpact":null},{"id":"3J45efeqjZ6hYVHntxSos5","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/ema/math.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:08:32.385Z","revision":1,"description":"EMA 
Math","isPrimacyOfImpact":null},{"id":"1vfmKRLFpTNeASkWMQF0TN","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/evm-accounts/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:08:49.301Z","revision":1,"description":"pallet-evm-accounts","isPrimacyOfImpact":null},{"id":"63m4PxGXjw0z5ntjxbawC4","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/evm-accounts/rpc/runtime-api/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:09:05.655Z","revision":1,"description":"pallet-evm-accounts","isPrimacyOfImpact":null},{"id":"2KIRB05X7LNmPFBd0VErYr","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/lbp/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:09:20.971Z","revision":1,"description":"pallet-lbp","isPrimacyOfImpact":null},{"id":"z4IuuneEbQ1LLfBR5PQo1","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/lbp/src/trade_execution.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:09:36.876Z","revision":1,"description":"pallet-lbp","isPrimacyOfImpact":null},{"id":"26aRS8aonIOxLEg2eqDjd0","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/lbp/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:09:53.385Z","revision":1,"description":"pallet-lbp","isPrimacyOfImpact":null},{"id":"6pxEKVVN7UK4xNae92oZVj","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/lbp/lbp.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:10:09.006Z","revision":1,"description":"LBP 
Math","isPrimacyOfImpact":null},{"id":"4c3N14o4sPoo0v7x4mdf8k","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/liquidity-mining/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:10:24.432Z","revision":1,"description":"pallet-liquidity-mining","isPrimacyOfImpact":null},{"id":"2YCOJbIs8hNAT0Nw21IacZ","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/liquidity-mining/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:10:39.835Z","revision":1,"description":"pallet-liquidity-mining","isPrimacyOfImpact":null},{"id":"31ue1qOOLo3lKzMfDJfXnE","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/liquidity_mining/liquidity_mining.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:10:55.751Z","revision":1,"description":"Liquidity Mining Math","isPrimacyOfImpact":null},{"id":"3z2dz2poNV0wlfzCer0JB2","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/nft/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:11:11.535Z","revision":1,"description":"pallet-nft","isPrimacyOfImpact":null},{"id":"2iqXRUOgrD0Gt2htuBKolU","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/nft/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:11:26.704Z","revision":1,"description":"pallet-nft","isPrimacyOfImpact":null},{"id":"4PLfhoXnl5mWANdkp4OTwX","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/omnipool/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:11:44.639Z","revision":1,"description":"pallet-omnipool","isPrimacyOfImpact":null},{"id":"3hYHJNJq4wRHLM6IhWgck4","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/omnipool/src/provider.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:12:00.251Z","revision":1,"description":"pallet-omnipool","isPrimacyOfImpact":null},{"id":"7uHpcCyXmQr6g3smp4BU83","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/omni
pool/src/router_execution.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:12:16.494Z","revision":1,"description":"pallet-omnipool","isPrimacyOfImpact":null},{"id":"6gcXW38fDsGUGWjYRTKssI","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/omnipool/src/traits.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:12:32.386Z","revision":1,"description":"pallet-omnipool","isPrimacyOfImpact":null},{"id":"44YP26eaoc7TwpO8n2SqJz","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/omnipool/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:12:47.468Z","revision":1,"description":"pallet-omnipool","isPrimacyOfImpact":null},{"id":"1cEzl7v5C61UKeawa4Joi0","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/omnipool/math.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:13:03.489Z","revision":1,"description":"Omnipool Math","isPrimacyOfImpact":null},{"id":"4j7PTyDSlHvAbmazuXAV5t","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/omnipool/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:13:18.238Z","revision":1,"description":"Omnipool Math","isPrimacyOfImpact":null},{"id":"6pfSNL4G7zhkOfDsOI0vW5","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/omnipool_subpools/math.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:13:33.350Z","revision":1,"description":"Omnipool Subpools Math","isPrimacyOfImpact":null},{"id":"6EO2gXxaG4bONhRRrOYwqd","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/omnipool_subpools/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:13:47.904Z","revision":1,"description":"Omnipool Subpools 
Math","isPrimacyOfImpact":null},{"id":"6Fe1pcbaI3HXUhXTtiUVKk","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/omnipool-liquidity-mining/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:14:06.735Z","revision":1,"description":"pallet-omnipool-liquidity-mining","isPrimacyOfImpact":null},{"id":"7IPa8JZr61wgl5CB2gwhmg","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/otc/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:14:21.630Z","revision":1,"description":"pallet-otc","isPrimacyOfImpact":null},{"id":"3plPYsvGChMBZwqa8MNqS4","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/referrals/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:14:37.067Z","revision":1,"description":"pallet-referrals","isPrimacyOfImpact":null},{"id":"2TkBLmKCgebl2cfYqwE9Vr","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/referrals/src/traits.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:14:51.795Z","revision":1,"description":"pallet-referrals","isPrimacyOfImpact":null},{"id":"4AYTSRe2PucG9Iu3o7gweg","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/route-executor/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:15:07.780Z","revision":1,"description":"pallet-route-executor","isPrimacyOfImpact":null},{"id":"1IThf78oSll2tI1WlEtvje","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/stableswap/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:15:26.929Z","revision":1,"description":"pallet-stableswap","isPrimacyOfImpact":null},{"id":"5ANYjl6ebA4FXSeM2Ye7Nr","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/stableswap/src/trade_execution.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:15:43.421Z","revision":1,"description":"pallet-stableswap","isPrimacyOfImpact":null},{"id":"kGv0fcY1nuNJY0zD1nsKS","url":"https://github.com/galacticcouncil/HydraDX-node/blob/ma
ster/pallets/stableswap/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:16:13.500Z","revision":1,"description":"pallet-stableswap","isPrimacyOfImpact":null},{"id":"3X0L4I1i4BPEkwpU7EDaFE","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/stableswap/math.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:16:28.208Z","revision":1,"description":"Stableswap Math","isPrimacyOfImpact":null},{"id":"2FmxrLg31PSK5V3nCw1Lej","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/stableswap/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:16:43.877Z","revision":1,"description":"Stableswap Math","isPrimacyOfImpact":null},{"id":"7n0BmtNcxV9AqqqPKKSgUy","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/staking/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:17:00.691Z","revision":1,"description":"pallet-staking","isPrimacyOfImpact":null},{"id":"3VNUBgpJ1T32sHcaGykBK7","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/staking/src/integrations.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:17:16.677Z","revision":1,"description":"pallet-staking","isPrimacyOfImpact":null},{"id":"6Q08oQa67UqvY7aBwEpfl","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/staking/src/traits.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:17:34.185Z","revision":1,"description":"pallet-staking","isPrimacyOfImpact":null},{"id":"48g10sTsREf1KWvvKVKhu2","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/staking/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:17:49.529Z","revision":1,"description":"pallet-staking","isPrimacyOfImpact":null},{"id":"6oEp5rfw5htWVkCXBR9puw","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/staking/math.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:18:05.604Z","revision":1,"description":"Staking 
Math","isPrimacyOfImpact":null},{"id":"50Lx4wRkjQMfT81P9hq1xe","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/transaction-multi-payment/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:18:21.723Z","revision":1,"description":"pallet-transaction-multi-payment","isPrimacyOfImpact":null},{"id":"3EMoYYyjg5YigU54OUw8Nj","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/transaction-multi-payment/src/traits.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:18:38.074Z","revision":1,"description":"pallet-transaction-multi-payment","isPrimacyOfImpact":null},{"id":"6ZMh5y5g2QThEJgeP9Xn8O","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/transaction-pause/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:18:54.700Z","revision":1,"description":"pallet-transaction-pause","isPrimacyOfImpact":null},{"id":"1lL619uCiYUb0eZrNDdBjO","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/xcm-rate-limiter/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:19:11.052Z","revision":1,"description":"pallet-xcm-rate-limiter","isPrimacyOfImpact":null},{"id":"1Bd1QuL1d29r1X25MIcJB2","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/rate_limiter/math.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:19:26.170Z","revision":1,"description":"Rate Limiter 
Math","isPrimacyOfImpact":null},{"id":"AezU4vwIcIxd4M70uH3ax","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/xyk/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:19:42.433Z","revision":1,"description":"pallet-xyk","isPrimacyOfImpact":null},{"id":"5cGmSBCpRlCYRjDySiGH5Y","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/xyk/src/impls.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:19:59.265Z","revision":1,"description":"pallet-xyk","isPrimacyOfImpact":null},{"id":"4BDuMDQtZKSu8drV4RZquW","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/xyk/src/trade_execution.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:20:14.890Z","revision":1,"description":"pallet-xyk","isPrimacyOfImpact":null},{"id":"7r45zSywcIHwYVP0b2qKiz","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/pallets/xyk/src/types.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:20:30.594Z","revision":1,"description":"pallet-xyk","isPrimacyOfImpact":null},{"id":"6ezBmfoE4RIKrgjKMSUmSS","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/math/src/xyk/math.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:20:46.507Z","revision":1,"description":"XYK Math","isPrimacyOfImpact":null},{"id":"3GSYSsudgCqQuyQUYTKlro","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/traits/src/lib.rs","type":"blockchain_dlt","addedAt":"2024-03-19T19:21:01.750Z","revision":1,"description":"traits lib","isPrimacyOfImpact":null},{"id":"2Hk5yJW6r51xTeeqmAOn25","url":"https://github.com/galacticcouncil/apps","type":"websites_and_applications","addedAt":"2024-03-19T19:21:17.057Z","revision":1,"description":"repo #1","isPrimacyOfImpact":null},{"id":"68rSpYrMuSXddFTyNj8M3F","url":"https://github.com/galacticcouncil/Hydradx-ui/","type":"websites_and_applications","addedAt":"2024-03-19T19:21:32.557Z","revision":1,"description":"repo 
#2","isPrimacyOfImpact":null},{"id":"4xojqBYDGuYBTDiACni5Wt","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/runtime/hydradx/src/evm/precompiles/multicurrency.rs","type":"blockchain_dlt","addedAt":"2024-05-21T15:55:43.715Z","revision":1,"description":"EVM precompiles","isPrimacyOfImpact":null},{"id":"6jZACdW9Phlm9I1n4bW6JA","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/runtime/hydradx/src/evm/evm_fee.rs","type":"blockchain_dlt","addedAt":"2024-05-21T15:55:57.977Z","revision":1,"description":"EVM precompiles","isPrimacyOfImpact":null},{"id":"7bdGwvJRJYfq7EzbYezjek","url":"https://github.com/galacticcouncil/HydraDX-node/blob/master/runtime/hydradx/src/evm/permit.rs","type":"blockchain_dlt","addedAt":"2024-05-21T15:56:13.250Z","revision":1,"description":"EVM precompiles","isPrimacyOfImpact":null},{"id":"7wTBL49d9nthSTLdN8Pe4x","url":"https://github.com/galacticcouncil/hydration-node/blob/master/pallets/broadcast/src/lib.rs","type":"blockchain_dlt","addedAt":"2025-05-09T09:01:42.572Z","revision":1,"description":"pallet-broadcast","isPrimacyOfImpact":null},{"id":"3vFp29CvRy03aY5KryRrtT","url":"https://github.com/galacticcouncil/hydration-node/blob/master/pallets/dispatcher/src/lib.rs","type":"blockchain_dlt","addedAt":"2025-05-09T09:02:03.224Z","revision":1,"description":"pallet-dispatcher","isPrimacyOfImpact":null},{"id":"5W4Ql7krpjExMgpxosspyv","url":"https://github.com/galacticcouncil/hydration-node/blob/master/pallets/liquidation/src/lib.rs","type":"blockchain_dlt","addedAt":"2025-05-09T09:02:27.288Z","revision":1,"description":"pallet-liquidation","isPrimacyOfImpact":null},{"id":"73U9AyGG2wtesYQHORxMCa","url":"https://github.com/galacticcouncil/hydration-node/blob/master/pallets/otc-settlements/src/lib.rs","type":"blockchain_dlt","addedAt":"2025-05-09T09:02:55.148Z","revision":1,"description":"pallet-otc-settlements","isPrimacyOfImpact":null},{"id":"6hShwlc6WesENpW1GhLf9X","url":"https://github.com/galacticcouncil/hydration-no
de/blob/master/pallets/xyk-liquidity-mining/src/lib.rs","type":"blockchain_dlt","addedAt":"2025-05-09T09:03:20.792Z","revision":1,"description":"pallet-xyk-liquidity-mining","isPrimacyOfImpact":null}],"assetsBodyV2":"Payouts under the Hydration bug bounty program are only made for reports of vulnerabilities which fall under the scope of the program. You can find a full overview of all assets which are in scope hereunder.\n\nIf an impact can be caused to any other asset managed by Hydration that isn’t on this table but for which the impact is in the “Impacts in Scope” section below, you are encouraged to submit it for the consideration by the project. This applies only to Critical impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Polkadot"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust"],"launchDate":"2023-02-20T20:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3lm40Mobfxo3pFJkKBXPuc/b12c4e4926c6c5185a9b2a0ce7ae106a/Hydration.png","maxBounty":500000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","blockchain_dlt - critical","blockchain_dlt - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["AMM","DEX","Staking"],"programOverview":"Hydration is the leading liquidity protocol on Polkadot. Its mission is to make DeFi efficient, simple, and unstoppable. 
To achieve this, Hydration unites swaps, lending and a stablecoin currency under the roof of a single, scalable appchain.\n\nFor more information about Hydration, please visit [https://hydration.net/](https://hydration.net/).","programType":["Blockchain/DLT","Websites and Applications"],"project":"Hydration","projectType":["Blockchain","Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All High and Critical Blockchain bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code are required.\n\nThe rewards for reporting Critical Blockchain vulnerabilities are capped at __10%__ of the potential economic damage, or __USD 500,000__ (whichever is lower). Economic damage is limited to the situation where there is a reasonable risk for existing funds on the Hydration platform. Indirect damages such as reputational damage are out of scope. \n\nSimulations of attack scenarios will only be accepted if they fulfil the following criteria:\n\n- The simulation should account for all security measures present on the Hydration Mainnet, such as: fees (trade, add liquidity, withdraw liquidity etc), liquidity limits and caps, and others;\n- The ratio of value-at-risk to extractable-value should not exceed 5:1 (e.g. 
an attack with $5M should be able to extract at least $1M);\n- The simulation should account for price arbitrage to happen at least once every 5 blocks;\n- The total execution time of the attack should not exceed 2h.\n\nThe assessment of the extent of any potential economic damage is at the full discretion of the Galactic Council. However, there is a minimum reward of ___USD 15,000___ for reporting any vulnerability which can be classified under the category Critical Blockchain.\n\nAll potential vulnerabilities are assessed by the Galactic Council based on internally established criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in place. \n\nHigh Blockchain/DLT vulnerabilities are scaled based on internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in place. However, there is a minimum reward of __USD 5,000__; rewards will be provided at the determined fair value by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program.\n\nWith regard to Blockchain vulnerabilities, only code involving runtime pallets of Hydration and pallets developed by Galactic Council are considered as in-scope of the bug bounty program. Pallets that are not in the mainnet runtime, are not live or are under development are considered as out-of-scope of the bug bounty program. \n\nPayouts are handled by the __Galactic Council__ directly and are denominated in USD. 
However, the payouts are done in __HDX__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"HDX","slug":"hydration","updatedDate":"2025-05-09T09:03:47.059Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Hydration is the leading liquidity protocol on Polkadot. Its mission is to make DeFi efficient, simple, and unstoppable. To achieve this, Hydration unites swaps, lending and a stablecoin currency under the roof of a single, scalable appchain.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- DDoS vulnerabilities\n- Feature requests\n- Issues related to the frontend without concrete impact and PoC\n- Best practices issues without concrete impact and PoC","customProhibitedActivities":[],"impacts":[{"id":3862,"type":"blockchain_dlt","severity":"low","title":"DoS of greater than 10% but less than 30% of validator or miner nodes without shutting down the network"},{"id":3863,"type":"blockchain_dlt","severity":"high","title":"Blocking or modifying governance processes"},{"id":3864,"type":"blockchain_dlt","severity":"high","title":"Blocking users from accessing their funds"},{"id":3865,"type":"blockchain_dlt","severity":"high","title":"Theft of unclaimed yield"},{"id":3866,"type":"blockchain_dlt","severity":"high","title":"Stalling the chain for at least 222 minutes"},{"id":3867,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc"},{"id":3868,"type":"blockchain_dlt","severity":"medium","title":"Putting on-chain data into an unexpected state without interrupting the system or users from performing their 
tasks"},{"id":3869,"type":"websites_and_applications","severity":"medium","title":"Open redirect"},{"id":3870,"type":"websites_and_applications","severity":"medium","title":"Taking down the application"},{"id":3871,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":3872,"type":"blockchain_dlt","severity":"critical","title":"Governance compromise"},{"id":3873,"type":"blockchain_dlt","severity":"critical","title":"Identity theft that compromises user’s assets (fungible, non-fungibles)"},{"id":3874,"type":"blockchain_dlt","severity":"critical","title":"Unauthorized token minting"},{"id":3875,"type":"blockchain_dlt","severity":"critical","title":"Unauthorized NFT minting"},{"id":3876,"type":"blockchain_dlt","severity":"critical","title":"Omnipool account theft"},{"id":3877,"type":"blockchain_dlt","severity":"critical","title":"Omnipool manipulation resulting in loss/theft of liquidity"},{"id":3878,"type":"blockchain_dlt","severity":"critical","title":"Double spending"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":3879,"type":"blockchain_dlt","severity":"critical","title":"Transaction/consensus manipulation"},{"id":3880,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user’s assets (fungibles, non-fungibles)"},{"id":3881,"type":"websites_and_applications","severity":"critical","title":"Performing state modifying action without user’s consent such as making trades, transfers, withdrawals etc."},{"id":3882,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover (only applies to main Hydration web 
app)"}],"rewards":[{"id":28491,"severity":"critical","assetType":"blockchain_dlt","maxReward":500000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":28492,"severity":"high","assetType":"blockchain_dlt","maxReward":15000,"minReward":5000,"rewardModel":"range"},{"id":28493,"severity":"medium","assetType":"blockchain_dlt","fixedReward":5000,"rewardModel":"fixed"},{"id":28494,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":28495,"severity":"critical","assetType":"websites_and_applications","maxReward":15000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":28496,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":28497,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"332cKgUZjh9d8eiL2AsJPa","url":"https://docs.xapp.folks.finance/developers/contracts","type":"smart_contract","addedAt":"2024-09-26T08:15:12.081Z","revision":1,"description":"Core","isPrimacyOfImpact":null},{"id":"5Hesl9fBmF3YG5mtOVHOE9","url":"https://docs.folks.finance/developer/contracts","type":"smart_contract","addedAt":"2022-05-10T15:54:58.801Z","revision":2,"description":"Core","isPrimacyOfImpact":null}],"assetsBodyV2":"In the Github link in the Assets in Scope table, only Exact Match Verified smart contracts are considered as in-scope of the bug bounty 
program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Algorand","Avalanche","ETH","Base","Arbitrum","BSC"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Python","Solidity"],"launchDate":"2022-03-31T17:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4TM7aspvZxpPR9ToJuIZWC/fe0d98e1960bf04060fc9d764c9cc23a/folks_finance.png","maxBounty":200000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"Algorand","prioritizedVulnerabilities":"In case of discrepancy between [Immunefi Vulnerability Severity Classification System V2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2/) and Folks Finance’s classification above, Folks Finance classification will be followed.","productType":["Lending"],"programOverview":"Folks Finance is a community-driven DeFi protocol offering a variety of tools for digital asset management\n\nFor more information about Folks Finance, please visit [https://folks.finance/](https://folks.finance/). \n\nThis bounty program will expire on 31.12.2025","programType":["Smart Contract"],"project":"Folks Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nSmart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. 
Explanations and statements are not accepted as PoC and code is required.\n\nHigh and Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 50 000__ for Critical and __USD 10 000__ for High. \n\nAll vulnerabilities marked in the following Github repository [https://github.com/Folks-Finance/audits](https://github.com/Folks-Finance/audits) are ineligible for a reward\n\nBug reports related solely to external incentives distributed on top of the protocol are downgraded in severity by one level. \n\nBug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. Previous known issues can be found at https://github.com/Folks-Finance/folks-finance-xchain-contracts/issues?q=is%3Aissue+is%3Aclosed. \n\nIn addition, below are known issues that the project is aware of but has consciously decided not to “fix”:\n\n- Griefing through consuming external rate limits of tokens e.g. Circle CCTP rate limits for USDC\n- Griefing through consuming internal rate limits where we have the ability to respond by temporarily boosting capacity\n- Dust positions not being liquidated because of gas fees\n- Manipulation of stable borrow rate to get cheaper borrow\n- Liquidation leading to bad debt when we are prioritising the certainty of a lesser amount of bad debt against the risk of incurring a larger amount of bad debt\n\n__KYC__ shall be completed for bug bounty hunters submitting a vulnerability report and requesting a reward for Critical and High Smart Contracts vulnerabilities. The basic information needed is full name, residential address, and passport details (DOB, issuing country and passport number). 
Based on the basic information submitted, Folks Finance team may request further information at its sole discretion for compliance with applicable laws.\n\nAdditionally, all levels of bug bounty hunters submitting a vulnerability report and requesting a reward need to submit certification that \n- (i) they are not acting, directly or indirectly, for or on behalf of any person, group, entity, or nation named by any Executive Order or the United States Treasury Department as a terrorist, “Specially Designated National and Blocked Person,” or other banned or blocked person, entity, nation, or transaction pursuant to any law, order, rule or regulation that is enforced or administered by the Office of Foreign Assets Control; and  \n- (ii) they are not engaging in, instigating or facilitating this transaction, directly or indirectly, on behalf of any such person, group, entity, or nation. They also need to submit an attestation that all information provided is true, correct, up-to-date and not misleading. The collection of this information will be done by the Folks Finance team.\n\nPayouts are handled by the __Folks Finance__ team directly and are denominated in USD. 
However, payouts are done in __USDCa__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDCa","slug":"folksfinance","updatedDate":"2025-05-05T14:42:26.281Z","impactsBody":null,"websiteUrl":"https://folks.finance/","githubUrl":"https://github.com/Folks-Finance","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_auditor","no_employee"],"responsiblePublicationCategory":"category_3","description":"Folks Finance is a community-driven DeFi protocol offering a variety of tools for digital asset management","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n- Attacks that the reporter has already exploited themselves, leading to damage\n- Attacks requiring access to leaked keys/credentials\n- Attacks requiring access to privileged addresses (governance, strategist)\n\n__Smart Contracts and Blockchain__\n\n- Incorrect data supplied by third party oracles and market manipulation\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts relying on the depegging of an external token where the attacker does not directly cause the depegging from a bug in the in-scope contracts\n- Basic economic governance attacks (e.g. 
51% attack)\n- Lack of liquidity\n- Best practice critiques\n- Sybil attacks\n- Centralization risks\n","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":5368,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 48 hours"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":5369,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 24 hours"}],"rewards":[{"id":13618,"severity":"critical","assetType":"smart_contract","maxReward":200000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":13619,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":13620,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":13621,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3Q3432H5w75gKyGW39pbNw","url":"https://explorer.haven1.org/address/0x20234d842CC8502f583F1EfDc63950DEE047f462","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"2G2FynR1LhH1fpC6ItaWl2","url":"https://explorer.haven1.org/address/0xE352B5DE61d72e22e06A3bdDd5D3Fa6FF25A5C80","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"Q9rZYNmNTlA9HthUBJldZ","url":"https://explorer.haven1.org/address/0x064735F398E707752F9Eabd6F81D98Ac5cE672A8","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"7aPvMLZWdFKs9SHEbEHoXN","url":"https://explorer.haven1.org/address/0x64833078c3665df17529E98bEF62fB90Dac53B67","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"wOHSnBBfbtgBmsH3cBf9G","url":"https://explorer.haven1.org/address/0x716ED8C844495aBf237C170E0a0a7b7a9566dBf6","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core 
Contracts","isPrimacyOfImpact":null},{"id":"21LpEeMVjlhm7dImwnjH06","url":"https://explorer.haven1.org/address/0x708E6dd0452D2C245e7d461c6c8B70F587ca3167","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"1jWpBWWqZww2QozML48Th3","url":"https://explorer.haven1.org/address/0xac488B7E18Cef83aC300E9ffD9324BAa5BB62a13","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"6kTUlhqHj2H9ebcHyr2ufY","url":"https://explorer.haven1.org/address/0xd10A542F088099b880B2CDF269B85df2F9dd3A23","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"4EhdMqBZImIGvgHd3wYK3Z","url":"https://explorer.haven1.org/address/0x0F0B779e21579Cc56E00Bb018707e4449cA11E08","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"1njqhIVrWciJkA4WJ5McqC","url":"https://explorer.haven1.org/address/0xEDf674ed9FEe3b568110ea9d6B664133FbE8D87a","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"4cJPq9ZOT90rgfJ42uPSq0","url":"https://explorer.haven1.org/address/0x43eb2296AB0E642C11BBdb44847390C4869650eb","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"4QxA6pL69Sc4dHGg8nhzBE","url":"https://explorer.haven1.org/address/0x1c82cD17C9D06ADB43E730713913369c43B5EE0c","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core Contracts","isPrimacyOfImpact":null},{"id":"41ppbAePNnhmHFucS3SQ0S","url":"https://explorer.haven1.org/address/0x97AEE1CB38A055bCA22F0C998ccF7A2f6A865B87","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Core 
Contracts","isPrimacyOfImpact":null},{"id":"a0zN30KLbJF3f0TXyvUbw","url":"https://immunefi.com","type":"smart_contract","addedAt":"2025-04-30T12:58:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2025-04-30T12:58:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5vvfy5qYACiilc6H32yvlJ/dfb4dd89e109cfb705f93bc4109f81ad/Haven1.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities are prioritised according to impact and/or severity.","productType":null,"programOverview":"Haven1 is a REKT-Resistant EVM L1 blockchain meticulously designed to prevent onchain hacks, scams and rug pulls through network-level safety guardrails that connect verified users to verified builders so they can interact with complete peace-of-mind. \n\nFor more information about Haven1, please visit [https://haven1.org/](https://haven1.org/)\n\nHaven1 provides rewards in USDC on ETH, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nHaven1 will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list \n- Official contributor, past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nHaven1 adheres to **category 2 - Notice Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\nHaven1 adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contracts - Critical\n- Smart Contracts - High \n- Smart Contracts - Medium\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n__Previous Audits__\n\nHaven1’s completed audit reports can be found at:\n\n- [https://github.com/haven1network/permissions-contracts-sc](https://github.com/haven1network/permissions-contracts-sc). 
\n- [https://github.com/zokyo-sec/audit-reports/tree/main/Haven1](https://github.com/zokyo-sec/audit-reports/tree/main/Haven1)\n- [https://hashlock.com/audits/haven1](https://hashlock.com/audits/haven1)\n\nAny unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Haven1 has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"Haven1","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). 
\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 25 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the first attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 6 000 - USD 20 000 depending on the funds at risk, capped at the maximum high reward.  \n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. 
Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Haven1 team directly and are denominated in USD. However, payments are done in USDC on ETH.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"haven1","tenPercentEconomicRule":false,"updatedDate":"2025-05-05T07:54:19.737Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_2","description":"","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"}],"rewards":[{"id":28078,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":15000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":28079,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":1000,"rewardModel":"range"},{"id":28080,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"7xWIGH0ijV61mhyKk5sq9J","url":"https://github.com/deri-protocol/deriprotocol-v4","type":"smart_contract","addedAt":"2022-02-10T11:54:42.881Z","revision":5,"description":"Deri V4 
(EVM)","isPrimacyOfImpact":null},{"id":"mLbhg7gSac9sVAu0hD01F","url":"https://deri.io","type":"websites_and_applications","addedAt":"2022-08-31T08:08:45.018Z","revision":2,"description":"Main Web/App","isPrimacyOfImpact":null},{"id":"5ufrEldg3c5N3ruw7Woyro","url":"https://github.com/deri-protocol/deriprotocol-v4-supra","type":"smart_contract","addedAt":"2025-04-29T14:58:10.356Z","revision":1,"description":"Deri V4 Supra Chain (Move)","isPrimacyOfImpact":null}],"assetsBodyV2":"In the Github link in the Assets in Scope table, only Exact Match Verified smart contracts are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC","ETH","Heco","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-09-14T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1vaEedQcs3Gfn9vzeJOLZJ/0cf99504218c2ba8af3b91595d460161/Deri.png","maxBounty":10000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts__\n\n__Critical__\n\n  - Any governance voting result manipulation\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Miner-extractable value (MEV)\n  - Insolvency\n  - Trading front-run results in significant fund loss \n  - Flashloan attacks or manipulations\n\n__High__\n\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds for over one hour\n  - Making trading profit in any unfair ways\n  - Sandwich attacks without any slippage control mechanisms\n\n__Medium__\n\n  - Smart contract unable to operate due to lack of funds \n  - Block stuffing for profit\n  - Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)\n  - Theft of gas\n  - Unbounded gas consumption \n\n__Websites and Applications__\n\n__Critical__\n\n  - Ability to execute system commands\n  - Taking Down the application/website\n  - Bypassing Authentication\n  - Signing transactions for other users\n  - Redirection of user deposits and withdrawals\n  - Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)\n  - Wallet interaction modification resulting in financial loss\n  - Direct theft of user funds \n  - Tampering with transactions submitted to the user’s wallet\n  - Submitting malicious transactions to an already-connected wallet","productType":["AMM","Derivatives","Options","Oracle"],"programOverview":"Deri, your option, your future!\n\nDeri Protocol is the DeFi way to trade derivatives: to hedge, to speculate, to arbitrage, all on chain. With Deri Protocol, trades are executed under AMM paradigm and positions are tokenized as NFTs, highly composable with other DeFi projects. 
Having provided an on-chain mechanism to exchange risk exposures precisely and capital-efficiently, Deri Protocol has minted one of the most important blocks of the DeFi infrastructure. \n\nFor more information about Deri, please visit [https://deri.io/](https://deri.io). \n\nThis bug bounty program is focused on their smart contracts, websites and applications and is focused on preventing the following impacts:\n\n  - Any governance voting result manipulation\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Miner-extractable value (MEV)\n  - Insolvency\n  - Trading front-run results in significant fund loss \n  - Flashloan attacks or manipulations","programType":["Smart Contract","Websites and Applications"],"project":"Deri Protocol","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nPayouts are handled by the __Deri Protocol__ team directly and are denominated in USD. 
However, payouts are done in __DERI__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"DERI","slug":"deriprotocol","tenPercentEconomicRule":false,"updatedDate":"2025-04-29T14:58:37.924Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Deri Protocol is the DeFi way to trade derivatives: to hedge, to speculate, to arbitrage, all on chain. With Deri Protocol, trades are executed under AMM paradigm and positions are tokenized as NFTs, highly composable with other DeFi projects.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":990,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for over one hour"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":991,"type":"smart_contract","severity":"high","title":"Making trading profit in any unfair ways"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":992,"type":"smart_contract","severity":"high","title":"Sandwich attacks without any slippage control mechanisms"},{"id":993,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of funds"},{"id":994,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":995,"type":"smart_contract","severity":"critical","title":"Trading front-run"},{"id":996,"type":"smart_contract","severity":"critical","title":"Flashloan attacks or manipulations"},{"id":997,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":998,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":999,"type":"smart_contract","severity":"critical","title":"Insolvency"},{"id":1000,"type":"websites_and_applications","severity":"critical","title":"Ability to execute system commands"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":1001,"type":"websites_and_applications","severity":"critical","title":"Signing transactions for other users"},{"id":1002,"type":"websites_and_applications","severity":"critical","title":"Bypassing Authentication"},{"id":1003,"type":"websites_and_applications","severity":"critical","title":"Redirection of user deposits and withdrawals"},{"id":1004,"type":"websites_and_applications","severity":"critical","title":"Wallet interaction modification resulting in financial loss"},{"id":1005,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":1006,"type":"websites_and_applications","severity":"critical","title":"Tampering with transactions submitted to 
the user’s wallet"},{"id":1007,"type":"websites_and_applications","severity":"critical","title":"Submitting malicious transactions to an already-connected wallet"}],"rewards":[{"id":9425,"severity":"critical","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":9426,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":9427,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":9428,"severity":"critical","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed","otherImpactMaxReward":0}],"audits":[]},{"assets":[{"id":"TyUVMre7mywP6WdN1SNZP","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/LBTC/ILBTC.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":5,"description":"LBTC","isPrimacyOfImpact":null},{"id":"7Bd0GuZ3AOuCN6CSODSv4Y","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/LBTC/LBTC.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"LBTC","isPrimacyOfImpact":null},{"id":"4BwxSuI64JQk3gYJTefLN2","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bascule/BasculeV2.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bascule","isPrimacyOfImpact":null},{"id":"bduVlaFsB5zlR3GKAt93Z","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bascule/interfaces/IBascule.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bascule","isPrimacyOfImpact":null},{"id":"3Sm2VA0rsYG32OdFvwU2vW","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/
bridge/Bridge.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bridge","isPrimacyOfImpact":null},{"id":"5CHnoLEJZE2FqtlIh5uLOw","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bridge/IBridge.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bridge","isPrimacyOfImpact":null},{"id":"5qEokv46JqtQvPfYzijBll","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/interfaces/IConsortiumConsumer.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Interfaces","isPrimacyOfImpact":null},{"id":"74ZQOeucJBGvhkiq9T70QZ","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bridge/adapters/TokenPool.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":1,"description":"Bridge","isPrimacyOfImpact":null},{"id":"7nXoVutrGUtjiSS1SgYqa3","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bridge/adapters/CLAdapter.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bridge","isPrimacyOfImpact":null},{"id":"43wpvlvzo8CWdHB9XGrVcF","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bridge/adapters/IAdapter.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bridge","isPrimacyOfImpact":null},{"id":"2nQGolgjOeCfMYp7FI3Krp","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bridge/adapters/AbstractAdapter.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bridge","isPrimacyOfImpact":null},{"id":"61qmoEGkVbx70QUfB8fR2K","url":"https://github.com/lombard-finance/
evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bridge/oft/LBTCBurnMintOFTAdapter.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bridge","isPrimacyOfImpact":null},{"id":"7Io4UhivMEiyn3Rut7r9oC","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bridge/oft/EfficientRateLimitedOFTAdapter.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":3,"description":"Bridge","isPrimacyOfImpact":null},{"id":"2iZ2U73JsIngTWWczWQdFH","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bridge/oft/EfficientRateLimiter.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bridge","isPrimacyOfImpact":null},{"id":"3OW5ItxNem9zMKLi08q3st","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/bridge/oft/LBTCOFTAdapter.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Bridge","isPrimacyOfImpact":null},{"id":"7nQ5ygrIj9PAy3Qfi1NJQo","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/consortium/Consortium.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Consortium","isPrimacyOfImpact":null},{"id":"10dx2ch37icv9iC90WKjcJ","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/consortium/INotaryConsortium.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Consortium","isPrimacyOfImpact":null},{"id":"7FWt6xn6tIxTdMpBtCdnTo","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/consortium/LombardTimeLock.sol","type":"smart_contract","addedAt":"20
24-12-18T16:00:00.000Z","revision":2,"description":"Consortium","isPrimacyOfImpact":null},{"id":"3OmmdjpVqr5rIQl9Qt33dN","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/consortium/ILombardTimelockController.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Consortium","isPrimacyOfImpact":null},{"id":"3QF1V7EzuQvtwwX9lPcX04","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/factory/ProxyFactory.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"Factory","isPrimacyOfImpact":null},{"id":"E4xk7LFaA16aBEExFFqki","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/libs/Actions.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"libs","isPrimacyOfImpact":null},{"id":"5b9lHpWF4nlmBEP26aZ7RI","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/libs/BitcoinUtils.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"libs","isPrimacyOfImpact":null},{"id":"5pGo0e3ZUJCZeIgOZ6Tp9O","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/libs/EIP1271SignatureUtils.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"libs","isPrimacyOfImpact":null},{"id":"5uirmGLaSSzmo08j58UWvX","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/libs/FeeUtils.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"libs","isPrimacyOfImpact":null},{"id":"1ZYaXX9RlaDoD26DjsY03L","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1c
c67c1c4e19079437e/contracts/libs/IProxyAdmin.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"libs","isPrimacyOfImpact":null},{"id":"6LmulFFyxjahzIcA0eWVLh","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/libs/RateLimits.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"libs","isPrimacyOfImpact":null},{"id":"VScAqSdHFlAQzNaowp6hD","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/pmm/BTCB/BTCB.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"pmm","isPrimacyOfImpact":null},{"id":"46OLwb3cCsAbPUECgRoLTt","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/pmm/CBBTC.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"(same as BTCB.sol with renamed functions)","isPrimacyOfImpact":null},{"id":"2qUy53cxwR1UhFMEXUofLi","url":"https://github.com/lombard-finance/evm-smart-contracts/blob/edd557006050ee5b847fa1cc67c1c4e19079437e/contracts/fbtc/PartnerVault.sol","type":"smart_contract","addedAt":"2024-12-18T16:00:00.000Z","revision":2,"description":"fbtc","isPrimacyOfImpact":null},{"id":"5K8zp14W8IIOvXsljVlV7R","url":"https://github.com/lombard-finance/evm-smart-contracts/commit/edd557006050ee5b847fa1cc67c1c4e19079437e","type":"smart_contract","addedAt":"2024-12-19T10:42:41.513Z","revision":1,"description":"Final commit hash","isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n__Previous Audits__\n\nLombard’s completed audit reports can be found [here](https://github.com/lombard-finance/evm-smart-contracts/tree/main/docs/audit). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Primacy of Impact vs Primacy of Rules__\n\nLombard adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Lombard has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid 
reports are available [here](https://drive.google.com/drive/folders/1Av4itxzWFuAykHmPdVLCkNNx4U1oG4ND)\n\nAll paid bug reports are available in original format here --> [Reports: Lombard Audit Competition](https://reports.immunefi.com/lombard)","boostedIntroLive":"$20,000 - $100,000 USD in rewards available for finding bugs in Lombard codebase of about 3500 nSLOC. KYC is required.\n\nAny technical questions and support requests can be asked directly to Lombard or Immunefi in the [Lombard Audit Competition Discord channel](https://discord.com/channels/787092485969150012/1318226749347074149).\n\nWhen the Audit Competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$20,000 - $100,000 USD in rewards available for finding bugs on Lombard smart contracts.\n\nKYC is required.\n\nLomabard will respond within 24 hours on weekdays to all bug reports. Any technical questions can be asked directly to the Lombard technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"lombard-audit-comp\" channel.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, we’ll share a technical walkthrough in the Discord channel.\n\nJoin our Discord for more 
updates.","boostedLeaderboard":[{"high":0,"name":"perseverance","critical":0,"earnings":10841,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"holydevoti0n","critical":0,"earnings":8131,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"security","critical":0,"earnings":4238,"insights":1,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"OxAlix2","critical":0,"earnings":2905,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"MrMorningstar","critical":0,"earnings":2775,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"iamandreiski","critical":0,"earnings":2147,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"jasonxiale","critical":0,"earnings":1334,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"nnez","critical":0,"earnings":1334,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Shahen","critical":0,"earnings":519,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"IlIlHunterlIlI","critical":0,"earnings":194,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"c4a4dda89","critical":0,"earnings":194,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"focusoor","critical":0,"earnings":194,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"OxAnmol","critical":0,"earnings":130,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"huntercheto","critical":0,"earnings":65,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1Q_GTHwJxCKkduR5P0yLuvWg3IuySyhU-/view?usp=sharing","ecosystem":null,"endDate":"2025-01-08T16:00:00.000Z","evaluationEndDate":"2025-02-14T13:21:28.298Z","features":["Boost","Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-12-18T16:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5ER98zQbbMd0ecna1Kk5Di/276c155814568872cab8d53286f0f898/Lombard__Finance.png","maxBounty":100000,"outOfScopeAndRules":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - low","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"To be determined","productType":null,"programOverview":"Lombard is on a mission to unlock Bitcoin's potential as a dynamic financial tool by connecting it to DeFi with LBTC. LBTC is a secure Bitcoin LST, developed by Lombard on top of Babylon. It's a yield-bearing, natively cross-chain, liquid Bitcoin backed 1:1 by BTC. With LBTC, Bitcoin can be held as a store of value and simultaneously used to lend, borrow, stake, trade, and transfer in DeFi across multiple blockchain ecosystems.\n\nFounded in April 2024, Lombard is dedicated to unlocking Bitcoin's potential as a dynamic financial tool by connecting it to DeFi. 
Lombard is building the universal standard for Bitcoin. Secured by Bitcoin-aligned ecosystem players, Lombard enables the yield-bearing BTC to move cross-chain without fragmenting liquidity, paving the way to become the single largest catalyst for onboarding net new capital into DeFi.\n\nBitcoin represents over 50% of the cryptocurrency market. But its interoperability with DeFi has been limited to date.\n\nOur flagship product, LBTC—a yield-bearing, cross-chain, liquid Bitcoin backed 1:1 by BTC— changes this and brings DeFi interoperability to ‘digital gold’. For the first time Bitcoin can be held as a store of value, and simultaneously used to earn, stake, trade, and transfer in DeFi at scale. Jump to LBTC.\n\nLBTC opens up new opportunities for Bitcoin holders to earn, stake, and trade on-chain, all while retaining Bitcoin as a store of value. For DeFi protocols, LBTC provides increased liquidity and user activity by unlocking $1.4 trillion new capital.\n\nLombard is currently live on Ethereum mainnet in Public Beta, where eligible participants are staking native BTC and minting LBTC.\n\nFor more information about Lombard, please visit https://www.lombard.finance/\n\nFinal Commit report link [here](https://github.com/lombard-finance/evm-smart-contracts/commit/edd557006050ee5b847fa1cc67c1c4e19079437e)\n\nThis Audit Competition is running on mainnet. The following conditions apply:\n\n1. Lombard team will freeze the codebase during the duration of the Audit Competition\n2. Duplicates are rewarded\n\n**KYC Requirement**\n\n__Lombard will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required__\n\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID","programType":["Smart Contract"],"project":"Audit Comp | Lombard","projectType":null,"rewardsBody":"Lombard provides rewards in USDC on Ethereum, denominated in USD. The following reward terms are a summary. For the full details read our [Lombard Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31051806316433-Lombard-Audit-Competition-Reward-Terms)\n\nRewards are distributed all at once after the competition has ended. No rewards are distributed during the competition.\n\nThe reward pool size is determined by the greatest condition met. If multiple conditions are met only the largest reward pool applies. \n\n- If one or more Critical severity bugs are found, the reward pool will be - **$100,000 USD**\n- If one or more High severity bugs are found, the reward pool will be - **$75,000 USD**\n- If one or more Medium severity bugs are found, the reward pool will be - **$35,000 USD**\n- Othewise the reward pool will be - **$20,000 USD**\n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. 
\"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\nDuplicates of Insight reports are not eligible for a reward.","rewardsPool":100000,"primaryPool":100000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"audit-comp-lombard","tenPercentEconomicRule":false,"updatedDate":"2025-04-29T10:18:04.249Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n\n\n__Whitehat Educational Resources & Technical Info__\n\nhttps://docs.lombard.finance/\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__\n\nERC-20, ERC-20 Permit\n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nIf the Ethereum mainnet contract is Paused or upgraded from the audit competition version.\n\n__What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nWe use https://www.hexagate.com/ for contracts monitoring.\n\n__What addresses are considered out of scope for bug reports requiring their involvement, regardless of whether they operate within or exceed their attributed privileges?__\n\nAll admin and operational roles are out of scope\n\n__Which chains and/or networks will the code in scope be deployed to?__\n\nEthereum, Base, BSC\n\n__Is this an upgrade of an existing system? If so, which? 
And what are the main differences?__\n\nIt's an upgrade and extension of the contracts deployed here:\nhttps://etherscan.io/address/0x4cbd8802465f690e7637454783955fa8e6d0c4bc#code\nhttps://etherscan.io/address/0x67927d7ea19f9a1053f4f5bbdf827ed9870f1a1b#code\nThe main difference is upgraded and extended logic(for example TSS was replaced with multisig), and also new contracts which provide new functionality to the Lombard stack(like integration with Chaiblink bridge and Layerzero, previous contract also had bridge functions but it never was used and was moved to separate contract). Also, there is new logic and a new contract for improved user experience (mintWithFee)\n\n__Where do you suspect there may be bugs?__\nWe are most concerned about stealing or loss of funds. We would most like security researchers to break our 1:1 peg with bitcoin by contract exploits, and to focus on how to steal funds from another user through the contracts provided. We are most concerned about re-entrancy attacks and malicious payload injections as attack vectors. Different ways that allow double claiming of deposits.\n\n__What external dependencies are there?__\nWe rely on OpenZeppelin contracts for a lot of boilerplate Solidity code (https://github.com/OpenZeppelin/openzeppelin-contracts and https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable). On top of this, we depend on Chainlink and LayerZero code for bridging (https://github.com/Cyfrin/ccip-contracts and https://github.com/LayerZero-Labs/LayerZero-v2/tree/main/packages/layerzero-v2/evm).\n\n__Where might Security Researchers confuse out-of-scope code to be in-scope?__\nAll admin/operator functions are out of scope, and all notarization systems(lombard/chainlink/LayerZero) are out of scope. 
For upgradable contracts, all bugs that can be fixed by upgrade and do not bring financial damage are counted as low severity.\n\n__Are there any unusual points about your protocol that may confuse Security Researchers?__\nWe use complex bridging code and extend base functionality for given contracts in this regard, which takes a bit of back and forth reading to understand. In this case, specifically, there will be some logic that will be activated given a setting about enabling attestations; in a mainnet scenario, we should always assume that attestations are enabled. We have a complex notarization system with different validators, so there is no centralization.","websiteUrl":"https://www.lombard.finance/","githubUrl":" https://github.com/lombard-finance/evm-smart-contracts/commit/edd557006050ee5b847fa1cc67c1c4e19079437e","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Lombard is on a mission to unlock Bitcoin's potential as a dynamic financial tool by connecting it to DeFi with LBTC. LBTC is a secure Bitcoin LST, developed by Lombard on top of Babylon. It's a yield-bearing, natively cross-chain, liquid Bitcoin backed 1:1 by BTC. With LBTC, Bitcoin can be held as a store of value and simultaneously used to lend, borrow, stake, trade, and transfer in DeFi across multiple blockchain ecosystems\n","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas 
consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":5276,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 30 days"},{"id":5277,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol (not lower than $1K))"}],"rewards":[{"level":"critical","payout":"portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"portion of the reward pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"1Xd0wzccAx75KX6zWLmWHb","url":"https://github.com/immunefi-team/audit-comp-butter-cfm-v1","type":"smart_contract","addedAt":"2025-01-23T10:00:00.000Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"3cZhkexgbsYOS2xZFoOBZs","url":"https://github.com/immunefi-team/audit-comp-butter-cfm-v1-playmoney","type":"smart_contract","addedAt":"2025-01-23T10:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nButter adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\nButter will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this Audit Competition bug bounty and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nWhen there is uncertainty about how feasible an attack is Immunefi will use our feasibility limitation standards to determine the severity of the report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Butter has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1wpSBXIJ_9tHpYAWu84YpaHCUOvCvJiD4)\n\nAll paid bug reports are available in original format here --> [Reports: Butter Audit 
Competition](https://reports.immunefi.com/butter)","boostedIntroLive":"**$30,000 USD** in rewards is available for finding bugs on Butter contract. \n\nFor more information about Butter, please visit https://buttery.gg\n\n**KYC is required**\n\nAny technical questions and support requests can be asked directly to Butter or Immunefi in the [Butter Audit Competition Discord channel](https://discord.com/invite/immunefi).\n\nWhen the Audit Competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nFor more information about Butter, please visit https://buttery.gg\n\nA few days after the launch, Immunefi will publish Butter's technical walkthrough on our official [YouTube channel](https://www.youtube.com/@immunefi).","boostedIntroStartingIn":"**$30,000 USD** in rewards is available for finding bugs on Butter contract. \n\nFor more information about Butter, please visit https://buttery.gg\n\n**KYC is required**\n\nAny technical questions can be asked directly to the Butter technical team on Immunefi's [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"butter\" channel.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Butter's technical walkthrough on our official [YouTube 
channel](https://www.youtube.com/@immunefi).","boostedLeaderboard":[{"high":0,"name":"perseverance","critical":0,"earnings":27900,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Topmark","critical":0,"earnings":477,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"onthesunnyside","critical":0,"earnings":477,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Bx4","critical":0,"earnings":477,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"iehnnkta","critical":0,"earnings":286,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"NHristov","critical":0,"earnings":191,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"kenzo","critical":0,"earnings":95,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"huntercheto","critical":0,"earnings":95,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/181PpjmsDspnmFvnXT90Uo4lKp3ux87d9/view?usp=sharing","ecosystem":null,"endDate":"2025-02-01T10:00:00.000Z","evaluationEndDate":"2025-02-27T08:25:09.254Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2025-01-23T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/TCewawmeHxFAMPrXEqxUN/3f0522188f281b23bc8d1c78628b8b55/Butter_VI_Final_Icon_Dark_16x9__1_.png","maxBounty":30000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this Audit Competition program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["DAO","Services","Prediction Market"],"programOverview":"Butter is a grantee of Uniswap Foundation and Optimism Foundation. 
**[Grant Allocation Announcement](https://x.com/UniswapFND/status/1846929189171351594)**.\n\nThe first iteration of Conditional Funding Markets will be launched on Feb 27th in partnership with Uniswap Foundation and Optimism Foundation. Both will allocate **[funding](https://x.com/SuperchainEco/status/1869803471102455857)** through the mechanism. Butter’s smart contracts will provide the conditional prediction markets that will instruct which project to fund. For this first version, the funding allocation decision rule will happen off-chain.\n\n **[Conditional Funding Markets (CFMs)](https://ggresear.ch/t/conditional-funding-markets/27/)**, an implementation of **[Futarchy](https://mason.gmu.edu/~rhanson/futarchy2013.pdf)**, are a special type of prediction market. CFMs leverage speculative markets to estimate the probability that a funding decision will produce a desired effect or metric before the funding decision is made. The resulting probability distribution of all possible allocations is subsequently used to allocate the funding.\n\nIn a vote-based system, a large token holder or influential delegate can consistently tilt funding decisions in their favour, regardless of whether the decision is in the interest of the protocol’s stakeholders and at little personal cost. In decision markets, traders are incentivized to find the outcome with the highest payoff. Betting against the market to fund a personal project using protocol resources is both expensive and, if successful, leaves the attacker holding worthless positions.\n\nThis Audit Competition is running on testnet. The following conditions apply:\n\n- Butter team will freeze the codebase during the duration of the Audit Competition \n- Concurrently Immunefi has cloned and frozen the repositories for the duration of the Audit Competition\n- Duplicates are rewarded\n- Bugs that aren't disclosed in the private audit report are valid for rewards. 
\n\nButter provides rewards in USDC, denominated in USD on Ethereum.  \n\nFor more information about Butter, please visit https://buttery.gg","programType":["Smart Contract"],"project":"Audit Comp | Butter","projectType":null,"rewardsBody":"The following reward terms are a summary. For the full details read our [Butter Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/32014062101009-Butter-Audit-Competition-Reward-Terms)\n\nA reward pool of $30,000 USD will be distributed among participants, if any valid bugs are found. \n\nIf not a single bug is found (Insights do not count as bugs) the reward pool is $15% of $30,000 USD rewards.\n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\n**Duplicates of Insight reports are not eligible for a reward.**","rewardsPool":30000,"primaryPool":30000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"audit-comp-butter","tenPercentEconomicRule":false,"updatedDate":"2025-04-29T10:15:26.145Z","impactsBody":"**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n**Build commands, Test commands, and instructions on how to run them:**\n\n- forge soldeer install\n- forge build\n- forge test\n- FOUNDRY_PROFILE=itest forge test # integration tests with actual ConditionalTokens and Wrapped1155Factory contracts\n- FOUNDRY_PROFILE=ftest forge test # fork tests\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\nTokens that we will recommend to use as ERC20 collateralToken (We will filter out of our frontend any instances of FlatCFM that don’t follow guidelines):\n- The play money collateral token generated through cfm-v1-playmoney factory\n- USDC\n- DAI\n- sDAI [](https://github.com/makerdao/sdai)\n- USDS [](https://github.com/makerdao/usds)\n- sUSDS [](https://github.com/makerdao/sdai/tree/susds)\n- GHO (https://github.com/aave/gho-core/tree/main/src/contracts/gho)\n- USDe (https://github.com/ethena-labs/code4arena-contest/tree/main/protocols/USDe/contracts)\n- StakedUSDeV2 (https://github.com/ethena-labs/code4arena-contest/tree/main/protocols/USDe/contracts)\n\n**Which chains and/or networks will the code in scope be deployed to?**\n\nUnichain\n\n**Where do you suspect there may be bugs?**\n\n- In the way payouts are reported to ConditionalTokens\n- In Reality state management: we need to make sure our questions don’t get stuck\n- In handling unknown ERC20 tokens as part of ConditionalScalarMarket functions\n- State management 
(reentrancy…) in the factory and in ConditionalScalarMarket\n\n**What external dependencies are there?**\n\n- RealityETH v3\n- ConditionalTokens\n- Wrapped1155Factory\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\nSee all dependencies, plus ERC20 tokens that might be used as input -> these are all out of scope but need to be understood in great detail.\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nIt’s making use of conditional tokens which aren't obvious to understand.\n\n**Which chains?**\n\nDeployment is planned on Unichain mainnet as soon as available. Other EVM deployments can happen in the future.\n\n**What external contracts (dependencies) is this project relying on?**\n\nThere are two main dependencies: ConditionalTokens and RealityETH.\n\nConditionalTokens is a contract produced by Gnosis. Butter is planning on deploying identical versions to Unichain mainnet (see repositories: \n\n[ConditionalTokens](https://github.com/butterygg/conditional-tokens-contracts) and [Wrapped1155Factory](https://github.com/butterygg/1155-to-20)),  These contracts reuse an exact version that has already been audited, with no changes to the Solidity version. However, **they are not included in the scope of this Audit Competition**.\n\nRealityETH version 3.0 is used. It is expected that the Arbitrator used is Kleros. Kleros might require some arbitration fee (see [here](https://forum.kleros.io/t/kip-72-court-proposal-on-ethereum-oracle-court/1279)).\n\n**Previous Audits**\n\nButter’s completed audit reports can be found at https://github.com/immunefi-team/audit-comp-butter-cfm-v1/tree/main/audits. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","websiteUrl":"https://buttery.gg","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Butter addresses misalignment and capture in crypto governance through robust mechanisms. The current focus is to solve treasury allocation for the largest DAOs within the Ethereum ecosystem by deploying **[Conditional Funding Markets](https://community.ggresear.ch/t/conditional-funding-markets/27)**, based on futarchy and prediction markets.\n\nFor more information about Butter, please visit https://buttery.gg\n","knownIssues":[{"id":24,"link":"https://gist.github.com/lajarre/94f7af6a980da30f756654a2ca0f7a25","description":"Known Issue","lastUpdatedAt":"2025-01-17T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":23,"link":"https://gist.github.com/lajarre/8f2b808ee7549785e9cc0afbf002e900","description":"Known Issue","lastUpdatedAt":"2025-01-17T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":25,"link":"https://gist.github.com/lajarre/61495716497c704b2258b32e41a57d64","description":"Known Issue","lastUpdatedAt":"2025-01-17T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":26,"link":"https://gist.github.com/lajarre/fb7b857bdaa5765167e77220258049c8","description":"Known Issue","lastUpdatedAt":"2025-01-17T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":27,"link":"https://gist.github.com/lajarre/8aba7f4ac04583fdd6339279e14c3486","description":"Known Issue","lastUpdatedAt":"2025-01-17T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":28,"link":"https://gist.github.com/lajarre/92cd0ba594f6e4490bf4763020509d96","description":"Known Issue","lastUpdatedAt":"2025-01-17T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":29,"link":"https://gist.github.com/lajarre/d8c9741773272919d110dc5f728295c0","description":"Known 
Issue","lastUpdatedAt":"2025-01-17T00:00:00.000Z","relatedImpactInScope":"smart_contract"},{"id":21,"link":"https://github.com/immunefi-team/audit-comp-butter-cfm-v1/tree/main/audits","description":"Previous Audits","lastUpdatedAt":"2025-01-17T00:00:00.000Z","relatedImpactInScope":"smart_contract"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. 
In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":5294,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 hour"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":5295,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 10 minute"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"4swPViBX7R2gxtdzm0Hv9r","url":"https://github.com/immunefi-team/audit-comp-butter-cfm-v1/tree/main/audits","auditor":"teamomega.eth, trust-security","date":"2025-01-17"}]},{"assets":[{"id":"3YAW2HkADfXTuAzTCju6UQ","url":"https://etherscan.io/address/0x8a113da63f02811e63c1e38ef615df94df5d9e70","type":"smart_contract","addedAt":"2024-09-25T15:13:33.429Z","revision":1,"description":"Nexus","isPrimacyOfImpact":null},{"id":"5zzmM6tPdLRMF38sGr2nfF","url":"https://etherscan.io/address/0x2d5e65ff87d986d18ac224e725dc654bec3a04cd","type":"smart_contract","addedAt":"2024-09-25T15:13:44.770Z","revision":1,"description":"Coinbase Cloud","isPrimacyOfImpact":null},{"id":"3bVXaLLTghhSLiPMaegU3i","url":"https://etherscan.io/address/0x8eea6cc08d824b20efb3bf7c248de694cb1f75f4","type":"smart_contract","addedAt":"2024-09-25T15:13:58.252Z","revision":1,"description":"Coinbase Cloud Pool","isPrimacyOfImpact":null},{"id":"bmWnl428sq0lbYVw5oQXF","url":"https://etherscan.io/address/0x4e6a0740aa4c89c7e36c430afe3dd3bec68b6aec","type":"smart_contract","addedAt":"2024-09-25T15:14:18.325Z","revision":1,"description":"Coinbase Cloud 
Pool","isPrimacyOfImpact":null},{"id":"34plwsGM6QuQcGvHHoKVFk","url":"https://etherscan.io/address/0xd54ede626441ae514b15743d6a78a74c664b30a2","type":"smart_contract","addedAt":"2024-09-25T15:14:31.874Z","revision":1,"description":"Coinbase Cloud Pool","isPrimacyOfImpact":null},{"id":"3AlywNNkO1z2wMv7qVHD23","url":"https://etherscan.io/address/0x99a6d933bd22040136b7ccd5dbc3acdf2c103be6","type":"smart_contract","addedAt":"2024-09-25T15:14:49.156Z","revision":1,"description":"Coinbase Cloud Pool","isPrimacyOfImpact":null},{"id":"4ksMOB9CyIOrb8AQt5aFwk","url":"https://etherscan.io/address/0xc63d9f0040d35f328274312fc8771a986fc4ba86","type":"smart_contract","addedAt":"2024-09-25T15:15:01.517Z","revision":1,"description":"Kiln","isPrimacyOfImpact":null},{"id":"4CCZGAztuDfpGOSkMub6Yi","url":"https://etherscan.io/address/0x00a0be1bbc0c99898df7e6524bf16e893c1e3bb9","type":"smart_contract","addedAt":"2024-09-25T15:15:18.689Z","revision":1,"description":"Kiln Pool","isPrimacyOfImpact":null},{"id":"2O9BYiuptDayH4NuXTr3sN","url":"https://etherscan.io/address/0xd9f56e8a1b159b1482ec3bb6ce742fa5ce084f4c","type":"smart_contract","addedAt":"2024-09-25T15:15:28.796Z","revision":1,"description":"Kiln 
Pool","isPrimacyOfImpact":null},{"id":"4YjbV63PoH0adEjdT6bbZi","url":"https://etherscan.io/address/0xa748ae65ba11606492a9c57effa0d4b7be551ec2","type":"smart_contract","addedAt":"2024-09-25T15:15:41.279Z","revision":1,"description":"factoryHatcher","isPrimacyOfImpact":null},{"id":"18t0bdhyCdm5k1A68afRJu","url":"https://etherscan.io/address/0x48005e62373277fbbe5584b351830b1b2ec1e3fd","type":"smart_contract","addedAt":"2024-09-25T15:16:00.018Z","revision":1,"description":"treasuryHatcher","isPrimacyOfImpact":null},{"id":"6crQSXpKtcwzjLTt98QwHI","url":"https://etherscan.io/address/0x1d6103243d0507a9d1314bac09379bf57a5cf155","type":"smart_contract","addedAt":"2024-09-25T15:16:12.189Z","revision":1,"description":"poolHatcher","isPrimacyOfImpact":null},{"id":"6aQSfpqErQJ1uc5qVggV9J","url":"https://etherscan.io/address/0x066b6c3fca9034395068eb9d442ee5041eac33dc","type":"smart_contract","addedAt":"2024-09-25T15:16:26.506Z","revision":1,"description":"withdrawalRecipientHatcher","isPrimacyOfImpact":null},{"id":"1Bx38L8htz7qw7WNqKjNHb","url":"https://etherscan.io/address/0xdac8cf86ca42185ebce7ed2dbec9bc2be1734ffc","type":"smart_contract","addedAt":"2024-09-25T15:16:40.085Z","revision":1,"description":"execLayerRecipientHatcher","isPrimacyOfImpact":null},{"id":"6ifuRH7mvS4z61UQFRgdWZ","url":"https://etherscan.io/address/0x24d6e12fa25b7f8fc6b4bba0ea77fc643d7210d3","type":"smart_contract","addedAt":"2024-09-25T15:16:56.361Z","revision":1,"description":"coverageRecipientHatcher","isPrimacyOfImpact":null},{"id":"FQIz41eS4vBWIiQz2ItGF","url":"https://etherscan.io/address/0xc2c48fbfec0e61683133aaff32c9c2e98fd17788","type":"smart_contract","addedAt":"2024-09-25T15:17:17.981Z","revision":1,"description":"oracleAggregatorHatcher","isPrimacyOfImpact":null},{"id":"2oxP3Sje7aKnCqj3879ufi","url":"https://etherscan.io/address/0x24a1dfebaec4e501c2152a5e4a434b236fce3d3b","type":"smart_contract","addedAt":"2024-09-25T15:17:30.413Z","revision":1,"description":"exitQueueHatcher","isPrimacyOfImpac
t":null},{"id":"7zrdRjIswRlFwksjr4smcy","url":"https://etherscan.io/address/0x0a3d5e898fa7e7d593a940486095c156c01a0b0c","type":"smart_contract","addedAt":"2024-09-25T15:17:47.596Z","revision":1,"description":"ONTO Wallet Staked ETH (owsETH)","isPrimacyOfImpact":null},{"id":"dQt8nQCDNmN6qw6UE6Hgz","url":"https://etherscan.io/address/0x18099b65842cada4d87075920986559d9216a5bf","type":"smart_contract","addedAt":"2024-09-25T15:18:01.885Z","revision":1,"description":"Staking Rewards Partial ETH (srpETH)","isPrimacyOfImpact":null},{"id":"36j2AsnDux3etfmtRqrLCD","url":"https://etherscan.io/address/0x2401c39d7ba9e283668a53fcc7b8f5fd9e716fdf","type":"smart_contract","addedAt":"2024-09-25T15:18:14.608Z","revision":1,"description":"On-Chain Staked Ethereum (ocsETH)","isPrimacyOfImpact":null},{"id":"6fQJ1O3dz3lNm46y20q5tA","url":"https://etherscan.io/address/0x2e3956e1ee8b44ab826556770f69e3b9ca04a2a7","type":"smart_contract","addedAt":"2024-09-25T15:18:27.265Z","revision":1,"description":"CDP Staked ETH (CDPstakedETH)","isPrimacyOfImpact":null},{"id":"3qiQwMS9Jdy9AVGllGcrOE","url":"https://etherscan.io/address/0x30a4aa1d14d44f0f5bfe887447ab6facc94a549f","type":"smart_contract","addedAt":"2024-09-25T15:18:40.412Z","revision":1,"description":"Coinbase Wallet Staked ETH (cbwsETH)","isPrimacyOfImpact":null},{"id":"nTKMO7DCnzKDl4jjqyKPI","url":"https://etherscan.io/address/0x42ecf9bde9078d659663da66b97c4823f762005e","type":"smart_contract","addedAt":"2024-09-25T15:18:53.590Z","revision":1,"description":"CoolWallet Staked ETH (cwstETH)","isPrimacyOfImpact":null},{"id":"4hT4wFMCOeDO7C1iv4h6ZN","url":"https://etherscan.io/address/0x437636e4b984eae19045626aa269a89f906cf96c","type":"smart_contract","addedAt":"2024-09-25T15:19:05.782Z","revision":1,"description":"Crypto.com Defi Wallet ETH 
(cdwETH)","isPrimacyOfImpact":null},{"id":"14f7SiFrGMr0wDyOEZVz08","url":"https://etherscan.io/address/0x594db36d6f3e747f2c7675659f712bf4d72a9f97","type":"smart_contract","addedAt":"2024-09-25T15:19:21.845Z","revision":1,"description":"Walletverse Staked ETH (wvETH)","isPrimacyOfImpact":null},{"id":"2ogDXDaCxDfW2xaxw6508t","url":"https://etherscan.io/address/0x5b1c9ee05794e9667806f1bd1c6ae6d196498183","type":"smart_contract","addedAt":"2024-09-25T15:19:34.257Z","revision":1,"description":"Giddy Wallet Staked ETH (GiddyETH)","isPrimacyOfImpact":null},{"id":"6NUoxVUFUAss1PJuVSkByr","url":"https://etherscan.io/address/0x5db5235b5c7e247488784986e58019fffd98fda4","type":"smart_contract","addedAt":"2024-09-25T15:19:48.430Z","revision":1,"description":"Pooled Staked ETH (psETH)","isPrimacyOfImpact":null},{"id":"7rYfhiVjIJJATgROngIdIg","url":"https://etherscan.io/address/0x61ac42269d0035cd86c52b6c5bb299daa73c7135","type":"smart_contract","addedAt":"2024-09-25T15:20:01.938Z","revision":1,"description":"Bitnovo Staked ETH (bnETH)","isPrimacyOfImpact":null},{"id":"1VhYVBcBgrADsB7DZJfhUe","url":"https://etherscan.io/address/0x7d4b92522df1c7d211cbab49148d9d260b5a5e41","type":"smart_contract","addedAt":"2024-09-25T15:20:15.011Z","revision":1,"description":"CDP Staked ETH (CDPstakedETH)","isPrimacyOfImpact":null},{"id":"8NvFG827nbEyS9We9tlW0","url":"https://etherscan.io/address/0x9995f241c6a0d5b712281dfd3bd0e0289a5f2a98","type":"smart_contract","addedAt":"2024-09-25T15:20:27.394Z","revision":1,"description":"Dakota Kiln Staked ETH (dkETH)","isPrimacyOfImpact":null},{"id":"4tlWAvaBxX7pDT5FyiYJUz","url":"https://etherscan.io/address/0xba1613cf1ff0d7307315f1d98465e27877ad3f02","type":"smart_contract","addedAt":"2024-09-25T15:20:39.920Z","revision":1,"description":"MEW_Coinbase Staked ETH 
(MEWcbETH)","isPrimacyOfImpact":null},{"id":"62fznGUcHqKidwA7Rcj1Ei","url":"https://etherscan.io/address/0xe5faa3fcc7729c3ac7b4571207bb5978e5c33e81","type":"smart_contract","addedAt":"2024-09-25T15:20:52.830Z","revision":1,"description":"Veno Kiln staked ETH (VenoKilnETH)","isPrimacyOfImpact":null},{"id":"2tkeAhZpg2Atp1l4f8OQFA","url":"https://etherscan.io/address/0xeb4d67dba18b3be04484dfc7b7c2780e8d32a79d","type":"smart_contract","addedAt":"2025-04-25T14:08:55.593Z","revision":1,"description":"Edge Kiln staked ETH (edgeETH)","isPrimacyOfImpact":null},{"id":"VWZow04Dr4Zv9ZroYHLKT","url":"https://etherscan.io/address/0xc4dcb059dd98b45b090da8982234c61d0b9e84f9","type":"smart_contract","addedAt":"2025-04-25T14:09:15.564Z","revision":1,"description":"Ledger Coinbase staked shared ETH (lcStakedSharedETH)","isPrimacyOfImpact":null},{"id":"27Y3ScMpO8xiUSB5qGPOvP","url":"https://etherscan.io/address/0x4d893e724a0a913f6fb6ca1581644dbd81dcd5bd","type":"smart_contract","addedAt":"2025-04-25T14:09:32.877Z","revision":1,"description":"xPortal Kiln staked ETH (xPortalStakedETH)","isPrimacyOfImpact":null}],"assetsBodyV2":".","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-08-21T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2iDDxMXgRnP06wYCjb4T3E/5c65c546efd0c74e47ac0db66e773bb5/Kiln_Defi.png","maxBounty":500000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"Kiln On-Chain (v2) enables non-custodial platforms to propose an ETH staking offer where users can stake any amount of ETH on operator pools while remaining the only one able to access their staked assets.\n\nThe goal of these Ethereum Smart Contracts is to enable:\n\n- Operator to register its validation keys deposit data on their operator vFactory Smart Contract\n- Operator to propose deposit services like pooling on top of their vFactory\n- Integrators to propose white-labelled staking offers on top of operator pools with their Smart Contract\n- Users to deposit any amount of ETH to be staked\n- Enable Integrators, Operators to have a performance fee dispatched on-chain\n\nThis Bug Bounty is focused on Kiln On-Chain v2 Smart Contracts only, all items regarding dApps or validation infrastructure are out of scope but can be submitted at security@kiln.fi. \n\nFor more information about Kiln On-Chain, please visit [https://www.kiln.fi/kiln-on-chain](https://www.kiln.fi/kiln-on-chain)\n\nAnother bug bounty program on [Kiln On-Chain v1](https://immunefi.com/bug-bounty/kiln/information/) (dedicated staking) is available here and under its own bug bounty scope, bounties and rules.\n\nKiln provides rewards in __USDC__ on __Ethereum__, denominated in __USD__. For more details about the payment process, please view the __Rewards by Threat Level__ section.\n\n__KYC Requirement__\n\nKiln will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- **If the claim comes from an individual:**\n\n  - The first names, surnames, date and place of birth of the person concerned\n  - A valid ID\n\n- **If the claim comes from a business:**\n\n  - Legal form, name, registration number and address of the registered office\n  - Valid certificate of incorporation\n  - List of shareholders/directors\n\nKYC information is only required on confirmation of the validity of a bug report.\n\n__Primacy of Impact vs Primacy of Rules__\n\nKiln adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nKiln’s completed audit reports can be found at [https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b](https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Kiln has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).\n\n__Responsible Disclosure Clause__\n\nResearchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:\n\n1. Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.\n2. Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.\n3. 
During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.\n4. After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.\n5. The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.\n6. If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln.\n7. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.\n\nCompliance with this responsible disclosure clause is a condition for receiving the bug bounty reward. Failure to adhere to these terms may result in forfeiture of the reward and potential legal action.\n\n__Other Terms and Information__\n\n- This bug bounty program will have a hard cap of __USDC 1 000 000__. In the event that multiple bug reports are submitted that exceed this amount, the rewards will be provided on a first come first served basis. The last bounty will be paid up to the remaining amount of the program even if the bounty amount is larger.\n- The administrator roles (admin, proxy admin, hatcher admin, treasury, oracles etc.) are trusted to behave properly and in the best interest of the users. They should not be considered as malicious.  
Reports taking this assumption will be considered invalid.","programType":["Smart Contract"],"project":"Kiln On-Chain v2","projectType":["Defi","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor Critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of __USD 500 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD 100 000__ is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For Critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of __USD 20 000__ to __USD 50 000__ depending on the funds at risk, capped at the maximum high reward.  
\n\n- For High Smart Contract vulnerabilities that result in direct theft or permanent freezing of unclaimed yield, or the temporary freezing of unclaimed yield for more than 2 days (oracle timing should not be taken into account in this delay), the reward amount will be capped at 100% of the funds affected, up to a maximum of __USD 50 000__.  However, a minimum reward of __USD 20 000__ is to be rewarded in order to incentivize security researchers against withholding a bug report.  \n\n__Reward Calculation for Medium Level Reports__\n\nFor Medium Smart Contract bugs, the reward amount is 10% of the commission funds directly affected up to a maximum of __USD 20 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD 5 000__ is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Kiln team directly and are denominated in __USD__. However, payments are done in __USDC__ on __Ethereum__","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"kiln","updatedDate":"2025-04-25T14:09:38.170Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_3","description":"","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":4434,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (> 2 days without taking into account possible oracle delay)"},{"id":4435,"type":"smart_contract","severity":"medium","title":"Direct theft of any commission, whether at-rest or in-motion"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":10700,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":10701,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":20000,"rewardModel":"range"},{"id":10702,"severity":"medium","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"2gFgktjEhJmN70toPQUqSI","url":"https://github.com/shardeum/shardus-core/tree/bugbounty","type":"blockchain_dlt","addedAt":"2025-01-15T21:44:00.000Z","revision":2,"description":"DLT - 
48906","isPrimacyOfImpact":null},{"id":"2CLuTlhWkEC3GIERp3o7N1","url":"https://github.com/shardeum/shardeum/tree/bugbounty","type":"blockchain_dlt","addedAt":"2025-01-15T21:44:00.000Z","revision":2,"description":"DLT - 22264","isPrimacyOfImpact":null},{"id":"3ixpQ5HAXeFlOC7cPchu7T","url":"https://github.com/shardeum/lib-crypto-utils/tree/bugbounty","type":"blockchain_dlt","addedAt":"2025-01-15T21:44:00.000Z","revision":2,"description":"Library - 499","isPrimacyOfImpact":null},{"id":"sdocLpdyQfQUltXHWxjEa","url":"https://github.com/shardeum/lib-net/tree/bugbounty","type":"blockchain_dlt","addedAt":"2025-01-15T21:44:00.000Z","revision":2,"description":"Library - 2321","isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Known Issue Assurance__\n\nShardeum commits to providing Known Issue Assurance to bug submissions through their program. This means that Shardeum will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission.\n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nShardeum adheres to the Primacy of Rules for all impacts, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. 
\n\n\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Shardeum has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1ThQUQMcM6Khxkp7tCKzoVsavmae4cO-c)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/shardeum-core-iii)\n\n\n\n\n\n\n\n(https://reports.immunefi.com/shardeum-core-iiI)","boostedIntroLive":"","boostedIntroStartingIn":"A total of $250,000 USD in rewards is available for discovering bugs in Shardeum Core III. The scope includes four components: the Shardus Core Protocol, Shardeum Validator Nodes, networking libraries, and crypto-utils.\n\nFor more information about Shardeum, please visit https://shardeum.org/\n\nNo KYC is required.\n\nAny technical questions can be asked directly to the Shardeum technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"shardeum-core-iii-audit-competition\" channel.\n\nNote:\nWhitehats, to join the testnet that Shardeum will be running, please ping the project team here in the Discord channel to get your EVM address whitelisted. 
Alternatively, you can DM the Shardeum Team for assistance.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\nShardeum will record a technical walkthrough, which will then be shared in the Immunefi Discord.\n\nJoin our Discord for more updates.","boostedLeaderboard":[{"high":0,"name":"Blockian","critical":10,"earnings":94767,"insights":0,"mediumLow":1,"totalValidBugs":11},{"high":0,"name":"throwing5tone7","critical":3,"earnings":34483,"insights":0,"mediumLow":0,"totalValidBugs":3},{"high":0,"name":"ZhouWu","critical":4,"earnings":32346,"insights":3,"mediumLow":0,"totalValidBugs":4},{"high":1,"name":"bountyhunter2048","critical":2,"earnings":32014,"insights":1,"mediumLow":0,"totalValidBugs":3},{"high":0,"name":"periniondon630","critical":2,"earnings":17111,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"fomohacker","critical":1,"earnings":13766,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"riproprip","critical":2,"earnings":12820,"insights":0,"mediumLow":1,"totalValidBugs":3},{"high":0,"name":"neploxaudit","critical":2,"earnings":10297,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"gladiator111","critical":0,"earnings":1147,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Pig46940","critical":0,"earnings":625,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"XDZIBECX","critical":0,"earnings":625,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1VrAHi9k1DaWxxWLpf-BapmsIMHaLA08p/","ecosystem":["Shardeum"],"endDate":"2025-02-12T17:00:00.000Z","evaluationEndDate":"2025-04-17T13:20:40.592Z","features":["Boost","Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Typescript"],"launchDate":"2025-01-15T21:44:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2RGZifA5Y7aVEVItpmE3ST/08f7b34f881a614a49730ff91f64dbfc/4B19YQz__400x400.png","maxBounty":250000,"outOfScopeAndRules":"Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\nBugs from previous bounties are in scope unless explicitly said otherwise.\nReports 33428, 33655, 33963, 34508, 33576, 34053, 36024, 36025, 36025 are OOS.\n\n\nShardeum Core full list of [reports](https://app.gitbook.com/o/SXzCm0g2yGtKdYxV9Y1d/s/eYmXU5PPPCrUVU4AeKnd/shardeum-core) \nShardeum Core II full list of [reports](https://app.gitbook.com/o/SXzCm0g2yGtKdYxV9Y1d/s/eYmXU5PPPCrUVU4AeKnd/shardeum-core-ii)","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the impacts listed in this program are accepted within this AC program.  All other impacts are not considered as in-scope, even if they affect something in the assets in scope table","productType":["L1"],"programOverview":"This Audit Competition is running on testnet. The following conditions apply:\n\nShardeum team will freeze the codebase during the duration of the Audit Competition\n- Duplicates are rewarded\n- Shardeum provides rewards in USDC, denominated in USD.\n\nNote: \n\nWhitehats who need to run the network locally must submit their EVM address for whitelisting to receive test tokens from the project team in the Discord channel. 
Alternatively, you can DM the Shardeum Team for assistance.","programType":["Blockchain/DLT"],"project":"Audit Comp | Shardeum: Core III","projectType":["Blockchain"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Shardeum Core III Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31793771662865-Shardeum-Core-III-Audit-Competition-Reward-Terms)\n\nThe reward pool size is determined by the greatest condition met. If multiple conditions are met only the largest reward pool applies.\n\nIf one or more Critical severity bugs are found, the reward pool will be **100% of the respective reward pool, $250,000 USD**\nIf one or more High severity bugs are found, the reward pool will be **75% of the respective reward pool, $187,500 USD**\nIf one or more Medium severity bugs are found, the reward pool will be **50% of the respective reward pool, $125,000 USD**\nOtherwise, the reward pool will be **25% of the respective reward pool, $62,500 USD**\n\nDuplicates and private known issues are valid for a reward.\n\n**Duplicates of Insight reports are not eligible for a reward.**\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n**Reward Payment Terms**\nPayouts are handled by the Shardeum team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\n**Insight Rewards Payment Terms**\nInsight Rewards: Portion of the Rewards Pool\nThe \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. 
\"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights.](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)","rewardsPool":250000,"primaryPool":250000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"audit-comp-shardeum-core-iii","tenPercentEconomicRule":false,"updatedDate":"2025-04-18T09:36:35.513Z","impactsBody":"**Which chains and/or networks will the code in scope be deployed to?**\n\nShardeum\n\n**Which parts of the code are you most concerned about?**\nWe are concerned with the web3 and business logic within all four repositories in this boost. Things like transaction queuing, penalties, and consensus. This includes any internal transactions or things involving the global account.\n\n**What attack vectors are you most concerned about?**\n\nParsing/signature errors, cheating the rotation system, and transaction processing. We received quite a few message parsing and signature related reports in the previous boosts and feel like there may still be some vulns to find. Secure accounts and multisig transactions involving them will be valuable targets and need extra scrutiny.\n**Which part(s) of the system do you want whitehats to attempt to break the most?**\ntransaction queuing, penalties, and consensus.\n**Are there any assumed invariants that you want whitehats to attempt to break?**\nSum of EOA account balances before attack == Sum of EOA account balances after attack + transaction fees. This should cover SHM disappearing from the network or being created out of thin air\n\n**What external dependencies are there?**\n\nThese are listed in package.json\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\n\nA note on Shardeum and Shardus Core scope: the default config in release mode in the branch is in scope. 
Whitehats are free to configure, patch, and modify their own malicious nodes however they want. However, target nodes must be running the default config in the target branch in release mode. This is to prevent the whitehats from wasting time reporting things we specifically allow in debug mode. The only exception is minNodes and maxNodes settings, which allow different size networks to be created. Certain vulnerabilities may only exist in certain network sizes, and we do not wish to limit Whitehat activity and participation for lack of computing power attempting to run a large local network. However, network-wide attacks that only work under 128 nodes may be rejected or reduced in severity at our discretion. If the researchers can enable debug mode options remotely then that is valid and can be paid out.\n\nAttacks that require the network to still be initializing/bootstrapping are out of scope. Wait until the network mode reaches “processing” + 15 cycles after startup before launching attacks. The rules for staking/join are a little different and the network will not be public during this time. Attacks on a network that is repairing itself (was once in “processing” mode but has since degraded to “safety” or “recovery”) are in scope.\nThis bounty introduces the concept of a KYC-required “genesis node”. Attacks performed with genesis nodes are in scope, attacks performed against genesis nodes are in scope. Nodes attacking themselves are out of scope.\n\n0day vulnerabilities in dependencies are in scope. Any other vuln in dependencies is out of scope. Smart contracts are out of scope\n\nFinally, the more nodes that are required to launch an attack, the more at risk the vuln is of being downgraded. 
If it takes 33% (for example) of the nodes in the network being malicious to cause damage, then it becomes difficult to distinguish the impact from a brute-force/51% attack, which is completely out of scope.\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nPlease consider how your vulnerability will behave on a network with a shard size of 129 nodes. We will accept reports with a PoC on a smaller network, but the severity may be affected if the impact is less feasible on network with a shard size of 129 nodes.","websiteUrl":"https://shardeum.org/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever while maintaining true decentralization and (hopefully) solid security. Shardeum is a large project and as such, will be split over two concurrent boosts. This boost, called Core III, will cover the Web3 aspects of the project. This will cover four components: Shardus Core Protocol, Shardeum Validator Nodes, networking libs, and Crypto-utils. 
For more information about Shardeum, please visit [https://shardeum.org/](https://shardeum.org/)\n","knownIssues":[{"id":11,"link":"https://reports.immunefi.com/shardeum-core-ii","description":"Shardeum Core II Audit Competition","lastUpdatedAt":"2024-12-17T00:00:00.000Z","relatedImpactInScope":"blockchain_dlt"},{"id":10,"link":"https://reports.immunefi.com/shardeum-core","description":"https://reports.immunefi.com/shardeum-core","lastUpdatedAt":"2024-12-17T00:00:00.000Z","relatedImpactInScope":"blockchain_dlt"},{"id":6,"link":"https://drive.google.com/file/d/1H6o8IPtrlTDvr_cfTRhvgr1Vvh4EYwb8/view","description":"Known Issues before BB1","lastUpdatedAt":"2024-12-17T00:00:00.000Z","relatedImpactInScope":"blockchain_dlt"}],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\nBugs from previous bounties are in scope unless explicitly said otherwise.\n\nReports 33428, 33655, 33963, 34508, 33576, 34053, 36024, 36025, 36025 are OOS.\n\n\nShardeum Core full list of [reports](https://app.gitbook.com/o/SXzCm0g2yGtKdYxV9Y1d/s/eYmXU5PPPCrUVU4AeKnd/shardeum-core) \nShardeum Core II full list of [reports](https://app.gitbook.com/o/SXzCm0g2yGtKdYxV9Y1d/s/eYmXU5PPPCrUVU4AeKnd/shardeum-core-ii)\n\n**Other Known issues**\n\n- AJV Validation error on archiver can cause missing receipts [https://github.com/shardeum/archiver/blob/bugbounty/src/Data/Collector.ts#L280](https://github.com/shardeum/archiver/blob/bugbounty/src/Data/Collector.ts#L280)\n\n- getTxTimestampBinary endpoint could be used as a memory overflow mechanism [https://github.com/shardeum/core/blob/9dae0abe5232ed532a9285da82118b41a04b3711/src/state-manager/TransactionConsensus.ts#L1796](https://github.com/shardeum/core/blob/9dae0abe5232ed532a9285da82118b41a04b3711/src/state-manager/TransactionConsensus.ts#L1796)\n\n- SQL 
injection in inputs at https://github.com/shardeum/shardeum/blob/dev/src/storage/sqlite3storage.ts#L257-L289\n\n- Tx data : ( ORIGINAL_TX_DATA) getting saved in originalTxData, processedData and transaction table without any verification [https://github.com/shardeum/archiver/blob/cbe1d515e91058d17fa483f84361992cd3d1cf9c/src/archivedCycle/StateMetaData.ts#L156](https://github.com/shardeum/archiver/blob/cbe1d515e91058d17fa483f84361992cd3d1cf9c/src/archivedCycle/StateMetaData.ts#L156)","customProhibitedActivities":[],"impacts":[{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":5281,"type":"blockchain_dlt","severity":"critical","title":"Bypassing Staking Requirements"},{"id":5282,"type":"blockchain_dlt","severity":"critical","title":"Bypassing 
Penalties"},{"id":5289,"type":"blockchain_dlt","severity":"high","title":"Blocking specific wallet addresses from making transactions"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true}],"audits":[{"id":"3swJjDq8HBLP5yUuMiCRjm","url":"https://reports.immunefi.com/shardeum-core","auditor":"Immunefi","date":"2024-08-14"},{"id":"63g3xgoGhSAoM3lmgF0Npu","url":"https://reports.immunefi.com/shardeum-core-ii","auditor":"Immunefi","date":"2024-10-16"},{"id":"56cuhfwh8oCbinI5HVeW3X","url":"https://docs.google.com/document/d/1OlmijVY2ga_7QEe8DYU-NTEXfAqMRpuwlduIofjmEwA","auditor":"The Arcadia Group","date":"2024-02-23"},{"id":"2pxskA87kYZKNIbENrU9ew","url":"https://docs.google.com/document/d/1n11d40JZYgL33-F-Lw6FMuBP9AJSXvyg-xBpJhwOkUE","auditor":"HashCloak","date":"2024-04-16"}]},{"assets":[{"id":"nBQq3ROzT4iQtYIFfpDj7","url":"https://github.com/pyth-network/pyth-client/tree/main/program","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth Oracle","isPrimacyOfImpact":null},{"id":"10WrThz2qw1T2sqDGv9wLY","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/target_chains/ethereum/contracts/contracts/pyth","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth Crosschain: Ethereum","isPrimacyOfImpact":null},{"id":"7GiUjjaafbPgw5Wct76nHt","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/target_chains/aptos/contracts/sources","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth Crosschain: 
Aptos","isPrimacyOfImpact":null},{"id":"64ZeZd96GW0YKHsm9BspF9","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/target_chains/cosmwasm/contracts/pyth/src","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth Crosschain: Cosmwasm","isPrimacyOfImpact":null},{"id":"11nhxtfAziTZdftTvvFMek","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/target_chains/near/receiver","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth Crosschain: NEAR","isPrimacyOfImpact":null},{"id":"18Ezc3oBWgMNfyEk794pzR","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/target_chains/solana","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth Crosschain: Solana","isPrimacyOfImpact":null},{"id":"6HWdfAYenNIXYv94Pq8LCA","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/target_chains/sui/contracts","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth Crosschain: Sui","isPrimacyOfImpact":null},{"id":"zQ4Mqu2QZzsvSotG0VOTw","url":"https://github.com/pyth-network/governance/tree/main/staking/programs/staking","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth Governance","isPrimacyOfImpact":null},{"id":"7xuZPkwmRFWYt0ONsF0B5T","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/target_chains/aptos/contracts","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth Crosschain Aptos","isPrimacyOfImpact":null},{"id":"2ZmAnjSoaYsdEuF4y8v9aj","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/target_chains/ethereum/contracts/contracts/entropy","type":"smart_contract","addedAt":"2024-06-24T16:00:00.000Z","revision":1,"description":"Pyth 
Entropy","isPrimacyOfImpact":null},{"id":"3LTpKrSh0ifOiSTWrN0bG5","url":"https://github.com/pyth-network/per/tree/main/contracts/src","type":"smart_contract","addedAt":"2024-08-30T16:52:13.796Z","revision":1,"description":"Pyth Express Relay","isPrimacyOfImpact":null},{"id":"4Au0xnuMSF5As3WXbw6SjW","url":"https://staking.pyth.network/","type":"websites_and_applications","addedAt":"2024-11-04T18:57:54.440Z","revision":1,"description":"Pyth Staking","isPrimacyOfImpact":null},{"id":"2PH2bozA5PSBaCsWe6dLje","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/target_chains/ton/contracts","type":"smart_contract","addedAt":"2025-02-20T08:29:39.955Z","revision":1,"description":"Pyth Crosschain: TON","isPrimacyOfImpact":null},{"id":"7wnLORK7eDrrNr3O8TWroE","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/lazer/contracts/evm","type":"smart_contract","addedAt":"2025-04-08T08:29:45.303Z","revision":1,"description":"Pyth Lazer: EVM","isPrimacyOfImpact":null},{"id":"23jParzkoY3eGBnkDLEf8i","url":"https://github.com/pyth-network/pyth-crosschain/tree/main/lazer/contracts/solana","type":"smart_contract","addedAt":"2025-04-08T08:30:02.504Z","revision":1,"description":"Pyth Lazer: Solana","isPrimacyOfImpact":null},{"id":"6pPABbLg1O1zXvUhX1SL4o","url":"https://github.com/pyth-network/per/tree/main/auction-server/src","type":"websites_and_applications","addedAt":"2025-04-16T17:39:37.397Z","revision":1,"description":"Pyth Express Relay Auction Server","isPrimacyOfImpact":null}],"assetsBodyV2":"Specific mainnet contract addresses can be found on [https://docs.pyth.network/price-feeds/contract-addresses](https://docs.pyth.network/price-feeds/contract-addresses) and 
[https://docs.pyth.network/entropy/contract-addresses](https://docs.pyth.network/entropy/contract-addresses).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2024-06-24T16:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5MjWJd5jcGHtNLtAZnYNN0/0c111c048c5b2452457756f172948bb9/pyth-network-pyth-logo.png","maxBounty":250000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - low","websites_and_applications - medium","websites_and_applications - high","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Oracle"],"programOverview":"Pyth Network is the largest and fastest-growing first-party oracle network. Pyth delivers real-time market data to financial dApps across 50+ blockchains and provides 380+ low-latency price feeds across cryptocurrencies, equities, ETFs, FX pairs, and commodities.\n\nFor more information about Pyth Network, please visit https://pyth.network.  \n\nPyth Network provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nPyth Network will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n- If you are a U.S. person, please send us a filled-out and signed [W-9](https://www.irs.gov/pub/irs-pdf/fw9.pdf)\n- If you are not a U.S. person, please send us a filled-out and signed [W-8BEN](https://www.irs.gov/pub/irs-pdf/fw8ben.pdf)\n\n\nPyth Network adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Known Issue Assurance__\n\nPyth Network commits to providing Known Issue Assurance to bug submissions through their program. This means that Pyth Network will either disclose known issues publicly, or at the very least, privately to reporters who we believe have discovered a duplicate bug report. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n\n__Previous Audits__\n\nPyth Network’s completed audit reports can be found at https://github.com/pyth-network/audit-reports. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract","Websites and Applications"],"project":"Pyth Network","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. 
](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Smart Contract Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of 250 000 USDC. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted.  For the avoidance of doubt, directly affected funds calculation does not include downstream protocols or users of the Pyth protocol or any effects on the $PYTH token price.\n\n__Reward Calculation for Critical Websites and Applications Reports__\n\nFor Critical web/apps bug reports will be rewarded with **USD 50 000**, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Unauthorized minting of tokens on-chain\n- Private key or private key generation leakage leading to unauthorized access to user funds\n- The impact occurs on a user facing application, generally hosted under pyth.network\n\nAll other impacts that would be classified as **Critical** would be rewarded a flat amount of **USD 30 000**.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. 
Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Smart Contract Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded up to $50,000 USDC depending on the funds at risk, capped at the maximum high reward.  \n\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Calculation for High Websites and Applications Reports__\n\nFor High web/app impacts, the maximum reward of **USD 20 000** will only be paid out for issues that affect our main user-facing applications, generally hosted under pyth.network.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Pyth Data Association directly and are denominated in USD. However, payments are done in USDC. \n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"pythnetwork","tenPercentEconomicRule":false,"updatedDate":"2025-04-16T17:41:22.128Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Pyth Network is the largest and fastest-growing first-party oracle network. 
Pyth delivers real-time market data to financial dApps across 50+ blockchains and provides 380+ low-latency price feeds across cryptocurrencies, equities, ETFs, FX pairs, and commodities.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. 
Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"For the Pyth Express Relay Auction Server, only exploits that lead to the loss of funds for users (not searchers) in market orders are considered in scope (i.e. the `/v1/opportunities/quote` endpoint). All other exploits will not be considered.\n\nFor all other components, which means all except Pyth Express Relay Auction Server, the following impacts are out of scope.\n***existing/default list of out-of-scope impacts***","customProhibitedActivities":[],"impacts":[{"id":4861,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":4862,"type":"smart_contract","severity":"high","title":"Software flaws in the on-chain program cause Pyth to publish an inaccurate price when ≥ 3/4 of the contributing publishers are accurate."},{"id":4863,"type":"smart_contract","severity":"high","title":"Exposure of private keys controlled by the PDA or permissionless services"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4864,"type":"smart_contract","severity":"critical","title":"Arbitrarily manipulate Pyth oracle prices or other published values"},{"id":4865,"type":"smart_contract","severity":"critical","title":"Assume ownership of Pyth’s contracts in mainnet"},{"id":4866,"type":"smart_contract","severity":"critical","title":"Locking, loss, or theft of funds staked on Pyth"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with 
already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with 
PoC)"}],"rewards":[{"id":26938,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":26939,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":26940,"severity":"medium","assetType":"smart_contract","maxReward":10000,"minReward":2500,"rewardModel":"range"},{"id":26941,"severity":"low","assetType":"smart_contract","maxReward":2500,"minReward":1000,"rewardModel":"range"},{"id":26942,"severity":"critical","assetType":"websites_and_applications","maxReward":50000,"minReward":20000,"rewardModel":"range","otherImpactMaxReward":30000},{"id":26943,"severity":"high","assetType":"websites_and_applications","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":26944,"severity":"medium","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"},{"id":26945,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"39a0vXb661TBbwxRdihluK","url":"https://api.hibachi.xyz","type":"websites_and_applications","addedAt":"2025-01-08T14:58:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"2d2FxRcOqUmo6paQe1T0K","url":"https://data-api.hibachi.xyz","type":"websites_and_applications","addedAt":"2025-01-08T14:58:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Celestia"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2025-01-08T14:58:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/86uYalXw77xPgt0tHUI79/99bbd4a6580107cb38c51c89c4b0d328/Hibachi.png","maxBounty":20000,"pocPerTypeAndSe
verity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities are prioritized according to severity and/or impact.","productType":["DEX"],"programOverview":"Hibachi is a DeFi trading platform built for professionals, secured by zk math, and powered by Celestia, Risc Zero and Hashflow. For more information about Hibachi, please visit [https://hibachi.xyz/](https://hibachi.xyz/).\n\nHibachi provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the __Rewards by Threat Level__ section.\n\n__KYC Requirement__\n\nHibachi will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list\n- Official contributor, past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n\n__Responsible Publication__\n\nHibachi adheres to **category 3 - Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nHibachi adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. 
\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- Ability to use a single OTP for multiple operations due to race condition\n- Provide Users a Secure Way to Recover their Account After Losing Access to 2FA\n- Implement CSRF for All Requests\n\n__Previous Audits__\n\nHibachi’s completed audit reports can be found at [WebApp & API Pentest - Whitebox Audit.pdf](https://drive.google.com/file/d/1WcpB5CDJw7sjYDbNyw7nDDiZKWdLkRbW/view). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Hibachi has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Websites and Applications"],"project":"Hibachi","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\nCritical web/app bug reports will be rewarded with **USD $40,000** only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nRewards are subject to adjustment based on the nature of the vulnerability, exploitability, and how practical the attack vector is in a real-world scenario.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Hibachi team directly and are denominated in USD. However, payments are done in USDC on Ethereum.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.\n\nThe assessment of the extent of any potential indirect economic damage, defined as damage other than that evidenced by a PoC that showcases the direct exploitation of the vulnerability leading to impact, is at the full discretion of the Project. This decision is final and non-negotiable. Rewards are based on severity, impact, and report quality.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"hibachi","tenPercentEconomicRule":false,"updatedDate":"2025-04-08T14:37:35.770Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Hibachi is a DeFi trading platform built for professionals, secured by zk math, and powered by Celestia, Risc Zero and Hashflow. For more information about Hibachi, please visit [https://hibachi.xyz/](https://hibachi.xyz/).","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"1. Unauthorized Access & Exploited Attacks\n- Attacks already exploited by the reporter, causing real-world damage.\n- Vulnerabilities requiring access to leaked credentials, API keys, or secrets, unless proven to be actively used in production.\n- Exploits requiring privileged access (e.g., governance, strategist roles), except when the contract is explicitly designed to have no privileged access to affected functions.\n- Attacks requiring access to internal test files, configuration files, or non-production environments, unless explicitly stated as in-scope.\n- Attacks requiring physical access to devices, internal systems, or restricted networks.\n\n2. 
Third-Party & Environmental Limitations\n- Issues in third-party services, infrastructure, or dependencies not owned or managed by Hibachi.\n- Bugs related to outdated software versions beyond Hibachi's control (e.g., unsupported browsers).\n- Attacks relying on the depegging of external stablecoins unless directly caused by a flaw in Hibachi's code.\n- Reflected plain text injection (e.g., URL parameters, paths) without proof of real-world impact.\n  - Note: This does not exclude reflected HTML injection (with or without JavaScript) or persistent plain text injection.\n- Any vulnerability requiring browser bugs for exploitation (e.g., CSP bypass).\n- Server-side non-confidential information disclosure (e.g., IPs, server names, most stack traces).\n- SPF/DMARC misconfigured records without security impact.\n\n3. Social Engineering & User Manipulation\n- Phishing, social engineering, or coercion of Hibachi employees, partners, or users.\n- CSRF vulnerabilities without state-modifying impact (e.g., logout CSRF).\n- Automated testing of services generating excessive traffic (e.g., brute force, spam).\n\n4. Automated Attacks & Service Disruptions\n- Denial of Service (DoS), brute force, or rate-limiting bypass attacks.\n- Captcha bypass using OCR without impact demonstration.\n- DDoS-only attacks with no security relevance.\n- Enumeration of user existence (e.g., checking if an email is registered).\n\n5. 
Theoretical & Non-Exploitable Vulnerabilities\n- Theoretical vulnerabilities without a working proof-of-concept (PoC).\n- Issues requiring in-app user actions that are not part of normal workflows.\n- Impacts requiring access to a victim’s local network (e.g., ARP spoofing, MITM).\n- Lack of SSL/TLS best practices without proven exploitation.\n- Leaked non-sensitive API keys (e.g., Etherscan, Infura, Alchemy).\n- Automated scanner reports without impact demonstration.\n- Missing HTTP headers or cookie flags (e.g., httponly, X-FRAME-OPTIONS) unless leading to an exploitable vulnerability.\n- UX/UI-related bugs that do not materially impact security.\n- Non-future-proof NFT rendering vulnerabilities.","customProhibitedActivities":[],"impacts":[{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying 
transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying 
browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, etc."},{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:\n- Locking up the victim from login\n- Cookie bombing, etc."}],"rewards":[{"id":23055,"severity":"critical","assetType":"websites_and_applications","maxReward":20000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":23056,"severity":"high","assetType":"websites_and_applications","maxReward":5000,"minReward":2500,"rewardModel":"range"},{"id":23057,"severity":"medium","assetType":"websites_and_applications","maxReward":2500,"rewardModel":"up_to"},{"id":23058,"severity":"low","assetType":"websites_and_applications","maxReward":1000,"rewardModel":"up_to"}],"audits":[{"id":"2jC25J3PUT5EWJ3KbihINy","url":"https://drive.google.com/file/d/1WcpB5CDJw7sjYDbNyw7nDDiZKWdLkRbW/view","auditor":"Halborn","date":"2024-08-10"}]},{"assets":[{"id":"1tMlkjWqhWtajFQqqXs1Gx","url":"https://github.com/shardeum/validator-gui/tree/itn4","type":"websites_and_applications","addedAt":"2025-01-15T21:45:00.000Z","revision":2,"description":"WebApp - - 7313","isPrimacyOfImpact":null},{"id":"23FDMXtxRH47E7PBPDqYIj","url":"https://github.com/shardeum/validator-cli/tree/itn4","type":"websites_and_applications","addedAt":"2025-01-15T21:45:00.000Z","revision":2,"description":"Command line app - 2051","isPrimacyOfImpact":null},{"id":"2sj6azi1QKbu3NiyIGqqVk","url":"https://github.com/shardeum/archive-server/tree/itn4","type":"websites_and_applications","addedAt":"2025-01-15T21:45:00.000Z","revision":2,"description":"WebApp - 
14144","isPrimacyOfImpact":null},{"id":"4CIVRMfv0ub6OtOOhwt0ka","url":"https://github.com/shardeum/json-rpc-server/tree/itn4","type":"websites_and_applications","addedAt":"2025-01-15T21:45:00.000Z","revision":2,"description":"WebApp - 8015","isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Known Issue Assurance__\n\nShardeum commits to providing Known Issue Assurance to bug submissions through their program. This means that Shardeum will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nShardeum adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. 
\n\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Shardeum has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/11ltDwfWK0Ow799N_FY9oZ8Bpk8Oynj5p?usp=sharing). \n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/shardeum-ancillaries-iii)","boostedIntroLive":"","boostedIntroStartingIn":"A total of $100,000 USD in rewards is available for identifying bugs in Shardeum Ancillaries III. 
This scope is limited to the Web2 components of the project.\n\nNo KYC is required.\n\nAny technical questions can be asked directly to the Shardeum technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"shardeum-ancillaries-iii-audit-competition\" channel.\n\nShardeum will record a technical walkthrough, which will then be shared in the Immunefi Discord.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedLeaderboard":[{"high":0,"name":"Blockian","critical":3,"earnings":49315,"insights":1,"mediumLow":0,"totalValidBugs":3},{"high":0,"name":"periniondon630","critical":3,"earnings":31936,"insights":0,"mediumLow":0,"totalValidBugs":3},{"high":0,"name":"ZhouWu","critical":1,"earnings":9836,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"anton_quantish","critical":0,"earnings":5542,"insights":0,"mediumLow":4,"totalValidBugs":4},{"high":0,"name":"Franfran","critical":0,"earnings":2197,"insights":1,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"riproprip","critical":0,"earnings":675,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"br0nz3p1ck4x3","critical":0,"earnings":500,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1cuZEwk7e163gcIe0a-AGLnpvOd0eJlZj/view","ecosystem":["Shardeum"],"endDate":"2025-02-12T17:00:00.000Z","evaluationEndDate":"2025-03-31T17:47:10.219Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Typescript"],"launchDate":"2025-01-15T21:45:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/50jbsPjqHgWEHZN7KZIjiB/396901905d4d1515ab3c0aaa9fc5bcc4/4B19YQz__400x400.png","maxBounty":100000,"outOfScopeAndRules":"Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \nBugs from previous bounties are in scope unless explicitly said otherwise. Reports 33428, 33655, 33963, 34508, 33576, 34053, 36024, 36025, 36025 are OOS.\n\n[https://reports.immunefi.com/shardeum-ancillaries](https://reports.immunefi.com/shardeum-ancillaries-ii)\n[https://reports.immunefi.com/shardeum-ancillaries-ii](https://reports.immunefi.com/shardeum-ancillaries-ii)","pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the impacts listed in this program are accepted within this AC program.  All other impacts are not considered as in-scope, even if they affect something in the assets in scope table","productType":["Services","Validator"],"programOverview":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever while maintaining true decentralization and (hopefully) solid security. Shardeum is a large project and as such, will be split over two concurrent boosts. This boost, called Ancillaries III, will cover the Web2 aspects of the project. This will cover four components: The validator GUI, validator CLI, Archive Server, and the RPC server.\n\nThis Audit Competition is running on testnet. The following conditions apply:\n\n- Shardeum team will freeze the codebase during the duration of the Audit Competition\n- Duplicates are rewarded\n\nShardeum provides rewards in USDC, denominated in USD. 
\n\nFor more information about Shardeum, please visit [https://shardeum.org/](https://shardeum.org/)","programType":["Websites and Applications"],"project":"Audit Comp | Shardeum: Ancillaries III","projectType":["Blockchain"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Ancillaries III Boost Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31797437799441-Shardeum-Ancillaries-III-Audit-Competition-Reward-Terms)\n\n\nThe reward pool will be entirely distributed among participants. The size depends on the bugs found:\n* If one or more Critical severity bugs are found, **the reward pool will be 100% of the respective reward pool, $100,000 USD**\n* If one or more High severity bugs are found, the **reward pool will be 75% of the respective reward pool, $75,000 USD** \n* If one or more Medium severity bugs are found, **the reward pool will be 50% of the respective reward pool, $50,000 USD**\n* Otherwise, the reward pool will be **25% of the respective reward pool, $25,000 USD**\n\nFor this Audit Competition, duplicates and private known issues are valid for a reward. \n\nPrivate known issues will unlock higher reward pools according to their severity level without any downgrade. For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a Critical severity bug being found.\n\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/) \n\n**Duplicates of Insight reports are not eligible for a reward.** \n\n**Reward Payment Terms**\nPayouts are handled by the Shardeum team directly and are denominated in USD. 
However, payments are done in USDC\n\n**Insight Rewards Payment Terms**\nInsight Rewards: Portion of the Rewards Pool\n\nThe \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights.](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)","rewardsPool":100000,"primaryPool":100000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"audit-comp-shardeum-ancillaries-iii","tenPercentEconomicRule":false,"updatedDate":"2025-03-31T17:47:16.075Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nPOCs should be tested against the most recent changes on the /tree/dev github repo.\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Which parts of the code are you most concerned about?**\nCommunication between the archiver and validators\nCommunication between the RPC and the validators\nThe GUI\n\n**What attack vectors are you most concerned about?**\nPriv escalation from the GUI\nCrashing archivers\nPriv escalation in  archivers. Archivers will not be public at launch\nPriv escalation in RPC\nLoss of data integrity on archive/RPC servers  Ex: changing receipts\n**Which part(s) of the system do you want whitehats to attempt to break the most?**\nArchiver and RPC server. 
We want them to break all of it obviously but we believe these two components need more attention\n\n**What external dependencies are there?**\n\nThings listed in package.json\n\n**Where might Security Researchers confuse out-of-scope code to be in-scope?**\n\nThe default config in the branch is in scope. Whitehats are free to configure, patch, and modify their own malicious hosts however they want. However, target service must be running the default config in the target branch running in production mode. Vulns involving a service attacking itself are not in scope. This is to prevent the whitehats from wasting time reporting things we specifically allow in debug mode. If the researchers can enable debug mode options remotely then that is valid and can be paid out.\nAttacks that require the attacker to own an archive server will have their severity reduced to insight by default, but may be raised at the project’s discretion.\nAttacks that require the network to still be initializing/bootstrapping are out of scope. Wait until the network mode reaches “processing” + 15 cycles after startup before launching attacks. The rules for staking/join are a little different and the network will not be public during this time. Attacks on a network that is repairing itself (was once in “processing” mode but has since degraded to “safety” or “recovery”) are in scope.\nAttacks that require lots of network traffic, large messages, or many connections will be given an severity of “insight”. The project may increase this at our discretion.\n0day vulnerabilities in dependencies will have a max impact of insight. Any other vuln in dependencies is out of scope.\nAny report based on unit tests, simulations, or anything not a fully functioning service, will have a max impact of low.\nSmart contracts and smart contract related code/functions are out of scope\nFinally, the more nodes that are required to launch an attack, the more at risk the vuln is of being downgraded. 
If it takes 33% (for example) of the nodes in the network being malicious to cause damage, then it becomes difficult to distinguish the impact from a brute-force/51% attack, which is completely out of scope.\n\n**Are there any unusual points about your protocol that may confuse Security Researchers?**\n\nThe archive server is designed to store the history of the network. Archivers are not a part of the core protocol, do not have any part in consensus, and do not affect joining/rotation. Another quirk is that currently, the transaction history is not chained. The cycle certificates are chained which contains information like joined and lost nodes per cycle, active nodes, archiver list, standby list, etc. The transaction history will have a Merkle root published while the chaining is developed.","websiteUrl":"https://shardeum.org/","githubUrl":"https://github.com/shardeum","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever while maintaining true decentralization and (hopefully) solid security. Shardeum is a large project and as such, will be split over two concurrent boosts. This boost, called Ancillaries III, will cover the Web2 aspects of the project. This will cover four components: The validator GUI, validator CLI, Archive Server, and the RPC server. 
For more information about Shardeum, please visit [https://shardeum.org/](https://shardeum.org/) \n\n","knownIssues":[{"id":5,"link":"https://drive.google.com/file/d/1H6o8IPtrlTDvr_cfTRhvgr1Vvh4EYwb8/view","description":"Known Issues before BB1","lastUpdatedAt":"2024-12-17T00:00:00.000Z","relatedImpactInScope":"websites_and_applications"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \nBugs from previous bounties are in scope unless explicitly said otherwise. Reports 33428, 33655, 33963, 34508, 33576, 34053, 36024, 36025, 36025 are OOS.\n\n[https://reports.immunefi.com/shardeum-ancillaries](https://reports.immunefi.com/shardeum-ancillaries-ii)\n\n[https://reports.immunefi.com/shardeum-ancillaries-ii](https://reports.immunefi.com/shardeum-ancillaries-ii)\n\n\n**Other Known issues**\n\n- AJV Validation error on archiver can cause missing receipts [https://github.com/shardeum/archiver/blob/bugbounty/src/Data/Collector.ts#L280](https://github.com/shardeum/archiver/blob/bugbounty/src/Data/Collector.ts#L280)\n\n- getTxTimestampBinary endpoint could be used as a memory overflow mechanism [https://github.com/shardeum/core/blob/9dae0abe5232ed532a9285da82118b41a04b3711/src/state-manager/TransactionConsensus.ts#L1796](https://github.com/shardeum/core/blob/9dae0abe5232ed532a9285da82118b41a04b3711/src/state-manager/TransactionConsensus.ts#L1796)\n\n- SQL injection in inputs at https://github.com/shardeum/shardeum/blob/dev/src/storage/sqlite3storage.ts#L257-L289\n\n- Tx data : ( ORIGINAL_TX_DATA) getting saved in originalTxData, processedData and transaction table without any verification 
[https://github.com/shardeum/archiver/blob/cbe1d515e91058d17fa483f84361992cd3d1cf9c/src/archivedCycle/StateMetaData.ts#L156](https://github.com/shardeum/archiver/blob/cbe1d515e91058d17fa483f84361992cd3d1cf9c/src/archivedCycle/StateMetaData.ts#L156)","customProhibitedActivities":[],"impacts":[{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim 
etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, etc."},{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:\n- Locking up the victim from login\n- Cookie bombing, etc."},{"id":5284,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website"},{"id":5286,"type":"websites_and_applications","severity":"medium","title":"Subdomain takeover without already-connected wallet interaction"},{"id":5287,"type":"websites_and_applications","severity":"medium","title":"RPC API crash affecting projects with greater than or equal to 25% of the 
market capitalization on top of the respective layer"},{"id":5288,"type":"websites_and_applications","severity":"medium","title":"Injection of malicious HTML or XSS through metadata"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true}],"audits":[{"id":"1LdgNqdnEosXZIK0TDXW8K","url":"https://reports.immunefi.com/shardeum-ancillaries","auditor":"Immunefi","date":"2024-08-14"},{"id":"2u2ne92N780VjqSsruy0X9","url":"https://reports.immunefi.com/shardeum-ancillaries-ii","auditor":"Immunefi","date":"2024-10-16"},{"id":"7cYyx5S4ct0NnNUl6LSClM","url":"https://docs.google.com/document/d/1OlmijVY2ga_7QEe8DYU-NTEXfAqMRpuwlduIofjmEwA","auditor":"Arcadia","date":"2024-02-23"},{"id":"7L38JwR6JKQ5Rf0VRlPFAM","url":"https://docs.google.com/document/d/1n11d40JZYgL33-F-Lw6FMuBP9AJSXvyg-xBpJhwOkUE","auditor":"HashCloak","date":"2024-04-16"}]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"","boostedIntroFinished":"Invite-Only-Program cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1oUpt-4gLND-g4xQbzCCDbUmM9psCSu2Z). 
The amounts show $5K in guaranteed rewards per SR and a $15K reward pool distributed according to the [Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/zano-iop).","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[{"high":1,"name":"jovi","critical":0,"earnings":14533,"insights":2,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Blockian","critical":0,"earnings":467,"insights":2,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1R8jcc5_vFfCdR4jAmtfEGvmCoa2j0dJe/view","ecosystem":null,"endDate":"2025-03-10T14:00:00.000Z","evaluationEndDate":"2025-03-26T14:00:00.000Z","features":["IOP (Invite Only Program)"],"hideAssetsInScope":true,"immunefiStandard":true,"inviteOnly":true,"kyc":true,"language":["C/C++"],"launchDate":"2025-02-17T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2UvftJe7XYAVH926tVd3Yq/e2c7302dea7cc9dd5caebc6f88993f56/zano.png","maxBounty":25000,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are concerned the most about implementation of cryptography and core rules(Bulletproofs, CLSAG etc). 
concentrated mostly in [https://github.com/hyle-team/zano/tree/master/src/crypto](https://github.com/hyle-team/zano/tree/master/src/crypto)\n\nMost concerning attack vectors are:\n- Emission bugs (printing coins out of air)\n- Consensus bugs (double spend attack vectors, PoS grinding attacks)","productType":["L1"],"programOverview":"Zano is the development of a scalable and secure coin, designed for use in e-commerce. The technology behind our blockchain provides reliability, security, and flexibility—a perfect option for P2P transactions.\n\nFor more information about Zano, please visit [https://zano.org/](https://zano.org/).\n\nZano rewards are denominated in USD and distributed in USDC on Ethereum","programType":["Blockchain/DLT","Websites and Applications"],"project":"IOP | Zano","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).\n\nTotal budget: $25,000 broken down as follows:\n\n**Reward pool:**\n\nIf bugs are found → USD $15k (see [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms))\n\nIf only Insights are found → USD $1,35k (9% of the Reward pool)\n\n**Guaranteed rewards:**\n$5k per SR → $10k total (for 2 SRs)\n\nDuplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.\n\n**Proof of Concept (PoC) Requirements**\n\nFor this program, runnable PoC code is not required. 
Whitehats are instead required to write a step-by-step explanation of the PoC and impact.","rewardsPool":25000,"primaryPool":25000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"iop-zano","tenPercentEconomicRule":false,"updatedDate":"2025-03-26T17:01:27.321Z","impactsBody":"**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**\n\nWe are concerned the most about implementation of cryptography and core rules (Bulletproofs, CLSAG etc). \n\nMost concerning attack vectors are:\n- Emission bugs (printing coins out of air)\n- Consensus bugs (double spend attack vectors, PoS grinding attacks)\n\n**What external dependencies are there?**\n\nBoost and OpenSSL\n\n**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc**\n\nThis repository contains papers that describe math behind the project:  [https://github.com/hyle-team/docs/tree/master/zano](https://github.com/hyle-team/docs/tree/master/zano)","websiteUrl":"https://zano.org/","githubUrl":"https://github.com/hyle-team/zano","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Zano is the development of a scalable and secure coin, designed for use in e-commerce. The technology behind our blockchain provides reliability, security, and flexibility—a perfect option for P2P transactions.\n\nFor more information about Zano, please visit [https://zano.org/](https://zano.org/).\n\nZano rewards are denominated in USD and distributed in USDC on Ethereum","knownIssues":[{"id":31,"link":"https://github.com/immunefi-team/zano-iop","description":"Any attacks related to lock time in transaction are out of scope. We removed this parameter from API but it still possible to create transaction with locked outputs. we are aware of this situation and it’s known to exist. 
Also, the default wallet behaviour is ignoring such transactions.","lastUpdatedAt":"2025-02-13T00:00:00.000Z","relatedImpactInScope":"websites_and_applications"}],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":36,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:\n- /etc/shadow\n- database passwords\n- blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":38,"type":"websites_and_applications","severity":"critical","title":"Taking down the NFT 
URI"},{"id":39,"type":"websites_and_applications","severity":"critical","title":"Taking and/modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:\n- Changing registration information\n- Commenting\n- Voting\n- Making trades\n- Withdrawals, etc."},{"id":40,"type":"websites_and_applications","severity":"critical","title":"Changing NFT metadata"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":43,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:\n- Modifying transaction arguments or parameters\n- Substituting contract addresses\n- Submitting malicious transactions"},{"id":44,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user NFTs"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"},{"id":46,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:\n- HTML injection without JavaScript\n- Replacing existing text with arbitrary text\n- Arbitrary file uploads, etc."},{"id":47,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Email\n- Password of the victim etc."},{"id":48,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:\n- Email address\n- Phone number\n- Physical address, etc."},{"id":50,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) 
without already-connected wallet interaction and with up to one click of user interaction, such as:\n- Changing the first/last name of user\n- Enabling/disabling notifications"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":51,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:\n- Reflected HTML Injection\n- Loading external site data"},{"id":53,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:\n- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":54,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:\n- Social media handles, etc."},{"id":55,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:\n- Locking up the victim from login\n- Cookie bombing, etc."},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing 
network processing nodes to process transactions from the mempool beyond set parameters"},{"id":8,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting programs with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"}],"rewards":[{"level":"critical","payout":"portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"critical","payout":"portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"high","payout":"portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"medium","payout":"portion of the Reward 
Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"low","payout":"portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true}],"audits":[]},{"assets":[{"id":"1JiuXBKQfiHDxGjHbd5Wbv","url":"https://etherscan.io/address/0x947Cb49334e6571ccBFEF1f1f1178d8469D65ec7","type":"smart_contract","addedAt":"2024-08-02T08:21:31.239Z","revision":1,"description":"LRT Config","isPrimacyOfImpact":null},{"id":"1vrepWjGhkg9BUbgftYT1H","url":"https://etherscan.io/address/0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7","type":"smart_contract","addedAt":"2024-08-02T08:21:51.141Z","revision":1,"description":"rsETH","isPrimacyOfImpact":null},{"id":"6tKW7zh2pt3BBWNs8J6cM6","url":"https://etherscan.io/address/0x036676389e48133B63a802f8635AD39E752D375D","type":"smart_contract","addedAt":"2024-08-02T08:22:05.830Z","revision":1,"description":"LRT Deposit Pool","isPrimacyOfImpact":null},{"id":"6NHj3YaxMfMCVQE3hjiznN","url":"https://etherscan.io/address/0x349A73444b1a310BAe67ef67973022020d70020d","type":"smart_contract","addedAt":"2024-08-02T08:22:17.584Z","revision":1,"description":"LRT 
Oracle","isPrimacyOfImpact":null},{"id":"29cYBk2DvyF0PK9gyY8UNh","url":"https://etherscan.io/address/0x3D08ccb47ccCde84755924ED6B0642F9aB30dFd2","type":"smart_contract","addedAt":"2024-08-02T08:23:03.053Z","revision":1,"description":"EthXPriceOracle","isPrimacyOfImpact":null},{"id":"6U8JUrQrXCK0CyZJx9JR1C","url":"https://etherscan.io/address/0xdbc3363de051550d122d9c623cbaff441afb477c","type":"smart_contract","addedAt":"2024-08-02T08:23:20.682Z","revision":1,"description":"FeeReceiver","isPrimacyOfImpact":null},{"id":"5evodQd1ZYxTWAdmg6pKRs","url":"https://etherscan.io/address/0x598dbcb99711e5577ff76ef4577417197b939dfa","type":"smart_contract","addedAt":"2024-08-02T08:24:02.315Z","revision":1,"description":"LRTConverter","isPrimacyOfImpact":null},{"id":"69wEkrlSuIrspYLqLH8Pvx","url":"https://etherscan.io/address/0x62De59c08eB5dAE4b7E6F7a8cAd3006d6965ec16","type":"smart_contract","addedAt":"2024-08-02T08:24:16.464Z","revision":2,"description":"LRTWithdrawalManager","isPrimacyOfImpact":null},{"id":"69D12tv2JaXDah7b4I0jM9","url":"https://etherscan.io/address/0xc66830e2667bc740c0bed9a71f18b14b8c8184ba","type":"smart_contract","addedAt":"2024-08-02T08:24:31.914Z","revision":1,"description":"LRTUnstakingVault","isPrimacyOfImpact":null},{"id":"6NrWiZCQh24dqIYupxFrJu","url":"https://etherscan.io/address/0x07b96cf1183c9bff2e43acf0e547a8c4e4429473","type":"smart_contract","addedAt":"2024-08-02T08:25:31.915Z","revision":1,"description":"NodeDelegator","isPrimacyOfImpact":null},{"id":"4fwcwSUGQwRqhiah9uDlG","url":"https://kelpdao.xyz/restake","type":"websites_and_applications","addedAt":"2024-08-02T08:25:44.480Z","revision":1,"description":"Restaking","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Arbitration"],"hideAssetsInScope":null,"immunefiStandard":tr
ue,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2024-08-02T00:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/45teNS8w4f7XgiQvJnl82R/aafacb2bdce0fe3bbaf3b4453ad422ab/IwyLpOfL_400x400.png","maxBounty":250000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Liquid Restaking"],"programOverview":"Kelp DAO is a a multichain liquid restaking platform with $1B+ in TVL. \n\nFor more information about Kelp DAO, please visit [https://kelpdao.xyz/](https://kelpdao.xyz/)\n\nKelp DAO provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the __Rewards by Threat Level__ section further below. \n\n__KYC Requirement__ \n\nKelp DAO will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n- Eligibility Criteria \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nKelp DAO adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. 
\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nKelp DAO’s completed audit reports can be found at [https://kelp.gitbook.io/kelp/audits](https://kelp.gitbook.io/kelp/audits). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Kelp DAO has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract","Websites and Applications"],"project":"Kelp DAO","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 250 000. \n\nThe calculation of the amount of funds at risk is based on the time and date the bug report is submitted. \n\nHowever, a minimum reward of USD 100 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. \n\nThis is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. 
\n\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. \n\nThis is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 50 000 to USD 100 000  depending on the funds at risk, capped at the maximum high reward.  \n\n__Reward Calculation for Medium Level Reports__\n\nMedium vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 11 000 to USD 50 000   depending on the funds at risk, capped at the maximum medium reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. \n\nThis is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nFor critical web/apps bug reports will be rewarded with USD 100 000, only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 20 000. The rest of the severity levels are paid out according to the Impact in Scope table.  
\n\n__Reward Payment Terms__\n\nPayouts are handled by the Kelp DAO team directly and are denominated in USD. However, payments are done in USDC on Ethereum\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"kelp-dao","tenPercentEconomicRule":false,"updatedDate":"2025-03-21T10:29:19.016Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":40,"type":"websites_and_applications","severity":"critical","title":"Changing NFT metadata"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":5035,"type":"smart_contract","severity":"low","title":"Block stuffing"},{"id":5037,"type":"websites_and_applications","severity":"low","title":"Changing details of users (including modifying 
browser local storage) without already-connected wallet interaction and with significant user interaction, such as:  Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)"},{"id":5038,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:  Social media handles, etc."},{"id":5039,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:  Locking up the victim from login Cookie bombing, etc."},{"id":5040,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover with already-connected wallet interaction"},{"id":5041,"type":"websites_and_applications","severity":"high","title":"Injection of malicious HTML or XSS through metadata"},{"id":5042,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript Replacing existing text with arbitrary text Arbitrary file uploads, etc"},{"id":5043,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email Password of the victim etc."},{"id":5044,"type":"smart_contract","severity":"medium","title":"Permanent freezing of unclaimed yield"},{"id":5045,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds"},{"id":5046,"type":"websites_and_applications","severity":"medium","title":"Taking down the application/website"},{"id":5047,"type":"websites_and_applications","severity":"medium","title":"Improperly disclosing confidential user information, such as:  Email address Phone number Physical address, etc."},{"id":5050,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive 
data/files from a running server, such as:   /etc/shadow database passwords blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":5051,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information Commenting Voting Making trades Withdrawals, etc."},{"id":5052,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters Substituting contract addresses Submitting malicious transactions"},{"id":5432,"type":"websites_and_applications","severity":"low","title":"Changing non-sensitive details of users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Changing the first/last name of user Enabling/disabling notifications"},{"id":5433,"type":"websites_and_applications","severity":"low","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection Loading external site data"},{"id":5434,"type":"websites_and_applications","severity":"low","title":"Redirecting users to malicious websites (open 
redirect)"}],"rewards":[{"id":15434,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":15435,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":50000,"rewardModel":"range"},{"id":15436,"severity":"medium","assetType":"smart_contract","maxReward":50000,"minReward":11000,"rewardModel":"range"},{"id":15437,"severity":"low","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":15438,"severity":"critical","assetType":"websites_and_applications","maxReward":25000,"minReward":10000,"rewardModel":"range","otherImpactMaxReward":20000},{"id":15439,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":15440,"severity":"medium","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"},{"id":15441,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"49OY3hUekSvHIJapGx7UKv","url":"https://etherscan.io/address/0xd5F7838F5C461fefF7FE49ea5ebaF7728bB0ADfa","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"mETH Token 
L1","isPrimacyOfImpact":null},{"id":"37m98keRlNBTDXKyHueDfE","url":"https://etherscan.io/address/0xe3cBd06D7dadB3F4e6557bAb7EdD924CD1489E8f","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"Staking","isPrimacyOfImpact":null},{"id":"4sRLIVbU6rER35yGjrd7Jt","url":"https://etherscan.io/address/0x38fDF7b489316e03eD8754ad339cb5c4483FDcf9","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"UnstakeRequestsManager","isPrimacyOfImpact":null},{"id":"7JqZIEPDoK0coggJOZasoE","url":"https://etherscan.io/address/0x8735049F496727f824Cc0f2B174d826f5c408192","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"Oracle","isPrimacyOfImpact":null},{"id":"gYpPymDelDthKYa0SpJBf","url":"https://etherscan.io/address/0x92e56d2146D54d5AEcB25CA36c89D027a6ea0D90","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"OracleQuorumManager","isPrimacyOfImpact":null},{"id":"6Qt22htDNfYHPB0nH2Uqig","url":"https://etherscan.io/address/0x1766be66fBb0a1883d41B4cfB0a533c5249D3b82","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"ReturnsAggregator","isPrimacyOfImpact":null},{"id":"EpkmvStN6u4CT2Cdb4GFx","url":"https://etherscan.io/address/0xD4e11C28E04c0c2bf370b7a9989498B7eA02493f","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"ConsensusLayerReceiver","isPrimacyOfImpact":null},{"id":"5nKV3q03XTMkh84CuUM6Ho","url":"https://etherscan.io/address/0xD6E4aA932147A3FE5311dA1b67D9e73da06F9cEf","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"ExecutionLayerReceiver","isPrimacyOfImpact":null},{"id":"4rfw9HXMp3IjbTp3dphBl8","url":"https://etherscan.io/address/0x29Ab878aEd032e2e2c86FF4A9a9B05e3276cf1f8","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"Pauser","isPrimacyOfImpact":null},{"id":"6QXO4Eph31e37Ox1pvNM
MR","url":"https://explorer.mantle.xyz/address/0xcDA86A272531e8640cD7F1a92c01839911B90bb0","type":"smart_contract","addedAt":"2023-11-28T14:00:00.000Z","revision":1,"description":"mETH Token L2","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-11-28T14:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5TuHbYiYuIs9pkt4uXgpYi/e3de325d4dccda8d68e8a4cc61e95050/mantle.png","maxBounty":500000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"mETH Protocol is a permissionless, non-custodial ETH liquid staking protocol deployed on Ethereum L1 and[ governed by mETH Protocol. ](https://docs.mantle.xyz/governance/introduction/overview)Mantle Staked Ether (mETH) serves as the value-accumulating receipt token.\n\nmETH Protocol Bug Bounty Program is a program designed to incentivize security researchers to identify and report vulnerabilities in the mETH Protocol. The program is open to all security researchers, regardless of experience or affiliation.\n\nFor more information about mETH Protocol, please visit [https://docs.mantle.xyz/meth/introduction/overview](https://docs.mantle.xyz/meth/introduction/overview)\n\nmETH Protocol provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nmETH Protocol adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Known Issue Assurance__\n\nmETH Protocol commits to providing Known Issue Assurance to bug submissions through their program. This means that mETH Protocol will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\nKnown issues:\n- [https://github.com/lidofinance/lido-dao/issues/803](https://github.com/lidofinance/lido-dao/issues/803)\n\n__Previous Audits__\n\nmETH Protocol’s completed audit reports can be found at [https://docs.mantle.xyz/meth/security/audits.](https://docs.mantle.xyz/meth/security/audits) Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, mETH Protocol has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Smart Contract"],"project":"mETH Protocol","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. 
](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 500 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 100 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may have not have significant monetary value today, but could still be damaging to the project if it goes unaddressed.   \n- In the event of temporary freezing, the reward increases at a multiplier of two from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lenghents, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.    
\n\n__Reward Payment Terms__\n\nPayouts are handled by the mETH Protocol team directly and are denominated in USD. However, payments are done in USDC","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"mETH","updatedDate":"2025-03-18T13:56:04.710Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"mETH Protocol is a permissionless, non-custodial ETH liquid staking protocol deployed on Ethereum L1 and[ governed by mETH Protocol. ](https://docs.mantle.xyz/governance/introduction/overview)Mantle Staked Ether (mETH) serves as the value-accumulating receipt token. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Any issues identified in Published Audits [https://docs.mantle.xyz/meth/security/audits](https://docs.mantle.xyz/meth/security/audits)\n- Impact of future improper configuration of contracts that are not deployed\n- Impacts from an assumption of a malicious majority of oracles\n- Gas optimization","customProhibitedActivities":[],"impacts":[{"id":4590,"type":"smart_contract","severity":"high","title":"Protocol insolvency"},{"id":4591,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield or tokenized staking yield"},{"id":4592,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed or tokenized staking yield"},{"id":4593,"type":"smart_contract","severity":"high","title":"Acquiring owner/admin rights without contract’s owner/admin action"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4594,"type":"smart_contract","severity":"medium","title":"Susceptibility to frontrunning"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":4595,"type":"smart_contract","severity":"critical","title":"Permanent freezing of staked funds"}],"rewards":[{"id":22032,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":22033,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range"},{"id":22034,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"NnkiRaKDIZXqSwEWnqJ17","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/IArbToken.sol","type":"smart_contract","addedAt":"2022-05-10T16:01:47.069Z","revision":2,"description":"IArbToken.sol ","isPrimacyOfImpact":null},{"id":"3FjjPKlf857sH5WHkXq0M2","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/L2ArbitrumMessenger.sol","type":"smart_contract","addedAt":"2022-05-10T16:01:49.730Z","revision":2,"description":"L2ArbitrumMessenger.sol 
","isPrimacyOfImpact":null},{"id":"1hwaPsfAf15N5VN9oHTk6y","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/StandardArbERC20.sol","type":"smart_contract","addedAt":"2022-05-10T16:01:50.781Z","revision":2,"description":"StandardArbERC20.sol","isPrimacyOfImpact":null},{"id":"64ACCcri1jAu9GeAbig1F7","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/gateway/L2ArbitrumGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:01:52.872Z","revision":2,"description":"L2ArbitrumGateway.sol ","isPrimacyOfImpact":null},{"id":"7vSaGvy2yJYsEJpcssqw2l","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/gateway/L2CustomGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:01:53.913Z","revision":2,"description":"L2CustomGateway.sol ","isPrimacyOfImpact":null},{"id":"2BGhceZfGItIxILEKwHNt4","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/gateway/L2ERC20Gateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:01:54.882Z","revision":2,"description":"L2ERC20Gateway.sol ","isPrimacyOfImpact":null},{"id":"5HV8kOhd0tAHcw0RsyoipW","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/gateway/L2GatewayRouter.sol","type":"smart_contract","addedAt":"2022-05-10T16:01:56.921Z","revision":2,"description":"L2GatewayRouter.sol","isPrimacyOfImpact":null},{"id":"53Q9LmoRbpaeVkCayFQZMp","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/gateway/L2WethGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:01:57.947Z","revision":2,"description":"L2WethGateway.sol 
","isPrimacyOfImpact":null},{"id":"27zTSQkmGhriUVmWtqIIU3","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/ICustomToken.sol","type":"smart_contract","addedAt":"2022-05-10T16:01:59.272Z","revision":2,"description":"ICustomToken.sol ","isPrimacyOfImpact":null},{"id":"5DhmgJfeG8XOoT4BTUXbKF","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/L1ArbitrumMessenger.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:00.275Z","revision":2,"description":"L1ArbitrumMessenger.sol ","isPrimacyOfImpact":null},{"id":"2Oa2Ylxpu6A1iZIqIuKBC9","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/L1ArbitrumExtendedGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:01.354Z","revision":2,"description":"L1ArbitrumExtendedGateway.sol","isPrimacyOfImpact":null},{"id":"2Td1ADOtNm12nbxfZySVqt","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/L1ArbitrumGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:02.440Z","revision":2,"description":"L1ArbitrumGateway.sol ","isPrimacyOfImpact":null},{"id":"oiisAsw0bhhU5pbzXGzNG","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/L1CustomGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:04.773Z","revision":2,"description":"L1CustomGateway.sol","isPrimacyOfImpact":null},{"id":"6LmNa6fVHyiD4GUPPkblB5","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/L1ERC20Gateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:05.744Z","revision":2,"description":"L1ERC20Gateway.sol 
","isPrimacyOfImpact":null},{"id":"30aPt5C1Tsaahcj9Ad55Td","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/L1GatewayRouter.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:06.778Z","revision":2,"description":"L1GatewayRouter.sol ","isPrimacyOfImpact":null},{"id":"3M4KQihMa1kjHHkup72Dwq","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/L1WethGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:07.791Z","revision":2,"description":"L1WethGateway.sol ","isPrimacyOfImpact":null},{"id":"5jANFdJCbH4DOQnYw9Pjjb","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/BytesParser.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:11.818Z","revision":2,"description":"BytesParser.sol ","isPrimacyOfImpact":null},{"id":"21YaUroknQoyVXURbzaq4R","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/ClonableBeaconProxy.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:15.873Z","revision":2,"description":"ClonableBeaconProxy.sol ","isPrimacyOfImpact":null},{"id":"6Rt0vvjEMOLsCHKw3rrLA0","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/ITransferAndCall.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:17.514Z","revision":2,"description":"ITransferAndCall.sol ","isPrimacyOfImpact":null},{"id":"3njGfvfCSlxPmObI9ljUtD","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/L2GatewayToken.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:19.623Z","revision":2,"description":"L2GatewayToken.sol 
","isPrimacyOfImpact":null},{"id":"5AWKcPKsviUJVhR0xUMWEw","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/TransferAndCallToken.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:20.653Z","revision":2,"description":"TransferAndCallToken.sol ","isPrimacyOfImpact":null},{"id":"1DUcDZUkh8QBtm2q8NK4xQ","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/aeERC20.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:22.679Z","revision":2,"description":"aeERC20.sol ","isPrimacyOfImpact":null},{"id":"4WCAflcoV7X6J48IzgnjUJ","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/aeWETH.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:26.884Z","revision":2,"description":"aeWETH.sol","isPrimacyOfImpact":null},{"id":"1gkzYkeH7xkZOP2zPURSFj","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/gateway/GatewayMessageHandler.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:29.839Z","revision":2,"description":"GatewayMessageHandler.sol ","isPrimacyOfImpact":null},{"id":"ZOYGfzj7s2FDfCYktajLX","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/gateway/GatewayRouter.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:30.817Z","revision":2,"description":"GatewayRouter.sol 
","isPrimacyOfImpact":null},{"id":"V1zsOLltqXCyXFzhPcJXk","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/gateway/ICustomGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:32.877Z","revision":2,"description":"ICustomGateway.sol","isPrimacyOfImpact":null},{"id":"3kAUrQ4IFtWdg4lMGgMoHZ","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/gateway/ITokenGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:33.889Z","revision":2,"description":"ITokenGateway.sol ","isPrimacyOfImpact":null},{"id":"16vr5IDcVwqoVOd0sDopka","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/gateway/TokenGateway.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:34.903Z","revision":2,"description":"TokenGateway.sol ","isPrimacyOfImpact":null},{"id":"kqdI7RCc8lvu84gL3MVQp","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/Machine.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:35.959Z","revision":3,"description":"Machine.sol","isPrimacyOfImpact":null},{"id":"5KH2K2SNEoAOyJ2BR4Ycm0","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/Value.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:37.013Z","revision":3,"description":"Value.sol ","isPrimacyOfImpact":null},{"id":"6J1Iwxwi4I5inYRIJqmqkU","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/Bridge.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:39.006Z","revision":3,"description":"Bridge.sol ","isPrimacyOfImpact":null},{"id":"2rAqu6GvadvLEt8JFfwZ1L","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/Inbox.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:39.984Z","revision":3,"description":"Inbox.sol 
","isPrimacyOfImpact":null},{"id":"7vAqHJybwbOvwcLrLb1J4u","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/Messages.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:42.487Z","revision":3,"description":"Messages.sol ","isPrimacyOfImpact":null},{"id":"Ekh273Jw6FAOz7GAGcO37","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/Outbox.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:43.753Z","revision":3,"description":"Outbox.sol ","isPrimacyOfImpact":null},{"id":"6gpR3PktxrWgxEJVd9fGY3","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/SequencerInbox.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:45.805Z","revision":3,"description":"SequencerInbox.sol ","isPrimacyOfImpact":null},{"id":"5kaIBVRpoPyIOUybqMF4WG","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/IBridge.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:47.255Z","revision":3,"description":"IBridge.sol ","isPrimacyOfImpact":null},{"id":"4BTJtkPwM1w9PlmfOh4m01","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/IInbox.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:48.222Z","revision":3,"description":" IInbox.sol ","isPrimacyOfImpact":null},{"id":"6IufocYbEJPrRMOS7FVXMd","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/IOutbox.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:49.207Z","revision":3,"description":"IOutbox.sol ","isPrimacyOfImpact":null},{"id":"63flkSTgWJsEyvZNwx4V7A","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/ISequencerInbox.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:50.255Z","revision":3,"description":"ISequencerInbox.sol 
","isPrimacyOfImpact":null},{"id":"3fHnsXHCKa1SlYwdryJN1U","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/BytesLib.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:52.317Z","revision":2,"description":"BytesLib.sol ","isPrimacyOfImpact":null},{"id":"3IXcPpxiGZqeULWJDjG5zI","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/Cloneable.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:53.374Z","revision":2,"description":"Cloneable.sol ","isPrimacyOfImpact":null},{"id":"21WycrkqLxDh9ULyDowfdY","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/ICloneable.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:54.454Z","revision":2,"description":" ICloneable.sol ","isPrimacyOfImpact":null},{"id":"2bnytSHl0jXRo2qgudwALd","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/MerkleLib.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:55.517Z","revision":3,"description":"MerkleLib.sol ","isPrimacyOfImpact":null},{"id":"2GaK6oa7uAfFHGghEMATsT","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/Whitelist.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:56.556Z","revision":2,"description":"Whitelist.sol","isPrimacyOfImpact":null},{"id":"2qj2YvLotg1nE2jzQV0Umg","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/BridgeCreator.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:57.754Z","revision":3,"description":"BridgeCreator.sol ","isPrimacyOfImpact":null},{"id":"xLWBvm4izneY2UCzD3fGD","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/IRollupCore.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:58.835Z","revision":3,"description":"IRollupCore.sol 
","isPrimacyOfImpact":null},{"id":"62BGYgBWFoK41gOW9aNNaz","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/Node.sol","type":"smart_contract","addedAt":"2022-05-10T16:02:59.948Z","revision":3,"description":"Node.sol ","isPrimacyOfImpact":null},{"id":"7FSpK1XfbDLIr1qAl9Xf5O","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/RollupCore.sol","type":"smart_contract","addedAt":"2022-05-10T16:03:01.199Z","revision":3,"description":"RollupCore.sol ","isPrimacyOfImpact":null},{"id":"3gctOwrfQQvx1TxSVCRELY","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/RollupCreator.sol","type":"smart_contract","addedAt":"2022-05-10T16:03:02.296Z","revision":3,"description":"RollupCreator.sol ","isPrimacyOfImpact":null},{"id":"4ousYaqHQE9SE246kTEyob","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/RollupLib.sol","type":"smart_contract","addedAt":"2022-05-10T16:03:03.428Z","revision":3,"description":"RollupLib.sol ","isPrimacyOfImpact":null},{"id":"60torU6wBDAGlR5c2683Hr","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/ValidatorUtils.sol","type":"smart_contract","addedAt":"2022-05-10T16:03:04.584Z","revision":3,"description":"ValidatorUtils.sol 
","isPrimacyOfImpact":null},{"id":"5mWEKENLpJTTTAHyZ9Fgz6","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/ValidatorWalletCreator.sol","type":"smart_contract","addedAt":"2022-05-10T16:03:05.582Z","revision":3,"description":"ValidatorWalletCreator.sol","isPrimacyOfImpact":null},{"id":"sjoZf1nA292aUCg5c3hoc","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbAddressTable.sol","type":"smart_contract","addedAt":"2022-05-10T16:03:06.593Z","revision":3,"description":"ArbAddressTable.sol","isPrimacyOfImpact":null},{"id":"3ynGQfMRBFuMcX79x6HtD7","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbSys.sol","type":"smart_contract","addedAt":"2022-05-10T16:03:07.692Z","revision":3,"description":"ArbSys.sol","isPrimacyOfImpact":null},{"id":"pwLYYns3K8skqKex70N7t","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbAggregator.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:33.383Z","revision":2,"description":"ArbAggregator.sol","isPrimacyOfImpact":null},{"id":"1lM4U8iWwri11jF436LUcA","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbDebug.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:30.568Z","revision":2,"description":"ArbDebug.sol","isPrimacyOfImpact":null},{"id":"3UyPkmXXLDgMGO3xC8Bobv","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbBLS.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:27.503Z","revision":2,"description":"ArbBLS.sol","isPrimacyOfImpact":null},{"id":"1QJIvYsxc0NzuZVFIsPJWi","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbFunctionTable.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:23.576Z","revision":2,"description":"ArbFunctionTable.sol","isPrimacyOfImpact":null},{"id":"6FANAEFy1hIcmuEmjRoYKn","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbGasInfo.sol","type"
:"smart_contract","addedAt":"2023-01-30T02:01:19.552Z","revision":2,"description":"ArbGasInfo.sol","isPrimacyOfImpact":null},{"id":"30AroYEGTf58tm964M4Tuz","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbInfo.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:16.461Z","revision":2,"description":"ArbInfo.sol","isPrimacyOfImpact":null},{"id":"ENilKBoFKzurhTI5eFPEa","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbOwner.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:13.449Z","revision":2,"description":"ArbOwner.sol","isPrimacyOfImpact":null},{"id":"5zgLkbzCWXjT75vadebWrs","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbOwnerPublic.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:10.282Z","revision":2,"description":"ArbOwnerPublic.sol","isPrimacyOfImpact":null},{"id":"3VvkFwue2iCvROt4qQsiyw","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbRetryableTx.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:06.796Z","revision":2,"description":"ArbRetryableTx.sol","isPrimacyOfImpact":null},{"id":"1lO8mBV2s0Vmgl9WkRWB7K","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbStatistics.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:03.980Z","revision":2,"description":"ArbStatistics.sol","isPrimacyOfImpact":null},{"id":"6OU8xEXex2yoGa2Qk9JdcQ","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbSys.sol","type":"smart_contract","addedAt":"2023-01-30T02:01:01.274Z","revision":2,"description":"ArbSys.sol","isPrimacyOfImpact":null},{"id":"58BfblWmtdtBzTRQ7nZMmA","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/precompiles/ArbosActs.sol","type":"smart_contract","addedAt":"2023-01-30T02:00:59.055Z","revision":2,"description":"ArbosActs.sol","isPrimacyOfImpact":null},{"id":"4ZICtt2UqaqZmeorvpOTGH","url":"https://github.com/Offc
hainLabs/nitro-contracts/blob/main/src/precompiles/ArbosTest.sol","type":"smart_contract","addedAt":"2023-01-30T02:00:41.728Z","revision":2,"description":"ArbosTest.sol","isPrimacyOfImpact":null},{"id":"GFJiZrpSsCFMq6ObzynDt","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/bridge/IDelayedMessageProvider.sol","type":"smart_contract","addedAt":"2023-01-30T02:00:38.730Z","revision":2,"description":"IDelayedMessageProvider.sol","isPrimacyOfImpact":null},{"id":"pGdg7HIC7OvhJuIzAxZf6","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/AddressAliasHelper.sol","type":"smart_contract","addedAt":"2023-01-30T02:00:07.712Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"7yAUvoR9lcXJDQtVNFENst","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/AdminFallbackProxy.sol","type":"smart_contract","addedAt":"2023-01-30T02:00:04.997Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"UzwjgE7axpOdZRajoT0rB","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/Constants.sol","type":"smart_contract","addedAt":"2023-01-30T02:00:02.229Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"6vBUXgazG5Fj1mdRDCMkuR","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/CryptographyPrimitives.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:59.120Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"2qUzV6TiOaqJZOdrSfEumF","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/DelegateCallAware.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:50.045Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"1TTJ1727lbz5Ysiae1GE04","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/DoubleLogicUUPSUpgradeable.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:47.022Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"
2LAdj72M9ACQJTSYA8K7hP","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/Error.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:44.058Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"3OKAHWNVQO5KvL3mIITTnI","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/IGasRefunder.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:41.654Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"3BSFCDulQryzCug1NSi8g6","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/MerkleLib.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:38.524Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"2fpl3adpVxjD2XGKQWyGXj","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/UUPSNotUpgradeable.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:35.664Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"Nd3HdLarusQiZ59XZhnmJ","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/node-interface/NodeInterface.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:31.754Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"2c2z41KgBKaB3D6RntObIb","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/node-interface/NodeInterfaceDebug.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:28.577Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"aHzrsL2LxL0Wr60QBAz0z","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/HashProofHelper.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:25.504Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"6N7suJK0S5PVXTfiun4ZHJ","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/IOneStepProofEntry.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:22.898Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"726HvzI0uGsFzRKA
laDSC9","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/IOneStepProver.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:19.721Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"1XjOrXF0OspEYxWOZU5rBT","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProofEntry.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:16.614Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"1VxmSNKYuvIIuAj8HWDzNY","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProver0.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:13.535Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"78q43m0GrePlVAsXTkZpKA","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProverHostIo.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:10.228Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"7MNq1H47fRyPJJb7p3NpPO","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProverMath.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:07.229Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"DgvlbxQHBIfSu9X5zAxGT","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProverMemory.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:03.603Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"cl7YiQBDbAh5whqBbuD6o","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/IRollupEventInbox.sol","type":"smart_contract","addedAt":"2023-01-30T01:59:00.963Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"1E8Nx0q99I4bWVUhXv7w6m","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/IRollupLogic.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:57.360Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"5sv9aDd4p59ZZF8VYKGd60","url":"https://github.com/O
ffchainLabs/nitro-contracts/blob/main/src/rollup/RollupAdminLogic.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:54.021Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"2B0Y1t55uaDNEmYVkzfDGo","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/RollupProxy.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:51.477Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"18XrUtxSWpNVmJXWljeRe0","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/RollupUserLogic.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:48.255Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"7zOLotVHkQAfD1UL3J90eg","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/Deserialize.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:45.633Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"65zYMXeFI0EUOL7vOR4SD","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/GlobalState.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:42.864Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"7203bLda3WxSEKmzU8jbIt","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/Instructions.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:39.614Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"4fsgV27gps1N7CJYK8P3l9","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/Machine.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:37.039Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"3YfnwLAlgMZ6M1c2hR8vsq","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/Module.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:34.923Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"l4v7VlhWn0ZV3slGVLmmR","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/ModuleMemory.s
ol","type":"smart_contract","addedAt":"2023-01-30T01:58:31.819Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"6XRT2WFQAseBYKxY1PwFX4","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/PcArray.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:28.653Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"2GTFujRSrHFq3Oo95X9eFE","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/StackFrame.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:18.718Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"3T3GI4XrCDqcZ7ZJmHDqyP","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/ValueArray.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:15.709Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"4QY2BM2F0cLt1QFVxghkOC","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/state/ValueStack.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:12.670Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"7gm9zdDkJsUO5jQsB8GZeP","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/IL1ArbitrumGateway.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:10.079Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3LIvJcSNZ43wEl48F3Mttu","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/IL1GatewayRouter.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:07.341Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3stfN3befJWaN4PYVIq5N5","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/gateway/IGatewayRouter.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:04.248Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7zoaaoDfIpnsVhf8oQ9TGW","url":"https://github.com/OffchainL
abs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/ERC165.sol","type":"smart_contract","addedAt":"2023-01-30T01:58:01.785Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"4tI1GWp3I1yZYF86QE2PK","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/IERC165.sol","type":"smart_contract","addedAt":"2023-01-30T01:57:59.725Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5Zcokaq8ctu0e2OYk51iJC","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/libraries/ProxyUtil.sol","type":"smart_contract","addedAt":"2023-01-30T01:57:56.805Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7cYcTHMCIVAcOc087yqaMm","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/L1ForceOnlyReverseCustomGateway.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:58.217Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6vG6FHumuuDrOg99B0zYKc","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/ethereum/gateway/L1ReverseCustomGateway.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:55.968Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6bBmzSk7InnSJxIeKXvgRV","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/ReverseArbToken.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:53.725Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3rufX2j09nYjYXaigpAIjK","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/tokenbridge/arbitrum/gateway/L2ReverseCustomGateway.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:51.404Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3Af5tw1rKOni604MvT3E2k","url":"https://github.com/OffchainLabs/token-bridge-contracts/blob/main/contracts/to
kenbridge/libraries/L2CustomGatewayToken.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:49.135Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6d3YtMxaFOAMaaSQJ2PGyA","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/ArbitrumDAOConstitution.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:47.186Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6HHXDL2r9QalmfKJ9yZEgv","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/ArbitrumTimelock.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:45.354Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3WXi0F0yhe6gaq8wHFX41i","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/ArbitrumVestingWallet.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:43.605Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3ahabPYxowq9AVxEzf09eC","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/FixedDelegateErc20Wallet.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:39.823Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"4Sg18cCsuVpwwOewzZQXVU","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/L1ArbitrumMessenger.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:37.489Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"2qqxBdivn4UhnqXUAPGog3","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/L1ArbitrumTimelock.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:35.007Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6p25OMHc5IQ1HSmDiVNkcu","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/L1ArbitrumToken.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:32.921Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3P7HZ7QZZFrbZ2KYFLr9U0","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/L1GovernanceFact
ory.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:30.488Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5MVk5qIwQa8ENxG1dmKdhW","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/L2ArbitrumGovernor.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:28.222Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5vCI7TPmZ7tp1y5nlIiGBu","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/L2ArbitrumToken.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:26.604Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"35EBpmDRfOlmNVc9O4t9nV","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/L2GovernanceFactory.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:24.342Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3wBUrvzO3MIcmE1uiyOagO","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/TokenDistributor.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:22.002Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"tbPYkY9JhCSqEXctbBQOt","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/TransferAndCallToken.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:19.253Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7mnR1ZmXcg3EPxX1n1Ck4H","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/UpgradeExecutor.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:16.592Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7MuyE5ZCduHDGljNakhlND","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/Util.sol","type":"smart_contract","addedAt":"2023-04-05T16:58:14.087Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5L1vmpzrrBjpbNA9iUk4ob","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/ArbitrumFoundationVestingWallet.sol","type":"smart_contract","addedAt":"2023-08-11T
23:51:21.645Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"j97YUVjoVZhGOvY0QLA5e","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/SecurityCouncilManager.sol","type":"smart_contract","addedAt":"2023-09-22T19:32:09.346Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5ghZpM4VNpcz7Au99ytubq","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/SecurityCouncilMemberSyncAction.sol","type":"smart_contract","addedAt":"2023-09-22T19:32:06.836Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3xKdsyuBWjqrQs2du9mmhe","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/SecurityCouncilMgmtUtils.sol","type":"smart_contract","addedAt":"2023-09-22T19:32:04.430Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"ochIueQxkcOE8S5JMgsi5","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/factories/L2SecurityCouncilMgmtFactory.sol","type":"smart_contract","addedAt":"2023-09-22T19:32:02.321Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7afwPCdADJgGE5o66KiMLh","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/governors/SecurityCouncilMemberElectionGovernor.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:59.634Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"2xLemrcRKd9XlIX0H1pueE","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/governors/SecurityCouncilMemberRemovalGovernor.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:57.142Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"71gc7ZQDIdoRvF15qpivMH","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/governors/SecurityCouncilNomineeElectionGovernor.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:54.5
94Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"707S4eRuiAia24rd8ycUVS","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/governors/modules/ArbitrumGovernorProposalExpirationUpgradeable.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:52.022Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"H5YNpyZ1pwu56cdxDfRQs","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/governors/modules/ArbitrumGovernorVotesQuorumFractionUpgradeable.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:49.923Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"ZllhLRNurJk21rm8awv0n","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/governors/modules/ElectionGovernor.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:47.070Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"zuYlT5tFjsbr3HpCeIT3z","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/governors/modules/SecurityCouncilMemberElectionGovernorCountingUpgradeable.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:44.539Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3vN5E0g2bF67k3cSiuq5xD","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/governors/modules/SecurityCouncilNomineeElectionGovernorCountingUpgradeable.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:42.749Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"gCLWWpXrY3gzqNMu0cUm5","url":"https://github.com/ArbitrumFoundation/governance/blob/main/src/security-council-mgmt/governors/modules/SecurityCouncilNomineeElectionGovernorTiming.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:38.281Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"R0sXFoMT7YJtYwygbJOH4","url":"https://github.com/ArbitrumFoundation/govern
ance/blob/main/src/UpgradeExecRouteBuilder.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:36.355Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3EY9soURVcdNG50lKgijh9","url":"https://github.com/OffchainLabs/fund-distribution-contracts/blob/main/src/RewardDistributor.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:34.574Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3KHPBCoLGlhTIPAijcwXyR","url":"https://github.com/OffchainLabs/fund-distribution-contracts/blob/main/src/Util.sol","type":"smart_contract","addedAt":"2023-09-22T19:31:33.062Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"fwIWA20F38LM7fGeIWyk8","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/EdgeChallengeManager.sol","type":"smart_contract","addedAt":"2025-03-06T12:33:39.839Z","revision":1,"description":"EdgeChallengeManager.sol","isPrimacyOfImpact":null},{"id":"5yVqSDzj6jtX4IJo0BMBqy","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/IAssertionChain.sol","type":"smart_contract","addedAt":"2025-03-06T12:34:07.760Z","revision":1,"description":"IAssertionChain.sol","isPrimacyOfImpact":null},{"id":"3jIrIXBxV1X8flnEKITvmU","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/IEdgeChallengeManager.sol","type":"smart_contract","addedAt":"2025-03-06T12:34:21.680Z","revision":1,"description":"IEdgeChallengeManager.sol","isPrimacyOfImpact":null},{"id":"4LCYzLRlKrqPdMcHYBG7fi","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/libraries/ArrayUtilsLib.sol","type":"smart_contract","addedAt":"2025-03-06T12:34:36.343Z","revision":1,"description":"ArrayUtilsLib.sol","isPrimacyOfImpact":null},{"id":"1dkVfc1ZZWb4g9vb36MLCg","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/libraries/ChallengeEdgeLib.sol","type":"smart_contract","addedAt":"2025-03-06T12:34:49.323Z","revision":1,"description":"Ch
allengeEdgeLib.sol","isPrimacyOfImpact":null},{"id":"35SGNkUaCqBXnZ8aNNOn2g","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/libraries/ChallengeErrors.sol","type":"smart_contract","addedAt":"2025-03-06T12:35:05.584Z","revision":1,"description":"ChallengeErrors.sol","isPrimacyOfImpact":null},{"id":"4JN9X9A2i9TBfuv5GxhgJd","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/libraries/EdgeChallengeManagerLib.sol","type":"smart_contract","addedAt":"2025-03-06T12:35:18.332Z","revision":1,"description":"EdgeChallengeManagerLib.sol","isPrimacyOfImpact":null},{"id":"3Tor9dTVxZBcqKGV9CV5hH","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/libraries/Enums.sol","type":"smart_contract","addedAt":"2025-03-06T12:35:32.994Z","revision":1,"description":"Enums.sol","isPrimacyOfImpact":null},{"id":"3Xka2O23s1unUOK8Pqje53","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/libraries/MerkleTreeAccumulatorLib.sol","type":"smart_contract","addedAt":"2025-03-06T12:36:24.726Z","revision":1,"description":"MerkleTreeAccumulatorLib.sol","isPrimacyOfImpact":null},{"id":"7IjcvBQnYSKMsFGKxyDYCK","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/libraries/Structs.sol","type":"smart_contract","addedAt":"2025-03-06T12:36:38.435Z","revision":1,"description":"Structs.sol","isPrimacyOfImpact":null},{"id":"01PGlNScIdMdB2ycoWiwVM","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/challengeV2/libraries/UintUtilsLib.sol","type":"smart_contract","addedAt":"2025-03-06T12:36:50.388Z","revision":1,"description":"UintUtilsLib.sol","isPrimacyOfImpact":null},{"id":"6aeiCfw1DYn705e28nH13K","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/AbsBoldStakingPool.sol","type":"smart_contract","addedAt":"2025-03-06T12:37:02.731Z","revision":1,"description":"AbsBoldStakingPool.sol","isPrimacyOfImpact":null},{"id
":"2zoUBWjkv5f8n9LxNcSoz1","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/AssertionStakingPool.sol","type":"smart_contract","addedAt":"2025-03-06T12:37:26.797Z","revision":1,"description":"AssertionStakingPool.sol","isPrimacyOfImpact":null},{"id":"7kqsv7LJUrl9FgUjEUBhqk","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/AssertionStakingPoolCreator.sol","type":"smart_contract","addedAt":"2025-03-06T12:37:41.919Z","revision":1,"description":"AssertionStakingPoolCreator.sol","isPrimacyOfImpact":null},{"id":"1gzhhWfGISYWQskWheRg2Z","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/EdgeStakingPool.sol","type":"smart_contract","addedAt":"2025-03-06T12:37:54.835Z","revision":1,"description":"EdgeStakingPool.sol","isPrimacyOfImpact":null},{"id":"6iqod33hcw1XoTIwIJqa3q","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/EdgeStakingPoolCreator.sol","type":"smart_contract","addedAt":"2025-03-06T12:38:11.180Z","revision":1,"description":"EdgeStakingPoolCreator.sol","isPrimacyOfImpact":null},{"id":"nciaQhKXyXVgn1DDVx8d6","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/StakingPoolCreatorUtils.sol","type":"smart_contract","addedAt":"2025-03-06T12:39:09.826Z","revision":1,"description":"StakingPoolCreatorUtils.sol","isPrimacyOfImpact":null},{"id":"62Yz6zT6qTeIjELJzgBbDL","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/interfaces/IAbsBoldStakingPool.sol","type":"smart_contract","addedAt":"2025-03-06T12:40:04.590Z","revision":1,"description":"IAbsBoldStakingPool.sol","isPrimacyOfImpact":null},{"id":"6sXxQq5QrX0UKJCs7SHesH","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/interfaces/IAssertionStakingPool.sol","type":"smart_contract","addedAt":"2025-03-06T12:40:22.197Z","revision":1,"description":"IAsser
tionStakingPool.sol","isPrimacyOfImpact":null},{"id":"7bOfJJMK33w5iI6slIcry0","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/interfaces/IAssertionStakingPoolCreator.sol","type":"smart_contract","addedAt":"2025-03-06T12:40:35.787Z","revision":1,"description":"IAssertionStakingPoolCreator.sol","isPrimacyOfImpact":null},{"id":"fIR0rAJ4HnC2ebf6VoPyu","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/interfaces/IEdgeStakingPool.sol","type":"smart_contract","addedAt":"2025-03-06T12:40:52.546Z","revision":1,"description":"IEdgeStakingPool.sol","isPrimacyOfImpact":null},{"id":"4uTtRoeDyNSIZctyYzhHfg","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/assertionStakingPool/interfaces/IEdgeStakingPoolCreator.sol","type":"smart_contract","addedAt":"2025-03-06T12:41:10.227Z","revision":1,"description":"IEdgeStakingPoolCreator.sol","isPrimacyOfImpact":null},{"id":"32ntA6DX32gfKqWHcTMIZy","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/HashProofHelper.sol","type":"smart_contract","addedAt":"2025-03-06T12:41:22.971Z","revision":1,"description":"HashProofHelper.sol","isPrimacyOfImpact":null},{"id":"5ARBTDUg3MLAZdoonUjEg1","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/IOneStepProofEntry.sol","type":"smart_contract","addedAt":"2025-03-06T12:41:36.155Z","revision":1,"description":"IOneStepProofEntry.sol","isPrimacyOfImpact":null},{"id":"3lF6TZqtC5cdeiy2PLTwYm","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/IOneStepProver.sol","type":"smart_contract","addedAt":"2025-03-06T12:41:57.932Z","revision":1,"description":"IOneStepProver.sol","isPrimacyOfImpact":null},{"id":"1E4nBJFKxuha2BYBYEKDQr","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProofEntry.sol","type":"smart_contract","addedAt":"2025-03-06T12:42:10.093Z","revision":1,"description":"OneStepProofEntry.sol","isPrimacyOfImpac
t":null},{"id":"1D52pEkyPh6HgOF4XWm7Qa","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProver0.sol","type":"smart_contract","addedAt":"2025-03-06T12:42:58.541Z","revision":1,"description":"OneStepProver0.sol","isPrimacyOfImpact":null},{"id":"1c3iKXlPrLAXN1DzVJKoql","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProverHostIo.sol","type":"smart_contract","addedAt":"2025-03-06T12:43:17.519Z","revision":1,"description":"OneStepProverHostlo.sol","isPrimacyOfImpact":null},{"id":"1jekdaOoNLIWwGw2oslCBY","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProverMath.sol","type":"smart_contract","addedAt":"2025-03-06T12:43:42.592Z","revision":1,"description":"OneStepProverMath.sol","isPrimacyOfImpact":null},{"id":"ljkPxjGTW3j9Mzbt6Igyg","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/osp/OneStepProverMemory.sol","type":"smart_contract","addedAt":"2025-03-06T12:44:14.099Z","revision":1,"description":"OneStepProverMemory.sol","isPrimacyOfImpact":null},{"id":"71THWYu9zSKif9Nfdhz4wC","url":"https://github.com/OffchainLabs/nitro-contracts/tree/main/src/bridge/DelayBuffer.sol","type":"smart_contract","addedAt":"2025-03-06T12:44:41.774Z","revision":1,"description":"DelayBuffer.sol","isPrimacyOfImpact":null},{"id":"43mbW4KRlOHaTArtO9VLV7","url":"https://github.com/OffchainLabs/nitro-contracts/tree/main/src/bridge/DelayBufferTypes.sol","type":"smart_contract","addedAt":"2025-03-06T12:44:56.141Z","revision":1,"description":"DelayBufferTypes.sol","isPrimacyOfImpact":null},{"id":"jUmhxH0ggvuO9aNKXWlja","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/libraries/CallerChecker.sol","type":"smart_contract","addedAt":"2025-03-06T12:45:08.222Z","revision":1,"description":"CallerChecker.sol","isPrimacyOfImpact":null},{"id":"2piKcDBlDeq2Q6nxLxJbMq","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/Assertion.sol","type":"smart_contract",
"addedAt":"2025-03-06T12:45:21.866Z","revision":1,"description":"Assertion.sol","isPrimacyOfImpact":null},{"id":"6EndkckbaHHn54fpixQOs5","url":"https://github.com/OffchainLabs/nitro-contracts/blob/main/src/rollup/AssertionState.sol","type":"smart_contract","addedAt":"2025-03-06T12:45:34.926Z","revision":1,"description":"AssertionState.sol","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nAssets should be evaluated according to the their public, mainnet deployments; their deployed addresses are listed on the following pages:\n[https://developer.arbitrum.io/useful-addresses](https://developer.arbitrum.io/useful-addresses)\n[https://docs.arbitrum.foundation/deployment-addresses](https://docs.arbitrum.foundation/deployment-addresses)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2021-08-31T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4R1H4ktLiQcp601gnixkJa/20dc4d9cf5229ae712f1413d9afced4f/Arbitrum.jpeg","maxBounty":2000000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability 
vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces","productType":["L2"],"programOverview":"Arbitrum is a suite of scaling solutions for Ethereum developed by Offchain Labs that drastically reduces costs and latency. Arbitrum One is an \"Optimistic Rollup\", which instantly scales apps, reducing costs and increasing capacity, without sacrificing Ethereum's security. Arbitrum validators optimistically post updates to Ethereum, and the protocol uses an interactive fraud proof mechanism to resolve any disputes efficiently with a minimal on-chain footprint. Porting contracts to Arbitrum requires no code changes or downloads as Arbitrum is fully compatible with most existing Ethereum developer tooling. Arbitrum Nova, is another chain that relies on AnyTrust technology and posts calldata to a Data Availability Committee, further reducing costs while adding a small trust assumption.\n\nFor more information about Arbitrum and the related mainnet chains, please visit [https://developer.offchainlabs.com/](https://developer.offchainlabs.com/).\n\nThis bug bounty program is focused on the mainnet Arbitrum chains, Arbitrum One and Arbitrum Nova and their underlying technologies, Arbitrum Rollup and Arbitrum AnyTrust respectively. Any vulnerabilities unrelated to either of the two mainnet chains are not covered by this program. 
Issues that affect Arb1 and Nova will be treated as a single issue, and a report of the same issue with the only difference being the network will be treated as a duplicate. This bug bounty program is focused on their smart contracts and is focused on preventing the following impacts:\n\n  - Loss of user funds by permanent freezing or direct theft\n  - Temporary freezing of funds\n  - Unable to call smart contract\n  - Network shutdown\n  - Smart contract gas drainage","programType":["Smart Contract"],"project":"Arbitrum","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll bug reports must come with a PoC in order to be considered for a reward.\n\nCritical bug reports are capped at 10% of economic damage, primarily considering the funds at risk, and taking into account branding and PR issues, at the discretion of the team. However, rewards for Critical bug reports have a minimum reward of __USD 50 000__.\n\nPayouts are handled by the __Offchain Labs__ team directly and are denominated in USD. 
However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"arbitrum","tenPercentEconomicRule":true,"updatedDate":"2025-03-06T12:45:48.172Z","impactsBody":"In addition to the versions of these smart contracts on GitHub, this bug bounty also covers the deployments of these contracts presently in use by the Arbitrum One and Arbitrum Nova networks to the extent that any vulnerability impacts said networks (e.g. if only Arbitrum One's deployment had out of date vulnerable code relating to the Data Availability Service which is not enabled on Arbitrum One and this made the vulnerability unusable to harm Arbitrum One, it would not be in scope). This bug bounty also covers any upgrades to those in scope deployments which have been scheduled by a passed on-chain constitutional DAO vote or the non-emergency security council multisig, as long as that action is currently waiting in the L2 governance timelock, the bridge to L1, or the L1 governance timelock (i.e. it has passed and is set to go through, and has not been canceled).","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Arbitrum is a suite of scaling solutions for Ethereum developed by Offchain Labs that drastically reduces costs and latency. Arbitrum One is an \"Optimistic Rollup\", which instantly scales apps, reducing costs and increasing capacity, without sacrificing Ethereum's security. Arbitrum validators optimistically post updates to Ethereum, and the protocol uses an interactive fraud proof mechanism to resolve any disputes efficiently with a minimal on-chain footprint.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"__Informational__\n  - Changes or bugs found or related to Tutorials maintained by Offchain Labs\n  - Changes or bugs regarding the arbitrum-sdk\n  - Inconsistencies found between documentation and smart contracts and other blockchain code\n  - Best practice critiques\n  - Denial of Service (DoS) Attacks that only affect some nodes, or cause only some nodes to crash\n  - Problems caused by L1 Gas Pricing\n  - Issues that affect geth and are not caused by changes made in the Nitro implementation\n\n  - Issues that affect Arbitrum One and Arbitrum Nova will be treated as a single issue, and a report of the same issue with the only difference being the network will be treated as a duplicate.","customProhibitedActivities":[],"impacts":[{"id":917,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":918,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds (can be fixed by upgrade)"},{"id":919,"type":"smart_contract","severity":"high","title":"Bugs relating to reorgs"},{"id":920,"type":"smart_contract","severity":"high","title":"Damage relating to withdrawing funds via fast bridges"},{"id":921,"type":"smart_contract","severity":"high","title":"Denial of Service (DoS) Attacks that cause network-wide outages (attacks that only take down the RPC do not count)"},{"id":922,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of funds"},{"id":923,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":924,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion"},{"id":925,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds (cannot be fixed by upgrade)"},{"id":926,"type":"smart_contract","severity":"critical","title":"Insolvency"}],"rewards":[{"id":8364,"severity":"critical","assetType":"smart_contract","maxReward":2000000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":6867,"severity":"high","assetType":"smart_contract","fixedReward":30000,"rewardModel":"fixed"},{"id":6868,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":6869,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"25PjCoxtseQRLXksawP1am","url":"https://sonicscan.org/address/0xe5da20f15420ad15de0fa650600afc998bbe3955#code","type":"smart_contract","addedAt":"2025-02-14T10:26:00.659Z","revision":1,"description":"Beets Staked 
Sonic","isPrimacyOfImpact":null},{"id":"7gnY4UMMiqIRhTe4bt6VPi","url":"https://sonicscan.org/address/0x2d0e0814e62d80056181f5cd932274405966e4f0#code","type":"smart_contract","addedAt":"2025-02-14T10:26:24.172Z","revision":1,"description":"Beets Token","isPrimacyOfImpact":null},{"id":"4mnlvQ4nESWEZteFcOCutR","url":"https://sonicscan.org/address/0x5f9a5CD0B77155AC1814EF6Cd9D82dA53d05E386#code","type":"smart_contract","addedAt":"2025-02-14T10:26:36.508Z","revision":1,"description":"Beets Token Migrator","isPrimacyOfImpact":null}],"assetsBodyV2":"All smart contracts of Beets can be found at [https://github.com/beethovenxfi](https://github.com/beethovenxfi). However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by Beets that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Fantom","Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-09-16T03:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4GlzHxgPznR8kcXXInjZb5/8bbd0a32213345274cbd638cf963af5c/Beets.png","maxBounty":200000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["AMM","DEX","Liquid Staking","Token"],"programOverview":"The Flagship LST Hub on Sonic. 
From seamless staking to earning real yield on LST-focused liquidity pools, Beets is the ultimate destination for your liquid-staked tokens.\nFor more information about Beets, please visit [https://beets.fi/](https://beets.fi/).  \n\nPlease note that BeetsX is a friendly fork of [Balancer V2 and V3](https://balancer.fi/). All balancer core contracts are covered by their [bug bounty program](https://immunefi.com/bug-bounty/balancer/information/)","programType":["Smart Contract"],"project":"Beets","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll High and Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk. However, there is a minimum reward of __USD 20 000__. \n\nHigh severity smart contract vulnerabilities are also further capped at 10% of economic damage,  primarily taking into consideration funds at risk. However, there is a minimum reward of __USD 5 000__.\n\nAll vulnerabilities marked in the [audits](https://github.com/beethovenxfi/sonic-staking/tree/main/audits) are not eligible for a reward.\n\nPayouts are handled by the __Beets DAO__ directly and are denominated in USD. 
However, payouts are done in __USDC and BEETS__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC and BEETS","slug":"beets","updatedDate":"2025-02-18T09:09:32.633Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"The Flagship LST Hub on Sonic. From seamless staking to earning real yield on LST-focused liquidity pools, Beets is the ultimate destination for your liquid-staked tokens.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":5362,"type":"smart_contract","severity":"critical","title":"Direct theft of >10% of user funds, other than unclaimed yield, in excess of gas costs or swap fees"},{"id":5363,"type":"smart_contract","severity":"critical","title":"Permanent freezing of >10% of total funds in excess of gas costs or swap fees"},{"id":5364,"type":"smart_contract","severity":"high","title":"Theft of >10% of total unclaimed yield"},{"id":5365,"type":"smart_contract","severity":"high","title":"Permanent freezing of >10% of total unclaimed yield"},{"id":5366,"type":"smart_contract","severity":"high","title":"Direct theft of >5% of user funds, other than unclaimed yield, in excess of gas costs or swap fees"},{"id":5367,"type":"smart_contract","severity":"high","title":"Permanent freezing of >5% of total funds in excess of gas costs or swap 
fees"}],"rewards":[{"id":13704,"severity":"critical","assetType":"smart_contract","maxReward":200000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":13705,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"1of8wnI30dVq2qtL8ICZCV","url":"https://github.com/jito-foundation/jito-solana","type":"blockchain_dlt","addedAt":"2024-08-28T13:00:00.000Z","revision":1,"description":"jito-solana","isPrimacyOfImpact":null},{"id":"0Qp2HpMRuvM8XCbebSG23","url":"https://github.com/jito-foundation/jito-relayer","type":"blockchain_dlt","addedAt":"2024-08-28T13:00:00.000Z","revision":1,"description":"jito-relayer","isPrimacyOfImpact":null},{"id":"m1xM0rzWApxFmcIiBUVag","url":"https://github.com/jito-foundation/jito-programs/tree/master/mev-programs","type":"smart_contract","addedAt":"2024-08-28T13:00:00.000Z","revision":1,"description":"jito-programs","isPrimacyOfImpact":null},{"id":"2jPnpb64nNVdczc6zol1Cj","url":"https://github.com/jito-foundation/restaking/tree/master/restaking_core","type":"smart_contract","addedAt":"2025-01-21T14:48:19.694Z","revision":1,"description":"Restaking: restaking-core","isPrimacyOfImpact":null},{"id":"2EPC2hlQekOJ2cjWvz1e1y","url":"https://github.com/jito-foundation/restaking/tree/master/restaking_program","type":"smart_contract","addedAt":"2025-01-21T14:48:36.001Z","revision":1,"description":"Restaking: restaking-program","isPrimacyOfImpact":null},{"id":"6xDMjXnQ5jPAsXyrYoP86j","url":"https://github.com/jito-foundation/restaking/tree/master/vault_core","type":"smart_contract","addedAt":"2025-01-21T14:48:49.288Z","revision":1,"description":"Restaking: vault-core","isPrimacyOfImpact":null},{"id":"2uArh11Q2DqbyP9gRVJKvy","url":"https://github.com/jito-foundation/restaking/tree/master/vault_program","type":"smart_contract","addedAt":"2025-01-21T14:49:05.958Z","revision":1,"description":"Restaking: 
vault-program","isPrimacyOfImpact":null},{"id":"3xLNblrVm9l2uvYMLUc4tl","url":"https://github.com/jito-foundation/stake-deposit-interceptor","type":"smart_contract","addedAt":"2025-01-21T14:49:21.774Z","revision":1,"description":"Stake Deposit Interceptor","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust","Solidity","JavaScript","Typescript","Python"],"launchDate":"2024-08-28T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7rNleS7nuHpc97aucvjUbp/8f9a7d9fbab73c7295370d1900cc5fe4/JitoFoundation.png","maxBounty":250000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["blockchain_dlt - low","blockchain_dlt - medium","blockchain_dlt - high","blockchain_dlt - critical","smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities are prioritized based on severity and impact.","productType":["Liquid Staking"],"programOverview":"__Jito-Solana__\n\nJito-Solana is standing on the shoulders of giants — Solana Labs. \n\nWe’ve modified the Solana Labs validator client to allow validators to efficiently collect and distribute MEV to their stakers. \n\nThe validator client supports lists of transactions (bundles) which gives searchers and high frequency traders the flexibility in expressing transaction ordering. 
It tightly integrates with the relayer and third party  block engines to improve the network performance for all.\n\nSetting it up is as simple as downloading our validator client and passing the closest Block Engine URL on the command line.\n\n__Relayer__\n\nThe relayer provides a layer of protection between your validator’s transaction processing unit and spam from the network. The relayer works seamlessly with QUIC and allows one to separate receiving and verification of packets from the transaction processing inside your validator. \n\nRun your own or use our hosted version.\n\n__Tip Payment & Distribution__\n\nThe tip payment and distribution smart contracts are responsible for enabling and distributing validator tips.\n\n__Re-Staking / Vault__\n\nJito (Re)staking is a multi-asset staking protocol for node consensus networks. The system is made of two programs: the restaking program and the vault program.\n\nThe restaking program acts as a node consensus network and operator registry. The program leverages a flexible system of admins so NCNs can customize the operators and vaults supported and operators can customize the NCNs they stake to and vaults they can receive delegations from.\n\nThe vault program manages the minting and burning of vault receipt tokens (VRTs). VRTs are SPL tokens that represent a pro-rata stake of assets in the vault. VRTs provide enhanced liquidity, composability, and interoperability with other Solana programs. The program also leverages a flexible system of admins so vaults can customize the capacity, operators that can receive delegations from the vault, the NCNs supported by the vault, and the fee structure for staking and unstaking.\n\n__Interceptor__\n\nInterceptor is a program designed to help SPL Stake Pool LSTs avoid the impacts of toxic decentralized exchange flow resulting from socialized liquidity. 
\n\nFor more information about Jito Foundation, please visit [https://www.jito.network/](https://www.jito.network/).\n\nJito provides rewards in JTO on Solana, denominated in USD. For more details about the payment process, please view the __Rewards by Threat Level__ section further below.\n\n__Known Issue Guidelines__\n\nTo ensure fairness and transparency in the bug reporting process, Jito is prohibited from claiming that a bug report is a known or duplicate issue without providing clear and verifiable evidence. This measure is crucial to maintaining the integrity of the bug bounty program. Jito must present specific proof that an issue has been previously reported and acknowledged even if not disclosed publicly or privately as a known issue. Without such evidence, the bug report will be considered valid and eligible for the appropriate reward as per the bug bounty program terms. For detailed information as what qualifies as acceptable proof of known issues, refer to the article on Immunefi Support: [Report Closed for Known Issues](https://immunefisupport.zendesk.com/hc/en-us/articles/10644746170897-Report-Closed-for-Known-Issues).\n\n__Previous Audits__\n\nJito Foundation’s completed audit reports can be found at [https://jito-foundation.gitbook.io/mev/resources/audits](https://jito-foundation.gitbook.io/mev/resources/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Jito has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Blockchain/DLT","Smart Contract"],"project":"Jito","projectType":["Defi"],"rewardsBody":"__Rewards by Threat Level__\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward $250,000. 
However, a minimum reward of USD $100,000 is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nFor __Critical Blockchain/DLT__ bugs with a non-funds-at risk impact, the reward will be paid out as follows: \n\n- Network not being able to confirm new transactions (total network shutdown) - $250,000\n- Unintended permanent chain split requiring hard fork (network partition requiring hard fork) - $250,000\n- Permanent freezing of funds (fix requires hardfork) - $250,000\n\nFor __High Blockchain/DLT__ non-funds-at risk impacts, the reward will be paid out as follows: \n- Unintended chain split (network partition) - $100,000\n- Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments - $100,000\n\nFor __Critical Blockchain/DLT__ bugs, the reward is dependent on the ratio between the funds at risk, which includes all affected projects on top of the respective Blockchain/DLT, and the market cap according to the 7-day TWAP of JTO, calculated at the time the bug report is submitted. \n\n__Reward Payment Terms__\n\nPayouts are handled by the Jito Foundation directly and reward amounts are denominated in USD. However, payments are done in JTO on Solana.\n\nThe calculation of the net amount rewarded is based on the 7-day [TWAP](https://en.wikipedia.org/wiki/Time-weighted_average_price) of JTO at the time of settlement. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"JTO","slug":"jito","tenPercentEconomicRule":false,"updatedDate":"2025-02-17T05:08:03.251Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"The Jito Foundation","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Any affected code from dependent Solana client implementations (e.g. Agave) should be reported upstream.\n- Example code ([https://github.com/jito-foundation/jito-programs/tree/master/example-programs](https://github.com/jito-foundation/jito-programs/tree/master/example-programs))\n","customProhibitedActivities":[],"impacts":[{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":5057,"type":"smart_contract","severity":"high","title":"Theft of protocol revenue"},{"id":5058,"type":"blockchain_dlt","severity":"medium","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network 
processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":5298,"type":"smart_contract","severity":"high","title":"Theft of 
Yield"}],"rewards":[{"id":11209,"severity":"critical","assetType":"blockchain_dlt","maxReward":250000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11210,"severity":"high","assetType":"blockchain_dlt","maxReward":100000,"minReward":25000,"rewardModel":"range"},{"id":11211,"severity":"medium","assetType":"blockchain_dlt","maxReward":25000,"minReward":5000,"rewardModel":"range"},{"id":11212,"severity":"low","assetType":"blockchain_dlt","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":11213,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11214,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":25000,"rewardModel":"range"},{"id":11215,"severity":"medium","assetType":"smart_contract","maxReward":25000,"minReward":5000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"hcpcKW4yFCuVX48nEzzfP","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/cmd/celo-migrate/ancients.go","type":"smart_contract","addedAt":"2024-11-14T12:26:53.243Z","revision":1,"description":"ancients - 193","isPrimacyOfImpact":null},{"id":"10yGSfs5Gh68RNEvk6RZ9P","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/cmd/celo-migrate/db.go","type":"smart_contract","addedAt":"2024-11-14T12:27:20.970Z","revision":1,"description":"db - 106","isPrimacyOfImpact":null},{"id":"61PgjrPVy2rIzWmDiSJiD4","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/cmd/celo-migrate/genesis.go","type":"smart_contract","addedAt":"2024-11-14T12:27:43.722Z","revision":1,"description":"genesis - 636","isPrimacyOfImpact":null},{"id":"5C1O0AYuQiVKop7WpzsM8m","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/cmd/celo-migrate/main.go","type":"smart_contract","addedAt":"2024-11-14T12:28:05.242Z","revision":2,"description":"main - 
378","isPrimacyOfImpact":null},{"id":"5cAxolMMT4BamhqIeK1oNp","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/cmd/celo-migrate/non-ancients.go","type":"smart_contract","addedAt":"2024-11-14T12:28:33.384Z","revision":1,"description":"ancients - 76","isPrimacyOfImpact":null},{"id":"3Wm6da6jEzmMklSdxhYnco","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/cmd/celo-migrate/state.go","type":"smart_contract","addedAt":"2024-11-14T12:28:55.285Z","revision":1,"description":"state - 304","isPrimacyOfImpact":null},{"id":"42rtFJrQynvXsV1lBWfNQW","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/cmd/celo-migrate/state_test.go","type":"smart_contract","addedAt":"2024-11-14T12:29:17.202Z","revision":1,"description":"state_test - 134","isPrimacyOfImpact":null},{"id":"3YtIGkhljSoAE1IxJb3Nmx","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/cmd/celo-migrate/transform.go","type":"smart_contract","addedAt":"2024-11-14T12:29:35.736Z","revision":1,"description":"transform - 76","isPrimacyOfImpact":null},{"id":"6YSSMuPZgi95mssRJyjSKy","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/cmd/check-derivation/main.go","type":"smart_contract","addedAt":"2024-11-14T12:29:57.797Z","revision":1,"description":"main - 391","isPrimacyOfImpact":null},{"id":"7rRMdeZksa9zx6QOukuMA0","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/deployer/broadcaster/keyed.go","type":"smart_contract","addedAt":"2024-11-14T12:30:21.452Z","revision":1,"description":"keyed - 193","isPrimacyOfImpact":null},{"id":"tcv5leBI07DnOt4Y8efPe","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/genesis/config.go","type":"smart_contract","addedAt":"2024-11-14T12:30:44.676Z","revision":1,"description":"config - 
776","isPrimacyOfImpact":null},{"id":"3dIdtf7ukv8timktQ23Drg","url":"https://github.com/celo-org/optimism/blob/celo10/op-chain-ops/genesis/genesis.go","type":"smart_contract","addedAt":"2024-11-14T12:31:02.396Z","revision":1,"description":"genesis - 191","isPrimacyOfImpact":null},{"id":"6TAB1Yv4j7Lm9Pfoi9wiWS","url":"https://github.com/celo-org/staked-celo/pull/211/files","type":"smart_contract","addedAt":"2024-11-14T12:31:45.726Z","revision":1,"description":"Stcelo fix #1","isPrimacyOfImpact":null},{"id":"2vL66W8EWIROUolJtpaAfO","url":"https://github.com/celo-org/celo-monorepo/commit/03d20ee25e4c2f4de40a6d922a5904d313166ef7","type":"smart_contract","addedAt":"2024-11-14T12:31:55.967Z","revision":1,"description":"Stcelo fix #2","isPrimacyOfImpact":null},{"id":"swkuwFsG2LjsiaGhSNb7K","url":"https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts/common/FeeHandler.sol","type":"smart_contract","addedAt":"2024-11-14T12:37:37.150Z","revision":1,"description":"FeeHandler - 4","isPrimacyOfImpact":null},{"id":"6nKGN2uMBUNNs72BYOCueQ","url":"https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/test-sol/unit/common/FeeHandler.t.sol","type":"smart_contract","addedAt":"2024-11-14T12:37:58.580Z","revision":1,"description":"FeeHandler.t - 37","isPrimacyOfImpact":null},{"id":"2dU64Fi0wVodS8ouhEvlhY","url":"https://github.com/celo-org/staked-celo/blob/master/contracts/interfaces/IDefaultStrategy.sol","type":"smart_contract","addedAt":"2024-11-14T13:08:34.024Z","revision":1,"description":"IDefaultStrategy - 8","isPrimacyOfImpact":null},{"id":"3bY3NR8b9lVogMLDlqXA8Y","url":"https://github.com/celo-org/staked-celo/blob/master/contracts/Vote.sol","type":"smart_contract","addedAt":"2024-11-14T13:09:03.965Z","revision":1,"description":"Vote - 
4","isPrimacyOfImpact":null},{"id":"5PBsNmjJBBxPSs6IXYN4xF","url":"https://github.com/celo-org/staked-celo/blob/master/contracts/SpecificGroupStrategy.sol","type":"smart_contract","addedAt":"2024-11-14T13:09:23.055Z","revision":1,"description":"SpecificGroupStrategy - 59","isPrimacyOfImpact":null},{"id":"46WT4xv1JLFrw2yntStAS9","url":"https://github.com/celo-org/staked-celo/blob/master/contracts/Manager.sol","type":"smart_contract","addedAt":"2024-11-14T13:09:40.059Z","revision":1,"description":"Manager - 36","isPrimacyOfImpact":null},{"id":"4XYc4SqTP9MwpT61W0oGzA","url":"https://github.com/celo-org/staked-celo/blob/master/contracts/DefaultStrategy.sol","type":"smart_contract","addedAt":"2024-11-14T13:09:57.469Z","revision":1,"description":"DefaultStrategy - 56","isPrimacyOfImpact":null},{"id":"4ob0yWmUoUq0ExoDxokH2U","url":"https://github.com/celo-org/staked-celo/blob/master/contracts/Account.sol","type":"smart_contract","addedAt":"2024-11-14T13:10:12.898Z","revision":1,"description":"Account - 53","isPrimacyOfImpact":null},{"id":"6OrwuVxGGvHYgmYpIYDR8X","url":"https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts-0.8/common/EpochManager.sol","type":"smart_contract","addedAt":"2024-11-15T17:09:45.385Z","revision":1,"description":"EpochManager - 488","isPrimacyOfImpact":null},{"id":"2ztoM775e40jnoEyqL7EqY","url":"https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts-0.8/common/CeloUnreleasedTreasury.sol","type":"smart_contract","addedAt":"2024-11-15T17:10:02.862Z","revision":1,"description":"CeloUnreleasedTreasury - 48","isPrimacyOfImpact":null},{"id":"6PvTj1pA4w4LkwXyBrSHmI","url":"https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts/governance/LockedGold.sol","type":"smart_contract","addedAt":"2024-11-15T17:10:21.857Z","revision":1,"description":"LockedGold - 
573","isPrimacyOfImpact":null},{"id":"Fq0HbcCAbl6B3MI5IPIxt","url":"https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts/common/GoldToken.sol","type":"smart_contract","addedAt":"2024-11-15T17:10:34.646Z","revision":1,"description":"GoldToken - 155","isPrimacyOfImpact":null},{"id":"XFDKMtgebCrkisfI7dpQU","url":"https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts-0.8/common/EpochManagerEnabler.sol","type":"smart_contract","addedAt":"2024-11-15T17:10:51.194Z","revision":1,"description":"EpochManagerEnabler - 63","isPrimacyOfImpact":null},{"id":"BzaBNyrGQXw3E5kkJz12B","url":"https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts-0.8/common/MentoFeeCurrencyAdapter.sol","type":"smart_contract","addedAt":"2024-11-15T17:11:06.555Z","revision":1,"description":"MentoFeeCurrencyAdapter - 55","isPrimacyOfImpact":null},{"id":"4laRyaMjpqpCZW35tsZzrv","url":"https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts-0.8/common/GasPriceMinimum.sol","type":"smart_contract","addedAt":"2024-11-15T17:11:40.248Z","revision":1,"description":"GasPriceMinimum - 160","isPrimacyOfImpact":null}],"assetsBodyV2":"Celo’s up to date codebase can be found at [https://github.com/celo-org](https://github.com/celo-org). \n\n__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nCelo adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n__KYC Requirement__\n\nCelo will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this Audit Competition bug bounty and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Celo has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1bz7ftAvwgTWTM8dHABn3QK-ENo4BqAuI?usp=sharing)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/celo)","boostedIntroLive":"$50,000 USD is available in rewards for finding bugs in Celo contracts of 5,253 nSLOC. \n\nKYC is required.\n\nAny technical questions and support requests can be asked directly to Celo or Immunefi in the [Celo Audit Competition Discord channel](https://discord.com/invite/immunefi).\n\nWhen the Audit Competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nFor more information about Celo, please visit https://celo.org/","boostedIntroStartingIn":"$50,000 USD in rewards is available for finding bugs on Celo. 
\n\nCelo is scaling Ethereum with real-world solutions, leading a thriving new digital economy for all.\n\nFor more information about Celo, please visit https://celo.org/\n\n**KYC is required**\n\nAny technical questions can be asked directly to the Celo technical team on Immunefi's [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"celo-audit-competition\" channel.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Celo's technical walkthrough on our official YouTube channel.","boostedLeaderboard":[{"high":2,"name":"innertia","critical":1,"earnings":20768,"insights":0,"mediumLow":0,"totalValidBugs":3},{"high":1,"name":"jovi","critical":1,"earnings":15387,"insights":1,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"shadowHunter","critical":1,"earnings":10310,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"okmxuse","critical":0,"earnings":3536,"insights":0,"mediumLow":1,"totalValidBugs":1}],"boostedSummaryReport":"https://drive.google.com/file/d/1hxnu0v5URZ-fg3nwmw-ISClJexASKiTt/view","ecosystem":null,"endDate":"2024-12-06T19:00:00.000Z","evaluationEndDate":"2025-02-03T13:00:32.445Z","features":["Boost","Managed Triage: Time Saver","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity","Go"],"launchDate":"2024-11-13T19:00:43.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7nM3c2euHCQclF8A6mCxD/f953e7450deb632beb4fe7aca1e5766f/Celo_Symbol_CMYK_Onyx__1_.png","maxBounty":50000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Our mission is to build a regenerative digital economy that creates conditions of prosperity for all.\n\nFor more information about Celo, please visit [https://celo.org/](https://celo.org/). \n\nCelo provides rewards in cUSD, denominated in USD. \n\n**This Audit Competition has an audit running in parallel. Bugs in the audit report that aren't disclosed pre-launch are valid for rewards.**","programType":["Smart Contract"],"project":"Audit Comp | Celo","projectType":null,"rewardsBody":"The following reward terms are a summary. For the full details read our [Celo Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/30062321013393-Celo-Audit-Competition-Reward-Terms)\n\nA reward pool of $50,000 USD will be distributed among participants, even if no valid bugs are found. \n\nDuplicates and private known issues are valid for a reward.\n\n**This Audit Competition has an audit running in parallel. Bugs in the audit report that aren't disclosed pre-launch are valid for rewards.**\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. 
\"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\n**Duplicates of Insight reports are not eligible for a reward.**","rewardsPool":50000,"primaryPool":50000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"cUSD","slug":"audit-comp-celo","tenPercentEconomicRule":false,"updatedDate":"2025-02-13T08:23:35.978Z","impactsBody":"__Technical Resources__\n\n**Roadmap** \n\n[https://forum.celo.org/t/cel2-roadmap-update/6815](https://forum.celo.org/t/cel2-roadmap-update/6815)\n\n**Technical**\n\n- [https://specs.celo.org/](https://specs.celo.org/)\n- [https://docs.celo.org/](https://docs.celo.org/)\n\n**Non-technical**\n[https://www.youtube.com/watch?v=mkpTmbkRv4A](https://www.youtube.com/watch?v=mkpTmbkRv4A)\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nCelo is transitioning from a standalone EVM-compatible Layer 1 blockchain to an Ethereum Layer 2. This shift, proposed by cLabs in July 2023, aims to maintain the seamless user experience that Celo is known for—characterized by speed, low costs, and ease of use—while leveraging Ethereum's security and ecosystem.\n\n__Where do you suspect there may be bugs? Which parts of the code are you most concerned about?__\n\nExperimental Features, Custom Gas Token, Alternate Data Availability Layer implementation in the OP Stack.\n\n__What attack vectors are you most concerned about?__\n\nMigration to L2 and Sequencer \n\n__Which part(s) of the system do you want whitehats to attempt to break the most?__\n\nCustom Gas Currency (https://docs.celo.org/cel2/fee-currencies)\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__\n\nAll ERC20 / ERC721 / ERC777 / ERC1155 standards are supported. 
\n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nTest on Testnet: [https://docs.celo.org/cel2/network-information](https://docs.celo.org/cel2/network-information)\n\n__What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nThird-party security review\nBlockchain Explorer\n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\nAny is fine on Testnet\n\n__What external dependencies are there?__\n\n[https://github.com/ethereum-optimism/op-geth](https://github.com/ethereum-optimism/op-geth)\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nOpen source code in the defined repos is in scope. Anything on testnet is in scope. Cel2 code is not deployed to Mainnet. \n\nstCelo (staked-celo) is live and on Mainnet; this is in scope.  \n\n__What is the test suite setup information?__\n\n- [https://docs.celo.org/cel2/network-information](https://docs.celo.org/cel2/network-information)\n- [https://celo.academy/t/exploring-alfajores-testnet-a-comprehensive-guide-to-celos-test-network/2618](https://celo.academy/t/exploring-alfajores-testnet-a-comprehensive-guide-to-celos-test-network/2618)\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n\n- [https://github.com/celo-org/staked-celo/pull/211/files](https://github.com/celo-org/staked-celo/pull/211/files)\n\n__Previous Audits__\n\nCelo’s previous audit reports can be found here: [https://celo.org/audits](https://celo.org/audits)\n\nCelo is currently running an audit. Bugs in the audit report that aren't disclosed pre-launch are valid for rewards.","websiteUrl":"https://celo.org/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Celo is scaling Ethereum with real-world solutions, leading a thriving new digital economy for all.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":5218,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds on L1"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed 
yield"},{"id":5219,"type":"smart_contract","severity":"critical","title":"L1 contract manipulation (sequencer address, malicious state root update)"},{"id":5220,"type":"smart_contract","severity":"critical","title":"Critical hot wallets compromised (batcher, proposer, sequencer)"},{"id":5221,"type":"smart_contract","severity":"high","title":"L2 re-org"},{"id":5222,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds on L2"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"mWiiJfIryePm17WasTxus","url":"https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/signer","type":"blockchain_dlt","addedAt":"2024-12-02T08:00:00.000Z","revision":1,"description":"sBTC Signer - a signer entity separate from the Stacks Nakamoto signer which signs sBTC operations, communicates with sBTC contracts, and manages sBTC UTXOs. - 19760","isPrimacyOfImpact":null},{"id":"62GqEM1obidH4Fk7jo7DDT","url":"https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/emily","type":"blockchain_dlt","addedAt":"2024-12-02T08:00:00.000Z","revision":1,"description":"Emily - An API that helps facilitate and supervise the sBTC Bridge - 6000","isPrimacyOfImpact":null},{"id":"9VUhMac5zrLarJu9eoIvW","url":"https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/protobufs","type":"blockchain_dlt","addedAt":"2024-12-02T08:00:00.000Z","revision":1,"description":"Protobuffs - Platform-neutral extensible mechanisms for serializing structured data. 
- 292","isPrimacyOfImpact":null},{"id":"lg0NutDDOz4o2YIvvztBD","url":"https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/sbtc","type":"blockchain_dlt","addedAt":"2024-12-02T08:00:00.000Z","revision":1,"description":"lib-sbtc - A library for creating BTC deposit transactions that can be handled by the sBTC signers. - 1186","isPrimacyOfImpact":null},{"id":"RzovoaWgIExBQbYPMzKLS","url":"https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/contracts/contracts","type":"smart_contract","addedAt":"2024-12-02T08:00:00.000Z","revision":1,"description":"Smart Contract - sBTC contracts - The Clarity contracts for the sBTC protocol. - 645","isPrimacyOfImpact":null}],"assetsBodyV2":"Learn more on the Stacks' Academy.\n\n## Project Technical Info\n\nWhat ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?\n\n- SIP10 is the only token standard supported https://github.com/stacksgov/sips/blob/main/sips/sip-010/sip-010-fungible-token-standard.md \n\nWhat emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?\n\n- Deposit processing can be paused by shutting down the Emily API server. In the case of vulnerabilities in deposit handling, this can be used to reduce the impact of an ongoing attack.\n\nWhat addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?\n\n- Signers are permissioned and whitelisted operators. Any attack that requires a majority of signers to be malicious should be out of scope. Attacks that require a minority of signers to be malicious would still be in scope but with reduced severity. \n\nWhich chains and/or networks will the code in scope be deployed to?\n\n- Stacks L2\n\n## Security Researcher Education\n\nIs this an upgrade of an existing system? If so, which? 
And what are the main differences?\n\n- sBTC is a new 1:1 Bitcoin-backed asset on the Stacks Bitcoin L2. The in-scope codebase is completely new. \n\nWhere do you suspect there may be bugs?\n\n- The end-to-end flow of processing new Bitcoin deposits and minting sBTC on Stacks is relatively complex and error prone. Issues here could allow DoS of valid deposits or incorrect minting of unbacked sBTC.\n\nVulnerabilities in the sBTC smart contracts hosted on Stacks could break the core assumptions of the system. Any attack that leads to a mismatch between the BTC collateral and the sBTC would be highly interesting to us.\n\n- Any attacks against the threshold signature scheme used on Bitcoin\n\nWhere might Security Researchers confuse out-of-scope code to be in-scope?\n\n- Vulnerabilities in the Stacks L2 blockchain itself should be reported directly to the [Stacks Immunefi bug bounty](https://immunefi.com/bug-bounty/stacks/information/). \n\n- The initial launch of sBTC does not enable withdrawals back to Bitcoin. While partial code to support withdrawals can be found in the codebase, issues that can’t be exploited in “deposit-only” mode will be downgraded.\n\nAre there any unusual points about your protocol that may confuse Security Researchers?\n\n- sBTC launches without support for withdrawals. Users can go from BTC -> sBTC, but the support for sBTC -> BTC is not fully implemented. 
This functionality will be part of a follow-up contest.","boostedIntroEvaluating":"","boostedIntroFinished":"Attackathon Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1V-_UyyGxXRy_0-z0L7_WysbvHyDbeVyT)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/stacks-i-attackathon)","boostedIntroLive":"A flat $250,000 USD is in rewards for finding bugs on the Stacks sBTC upgrade.\n\nOn top of the $250k, a bonus reward equal to the yield generated from 1 Million STX over 3 months will be distributed equally among all SRs who submit a valid bug report. Estimated to be worth about $50,000 USD as of December 2nd, 2024.\n\nAfter the first Attackathon, a second will be launched on more new code with an additional $250,000 USD + bonus STX in rewards.\n\nAny technical questions and support requests can be asked directly to Stacks or Immunefi in the #stacks-attackathon channel in [Immunefi's Discord](https://discord.com/invite/immunefi).\n\nWhen the Stacks Attackathon ends, Immunefi will publish a leaderboard and Attackathon findings report.","boostedIntroStartingIn":"A flat $250,000 USD is in rewards for finding bugs on the Stacks sBTC upgrade.\n\nOn top of the above rewards, the yield generated from 1 Million STX over 3 months will be distributed equally among all SRs who submit a valid bug report. 
Estimated to be worth about $50,000 USD as of December 2nd, 2024.\n\nAfter the first Attackathon, a second will be launched on more new code with an additional $250,000 USD + bonus STX in rewards.\n\nDecember 2nd the **Stacks Attackathon Education Period** begins — launching the ‘Stacks sBTC Academy’, and opening direct access to the Stack’s team for ongoing technical Q&A on [Immunefi's Discord](https://discord.com/invite/immunefi) in the “stacks-attackathon\" channel.\n\nWhen the Stacks Attackathon ends, Immunefi will publish a leaderboard and Attackathon findings report.\n\n[Sign up for Stacks Attackathon Updates](https://docs.google.com/forms/d/e/1FAIpQLSepIL-1khl05n7IpWBgXKdKQ1HT9A1G4IUuaPeKzkbURxY7rw/viewform?usp=sf_link).","boostedLeaderboard":[{"high":4,"name":"f4lc0n","critical":1,"earnings":101043,"insights":2,"mediumLow":5,"totalValidBugs":10},{"high":7,"name":"n4nika","critical":0,"earnings":84837,"insights":3,"mediumLow":2,"totalValidBugs":9},{"high":0,"name":"throwing5tone7","critical":1,"earnings":45403,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"jovemjeune","critical":0,"earnings":10892,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"PaiMei_and_Gandalf","critical":0,"earnings":3631,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"niroh","critical":0,"earnings":1961,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"XDZIBECX","critical":0,"earnings":1210,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"ZoA","critical":0,"earnings":1023,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1uyOVRAIK_UAtRHszN29ekjI82BJIHJQi/view?usp=sharing","ecosystem":["Bitcoin","Stacks"],"endDate":"2025-01-13T08:00:00.000Z","evaluationEndDate":"2025-02-10T15:01:52.852Z","features":["Attackathon","Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust","Clarity"],"launchDate":"2024-12-02T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/01l459XixXD643sQk4fGWl/ac67a0956b6f6b7e69185e9f53ecf120/Stacks_Logo.png","maxBounty":250000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"Stacks","prioritizedVulnerabilities":"To be determined","productType":["L2"],"programOverview":"Stacks is a Bitcoin L2 enabling smart contracts & apps with Bitcoin as the secure base layer. This Attackathon focuses on Stacks’ sBTC upgrade.\n\nFor more information about sBTC and, visit https://sbtc.tech/ and https://www.stacks.co/.\n\nThis Attackathon has an audit running in parallel. Bugs in the audit report that aren't disclosed are valid for rewards.\n\nThis Attackathon’s code is/will be on mainnet during the competition. Code cannot be frozen because the project may need to immediately mitigate severe bugs in live code. 
The following conditions apply:\n- The project will share detailed changelogs when code changes are released during the Attackathon on Discord and they will be documented in our [Stacks changelog](https://immunefisupport.zendesk.com/hc/en-us/articles/30737752973073-Stacks-Attackathon-1-Code-Update-Changelog).\n- Duplicates and private known issues are valid for a reward until those bugs are shared publicly.\n- Read our [Code Update Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/30553426831633-Stacks-Attackathon-1-Code-Update-Rules) for further details on how code updates will be allowed & communicated \n\n**Responsible Publication**\n\nSecurity Researchers may publish their bug reports, but only after Immunefi has released all of the raw bug reports as part of the contest results, with the following exceptions:\n\n- Bug reports in evaluation may not be published until the evaluation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this Attackathon, as well as a leaderboard showing the participants and their earnings.","programType":["Blockchain/DLT","Smart Contract"],"project":"Attackathon | Stacks","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Stacks Attackathon 1 Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/30553590157073-Stacks-Attackathon-1-Reward-Terms).\n\n- **The reward pool size is $250,000 USD**, regardless of bugs found.\n\n- **On top of the above rewards,** the yield generated from 1 Million STX over 3 months will be distributed equally among all SRs who submit a valid bug report. 
Estimated to be **worth about $50,000 USD** as of December 2nd, 2024.\n\nDuplicates and private known issues are valid for a reward.","rewardsPool":250000,"primaryPool":250000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"STX","slug":"stacks-attackathon-1","tenPercentEconomicRule":false,"updatedDate":"2025-02-12T10:33:56.779Z","impactsBody":"**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\nThe initial launch of sBTC does not enable withdrawals back to Bitcoin. While partial code to support withdrawals can be found in the codebase, issues that can’t be exploited in “deposit-only” mode will be downgraded.\n\n**Public Disclosure of Known Issues**\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n- https://github.com/stacks-network/sbtc/issues?q=is%3Aissue+is%3Aopen+label%3A%22flagged+by+AR%22\n- https://github.com/stacks-network/sbtc/issues\n\nThe project will share detailed changelogs when code changes are released during the Attackathon on Discord and they will be documented in our [Stacks changelog](https://immunefisupport.zendesk.com/hc/en-us/articles/30737752973073-Stacks-Attackathon-1-Code-Update-Changelog).\n\n**Previous Audits**\n\nStacks’s completed audit reports can be found at https://stacks.org/audits. 
Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n**Primacy of Impact vs Primacy of Rules**\n\nStacks adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n**KYC Information**\n\nStacks will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name\n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.","websiteUrl":"https://www.stacks.co/","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Stacks is a Bitcoin L2 enabling smart contracts & apps with Bitcoin as the secure base layer. This Attackathon focuses on Stacks’ sBTC upgrade.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"Security researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.\n","customProhibitedActivities":[],"impacts":[{"id":5256,"type":"blockchain_dlt","severity":"high","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct 
risk"},{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":5257,"type":"blockchain_dlt","severity":"high","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":5258,"type":"blockchain_dlt","severity":"medium","title":"API crash preventing correct processing of deposits"},{"id":5259,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24h"},{"id":5260,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds for at least 1h"},{"id":5261,"type":"blockchain_dlt","severity":"medium","title":"Temporarily Freezing Network Transactions"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"Portion of the Reward 
Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"GjoDtBxgv0SaWNHE7g9gs","url":"https://etherscan.io/address/0x7122985656e38BDC0302Db86685bb972b145bD3C","type":"smart_contract","addedAt":"2024-09-12T14:36:25.000Z","revision":1,"description":"STONE Token","isPrimacyOfImpact":null},{"id":"1J9LLjoVNsS7L6tB0KCyUA","url":"https://etherscan.io/address/0xA62F9C5af106FeEE069F38dE51098D9d81B90572","type":"smart_contract","addedAt":"2024-09-12T14:36:25.000Z","revision":1,"description":"STONE Vault","isPrimacyOfImpact":null},{"id":"1FUhjEXFiGzvEcP2rXQXZJ","url":"https://etherscan.io/address/0x9485711f11B17f73f2CCc8561bcae05BDc7E9ad9","type":"smart_contract","addedAt":"2024-09-12T14:36:25.000Z","revision":1,"description":"AssetsVault","isPrimacyOfImpact":null},{"id":"3UZgEJqCBMHtkM681fPLYe","url":"https://etherscan.io/address/0x87D004f22BDD5F9c85AD6D3F74F1fB6e7A256982","type":"smart_contract","addedAt":"2024-09-12T14:36:25.000Z","revision":1,"description":"EigenLayer Strategy","isPrimacyOfImpact":null},{"id":"2zeQ2dID70rMJyXLfQknCI","url":"https://etherscan.io/address/0x2D70868f12A05b8C347974415baC5de053DAa376","type":"smart_contract","addedAt":"2024-09-12T14:36:25.000Z","revision":1,"description":"Native Strategy","isPrimacyOfImpact":null},{"id":"6cVmv3peO5NFtLazqyuknV","url":"https://etherscan.io/address/0xc20dB8e8a23F5Ec02126617C4B76f6092A27Ce4b","type":"smart_contract","addedAt":"2024-09-12T14:36:25.000Z","revision":1,"description":"Symbiotic WstETH 
Strategy","isPrimacyOfImpact":null},{"id":"7zYS6eps7F6HCOReROZqTc","url":"https://etherscan.io/address/0x58907ad5c7eD1EaB5FdCc0Cc347F25bF5BC0e7da","type":"smart_contract","addedAt":"2024-09-12T14:36:25.000Z","revision":1,"description":"Symbiotic WBETH Strategy","isPrimacyOfImpact":null},{"id":"2gjqNMj7x6pEtCxtvD5xDp","url":"https://etherscan.io/address/0xe9b7ccFc7d05028bD8214bd04F9B4fa7C734d574","type":"smart_contract","addedAt":"2024-09-12T14:36:25.000Z","revision":1,"description":"Mellow WstETH Strategy","isPrimacyOfImpact":null},{"id":"7GNQwCivol6u69V1mrhhkb","url":"https://immunefi.com/bug-bounty/stakestone/","type":"smart_contract","addedAt":"2024-09-12T14:36:25.000Z","revision":2,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"StakeStone’s codebase can be found in the table above. Documentation and further resources can be found on [https://docs.stakestone.io/stakestone](https://docs.stakestone.io/stakestone).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Bitcoin"],"endDate":null,"evaluationEndDate":null,"features":["Arbitration","Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-09-12T14:36:25.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/lTWhtXDyfizGgVkU5Myjr/f2b9c05def378a446671efd050d90389/StakeStone.png","maxBounty":300000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities are prioritized based on severity and impact.","productType":["Liquid Staking","Staking"],"programOverview":"StakeStone is committed to building the first stable, yield-bearing liquid ETH/BTC, powered by an adaptive staking network that supports various risk-free consensus layers with native 
assets. Yield opportunities are optimized through adaptable underlying strategies using an on-chain proposal mechanism called OPAP, which seamlessly redistributes omnichain liquidity across ecosystems and protocols. Backed by leading investors such as Binance Labs, OKX Ventures, SevenX, HashKey Capital & HashKey Cloud, Amber Group, Cobo, Nomad Capital, Symbolic Capital, Dao5, and Bankless Ventures.\n\nFor more information about StakeStone, please visit [https://stakestone.io/](https://stakestone.io/)\n\nStakeStone provides rewards in __USDC__ on Ethereum, denominated in __USD__. For more details about the payment process, please view the __Rewards by Threat Level__ section further below. \n\n__KYC Requirement__\n\nImmunefi will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n- Eligibility Criteria \n\n\n__Primacy of Rules__\n\nStakeStone adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nStakeStone’s completed audit reports can be found at https://docs.stakestone.io/stakestone/additionals/audits-and-security. 
Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, StakeStone has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"StakeStone","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 300 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. 
\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 5 000 to USD 20 000, depending on the funds at risk, capped at the maximum high reward.  \n\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the StakeStone team directly and are denominated in __USD__. However, payments are done in __USDC__ on __ETH__.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"stakestone","tenPercentEconomicRule":false,"updatedDate":"2025-02-03T07:42:52.842Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":11940,"severity":"critical","assetType":"smart_contract","maxReward":300000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11941,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"4e61RQY6Kd8YKLyj1Nd9e8","url":"https://polygonscan.com/address/0x4d97dcd97ec945f40cf65f87097ace5ea0476045","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"ConditionalTokens","isPrimacyOfImpact":null},{"id":"57lccCvPOFVYpngZBx7e9i","url":"https://polygonscan.com/address/0x4bfb41d5b3570defd03c39a9a4d8de6bd8b8982e","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"CTFExchange","isPrimacyOfImpact":null},{"id":"6OhE2OheG8mEd1dBDjkakE","url":"https://polygonscan.com/address/0x56C79347e95530c01A2FC76E732f9566dA16E113","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"FeeModule","isPrimacyOfImpact":null},{"id":"7nUGKoDkSRueT
e4zZtYUKK","url":"https://polygonscan.com/address/0xd91E80cF2E7be2e162c6513ceD06f1dD0dA35296","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"NegRiskAdapter","isPrimacyOfImpact":null},{"id":"AYTpnuVUB2iUfx57onFEP","url":"https://polygonscan.com/address/0xC5d563A36AE78145C45a50134d48A1215220f80a","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"NegRiskCtfExchange","isPrimacyOfImpact":null},{"id":"6IJZtvUBrVs0fuTpdNI67u","url":"https://polygonscan.com/address/0x78769D50Be1763ed1CA0D5E878D93f05aabff29e","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"NegRiskFeeModule","isPrimacyOfImpact":null},{"id":"O8zf6QvxXCtyM9Xw9vEP3","url":"https://polygonscan.com/address/0x71523d0f655B41E805Cec45b17163f528B59B820","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"NegRiskOperator","isPrimacyOfImpact":null},{"id":"oFDH15MSKo7fuPRk8z4AJ","url":"https://polygonscan.com/address/0x2F5e3684cb1F318ec51b00Edba38d79Ac2c0aA9d","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"NegRiskUmaCtfAdapter","isPrimacyOfImpact":null},{"id":"6AVhv3euRNvpTBe35KVyA7","url":"https://polygonscan.com/address/0x3A3BD7bb9528E159577F7C2e685CC81A765002E2","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"NegRiskWrappedCollateral","isPrimacyOfImpact":null},{"id":"16iMPpGrjZex8SaKhLUayh","url":"https://polygonscan.com/address/0xaB45c5A4B0c941a2F231C04C3f49182e1A254052","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"ProxyFactory","isPrimacyOfImpact":null},{"id":"29rtVcnsFmJd9KClvNTzKN","url":"https://polygonscan.com/address/0xaacFeEa03eb1561C4e67d661e40682Bd20E3541b","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"SafeFactory","isPrimacyOfImpact":null},{"id":"2PS81AH1kbS3Qd4W0wjOVm","url":"https:/
/polygonscan.com/address/0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"UmaCtfAdapter","isPrimacyOfImpact":null},{"id":"T4rFlkBI6kaMPo9tAWCoO","url":"https://polymarket.com/","type":"websites_and_applications","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"Home Page","isPrimacyOfImpact":null},{"id":"T0GbjEQlnGwS5mCZbG9hc","url":"https://immunefi.com","type":"smart_contract","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"4GcXCgkvR30oK92c7tiYZ8","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2024-04-22T17:00:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"Audits and deployments can be found at [https://github.com/Polymarket/contract-security](https://github.com/Polymarket/contract-security).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Managed Triage: Time Saver","Subscription Plan: Essential"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2024-04-22T17:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5jxAOPTfTYMoswZPI9Mn9N/ffb11e8d127bd24a1aec560645af8f51/photo_2024-04-22_20.07.26__1_.png","maxBounty":1000000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Prediction Market"],"programOverview":"Polymarket is the world’s largest prediction market.\n\nBet on the outcome of future events in a wide range of topics, like sports, politics, and pop culture. Get accurate real-time probabilities of the events that matter most to you.\n\nFor more information about Polymarket, please visit https://polymarket.com/\n\nPolymarket provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nPolymarket adheres to the Primacy of Impact for the following levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Web/App - Critical\n- Web/App - High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact).  \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Known Issue Assurance__\n\nPolymarket commits to providing Known Issue Assurance to bug submissions through their program. This means that Polymarket will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n\n__Previous Audits__\n\nPolymarket’s completed audit reports can be found at [https://github.com/Polymarket/contract-security](https://github.com/Polymarket/contract-security). 
Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Polymarket has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","programType":["Smart Contract","Websites and Applications"],"project":"Polymarket","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 1,000,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 25,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. 
\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 2 500 to USD 25 000 depending on the funds at risk, capped at the maximum high reward.  \n\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nFor critical web/apps bug reports will be rewarded with USD 20 000, only if the impact leads to:\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 5 000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Reward Payment Terms__\n\nPayouts are handled by the Polymarket team directly and are denominated in USD. However, payments are done in USDC on Ethereum\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"polymarket","updatedDate":"2025-01-24T16:20:20.929Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Polymarket is the world’s largest prediction market. 
With Polymarket you can bet on the outcome of future events in a wide range of topics, like sports, politics, and pop culture. Get accurate real-time probabilities of the events that matter most to you.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. 
Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4840,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:  Iframing leading to modifying the backend/browser state"},{"id":4841,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:  Social media handles, etc."},{"id":4842,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as: Locking up the victim from login, Cookie bombing, etc."},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":4843,"type":"websites_and_applications","severity":"high","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting"},{"id":4844,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4845,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as: Email address"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without 
already-connected wallet interaction"},{"id":4846,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection, Loading external site data"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4847,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as: /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4848,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through 
metadata"}],"rewards":[{"id":11547,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11548,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":2000,"rewardModel":"range"},{"id":11549,"severity":"critical","assetType":"websites_and_applications","maxReward":20000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":11550,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":11551,"severity":"medium","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":11552,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1NZgCai6kvihG3LkBtwuji","url":"https://github.com/oasisprotocol/oasis-core","type":"blockchain_dlt","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"Oasis Core","isPrimacyOfImpact":null},{"id":"6JWgaTT3NPBVTjyuvC5Rpb","url":"https://github.com/oasisprotocol/oasis-sdk","type":"blockchain_dlt","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"Oasis 
SDK","isPrimacyOfImpact":null},{"id":"J47n0TeewUHsQBDtN1Svx","url":"https://github.com/oasisprotocol/sapphire-paratime","type":"blockchain_dlt","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"Sapphire","isPrimacyOfImpact":null},{"id":"2CEypRvGn6lyNk99STE7vx","url":"https://github.com/oasisprotocol/curve25519-voi","type":"blockchain_dlt","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"curve25519-voi","isPrimacyOfImpact":null},{"id":"6rzllN8RJLfd51uNfoVLG5","url":"https://github.com/oasisprotocol/deoxysii","type":"blockchain_dlt","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"deoxysii","isPrimacyOfImpact":null},{"id":"7wT0FrBG9YQhm3e35SYJCK","url":"https://github.com/oasisprotocol/deoxysii-rust","type":"blockchain_dlt","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"deoxysii-rust","isPrimacyOfImpact":null},{"id":"3mOO5Myo4MvRSRggdovIrU","url":"https://github.com/oasisprotocol/cli","type":"websites_and_applications","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"CLI","isPrimacyOfImpact":null},{"id":"3kMdLPQpcsh0mraESHHCGH","url":"https://github.com/oasisprotocol/oasis-web3-gateway","type":"websites_and_applications","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"Web3 Gateway","isPrimacyOfImpact":null},{"id":"1re8yZkOxSias4S8ItGQs6","url":"https://github.com/oasisprotocol/oasis-wallet-web","type":"websites_and_applications","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"Web Wallet","isPrimacyOfImpact":null},{"id":"e8HlESaXdSLkHdLqN9FAh","url":"https://wallet.oasis.io","type":"websites_and_applications","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"Web Wallet","isPrimacyOfImpact":null},{"id":"rS5nePnZq5p3ZxLsiDplg","url":"https://immunefi.com/","type":"blockchain_dlt","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"5CI0UAXYvQek4NgrXJDeIS","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2024-02-20T16:32:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2024-02-20T16:32:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7cPAZ4QrnHqejjUgvieyXf/17653320455ff119207a568deb6b1129/oasis-network-rose-logo_copy.png","maxBounty":100000,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1"],"programOverview":"Oasis is a privacy layer for Web3 with native high performance and cross-chain interoperability.\n\nFor more information about Oasis, please visit https://oasisprotocol.org/\n\nOasis provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nOasis will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n__Primacy of Impact vs Primacy of Rules__\n\nOasis adheres to the Primacy of Impact for the following impacts:\n\n- Blockchain/DLT: Critical\n- Blockchain/DLT: High\n- Blockchain/DLT: Medium\n- Web/App: Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Github issues can be found here: https://github.com/oasisprotocol\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Oasis has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Blockchain/DLT","Websites and Applications"],"project":"Oasis","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward USD 100 000. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding on a bug report.\n\nFor critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows: \n\n- Network not being able to confirm new transactions (total network shutdown and does not include network level DDoS attack)\n[USD 10 000] \n- Unintended permanent chain split requiring hard fork (network partition requiring hard fork)\n[USD 10 000] \n- Permanent freezing of funds (fix requires hardfork)\n[USD 10 000] \n\n__Reward Payment Terms__\n\nPayouts are handled by the Oasis team directly and are denominated in USD. 
However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"oasis","updatedDate":"2025-01-24T16:19:50.540Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Oasis is a privacy layer for Web3 with native high performance and cross-chain interoperability.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4743,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":11,"type":"blockchain_dlt","severity":"medium","title":"A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4744,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment 
variables, open source code, or usernames)"},{"id":4745,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4746,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"}],"rewards":[{"id":11543,"severity":"critical","assetType":"blockchain_dlt","maxReward":100000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11544,"severity":"high","assetType":"blockchain_dlt","fixedReward":10000,"rewardModel":"fixed"},{"id":11545,"severity":"medium","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"},{"id":11546,"severity":"critical","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed","otherImpactMaxReward":0}],"audits":[]},{"assets":[{"id":"271efAzPJxBMYPQlNPMvlg","url":"https://bscscan.com/address/0x9e347Af362059bf2E55839002c699F7A5BaFE86E","type":"smart_contract","addedAt":"2023-06-22T21:58:07.853Z","revision":1,"description":"BNB 
Pool","isPrimacyOfImpact":null},{"id":"5feiYDzh9VcrSU5ghzUaxp","url":"https://bscscan.com/address/0x52F24a5e03aee338Da5fd9Df68D2b6FAe1178827","type":"smart_contract","addedAt":"2022-07-21T18:00:00.000Z","revision":2,"description":"ankrBNB","isPrimacyOfImpact":null},{"id":"1FV5sbI6JBoAahOIi5PhyC","url":"https://bscscan.com/token/0x67428dE0680494E448F1A19d33C2022a51719348","type":"smart_contract","addedAt":"2023-01-12T16:32:02.620Z","revision":2,"description":"BNBStakingConfig","isPrimacyOfImpact":null},{"id":"66gh6Laq3dZJQPC9CunkZi","url":"https://etherscan.io/address/0x84db6eE82b7Cf3b47E8F19270abdE5718B936670","type":"smart_contract","addedAt":"2022-11-28T19:17:21.655Z","revision":1,"description":"ETH Pool","isPrimacyOfImpact":null},{"id":"1VBeAe6ZK53cN9xnv4MhQ7","url":"https://etherscan.io/token/0xE95A203B1a91a908F9B9CE46459d101078c2c3cb#code","type":"smart_contract","addedAt":"2022-11-28T19:17:18.568Z","revision":1,"description":"aETHc","isPrimacyOfImpact":null},{"id":"3PvVK9ELKRF9oJS3ErVWRj","url":"https://etherscan.io/token/0xd01ef7c0a5d8c432fc2d1a85c66cf2327362e5c6#code","type":"smart_contract","addedAt":"2022-11-28T19:17:15.913Z","revision":1,"description":"aETHb","isPrimacyOfImpact":null},{"id":"6obn0iZNqYV0O3ABFQ0nPh","url":"https://etherscan.io/address/0xCfD4B4Bc15C8bF0Fd820B0D4558c725727B3ce89","type":"smart_contract","addedAt":"2023-01-25T15:13:30.847Z","revision":1,"description":"PolygonPool","isPrimacyOfImpact":null},{"id":"6Q3o28BXsPFZhUPPCcCeYC","url":"https://etherscan.io/address/0x26dcFbFa8Bc267b250432c01C982Eaf81cC5480C","type":"smart_contract","addedAt":"2023-01-25T15:13:28.194Z","revision":1,"description":"ankrMATIC","isPrimacyOfImpact":null},{"id":"6pMwmwAJlAMHjIboTwqvPA","url":"https://etherscan.io/address/0x99534Ef705Df1FFf4e4bD7bbaAF9b0dFf038EbFe","type":"smart_contract","addedAt":"2023-01-25T15:13:25.609Z","revision":1,"description":"aMATICb","isPrimacyOfImpact":null},{"id":"1WcLCTmcmNmBxN5Fd6RoIw","url":"https://etherscan.io/address/0xad0dC
C6635a5c38be6B87007210797Ad94AdB4B7","type":"smart_contract","addedAt":"2023-01-25T15:13:23.981Z","revision":1,"description":"MaticCrosschainStaking","isPrimacyOfImpact":null},{"id":"1foFgmvYp5e5szlg3kzdQy","url":"https://polygonscan.com/address/0xad0dCC6635a5c38be6B87007210797Ad94AdB4B7","type":"smart_contract","addedAt":"2023-01-25T15:13:21.777Z","revision":1,"description":"MaticCrosschainStaking","isPrimacyOfImpact":null},{"id":"6SNsOZvKMNfeIj19H4Ya1x","url":"https://polygonscan.com/address/0x62a509ba95c75cabc7190469025e5abee4eddb2a","type":"smart_contract","addedAt":"2023-01-25T15:13:17.663Z","revision":1,"description":" MaticSwapPool","isPrimacyOfImpact":null},{"id":"444tnEdSHiZUYkQBUfEwLg","url":"https://www.ankr.com/staking/*","type":"websites_and_applications","addedAt":"2022-07-21T18:00:00.000Z","revision":1,"description":"Main Web App","isPrimacyOfImpact":null}],"assetsBodyV2":"Only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nThough only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target. \n\nIf an impact can be caused to any other asset managed by Ankr that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. 
This only applies to Critical impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC","ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Vyper"],"launchDate":"2022-07-21T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3LohZrbHuhcG4MgU2zrH4A/39bca0e7dc6e249cee3706c8c0021929/Ankr_logo.jpeg","maxBounty":500000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Services","Liquid Staking"],"programOverview":"Ankr is a decentralized blockchain infrastructure provider that operates an array of nodes globally distributed across over 50 Proof-of-Stake networks.\n\nAnkr Staking makes cross-chain staking, liquid staking, and other yield-earning opportunities simple and accessible to all crypto investors. Ankr has created a scalable, flexible and decentralized staking mechanism that resolves the capital inefficiency of Proof-of-Stake networks and similar blockchain consensus mechanisms. 
Stake your crypto and get liquid staking tokens or use liquid staking to boost your yield.\n\nFor more information about Ankr, please visit [https://www.ankr.com/about-staking/](https://www.ankr.com/about-staking/).","programType":["Smart Contract","Websites and Applications"],"project":"Ankr","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the  [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 5% of economic damage, primarily taking into consideration funds at risk. However, there is a minimum reward of __USD 10 000__. \n\nAll other rewards for the Ankr bug bounty program are scaled based on an internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in-place. 
However, there is a minimum reward of __USD 1 000__ for each severity level, rewards will be provided at the determined fair value by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program.\n\nThe following vulnerabilities marked in [https://www.ankr.com/docs/staking/extra/audit-reports/](https://www.ankr.com/docs/staking/extra/audit-reports/) are not eligible for a reward.\n\nPayouts are handled by the Ankr team directly and are denominated in USD. However, payouts are done in __ANKR, USDT and USDC__, with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ANKR, USDT and USDC","slug":"ankr","updatedDate":"2025-01-24T16:10:55.590Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Ankr is a decentralized blockchain infrastructure provider that operates an array of nodes globally distributed across over 50 Proof-of-Stake networks.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":3005,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 30 days"},{"id":3006,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":3007,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":3008,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":3009,"type":"smart_contract","severity":"medium","title":"Block stuffing for 
profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":3010,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":3011,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":3012,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":3013,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or 
usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":3014,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":3015,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"}],"rewards":[{"id":11526,"severity":"critical","assetType":"smart_contract","maxReward":500000,"rewardModel":"up_to","rewardCalculationPercentage":0},{"id":11527,"severity":"high","assetType":"smart_contract","maxReward":50000,"rewardModel":"up_to"},{"id":11528,"severity":"medium","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":11529,"severity":"low","assetType":"smart_contract","maxReward":1000,"rewardModel":"up_to"},{"id":11530,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"rewardModel":"up_to","otherImpactMaxReward":0},{"id":11531,"severity":"high","assetType":"websites_and_applications","maxReward":5000,"rewardModel":"up_to"},{"id":11532,"severity":"medium","assetType":"websites_and_applications","maxReward":2000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"yOgrLdcEZbKtrmmJ5tDIV","url":"https://etherscan.io/address/0xc9d7bd1Fad7D5621DdA20335818E9575Ae07Ea03","type":"smart_contract","addedAt":"2023-07-26T12:00:00.000Z","revision":1,"description":"MintedTokenCappedCrowdsaleExtv1","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroL
ive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-07-26T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/11JCYUuvvCgVwDyzMmDklA/79a4bfd3682951f96d5ca851f6d9abdb/10_copy.png","maxBounty":500000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Services"],"programOverview":"UTIX is a decentralized, event hosting and e-ticketing platform that utilizes blockchain based smart contracts to bring control to the community.\n\nThe main purpose of this bug bounty program is to help identify a way to unlock funds that are stuck in our smart contract.\n\nFor more information about Utix, please visit [https://utix.io/](https://utix.io/)\n\nUtix provides rewards in ETH. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nUtix adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__Known Issue Assurance__\n\nUtix commits to providing Known Issue Assurance to bug submissions through their program. This means that Utix will either disclose known issues publicly or at the very least privately via a self-reported bug submission in order to allow for a more objective and streamlined mediation process to prove that an issue is known. 
Otherwise, assuming the bug report itself is valid, it would result in the bug report being considered in-scope and due 100% of the reward with respect to the bug bounty program terms. \n\n__Immunefi Standard Badge__\n\nUtix has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"Utix","projectType":null,"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 25% of the funds directly affected up to a maximum of USD 500 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 25 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.   \nThere are currently 800 000 USD locked in the smart contract and a minimum payout of 25,000 USD will be provided if 25% of the funds can be successfully recovered. 
The payout amount will be scaled up proportionally to 500,000 USD for 100% recovery of the funds.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract - Critical - PoC Required\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Utix team directly and are denominated in USD. However, payments are done in ETH. \n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability. 
For avoidance of doubt, if the reward amount is USD 5 000 and the average price is USD 1.75 per token, then the reward will be 2857.142857 units of that token.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ETH","slug":"utix","updatedDate":"2025-01-24T16:07:08.781Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"UTIX is a decentralized, event hosting and e-ticketing platform that utilizes blockchain based smart contracts to bring control to the community.\n\n\nThe main purpose of this bug bounty program is to help identify a way to unlock funds that are stuck in our smart contract.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To 
Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4341,"type":"smart_contract","severity":"critical","title":"Unlocking stuck funds"}],"rewards":[{"id":11515,"severity":"critical","assetType":"smart_contract","fixedReward":500000,"rewardModel":"fixed","rewardCalculationPercentage":25}],"audits":[]},{"assets":[{"id":"2tymwAGHt0tt4BBGvDPqJV","url":"https://explorer.mantle.xyz/address/0xbee335BB44e75C4794a0b9B54E8027b111395943","type":"smart_contract","addedAt":"2024-12-20T14:29:38.122Z","revision":1,"description":"FireBridge","isPrimacyOfImpact":null},{"id":"47CHkxhQ7rwJeptcGXDauK","url":"https://explorer.mantle.xyz/address/0x80b534D4bB3D809FbDA809DCB26D3f220634AED7","type":"smart_contract","addedAt":"2024-12-20T14:29:51.046Z","revision":1,"description":"Minter","isPrimacyOfImpact":null},{"id":"3GG9Y239IK92j27LdPlJhz","url":"https://explorer.mantle.xyz/address/0xC96dE26018A54D51c097160568752c4E3BD6C364","type":"smart_contract","addedAt":"2024-12-20T14:30:02.841Z","revision":1,"description":"FToken","isPrimacyOfImpact":null},{"id":"2JlzFVSF5dRcFcuSlFmcdA","url":"https://explorer.mantle.xyz/address/0xd12D39E682715a40dbC860fa07F02bF48841294e","type":"smart_contract","addedAt":"2024-12-20T14:30:13.630Z","revision":1,"description":"FeeModel","isPrimacyOfImpact":null},{"id":"46WuxgXxeFgze2EZ4h3Jep","url":"https://explorer.mantle.xyz/address/0x09e4c43eD89E5972df026d94FdA3a7680637c59A","type":"smart_contract","addedAt":"2024-12-20T14:30:24.986Z","revision":1,"description":"GovernorModule","isPrimacyOfImpact":null},{"id":"74KhaGuoVFR8kZn8EPknwn","url":"https://explorer.mantle.xyz/address/0x4697F9b54Bf24776b81f42A5E2Da81FBA3763bA4?tab=contract","type":"smart_contract","addedAt":"2024-12-20T14:31:00.412Z","revision":1,"description":"Factory 
Contract","isPrimacyOfImpact":null},{"id":"71WEoWX0vMox1dA7Jhz1kQ","url":"https://etherscan.io/address/0xbee335BB44e75C4794a0b9B54E8027b111395943","type":"smart_contract","addedAt":"2024-12-20T14:31:11.706Z","revision":1,"description":"FireBridge","isPrimacyOfImpact":null},{"id":"4csGUqWhfr6LXj1qo8mYFK","url":"https://etherscan.io/address/0x80b534D4bB3D809FbDA809DCB26D3f220634AED7","type":"smart_contract","addedAt":"2024-12-20T14:31:23.855Z","revision":1,"description":"Minter","isPrimacyOfImpact":null},{"id":"5kMgweah1dJ4Hi1IIeKjXS","url":"https://etherscan.io/address/0xC96dE26018A54D51c097160568752c4E3BD6C364","type":"smart_contract","addedAt":"2024-12-20T14:31:35.126Z","revision":1,"description":"FToken","isPrimacyOfImpact":null},{"id":"4eddAgkXjrmkEwIhSpeUMk","url":"https://etherscan.io/address/0xd12D39E682715a40dbC860fa07F02bF48841294e","type":"smart_contract","addedAt":"2024-12-20T14:31:49.380Z","revision":1,"description":"FeeModel","isPrimacyOfImpact":null},{"id":"2MiClQbKc0fIZRISGbS6fG","url":"https://etherscan.io/address/0x09e4c43eD89E5972df026d94FdA3a7680637c59A","type":"smart_contract","addedAt":"2024-12-20T14:32:09.175Z","revision":1,"description":"GovernorModule","isPrimacyOfImpact":null},{"id":"6RyTtHKdWwGqCRpzsI7YiT","url":"https://etherscan.io/address/0x722b9348712418469DD6bb6c92C2560072537584","type":"smart_contract","addedAt":"2024-12-20T14:32:22.697Z","revision":1,"description":"Factory 
Contract","isPrimacyOfImpact":null},{"id":"2OfVCJlW0aIyTlXGrEnbVp","url":"https://bscscan.com/address/0xbee335BB44e75C4794a0b9B54E8027b111395943","type":"smart_contract","addedAt":"2024-12-20T14:32:34.519Z","revision":1,"description":"FireBridge","isPrimacyOfImpact":null},{"id":"1Pc2rz28wcPFISRiBCyBgk","url":"https://bscscan.com/address/0x80b534D4bB3D809FbDA809DCB26D3f220634AED7","type":"smart_contract","addedAt":"2024-12-20T14:33:17.471Z","revision":1,"description":"Minter","isPrimacyOfImpact":null},{"id":"XitsR7wtEt3i000Pgvre0","url":"https://bscscan.com/address/0xC96dE26018A54D51c097160568752c4E3BD6C364","type":"smart_contract","addedAt":"2024-12-20T14:33:28.564Z","revision":1,"description":"FToken","isPrimacyOfImpact":null},{"id":"7k3uHc3pVP4y2TybMVV9Re","url":"https://bscscan.com/address/0x84cFc251F9cC8B2cf9cc1D6EaB3D2bEAA2C128F5","type":"smart_contract","addedAt":"2024-12-20T14:33:41.217Z","revision":1,"description":"FeeModel","isPrimacyOfImpact":null},{"id":"6evPVGYCOGEXbjB3xNu7mi","url":"https://bscscan.com/address/0x09e4c43eD89E5972df026d94FdA3a7680637c59A","type":"smart_contract","addedAt":"2024-12-20T14:33:55.078Z","revision":1,"description":"GovernorModule","isPrimacyOfImpact":null},{"id":"6DqIU0MRlDiFf1o2GkVwhE","url":"https://bscscan.com/address/0x0Ed3bb37CD17d17bD18dB0D36558D57520D76292#code","type":"smart_contract","addedAt":"2024-12-20T14:34:08.629Z","revision":1,"description":"Factory 
Contract","isPrimacyOfImpact":null},{"id":"1OMODP0lYbmDvyk0CTLalI","url":"https://arbiscan.io/address/0xbee335BB44e75C4794a0b9B54E8027b111395943#code","type":"smart_contract","addedAt":"2024-12-20T14:34:22.563Z","revision":1,"description":"FireBridge","isPrimacyOfImpact":null},{"id":"2M2wtNnbC1BJDTYhssmAi2","url":"https://arbiscan.io/address/0x80b534D4bB3D809FbDA809DCB26D3f220634AED7","type":"smart_contract","addedAt":"2024-12-20T14:34:54.026Z","revision":1,"description":"Minter","isPrimacyOfImpact":null},{"id":"1aj773bhN4vMhP7f5qVmRh","url":"https://arbiscan.io/address/0xC96dE26018A54D51c097160568752c4E3BD6C364","type":"smart_contract","addedAt":"2024-12-20T14:35:05.864Z","revision":1,"description":"FToken","isPrimacyOfImpact":null},{"id":"4jKwOZRtbPqnyLvEAadDPI","url":"https://arbiscan.io/address/0x84cFc251F9cC8B2cf9cc1D6EaB3D2bEAA2C128F5","type":"smart_contract","addedAt":"2024-12-20T14:35:17.432Z","revision":1,"description":"FeeModel","isPrimacyOfImpact":null},{"id":"6Kalg2vf09loBGc50AThVE","url":"https://arbiscan.io/address/0x0d771823c72CcCa4D74695934d5a346938914547","type":"smart_contract","addedAt":"2024-12-20T14:35:34.416Z","revision":1,"description":"GovernorModule","isPrimacyOfImpact":null},{"id":"177YFdMvVjaz3P6nsvFOeI","url":"https://arbiscan.io/address/0x0Ed3bb37CD17d17bD18dB0D36558D57520D76292#code","type":"smart_contract","addedAt":"2024-12-20T14:36:55.709Z","revision":1,"description":"Factory 
Contract","isPrimacyOfImpact":null},{"id":"5115IISXjHyamsnozOq7LY","url":"https://explorer.gobob.xyz/address/0xbee335BB44e75C4794a0b9B54E8027b111395943","type":"smart_contract","addedAt":"2024-12-20T14:37:08.863Z","revision":1,"description":"FireBridge","isPrimacyOfImpact":null},{"id":"1fR5KFICFEXjf8t93u9uRL","url":"https://explorer.gobob.xyz/address/0x80b534D4bB3D809FbDA809DCB26D3f220634AED7","type":"smart_contract","addedAt":"2024-12-20T14:37:20.633Z","revision":1,"description":"Minter","isPrimacyOfImpact":null},{"id":"6FBxnet3WgLj25DhaAUjQO","url":"https://explorer.gobob.xyz/address/0xC96dE26018A54D51c097160568752c4E3BD6C364","type":"smart_contract","addedAt":"2024-12-20T14:37:32.774Z","revision":1,"description":"FToken","isPrimacyOfImpact":null},{"id":"6F6IOKW6yexT5OG4mUV8O1","url":"https://explorer.gobob.xyz/address/0x84cFc251F9cC8B2cf9cc1D6EaB3D2bEAA2C128F5","type":"smart_contract","addedAt":"2024-12-20T14:37:45.646Z","revision":1,"description":"FeeModel","isPrimacyOfImpact":null},{"id":"bo7jcx9BSlBAvOZuvOETO","url":"https://explorer.gobob.xyz/address/0x0d771823c72CcCa4D74695934d5a346938914547","type":"smart_contract","addedAt":"2024-12-20T14:37:57.488Z","revision":1,"description":"GovernorModule","isPrimacyOfImpact":null},{"id":"7Gl2YKMMTkVqDQy7wEnkvi","url":"https://explorer.gobob.xyz/address/0xdDf20C1A73A2bCa6ad4D877EFe7c9029Ff82a37B","type":"smart_contract","addedAt":"2024-12-20T14:38:11.012Z","revision":1,"description":"Factory 
Contract","isPrimacyOfImpact":null},{"id":"4hywWwP0T6u0Eqzga2HTsd","url":"https://basescan.org/address/0x80b534d4bb3d809fbda809dcb26d3f220634aed7","type":"smart_contract","addedAt":"2024-12-20T14:38:29.677Z","revision":1,"description":"Minter","isPrimacyOfImpact":null},{"id":"10bdhJgEMyiN1Va1PUh7yG","url":"https://basescan.org/address/0xc96de26018a54d51c097160568752c4e3bd6c364","type":"smart_contract","addedAt":"2024-12-20T14:38:44.371Z","revision":1,"description":"FToken","isPrimacyOfImpact":null},{"id":"2xSOjB0SaEa7qtsF451Rgb","url":"https://basescan.org/address/0x84cFc251F9cC8B2cf9cc1D6EaB3D2bEAA2C128F5","type":"smart_contract","addedAt":"2024-12-20T14:38:57.171Z","revision":1,"description":"FeeModel","isPrimacyOfImpact":null},{"id":"4UqJ88aKfxbW4c5jOSa3cV","url":"https://basescan.org/address/0x0d771823c72ccca4d74695934d5a346938914547","type":"smart_contract","addedAt":"2024-12-20T14:39:12.451Z","revision":1,"description":"GovernorModule","isPrimacyOfImpact":null},{"id":"2cUs8mekVJuTDqL8AKbdtp","url":"https://basescan.org/address/0x26D4a08Ed364Cf07142127aeC202Df910aB33455","type":"smart_contract","addedAt":"2024-12-20T14:39:24.412Z","revision":1,"description":"Factory 
Contract","isPrimacyOfImpact":null},{"id":"6cCXwCGfy8s8qcw3GFlya5","url":"https://basescan.org/address/0xbee335bb44e75c4794a0b9b54e8027b111395943","type":"smart_contract","addedAt":"2024-12-20T14:39:36.066Z","revision":1,"description":"FireBridge","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":["Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2024-12-19T19:46:46.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/0HsOMFTI5wCKiK3qWsupo/f4a32361884fef795964414549b32902/fbtc.png","maxBounty":100000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"FBTC’s codebase can be found at  https://github.com/fbtc-com. Documentation and further resources can be found on https://docs.fbtc.com/.","productType":["Asset Management"],"programOverview":"FBTC is a decentralized protocol that enables the seamless transfer and management of Bitcoin (BTC) across various blockchain networks. By leveraging advanced cryptographic techniques and decentralized governance, FBTC ensures the security, efficiency, and interoperability of BTC assets within the broader blockchain ecosystem.\n\nFor more information about FBTC, please visit https://fbtc.com/\n\nFBTC provides rewards in USDC/USDT on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.\n\nFBTC’s completed audit reports can be found at https://github.com/fbtc-xyz/fbtc-contract/tree/main/audits. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","programType":["Smart Contract"],"project":"FBTC","projectType":null,"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack is eligible for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 10 000 to USD 25 000 depending on the funds at risk, capped at USD 25 000.  
\n\n\n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up to the maximum high reward cap of USD 25 000. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC/USDT","slug":"fbtc","tenPercentEconomicRule":false,"updatedDate":"2025-01-24T16:06:02.886Z","impactsBody":null,"websiteUrl":"https://fbtc.com/","githubUrl":"https://github.com/fbtc-com","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"FBTC is a decentralized protocol that enables the seamless transfer and management of Bitcoin (BTC) across various blockchain networks. By leveraging advanced cryptographic techniques and decentralized governance, FBTC ensures the security, efficiency, and interoperability of BTC assets within the broader blockchain ecosystem.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"id":11511,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11512,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":10000,"rewardModel":"range"},{"id":11513,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":11514,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[{"id":"4GFxn6JbaZjIcWuKTuW1Z8","url":"https://github.com/fbtc-xyz/fbtc-contract/tree/main/audits","auditor":"All Audits","date":"2024-12-20"}]},{"assets":[{"id":"4AeKNyL1tDmIJk1QEdZgGl","url":"https://etherscan.io/address/0x1d7f221965e68475d44d1a8357f3211799b55e24","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Vault 
Implementation","isPrimacyOfImpact":null},{"id":"1oFWay3YBbe37QmsXcDBha","url":"https://etherscan.io/address/0x15f7f910e5a8c86e609fd11c58f7342d86d3a25c","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultUpgradeableBeacon","isPrimacyOfImpact":null},{"id":"y7S69nW0GWFQxp4Wi39Qq","url":"https://etherscan.io/address/0xEEEBc7537717a39b747015FEaE221C1F069daE0b","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"ConnectorRegistry","isPrimacyOfImpact":null},{"id":"2pq5Xy8L2rOfheYk6JpHIt","url":"https://etherscan.io/address/0xA59a98872393BE8410C42f8EED13821fa85A32a1","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultFactory","isPrimacyOfImpact":null},{"id":"40gLmgfE04iFqbDgEaVwzU","url":"https://etherscan.io/address/0x0D97Fa6C8F668E98C1ED9f6bB9Ec6d245d11DF41","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"AaveV3Connector","isPrimacyOfImpact":null},{"id":"49joWptwaf0APcvDQWfRpU","url":"https://etherscan.io/address/0xF259CF58d4ddc9E3C8AbEA3EEBA5710db3F71045","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"CompoundV3Connector","isPrimacyOfImpact":null},{"id":"4qX67N3R4MbyPluSmq1teW","url":"https://etherscan.io/address/0x08f80358Ce68363Ec06304cE667F1727246C852D","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"CompoundV3MarketRegistry","isPrimacyOfImpact":null},{"id":"6WNBD5cXbbGnjmpPFnXGou","url":"https://etherscan.io/address/0xb569824646a31fc950abe23B150d020c38B59D26","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"SDAIConnector","isPrimacyOfImpact":null},{"id":"5rvJZEXvjKaPhHD6ZjthgR","url":"https://etherscan.io/address/0xF4918Ef824a242602E0d3e5DB07fFd4DaC4ad3Ea","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Bitcoin.com Spark DAI 
vault","isPrimacyOfImpact":null},{"id":"FMuTol5PufxV7HvEnHXyt","url":"https://bscscan.com/address/0x59d323355F4b257097e041C4776b7492Ed294Ea4","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Vault Implementation","isPrimacyOfImpact":null},{"id":"qXWuwJSJWwsCgbTHPcgjT","url":"https://bscscan.com/address/0x50006F2C5C914cEF560ceeD7686f038480199202","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultUpgradeableBeacon","isPrimacyOfImpact":null},{"id":"6dTZlfquiJPO8V4OGmnKd3","url":"https://bscscan.com/address/0xdaAd68A24d658F8e123b8620Fd8249C340749eCf","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"ConnectorRegistry","isPrimacyOfImpact":null},{"id":"2AmP60wiyY3A1vsackWhML","url":"https://bscscan.com/address/0x004074879Bc69E9B95084580A6Cc132a19b7A3Ac","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultFactory","isPrimacyOfImpact":null},{"id":"1yhYF13I1e6GpwcOIgD5Dn","url":"https://bscscan.com/address/0x124d426898eF174aa8D23f548fCfd13c34F91D2B","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"AaveV3Connector","isPrimacyOfImpact":null},{"id":"6VSjkVfgbdVL9uHB7IvQxk","url":"https://bscscan.com/address/0x4d1806C26A728f2e1b82b4549b9E074DBE5940B9","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Cool Wallet AaveV3 USDT","isPrimacyOfImpact":null},{"id":"3y6FV1LCK70X907Vh6sZdv","url":"https://arbiscan.io/address/0x55Ee64c446c44e2bDcbD4242341D4a5A2DD61034","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Vault 
Implementation","isPrimacyOfImpact":null},{"id":"2tEfy0eXPwTZZv8noZ55mP","url":"https://arbiscan.io/address/0xB03DDF4375E879B8E3bc240527bc55988c975ac4","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultUpgradeableBeacon","isPrimacyOfImpact":null},{"id":"3w0CKWVGZD7admqeVYknsc","url":"https://arbiscan.io/address/0x75df468D9Aa3438cd12d98606Bb71B73145e9972","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"ConnectorRegistry","isPrimacyOfImpact":null},{"id":"3kpEnd9iBnFAHmzL5iN4Cj","url":"https://arbiscan.io/address/0xd717eDe67EE3c5cAf385E392f2176c320E06Dd9d","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultFactory","isPrimacyOfImpact":null},{"id":"Q02mn28S7e0GQTs0m1GXQ","url":"https://arbiscan.io/address/0x431ed6d951c0d97d9b33fb5e26bc589d75c3d05d","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"AaveV3Connector","isPrimacyOfImpact":null},{"id":"3xuOKUL5HUKLgxHk9RsqX9","url":"https://arbiscan.io/address/0x0F3Fa73dcF101F328AbFdD9176Cd11a16BD7bc16","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"CompoundV3Connector","isPrimacyOfImpact":null},{"id":"61OIpLlWz1x5fbZGEW6mXh","url":"https://arbiscan.io/address/0x9cb057f462BBd076E5dD30C5f5d5dfa97ab006D3","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"CompoundV3MarketRegistry","isPrimacyOfImpact":null},{"id":"1jdnklR54eZcadnJHiROL1","url":"https://arbiscan.io/address/0x19A0F016Ac3989e754ab8216810beD8503bDA37e","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Bitnovo Compound v3 USDC","isPrimacyOfImpact":null},{"id":"6fEmQ1yTGCxGFjRBGJyJwj","url":"https://polygonscan.com/address/0xD04a891b7d4c42f51FCF6e88e47800dAec5B0CbF","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Vault 
Implementation","isPrimacyOfImpact":null},{"id":"4fkCzXpcJgjutkvLuE7dpF","url":"https://polygonscan.com/address/0x89312A13D978820F15bC9414ef6ec9cC004C5D1f","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultUpgradeableBeacon","isPrimacyOfImpact":null},{"id":"4othKF6GtZ5QwdDqHKYQPy","url":"https://polygonscan.com/address/0xB55BCCcc4837FD5E960944cf2828e202deBF0891","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"ConnectorRegistry","isPrimacyOfImpact":null},{"id":"79xffge8dOI1tihzDSydGT","url":"https://polygonscan.com/address/0x8cC927d0CFb6F9ddC4E6d20f5e5d23E8162eA602","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultFactory","isPrimacyOfImpact":null},{"id":"5ILbbN8YxfoZbTWf63LMEV","url":"https://polygonscan.com/address/0xa85aa46892D9a0087B59883F417bF23C3Ab4c920","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"AaveV3Connector","isPrimacyOfImpact":null},{"id":"1mbw66fisp4eJTOSTXnrcZ","url":"https://polygonscan.com/address/0x03441c89e7b751bb570f9dc8c92702b127c52c51","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Cool Wallet AaveV3 USDT","isPrimacyOfImpact":null},{"id":"1QKqehIrP7JEdYeV49VhdY","url":"https://optimistic.etherscan.io/address/0x4094fc930CcFe3fc3A9369BE7335467dac8b20fa","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Vault 
Implementation","isPrimacyOfImpact":null},{"id":"fV5rLn6sCmWMEfm54JAlx","url":"https://optimistic.etherscan.io/address/0xE1CacE168150265E1b1bC6E9c1636B747928a1D8","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultUpgradeableBeacon","isPrimacyOfImpact":null},{"id":"3mwSGusoouwl801eiTSL0i","url":"https://optimistic.etherscan.io/address/0x30cD15434d0d979b75ACe5116199d26623F6A804","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"ConnectorRegistry","isPrimacyOfImpact":null},{"id":"yDZtqE2cUsqroNpB6HImP","url":"https://optimistic.etherscan.io/address/0xC65f4f4E6eFaeB68F900B90AfB00bF9D5A71D102","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"VaultFactory","isPrimacyOfImpact":null},{"id":"3bCDSou5gxY2j5fpKpdS6r","url":"https://optimistic.etherscan.io/address/0x35a60d4bDeedb3d6103ae1521cd985C649D81297","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"AaveV3Connector","isPrimacyOfImpact":null},{"id":"7LiNG8rWh86MFH47EHDMUV","url":"https://optimistic.etherscan.io/address/0xb9ebff375d5eade50ed561f611754902f70e34cf","type":"smart_contract","addedAt":"2024-09-25T18:09:33.000Z","revision":1,"description":"Dakota AAVE v3 USDC","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","BSC","Optimism","Polygon","Base","Linea"],"endDate":null,"evaluationEndDate":null,"features":["Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Go","Typescript","Solidity","Python","C/C++"],"launchDate":"2024-09-25T18:09:33.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2rN68srCOESswyxdwjzdRM/90ac006b52d632dc6f51d60ea3122922/Kiln_Defi.png","maxBounty":500000,"pocPerTypeAndSeverity":["smart_contract - 
critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities are prioritized based on severity and impact.","productType":["Staking","Services"],"programOverview":"Kiln DeFi enables non-custodial platforms to propose DeFi yield products (like lending supply or rwa distributor) where users can deposit any amount of ERC20 on a vault while remaining the only one able to access their staked assets.\n\nThe goal of these EVM Smart Contracts is to enable:\n\n- Users to deposit to supported protocols with a common 4626 interface\n- Enable Integrators, and any third parties enabled by the integrator to have a fee on the rewards generated or on the deposit, dispatched on-chain\n\nThis Bug Bounty is focused on Kiln DeFi Smart Contracts only, all items regarding dApps or indexing / reporting stacks are out of scope but can be submitted at security@kiln.fi. \n\nFor more information about Kiln DeFi, please visit [https://www.kiln.fi/defi](https://www.kiln.fi/defi)\n\nOther bug bounty programs on Kiln On-Chain v1 (dedicated staking), Kiln On-Chain v2 (pooled staking)  are available and under their own bug bounty scope, bounties and rules.\n\nKiln provides rewards in __USDC__ on __Ethereum__, denominated in __USD__. For more details about the payment process, please view the __Rewards by Threat Level__ section.\n\n__KYC Requirement__\n\nKiln will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- If the claim comes from an individual:\n   - The first names, surnames, date and place of birth of the person concerned\n   - A Valid ID\n- If the claim comes from a business:\n   - Legal form, name, registration number and address of the registered office\n   - Valid certificate of incorporation\n   - List of shareholders/directors\n\nKYC information is only required on confirmation of the validity of a bug report.   
\n\n__Primacy of Impact vs Primacy of Rules__\n\nKiln adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- that newly created vaults can be griefed if they have a decimalOffset = 0 and attackers inflate the shares (can only happen on fresh instances so no real impact)\n- that it is theoretically possible to sandwich calls to claimAdditionalRewards() to capture the share value increase (prevented by private mempool + not really profitable)\n\n__Previous Audits__\n\nKiln’s completed audit reports can be found at [https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b](https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Kiln has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).\n\n__Responsible Disclosure Clause:__\n\nResearchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:\n\n1. 
Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.\n2. Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.\n3. During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.\n4. After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.\n5. The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.\n6. If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln.\n7. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.\n\nCompliance with this responsible disclosure clause is a condition for receiving the bug bounty reward. Failure to adhere to these terms may result in forfeiture of the reward and potential legal action.\n\n__Other Terms and Information__\n\n- This bug bounty program will have a hard cap of __USDC 1 000 000__. In the event that multiple bug reports are submitted that exceed this amount, the rewards will be provided on a first come first served basis. The last bounty will be paid up to the remaining amount of the program even if the bounty amount is larger.\n- The administrator roles (admin, proxy admin, hatcher admin, treasury, oracles etc.) are trusted to behave properly and in the best interest of the users. They should not be considered as malicious.  
Reports taking this assumption will be considered invalid.","programType":["Smart Contract"],"project":"Kiln DeFi","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 500 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 100 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n- For Critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 20 000 to USD 50 000 depending on the funds at risk, capped at the maximum high reward.  
\n\n- For High Smart Contract vulnerabilities that result in direct theft or permanent freezing of unclaimed yield, or the temporary freezing of unclaimed yield for more than 2 days (oracle timing should not be taken into account in this delay), the reward amount will be capped at 100% of the funds affected, up to a maximum of USD 50 000.  However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.   \n\n__Reward Calculation for Medium Level Reports__\n\nFor Medium Smart Contract bugs, the reward amount is 10% of the commission funds directly affected up to a maximum of USD 20 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 5 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Kiln team directly and are denominated in __USD__. However, payments are done in __USDC__ on __Ethereum__","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"kiln-defi","tenPercentEconomicRule":false,"updatedDate":"2025-01-24T15:57:53.798Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_3","description":"Kiln DeFi enables non-custodial platforms to propose DeFi yield products (like lending supply or rwa distributor) where users can deposit any amount of ERC20 on a vault while remaining the only one able to access their staked assets.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":5150,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds (> 2 days without taking into account possible oracle delay)"},{"id":5151,"type":"smart_contract","severity":"medium","title":"Direct theft of any commission, whether at-rest or in-motion"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":11504,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11505,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":20000,"rewardModel":"range"},{"id":11506,"severity":"medium","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"456TV1KioqWqOjH5rWUidW","url":"https://etherscan.io/address/0xA8A3A5013104e093245164eA56588DBE10a3Eb48","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/BoringVault.sol (ssETH Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"3pzXk5B1ibb4fS5RLa6QRz","url":"https://etherscan.io/address/0x6035832F65b0cf20064681505b73A6dE307a04cB","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/AccountantWithRateProviders.sol (ssETH Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"1Y5UnIHG2NfHs3263Zw6Os","url":"https://etherscan.io/address/0xCaF6FC6BAb79A32a1169Cb6A35bFa1d6B8551Bd2","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/ManagerWithMerkleVerification.sol (ssETH Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"739bJCz7xJOTCKpdQULu6H","url":"https://etherscan.io/address/0x97D0B97A9FA017f8aD2565a5c6AED5745f3918b9","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/CrossChain/MultiChainLayerZeroTellerWithMultiAssetSupport.sol (ssETH 
Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"5brTfLYR0Y8m3iRdoymj7v","url":"https://etherscan.io/address/0x6cDD5833285bf954957a9483b869B36BD5A26277","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"RolesAuthority.sol (ssETH Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"43R2Oinqci318980yHadmc","url":"https://seitrace.com/token/0x9fAaEA2CDd810b21594E54309DC847842Ae301Ce?chain=pacific-1","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/BoringVault.sol (seiyanETH Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"7vsRuvOGtlreNcZRsMYZFC","url":"https://seitrace.com/token/0x24152894Decc7384b05E8907D6aDAdD82c176499?chain=pacific-1","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/AccountantWithRateProviders.sol (seiyanETH Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"6kKAbvwqqXPNH77UtqsH3Z","url":"https://seitrace.com/token/0x9B99d4584a3858C639F94fE055DB9E94017fE009?chain=pacific-1","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/ManagerWithMerkleVerification.sol (seiyanETH Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"2bQdmu6eGDvxJJeo835YFG","url":"https://seitrace.com/token/0xB52C7d88F0514796877B04cF945E56cC4C66CD05?chain=pacific-1","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/CrossChain/MultiChainLayerZeroTellerWithMultiAssetSupport.sol (seiyanETH Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"1yw3YQGZO5o0PzJCgjQYH1","url":"https://seitrace.com/token/0xEfD9931eD35820C88196351E132421f5917736bE?chain=pacific-1","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"RolesAuthority.sol (seiyanETH 
Mainnet&Sei)","isPrimacyOfImpact":null},{"id":"1OM0E9Cg8elgL2hBJ5Yl8f","url":"https://etherscan.io/address/0x19e099B7aEd41FA52718D780dDA74678113C0b32","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/BoringVault.sol (tETH Mainnet)","isPrimacyOfImpact":null},{"id":"qDrdgDJnK9OFGuDIWry0Q","url":"https://etherscan.io/address/0x8c1902A5996978F2628558DD93d309F7e3926dfD","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/AccountantWithRateProviders.sol (tETH Mainnet)","isPrimacyOfImpact":null},{"id":"7JwnfWOQavOp5VH15m9pBL","url":"https://etherscan.io/address/0xf875dEe4e500ab850369fa9c9F6a8296B912c598","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/ManagerWithMerkleVerification.sol (tETH Mainnet)","isPrimacyOfImpact":null},{"id":"5igKnq9Z9GGjMmx9micq9W","url":"https://etherscan.io/address/0x6Ae187EacF40ebd1e571a655dB92A1f47452E0Bf","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/TellerWithMultiAssetSupport.sol (tETH Mainnet)","isPrimacyOfImpact":null},{"id":"1EWkMxyI4ckGjWNengJBiD","url":"https://etherscan.io/address/0x56Db310194Afd0Eb6A2eC7Dc463d4c727b48CAE2","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/helper/WarpRouteWrapper.sol (tETH Mainnet)","isPrimacyOfImpact":null},{"id":"23PFHjyWR9C5B45Ac2TFUh","url":"https://etherscan.io/address/0xa9220c99Bf3620Ac7e6F0Ff1cbde410635Fb87Fa","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"RolesAuthority.sol (tETH Mainnet)","isPrimacyOfImpact":null},{"id":"2vXYrdPffY6uKZ4S85SVTQ","url":"https://etherscan.io/address/0x9Ed15383940CC380fAEF0a75edacE507cC775f22","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/BoringVault.sol (earnETH 
Mainnet)","isPrimacyOfImpact":null},{"id":"7uhnVEmrqq4gqcyLA0ZWhe","url":"https://etherscan.io/address/0x411c78BC8c36c3c66784514f28c56209e1DF2755","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/AccountantWithRateProviders.sol (earnETH Mainnet)","isPrimacyOfImpact":null},{"id":"1CpnA0Ba4Hs17RTEbo7qdd","url":"https://etherscan.io/address/0x69FC700226E9e12D8c5E46a4b50A78efB64F50C0","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/ManagerWithMerkleVerification.sol (earnETH Mainnet)","isPrimacyOfImpact":null},{"id":"35f52v65aTGZecQ0rl1Vpw","url":"https://etherscan.io/address/0x685aDb4797fb38D4Fc4a69750aa048B398160429","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/TellerWithMultiAssetSupport.sol (earnETH Mainnet)","isPrimacyOfImpact":null},{"id":"2gEAGHnx0b66zDhGh0XkNs","url":"https://etherscan.io/address/0x1F5dddF627C3796a589c6271b36A570f18d3a016","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"RolesAuthority.sol (earnETH Mainnet)","isPrimacyOfImpact":null},{"id":"3sCA1uY25FLOS31GYsAY8K","url":"https://etherscan.io/address/0x6C587402dC88Ef187670F744dFB9d6a09Ff7fd76","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/BoringVault.sol (FETH Mainnet)","isPrimacyOfImpact":null},{"id":"6kQm6vqn3cnp8KqRk2WYBe","url":"https://etherscan.io/address/0x8ca1d13De3039142186aA57656Adbe0fD2620D2B","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/AccountantWithRateProviders.sol (FETH Mainnet)","isPrimacyOfImpact":null},{"id":"1hgHqQeN8QpUk1gEK2oUry","url":"https://etherscan.io/address/0xb010a69AC77C3ef3Ee4B6Fe58326B2579882BF67","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/ManagerWithMerkleVerification.sol (FETH 
Mainnet)","isPrimacyOfImpact":null},{"id":"6iB2XSQIgMqX3hgqnyepMT","url":"https://etherscan.io/address/0xd567b6D8e9C95d8a29e60018156becaBDC63E851","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/TellerWithMultiAssetSupport.sol (FETH Mainnet)","isPrimacyOfImpact":null},{"id":"2QxYaHWzIww79o9xeoT51F","url":"https://etherscan.io/address/0x1f10E54Fe0223752B3DcFDfD5A3377A93dd724B3","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"RolesAuthority.sol (FETH Mainnet)","isPrimacyOfImpact":null},{"id":"1XR5CAT0bSzLsiLMJa2ZPK","url":"https://etherscan.io/address/0x196ead472583bc1e9af7a05f860d9857e1bd3dcc","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/BoringVault.sol (unifiETH Mainnet)","isPrimacyOfImpact":null},{"id":"3pcnCnXmj34zZBRp17wO5D","url":"https://etherscan.io/address/0xa9fb7e2922216debe3fd5e1bbe7591ee446dc21c","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/AccountantWithRateProviders.sol (unifiETH Mainnet)","isPrimacyOfImpact":null},{"id":"6rHAnIeAKJMKcf8I4JOjmx","url":"https://etherscan.io/address/0xe31fb4471dce722fe79f432e7f4b59417190ad98","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/ManagerWithMerkleVerification.sol (unifiETH Mainnet)","isPrimacyOfImpact":null},{"id":"1UuRaa7rF28TrK9N59fEsi","url":"https://etherscan.io/address/0x08eb2eccdf6ebd7aba601791f23ec5b5f68a1d53","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"src/base/Roles/TellerWithMultiAssetSupport.sol (unifiETH Mainnet)","isPrimacyOfImpact":null},{"id":"1AsRLFPodrxHnydJxnFED0","url":"https://etherscan.io/address/0x11eb44ddcc14b8ec4b4b9d6b3324c1ee00179a7d","type":"smart_contract","addedAt":"2024-12-05T14:58:00.000Z","revision":1,"description":"RolesAuthority.sol (unifiETH 
Mainnet)","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Sei"],"endDate":null,"evaluationEndDate":null,"features":["Subscription Plan: Essential","Arbitration"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-12-05T14:58:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2qCwSDuVU4ePltEqcJE5cc/73041be9b5fc4d3993c94d4574dcfb93/Nucleus.png","maxBounty":500000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities are prioritised according to impact and severity.","productType":["Crosschain Liquidity","Yield Aggregator"],"programOverview":"Nucleus is the default yield provider for networks. Nucleus stands to revolutionize the way users interact with networks by removing the opportunity costs of exploring new ecosystems via embedding yield for all users at the network layer.\n\nNucleus enables networks to create a new yield generating primitive at the base of a network’s ecosystem. Users are able to generate yield by default on a wide variety of assets by bridging supported assets to the network. 
These assets will allow users to earn more while exploring all of the unique applications in the network’s ecosystem.\n\nNucleus's mission is to enable yield by default in every network in the crypto ecosystem to further empower the builders, users, and infrastructure within them.\n\nFrom a security perspective, the contracts are different from traditional vault standards in that they combine offchain actors with on-chain constraints—giving offchain entities specific permissions to maintain exchange rates and to manage the vaults’ liquidity—allowing the vault to operate with more compute and maintain state across multiple chains while safeguarding the depositors from malicious behavior. This design decision can be found throughout the codebase.\n\nFor more information about Nucleus, please visit https://www.nucleusearn.io/\n\nNucleus provides rewards in USDC on ETH, denominated in USD. For more details about the payment process, please view the __Rewards by Threat Level__ section.\n\n__Eligibility Criteria__\n\n- Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list \n- An official contributor, past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nNucleus adheres to **category 3 - Approval Required**. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our [Responsible Publication](https://immunefi.com/responsible-publication/) page.\n\n__Primacy of Impact vs Primacy of Rules__\n\nNucleus adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. 
\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Previous Audits__\n\nNucleus’s completed audit reports can be found at https://docs.nucleusearn.io/security/audits. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Nucleus has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"Nucleus","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. 
\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD $500,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $25,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of [minimum high]to[maximum high] depending on the funds at risk, capped at the maximum high reward.  \n- In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. 
Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Nucleus team directly and are denominated in USD. However, payments are done in USDC on ETH.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"nucleus","tenPercentEconomicRule":true,"updatedDate":"2025-01-22T15:06:11.937Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block 
stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"id":11269,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":11270,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":10000,"rewardModel":"range"},{"id":11271,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":2500,"rewardModel":"range"},{"id":11272,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"2txcdHJh31vEpTJMJgVEI2","url":"https://github.com/jito-foundation/restaking/tree/master/restaking_core","type":"smart_contract","addedAt":"2024-11-04T10:00:41.000Z","revision":1,"description":"Restaking Core [1009]","isPrimacyOfImpact":null},{"id":"1FCy4bgRb52ybWj9g6eWds","url":"https://github.com/jito-foundation/restaking/tree/master/restaking_program","type":"smart_contract","addedAt":"2024-11-04T10:00:41.000Z","revision":1,"description":"Restaking Program [1370]","isPrimacyOfImpact":null},{"id":"1sQxZZYIFp1uZW3spcXZtB","url":"https://github.com/jito-foundation/restaking/tree/master/vault_core","type":"smart_contract","addedAt":"2024-11-04T10:00:41.000Z","revision":1,"description":"Vault Core [3356]","isPrimacyOfImpact":null},{"id":"5gZofwMN0kBZO5jzkWJr26","url":"https://github.com/jito-foundation/restaking/tree/master/vault_program","type":"smart_contract","addedAt":"2024-11-04T10:00:41.000Z","revision":1,"description":"Vault Program 
[2660]","isPrimacyOfImpact":null}],"assetsBodyV2":"Jito’s up-to-date codebase can be found at [https://github.com/jito-foundation/restaking](https://github.com/jito-foundation/restaking). Documentation and further resources can be found at [https://docs.restaking.jito.network](https://docs.restaking.jito.network).\n\n__Mid-Contest Code Updates__\n\nIn this contest bug fixes may be applied mid-contest. \n\nThe project is to keep changes private as far as possible. When changes need to be made public, then the changelog will be updated here & in the Jito Restaking Audit Competition Discord channel. Publicly fixed bugs are invalid and the scope is updated to the new code.\n\nAll bug reports before the fix was public will earn a reward. All bug reports after are invalid. If a new bug is introduced by their fix then it is valid for a reward.\n\n__Mid-Contest Changelog__\n\nNone\n\n__KYC Requirement__\n\nJito will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. 
Immunefi may make exceptions due to extenuating circumstances.\n\n__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Primacy of Impact vs Primacy of Rules__\n\nJito adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Jito has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1MGBrzXcCGAa7DwIrpfeOk8mnVPGQtKK0?usp=drive_link)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/jito-restaking)","boostedIntroLive":"$150,000 USD is available in rewards for finding bugs in Jito's Restaking codebase of about 14000 nSLOC. KYC is required.\n\nAny technical questions and support requests can be asked directly to Jito or Immunefi in the [Jito Restaking Audit Competition Discord channel](https://discord.com/invite/immunefi).\n\nIn this contest bug fixes may be applied mid-contest. 
Further details are in the 'Assets In Scope' section.\n\nWhen the Audit Competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$150,000 USD in rewards is available for finding bugs on Jito restaking protocol built on Solana.\n\nKYC is required.\n\nJito will respond within 24 hours on weekdays to all bug reports. Any technical questions can be asked directly to the Jito technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"jito-restaking-audit-competition\" channel.\n\nJito will give a live technical walkthrough which will then be uploaded to Immunefi's YouTube channel, so stay tuned!\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nJoin our Discord for more updates.","boostedLeaderboard":[{"high":2,"name":"niroh","critical":0,"earnings":44487,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":1,"name":"Hoverfly9132","critical":0,"earnings":38386,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"Emmanuel001","critical":0,"earnings":12276,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"GlitchLens","critical":0,"earnings":8697,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"shanb1605","critical":0,"earnings":4327,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"NinetyNineCrits","critical":0,"earnings":4327,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1IS2I-GncvFUAwItI8wHMAFRbn7Y7toOi/view?usp=sharing","ecosystem":["Solana"],"endDate":"2024-12-02T10:00:00.000Z","evaluationEndDate":"2025-01-14T16:01:04.053Z","features":["Boost","Managed Triage: Time 
Saver","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2024-11-04T10:00:41.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/59ZugNbGcWjZC9Vk2UvLSW/cab63d1c9033e2935a66537128cb37dc/image__18_.png","maxBounty":150000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"Jito (Re)staking is a multi-asset staking protocol for node consensus networks. The protocol tokenizes staked assets as vault receipt tokens for enhanced liquidity and composability. Node consensus networks can use Jito Restaking to easily customize staking parameters, slashing conditions, and economic incentives to tailor their security and tokenomics.\n\nFor more information about Jito, please visit [https://www.jito.network/](https://www.jito.network/). \n\nJito provides rewards in JTO, denominated in USD.\n\n**This Audit Competition is running on mainnet. The following conditions apply:**\n- **Bug fixes may be applied mid-contest. Any public changes will be documented in the Mid-Contest Changelog section.**\n- **Duplicates are rewarded.**","programType":["Smart Contract"],"project":"Audit Comp | Jito Restaking","projectType":["Defi","Infrastructure"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Jito Restaking Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/29877415850769-Jito-Restaking-Audit-Competition-Reward-Terms)\n\nThe reward pool will be entirely distributed among participants. 
The size depends on the bugs found:\n- If one or more Critical severity bugs are found, **the reward pool will be 100% of the respective reward pool, $150,000 USD**\n- If one or more High severity bugs are found, **the reward pool will be 75% of the respective reward pool, $112,500 USD**\n- If one or more Medium severity bugs are found, **the reward pool will be 50% of the respective reward pool, $75,000 USD**\n- If Low severity bugs or no bugs are found, **the reward pool will be 25% of the respective reward pool, $37,500 USD**\n\n**Duplicates of Insight reports are not eligible for a reward.**\n\nFor this Audit Competition, duplicates and private known issues are valid for a reward. \n\nPrivate known issues will unlock higher reward pools according to their severity level without any downgrade. For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a Critical severity bug being found.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Payment Terms__\n\nPayouts are handled by the Jito team directly and are denominated in USD. However, payments are done in JTO on Solana.\n\nThe calculation of the net amount rewarded is based on the 7-day [TWAP](https://en.wikipedia.org/wiki/Time-weighted_average_price) of JTO at the time of settlement. No adjustments are made based on liquidity availability.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\nThe \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. 
\"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi).","rewardsPool":150000,"primaryPool":150000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"JTO","slug":"jito-restaking-audit-competition","tenPercentEconomicRule":false,"updatedDate":"2025-01-14T15:59:15.254Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Whitehat Educational Resources & Technical Info__\n\nThe documentation for the restaking programs is located at [https://docs.restaking.jito.network/](https://docs.restaking.jito.network/).\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nThis will be the maiden deployment of Jito’s restaking protocol. This is a new codebase, not a fork. Slashing will not be enabled at launch, as an initial guardrail, but the protocol otherwise resembles existing restaking protocols.\n\n__Where do you suspect there may be bugs?__\n\nAs previously mentioned, slashing will not be implemented at launch. However, any bug which might allow an operator to avoid or frontrun being slashed would be an interesting insight. Rounding issues around vault shares would be interesting. There might be bugs around fees and rewards, allowing an attacker to either avoid fees or collect a larger share of rewards. There is some complexity around validating, tracking, and updating vault state, so any issues involving out-of-date/out-of-sync vault state would be interesting. 
\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__\n\nThe Vault and Restaking programs support the SPL Token and SPL Token 2022 standards \n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nNone that are relevant. There is an `admin` role which can be used to pause vault accounts. However, we’re interested in any impact which could deny or impair functionality, or lead to loss of funds or adverse outcomes for either the protocol or its users;These would still be valid findings even if they can be partially mitigated by pausing+migrating to a new vault.\n\n__What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?__\n\nWe’re still interested in impacts involving permissioned roles in the protocol (malicious NCN operators, malicious slashers, malicious delegates). However, any report involving compromise of the private keys of any Jito Foundation-associated account would be out of scope.\n\n__What external dependencies are there?__\n\nExternal dependencies are pretty minimal. The programs depend on the Solana Program Library, and the SPL ATA, SPL Token, and SPL Token 2022 programs.\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nAll the client code is in the same git repository as the assets-in-scope, but it’s not particularly interesting. The code for the frontend clients is generated using kinobi, and the IDLs for the client are generated with shank. Since it is all auto-generated and simply represents an interface for interacting with the underlying protocol, it is not included in the contest scope.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nSlashing is not implemented at present, as the protocol is in its initial phase. 
\n\n__What is the test suite setup information?__\n\nIt is recommended to use cargo nextest. The instructions for running tests can be found here: [https://github.com/jito-foundation/restaking/blob/master/README.md](https://github.com/jito-foundation/restaking/blob/master/README.md)\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n- VRTs are tokenized shares of a vault’s underlying deposits. Vault deposits are calculated by getting the total amount of assets held by the vault token account. An attacker could inflate the exchange rate of shares to underlying assets by “donating” directly to a vault. If the attacker is the first depositor to a vault, they could deprive subsequent depositors of shares relative to their amount of deposited assets. This can be mitigated by requiring or suggesting that integrators mint some small amount of shares in the same transaction in which the vault is initialized. Relevant PRs: [https://github.com/jito-foundation/restaking/pull/150](https://github.com/jito-foundation/restaking/pull/150)\n- The amount of fees charged can change between the time when a withdrawal ticket is enqueued and when the withdrawal ticket is burned. Withdrawals should account for the difference. The issue hasn’t been resolved yet but a mitigation is in the works.\n- In the case where an operator’s state has been updated but a vault update epoch was missed or close_vault_update_state_tracker has not been called, the vault should be updated to reflect the operator’s new state. Otherwise, the amount reserved for cooldown can be too large. 
Relevant PRs: [https://github.com/jito-foundation/restaking/pull/163/](https://github.com/jito-foundation/restaking/pull/163/)\n\n__Previous Audits__\n\nJito’s completed audit reports can be found at [https://jito-foundation.gitbook.io/mev/resources/audits](https://jito-foundation.gitbook.io/mev/resources/audits). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"The Jito Foundation","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":5176,"type":"smart_contract","severity":"high","title":"Theft of protocol revenue"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"5N5OtGiOi4qhuH39kfQJU9","url":"https://github.com/Folks-Finance/algo-liquid-staking-contracts/blob/8bd890fde7981335e9b042a99db432e327681e1a/contracts/xalgo/consensus_v2.py","type":"smart_contract","addedAt":"2024-12-09T10:00:12.000Z","revision":2,"description":"ConsensusV2 [651]","isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Build commands, Test commands, and instructions on how to run them:__\n\nYou can find the smart contract repository at [https://github.com/Folks-Finance/algo-liquid-staking-contracts](https://github.com/Folks-Finance/algo-liquid-staking-contracts). Follow the instructions in the README to get setup and be able to run the tests\n\n__Impact Terms__\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n- You cannot delete an added proposer.\n- A proposer’s balance may go below the minimum balance needed in order to be eligible for consensus rewards.\n- A decrease in the max proposer balance may lead to some proposer balances being temporarily above the limit. 
\n- Unclaimed fees are generating additional yield for everyone.\n- Unclaimed fees can be slightly reduced through often updates because of rounding down.\n- Loss of precision over time as the value of xALGO accumulates.\n- The smart contract doesn’t check for box cost payments - instead they are implicitly required.\n\n__Previous Audits__\n\nFolks Finance’s completed audit reports can be found at [https://github.com/Folks-Finance/audits/blob/50831a54420ed3e4513c8fa17a42f2bbd0338df1/Coinspect%20-%20Audit%20of%20Liquid%20Staking%20-%20August%202024.pdf](https://github.com/Folks-Finance/audits/blob/50831a54420ed3e4513c8fa17a42f2bbd0338df1/Coinspect%20-%20Audit%20of%20Liquid%20Staking%20-%20August%202024.pdf). Note that this is an audit on the previous version of the smart contract which shares similarities with the new version. Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Primacy of Impact vs Primacy of Rules__\n\nFolks Finance adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish 
bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Folks Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1LKBn1EGnUFLXx-ULjt2epNQUsZ4M5QEV?usp=sharing)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/folks-liquid-staking)","boostedIntroLive":"$30,000 USD is available in rewards for finding bugs in Folks Finance's contracts of 651 nSLOC.\n\nNo KYC is required.\n\nAny technical questions and support requests can be asked directly to Folks Finance or Immunefi in the \"[project name]-audit-competition\" channel.\n\nWhen the Audit Competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nFor more information about Folks Finance, please visit [https://folks.finance/](https://folks.finance/).","boostedIntroStartingIn":"$30,000 USD in rewards is available for finding bugs on Folks: Liquid Staking Audit Competition which introduces new liquid staking contract on Algorand. \n\nFor more information about Folks Finance please visit [https://folks.finance/](https://folks.finance/). 
\n\nNo KYC is required.\n\nAny technical questions can be asked directly to the Folks Finance technical team on Immunefi's [Immunefi's Discord](https://discord.com/invite/immunefi) in the \"folks-liquid-staking-audit-competition\" channel.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Folks Finance's technical walkthrough on our official YouTube channel.","boostedLeaderboard":[{"high":1,"name":"uhudo","critical":0,"earnings":7155,"insights":1,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"A2Security","critical":0,"earnings":6473,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"Blockian","critical":0,"earnings":3336,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"danvinci_20","critical":0,"earnings":3122,"insights":2,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"holydevoti0n","critical":0,"earnings":2264,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"Oxbakeng","critical":0,"earnings":2264,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"dustykid","critical":0,"earnings":2264,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"ruhum","critical":0,"earnings":2264,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"k13n","critical":0,"earnings":643,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"perseverance","critical":0,"earnings":214,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1xRCghsyzF9YPgrUG2TeIZTmuayOaU7LF/view?usp=sharing","ecosystem":null,"endDate":"2024-12-19T10:00:00.000Z","evaluationEndDate":"2025-01-13T13:27:04.445Z","features":["Boost","Managed Triage: Time 
Saver","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2024-12-09T10:00:12.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4NFnVNSefjOLrvyAZJNJya/b7e769f644c794bf71656737775fcf99/image_23_cropped.png","maxBounty":30000,"pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.\n\nFor more information about Folks Finance and their existing products, please visit [https://folks.finance](https://folks.finance).\n\nFolks Finance provides rewards in USDC on Algorand, denominated in USD.\n\n- Folks Finance team will freeze the codebase for the duration of the Audit Competition\n- Duplicates are rewarded","programType":["Smart Contract"],"project":"Audit Comp | Folks: Liquid Staking","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Folks: Liquid Staking Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/30675078530449-Folks-Finance-Liquid-Staking-Audit-Competition-Reward-Terms).\n\nRewards are denominated in USD and distributed in USDC on Algorand.\n\nRewards are distributed all at once after the competition has ended. 
No rewards are distributed during the competition.\n\nThe reward pool is **$30,000 USD and will be fully distributed among whitehat participants in the form of USDC on Algorand**.\n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Payment Terms__\n\nPayouts are handled by the Folks Finance team directly and are denominated in USD. However, payments are done in USDC on Algorand.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\n- The \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi).","rewardsPool":30000,"primaryPool":30000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"folks-finance-liquid-staking-audit-competition","tenPercentEconomicRule":false,"updatedDate":"2025-01-13T13:29:03.971Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Whitehat Educational Resources & Technical Info__\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__\n\nAlgorand has native support for tokens with ASAs (Algorand Standard Assets). The liquid staking token which is distributed is an Algorand ASA.\n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nWe can update the deployed application in an emergency so some issues e.g. freezing of funds, may be mitigated from a permanent issue to a temporary issue.  We also have the ability to pause immediate and/or delayed minting. 
\n\n__What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nNone\n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\nThe four admins:\n- The “admin” which is the super admin.\n- The “register_admin” which can add proposers, set the proposer admin and register a proposer offline.\n- The “xgov_admin” which can subscribe and unsubscribe proposers to xgov.\n- The “proposer_admin” which can register a proposer online and offline.\n\n__What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?__\n\nNone\n\n__Security Researcher Education__\n\n__Project educational resources__\n\n- Design Overview for ALGO Staking Smart Contract [https://docs.google.com/document/d/1w-0ZmpWGTGrFl46PNhjmguEKj3ChnnFnMM3X_is1R9M/edit?usp=sharing](https://docs.google.com/document/d/1w-0ZmpWGTGrFl46PNhjmguEKj3ChnnFnMM3X_is1R9M/edit?usp=sharing)\n- Smart Contract deployed on Testnet [https://lora.algokit.io/testnet/application/730430673](https://lora.algokit.io/testnet/application/730430673)\n- Algorand Consensus Incentivisation Whitepaper [https://assets-global.website-files.com/62d96b0e9ea60fd1c96a1b50/65a7c0863805fd8b83cf34d5_upload_consensus-incentives.pdf](https://assets-global.website-files.com/62d96b0e9ea60fd1c96a1b50/65a7c0863805fd8b83cf34d5_upload_consensus-incentives.pdf)\n- The xGov Integration Requirements [https://docs.google.com/document/d/1zB8-t0vHtkQVZeNgVlI5W8z38ugD8IhBK8uRrkoRAxM/edit?usp=sharing](https://docs.google.com/document/d/1zB8-t0vHtkQVZeNgVlI5W8z38ugD8IhBK8uRrkoRAxM/edit?usp=sharing)\n- Docs for old version of ALGO Staking [https://docs.folks.finance/functionalities/xalgo-liquid-staking](https://docs.folks.finance/functionalities/xalgo-liquid-staking)\n\n__Is this an upgrade of an existing system? 
If so, which? And what are the main differences?__\n\nYes it is an upgrade of the old version of ALGO Liquid Staking deployed at [https://lora.algokit.io/mainnet/application/1134695678](https://lora.algokit.io/mainnet/application/1134695678). The main differences are:\n- Support for subscribing and unsubscribing from the xGov program. \n- Support for 3rd party node runners where now each proposer has its own admin which can register it online and offline. \n- The smart contract enforces the splitting of stake between the proposers. \n- Removed “min_proposer_balance” checks.\n\nNote that the existing state of the smart contract will persist after the update (global/local state and box storage). \n\n__Where do you suspect there may be bugs?__\n\nThe calculations for “immediate_mint”, “delayed_mint”, “claim_delayed_mint” and “burn” cannot be manipulated. In addition, the smart contract should enforce an approximate equal stake split between the proposers.\n\nYou should also check privileged operations are safely guarded.\n\n__What external dependencies are there?__\n\nThe main external dependency is the Algorand Consensus participation. Each proposers; participation keys will reside on its own Algorand Node and will receive ALGO rewards each time it proposes a block.\n\nAnother external dependency is the xGov program. The xGov power is given to block proposers and the smart contract allows delegating the control of the votes to an external address supplied by the “xgov_admin”.\n\nLastly some of the proposers’ Algorand Nodes may be run by trusted projects and/or key community members. \n\n__Are there any unusual points about your protocol that may confuse Security Researchers?__\n\nThe smart contract is an update of an existing smart contract which is already deployed on mainnet. Therefore there is no application create call supported. 
In addition you should consider the existing state of the smart contract [https://lora.algokit.io/mainnet/application/1134695678](https://lora.algokit.io/mainnet/application/1134695678) (global/local state and box storage) as these will persist between updates. The accompanying Design Overview Document provides further details on this.\n\nWhen an account is marked online/offline, the moment a key registration transaction is confirmed by the network it takes 320 rounds for the change to take effect. So, if a key registration is confirmed in round 5000, the account will stop participating at round 5320.\n\nThe same applies for changes in stake.","websiteUrl":"https://folks.finance/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":5267,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 hour"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1H12MNgVNcauXpJtCQFw9gmkVTHVnZtDy)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/fluid-protocol)","boostedIntroLive":"","boostedIntroStartingIn":"Fluid Protocol is an over-collateralized, decentralized borrowing platform for the Fuel ecosystem.\n\nUSDF is an over-collateralized, native stablecoin built on Fuel Network. Borrowers can draw 0% interest-free loans by depositing their collateral, whereby receiving USDF. 
Fuel Network is the fastest modular execution layer, delivering maximum security and the most flexible throughput.\n\nFor more information about Fluid Protocol, please visit https://fluidprotocol.xyz/\n\nFluid Protocol provides rewards in USDC, denominated in USD.","boostedLeaderboard":[{"high":0,"name":"Catchme","critical":1,"earnings":22345,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"jasonxiale","critical":1,"earnings":20959,"insights":0,"mediumLow":2,"totalValidBugs":3},{"high":0,"name":"Blockian","critical":1,"earnings":16461,"insights":2,"mediumLow":2,"totalValidBugs":3},{"high":0,"name":"Minato7namikazi","critical":1,"earnings":13646,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"InquisitorScythe","critical":0,"earnings":3417,"insights":3,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"SeveritySquad","critical":0,"earnings":2921,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"perseverance","critical":0,"earnings":250,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1y__jRFS4qlN4QrRor3Rx0kyUqqXb-GA4/view?usp=sharing","ecosystem":["Fuel Network"],"endDate":"2024-12-12T10:00:00.000Z","evaluationEndDate":"2025-01-07T13:25:31.198Z","features":["IOP (Invite Only Program)","Managed Triage: Time Saver","Vault","Boost"],"hideAssetsInScope":false,"immunefiStandard":true,"inviteOnly":true,"kyc":true,"language":["Sway"],"launchDate":"2024-11-14T11:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2uVW4I32P0N2q5UKbfm3nl/e362ab873873928d6c70177f3abd82e4/s7e5pBIm_400x400.png","maxBounty":80000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. 
\n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Fluid Protocol adheres to the Primacy of Impact for all severities listed.","productType":null,"programOverview":"Fluid Protocol is an over-collateralized, decentralized borrowing platform specifically built for Fuel Network. Fluid provides users with a secure and efficient way to unlock liquidity from their collateral without selling their underlying assets, thereby enabling maximum capital efficiency.\n\nUSDF, the flagship product, is an over-collateralized native stablecoin soft-pegged to the US Dollar. By depositing collateral, borrowers can draw 0% interest-free loans, offering immediate liquidity while retaining ownership of their collateral—all without incurring interest charges or recurring fees. This battle-tested approach meets the demand within the Fuel community for a decentralized, stable unit of account.\n\nFor more information about Fluid Protocol, please visit [fluidprotocol.xyz](https://fluidprotocol.xyz/)\n\nFluid Protocol GH repo: https://github.com/Hydrogen-Labs/fluid-protocol\n\nFluid Protocol provides rewards in USDC, denominated in USD. \n\nThis Audit Competition is running on mainnet. The following conditions apply:\n\n1. Fluid team will freeze the codebase during the duration of the Audit Competition\n2. 
Duplicates are rewarded","programType":["Smart Contract"],"project":"IOP | Fluid Protocol","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Fluid Protocol Invite-only program Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/29970475885457-Fluid-Protocol-Invite-Only-Program-Reward-Terms). \n\nA reward pool of $80,000 USD will be distributed among participants, even if no valid bugs are found. \n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\n* The \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\n\nPrivate known issues will unlock higher reward pools as though they were one severity level lower. 
For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a High severity bug being found.\n\nThe severity level of private known issues remains unchanged and whitehats earn their portion of the reward pool and position on the leaderboard according to this unchanged severity level.\nRewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3.","rewardsPool":80000,"primaryPool":80000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"iop-fluid-protocol","tenPercentEconomicRule":false,"updatedDate":"2025-01-07T14:51:52.734Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Whitehat Educational Resources & Technical Info__\n\n- [https://docs.hydrogenlabs.xyz/fluid-protocol-community/](https://docs.hydrogenlabs.xyz/fluid-protocol-community/)\n- Ottersec audit: [https://drive.google.com/file/d/1qhiI26aB9MTXfo-hLW8Qy9ki2ueCudKN/view?usp=sharing](https://drive.google.com/file/d/1qhiI26aB9MTXfo-hLW8Qy9ki2ueCudKN/view?usp=sharing)\n\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nThis is a rewrite of Liquity (v1) from Solidity into Sway, with numerous design changes. The main differences are the lack of recovery, multi-collateral system with single stability pool, and partial liquidations.\n\n__Where do you suspect there may be bugs? Useful aspects of this question are:__\n\nYes, please see required functions across all the contracts. 
Specifically in FPT staking, there are the same assumed invariants as in this report for Liquity: [https://github.com/trailofbits/publications/blob/master/reviews/LiquityProtocolandStabilityPoolFinalReport.pdf](https://github.com/trailofbits/publications/blob/master/reviews/LiquityProtocolandStabilityPoolFinalReport.pdf)\nAdditionally, math rounding throughout the contracts, since we are using 9 decimals of precision whereas Liquity uses 18. \n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__\n\nSRC-20 Token Standard\n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\nAn Owner is out of scope. \n\n\n__What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?__\n\nOwner Address.\n\n__What external dependencies are there?__\n\nFuel standard library primarily. Sway libs. Pyth, Redstone. \n\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nThe Fluid Protocol docs overview covers the main design changes from Liquity. There are some other minor changes that are not documented. 
\n\n__What is the test suite setup information?__\n\nThe tests for the smart contracts are included in the GitHub repo: [https://github.com/Hydrogen-Labs/fluid-protocol](https://github.com/Hydrogen-Labs/fluid-protocol)\n\n**Test Structure:**\nUnit tests for some smart contracts are located in ./contracts/[contract-name]/src/utils.sw\nIntegration tests are located in ./contracts/[contract-name]/tests\nThe interfaces and setup for integration tests are in ./test-utils\n\n**Running the Tests:**\nMake sure you have fuelup, fuel-core, cargo, and rust installed\nUse command: make build-and-test\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n__Previous Audits__\n\nFluid Protocol’s completed audit reports can be found here [https://drive.google.com/file/d/1qhiI26aB9MTXfo-hLW8Qy9ki2ueCudKN/view?usp=sharing](https://drive.google.com/file/d/1qhiI26aB9MTXfo-hLW8Qy9ki2ueCudKN/view?usp=sharing). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","websiteUrl":"https://fluidprotocol.xyz/","githubUrl":"https://github.com/Hydrogen-Labs/fluid-protocol","eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"**Fluid Protocol's Invite-Only Program is a form of Audit Competition which is exclusively accessible to a select group of security researchers who have submitted at least 1 valid report during the Fuel Attackathon event. 
These researchers will share a flat reward pool for every valid bug found.**","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"The following contract is to be considered out-of-scope:\n\n\nhttps://github.com/Hydrogen-Labs/fluid-protocol/tree/main/contracts/token-contract/src/main.sw","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable 
to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":5207,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for more than one week"}],"rewards":[{"level":"critical","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the reward pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"3rnkGllqqzXgBl1Posu9d0","url":"https://drive.google.com/file/d/1qhiI26aB9MTXfo-hLW8Qy9ki2ueCudKN/view","auditor":"OtterSec","date":"2024-10-20"}]},{"assets":[{"id":"12FTHst6nd4J13nHNV6YAf","url":"https://etherscan.io/address/0x4ABEF2263d5A5ED582FC9A9789a41D85b68d69DB","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"StaderConfig","isPrimacyOfImpact":null},{"id":"1a9DHQd6TBw2r1OKfHEDuB","url":"https://etherscan.io/address/0x03ABEEC03BF39ac5A5C8886cF3496326d8164E1E","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"VaultFactory","isPrimacyOfImpact":null},{"id":"10JbubVxMZ1RR48YBcz233","url":"https://etherscan.io/address/0x85A22763f94D703d2ee39E9374616ae4C1612569","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"Auction","isPrimacyOfImpact":null},{"id":"56TiYeqtvKOugNHtyq9wNh","url":"https://etherscan.io/address/0xA35b1B3
1Ce002FBF2058D22F30f95D405200A15b","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"ETHx Token","isPrimacyOfImpact":null},{"id":"6G0nj3MVA9Gbmskmsqk1SM","url":"https://etherscan.io/address/0x84ffDC9De310144D889540A49052F6d1AdB2C335","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"OperatorRewardCollector","isPrimacyOfImpact":null},{"id":"nJyB4So8M9DRWqpBzG4hY","url":"https://etherscan.io/address/0x84645f1B80475992Df2C65c28bE6688d15dc6ED6","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"Penalty","isPrimacyOfImpact":null},{"id":"3D6NTuCeUMyVWjfQN3dPCO","url":"https://etherscan.io/address/0xaf42d795A6D279e9DCc19DC0eE1cE3ecd4ecf5dD","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"PermissionedNodeRegistry","isPrimacyOfImpact":null},{"id":"qnoESyQbJZyIC9V6RCEGH","url":"https://etherscan.io/address/0x09134C643A6B95D342BdAf081Fa473338F066572","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"PermissionedPool","isPrimacyOfImpact":null},{"id":"brbyt2Ki15g2PhgyS6IDc","url":"https://etherscan.io/address/0x4f4Bfa0861F62309934a5551E0B2541Ee82fdcF1","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"PermissionlessNodeRegistry","isPrimacyOfImpact":null},{"id":"4WdsZbpyp8W0JVvO0qg5RS","url":"https://etherscan.io/address/0xd1a72Bd052e0d65B7c26D3dd97A98B74AcbBb6c5","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"PermissionlessPool","isPrimacyOfImpact":null},{"id":"43OHLR9k4kjaix3z4xOq3d","url":"https://etherscan.io/address/0x62e0b431990Ea128fe685E764FB04e7d604603B0","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"PoolSelector","isPrimacyOfImpact":null},{"id":"ujqylPyGsPUPB7wrH1pgf","url":"https://etherscan.io/address/0xeDA89ed8F89D786D816F8E14CF8d2F90c6BF763f","type":"s
mart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"PoolUtils","isPrimacyOfImpact":null},{"id":"4YNmddkCSKGumkXCSdNPxj","url":"https://etherscan.io/address/0x7Af4730cc8EbAd1a050dcad5c03c33D2793EE91f","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"SDCollateral","isPrimacyOfImpact":null},{"id":"2gOjVnFhxgi3kWC9fUC9hG","url":"https://etherscan.io/address/0x9d4C3166c59412CEdBe7d901f5fDe41903a1d6Fc","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"Permissioned Socializing Pool","isPrimacyOfImpact":null},{"id":"2X1nt0qZSKKRlC1jDJnFhs","url":"https://etherscan.io/address/0x1DE458031bFbe5689deD5A8b9ed57e1E79EaB2A4","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"Permissionless Socializing Pool","isPrimacyOfImpact":null},{"id":"3eth1UgqaSWZzW3AgMlynD","url":"https://etherscan.io/address/0xbe3781CE437Cc3fC8c8167913B4d462347D11F20","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"StaderInsuranceFund","isPrimacyOfImpact":null},{"id":"YVTQ9NCtWVCSU88tzOgUf","url":"https://etherscan.io/address/0xF64bAe65f6f2a5277571143A24FaaFDFC0C2a737","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"StaderOracle","isPrimacyOfImpact":null},{"id":"71fqfKB9sUo73C8MYjXOeq","url":"https://etherscan.io/address/0xcf5EA1b38380f6aF39068375516Daf40Ed70D299","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"Stader Stake Pool Manager","isPrimacyOfImpact":null},{"id":"7izx3PfgFB307ygGulvotQ","url":"https://etherscan.io/address/0x9F0491B32DBce587c50c4C43AB303b06478193A7","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"User Withdrawal 
Manager","isPrimacyOfImpact":null},{"id":"0Xc9WObzJeVCCz0ASTObW","url":"https://etherscan.io/address/0x97c92752DD8a8947cE453d3e35D2cad5857367af","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"NodeELRewardVault","isPrimacyOfImpact":null},{"id":"7eQPyMjj4KCYrmGNIRLUVl","url":"https://etherscan.io/address/0x3073cC90aD39E0C30bb0d4c70F981FbD00f3458f","type":"smart_contract","addedAt":"2023-07-08T11:00:00.000Z","revision":1,"description":"validatorWithdrawalVault","isPrimacyOfImpact":null},{"id":"3DbuwDV0U3IOMCE90DWOC4","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:28:15.874Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-07-08T11:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1iQDInT514hzL2832OmJSQ/81275804e386d69c44048a90c690eecb/j-TUyZEq_400x400.jpg","maxBounty":1000000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"Stader is a non-custodial smart contract based staking platform that helps you conveniently discover and access staking solutions.\n\nStader has built liquid staking tokens on Polygon, BNB, Fantom, among others.\n\nFor more information about Stader for ETH, please visit [https://www.staderlabs.com/eth/](https://www.staderlabs.com/eth/)\n\nStader provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nStader adheres to the Primacy of Impact for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n__Immunefi Standard Badge__\n\nStader has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"Stader for ETH","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 1 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 100 000 is paid in order to incentivize security researchers against withholding a bug report. \n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. \n- SD Auction final bid price can be gamed by MEV optimization. (This is intended)\n- Node Operator can avoid a small portion of validator penalty by exiting at the right time. 
(This is limited to once per validator, and the cost of exiting and reactivation does not justify the penalty saved)\n- ER update via Chainlink may return incorrect or stale data as it is not implemented yet. Currently ER data is submitted by oracle members.\n- Protocol will not benefit from the slashing mechanism when the remaining penalty is bigger than the minThreshold of SD \n\n__Previous Audits__\n\nStader has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n- [https://www.staderlabs.com/audits/ethereum/smartcontracts/ETHx_SmartContract_Audit_Report_by_Halborn_v2.pdf](https://www.staderlabs.com/audits/ethereum/smartcontracts/ETHx_SmartContract_Audit_Report_by_Halborn_v2.pdf)\n- [https://www.staderlabs.com/audits/ethereum/smartcontracts/ETHx_SmartContract_audit_report_by_SigmaPrime_v2.pdf](https://www.staderlabs.com/audits/ethereum/smartcontracts/ETHx_SmartContract_audit_report_by_SigmaPrime_v2.pdf)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Stader team directly and are denominated in USD. 
However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"staderforeth","updatedDate":"2025-01-01T19:57:21.288Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Stader is a non-custodial smart contract based staking platform that helps you conveniently discover and access staking solutions.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4334,"type":"smart_contract","severity":"high","title":"Protocol insolvency"},{"id":4335,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield on a recurring basis"},{"id":4338,"type":"smart_contract","severity":"critical","title":"Direct theft of any user deposited funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":4339,"type":"smart_contract","severity":"critical","title":"Permanent freezing of staked funds"},{"id":4340,"type":"smart_contract","severity":"critical","title":"Miner-extractable value 
(MEV)"}],"rewards":[{"id":10187,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":10188,"severity":"high","assetType":"smart_contract","fixedReward":100000,"rewardModel":"fixed"},{"id":10189,"severity":"medium","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"7LdYMynq3mpNEr1xtwwKTX","url":"https://etherscan.io/address/0xf03A7Eb46d01d9EcAA104558C732Cf82f6B6B645","type":"smart_contract","addedAt":"2022-04-25T17:30:00.000Z","revision":2,"description":"MaticX token ERC20 - Stader for Polygon","isPrimacyOfImpact":null},{"id":"7ekZ0EOZpzmr4ycNi89h0C","url":"https://etherscan.io/address/0xf556442d5b77a4b0252630e15d8bbe2160870d77","type":"smart_contract","addedAt":"2022-04-25T17:30:00.000Z","revision":2,"description":"ValidatorRegistry - Stader for Polygon","isPrimacyOfImpact":null},{"id":"6rP3loetR2aFbQT7kmOCh","url":"https://finder.terra.money/mainnet/address/terra1xacqx447msqp46qmv8k2sq6v5jh9fdj37az898","type":"smart_contract","addedAt":"2024-12-17T09:39:33.350Z","revision":1,"description":"Staking","isPrimacyOfImpact":null},{"id":"6fTzhdCZH3mJ4jwNMPh6W0","url":"https://finder.terra.money/mainnet/address/terra1d8cjkwxvrw8cmpyja3p8luag2hxsktersc0wez","type":"smart_contract","addedAt":"2024-12-17T09:39:43.659Z","revision":1,"description":"Reward","isPrimacyOfImpact":null},{"id":"oZs4iBs2UPCCHNRxAWi9T","url":"https://finder.terra.money/mainnet/address/terra1vq83s69rykjypyqcqhc7hsqzups6p9fwzu0wre","type":"smart_contract","addedAt":"2024-12-17T09:39:58.259Z","revision":1,"description":"Airdrops Registry","isPrimacyOfImpact":null}],"assetsBodyV2":"For proxy contracts, only the current implementation and any further updates to the implementation contracts are considered in scope.\n\nHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf any Critical or High severity 
impact can be caused to any other asset managed by Stader for Polygon that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Rust"],"launchDate":"2022-04-25T17:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2Tl7DfY3q5JeEXIH9yDXHN/3ee91b3e0f42d42e83040eb3648cb7c1/Stader_Brand_Icon_Logo_Small.png","maxBounty":250000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts__\n\nCritical\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Protocol Insolvency\n\nHigh\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds for at least 48 hours\n\nMedium\n  - Smart contract unable to operate due to lack of token funds \n  - Unbounded gas consumption","productType":["Crosschain Liquidity","Staking"],"programOverview":"Stader for Polygon is a non-custodial smart contract based staking platform that helps you conveniently discover and access staking solutions.\n\nIn the short term, Stader for Polygon is building native staking smart contracts across multiple chains including Terra, Fantom, Polygon, Solana, among others, and building an economic ecosystem to grow and develop solutions like YFI-style farming with rewards, launchpads, gaming with rewards, liquid staking solutions, and more.\n\nIn the long term, Stader for Polygon is focused on unlocking the platform approach and nurturing third parties to develop several staking-related applications on top of Stader for Polygon infrastructure.\n\nFor more information about Stader for Polygon, please visit [https://staderlabs.com/](https://staderlabs.com/).","programType":["Smart Contract"],"project":"Stader for Polygon","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll  bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 50 000__ for Critical smart contract bug reports. \n\nPrevious issues highlighted in the following audit reports are considered out of scope of this program: \n  - [https://github.com/stader-labs/audits/blob/main/halborn/StaderLabs_MaticX_Smart_Contract_Security_Audit_Report_Halborn_Final.pdf ](https://github.com/stader-labs/audits/blob/main/halborn/StaderLabs_MaticX_Smart_Contract_Security_Audit_Report_Halborn_Final.pdf)\n  - [https://staderlabs-docs.s3.amazonaws.com/audits/polygon/StaderLabs_maticX_Audit_Report_Immunebytes.pdf](https://staderlabs-docs.s3.amazonaws.com/audits/polygon/StaderLabs_maticX_Audit_Report_Immunebytes.pdf)\n\nPayouts are handled by the __Stader for Polygon__ team directly and are denominated in USD. 
However, payouts are done in __USDC__ or __ETH__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, ETH","slug":"StaderforPolygon","updatedDate":"2024-12-17T09:49:59.188Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Stader for Polygon is a non-custodial smart contract based staking platform that helps you conveniently discover and access staking solutions.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5275,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 48 
hours"}],"rewards":[{"id":9963,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":9964,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":20000,"rewardModel":"range"},{"id":9965,"severity":"medium","assetType":"smart_contract","maxReward":20000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"7dt8oOpBNUe2nJJRV4oWlP","url":"https://github.com/OrderlyNetwork/evm-cross-chain/tree/main/contracts","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"All files under /contracts/ folder except contracts/test, and contracts/layerzero/mocks","isPrimacyOfImpact":null},{"id":"5pBr5AVXQ6QGdnbDCYsvLF","url":"https://github.com/OrderlyNetwork/contract-evm/tree/main/src","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"All files under /main/src except tUSDC.sol contract","isPrimacyOfImpact":null},{"id":"6hbA11Sqwb9o9SCI2KuUfV","url":"https://arbiscan.io/address/0x816f722424b49cf1275cc86da9840fbd5a6167e9","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault Arb","isPrimacyOfImpact":null},{"id":"54BIeRPVQZHJYqBE0exFla","url":"https://optimistic.etherscan.io/address/0x816f722424b49cf1275cc86da9840fbd5a6167e9","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault OP","isPrimacyOfImpact":null},{"id":"B0MGbCAgv4nQTv6AzOHzl","url":"https://polygonscan.com/address/0x816f722424b49cf1275cc86da9840fbd5a6167e9","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault Polygon PoS","isPrimacyOfImpact":null},{"id":"6Wneq49gjtujWWi5KqNFkE","url":"https://arbiscan.io/address/0xa0a07a78c7d31E6f8698F48Fc9219f9a3030f38C","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault cross-chain manager 
ARB","isPrimacyOfImpact":null},{"id":"3DiWlNLN25Dtsk8nG744e","url":"https://optimistic.etherscan.io/address/0xa0a07a78c7d31E6f8698F48Fc9219f9a3030f38C","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault cross-chain manager OP","isPrimacyOfImpact":null},{"id":"5CcIOTUUW442ZieIJW2S9N","url":"https://polygonscan.com/address/0xa0a07a78c7d31E6f8698F48Fc9219f9a3030f38C","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault cross-chain manager polygon","isPrimacyOfImpact":null},{"id":"6y0uk1Gg6c2sRZzpquAjxV","url":"https://arbiscan.io/address/0x173B47eDBeCa665125edc24C509bfE545CDA60a9","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Crosschain relay ARB","isPrimacyOfImpact":null},{"id":"5e4EeKAEC4snmzETDWCzyI","url":"https://optimistic.etherscan.io/address/0x173B47eDBeCa665125edc24C509bfE545CDA60a9","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Crosschain relay OP","isPrimacyOfImpact":null},{"id":"3sI0dkVESIQThmyRdVtoXL","url":"https://polygonscan.com/address/0x173B47eDBeCa665125edc24C509bfE545CDA60a9","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Crosschain relay Polygon","isPrimacyOfImpact":null},{"id":"1xmvVtaw45wY3F1a2uRym6","url":"https://arbiscan.io/address/0xA2eA0a58b083c492AdC91A687FAc8B53AdB7c0Fd","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault Admin ARB","isPrimacyOfImpact":null},{"id":"7I7Oeqp3UqrbyVzC7iH3EV","url":"https://optimistic.etherscan.io/address/0xA2eA0a58b083c492AdC91A687FAc8B53AdB7c0Fd","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault Admin 
OP","isPrimacyOfImpact":null},{"id":"1bfIfS2N0KwrswhFUyaq2u","url":"https://polygonscan.com/address/0xa2ea0a58b083c492adc91a687fac8b53adb7c0fd","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault Admin Polygon PoS","isPrimacyOfImpact":null},{"id":"4OxvN6ttGgisiSTfQTqZ9w","url":"https://explorer.orderly.network/address/0x173B47eDBeCa665125edc24C509bfE545CDA60a9","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Crosschain relay","isPrimacyOfImpact":null},{"id":"3urk7cTI9PBMRxgTnVnO3X","url":"https://explorer.orderly.network/address/0x6F7a338F2aA472838dEFD3283eB360d4Dff5D203","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Ledger contract (Verifying Contract for  EIP712 Withdraw Msg)","isPrimacyOfImpact":null},{"id":"5Ww3eOrKAwACtK4dtnOubg","url":"https://explorer.orderly.network/address/0x7CC5B6433eb33164c88F6512f56C566CFC3420BF","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Operator manager","isPrimacyOfImpact":null},{"id":"6KVWolW6pdnhDLjTSFfcnn","url":"https://explorer.orderly.network/address/0x14a6342A8C1Ef9856898F510FcCE377e46668F33","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Vault manager","isPrimacyOfImpact":null},{"id":"4QoRC3DavV1ArmZUO8qcA1","url":"https://explorer.orderly.network/address/0xa0a07a78c7d31E6f8698F48Fc9219f9a3030f38C","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Ledger crosschain manager","isPrimacyOfImpact":null},{"id":"yKCHGjqME8D3KkzrR5wE0","url":"https://explorer.orderly.network/address/0x173B47eDBeCa665125edc24C509bfE545CDA60a9","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Crosschain 
relay","isPrimacyOfImpact":null},{"id":"71M9dZskApwNknw7ccSlj2","url":"https://explorer.orderly.network/address/0x343Ca787e960cB2cCA0ce8cfB2f38c3739E28a1E","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Fee manager","isPrimacyOfImpact":null},{"id":"1rptwHSUUm15ZtdsYqu7Kh","url":"https://explorer.orderly.network/address/0x9281CBc1e37d3bcDB8BAddFa4302B6eb5DAd2672","type":"smart_contract","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Market manager","isPrimacyOfImpact":null},{"id":"10NXDt98AJwZhwRRdGBKFD","url":"https://api.orderly.org","type":"websites_and_applications","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Api","isPrimacyOfImpact":null},{"id":"O586VwYBVX4IDwrlgY53F","url":"https://api-evm.orderly.org","type":"websites_and_applications","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Api EVM","isPrimacyOfImpact":null},{"id":"5hy3FJfKfKxZPjPB1sAYJh","url":"https://orderly.network/","type":"websites_and_applications","addedAt":"2024-02-27T00:05:00.000Z","revision":1,"description":"Main Web App","isPrimacyOfImpact":null}],"assetsBodyV2":"All code of Orderly Network can be found at https://github.com/OrderlyNetwork. 
Documentation for the assets provided in the table can be found at https://orderly.network/docs/build-on-evm/smart-contract-overview.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-02-27T00:05:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7lTtLkBbBPlnMIrlDObNWW/b7e2aea26d0ecd4b3e0f6d092ee52100/logo.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Derivatives"],"programOverview":"Orderly Network is the permissionless liquidity layer for web3. \n\nFor more information about Orderly Network, please visit https://orderly.network/.  \n\nOrderly Network provides rewards in USDT. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__Primacy of Impact vs Primacy of Rules__\n\nOrderly Network adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.","programType":["Smart Contract","Websites and Applications"],"project":"Orderly Network","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. 
\n\n__Reward Calculation for Critical Level Reports__\n \nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 25,000 is to be rewarded in order to incentivize security researchers against withholding a bug report.   \n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of $5,000 to $20,000 depending on the funds at risk, capped at the maximum high reward.  \n\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 48h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. 
Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nCritical web/app bug reports will be rewarded with $10,000 only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds that results in lost user funds\n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of $7,500. The rest of the severity levels are paid out according to the Impacts in Scope table.  \n\n__Previous Audits__\n\nOrderly Network has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n\n- https://github.com/OrderlyNetwork/Audits \n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n\n- Smart Contract, Critical\n- Smart Contract, High\n- Smart Contract, Medium\n- Smart Contract, Low\n- Web/App, Critical\n- Web/App, High\n- Web/App, Medium\n- Web/App, Low\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Orderly Network team directly and are denominated in USD. However, payments are done in USDT.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT","slug":"orderlynetwork","updatedDate":"2024-12-16T08:08:56.989Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Orderly Network is the permissionless liquidity layer for web3. 
","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"Any connection issues with third-party systems and applications (e.g. Discord boost server)","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":4754,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:  Iframing leading to modifying the backend/browser state (demonstrate impact with PoC)"},{"id":4755,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:  Social media handles, etc."},{"id":4756,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as:  Locking up the victim from login, Cookie bombing, etc."},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":4757,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application (persistent), such as:    - HTML injection, - Replacing existing text with arbitrary text, Arbitrary file uploads, etc."},{"id":4758,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email, Password of the victim 
etc."},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4759,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application (reflected), such as:  - Reflected HTML injection,  - Loading external site data"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4760,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":4761,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website (no DDoS)"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user 
funds"}],"rewards":[{"id":9931,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":9932,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":9933,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":9934,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":9935,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":7500,"rewardModel":"range","otherImpactMaxReward":7500},{"id":9936,"severity":"high","assetType":"websites_and_applications","fixedReward":5500,"rewardModel":"fixed"},{"id":9937,"severity":"medium","assetType":"websites_and_applications","fixedReward":4000,"rewardModel":"fixed"},{"id":9938,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"24Esrb8lfc3jwweS901NYx","url":"https://etherscan.io/address/0x0f5d2fb29fb7d3cfee444a200298f468908cc942","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Mana","isPrimacyOfImpact":null},{"id":"1zz5mCofmYVOWGcnzISscP","url":"https://etherscan.io/address/0xf87e31492faf9a91b02ee0deaad50d51d56d5d4d","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"LAND Proxy","isPrimacyOfImpact":null},{"id":"7leZYHyojQnoUXqujksBi3","url":"https://etherscan.io/address/0x554bb6488ba955377359bed16b84ed0822679cdc#code","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"LAND implementation","isPrimacyOfImpact":null},{"id":"1RsgqX39pqRSCoQQ4gWmZq","url":"https://etherscan.io/address/0x959e104e1a4db6317fa58f8295f586e1a978c297","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"ESTATE 
Proxy","isPrimacyOfImpact":null},{"id":"4HbnRNtzp17g9s0eAupXfO","url":"https://etherscan.io/address/0x1784ef41af86e97f8d28afe95b573a24aeda966e#code","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"ESTATE implementation","isPrimacyOfImpact":null},{"id":"2fKDY270jzaTVZzElwBvtm","url":"https://etherscan.io/address/0x8e5660b4ab70168b5a6feea0e0315cb49c8cd539#code","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Marketplace Proxy","isPrimacyOfImpact":null},{"id":"5QqeqgiC4kO4TiHAA4Qh7X","url":"https://etherscan.io/address/0x19a8ed4860007a66805782ed7e0bed4e44fc6717#code","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Marketplace implementation","isPrimacyOfImpact":null},{"id":"3gJtxo6z81YymWQN7tE4Dn","url":"https://etherscan.io/address/0xe479dfd9664c693b2e2992300930b00bfde08233","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Bid","isPrimacyOfImpact":null},{"id":"dtKsznylpORlyg8lJlPrG","url":"https://etherscan.io/address/0x2a187453064356c898cae034eaed119e1663acb8","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"DCL Name Registrar","isPrimacyOfImpact":null},{"id":"26DnhKLjnvo8hd7N745kqr","url":"https://etherscan.io/address/0x6843291bd86857d97f0d269e698939fb10d60772","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"DCL Name Controller","isPrimacyOfImpact":null},{"id":"3BcaMBNVBz28AJSTnnjibU","url":"https://etherscan.io/address/0xc04528c14c8ffd84c7c1fb6719b4a89853035cdd","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Collections V1 Implementation","isPrimacyOfImpact":null},{"id":"4buM9NphGbPQtzDqcUoMvT","url":"https://etherscan.io/address/0xecf073f91101ce5628669c487aee8f5822a101b1","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Collections V1.1 
Implementation","isPrimacyOfImpact":null},{"id":"4Pp6X027Q2116bwXOBy0qL","url":"https://etherscan.io/address/0xc57185366bcda81cde363380e2099758712038d0","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Vesting Batch Factory","isPrimacyOfImpact":null},{"id":"7ApP8S5XS3AK6HhGHf86c7","url":"https://etherscan.io/address/0xe357273545c152f07afe2c38257b7b653fd3f6d0","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Vesting Factory","isPrimacyOfImpact":null},{"id":"4Kr4Rbtsx8ZsSfthGkgoAB","url":"https://etherscan.io/address/0x42f32e19365d8045661a006408cc6d1064039fbf","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Vesting implementation","isPrimacyOfImpact":null},{"id":"1Td0C5C2R7Tm9n8dg843QL","url":"https://etherscan.io/address/0xb76b389cd04595321d51f575f5d950df1cef3dd7","type":"smart_contract","addedAt":"2022-12-07T19:31:28.896Z","revision":1,"description":"Periodic Vesting Implementation","isPrimacyOfImpact":null},{"id":"6g7pjau21c5PurahJH3DPd","url":"https://etherscan.io/address/0x24b18ac1c0cc1cfa14b03fe5c4580ab85191608a","type":"smart_contract","addedAt":"2022-12-07T19:31:26.797Z","revision":1,"description":"Owneable Batch vesting","isPrimacyOfImpact":null},{"id":"7ieWO0Plb0SD3Gei6UpWSv","url":"https://etherscan.io/address/0x3a1469499d0be105d4f77045ca403a5f6dc2f3f5","type":"smart_contract","addedAt":"2022-12-07T19:31:25.003Z","revision":1,"description":"Rentals Proxy","isPrimacyOfImpact":null},{"id":"7z0YHrSTtMp2J1kcppYLJL","url":"https://etherscan.io/address/0xb49882c17281d3451972ae7e476cb3e0698af712","type":"smart_contract","addedAt":"2022-12-07T19:31:22.926Z","revision":1,"description":"Rentals Proxy Admin ","isPrimacyOfImpact":null},{"id":"4SAE6NLVN8AKwmC1h93COx","url":"https://etherscan.io/address/0xe90636e24d8faf02aa0e01c26d72dab9629865cb","type":"smart_contract","addedAt":"2022-12-07T19:31:21.431Z","revision":1,"description":"Rentals 
Implementation","isPrimacyOfImpact":null},{"id":"5FZcoJ5Aq2iaf327znW2Ib","url":"https://polygonscan.com/address/0x7ffb3d637014488b63fb9858e279385685afc1e2#code","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Mana Polygon Implementation","isPrimacyOfImpact":null},{"id":"2Opn5m129UgSA2F25vYOLA","url":"https://polygonscan.com/address/0xB549B2442b2BD0a53795BC5cDcBFE0cAF7ACA9f8","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Collections V2 Factory","isPrimacyOfImpact":null},{"id":"3I6w3CPOFeRcRkZJS6pNiz","url":"https://polygonscan.com/address/0x006080C6061C4aF79b39Da0842a3a22A7b3f185e","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Collection V2 Implementation","isPrimacyOfImpact":null},{"id":"56pkV31QFR3jqEJcS1TBsN","url":"https://polygonscan.com/address/0x17113b44fdd661A156cc01b5031E3aCF72c32EB3","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Rarities","isPrimacyOfImpact":null},{"id":"5Af2SatlnEY4kXnCRck0RR","url":"https://polygonscan.com/address/0xA9158E22F89Bb3F69c5600338895Cb5FB81e5090","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Rarities with Oracle","isPrimacyOfImpact":null},{"id":"6M089iiBmw00B5nHtCdORj","url":"https://polygonscan.com/address/0xaeec95a8aa671a6d3fec56594827d7804964fa70","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Committee","isPrimacyOfImpact":null},{"id":"5Ue0rzCV3LiRntHzLKiCZs","url":"https://polygonscan.com/address/0x9D32AaC179153A991e832550d9F96441Ea27763A#code","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Collections 
Manager","isPrimacyOfImpact":null},{"id":"5sHk9atSaNXPJlBPyKYLSb","url":"https://polygonscan.com/address/0xBF6755A83C0dCDBB2933A96EA778E00b717d7004","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Forwarder","isPrimacyOfImpact":null},{"id":"4hzHx6R0ul7PZ6zMDojJQa","url":"https://polygonscan.com/address/0x214ffC0f0103735728dc66b61A22e4F163e275ae","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Collections Store","isPrimacyOfImpact":null},{"id":"RAjgn8i2VV6P3iPbsT1Aj","url":"https://polygonscan.com/address/0x02080031b45A3c67d338Dd4A2CC309D28756A160","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Marketplace","isPrimacyOfImpact":null},{"id":"3ACAee6mJSZ00xrwW5IKaf","url":"https://polygonscan.com/address/0x480a0f4e360E8964e68858Dd231c2922f1df45Ef","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Marketplace V2","isPrimacyOfImpact":null},{"id":"1JZOLjVbsURyNU4VyG9dxB","url":"https://polygonscan.com/address/0x90958D4531258ca11D18396d4174a007edBc2b42","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Royalties manager","isPrimacyOfImpact":null},{"id":"7MW1Nejug166qYvbPBh5Oe","url":"https://polygonscan.com/address/0xb96697FA4A3361Ba35B774a42c58dACcaAd1B8E1","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Bids","isPrimacyOfImpact":null},{"id":"5W3QNimFlvMQoPlLxlLzHo","url":"https://polygonscan.com/address/0x1a91dd8d4eeddc2fac31f36818604b7093dc95e0","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":2,"description":"Chainlink Oracle","isPrimacyOfImpact":null},{"id":"5AGNLuDmkOodeJ7GZCIpKF","url":"https://polygonscan.com/address/0xF44063d872C88eEBab2EFC0318194e75a5218C1E","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"TPR 
Admin","isPrimacyOfImpact":null},{"id":"1W1zfGYZzAS9XMCJHw8dRi","url":"https://polygonscan.com/address/0x1C436C1EFb4608dFfDC8bace99d2B03c314f3348","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"TPR Proxy","isPrimacyOfImpact":null},{"id":"5ikw9tDNf8mHxU4BBYVkkG","url":"https://polygonscan.com/address/0x1f8063CC04398Be214a7d8dD25B6b6e2b870d99e","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"TPR Implementation","isPrimacyOfImpact":null},{"id":"7dIZgsaXoQ95dISZOT25Of","url":"https://polygonscan.com/address/0x3195e88aE10704b359764CB38e429D24f1c2f781","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Collections Factory V3","isPrimacyOfImpact":null},{"id":"629B0N2Ps9cCrpoE1SA6tb","url":"https://polygonscan.com/address/0xDDb3781Fff645325C8896AA1F067bAa381607ecc","type":"smart_contract","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Collections Upgradeable Beacon","isPrimacyOfImpact":null},{"id":"6OQwJyl4g1pmyoeuBv29zv","url":"https://decentraland.org/","type":"websites_and_applications","addedAt":"2022-07-05T16:30:00.000Z","revision":1,"description":"Main Web 
App","isPrimacyOfImpact":null},{"id":"70bIhDH7FqpNTLIBzLItdR","url":"https://decentraland.org/marketplace","type":"websites_and_applications","addedAt":"2024-02-27T11:22:15.285Z","revision":1,"description":"Market","isPrimacyOfImpact":null},{"id":"6jrbZ8GzdCD1yKDWQqUNMg","url":"https://decentraland.org/builder","type":"websites_and_applications","addedAt":"2024-02-27T11:22:31.468Z","revision":1,"description":"Builder","isPrimacyOfImpact":null},{"id":"7wwuI7IjGp3Xnlows0jyui","url":"https://decentraland.org/play","type":"websites_and_applications","addedAt":"2024-02-27T11:22:47.110Z","revision":1,"description":"Client","isPrimacyOfImpact":null},{"id":"4IY8my81qoClpn4wj90c5L","url":"https://decentraland.org/governance","type":"websites_and_applications","addedAt":"2024-02-27T11:23:02.280Z","revision":1,"description":"DAO","isPrimacyOfImpact":null},{"id":"4omH7Q2sVDpRiEkao0QJFT","url":"https://decentraland.org/account","type":"websites_and_applications","addedAt":"2024-02-27T11:23:19.049Z","revision":1,"description":"Account","isPrimacyOfImpact":null},{"id":"78LrCznt9kKBgGXcrEspK","url":"https://decentraland.org/events","type":"websites_and_applications","addedAt":"2024-02-27T11:23:51.289Z","revision":1,"description":"Web/App & API - Events","isPrimacyOfImpact":null},{"id":"4BmyuU2zyqzdVsuI27Q9S3","url":"https://decentraland.org/rewards","type":"websites_and_applications","addedAt":"2024-02-27T11:24:08.849Z","revision":1,"description":"Web/App & API - Rewards","isPrimacyOfImpact":null},{"id":"7HQUdSLYjcjvga4IUggfaT","url":"https://decentraland.org/places","type":"websites_and_applications","addedAt":"2024-02-27T11:24:26.212Z","revision":1,"description":"Web/App & API - 
Places","isPrimacyOfImpact":null},{"id":"5DVmsHKct79fmfDXpg3Rj0","url":"https://decentraland.org/profile","type":"websites_and_applications","addedAt":"2024-02-27T11:24:40.858Z","revision":1,"description":"Profile","isPrimacyOfImpact":null},{"id":"5I8ZGiaS1M3AxTfWucHYFL","url":"https://decentraland.org/auth","type":"websites_and_applications","addedAt":"2024-02-27T11:24:56.748Z","revision":1,"description":"Auth","isPrimacyOfImpact":null},{"id":"7HVt3TcyqTCDzl2AhcgCiy","url":"https://docs.decentraland.org/","type":"websites_and_applications","addedAt":"2024-02-27T11:25:12.437Z","revision":1,"description":"Docs","isPrimacyOfImpact":null},{"id":"6qBmoPLr9XJPlqBFciRblp","url":"https://builder-api.decentraland.org","type":"websites_and_applications","addedAt":"2024-02-27T11:25:41.811Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"cZyfLlJdEWRL88B5piCxI","url":"https://worlds-content-server.decentraland.org/","type":"websites_and_applications","addedAt":"2024-02-27T11:25:57.684Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"7jMp5SBOiUtvy6ej02vGfy","url":"https://peer.decentraland.org/","type":"websites_and_applications","addedAt":"2024-02-27T11:26:11.490Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"1P39xT5PdHkNG9PTCJS75s","url":"https://nft-api.decentraland.org","type":"websites_and_applications","addedAt":"2024-02-27T11:26:24.213Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"SKnnHaGaKC7BYFJ3PaETe","url":"https://signatures-api.decentraland.org","type":"websites_and_applications","addedAt":"2024-02-27T11:26:37.096Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"TGrarrgaNcfKplg8KhJgK","url":"https://transactions-api.decentraland.org","type":"websites_and_applications","addedAt":"2024-02-27T11:26:49.450Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"6FtnDNlPq76eYciXeB9Aqz","url":"https://marketplace-api.decentraland.org","type":"websites_and_applica
tions","addedAt":"2024-02-27T11:27:01.385Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"4oTY9BoQTLKQDo9xWzij1Z","url":"https://api.decentraland.org","type":"websites_and_applications","addedAt":"2024-02-27T11:27:12.304Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"7vAklE4VvujaSOOwPxf3v7","url":"https://auth-api.decentraland.org","type":"websites_and_applications","addedAt":"2024-02-27T11:27:23.687Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"4U80wzCWCGSHCizv19OIxW","url":"http://social-service.decentraland.org/","type":"websites_and_applications","addedAt":"2024-02-27T11:27:37.306Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"2PsCPG8O4ypMvJ2QL4HhfM","url":"https://realm-provider.decentraland.org/","type":"websites_and_applications","addedAt":"2024-02-27T11:27:54.193Z","revision":1,"description":"API","isPrimacyOfImpact":null},{"id":"31xEj6yUli3txD6XfEhHrL","url":"https://etherscan.io/address/0x2d6b3508f9aca32d2550f92b2addba932e73c1ff","type":"smart_contract","addedAt":"2024-12-16T07:51:15.091Z","revision":1,"description":"Marketplace V3","isPrimacyOfImpact":null},{"id":"SB7MImVv9Q21krvF1NQhd","url":"https://polygonscan.com/address/0x540fb08edb56aae562864b390542c97f562825ba","type":"smart_contract","addedAt":"2024-12-16T07:51:39.820Z","revision":1,"description":"Marketplace V3","isPrimacyOfImpact":null},{"id":"CIRtHwNvyIJbKLrzVzqFZ","url":"https://polygonscan.com/address/0x90cb68d170275da51d2a645bdf70be29d215bda7","type":"smart_contract","addedAt":"2024-12-16T07:51:55.201Z","revision":1,"description":"Coupon Manager","isPrimacyOfImpact":null},{"id":"2EKvlkhJs7dHb314QCCtb7","url":"https://polygonscan.com/address/0xc914507fe297b2dddd1232ac3a8903f1c125e794","type":"smart_contract","addedAt":"2024-12-16T07:52:11.341Z","revision":1,"description":"Collection Coupon Discount","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as 
in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by Decentraland that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.\n\nBug reports from compensated team members of any Decentraland core units will not be eligible for a reward.\n\nAll team members of the audit companies Decentraland works with, and its third-party suppliers, including Immunefi itself and its subsidiaries, are not eligible for a reward.\n\nBug reports from team members and third-party suppliers of businesses and organizations that are not a Decentraland Core Unit but have assets considered as critical infrastructure covered under the bug bounty program are also not eligible for the bug bounty program.\n\nEmployees and team members of Decentraland third-party suppliers \"to core units\" that operate in a technical capacity will also not be eligible for a reward if the bug is related to the work assigned or if the bug reporter is leveraging privileged information coming from the agreed services.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2022-07-05T16:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/CXsZzmFYIOc6VRsmn4i4P/aa9602446e06cec6320bbab0f437ea98/decentraland-mana-logo_copy.png","maxBounty":500000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - high","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - 
low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Gaming"],"programOverview":"[Decentraland](https://c212.net/c/link/?t=0&l=en&o=3541085-1&h=4099657792&u=https%3A%2F%2Fdecentraland.org%2F&a=Decentraland) is a decentralized virtual social platform powered by the Ethereum blockchain. Within the Decentraland platform, users can create, experience, and monetize content and applications. Decentraland is built, governed, and owned by its users. Through the decentralized autonomous organization (DAO) users can submit proposals for owners of MANA and LAND to vote on.\n\nFor more information about Decentraland, please visit [https://decentraland.org/](https://decentraland.org/).","programType":["Smart Contract","Websites and Applications"],"project":"Decentraland","projectType":["Defi","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward.  All Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nHigh smart contract vulnerabilities to be calculated as __0.1%__ of the economic damage and capped at USD 500,000, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. 
However, there is a minimum reward of __USD 20,000__.\n\nAll other rewards for the bug bounty program are scaled based on an internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in-place. However, there is a minimum reward of USD 1 000 for each severity level for smart contracts, rewards will be provided at the determined fair value by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program.\n\nDecentraland has combined Critical and High Smart Contract impacts together, please refer to the High Smart Contract rewards and impacts respectively. \n\nThe following vulnerabilities are not eligible for a reward:\n\n  - Estate: The [getFingerprint](https://github.com/decentraland/land/blob/master/contracts/estate/EstateRegistry.sol#L317) function can run out of gas for Estates bigger than 4000 LANDs.\n  - Collections: Missing the ERC165 interface registration.\n  - All vulnerabilities marked in [https://github.com/decentraland/smart-contract-audits](https://github.com/decentraland/smart-contract-audits) \n\nDecentraland requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed are Name, Mailing Address and any ID. The collection of this information will be done by the Decentraland team.\n\nPayouts are handled by the __Decentraland__ team directly and are denominated in USD. 
However, payouts are done in __MANA and USDT__, with a minimum of 20% to be done in USDT.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"MANA, USDT","slug":"decentraland","updatedDate":"2024-12-16T07:52:14.781Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"[Decentraland](https://c212.net/c/link/?t=0&l=en&o=3541085-1&h=4099657792&u=https%3A%2F%2Fdecentraland.org%2F&a=Decentraland) is a decentralized virtual social platform powered by the Ethereum blockchain. Within the Decentraland platform, users can create, experience, and monetize content and applications. Decentraland is built, governed, and owned by its users.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Frontrunning, including backrunning and sandwich attacks that may not lead to user funds or assets\n- Bugs in dependencies (unless they lead to equivalently direct attacks on Wormhole)\n- Any secret data checked into the repository. Such as API/AUTH tokens\n\n- Attacks requiring privileged access from within the organization\n- Crashes in play.decentraland.org or scene preview\n- Software defects in deployed scenes in play.decentraland.org\n- Issues related to scene code itself\n- Scenes deployed by users using malicious code that requires users to download or interact with it\n- Any vulnerability that requires the user to input commands in the browser console","customProhibitedActivities":[],"impacts":[{"id":2875,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":2876,"type":"smart_contract","severity":"low","title":"Reentrancy or frontrunning attacks with no users assets loss involvement but lead to an undesired product behaviour by design"},{"id":2877,"type":"websites_and_applications","severity":"low","title":"Changing non-sensitive details of other users (including modifying browser localStorage) with/without already-connected wallet interaction and with up to one click of user interaction, such as 
changing the first/last name of user, or disabling notification"},{"id":2878,"type":"websites_and_applications","severity":"low","title":"Any impact involving a publicly released CVE"},{"id":2879,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling users to access the sites without the possibility of solving it by logging in again, such as locking up the victim from login, cookie bombing, etc."},{"id":2880,"type":"smart_contract","severity":"high","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":2881,"type":"smart_contract","severity":"high","title":"Transaction & meta transactions replay attacks"},{"id":2882,"type":"smart_contract","severity":"high","title":"Undesired destruction or burning of assets: wearables"},{"id":2883,"type":"smart_contract","severity":"high","title":"Minting assets from unauthorized addresses"},{"id":2884,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc. 
bypassing system securities and it is not public."},{"id":2885,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover of decentraland.org."},{"id":2886,"type":"websites_and_applications","severity":"high","title":"Retrieving sensitive user information, like user’s credentials."},{"id":2887,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser localStorage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":2888,"type":"websites_and_applications","severity":"high","title":"Escape sandbox attack from scenes (injection of HTML or code injections in main thread from deployed scene code)"},{"id":2889,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds/assets for any amount of time"},{"id":2890,"type":"smart_contract","severity":"medium","title":"Controlled loss of user assets"},{"id":2891,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption that lead to make the core contract functionality unusable"},{"id":2892,"type":"websites_and_applications","severity":"medium","title":"Defacing the sites, totally or partially, resulting in unauthorized visual changes of the site which could impact multiple users."},{"id":2893,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites without their consent (Open Redirect)"},{"id":2894,"type":"websites_and_applications","severity":"medium","title":"Catalyst Content: Impersonation of a user to alter their stored content."},{"id":2895,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys (this does not include non-sensitive environment variables, open source code, or 
usernames)"},{"id":2896,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":2897,"type":"websites_and_applications","severity":"critical","title":"Performing malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions, stealing funds or assets."}],"rewards":[{"id":6586,"severity":"high","assetType":"smart_contract","maxReward":500000,"rewardModel":"up_to"},{"id":6587,"severity":"medium","assetType":"smart_contract","maxReward":20000,"rewardModel":"up_to"},{"id":6588,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":6589,"severity":"critical","assetType":"websites_and_applications","maxReward":16000,"rewardModel":"up_to","otherImpactMaxReward":0},{"id":6590,"severity":"high","assetType":"websites_and_applications","maxReward":4000,"rewardModel":"up_to"},{"id":6591,"severity":"medium","assetType":"websites_and_applications","maxReward":2000,"rewardModel":"up_to"},{"id":6592,"severity":"low","assetType":"websites_and_applications","fixedReward":500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"5VQ2qXQ8ROQZNTGO5ogvzU","url":"https://etherscan.io/address/0x462Dd07A79e5DDfBe0C171449C5c01788d5d03C3","type":"smart_contract","addedAt":"2024-10-01T15:17:47.602Z","revision":1,"description":"Consensus Layer Fee Dispatcher","isPrimacyOfImpact":null},{"id":"5GpwQUSWM7eELtHDyXOi0w","url":"https://goerli.etherscan.io/address/0xD36B422a7EE65219732724d849B8b6BceD6155Fe","type":"smart_contract","addedAt":"2024-10-01T15:18:03.017Z","revision":1,"description":"Consensus Layer Fee Dispatcher 
(testnet)","isPrimacyOfImpact":null},{"id":"6gRsd3Kz2G4PWQjaq8TIjd","url":"https://etherscan.io/address/0xE8EC6F702D68ded71112031D78bBFf959c7234C7","type":"smart_contract","addedAt":"2024-10-01T15:18:16.353Z","revision":1,"description":"Consensus Layer Fee Dispatcher Proxy","isPrimacyOfImpact":null},{"id":"1uAckEZfyGjHSKCEx2kwZU","url":"https://goerli.etherscan.io/address/0x50Dba42662FD69f5Fd9236540aaD9f99f7F6b3b2","type":"smart_contract","addedAt":"2024-10-01T15:18:29.739Z","revision":1,"description":"Consensus Layer Fee Dispatcher Proxy (testnet)","isPrimacyOfImpact":null},{"id":"HT2VbBeovVklks8jUBGMw","url":"https://etherscan.io/address/0xca4DD914fA713214844c84F153A5e1627536a7fC","type":"smart_contract","addedAt":"2024-10-01T15:18:42.765Z","revision":1,"description":"Execution Layer Fee Dispatcher","isPrimacyOfImpact":null},{"id":"9HrhiKTY7DIYEk6c6cO96","url":"https://goerli.etherscan.io/address/0xa69dDEBd0B6893A6F3d34A5df610d0E2ED433D18","type":"smart_contract","addedAt":"2024-10-01T15:18:57.194Z","revision":1,"description":"Execution Layer Fee Dispatcher (testnet)","isPrimacyOfImpact":null},{"id":"d1eINxqWBX1bNvOumPNxm","url":"https://etherscan.io/address/0x72b4C52f18f52EbA3E4290a002dF7c387427b058","type":"smart_contract","addedAt":"2024-10-01T15:19:12.128Z","revision":1,"description":"Execution Layer Fee Dispatcher Proxy","isPrimacyOfImpact":null},{"id":"6xU2HowYjg61HBNFo9wbrd","url":"https://goerli.etherscan.io/address/0x639d818639B85a1892Bfbb40Bd724b4Ddea43C0C","type":"smart_contract","addedAt":"2024-10-01T15:19:32.637Z","revision":1,"description":"Execution Layer Fee Dispatcher Proxy (testnet)","isPrimacyOfImpact":null},{"id":"66O1OQmXgxsdoIZsJNxQ6U","url":"https://etherscan.io/address/0x933fBfeb4Ed1F111D12A39c2aB48657e6fc875C6","type":"smart_contract","addedAt":"2024-10-01T15:20:42.855Z","revision":1,"description":"Fee 
Recipient","isPrimacyOfImpact":null},{"id":"2zerwJPCbDUS8ot3a0Qhhj","url":"https://goerli.etherscan.io/address/0x1AcD717aDF8A3A1e4c23C6510cfbE76834E3f1bf","type":"smart_contract","addedAt":"2024-10-01T15:21:03.133Z","revision":1,"description":"Fee Recipient (testnet)","isPrimacyOfImpact":null},{"id":"3CVh9nM4ZusjhU06yfCqAd","url":"https://etherscan.io/address/0x0A7272e8573aea8359FEC143ac02AED90F822bD0","type":"smart_contract","addedAt":"2024-10-01T15:21:20.079Z","revision":1,"description":"Staking Contract","isPrimacyOfImpact":null},{"id":"5h5VLKpEikaWsfNGPwndqG","url":"https://goerli.etherscan.io/address/0xcd01846F1b37aCE16916969989C136e3c52ef7d2","type":"smart_contract","addedAt":"2024-10-01T15:21:36.924Z","revision":1,"description":"Staking Contract (testnet)","isPrimacyOfImpact":null},{"id":"5498bFa2QZM9Y7uIxiNH8D","url":"https://etherscan.io/address/0x1e68238ce926dec62b3fbc99ab06eb1d85ce0270","type":"smart_contract","addedAt":"2024-10-01T15:21:53.870Z","revision":1,"description":"Staking Contract Proxy","isPrimacyOfImpact":null},{"id":"3CvSKYIs1JRZkgjfTzaQlc","url":"https://goerli.etherscan.io/address/0xe8Ff2a04837aac535199eEcB5ecE52b2735b3543","type":"smart_contract","addedAt":"2024-10-01T15:22:13.549Z","revision":1,"description":"Staking Contract Proxy (testnet)","isPrimacyOfImpact":null}],"assetsBodyV2":"All code of Kiln can be found at [https://github.com/kilnfi/staking-contracts](https://github.com/kilnfi/staking-contracts). 
Documentation for the assets provided in the table can be found at [https://docs.kiln.fi/kiln-on-chain-v1/6eQVsjjelOTzT9cvtG8s/](https://docs.kiln.fi/kiln-on-chain-v1/6eQVsjjelOTzT9cvtG8s/).","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-10-01T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1SEs1ui9Ficgtj8iEcEZKG/204a23e8cfb04126d1a48548947cb448/Kiln_Defi.png","maxBounty":1000000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"Kiln On-Chain (v1) enables non-custodial platforms to propose an ETH staking offer where users can stake on dedicated validators while remaining the only one able to access their staked assets. \n\nThe goal of these Ethereum Smart Contracts is to enable:\n\n- Operator to register its validation keys deposit data on the Smart Contract\n- Users to deposit on approved and available validation keys\n- Manage the Execution and Consensus Layer rewards and exited ETH\n- Perform the commission dispatching on these ETH when user performs a withdrawal action\n\nThis Bug Bounty is focused on the Staking Smart Contracts only, all items regarding dApps or validation infrastructure are out of scope. \n\nFor more information about Kiln On-Chain, please visit [https://www.kiln.fi/](https://www.kiln.fi/)\n\nKiln provides rewards in __USDC__. 
For more details about the payment process, please view the __Rewards by Threat Level__ section.\n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n- If the claim comes from an individual:\n   - The first names, surnames, date and place of birth of the person concerned\n   - A Valid ID\n- If the claim comes from a business:\n   - Legal form, name, registration number and address of the registered office\n   - Valid certificate of incorporation\n   - List of shareholders/directors\n\nKYC information is only required on confirmation of the validity of a bug report.   \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nKiln adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__Known Issue Assurance__\n\nKiln commits to providing Known Issue Assurance to bug submissions through their program. This means that Kiln will either disclose known issues publicly or at the very least privately via a self-reported bug submission in order to allow for a more objective and streamlined mediation process to prove that an issue is known. Otherwise, assuming the bug report itself is valid, it would result in the bug report being considered in-scope and due 100% of the reward with respect to the bug bounty program terms. \n\n__Immunefi Standard Badge__\n\nKiln has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"Kiln On-Chain v1","projectType":["Defi","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. 
\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract vulnerabilities that result in direct theft or permanent freezing of funds, the reward amount is 10% of the funds directly affected up to a maximum of **USD 1 000 000**. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of **USD 100 000** is to be rewarded in order to incentivize security researchers against withholding a bug report.   \n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Reward Calculation for High Level Reports__\n\nFor high Smart Contract vulnerabilities that result in direct theft or permanent freezing of unclaimed yield or commission, or the temporary freezing of unclaimed yield for more than 24hrs, the reward amount will be capped at 100% of the funds affected, up to a maximum of **USD 100 000**.  However, a minimum reward of **USD 20 000** is to be rewarded in order to incentivize security researchers against withholding a bug report.   \n\n__Responsible Disclosure Clause:__\n\nResearchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:\n\n1. Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.\n2. Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.\n3. During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.\n4. 
After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.\n5. The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.\n6. If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln.\n7. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.\n\n\n__Previous Audits__\n\nKiln has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n- [https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b](https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Other Terms and Information__\n\n- This bug bounty program will have a hard cap of **USDC 1 500 000**. In the event that multiple bug reports are submitted that exceed this amount, the rewards will be provided on a first come first served basis.\n\n- The following roles: Operator, Admin and Proxy Admin are trusted to behave properly and in the best interest of the users. They should not be considered as malicious.  
Reports relying on this assumption will be considered invalid.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Kiln team directly and are denominated in **USD**. However, payments are done in **USDC**","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"kiln-on-chain-v1","tenPercentEconomicRule":false,"updatedDate":"2024-12-15T22:10:55.364Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_3","description":"","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"These impacts are out of scope for this bug bounty program. \n\n- Best practice recommendations\n- Triggering withdrawal from a Recipient as long as funds go to the right address\n- Any vulnerability regarding roles and privilege escalation on implementation contracts is out of scope as all deployments are under TUP proxy.","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":5166,"type":"smart_contract","severity":"high","title":"Direct theft of any commission, whether at-rest or in-motion"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":9866,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"minReward":100000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":9867,"severity":"high","assetType":"smart_contract","maxReward":100000,"minReward":20000,"rewardModel":"range"},{"id":9868,"severity":"medium","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"2COmkUGOjyG2lhmoRjITbG","url":"https://github.com/AcronymFoundation/anvil-contracts/blob/main/contracts/LetterOfCredit.sol","type":"smart_contract","addedAt":"2024-11-11T10:00:28.000Z","revision":1,"description":"LetterOfCredit - 904 SLOC","isPrimacyOfImpact":null},{"id":"25haocmjtZpLLkyo7NX1kM","url":"https://etherscan.io/address/0x5d2725fdE4d7Aa3388DA4519ac0449Cc031d675f","type":"smart_contract","addedAt":"2024-11-11T10:00:28.000Z","revision":1,"description":"CollateralVault - 606 SLOC","isPrimacyOfImpact":null},{"id":"jUfsemLb5Axhhj1qfx2HQ","url":"https://github.com/AcronymFoundation/anvil-contracts/blob/main/contracts/PythPriceOracle.sol","type":"smart_contract","addedAt":"2024-11-11T10:00:28.000Z","revision":1,"description":"Pyth Price Oracle - 112","isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nAnvil adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the 
terms and conditions stated within this page.\n\n__KYC Requirement__\n\nAnvil will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list \n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this Audit Competition bug bounty and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Anvil has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1fpYacM4YYH1AEYNIjbSvj8hv5A6f_ctn?usp=sharing)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/anvil-letters-of-credit)","boostedIntroLive":"$30,000 USD is available in rewards for finding bugs in Anvil's Letters Of Credit contract of 1622 nSLOC. \n\nKYC is required.\n\nAny technical questions and support requests can be asked directly to Anvil or Immunefi in the [Anvil Letters Of Credit Audit Competition Discord channel](https://discord.com/invite/immunefi).\n\nWhen the Audit Competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nFor more information about Anvil, please visit https://anvil.xyz/","boostedIntroStartingIn":"$30,000 USD in rewards is available for finding bugs on Anvil LetterOfCredit contract. \n\nAnvil is a decentralized finance (DeFi) protocol for the issuance of fully secured credit. 
The protocol's Ethereum-based smart contracts allow users to deposit collateral in a vault, issue letters of credit, and supply assets to staking pools. Anvil's mission is to provide flexible building blocks to bring efficient and transparent collateralized finance into an increasingly decentralized world.\n\nFor more information about Anvil, please visit https://anvil.xyz/\n\n**KYC is required**\n\nAny technical questions can be asked directly to the Anvil technical team on Immunefi's [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"anvil-letters-of-credit\" channel.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Immunefi will publish Anvil's technical walkthrough on our official YouTube channel.","boostedLeaderboard":[{"high":0,"name":"perseverance","critical":2,"earnings":19861,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"max10afternoon","critical":1,"earnings":7139,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"FaisalAli19","critical":0,"earnings":1875,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"jovi","critical":0,"earnings":1125,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1pZrLOmiDyOSpJArm_tkvsQwJRe6PITn8/view?usp=sharing","ecosystem":null,"endDate":"2024-11-22T10:00:00.000Z","evaluationEndDate":"2024-12-13T16:41:08.388Z","features":["Boost","Vault","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-11-11T10:00:28.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3Hr2T9A9pZCCS0Oj9fCzjH/f8f737c77bdfe9814708931dc16676c6/image__21_.png","maxBounty":30000,"outOfScopeAndRules":"To be determined","pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical","smart_contract - medium","smart_contract - 
low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Anvil is a decentralized finance (DeFi) protocol for the issuance of fully secured credit. The protocol's Ethereum-based smart contracts allow users to deposit collateral in a vault, issue letters of credit, and supply assets to staking pools. Anvil's mission is to provide flexible building blocks to bring efficient and transparent collateralized finance into an increasingly decentralized world.\n\nFor more information about Anvil, please visit https://anvil.xyz/ \n\nAnvil provides rewards in USDT on Ethereum, denominated in USD. \n\nThis Audit Competition is running on mainnet. The following conditions apply:\n\n1. Anvil team will freeze the in-scope codebase for the duration of the Audit Competition\n2. Duplicates are rewarded","programType":["Smart Contract"],"project":"Audit Comp | Anvil: Letters of Credit","projectType":null,"rewardsBody":"The following reward terms are a summary. For the full details read our [Anvil: Letters of Credit Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/29954569847697-Anvil-Letters-Of-Credit-Audit-Competition-Reward-Terms)\n\nA reward pool of $30,000 USD will be distributed among participants, even if no valid bugs are found. 
\n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\nDuplicates of Insight reports are not eligible for a reward.","rewardsPool":30000,"primaryPool":30000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT","slug":"audit-comp-anvil-letters-of-credit","tenPercentEconomicRule":false,"updatedDate":"2024-12-13T17:10:53.238Z","impactsBody":"__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nNo. This is a new protocol. \n\n__Where do you suspect there may be bugs? 
Useful aspects of this question are:__\n\n**Which parts of the code are you most concerned about?**\n- Dynamic LOC calculations\n- Dynamic LOC liquidation mechanics\n- LOCs always being redeemable for their credited token value\n    - Note: ignore adverse market conditions as a concern\n\n**What attack vectors are you most concerned about?**\n- Tokens being stolen from the LetterOfCredit contract\n- Tokens being stuck in the LetterOfCredit contract\n- LOCs being created using an account’s collateral without that account’s permission\n\n**Which part(s) of the system do you want whitehats to attempt to break the most?**\n- LOC operations\n\n**Are there any assumed invariants that you want whitehats to attempt to break?**\n- LetterOfCredit\n    - LOCs should always be redeemable for their credited token amount (ignoring adverse market condition cases)\n    - Dynamic LOCs can only be converted by:\n        - The creator\n        - Any party presenting the creator’s signed authorization\n        - Anyone if the LOCs current CollateralFactor based on oracle price meets the LOC’s stored collateralFactorBasisPoints\n    - LOCs may only be redeemed by\n        - The LOC.beneficiary\n        - Any party presenting the beneficiary’s signed authorization\n    - The following LOC operations should always fail after a LOC’s expiration timestamp passes:\n        - redeemLOC()\n        - convertLOC()\n        - modifyLOCCollateral()\n        - extendLOC()\n    - A LOC may be canceled by:\n        - The LOC.beneficiary\n        - Any 3rd party presenting the beneficiary’s signed authorization\n        - Any party after the LOC is expired\n    - The result of cancelLOC() for a LOC with remaining collateral is always one of the following:\n        - The CollateralReservation is released in the CollateralVault, making any reserved collateral associated with the LOC available within the         LOC.creator’s vault account\n        - The collateral stored within the LOC contract for the 
converted LOC is sent directly to the LOC.creator’s address\n\n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nThis project is not a chain of its own and does not have the ability to rewrite history, so no emergency actions should be possible as a way to mitigate an otherwise possible theft. The `LetterOfCredit` contract is meant to be referenced by upgradeable proxies, so bug reports of “frozen” tokens that may be mitigated by a contract upgrade are less of a concern. Anvil will likely pay those out as low severity bugs.\n\n\n__What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nNone to our knowledge. \n\nThere are possible admin actions in `CollateralVault` and `LetterOfCredit`, including contract upgrades for the latter, but those are only possible via governance, which is much slower than any attack and could not reasonably front-run an attack. \n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\nThere are various roles defined in the `CollateralVault` and `LetterOfCredit` contracts that should be assumed to act in any way explicitly permitted by that role, and that is a valid non-bug use case. That is to say that if accounts with an Admin/Owner role, for instance, may withdraw tokens from the contract, registering an attack of the Admin/Owner stealing tokens is invalid because that is not theft – that is an explicitly permitted action.\n\nThat said, in the `CollateralVault` for instance, the design of the contract is such that the contract Owner should not be able to take tokens that are earmarked for an individual account (it may only take `contract balance - SUM(user account balance)`). 
If an attack were to be found such that the owner could take funds that were earmarked for one or more accounts, that would be a valid bug because it undermines the trust assumptions of the contract. \n\n__What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?__\n\nNone that we can think of.\n\n\n__What external dependencies are there?__\n\nThere are external dependencies on ERC-20 tokens. Governance attacks, such as the approval of a malicious ERC-20 token, are out of scope. \n\nThe `LetterOfCredit` contract depends on a PriceOracle to give it valid prices. Market-based oracle attacks are out of scope for this competition. If the `LetterOfCredit` contract’s logic incorrectly uses oracle data, though, that would be in scope.\n\nThere are also dependencies on open source contracts such as OpenZeppelin. While those are 3rd party contracts, they are referenced from within Anvil’s contracts, so any vulnerabilities in Anvil contracts made possible by issues in dependency contracts such as OZ are in scope.\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\n- The code for the `LetterOfCredit` contract is meant to be referenced by proxies as their implementation. Any use case that requires deploying and directly using the LetterOfCredit contract rather than via a proxy would be out of scope. \n- Since the `LetterOfCredit` contract is meant to be referenced by upgradeable proxies, finding some loophole in contract logic such that tokens reserved by that contract become stuck would be a lower severity bug than it would be if the contract were not upgradeable. 
For that reason, token theft as a bug is very much in scope, whereas issues that could be solved via a successful contract upgrade are less critical and therefore low impact.\n- Precision loss is not a valid bug since it is impossible to divide without the possibility of precision loss.\n- Using a signature before someone else uses a signature (i.e. front-running) is not a valid bug. If the signature permits an operation, that operation is welcome and encouraged.\n- “If you were to upgrade the `LetterOfCredit` contract to a contract with a bug, then it would have a bug” is not a valid bug. If there is an issue with the upgrade process itself, that is valid, but simply using the proxy pattern is not a valid bug.\n- The ILiquidator interface is meant to be implemented by sophisticated liquidators external to the protocol / protocol team. An example implementation is included in the codebase as the “UniswapLiquidator” contract, but that contract is not in scope.\n- Avoiding the CollateralVault protocol fee by claiming / withdrawing extremely small amounts repeatedly is not a feasible attack on Ethereum mainnet so it is out of scope.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\n- The concept of CollateralFactors is a bit nuanced. The same concept is used in Compound and other DeFi protocols. In the context of a LOC, a CollateralFactor is the percentage of the collateral token amount that would be necessary to liquidate to receive the LOC’s credited token amount, ignoring all fees and slippage. \n- The maximum CollateralFactor for LOC creation and the CollateralFactor at which point LOCs become liquidatable is stored for each distinct asset-pair that supports dynamic LOCs. 
It is assumed that all fees are baked into that configuration and that the CollateralFactor is padded to handle trading slippage, liquidator incentive, claim fee, etc.\n\n__What is the test suite setup information?__\n\nNo tests have been made public at the moment.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- The fee applied to CollateralVault claims and withdrawals is the same, but the amount the fee is relative to is different such that the absolute fee assessed via withdraw() is higher than claimCollateral() when the amount released by the CollateralVault is the same.\n- ERC165 calls within CollateralVault may prevent addition/removal of collateralizable contracts. Governance should verify this will not be an issue when collateralizable contract addition is proposed.\n\n\n__Previous Audits__\n\nAnvil’s completed audit reports can be found at [https://docs.anvil.xyz/contracts/audits](https://docs.anvil.xyz/contracts/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","websiteUrl":"https://anvil.xyz","githubUrl":null,"eligibilityCriteria":["no_official_contributor","no_ofac_sdn","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Anvil is a decentralized finance (DeFi) protocol for the issuance of fully secured credit. The protocol's Ethereum-based smart contracts allow users to deposit collateral in a vault, issue letters of credit, and supply assets to staking pools. 
For more information about Anvil, please visit https://anvil.xyz/ ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5198,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds within the CollateralVault for at least 48 hours"},{"id":5201,"type":"smart_contract","severity":"high","title":"Smart contract unable to operate due to lack of token funds"},{"id":5204,"type":"smart_contract","severity":"low","title":"Temporary freezing of funds set to 48 hrs within the LetterOfCredit contract"},{"id":5205,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds (note: if a LetterOfCredit proxy update may fix the issue, it is temporary)"},{"id":5206,"type":"smart_contract","severity":"low","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"1YkHqUbfnxAnca3Yundei6","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-10-16T08:00:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"5TT3o4uJyHjAqCdEYYtz2B","url":"https://etherscan.io/address/0x5d2725fdE4d7Aa3388DA4519ac0449Cc031d675f","type":"smart_contract","addedAt":"2024-10-16T08:00:00.000Z","revision":1,"description":"CollateralVault.sol - 606 SLOC","isPrimacyOfImpact":null},{"id":"4ywmkFrGN0DbBu2QrknIoS","url":"https://etherscan.io/address/0xd042C267758eDDf34B481E1F539d637e41db3e5a","type":"smart_contract","addedAt":"2024-10-16T08:00:00.000Z","revision":1,"description":"TimeBasedCollateralPool.sol - 778 SLOC","isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Known Issue Assurance__\n\nAnvil commits to providing Known Issue Assurance to bug submissions through their program. This means that Anvil will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. 
Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nAnvil adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact \nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__KYC Requirement__\n\nAnvil will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\nSecurity researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. 
Immunefi may make exceptions due to extenuating circumstances.\n\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this Audit Competition bug bounty and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Anvil has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/17Wj9-nOE6kuMsw3D8Yvy85B0AoadMbkH?usp=sharing)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/anvil)","boostedIntroLive":"","boostedIntroStartingIn":"$50,000 USD in rewards is available for finding bugs on Anvil Vault\n\nAnvil is a decentralized finance (DeFi) protocol for the issuance of fully secured credit. The protocol's Ethereum-based smart contracts allow users to deposit collateral in a vault, issue letters of credit, and supply assets to staking pools. 
Anvil's mission is to provide flexible building blocks to bring efficient and transparent collateralized finance into an increasingly decentralized world.\n\n\nFor more information about Anvil, please visit https://anvil.xyz/\n\n**KYC is required**\n\nAny technical questions can be asked directly to the Anvil technical team on Immunefi's [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"anvil-audit-competition\" channel.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nThe day after the launch, Anvil will give a live technical walkthrough.","boostedLeaderboard":[{"high":0,"name":"niroh","critical":1,"earnings":40282,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"gladiator111","critical":0,"earnings":3322,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"perseverance","critical":0,"earnings":2096,"insights":1,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"max10afternoon","critical":0,"earnings":1107,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Blockian","critical":0,"earnings":694,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"ox9527","critical":0,"earnings":626,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"MrMorningstar","critical":0,"earnings":417,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"zhuying","critical":0,"earnings":294,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Hoverfly9132","critical":0,"earnings":294,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"trtrth","critical":0,"earnings":294,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"savi0ur","critical":0,"earnings":294,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"ProfitableFrog6412","critical":0,"earnings":139,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"ihtishamsudo","critical":0,"earnings":139,"insights"
:1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1T0yw5_D8hQJcC0259lEcDJbYh-tYkA0b/view?usp=sharing","ecosystem":null,"endDate":"2024-11-06T08:00:00.000Z","evaluationEndDate":"2024-12-09T08:00:00.000Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-10-16T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2mGK0eYVaDmJRa9glTW4z7/f9526c17f5faa6b5007c29f6caf1226f/4D0J2eDi_500x500-3.png","maxBounty":50000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - medium","smart_contract - high","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Anvil is a decentralized finance (DeFi) protocol for the issuance of fully secured credit. The protocol's Ethereum-based smart contracts allow users to deposit collateral in a vault, issue letters of credit, and supply assets to staking pools. Anvil's mission is to provide flexible building blocks to bring efficient and transparent collateralized finance into an increasingly decentralized world.\n\nFor more information about Anvil, please visit https://anvil.xyz/ \n\nAnvil provides rewards in USDT on Ethereum, denominated in USD.\n\nKYC is required.\n\nThis Audit Competition is running on mainnet. The following conditions apply:\n\n1. Anvil team will freeze the codebase during the duration of the Audit Competition:\n2. 
Duplicates are rewarded","programType":["Smart Contract"],"project":"Audit Comp | Anvil","projectType":null,"rewardsBody":"The following reward terms are a summary. For the full details read our [Anvil Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/29281157644689-Anvil-Audit-Competition-Reward-Terms)\n\nA reward pool of $50,000 USD will be distributed among participants, even if no valid bugs are found. \n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\n*Insight Rewards*: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Boost (Audit Competitions) & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)\n\nDuplicates of Insight reports are not eligible for a reward.","rewardsPool":50000,"primaryPool":50000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT","slug":"audit-comp-anvil","tenPercentEconomicRule":false,"updatedDate":"2024-12-13T07:19:07.234Z","impactsBody":"__Is this an upgrade of an existing system? If so, which? 
And what are the main differences?__\n\nNo. This is a new protocol. \n\n__Where do you suspect there may be bugs? Useful aspects of this question are:__\n\n\n- Which parts of the code are you most concerned about?\n\nTimeBasedCollateralPool accounting\n- What attack vectors are you most concerned about?\nTokens being stuck in the CollateralVault or stolen from the TimeBasedCollateralPool or CollateralVault\n- Which part(s) of the system do you want whitehats to attempt to break the most?\nTimeBasedCollateralPool accounting\n- Are there any assumed invariants that you want whitehats to attempt to break?\n\n- **CollateralVault**\n\n1. Owner cannot take tokens associated with account balances, only balances that are not associated with accounts (max withdrawable by owner is CollateralVault balance - SUM(accountBalances))\n2. Collateralizable contracts can only reserve & claim account tokens up to their account allowance, which decreases on reservation\n3. CollateralReservations may not be changed, claimed, or released by any party other than the reserving collateralizable contract\n4. CollateralReservations are resilient to contract governance actions (e.g. disabling the CollateralToken being used, changing the withdrawal fee, etc.)\n5. Account balances for distinct ERC-20 tokens will be accounted for separately at all times (never mixed up)\n\n- **TimeBasedCollateralPool**\n\n1. Accounts always receive units proportional to their staked tokens for staking operations and receive tokens proportional to their pool units for unstaking operations\n2. Tokens being unstaked are still claimable for at least 1 epoch after initiating unstaking\n3. Tokens being unstaked are never claimable after the end of the epoch following the epoch in which unstaking was initiated\n4. Units and balances for distinct ERC-20 tokens will be accounted for separately at all times (never mixed up)\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? 
Which are not?__\n\nERC-20 tokens that are subject to governance review ahead of support. That is to say that attacks that stem from malicious code within a token contract should be out of scope for this program, as any complex / non-standard ERC-20 token will be restricted by governance until proven safe. Fee-on-Transfer tokens, rebasing tokens, and tokens with upgradeable contracts should be assumed never to be supported, as well as other tokens that could present a security risk.\n\n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\n\n- For each emergency action, how does it work, how would it affect a bug report, and when would you utilize it?\n\nIf this is listed in your documentation, then a link to that part of the documentation would suffice.\n\n- Note that normally, not all emergency actions are accepted as a valid reason to invalidate or downgrade an otherwise valid bug report, such as chain rollbacks.\n\nThis project is not a chain of its own and does not have the ability to rewrite history, so no emergency actions should be possible as a way to mitigate an otherwise possible theft. The TimeBasedCollateralPool contract is meant to be referenced by upgradeable proxies, so bug reports of “frozen” tokens that may be mitigated by a contract upgrade are less of a concern and therefore out of scope. Anvil will likely pay those out as low severity bugs reported via our forthcoming bug bounty program, but not as a part of this Audit Competition. \n\n\n__What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nNone to our knowledge. \n\nThere are possible admin actions in CollateralVault and TimeBasedCollateralPool, including contract upgrades for the latter, but those are only possible via governance, which is much slower than any attack and could not reasonably front-run an attack. 
\n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\nThere are various roles defined in the CollateralVault and TimeBasedCollateralPool contracts that should be assumed to act in any way explicitly permitted by that role, and that is a valid non-bug use case. That is to say that if accounts with an Admin/Owner role, for instance, may withdraw tokens from the contract, registering an attack of the Admin/Owner stealing tokens is invalid because that is not theft – that is an explicitly permitted action.\n\nThat said, in the CollateralVault for instance, the design of the contract is such that the contract Owner should not be able to take tokens that are earmarked for an individual account (it may only take contract balance - SUM(user account balance)). If an attack were to be found such that the owner could take funds that were earmarked for one or more accounts, that would be a valid bug because it undermines the trust assumptions of the contract. \n\n\n__What external dependencies are there?__\n\nThere are external dependencies on ERC-20 tokens. Governance attacks, such as the approval of a malicious ERC-20 token, are out of scope. \n\nThere are also dependencies on open source contracts such as OpenZeppelin. While those are 3rd party contracts, they are referenced from within Anvil’s contracts, so any vulnerabilities in Anvil contracts made possible by issues in dependency contracts such as OZ are in scope.\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nThe code for the TimeBasedCollateralPool contract is meant to be referenced by proxies as their implementation. A TimeBasedCollateralPool contract could be deployed and not initialized, since it is not meant to be called directly, leaving it open to some 3rd party initializing it. 
If that happens, it is not a valid attack on the contract, as it is not meant to be used directly.\nSince the TimeBasedCollateralPool contract is meant to be referenced by upgradeable proxies, finding some loophole in contract logic such that tokens reserved by that contract become stuck would be a lower severity bug than it would be if the contract were not upgradeable. For that reason, token theft as a bug is very much in scope, whereas issues that could be solved via a successful contract upgrade are less critical and therefore out of scope.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nThere is rather complicated accounting in TimeBasedCollateralPool to allow for permissionless time-based unstaking. While that design may be hard to understand on first read, contract-, function-, and code-level comments should provide useful context to help interpret the logic.\nIn TimeBasedCollateralPool, the term “units” is used to represent an account’s proportional involvement in the pool. If not immediately apparent, please note units imply a percentage (account units / total pool units).\n\n\n__What is the test suite setup information?__\n\nNo tests have been made public at the moment.\n\n__Public Disclosure of Known Issues__\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\nThere are no known issues that fall within the defined scope of this program.\n\n__Previous Audits__\nAnvil’s completed audit reports can be found at [https://docs.anvil.xyz/contracts/audits](https://docs.anvil.xyz/contracts/audits). 
Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.","websiteUrl":"https://anvil.xyz","githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":null,"description":"Anvil is a decentralized finance (DeFi) protocol for the issuance of fully secured credit. The protocol's Ethereum-based smart contracts allow users to deposit collateral in a vault, issue letters of credit, and supply assets to staking pools. For more information about Anvil, please visit https://anvil.xyz/ \n","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":5172,"type":"smart_contract","severity":"low","title":"Temporary freezing of funds within the TimeBasedCollateralPool for at least 48 hours"},{"id":5173,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds within the CollateralVault for at least 48 hours"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"6MyR9a29PegqH8KIXLWDam","url":"https://blog.openzeppelin.com/anvil-protocol-audit","auditor":"OpenZeppelin Audit # 2","date":"2024-10-11"},{"id":"71NlSunghGfxExpKqimarO","url":"https://blog.openzeppelin.com/anvil-audit","auditor":"OpenZeppelin Audit # 1","date":"2024-10-11"},{"id":"7bjB0FDqn65945QChaN5sY","url":"https://github.com/trailofbits/publications/blob/master/reviews/2023-12-acronym-foundation-securityreview.pdf","auditor":"Trail Of Bits Audit","date":"2023-12-23"}]},{"assets":[{"id":"3lfL4SqQTHXQOb59FnPYdE","url":"https://etherscan.io/address/0x4F604735c1cF31399C6E711D5962b2B3E0225AD3","type":"smart_contract","addedAt":"2022-11-23T18:42:18.349Z","revision":1,"description":"ERC1967Proxy for USDGLO on 
Ethereum","isPrimacyOfImpact":null},{"id":"7yvKnRiNLHFgUEyc8u9moM","url":"https://etherscan.io/address/0xf8dbe4f52b7d4fe90cd360aa4f49b7a66783c56f","type":"smart_contract","addedAt":"2022-11-23T18:42:39.778Z","revision":3,"description":"current implementation contract of USDGLO on Ethereum","isPrimacyOfImpact":null},{"id":"5VcCMSt1XkSGZSBKscU8UZ","url":"https://polygonscan.com/address/0x4F604735c1cF31399C6E711D5962b2B3E0225AD3","type":"smart_contract","addedAt":"2022-11-23T18:42:53.209Z","revision":1,"description":"ERC1967Proxy for USDGLO on Polygon","isPrimacyOfImpact":null},{"id":"1dSDF567FxqnjY4nJZTWGr","url":"https://polygonscan.com/address/0xf8dbe4f52b7d4fe90cd360aa4f49b7a66783c56f","type":"smart_contract","addedAt":"2022-11-23T18:43:07.532Z","revision":3,"description":"current implementation contract of USDGLO on Polygon","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by Global Income Coin that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. 
This only applies to Critical impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2022-02-14T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4P8QMkQfJs8betN40aGVhh/384de78ef91d39c953d0863b37c0f6fe/Global_Income_Coin_logo.jpeg","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Stablecoin"],"programOverview":"Glo is a fully backed stablecoin pegged to the US dollar. We're non-profit. Like other stablecoin companies, we earn interest from our reserves. The difference: we give all of it away to reduce extreme poverty. You can generate basic income for people in extreme poverty simply by owning Glo. More Glo adoption means more basic income for more people.\n\nFor more information about Glo, please visit [https://www.glodollar.org/](https://www.glodollar.org/)","programType":["Smart Contract"],"project":"Glo Dollar","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll High and Critical Smart Contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nGlo requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is name, address, date, and the full amount you claim, clearly stated on an invoice. The collection of this information will be done by the project team.\n\nPayouts are handled by the __Glo__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"glodollar","updatedDate":"2024-12-10T18:52:45.380Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Glo is a fully backed stablecoin pegged to the US dollar. We're non-profit. Like other stablecoin companies, we earn interest from our reserves. The difference: we give all of it away to reduce extreme poverty. You can generate basic income for people in extreme poverty simply by owning Glo. More Glo adoption means more basic income for more people.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3671,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":3672,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 hour"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":3673,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":3674,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":3675,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":9696,"severity":"critical","assetType":"smart_contract","fixedReward":50000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":9697,"severity":"high","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":9698,"severity":"medium","assetType":"smart_contract","fixedReward":1250,"rewardModel":"fixed"},{"id":9699,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"32dzH3QYHu7ZwvBE7HlJOZ","url":"https://optimistic.etherscan.io/address/0xf9cfb8a62f50e10adde5aa888b44cf01c5957055","type":"smart_contract","addedAt":"2023-09-08T13:00:00.000Z","revision":3,"description":"VeloPositionManage (LYF)","isPrimacyOfImpact":null},{"id":"6gI1JOwUp756wwJcitbI3P","url":"https://optimistic.etherscan.io/address/0xbb505c54d71e9e599cb8435b4f0ceec05fc71cbd","type":"smart_contract","addedAt":"2023-09-08T13:00:00.000Z","revision":3,"description":"LendingPool (LYF)","isPrimacyOfImpact":null},{"id":"7xqVuwDHNjrnPYs5Te7vB","url":"https://optimistic.etherscan.io/token/0x2dad3a13ef0c6366220f989157009e501e7938f8","type":"smart_contract","addedAt":"2023-09-08T13:00:00.000Z","revision":2,"description":"EXTRA (LYF)","isPrimacyOfImpact":null},{"id":"4q3ctgxjHcQgGX74zBZcI6","url":"https://optimistic.etherscan.io/address/0xb7d8613728efcfbb18bcd63deec06f64441d322a","type":"smart_contract","addedAt":"2023-09-08T13:00:00.000Z","revision":2,"description":"RewardDistributor (LYF)","isPrimacyOfImpact":null},{"id":"7ddm6z4UCuQN1Yi3f4HA4x","url":"https://optimistic.etherscan.io/address/0xe0bec4f45aef64cec9dcb9010d4beffb13e91466","type":"smart_contract","addedAt":"2023-09-08T13:00:00.000Z","revision":2,"description":"VeToken (LYF)","isPrimacyOfImpact":null},{"id":"6s9Uuw8xpgBnlWEJKq0t5","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:28:20.946Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"ZbvM1H4JImZC8farn8COO","url":"https://optimistic.etherscan.io/address/0x345D2827f36621b02B783f7D5004B4a2fec00186#code","type":"smart_contract","addedAt":"2024-11-26T12:49:38.326Z","revision":1,"description":"Pool_Proxy (Lending Market)","isPrimacyOfImpact":null},{"id":"15B3sZ8QVtngkn2p9RCpro","url":"https://optimistic.etherscan.io/address/0x0353b6221b23b8320202320ca450eeb9fb0de9e5#code","type":"smart_contract","addedAt":"2024-11-26T12:50:01.114Z","revision":1,"description":"Pool_Impl (Lending Market)","isPrimacyOfImpact":null},{"id":"531kc8VlXtsi6kzN51NzUU","url":"https://optimistic.etherscan.io/address/0x2B275176804dd01b6a90d61bDa3c80E3A470662E#code","type":"smart_contract","addedAt":"2024-11-26T12:50:20.117Z","revision":1,"description":"A_Token (Lending Market)","isPrimacyOfImpact":null},{"id":"58vhXI6hXVGpRW1LBbHkIM","url":"https://optimistic.etherscan.io/address/0xC0C88d2752C58263c2b7F4Ac6ecBedC78eDD5d5E#code","type":"smart_contract","addedAt":"2024-11-26T12:50:36.119Z","revision":1,"description":"Debt_Token (Lending Market)","isPrimacyOfImpact":null},{"id":"54j04vqrhhiQQMt0D6gASH","url":"https://optimistic.etherscan.io/address/0xc1504B3D0e72C717151957ceb0252FF8f93A9A1e#code","type":"smart_contract","addedAt":"2024-11-26T12:51:45.053Z","revision":1,"description":"PoolConfigurator (Lending Market)","isPrimacyOfImpact":null},{"id":"SkGDdJ24bAiL1kjofzddx","url":"https://optimistic.etherscan.io/address/0x9378C2e058D87DE7F9EDbF3574eD5B4128980ADC#code","type":"smart_contract","addedAt":"2024-11-26T12:52:04.253Z","revision":2,"description":"PoolConfiguratorImpl (Lending Market)","isPrimacyOfImpact":null},{"id":"5cjorSplWqqHyQHEOZ81cR","url":"https://optimistic.etherscan.io/address/0xA98cC6031Ba6908d73dC5615ca82B607096D721d#code","type":"smart_contract","addedAt":"2024-11-26T12:52:21.721Z","revision":2,"description":"PoolAddressProvider (Lending 
Market)","isPrimacyOfImpact":null},{"id":"6248upy3OjWfvEoCybK7bQ","url":"https://optimistic.etherscan.io/address/0x70Cdb45f5b0660c122708286198446d23872595f#code","type":"smart_contract","addedAt":"2024-11-26T12:53:00.217Z","revision":1,"description":"ACL_Manager (Lending Market)","isPrimacyOfImpact":null},{"id":"6CBTkGrEdwCRtc48c2xIvB","url":"https://optimistic.etherscan.io/address/0x90cF2763CC710B9Ce215584A89c77F70bbb96B44#code","type":"smart_contract","addedAt":"2024-12-10T18:03:25.670Z","revision":1,"description":"ExtraXAccountFactoryProxy","isPrimacyOfImpact":null},{"id":"45xmrn3Cq9BOqKLNaLQKzb","url":"https://optimistic.etherscan.io/address/0x345e8250cb11f61f0d8cfabac6be59a356309a58#code","type":"smart_contract","addedAt":"2024-12-10T18:03:41.257Z","revision":1,"description":"ExtraXAccountFactoryImpl","isPrimacyOfImpact":null},{"id":"6DG3qvYcHyBqNfhWZGnbLV","url":"https://optimistic.etherscan.io/address/0x1EEA0464D31F349D31FF7D318ce236F48AD92438#code","type":"smart_contract","addedAt":"2024-12-10T18:03:55.208Z","revision":1,"description":"ExtraXAccountCreatorSafe130","isPrimacyOfImpact":null},{"id":"2qIztJ3mwuzLs0XtQNjBe8","url":"https://optimistic.etherscan.io/address/0xd4b5D2A9F8e9Ec1883Ef997eB508EA6Cc12B240f#code","type":"smart_contract","addedAt":"2024-12-10T18:04:08.004Z","revision":1,"description":"ExtraXAccountCreatorCoinbase","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-09-08T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4JXYt1FfXPS1UNWVkuryvd/59e60a80562a52a0a4298df84a6f444e/photo_2023-08-22_06-36-56_copy.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - 
critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending","Yield Aggregator"],"programOverview":"Extra Finance is a professional leveraged yield farming (LYF) protocol:\n\n__Leveraged Yield Farming (LYF):__\n\nBy offering up to 7x leverage, Extra Finance enables users to farm a diverse range of farming pools with customized farming strategies. Extra Finance also functions as a lending protocol, users can deposit funds to earn lending interest.\n\nThe Optimism Foundation is excited to announce its latest bug bounty matching program, specifically designed for Extra Finance. In collaboration with Immunefi, the Optimism Foundation aims to encourage and incentivize security researchers to find and responsibly disclose vulnerabilities. This will contribute to a safer ecosystem for all Optimism participants involved and showcase the foundation's commitment to security. \n\nTo participate, security researchers should focus on identifying critical and high Extra Finance-specific vulnerabilities that could potentially impact the wider Optimism ecosystem. Optimism will match any rewards offered by Extra Finance, contributing a total of 52,500 OP tokens.\n\nFor more information about Extra Finance, please visit [https://extrafi.io/](https://extrafi.io/) \n\nExtra Finance provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__Lending Market:__\n\nExtrafi Xlend is a smart lending protocol offering features such as multi-accounts and liquidation-free borrowing. 
Its integrated smart accounts unlock advanced on-chain lending and borrowing strategies.\n\n__Primacy of Impact vs Primacy of Rules__\n\nExtra Finance adheres to the Primacy of Impact for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n\n__Immunefi Standard Badge__\n\nExtra Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"Extra Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 15 000 is paid in order to incentivize security researchers against withholding a bug report.  \n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Previous Audits__\n\nExtra Finance has provided these completed audit review reports for reference. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n__LYF:__\n\n- [https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-ExtraFi-v1.0.pdf](https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-ExtraFi-v1.0.pdf)\n- [https://github.com/blocksecteam/audit-reports/blob/main/solidity/blocksec_extrafinance_v1.0-signed.pdf](https://github.com/blocksecteam/audit-reports/blob/main/solidity/blocksec_extrafinance_v1.0-signed.pdf)\n\n__Lending Market:__\n\n- [https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-ExtraFi-v1.0.pdf](https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-ExtraFi-v1.0.pdf)\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nAs part of the bug bounty matching program, Optimism will contribute __52,500__ OP tokens to match the rewards offered by Extra Finance. 
This means that for every reward paid out by Extra Finance to a security researcher, Optimism will provide an additional, matching reward, in OP tokens. The total reward pool for this program is __52,500__ OP tokens.\n\nPayouts are handled by the Extra Finance team directly and are denominated in USD. However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"extrafinance","updatedDate":"2024-12-10T18:05:48.109Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Extra Finance is a professional leveraged yield farming (LYF) protocol.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":7914,"severity":"high","assetType":"smart_contract","maxReward":15000,"minReward":3000,"rewardModel":"range"},{"id":7915,"severity":"medium","assetType":"smart_contract","maxReward":3000,"minReward":1000,"rewardModel":"range"},{"id":8246,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":15000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"72sIqDELjgZ53ZAHZtriPn","url":"https://etherscan.io/address/0x9ea7b04da02a5373317d745c1571c84aad03321d","type":"smart_contract","addedAt":"2022-05-10T16:29:40.473Z","revision":2,"description":"Entry-points to the system","isPrimacyOfImpact":null},{"id":"33wq4lHanGxQhGt4yHF3tA","url":"https://etherscan.io/address/0xA50d4E7D8946a7c90652339CDBd262c375d54D99","type":"smart_contract","addedAt":"2022-05-10T16:29:42.020Z","revision":2,"description":"Entry-points to the system","isPrimacyOfImpact":null},{"id":"7K2fTrFSIASLL9UyF85ODW","url":"https://github.com/Gearbox-protocol/security/blob/main/bug-bounty/v3-scope.md","type":"smart_contract","addedAt":"2022-05-10T16:29:43.096Z","revision":2,"description":"The detailed lists of all deployed contracts eligible for the program","isPrimacyOfImpact":null},{"id":"5nfzRgy2b71rF1CdLEysXH","url":"https://wwwimmunefi.com","type":"smart_contract","addedAt":"2024-02-12T15:50:12.249Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"If you have found a bug that you think is within the security interests of the protocol but is outside of the scope (e.g., the contract is not yet deployed), please notify the team anyway. 
You can decide ad-hoc together with them in such cases. 1/1 payouts have been done before based on this.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2022-02-08T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5GOsjS01FpGEPA6hXdth5H/ce653a8ad09690883d2184043b04d552/Gearbox_logo.jpeg","maxBounty":200000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n  - Loss of Pools Funds\n  - Loss funds of Credit Account\n  - Loss of Treasury Funds\n  - Freezing of funds on Credit Account or in Pool for any amount of time\n  - Smart contract gas drainage\n  - Block stuffing without fund transfers blocked\n  - Smart contract fails to deliver promised returns, but doesn’t lose value","productType":["Options","Perpetuals"],"programOverview":"Gearbox is a generalized leverage protocol: it allows you to take leverage in one place and then use it across various DeFi protocols and platforms in a composable way. 
The protocol has two sides to it: passive liquidity providers who earn higher APY by providing liquidity; and active traders, farmers, or even other protocols who can borrow those assets to trade or farm with even x10 leverage.\n\nThe core vision is to become a composable backend leverage protocol that all kinds of users can rely on without ever needing to interact directly with any interface. \n\nFor more information about Gearbox, please visit: [https://docs.gearbox.finance/ ](https://docs.gearbox.finance/)\n\nDev docs are available at [https://dev.gearbox.fi/](https://dev.gearbox.fi/) \n\nTo see the dApp, please visit: [https://app.gearbox.fi/](https://app.gearbox.fi/). \n\nGearbox provides rewards denominated in __USD__; however, payouts are done in __USDC__. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nGearbox adheres to the Primacy of Impact for the following impacts:\n\n  - Smart Contract: Critical\n  - Smart Contract: High\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound strictly by the terms and conditions stated within this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). A suggestion for a fix is preferred but not compulsory for Low and Medium Smart Contract bug reports. Explanations and statements are not accepted as a PoC; code is required. \n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n\n  - [https://github.com/Gearbox-protocol/core-v2/issues](https://github.com/Gearbox-protocol/core-v2/issues)\n  - [https://github.com/Gearbox-protocol/core-v3/issues](https://github.com/Gearbox-protocol/core-v3/issues)\n  - [https://github.com/Gearbox-protocol/integrations-v3/issues](https://github.com/Gearbox-protocol/integrations-v3/issues)\n  - [https://github.com/Gearbox-protocol/oracles-v3/issues](https://github.com/Gearbox-protocol/oracles-v3/issues)\n  - [https://github.com/Gearbox-protocol/bots-v3/issues](https://github.com/Gearbox-protocol/bots-v3/issues)\n  - [https://github.com/Gearbox-protocol/gearbox-contracts/issues](https://github.com/Gearbox-protocol/gearbox-contracts/issues)\n  - [https://github.com/Gearbox-protocol/integrations-v2/issues](https://github.com/Gearbox-protocol/integrations-v2/issues)\n  - [https://github.com/Gearbox-protocol/governance/issues](https://github.com/Gearbox-protocol/governance/issues)\n  - [https://github.com/Gearbox-protocol/security/tree/main/disclosures](https://github.com/Gearbox-protocol/security/tree/main/disclosure)\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Gearbox has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"Gearbox","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nCritical smart contract vulnerabilities are capped at __10%__ of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. 
However, there is a minimum reward of __USD 20 000__\n\n__Repeatable Attack Limitations__\n\n  - If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n  - For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n  - High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of __USD 5 000__ to __USD 20 000__ depending on the funds at risk, capped at the maximum high reward.  \n\n  - In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the __Gearbox__ team directly and are denominated in __USD__. However, payments are done in __USDC__\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"gearbox","tenPercentEconomicRule":true,"updatedDate":"2024-12-07T18:55:18.183Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Gearbox is a generalized leverage protocol: it allows you to take leverage in one place and then use it across various DeFi protocols and platforms in a composable way. The protocol has two sides to it: passive liquidity providers who earn higher APY by providing liquidity; and active traders, farmers, or even other protocols who can borrow those assets to trade or farm with even x10 leverage.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":1807,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":1808,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation (unless related to Snapshot)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":1809,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":9550,"severity":"critical","assetType":"smart_contract","maxReward":200000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":9551,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":9552,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":9553,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"6WV1ExQ8ki27poQLuldFvb","url":"https://github.com/gear-tech/gear/tree/master/common","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Common","isPrimacyOfImpact":null},{"id":"kDE8rjYEXsR6GZ1rf8nj3","url":"https://github.com/gear-tech/gear/tree/master/core-backend/common","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Core backend common","isPrimacyOfImpact":null},{"id":"56fZe5btMU4LPdbQqNpyth","url":"https://github.com/gear-tech/gear/tree/master/core-backend/sandbox","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Core 
backend sandbox","isPrimacyOfImpact":null},{"id":"7sNxKSgXxGByg0OB1VSxvP","url":"https://github.com/gear-tech/gear/tree/master/core-processor","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Core processor","isPrimacyOfImpact":null},{"id":"3bKQhxZ5CLOXSxfwwyoSQh","url":"https://github.com/gear-tech/gear/tree/master/core","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Core","isPrimacyOfImpact":null},{"id":"5RnYG6RSPuktzC4xt2bFVg","url":"https://github.com/gear-tech/gear/tree/master/lazy-pages","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Lazy pages","isPrimacyOfImpact":null},{"id":"1OzIDbz9FrUcsqoQWlPMSW","url":"https://github.com/gear-tech/gear/tree/master/node","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Node","isPrimacyOfImpact":null},{"id":"17l1idjsEQn2VRuKrDTPQQ","url":"https://github.com/gear-tech/gear/tree/master/pallets","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Pallets","isPrimacyOfImpact":null},{"id":"L4tBRIhMuHTcCMoeQFr8m","url":"https://github.com/gear-tech/gear/tree/master/runtime-interface","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Runtime interface","isPrimacyOfImpact":null},{"id":"33IVettEYvN9uzN5gkjqVd","url":"https://github.com/gear-tech/gear/tree/master/runtime","type":"blockchain_dlt","addedAt":"2023-02-24T13:00:00.000Z","revision":1,"description":"Runtime","isPrimacyOfImpact":null}],"assetsBodyV2":"Gear Assets in scope table are specified to commit 22dfb9e43fe4fc608c747ca02e0e4ba7c5ccf123. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program. 
\n\nIf an impact can be caused to any other asset managed by Gear that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Kusama","Polkadot"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Rust"],"launchDate":"2023-02-24T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3gADW1x1UkGdcgCQwAwnSu/4a0c32a23978ba97b811797d8746f727/Gear_logo.jpeg","maxBounty":25000,"pocPerTypeAndSeverity":["blockchain_dlt - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1","Services"],"programOverview":"Gear protocol is an advanced WASM based smart contract platform capable of being deployed as a Kusama and Polkadot parachain, that enables developers to deploy their dApps in under 5 minutes in the easiest and most efficient way possible.\n\nFor more information about Gear, please visit [https://www.gear-tech.io/](https://www.gear-tech.io/).","programType":["Blockchain/DLT"],"project":"Gear","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the  [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/) This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. 
\n\nAll Critical Blockchain/DLT bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as a PoC; code is required.\n\nThe following vulnerabilities are not eligible for a reward:\n- [https://github.com/gear-tech/gear/issues ](https://github.com/gear-tech/gear/issues)\n- Issues that cannot be reproduced on networks configured and currently run by Gear (i.e., Gear Test Network V6, Vara Network). Severity of issues that point out problems with the code and can _theoretically_ affect the above network list will be considered individually.\n\nGear requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is a passport and a utility bill. The collection of this information will be done by the project team.\n\nPayouts are handled by the __Gear__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"gear","updatedDate":"2024-12-07T18:46:43.274Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Gear protocol is an advanced WASM based smart contract platform capable of being deployed as a Kusama and Polkadot parachain, that enables developers to deploy their dApps in under 5 minutes in the easiest and most efficient way possible.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Issues that cannot be reproduced on networks configured and currently run by Gear, i.e.: \n1. Gear Test Network V6\n2. Vara Network\n\nSeverity of issues that point out problems with the code and can __theoretically__ affect the above network list will be considered individually.\n\n- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3911,"type":"blockchain_dlt","severity":"low","title":"DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network"},{"id":3912,"type":"blockchain_dlt","severity":"low","title":"Underpricing transaction fees relative to computation time"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":3913,"type":"blockchain_dlt","severity":"high","title":"Transient consensus failures"},{"id":3914,"type":"blockchain_dlt","severity":"high","title":"RPC API crash"},{"id":3915,"type":"blockchain_dlt","severity":"high","title":"Network unable to process internal message queue and requires maintenance mode to restart it"},{"id":3916,"type":"blockchain_dlt","severity":"medium","title":"High compute consumption by validator/mining nodes when blocks are not full"},{"id":3917,"type":"blockchain_dlt","severity":"medium","title":"Attacks against thin clients"},{"id":3918,"type":"blockchain_dlt","severity":"medium","title":"DoS of greater than 30% of validator or miner nodes and does not shut down the network"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network 
shutdown)"},{"id":2,"type":"blockchain_dlt","severity":"critical","title":"Unintended permanent chain split requiring hard fork (network partition requiring hard fork)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"}],"rewards":[{"id":9546,"severity":"critical","assetType":"blockchain_dlt","fixedReward":25000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":9547,"severity":"high","assetType":"blockchain_dlt","fixedReward":10000,"rewardModel":"fixed"},{"id":9548,"severity":"medium","assetType":"blockchain_dlt","fixedReward":2000,"rewardModel":"fixed"},{"id":9549,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"21zPm19TlbEQqK0SR1jK48","url":"https://etherscan.io/address/0x26805021988F1a45dC708B5FB75Fc75F21747D8c","type":"smart_contract","addedAt":"2022-02-09T12:45:07.989Z","revision":1,"description":"xGamma","isPrimacyOfImpact":null},{"id":"2zW4jVKz9ikehx9XfuQkKY","url":"https://etherscan.io/address/0xa8076ae31e4b6c64d07b1ed27889924a962a70d3","type":"smart_contract","addedAt":"2022-03-30T17:40:11.919Z","revision":2,"description":"Hypervisor","isPrimacyOfImpact":null},{"id":"5HYeXpcawP3e58xcFJJJrT","url":"https://etherscan.io/address/0x83de646a7125ac04950fea7e322481d4be66c71d","type":"smart_contract","addedAt":"2022-04-25T16:25:55.512Z","revision":2,"description":"UniProxy","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty 
program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-10-08T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2teADVeqlZjb4p9u7YbiMX/9c40208f8f56b9beb73bb3077228fa2c/Gamma_Logo.png","maxBounty":50000,"outOfScopeAndRules":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n  - Attacks that the reporter has already exploited themselves, leading to damage\n  - Attacks requiring access to leaked keys/credentials\n  - Attacks requiring access to privileged addresses (governance, strategist)\n  - Attacks which require differing operational configuration than targets supplied\n\n__Smart Contracts and Blockchain__\n\n  - Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n  - Basic economic governance attacks (e.g. 51% attack)\n  - Lack of liquidity\n  - Best practice critiques\n  - Sybil attacks\n\nThe following activities are prohibited by this bug bounty program:\n\n  - Any testing with mainnet or public testnet contracts; all testing should be done on private testnets\n  - Any testing with pricing oracles or third party smart contracts\n  - Attempting phishing or other social engineering attacks against our employees and/or customers\n  - Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n  - Any denial of service attacks\n  - Automated testing of services that generates significant amounts of traffic\n  - Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors\n    - including unhandled exceptions\n    - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces","productType":["AMM","Liquid Staking"],"programOverview":"Access active liquidity management on Uniswap v3. Gamma has developed a protocol, a management infrastructure, and a variety of strategies used by managers and market makers. As an LP, you can deposit your assets for Gamma to actively manage in Uniswap v3 positions, returning yield in the asset you deposit.\n\nFor more information about Gamma, please visit [https://www.gammastrategies.org/](https://www.gammastrategies.org/).   
\n\nThis bug bounty program is focused on their smart contracts and on preventing:\n\n  - Loss of user funds\n  - Theft of unclaimed yield or principal\n  - Freezing of unclaimed yield","programType":["Smart Contract"],"project":"Gamma","projectType":["Defi","Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll bug reports must come with a PoC in order to be considered for a reward. \n\nThe following known issues would be considered as out-of-scope of this bounty program: \n  - For the UniProxy contract, its deposit configuration is its operational context. Attacks which depend on a different configuration than the one provided for their example Hypervisor contract are not to be considered\n  - For the xGamma contract, an attack is possible wherein the attacker deposits just before and withdraws just after a rebase. In our operational context, they do not send funds (rebase) to the xGamma contract outside of a private RPC.\n\nPayouts are handled by the __Gamma__ team directly and are denominated in USD. However, payouts are done in either __GAMMA__, __ETH__ or __USDC__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"GAMMA, ETH or USDC","slug":"gamma","tenPercentEconomicRule":false,"updatedDate":"2024-12-07T18:43:32.008Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Access active liquidity management on Uniswap v3. Gamma has developed a protocol, a management infrastructure, and a variety of strategies used by managers and market makers. 
As an LP, you can deposit your assets for Gamma to actively manage in Uniswap v3 positions, returning yield in the asset you deposit.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Attacks which require differing operational configuration than targets supplied\n  - Best practice critiques\n","customProhibitedActivities":[],"impacts":[{"id":1099,"type":"smart_contract","severity":"medium","title":"Theft of unclaimed yield"},{"id":1100,"type":"smart_contract","severity":"medium","title":"Permanent freezing of unclaimed yield"},{"id":1101,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of 
funds"}],"rewards":[{"id":9544,"severity":"critical","assetType":"smart_contract","fixedReward":50000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":9545,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"5mUVD7W2sZtIhl2Y3K1zjY","url":"https://github.com/charmfinance/alpha-vaults-v2-contracts/blob/main/contracts/AlphaProVault.sol","type":"smart_contract","addedAt":"2022-02-18T12:10:01.730Z","revision":3,"description":null,"isPrimacyOfImpact":null},{"id":"2pYIfndfVifzo5ik4MSt5c","url":"https://github.com/charmfinance/alpha-vaults-v2-contracts/blob/main/contracts/AlphaProVaultFactory.sol","type":"smart_contract","addedAt":"2023-08-10T18:48:43.910Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"6d87rRrXhC3pwsnVeel4JI","url":"https://github.com/charmfinance/alpha-vaults-v2-contracts/blob/main/contracts/CloneFactory.sol","type":"smart_contract","addedAt":"2023-08-10T18:48:40.618Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-02-05T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6bbf7HCTEuoJ4f2qgaaCcp/0eed4177229bc1ff8b47064256e46a58/Charm-logo_Small.png","maxBounty":20000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the\nfollowing types:\n\n**Smart Contracts/Blockchain:**\n\n- Re-entrancy\n- Logic errors\n  - Including user authentication errors\n- Solidity/EVM details not 
considered\n  - Including integer over-/under-flow\n  - Including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - Including composability vulnerabilities\n- Oracle failure/manipulation\n- Novel governance attacks\n- Economic/financial attacks\n  - Including flash loan attacks\n- Congestion and scalability\n  - Including running out of gas\n  - Including block stuffing\n  - Including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n  - Signature malleability\n  - Susceptibility to replay attacks\n  - Weak randomness\n  - Weak encryption\n- Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging interfaces","productType":["AMM","Options"],"programOverview":"Charm’s Alpha Vaults creates permissionless vaults to manage Uniswap liquidity. It uses Charm’s expertise in Decentralized Market Making Strategies to help anyone increase the liquidity of any Uniswap V3 pool. Using the vault, anyone can launch liquidity mining campaigns just like Uniswap V2, have full control over the vault’s strategy, increase token liquidity using concentrated liquidity, guarantee tokens will always be tradable, and achieve full decentralization. In addition, the vault’s shares are tokenized and ERC-20 compliant, which means LPs can deposit, withdraw, earn yield, and stake just like regular tokens.\n\nThe core contracts of Alpha Vaults version 2 are included within the scope of this bug bounty program.","programType":["Smart Contract"],"project":"Charm","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on\nthe [Immunefi Vulnerability Severity Classification System](/severity-system/). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nPayouts are handled by the **Charm** team directly and are denominated in\n**USD**. However, payouts are done in **ETH or USDC**.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, ETH","slug":"charm","tenPercentEconomicRule":false,"updatedDate":"2024-12-04T15:22:44.700Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Charm’s Alpha Vaults creates permissionless vaults to manage Uniswap liquidity. It uses Charm’s expertise in Decentralized Market Making Strategies to help anyone increase the liquidity of any Uniswap V3 pool. Using the vault, anyone can launch liquidity mining campaigns just like Uniswap V2, have full control over the vault’s strategy, increase token liquidity using concentrated liquidity, guarantee tokens will always be tradable, and achieve full decentralization.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":96,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":97,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":98,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":9306,"severity":"critical","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":9307,"severity":"high","assetType":"smart_contract","fixedReward":7500,"rewardModel":"fixed"},{"id":9308,"severity":"medium","assetType":"smart_contract","fixedReward":3000,"rewardModel":"fixed"},{"id":9309,"severity":"low","assetType":"smart_contract","fixedReward":750,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3TNKxhAJLFXvP0yQ2cnwNw","url":"https://github.com/cardano-foundation/cardano-wallet","type":"websites_and_applications","addedAt":"2024-03-28T02:42:00.000Z","revision":1,"description":"Wallet","isPrimacyOfImpact":null},{"id":"2X2oMx0ZfzsqRztHGmzYwA","url":"https://github.com/cardano-foundation/cardano-rosetta-java/wiki","type":"websites_and_applications","addedAt":"2024-12-03T09:04:58.334Z","revision":1,"description":"Rosetta 
Java","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Cardano"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2024-03-28T02:42:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/ut1FXa4hz88uiewTXQNFW/0cb596519d16dfdbdba0d2697d78bc6b/cardano-ada-logo_copy.png","maxBounty":10000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1"],"programOverview":"The Cardano Foundation is tasked with advancing the public digital infrastructure Cardano, working to anchor it as a utility for financial and social systems. We develop infrastructure tooling—including where there may not be an immediate commercial use case—plus strengthen operational resilience, and drive diversity of on-infrastructure use cases as well as the development of sound and representative governance.\n\nFor more information about The Cardano Foundation, please visit [https://cardanofoundation.org/](https://cardanofoundation.org/).  \n\nThe Cardano Foundation provides rewards in fiat USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nThe Cardano Foundation adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. 
\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- https://github.com/cardano-foundation/cf-explorer-api \n- https://github.com/cardano-foundation/cf-explorer-authentication \n- https://github.com/cardano-foundation/cf-explorer-frontend","programType":["Websites and Applications"],"project":"Cardano Foundation","projectType":["Blockchain"],"rewardsBody":"__Reward Payment Terms__\n\nPayouts are handled by the Cardano Foundation team directly and are denominated in USD. However, payments are done in fiat USD via Bank Transfer. This bug bounty program will also have a hard cap of USD 100,000. In the event that multiple bug reports are submitted that exceed this amount, the rewards will be provided on a first come first served basis. 
All remaining valid reports will have their rewards considered on a case by case basis.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"cardanofoundation","updatedDate":"2024-12-03T09:05:06.163Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"The Cardano Foundation is tasked with advancing the public digital infrastructure Cardano, working to anchor it as a utility for financial and social systems.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. 
Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Disclosure of any wallets publicly displayed in non-protected section of the explorer","customProhibitedActivities":[],"impacts":[{"id":4763,"type":"websites_and_applications","severity":"low","title":"Taking down the application/website"},{"id":4764,"type":"websites_and_applications","severity":"high","title":"Execute arbitrary system commands"},{"id":4765,"type":"websites_and_applications","severity":"high","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information"},{"id":4766,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as:  HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4767,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email, Password of the victim etc."},{"id":4768,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as:  Email address, Wallet addresses linked to protected users area, Other types of Sensitive PII, etc."},{"id":4769,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) 
without already-connected wallet interaction and with up to one click of user interaction, such as:  Changing the name of user, Enabling/disabling notifications"},{"id":4770,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as:  Reflected HTML injection, Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"}],"rewards":[{"id":6125,"severity":"critical","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":6126,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":6127,"severity":"medium","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":6128,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"2ABQVI0XooxG4OWiVE1F87","url":"https://etherscan.io/address/0x0c0420c7Aed04B67d8cCEf82563AF4C8F801f668","type":"smart_contract","addedAt":"2022-05-10T16:14:05.724Z","revision":3,"description":"Oracle Proxy","isPrimacyOfImpact":null},{"id":"6eYC6BA065RZ5ZOv77dFNL","url":"https://etherscan.io/address/0x320c3391d1dc3d36e0e1da26809db9e0463517c7","type":"smart_contract","addedAt":"2022-05-10T16:14:06.761Z","revision":1,"description":"Coin SI","isPrimacyOfImpact":null},{"id":"1vaTjzilbjjEs8dbHOrxXq","url":"https://etherscan.io/address/0x2438b33Ee508069bA1e3fEB0EE7eb1A47568ebae","type":"smart_contract","addedAt":"2022-05-10T16:14:07.841Z","revision":1,"description":"USDT 
SI","isPrimacyOfImpact":null},{"id":"2rFxLJFagREH1QzpEHfkku","url":"https://etherscan.io/address/0x257d6f962f23b7848792665ed9513a1ab72ecde4","type":"smart_contract","addedAt":"2022-05-10T16:14:08.843Z","revision":1,"description":"DAI SI","isPrimacyOfImpact":null},{"id":"11G5XOrpBJOejkGrg4uAGK","url":"https://etherscan.io/address/0xC06B71ec195cCAa98a57DD4bA9e90a7469c37D13","type":"smart_contract","addedAt":"2022-05-10T16:14:09.851Z","revision":1,"description":"LINK/USDC/WBTC/BTC SI","isPrimacyOfImpact":null},{"id":"3OGYXPXInwneRZx2tBWAtn","url":"https://etherscan.io/address/0x4acb9f0c1a266fbfbe455a4bbc85f14672a23b6f","type":"smart_contract","addedAt":"2022-05-10T16:14:11.427Z","revision":1,"description":"Observer","isPrimacyOfImpact":null},{"id":"2aed1MwctAd93Ly0V5R1lV","url":"https://etherscan.io/address/0x34E45203669aADd0d6ac342538AA7b62C9128f4a","type":"smart_contract","addedAt":"2022-05-10T16:14:12.527Z","revision":1,"description":"Manager Data Storage","isPrimacyOfImpact":null},{"id":"2cloFwtW0mH6DKf4lWWquj","url":"https://etherscan.io/address/0x913F2DEe2746CdA2ab34106c47aBC4a8f4e36fa5","type":"smart_contract","addedAt":"2022-05-10T16:14:13.531Z","revision":1,"description":"Token Manager","isPrimacyOfImpact":null},{"id":"2mMdAUqVqaYJ9J97ol2siE","url":"https://etherscan.io/address/0xFeD2edDBDF201D6b5469cbd6866d19808d8879fb","type":"smart_contract","addedAt":"2022-05-10T16:14:14.497Z","revision":1,"description":"Handler Manager","isPrimacyOfImpact":null},{"id":"6oOmJATuVdrJbGKm9WMBN6","url":"https://etherscan.io/address/0xCD9632707EC422759bE2A5b348f8178ff280A453","type":"smart_contract","addedAt":"2022-05-10T16:14:20.566Z","revision":1,"description":"Manager Slot Setter","isPrimacyOfImpact":null},{"id":"1X8o4pbIuTrXMpWFYVNLP","url":"https://etherscan.io/address/0xE2F26b242107F4C6eE48039555d7211D018AcE37","type":"smart_contract","addedAt":"2022-05-10T16:14:21.753Z","revision":1,"description":"Manager Flash 
Loan","isPrimacyOfImpact":null},{"id":"1XCs8VMIgb0QuIMcYVnjuv","url":"https://etherscan.io/address/0xFd514b33a361b82fE5D89070DB6917Cd4F73285D","type":"smart_contract","addedAt":"2022-05-10T16:14:22.766Z","revision":1,"description":"Ether Liquidation Manager","isPrimacyOfImpact":null},{"id":"6sVdCuqZjmnzdzvCxCBYDi","url":"https://etherscan.io/address/0xbb0aee2fe7e9d73a5dc3354136231a617717db03","type":"smart_contract","addedAt":"2022-05-10T16:14:23.770Z","revision":1,"description":"Coin Handler Data Storage","isPrimacyOfImpact":null},{"id":"5PsFFef0i08XNoMOumzqR6","url":"https://etherscan.io/address/0xfdc7d058bede981ea865fb64d06382a2206a1c42","type":"smart_contract","addedAt":"2022-05-10T16:14:24.847Z","revision":1,"description":"USDT Handler Date Storage","isPrimacyOfImpact":null},{"id":"6qdk27ONP6sDKafWDKit5d","url":"https://etherscan.io/address/0x4596302baaaeae0732fbdd9cdf7aec5e83c3cfba","type":"smart_contract","addedAt":"2022-05-10T16:14:25.838Z","revision":1,"description":"DAI Handler Data Storage","isPrimacyOfImpact":null},{"id":"5DMVX1YkrAljbBgwIjf5ES","url":"https://etherscan.io/address/0xe4c383fb3d7046ce7f9e5c537493cd192e9ae23c","type":"smart_contract","addedAt":"2022-05-10T16:14:26.852Z","revision":1,"description":"LINK Handler Data Storage","isPrimacyOfImpact":null},{"id":"nFP3Tr42UHn6SI1VtOTkm","url":"https://etherscan.io/address/0x23219FF3b4d838C94a8C8AE37ab3FF0Ac0743047","type":"smart_contract","addedAt":"2022-05-10T16:14:27.915Z","revision":1,"description":"USDC Handler Data Storage","isPrimacyOfImpact":null},{"id":"1Jk60N2vTJi9yj6sQBssMF","url":"https://etherscan.io/address/0x2ed04cE9a032B9A101975172F59A8d33E877bB1f","type":"smart_contract","addedAt":"2022-05-10T16:14:29.380Z","revision":1,"description":"WBTC Handler Data 
Storage","isPrimacyOfImpact":null},{"id":"6eG3OMmPgowRpopgOx6KPM","url":"https://etherscan.io/address/0x7146Ed71b1cb0D90E705eF20066b3453809E89e8","type":"smart_contract","addedAt":"2022-05-10T16:14:30.349Z","revision":1,"description":"BTC Handler Data Storage","isPrimacyOfImpact":null},{"id":"hONxcaomNiJj9ofxk0bDz","url":"https://etherscan.io/address/0xcbf361d934e2ac49b2c47c2910ea9489ab955829","type":"smart_contract","addedAt":"2022-05-10T16:14:31.469Z","revision":1,"description":"Coin Interest Model","isPrimacyOfImpact":null},{"id":"2muAJmuRaBQ8EJuytzvQdt","url":"https://etherscan.io/address/0x29ecabde2c57b6d4183f915ebca1a25804a60db1","type":"smart_contract","addedAt":"2022-05-10T16:14:32.553Z","revision":1,"description":"USDT Interest Model","isPrimacyOfImpact":null},{"id":"3Itct8YzADnlISpnlBWLSd","url":"https://etherscan.io/address/0x105ea44ffa77f517e31f20d7c22ebebf739bbf87","type":"smart_contract","addedAt":"2022-05-10T16:14:33.685Z","revision":1,"description":"DAI Interest Model","isPrimacyOfImpact":null},{"id":"3pHtfim6cxfqtY2Sb0qF68","url":"https://etherscan.io/address/0x7560ad17e2a0b790019734bf4f9790323cd68cb6","type":"smart_contract","addedAt":"2022-05-10T16:14:34.682Z","revision":1,"description":"LINK Interest Model","isPrimacyOfImpact":null},{"id":"4zZPFQNuVtRTEfMw9I3X3Y","url":"https://etherscan.io/address/0x24231014199e0c1a8ec2d963389008d85b658f7d","type":"smart_contract","addedAt":"2022-05-10T16:14:35.723Z","revision":1,"description":"USDC Interest Model","isPrimacyOfImpact":null},{"id":"2naJLnZTeliI5OP8ktgUea","url":"https://etherscan.io/address/0x75A7Ce14E9a07428384c63dc7dD0adeFe3B229C2","type":"smart_contract","addedAt":"2022-05-10T16:14:36.699Z","revision":1,"description":"WBTC Interest Model","isPrimacyOfImpact":null},{"id":"3zzVOqhnOFvfrbQT6PZqdq","url":"https://etherscan.io/address/0x614661d42d81eb446f740424CCAc24F09e97417e","type":"smart_contract","addedAt":"2022-05-10T16:14:37.681Z","revision":1,"description":"BTC Interest 
Model","isPrimacyOfImpact":null},{"id":"7IGokubB476KRa82XCigtt","url":"https://etherscan.io/address/0x13000c4a215efe7e414bb329b2f11c39bcf92d78","type":"smart_contract","addedAt":"2022-05-10T16:14:38.715Z","revision":1,"description":"Coin Handler Proxy","isPrimacyOfImpact":null},{"id":"3w4S5aAP7u0go6JN4k6Adv","url":"https://etherscan.io/address/0x808c3ba97268dbf9695b1ec10729e09c7e67a9e3","type":"smart_contract","addedAt":"2022-05-10T16:14:39.716Z","revision":1,"description":"USDT Handler Proxy","isPrimacyOfImpact":null},{"id":"fgyuwJCG3Ks8d2si2cmxf","url":"https://etherscan.io/address/0xd76b7060f1b646fa14740ff6ac670a4f0a6fc5e3","type":"smart_contract","addedAt":"2022-05-10T16:14:40.719Z","revision":1,"description":"DAI Handler Proxy","isPrimacyOfImpact":null},{"id":"7G32bP8xUqJ4SuqYBSOeTE","url":"https://etherscan.io/address/0x25567603eb61a4a49f27e433652b5b8940d10682","type":"smart_contract","addedAt":"2022-05-10T16:14:41.706Z","revision":1,"description":"LINK Handler Proxy","isPrimacyOfImpact":null},{"id":"6SuNSfp2aSvnFwDL3yR38u","url":"https://etherscan.io/address/0x128647690C7733593aA3Dd149EeBC5e256E79217","type":"smart_contract","addedAt":"2022-05-10T16:14:42.720Z","revision":1,"description":"USDC Handler Proxy","isPrimacyOfImpact":null},{"id":"5saUstpVZdMqaXgZwMFXez","url":"https://etherscan.io/address/0x93948Aa8488F522d5b079AF84fe411FBCE476e9f","type":"smart_contract","addedAt":"2022-05-10T16:14:43.714Z","revision":1,"description":"WBTC Handler Proxy","isPrimacyOfImpact":null},{"id":"2ut6REZyteHk2WQN0cmgK4","url":"https://etherscan.io/address/0x986Eb51E67e154901ff9B482835788B8f3054076","type":"smart_contract","addedAt":"2022-05-10T16:14:44.752Z","revision":1,"description":"BTC Handler Proxy","isPrimacyOfImpact":null},{"id":"39dhFJwNEQxLPs22PkX0c4","url":"https://etherscan.io/address/0x9c06a381bfDE2a14d8961057cb81a34b72fb0Fb6","type":"smart_contract","addedAt":"2022-05-10T16:14:45.788Z","revision":1,"description":"Coin SI Handler Date 
Storage","isPrimacyOfImpact":null},{"id":"MWNrKHJaY1jWydA1DlxJo","url":"https://etherscan.io/address/0xba9b7567EF2B441c99f32a3Fb0EeAa248281586d","type":"smart_contract","addedAt":"2022-05-10T16:14:46.803Z","revision":1,"description":"LINK SI Handler Date Storage","isPrimacyOfImpact":null},{"id":"7yheUlgv4mttIhleIP8Vwf","url":"https://etherscan.io/address/0x3fF1Dd4646f0db3B0a1FD8bB3AD7bE906E26F1A0","type":"smart_contract","addedAt":"2022-05-10T16:14:47.804Z","revision":1,"description":"DAI SI Handler Date Storage","isPrimacyOfImpact":null},{"id":"33qnVEDptWbcLDkld4uENh","url":"https://etherscan.io/address/0xDb684577F71F8FeBfe6aF208461e948EaE255025","type":"smart_contract","addedAt":"2022-05-10T16:14:48.917Z","revision":1,"description":"USDT SI Handler Date Storage","isPrimacyOfImpact":null},{"id":"5w6E8dHnYrnfORoETLkahR","url":"https://etherscan.io/address/0xD0D87Cd79965841780022419bF3b8e0BeC0e0500","type":"smart_contract","addedAt":"2022-05-10T16:14:49.908Z","revision":1,"description":"USDC SI Handler Date Storage","isPrimacyOfImpact":null},{"id":"1g8QkMkPjdUGQOLMz91Hpo","url":"https://etherscan.io/address/0x83e0bDD46831ee2b00fBfeb8e0488C7CD14284C0","type":"smart_contract","addedAt":"2022-05-10T16:14:50.924Z","revision":1,"description":"WBTC SI Handler Date Storage","isPrimacyOfImpact":null},{"id":"7qUH7UgiCrQse7MHNMIa4a","url":"https://etherscan.io/address/0x2146922c1D5a8A553afBC051da276814dD0629C0","type":"smart_contract","addedAt":"2022-05-10T16:14:51.910Z","revision":1,"description":"BTC SI Handler Date Storage","isPrimacyOfImpact":null},{"id":"5Uit9T1zJ1OTzk38js2FCS","url":"https://etherscan.io/address/0x64d18fd81A30150b8F881CB424677F178eA25C33","type":"smart_contract","addedAt":"2022-05-10T16:14:52.943Z","revision":1,"description":"Coin 
Handler","isPrimacyOfImpact":null},{"id":"3DnIitNt0et3vVeWWW0t6i","url":"https://etherscan.io/address/0x47Be3d1DEF039Bd85e7570864bB5148E7491A65F","type":"smart_contract","addedAt":"2022-05-10T16:14:54.215Z","revision":1,"description":"Token Handler","isPrimacyOfImpact":null}],"assetsBodyV2":"Only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-10-21T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/wWFjbdt3jrcKZ4OmOjvBc/84c670c9370bc2b2feb25fb721191d45/Bifi_logo.jpeg","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain __\n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n 
 - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces","productType":["Crosschain Liquidity","Lending","Staking"],"programOverview":"BiFi is the Multichain DeFi Project built on BIFROST, the Universal Multichain Middleware. BiFi aims to create a decentralized financial infrastructure that connects all the capital markets currently isolated on each blockchain, and creates new products and services that interoperate across multiple blockchains. \n\nThis bug bounty program is focused on their smart contracts and app and is focused on preventing:\n\n  - Thefts and freezing of principal of any amount\n  - Thefts and freezing of unclaimed yield of any amount\n  - Thefts and freezing of governance funds\n  - Thefts and freezing of permission among contracts\n  - Manipulations of the contract functionality (DoS, Malicious Re-entrancy, etc.)","programType":["Smart Contract"],"project":"BiFi","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll bug reports require a PoC written in code to be eligible for a reward. Remember, you must attach a PoC written in code separately for quick analysis by our security engineers. Reports without a PoC will not be accepted, even if the issue is so obvious that a PoC is not needed. 
\n\nThe PoC must be reproducible. If dependencies are required to run it (e.g., installing Hardhat and forking the chain), the process of installing all dependencies must also be described, along with appropriate comments or explanations.\n\nFor an example of well-written PoC code, see:\n\n  - [https://github.com/immunefi-team/polygon-transferwithsig?tab=readme-ov-file](https://github.com/immunefi-team/polygon-transferwithsig?tab=readme-ov-file)\n\n\n__Readability__\n\nRemember, reports must be readable for review. If the description is lacking or difficult for the BiFi project to understand, the BiFi team may require additional clarification or reject the report. The best reports are readable by a CS engineer who knows nothing about the underlying vulnerability class. For complex vulnerabilities, illustrations may be helpful.\n\n__Feasibility__\n\nVulnerabilities that require manipulation outside the scope of BiFi, require administrator privileges to reproduce the attack, are non-reproducible, or are not feasible for an attacker will not be rewarded. Examples of attacks excluded from evaluation:\n\n  - Manipulation of the BiFi external pricing oracle\n  - Vulnerabilities that require gaining or manipulating administrator privileges\n  - Spending more in gas fees to execute the attack than the amount gained from the attack\n\n__The following vulnerabilities are not eligible for a reward:__\n\n  - Using a single on-chain price oracle as a price feed source (e.g., Uniswap, Sushiswap)\n  - Decimal discrepancies that the BiFi team is already aware of\n\n__Previous Audit__\n\nBiFi has had its code audited by Theori, a web3 security specialist firm. 
Any unresolved findings from that audit will be excluded from the rewards.\n[https://github.com/bifrost-platform/BIFI/tree/master/docs ](https://github.com/bifrost-platform/BIFI/tree/master/docs)\n\n__Vulnerability Testing__\n\nAny activity on the Mainnet or Testnet to prove or validate the above vulnerabilities is strictly prohibited. PoC activities must be performed on a forked local chain. Testing performed on-chain for a bug bounty will be excluded from the reward.\n\nPayouts are handled by the __BiFi__ team directly and are denominated in __USD__. However, payouts are done in __BFC, ETH, Stablecoin (USDT or USDC)__  with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"BFC, ETH, USDT, USDC","slug":"bifi","tenPercentEconomicRule":false,"updatedDate":"2024-12-02T18:49:04.477Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"BiFi is the Multichain DeFi Project built on BIFROST, the Universal Multichain Middleware. BiFi aims to create a decentralized financial infrastructure that connects all the capital markets currently isolated on each blockchain, and creates new products and services that interoperate across multiple blockchains. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":1138,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":1139,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":8946,"severity":"critical","assetType":"smart_contract","fixedReward":100000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":8947,"severity":"high","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"},{"id":8948,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":8949,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"19ihUll2hqTC4fg3x2qcbf","url":"https://polygonscan.com/address/0xD126BA764D2fA052Fc14Ae012Aef590Bc6aE0C4f#code","type":"smart_contract","addedAt":"2022-05-10T15:43:18.209Z","revision":1,"description":"polygon-bifi-maxi strategy","isPrimacyOfImpact":null},{"id":"7nE7FmppVzybNDREnRNU9Z","url":"https://polygonscan.com/address/0xfEcf784F48125ccb7d8855cdda7C5ED6b5024Cb3#code","type":"smart_contract","addedAt":"2022-05-10T15:43:19.163Z","revision":1,"description":"polygon-bifi-maxi vault","isPrimacyOfImpact":null},{"id":"tZNsCTIgcabQ6HVQEL52a","url":"https://polygonscan.com/address/0x0C0C75AF434519AB96E34EB3bbEea726324d6264#code","type":"smart_contract","addedAt":"2022-05-10T15:43:20.176Z","revision":1,"description":"curve-poly-atricrypto 
strategy","isPrimacyOfImpact":null},{"id":"2amQfBMHMYbdEsWx25fOfW","url":"https://polygonscan.com/address/0x3dab1aCB811dc4C8b2FdC77812552f4d4Efd0A8c#code","type":"smart_contract","addedAt":"2022-05-10T15:43:21.256Z","revision":1,"description":"curve-poly-atricrypto vault","isPrimacyOfImpact":null},{"id":"3m2hwQ7jCmBU4KsHbm6COT","url":"https://polygonscan.com/address/0xAccf2f81F8c13e8D97ee272D141b6f4B613aB46D#code","type":"smart_contract","addedAt":"2022-05-10T15:43:22.303Z","revision":1,"description":"curve-poly-ren strategy","isPrimacyOfImpact":null},{"id":"2d5esccg8YoplejRvs2f6P","url":"https://polygonscan.com/address/0x8c9d3Bc4425773BD2F00C4a2aC105c5Ad73c8141#code","type":"smart_contract","addedAt":"2022-05-10T15:43:23.315Z","revision":1,"description":"curve-poly-ren vault","isPrimacyOfImpact":null},{"id":"4vw6Fztwj3PRpqhXlAYGKy","url":"https://polygonscan.com/address/0xC32CCCfF0777C145e7d658081D141ec8A38f8133#code","type":"smart_contract","addedAt":"2022-05-10T15:43:24.293Z","revision":1,"description":"boneswap-quick-wmatic-bone strategy","isPrimacyOfImpact":null},{"id":"6m6gfOzaUjVfTasl14n4Zn","url":"https://polygonscan.com/address/0xe9CAf4DfeaB51114a619C8104C38a309ccA236E1#code","type":"smart_contract","addedAt":"2022-05-10T15:43:25.263Z","revision":1,"description":"boneswap-quick-wmatic-bone vault","isPrimacyOfImpact":null},{"id":"1juRnlUInHtUpWl9qJh6nq","url":"https://polygonscan.com/address/0x3dE892BBc1cC1D22F069a4A985F58052244Acc5e#code","type":"smart_contract","addedAt":"2022-05-10T15:43:26.240Z","revision":1,"description":"boneswap-sushi-wmatic-bone strategy","isPrimacyOfImpact":null},{"id":"1tgb6EITz5TeKpPm32SN9g","url":"https://polygonscan.com/address/0x9fc153db31a5CeF1Cd326De31FEb37C7499eebC8","type":"smart_contract","addedAt":"2022-05-10T15:43:27.221Z","revision":1,"description":"boneswap-sushi-wmatic-bone 
vault","isPrimacyOfImpact":null},{"id":"2dlP4eN0ALRfevGsuhy9AK","url":"https://polygonscan.com/address/0x5a2448b0306D24C2ed3AE3186f32bbB023B8dCf9","type":"smart_contract","addedAt":"2022-05-10T15:43:28.168Z","revision":1,"description":"boneswap-ape-wmatic-bone strategy","isPrimacyOfImpact":null},{"id":"6U5C4M051D5YsvkBBGQtij","url":"https://polygonscan.com/address/0x7D59B0cAC35d431fe5B2F3aAED2FB70050B2113D","type":"smart_contract","addedAt":"2022-05-10T15:43:29.348Z","revision":1,"description":"boneswap-ape-wmatic-bone vault","isPrimacyOfImpact":null},{"id":"4F5PqX9qPgOxQuWmLRHI5u","url":"https://polygonscan.com/address/0x7207E31f503981DC0D57cC04AD4713DCBD5C0010","type":"smart_contract","addedAt":"2022-05-10T15:43:30.331Z","revision":1,"description":"boneswap-quick-usdc-bone strategy","isPrimacyOfImpact":null},{"id":"2fyboHodmQnQDCNX1B9u1d","url":"https://polygonscan.com/address/0x1001844Cb9Bc3B89a60ce4f4773dBa3B27115230","type":"smart_contract","addedAt":"2022-05-10T15:43:31.307Z","revision":1,"description":"boneswap-quick-usdc-bone vault","isPrimacyOfImpact":null},{"id":"XoTbbjUH4sgwB2vDvgmoo","url":"https://polygonscan.com/address/0x1Fff1654DBE0aa26cbc0e754a7BA641B89B95910","type":"smart_contract","addedAt":"2022-05-10T15:43:32.302Z","revision":1,"description":"dfyn-route-dfyn strategy","isPrimacyOfImpact":null},{"id":"55qW6kav5zJz9nvactxszK","url":"https://polygonscan.com/address/0xad88D6B731DCb567a3E13407f1E7B0649Bad82D2","type":"smart_contract","addedAt":"2022-05-10T15:43:33.512Z","revision":1,"description":"dfyn-route-dfyn vault","isPrimacyOfImpact":null},{"id":"25vtmihphZ7rLwI9PzGoo4","url":"https://polygonscan.com/address/0x827D4f4f92281690aD0591aFa0F90450A785199F","type":"smart_contract","addedAt":"2022-05-10T15:43:34.782Z","revision":1,"description":"dfyn-sx-dfyn 
strategy","isPrimacyOfImpact":null},{"id":"2L6RauWJw80Z9Z2d88U3CP","url":"https://polygonscan.com/address/0x970283Df294f9cedD2187bf84782AB75617Be31c","type":"smart_contract","addedAt":"2022-05-10T15:43:35.869Z","revision":1,"description":"dfyn-sx-dfyn vault","isPrimacyOfImpact":null},{"id":"6SnRVRsx4QabgZ9fKHFJvQ","url":"https://polygonscan.com/address/0xF68536DA80F58c3dEF57fB06ADA7998a1E2Cee97","type":"smart_contract","addedAt":"2022-05-10T15:43:36.875Z","revision":1,"description":"dfyn-ez-dfyn strategy","isPrimacyOfImpact":null},{"id":"1d8Qo2XF0hVV6vYMUnOmUt","url":"https://polygonscan.com/address/0x0E765383bea3a166A87a042132422f5F29fDb217","type":"smart_contract","addedAt":"2022-05-10T15:43:37.878Z","revision":1,"description":"dfyn-ez-dfyn vault","isPrimacyOfImpact":null},{"id":"3VkCxnQvcAqCfz5halrtwP","url":"https://polygonscan.com/address/0x8c5E402F3F43958Ecb83b10aD9bE98Fd026C52c6","type":"smart_contract","addedAt":"2022-05-10T15:43:38.894Z","revision":1,"description":"dfyn-uft-dfyn strategy","isPrimacyOfImpact":null},{"id":"2EYzWXBiVoXE3Bnn51LwY5","url":"https://polygonscan.com/address/0xD239D193809b04fD24CB0Cd56A99A3F9dB069C9d","type":"smart_contract","addedAt":"2022-05-10T15:43:39.978Z","revision":1,"description":"dfyn-uft-dfyn vault","isPrimacyOfImpact":null},{"id":"lN4VuSsa8ra7h9cE7CSUT","url":"https://polygonscan.com/address/0xcd170fa0C80Ea060a9Df6bf91BfF24cBDC4e0f30","type":"smart_contract","addedAt":"2022-05-10T15:43:41.009Z","revision":1,"description":"polycat-dfyn-fish-matic strategy","isPrimacyOfImpact":null},{"id":"217DRTTPFjzqnLMDxxNBwi","url":"https://polygonscan.com/address/0x9f3B96a2Dd55aa904bC5476Ffe66E74a53f6b420","type":"smart_contract","addedAt":"2022-05-10T15:43:41.952Z","revision":1,"description":"polycat-dfyn-fish-matic 
vault","isPrimacyOfImpact":null},{"id":"1VmW2DotcDND9wellVfXGN","url":"https://polygonscan.com/address/0xf2F5C13686b79b92dC73F6Bb1D2663329658EC87","type":"smart_contract","addedAt":"2022-05-10T15:43:43.176Z","revision":1,"description":"polypup-bone strategy","isPrimacyOfImpact":null},{"id":"4kODRyM2kJd1DQ7HCD7QwK","url":"https://polygonscan.com/address/0x8Fa291074B9E28055fFdBCd4C1C1Dad67B9a130A","type":"smart_contract","addedAt":"2022-05-10T15:43:44.159Z","revision":1,"description":"polypup-bone vault","isPrimacyOfImpact":null},{"id":"7hEJPsOPLOt63ClXC2QsiC","url":"https://polygonscan.com/address/0xE44D57D43478e50a7CE720a407Dc43fec9ADB584","type":"smart_contract","addedAt":"2022-05-10T15:43:45.189Z","revision":1,"description":"polypup-pup strategy","isPrimacyOfImpact":null},{"id":"xDyAu0rrFrwxLZbrnjd3m","url":"https://polygonscan.com/address/0xBe1C35d3349555Ba9eEa38AB1A21a6Db0Bb0fCdD","type":"smart_contract","addedAt":"2022-05-10T15:43:46.196Z","revision":1,"description":"polypup-pup vault","isPrimacyOfImpact":null},{"id":"tel2FpRUhkH8paJ9D2Ujs","url":"https://polygonscan.com/address/0x315324Bcd724b8CF01FfE6d04F029328f595e126","type":"smart_contract","addedAt":"2022-05-10T15:43:47.184Z","revision":1,"description":"polypup-usdc-bone strategy","isPrimacyOfImpact":null},{"id":"3jH0qZeU5jRQ9ubhcjuVYl","url":"https://polygonscan.com/address/0x8Ce906F6f383c31b09B1D2A5f2c9f480b87ceb58","type":"smart_contract","addedAt":"2022-05-10T15:43:48.208Z","revision":1,"description":"polypup-usdc-bone vault","isPrimacyOfImpact":null},{"id":"2vfpfW4BVaOonbk72T9zH","url":"https://polygonscan.com/address/0xF8f071033bfF4100B4b010cE11F95c95950F69b6","type":"smart_contract","addedAt":"2022-05-10T15:43:49.194Z","revision":1,"description":"polypup-wmatic-bone 
strategy","isPrimacyOfImpact":null},{"id":"4cSH2owZEbQoKzWugzdKiz","url":"https://polygonscan.com/address/0x6C433f102A6b8582a43222e335C73873538161b7","type":"smart_contract","addedAt":"2022-05-10T15:43:50.201Z","revision":1,"description":"polypup-wmatic-bone vault","isPrimacyOfImpact":null},{"id":"47Uv3CFI56cpFKPnp3oKLU","url":"https://polygonscan.com/address/0x0F5cdA7EaFC6dc0D10a131c9BD946C1F6634F9d0","type":"smart_contract","addedAt":"2022-05-10T15:43:51.177Z","revision":1,"description":"polypup-usdc-pup strategy","isPrimacyOfImpact":null},{"id":"2nZfLTlxcwQ1K5pGxKvO9z","url":"https://polygonscan.com/address/0xB1893a79fcCe73aEfc878e5AC918698Ee0110444","type":"smart_contract","addedAt":"2022-05-10T15:43:52.330Z","revision":1,"description":"polypup-usdc-pup vault","isPrimacyOfImpact":null},{"id":"2Jgwbr0kqK1pk88wvqnGVy","url":"https://polygonscan.com/address/0x1Fb8021FcAB1b54B3f2C6D9D8562DC16CF1fAe21","type":"smart_contract","addedAt":"2022-05-10T15:43:53.311Z","revision":1,"description":"polypup-wmatic-pup strategy","isPrimacyOfImpact":null},{"id":"2EDJ7GprEONZClm6CmqJ0f","url":"https://polygonscan.com/address/0x37884333d34eeE3EAe83439CE4608E69E7081116","type":"smart_contract","addedAt":"2022-05-10T15:43:54.326Z","revision":1,"description":"polypup-wmatic-pup vault","isPrimacyOfImpact":null},{"id":"5CoYy7SSSK8CVTSDClLbKj","url":"https://polygonscan.com/address/0xB63e910A2DcD6362f7F631542a700C3139b6185a","type":"smart_contract","addedAt":"2022-05-10T15:43:55.327Z","revision":1,"description":"ape-matic-usdt strategy","isPrimacyOfImpact":null},{"id":"36EqqdpKeFDuicu9IOOyaM","url":"https://polygonscan.com/address/0x1BE356364a1e849af2F7a513Fc46dAB6063Db485","type":"smart_contract","addedAt":"2022-05-10T15:43:56.486Z","revision":1,"description":"ape-matic-usdt 
vault","isPrimacyOfImpact":null},{"id":"6pcr9zRm7ui3CDZZXDS2ht","url":"https://polygonscan.com/address/0x0603141F2D39264BCE263a2107fA2045cC435b47","type":"smart_contract","addedAt":"2022-05-10T15:43:57.499Z","revision":1,"description":"ape-matic-dai strategy","isPrimacyOfImpact":null},{"id":"1UJB2tmnqVOmNpHBKtvxq4","url":"https://polygonscan.com/address/0x584611DA226b4d4C0c4D880E6f1E0c0E8522f3AE","type":"smart_contract","addedAt":"2022-05-10T15:43:58.580Z","revision":1,"description":"ape-matic-dai vault","isPrimacyOfImpact":null},{"id":"1xK8GpkAb1P2jgQNzVigTb","url":"https://polygonscan.com/address/0xa7377CDb25BfA2889B6e4c9463Cd0858A57aB315","type":"smart_contract","addedAt":"2022-05-10T15:43:59.657Z","revision":1,"description":"quick-eth-ramp strategy","isPrimacyOfImpact":null},{"id":"73xopBjOonQFxivQAbJWzI","url":"https://polygonscan.com/address/0x94242E121F056FA7F0892452e6a17678124981c1","type":"smart_contract","addedAt":"2022-05-10T15:44:00.689Z","revision":1,"description":"quick-eth-ramp vault","isPrimacyOfImpact":null},{"id":"66jiPBAmiW6F9Xbi4i6YN8","url":"https://polygonscan.com/address/0x4F0b982A75C49E3652d98a2d00BC84CCa7532AfF","type":"smart_contract","addedAt":"2022-05-10T15:44:01.701Z","revision":1,"description":"quick-usdc-rusd strategy","isPrimacyOfImpact":null},{"id":"19ImJbx3mo4QeNtxnvDBiv","url":"https://polygonscan.com/address/0x2b17aD11c5e9553c79a18F33Df4dE565eF0ad5b0","type":"smart_contract","addedAt":"2022-05-10T15:44:02.702Z","revision":1,"description":"quick-usdc-rusd vault","isPrimacyOfImpact":null},{"id":"43eFKy1i5WPjeFYq64wvuw","url":"https://polygonscan.com/address/0xA82b0a53Dc044C7B885D32FA4EEaA4FeD7528773","type":"smart_contract","addedAt":"2022-05-10T15:44:03.716Z","revision":1,"description":"polyyeld-ape-wmatic-yeld 
strategy","isPrimacyOfImpact":null},{"id":"6ltFzCwPs4iukW7ZMq7HIF","url":"https://polygonscan.com/address/0xd73AEF83c08264C5600C3a17f009B6f8c0226221","type":"smart_contract","addedAt":"2022-05-10T15:44:04.744Z","revision":1,"description":"polyyeld-ape-wmatic-yeld vault","isPrimacyOfImpact":null},{"id":"16zFMUGf4931edEIJlHVuH","url":"https://polygonscan.com/address/0x46FfF3f004afeE180CF96cCa92560a94A696044B","type":"smart_contract","addedAt":"2022-05-10T15:44:05.810Z","revision":1,"description":"sushi-wbtc-ibbtc strategy","isPrimacyOfImpact":null},{"id":"1zz6i88PMUe9V3mLqZIuWk","url":"https://polygonscan.com/address/0xD35B3733c2ceaf3635bE246B2c6C42f10e5b6B78","type":"smart_contract","addedAt":"2022-05-10T15:44:06.925Z","revision":1,"description":"sushi-wbtc-ibbtc vault","isPrimacyOfImpact":null},{"id":"7shu6ZKQzrNYx0XJxp9tpj","url":"https://polygonscan.com/address/0xebcAD445f52231887c493995F4413A57c09f5f00","type":"smart_contract","addedAt":"2022-05-10T15:44:07.954Z","revision":1,"description":"ape-eth-matic strategy","isPrimacyOfImpact":null},{"id":"v7vobLsL6fSnf6WuWy74k","url":"https://polygonscan.com/address/0xc24Cf5fA29E619f2D5ccbEC46F2295876c3722ff","type":"smart_contract","addedAt":"2022-05-10T15:44:09.044Z","revision":1,"description":"ape-eth-matic vault","isPrimacyOfImpact":null},{"id":"1Vi0ljaZgbz8vJIqUcySke","url":"https://polygonscan.com/address/0xE81436bdf7162e46cac9D58CfAC5ec31e9475446","type":"smart_contract","addedAt":"2022-05-10T15:44:10.239Z","revision":1,"description":"ape-btc-matic strategy","isPrimacyOfImpact":null},{"id":"2Dt6SFlw78DotaZXn2MTiW","url":"https://polygonscan.com/address/0x76F0e4a08c1e85d020dfD7C66B991ecd4A7551AF","type":"smart_contract","addedAt":"2022-05-10T15:44:11.732Z","revision":1,"description":"ape-btc-matic 
vault","isPrimacyOfImpact":null},{"id":"5ElYYrIULQgZ8eOcTTkffS","url":"https://polygonscan.com/address/0x35D578CBeFf8F7A4e1c3Beed0D8CC42D71A08A27","type":"smart_contract","addedAt":"2022-05-10T15:44:12.734Z","revision":1,"description":"ape-bnb-matic strategy","isPrimacyOfImpact":null},{"id":"5cPsANzp2xktLz0Xi78r4G","url":"https://polygonscan.com/address/0x6888f67662d1f442C4428129e0Bdb27a275e0a65","type":"smart_contract","addedAt":"2022-05-10T15:44:13.730Z","revision":1,"description":"ape-bnb-matic vault","isPrimacyOfImpact":null},{"id":"ZI01HCawZnXyQK3FlRSVK","url":"https://polygonscan.com/address/0x453054B9C2CD3dF1c57E0866241f460B78eE3ebB","type":"smart_contract","addedAt":"2022-05-10T15:44:14.903Z","revision":1,"description":"ape-banana-matic strategy","isPrimacyOfImpact":null},{"id":"3Q9TG0oy5tPRlVYd0kLbRj","url":"https://polygonscan.com/address/0xADA7F98fb2594E76914EB593e74B348A498Ea5Bd","type":"smart_contract","addedAt":"2022-05-10T15:44:15.907Z","revision":1,"description":"ape-banana-matic vault","isPrimacyOfImpact":null},{"id":"1scP9VKcpv5D3UTLwRX1TI","url":"https://polygonscan.com/address/0x966fC9Ee8500b470C653c339c8fa0a68520CC3ea","type":"smart_contract","addedAt":"2022-05-10T15:44:17.304Z","revision":1,"description":"polyyeld-sushi-wmatic-yeld strategy","isPrimacyOfImpact":null},{"id":"2PxPiM5ucJHNYX5YSBtsH9","url":"https://polygonscan.com/address/0x0Ca850eEfE051ED244846A2939e218ec6D44a0b2","type":"smart_contract","addedAt":"2022-05-10T15:44:18.329Z","revision":1,"description":"polyyeld-sushi-wmatic-yeld vault","isPrimacyOfImpact":null},{"id":"4NFPzAfSrt7qYDh59thPw","url":"https://polygonscan.com/address/0x7593747a19a50451bBe6E0f1D427D4F80796f684","type":"smart_contract","addedAt":"2022-05-10T15:44:19.336Z","revision":1,"description":"polyyeld-quick-usdc-yeld 
strategy","isPrimacyOfImpact":null},{"id":"4r7rcH7TD7jHXQWYuPmLjW","url":"https://polygonscan.com/address/0x9a8390F3F74E7f367B5f948dd04495B67a54a5F4","type":"smart_contract","addedAt":"2022-05-10T15:44:20.371Z","revision":1,"description":"polyyeld-quick-usdc-yeld vault","isPrimacyOfImpact":null},{"id":"3valDEYsjpch5z2i5TYgHn","url":"https://polygonscan.com/address/0x703372131e77aE0c69B51e41A901315087A314D2","type":"smart_contract","addedAt":"2022-05-10T15:44:21.424Z","revision":1,"description":"sushi-usdc-bifi strategy","isPrimacyOfImpact":null},{"id":"12DsxsmxMcFnH6QX6FvUsJ","url":"https://polygonscan.com/address/0x03F69AAF4c8512f533Da46cC9eFd49C4969e3CB8","type":"smart_contract","addedAt":"2022-05-10T15:44:22.416Z","revision":1,"description":"sushi-usdc-bifi vault","isPrimacyOfImpact":null},{"id":"4N9BNp2zOgVDJEhB62sCR6","url":"https://polygonscan.com/address/0x1a09FD524D6a7c99903648Bfa8535D43B4F215c2","type":"smart_contract","addedAt":"2022-05-10T15:44:23.413Z","revision":1,"description":"quick-pbnb-quick strategy","isPrimacyOfImpact":null},{"id":"417R4X3qLbY4O5g1EqwcZy","url":"https://polygonscan.com/address/0x1A90Ea15e00a6c647478e86e3A3DB1aC1eB23cE5","type":"smart_contract","addedAt":"2022-05-10T15:44:24.452Z","revision":1,"description":"quick-pbnb-quick vault","isPrimacyOfImpact":null},{"id":"3eYWvAiaRV34SoQbpcADuf","url":"https://polygonscan.com/address/0x47c1772E850F627Bf41f52e44219d9bDab66D963","type":"smart_contract","addedAt":"2022-05-10T15:44:25.481Z","revision":1,"description":"quick-usdc-pbnb strategy","isPrimacyOfImpact":null},{"id":"68yqVUNrm3Lbx2g1erTBe8","url":"https://polygonscan.com/address/0x61f55dc5243398D57acd5d6265e228da65C4Cb52","type":"smart_contract","addedAt":"2022-05-10T15:44:26.508Z","revision":1,"description":"quick-usdc-pbnb 
vault","isPrimacyOfImpact":null},{"id":"4XMqwLSlWoDGBTNhcToAaX","url":"https://polygonscan.com/address/0x4ee0f311b55Dd983FBe82A0EEEa06429726Da932","type":"smart_contract","addedAt":"2022-05-10T15:44:27.521Z","revision":1,"description":"quick-dai-usdt strategy","isPrimacyOfImpact":null},{"id":"7e8n60QqJXJ8fcGp0eheIN","url":"https://polygonscan.com/address/0x8F1F1FB23A208041e1f4Bf4A3b4E165bcCA25Bbb","type":"smart_contract","addedAt":"2022-05-10T15:44:28.507Z","revision":1,"description":"quick-dai-usdt vault","isPrimacyOfImpact":null},{"id":"3Ic0xeCvEm6aZqDocPDWgc","url":"https://polygonscan.com/address/0x401Fa12777e303CBbFa0Ce8c95014d3CA1ee02c0","type":"smart_contract","addedAt":"2022-05-10T15:44:29.664Z","revision":1,"description":"quick-eth-fff strategy","isPrimacyOfImpact":null},{"id":"2qKT7IlIR3WOZjjByuqQGh","url":"https://polygonscan.com/address/0xa5b0E0f38BC86723a9893B828a4B9595ecb22F42","type":"smart_contract","addedAt":"2022-05-10T15:44:30.678Z","revision":1,"description":"quick-eth-fff vault","isPrimacyOfImpact":null},{"id":"7DMJhzPBoZcQtlL5O2SH1B","url":"https://polygonscan.com/address/0xaf9DD4c1d755402868fFE2A0B7C0E8a6664a0f2F","type":"smart_contract","addedAt":"2022-05-10T15:44:31.693Z","revision":1,"description":"wexpoly-wbtc-usdc strategy","isPrimacyOfImpact":null},{"id":"1J9Bwfib7Yg9DPna3k9PeE","url":"https://polygonscan.com/address/0x5c7fd860fC0072cFef2Cc4aB17CC7fF25B639d8b","type":"smart_contract","addedAt":"2022-05-10T15:44:32.980Z","revision":1,"description":"wexpoly-wbtc-usdc vault","isPrimacyOfImpact":null},{"id":"1XEMjSoAFrs3KNH1cqW7YO","url":"https://polygonscan.com/address/0x8E82b1A03698d0597D3414F6CC5C57005480DEf4","type":"smart_contract","addedAt":"2022-05-10T15:44:33.971Z","revision":1,"description":"wexpoly-wbtc-eth 
strategy","isPrimacyOfImpact":null},{"id":"1XWWzMmKjMMkGUv8ltEnrL","url":"https://polygonscan.com/address/0x75A59e8d6611e90e7A8e439Cb59D9f78e738d16F","type":"smart_contract","addedAt":"2022-05-10T15:44:35.027Z","revision":1,"description":"wexpoly-wbtc-eth vault","isPrimacyOfImpact":null},{"id":"4MibqbXKuqvYTCWTYdHNtC","url":"https://polygonscan.com/address/0xE91262c6Cf7B28948EF6f8a6B554758791c31340","type":"smart_contract","addedAt":"2022-05-10T15:44:36.175Z","revision":1,"description":"wexpoly-matic-eth strategy","isPrimacyOfImpact":null},{"id":"4CxrIPpH77kqWFZ7Rf9gCz","url":"https://polygonscan.com/address/0xCB171DF46CA6FF7AfEF6c4935128204435E4F05C","type":"smart_contract","addedAt":"2022-05-10T15:44:37.258Z","revision":1,"description":"wexpoly-matic-eth vault","isPrimacyOfImpact":null},{"id":"6B3qB7RqfOlkigNFL68h5w","url":"https://polygonscan.com/address/0xC0F43f3d242fEDd9FD82e5a5856E577d908a083A","type":"smart_contract","addedAt":"2022-05-10T15:44:38.272Z","revision":1,"description":"wexpoly-polydoge-matic strategy","isPrimacyOfImpact":null},{"id":"AcV0gNJWFFNtZjBlFvy0W","url":"https://polygonscan.com/address/0xdf4E615e05713f9Be712bb999B3190Fd238bb77A","type":"smart_contract","addedAt":"2022-05-10T15:44:39.372Z","revision":1,"description":"wexpoly-polydoge-matic vault","isPrimacyOfImpact":null},{"id":"3yltx4Jj4XCdv6v8qWBXxS","url":"https://polygonscan.com/address/0x156463c7a644726994b658B5164edA0B6D68544E","type":"smart_contract","addedAt":"2022-05-10T15:44:40.551Z","revision":1,"description":"wexpoly-snx-eth strategy","isPrimacyOfImpact":null},{"id":"4v1hURwpKWWNWBOFX6HeLf","url":"https://polygonscan.com/address/0xf7e1226F6f98D1981e88Da328347F0E2131A2864","type":"smart_contract","addedAt":"2022-05-10T15:44:42.338Z","revision":1,"description":"wexpoly-snx-eth 
vault","isPrimacyOfImpact":null},{"id":"4ttzv13hbv53efAjRSpLG","url":"https://polygonscan.com/address/0x038A80FA19191FF6A1788cEb6f503FB0FDf83aE8","type":"smart_contract","addedAt":"2022-05-10T15:44:43.370Z","revision":1,"description":"wexpoly-link-eth strategy","isPrimacyOfImpact":null},{"id":"4soQewZT7OgblXddZb7S9Y","url":"https://polygonscan.com/address/0x23Ee6ED971ae7731F53913D9f8a45C7C1af3D6D5","type":"smart_contract","addedAt":"2022-05-10T15:44:44.375Z","revision":1,"description":"wexpoly-link-eth vault","isPrimacyOfImpact":null},{"id":"5ZHHUzYHvxv80mTeiBjvTa","url":"https://polygonscan.com/address/0x038A80FA19191FF6A1788cEb6f503FB0FDf83aE8","type":"smart_contract","addedAt":"2022-05-10T15:44:45.417Z","revision":1,"description":"wexpoly-aave-eth strategy","isPrimacyOfImpact":null},{"id":"5UMKD2E46rRQ3hi7KP0lKw","url":"https://polygonscan.com/address/0x23Ee6ED971ae7731F53913D9f8a45C7C1af3D6D5","type":"smart_contract","addedAt":"2022-05-10T15:44:46.421Z","revision":1,"description":"wexpoly-aave-eth vault","isPrimacyOfImpact":null},{"id":"1dxfmX0mIO8eXbTvRuNd8E","url":"https://polygonscan.com/address/0x23679B038eb6f090f9b0f121A1F29b7cA3993F77","type":"smart_contract","addedAt":"2022-05-10T15:44:47.490Z","revision":1,"description":"wexpoly-dai-eth strategy","isPrimacyOfImpact":null},{"id":"z5ebugKRM97QORthlSPZh","url":"https://polygonscan.com/address/0xc4cC677bb8b7E6EEA6409Ee2af9F434BAB004192","type":"smart_contract","addedAt":"2022-05-10T15:44:49.223Z","revision":1,"description":"wexpoly-dai-eth vault","isPrimacyOfImpact":null},{"id":"2R94c7HBXELEAt8DshpeY8","url":"https://polygonscan.com/address/0x1C5e120604537B44B635f9c932A26Abf7bb97E4E","type":"smart_contract","addedAt":"2022-05-10T15:44:50.313Z","revision":1,"description":"wexpoly-usdc-dai 
strategy","isPrimacyOfImpact":null},{"id":"5b1PDdxc83z875eXKBh3uZ","url":"https://polygonscan.com/address/0x3a3a9784Af130d692E19A3f1C1b13eF44301D0f7","type":"smart_contract","addedAt":"2022-05-10T15:44:51.335Z","revision":1,"description":"wexpoly-usdc-dai vault","isPrimacyOfImpact":null},{"id":"5C63AlEs2EkDz3e1bAavYB","url":"https://polygonscan.com/address/0x107711a7f61c2867B72E0Dd926755dDeEe75F9f0","type":"smart_contract","addedAt":"2022-05-10T15:44:52.794Z","revision":1,"description":"wexpoly-matic-usdc strategy","isPrimacyOfImpact":null},{"id":"4Po1hzD57Ur1tXU1HqU30e","url":"https://polygonscan.com/address/0x5E7156F7c0B5E2005000C38beb38540ba9c283df","type":"smart_contract","addedAt":"2022-05-10T15:44:53.840Z","revision":1,"description":"wexpoly-matic-usdc vault","isPrimacyOfImpact":null},{"id":"5g627MWwGszLJajG8Mj3ot","url":"https://polygonscan.com/address/0xea025B73A536F876d63022629B1d4a2271556056","type":"smart_contract","addedAt":"2022-05-10T15:44:54.809Z","revision":1,"description":"quick-usdc-mimatic strategy","isPrimacyOfImpact":null},{"id":"4XXxv0I2deidNCtG9xWzDz","url":"https://polygonscan.com/address/0xeCBb84E73760d0E22BDBeE79490c691386B5008F","type":"smart_contract","addedAt":"2022-05-10T15:44:55.828Z","revision":1,"description":"quick-usdc-mimatic vault","isPrimacyOfImpact":null},{"id":"5GFlBvYlX4rBDsaDqHN218","url":"https://polygonscan.com/address/0x9ED77C14DE83a24c9E1Ca97472a22a86d90EEA0c","type":"smart_contract","addedAt":"2022-05-10T15:44:56.910Z","revision":1,"description":"quick-usdc-mimatic strategy","isPrimacyOfImpact":null},{"id":"6y3f5691ra4CGpAL2jHUL3","url":"https://polygonscan.com/address/0x0B7FEA4506006f1bA0718585cFAb638424A86d94","type":"smart_contract","addedAt":"2022-05-10T15:44:57.920Z","revision":1,"description":"wexpoly-usdc-usdt 
strategy","isPrimacyOfImpact":null},{"id":"1GPrW8U0kG57xijlytejmg","url":"https://polygonscan.com/address/0x58C55B5675B106b440635E2c550A771f4E256D35","type":"smart_contract","addedAt":"2022-05-10T15:44:59.083Z","revision":1,"description":"wexpoly-usdc-usdt vault","isPrimacyOfImpact":null},{"id":"un35KurPJDHfCJuTC9lbC","url":"https://polygonscan.com/address/0x6a440102015bf4D81D56fBc2fd4F27797D183931","type":"smart_contract","addedAt":"2022-05-10T15:45:00.112Z","revision":1,"description":"wexpoly-wex-usdc strategy","isPrimacyOfImpact":null},{"id":"FSUF7Ff22jl5ynKj4p90m","url":"https://polygonscan.com/address/0xe3B5a0d5dFDCD6dE7e22a5c2B6b957aB76d2A085","type":"smart_contract","addedAt":"2022-05-10T15:45:01.130Z","revision":1,"description":"wexpoly-wex-usdc vault","isPrimacyOfImpact":null},{"id":"6P9rIFyUy7UTxypHAVErbl","url":"https://polygonscan.com/address/0xcb6e386Ad643a6D77C940BF69303cEBD34c04757","type":"smart_contract","addedAt":"2022-05-10T15:45:02.152Z","revision":1,"description":"wexpoly-wex strategy","isPrimacyOfImpact":null},{"id":"6BP2937L4iWtL6gNx9k8B","url":"https://polygonscan.com/address/0xcb6e386Ad643a6D77C940BF69303cEBD34c04757","type":"smart_contract","addedAt":"2022-05-10T15:45:03.275Z","revision":1,"description":"wexpoly-wex vault","isPrimacyOfImpact":null},{"id":"1tx6eH41Xd5c00hOQQi7z3","url":"https://polygonscan.com/address/0x0D62f1b1BF511E155e357184dcfC1e8D54B41a5f","type":"smart_contract","addedAt":"2022-05-10T15:45:04.295Z","revision":1,"description":"wexpoly-wex-matic strategy","isPrimacyOfImpact":null},{"id":"43hzg50eahvV7KGDaCWAk","url":"https://polygonscan.com/address/0xe09888EEab19bce85e67eDC59521F3f290B1BCcE","type":"smart_contract","addedAt":"2022-05-10T15:45:05.468Z","revision":1,"description":"wexpoly-wex-matic 
vault","isPrimacyOfImpact":null},{"id":"6Z2QGHCnIou0iVILizYIEs","url":"https://polygonscan.com/address/0xb15B8E50b79b4D6723DC297aD6313B9Dc3c51Db3","type":"smart_contract","addedAt":"2022-05-10T15:45:06.438Z","revision":1,"description":"wexpoly-bifi-matic strategy","isPrimacyOfImpact":null},{"id":"7iEZ0etj6sGx1MBw1b6RbU","url":"https://polygonscan.com/address/0x247303D4Be227Aa87Bd52F05aDDAD772794DE394","type":"smart_contract","addedAt":"2022-05-10T15:45:07.504Z","revision":1,"description":"wexpoly-bifi-matic vault","isPrimacyOfImpact":null},{"id":"3QxbIaR7GLDIXeiFVn2ytX","url":"https://polygonscan.com/address/0x12B5EC1cFa07732540F3d9D4eCF040328bc1EEdC","type":"smart_contract","addedAt":"2022-05-10T15:45:08.515Z","revision":1,"description":"sushi-eth-wfil strategy","isPrimacyOfImpact":null},{"id":"2CGDGaVlxVCUsbWXlNNZqU","url":"https://polygonscan.com/address/0xA4fB94990f99A8C1290e83d40DB9C648fD868D14","type":"smart_contract","addedAt":"2022-05-10T15:45:09.486Z","revision":1,"description":"sushi-eth-wfil vault","isPrimacyOfImpact":null},{"id":"IhQiH5tqoJPDerzS3CO1C","url":"https://polygonscan.com/address/0x197c055e30c2e882A1BE6822480c688100658BEd","type":"smart_contract","addedAt":"2022-05-10T15:45:10.521Z","revision":1,"description":"quick-usdc-dai strategy","isPrimacyOfImpact":null},{"id":"35hKO0MDZTynQ1KYXCL7oN","url":"https://polygonscan.com/address/0x0dFd8c4dd493d8f87Be362878E41537Ca7Ee4d9e","type":"smart_contract","addedAt":"2022-05-10T15:45:12.007Z","revision":1,"description":"quick-usdc-dai vault","isPrimacyOfImpact":null},{"id":"4MVxXqGm8c7UJgzhn5vgC1","url":"https://polygonscan.com/address/0x4b0e4CDEA00C90F786bd817751159f46EA38A58D","type":"smart_contract","addedAt":"2022-05-10T15:45:13.049Z","revision":1,"description":"quick-quick-uni 
strategy","isPrimacyOfImpact":null},{"id":"2wCzRb5K2Q9i36NzYU323a","url":"https://polygonscan.com/address/0xaF34573353aBd160889889D52d7841B2bBCE7Cf9","type":"smart_contract","addedAt":"2022-05-10T15:45:14.216Z","revision":1,"description":"quick-quick-uni vault","isPrimacyOfImpact":null},{"id":"M7jQ9hINnCASMN5Uz9L31","url":"https://polygonscan.com/address/0xD208C42cd08a5CaD8C53add2365153e8e24EbdF9","type":"smart_contract","addedAt":"2022-05-10T15:45:15.229Z","revision":1,"description":"quick-link-quick strategy","isPrimacyOfImpact":null},{"id":"7oZtlT9akCxfLtpoaLRsZh","url":"https://polygonscan.com/address/0xdD32ca42a5bab4073D319BC26bb4e951e767Ba6E","type":"smart_contract","addedAt":"2022-05-10T15:45:16.268Z","revision":1,"description":"quick-link-quick vault","isPrimacyOfImpact":null},{"id":"3TuLwYdkXobdwx5Islwi2R","url":"https://polygonscan.com/address/0x53F816063523D9883C83863CbD5D8EAF9Ffc4641","type":"smart_contract","addedAt":"2022-05-10T15:45:17.304Z","revision":1,"description":"polycat-fish strategy","isPrimacyOfImpact":null},{"id":"DdgxXmYLRHTFx5FMtA3o0","url":"https://polygonscan.com/address/0xcC16BbE4987920a17F5C4a92C1Ab4dbDfB0B9790","type":"smart_contract","addedAt":"2022-05-10T15:45:18.332Z","revision":1,"description":"polycat-fish vault","isPrimacyOfImpact":null},{"id":"xiVfPqvH43eCIx67488lV","url":"https://polygonscan.com/address/0x2F6Ebc03469De09FE6D933e4FA56772dF400BfA6","type":"smart_contract","addedAt":"2022-05-10T15:45:19.309Z","revision":1,"description":"quick-usdc-eth strategy","isPrimacyOfImpact":null},{"id":"74tNLzxugrOkNOMKfDjRGF","url":"https://polygonscan.com/address/0x5d4B83B3011B1E14e55185c5D432987e76f6DE3C","type":"smart_contract","addedAt":"2022-05-10T15:45:20.297Z","revision":1,"description":"quick-usdc-eth 
vault","isPrimacyOfImpact":null},{"id":"6KGRzpbziQy8poLVrGXqOi","url":"https://polygonscan.com/address/0x9B14a16609b0Bf5DA858115b4537e2CD01B3133C","type":"smart_contract","addedAt":"2022-05-10T15:45:21.338Z","revision":1,"description":"quick-dai-eth strategy","isPrimacyOfImpact":null},{"id":"4aBZ980SBlFsIxj1kgoJ7w","url":"https://polygonscan.com/address/0x9DA4048550C1a73686E594f726310F0b0585fBA3","type":"smart_contract","addedAt":"2022-05-10T15:45:22.965Z","revision":1,"description":"quick-dai-eth vault","isPrimacyOfImpact":null},{"id":"VLvy6HR8Z8zxWno0UTtSe","url":"https://polygonscan.com/address/0x4E0e85692b239e57128103b4Ad6f39Ac3BBE0c15","type":"smart_contract","addedAt":"2022-05-10T15:45:24.048Z","revision":1,"description":"quick-fff-quick strategy","isPrimacyOfImpact":null},{"id":"4JhJ5Mi2CKWlXwKY3UzM4W","url":"https://polygonscan.com/address/0x2D4cf116A59e24Dd0aB8821c93AE87658a9483b6","type":"smart_contract","addedAt":"2022-05-10T15:45:25.003Z","revision":1,"description":"quick-fff-quick vault","isPrimacyOfImpact":null},{"id":"4C5eb5hzBFXeWLOccFmJIz","url":"https://polygonscan.com/address/0x3777a06B71B2Aaf105e855693C56768117712B6F","type":"smart_contract","addedAt":"2022-05-10T15:45:25.993Z","revision":1,"description":"aave-wbtc strategy","isPrimacyOfImpact":null},{"id":"4dYB7jclnADq2YBsCVSKB","url":"https://polygonscan.com/address/0xD3395577febc6AdaB25490a69955ebC47040766C","type":"smart_contract","addedAt":"2022-05-10T15:45:27.065Z","revision":1,"description":"aave-wbtc vault","isPrimacyOfImpact":null},{"id":"5QAfeF8jwAFCHO8CyDe6Jw","url":"https://polygonscan.com/address/0x55a10618c7E9489ceE047705cD003df6d9e09195","type":"smart_contract","addedAt":"2022-05-10T15:45:28.113Z","revision":1,"description":"aave-eth strategy","isPrimacyOfImpact":null},{"id":"SRg1QK7BxEXlDMdoQc6Wb","url":"https://polygonscan.com/address/0x77276a7c9Ff3a6cbD334524d6F1f6219D039ac0E","type":"smart_contract","addedAt":"2022-05-10T15:45:29.193Z","revision":1,"description":"aave-eth 
vault","isPrimacyOfImpact":null},{"id":"4JXbqXJnWHWT2TB0mqjpJt","url":"https://polygonscan.com/address/0x2ABB0ea3A5C038f60E677Bf14d2F6095786650Ae","type":"smart_contract","addedAt":"2022-05-10T15:45:30.174Z","revision":1,"description":"polycat-sushi-fish-matic strategy","isPrimacyOfImpact":null},{"id":"4RJIpy5rVdm6CN4tf315Gx","url":"https://polygonscan.com/address/0xefA8E30cE4cc433cEA1B3b6006D69731A4FBd485","type":"smart_contract","addedAt":"2022-05-10T15:45:31.184Z","revision":1,"description":"polycat-sushi-fish-matic vault","isPrimacyOfImpact":null},{"id":"1TZdVTLCRAqJM74x8IpNY2","url":"https://polygonscan.com/address/0x92E586d7dB14483C103c2e0FE6A596F8b55DA752","type":"smart_contract","addedAt":"2022-05-10T15:45:32.215Z","revision":1,"description":"polycat-quick-fish-matic strategy","isPrimacyOfImpact":null},{"id":"5tWQ0TjvJS2l1lj0YtZVte","url":"https://polygonscan.com/address/0x7eE71053102d54Fc843BaEBaf07277C2b6dB64f1","type":"smart_contract","addedAt":"2022-05-10T15:45:33.484Z","revision":1,"description":"polycat-quick-fish-matic vault","isPrimacyOfImpact":null},{"id":"6CoGF4lyIIipXUq9ZsVJcb","url":"https://polygonscan.com/address/0x441b8Ad6Cfa6707E7A8F1398c2067996611fbc66","type":"smart_contract","addedAt":"2022-05-10T15:45:34.481Z","revision":1,"description":"sushi-grt-eth strategy","isPrimacyOfImpact":null},{"id":"1XD038MZ6ax8lF2JDUIzNs","url":"https://polygonscan.com/address/0x8efCf419813F9E018cCaCda36151e5079c274fa4","type":"smart_contract","addedAt":"2022-05-10T15:45:35.510Z","revision":1,"description":"sushi-grt-eth vault","isPrimacyOfImpact":null},{"id":"3dxjl3iLtrwwWTa2tmpGUN","url":"https://polygonscan.com/address/0x3bb6D727622A35816916C3e04920ADd7800BAB0E","type":"smart_contract","addedAt":"2022-05-10T15:45:36.506Z","revision":1,"description":"sushi-frax-fxs 
strategy","isPrimacyOfImpact":null},{"id":"1TKNeN9tzuL6KtOIntIckB","url":"https://polygonscan.com/address/0xddD5F39d044Dbaeef7b348cf04C3628acd3F1D8f","type":"smart_contract","addedAt":"2022-05-10T15:45:37.537Z","revision":1,"description":"sushi-frax-fxs vault","isPrimacyOfImpact":null},{"id":"7thjViKjUrQ6IXUhEghuD3","url":"https://polygonscan.com/address/0xE4cd42e17bbc54455c5855eCF4Bd46D51dA5133C","type":"smart_contract","addedAt":"2022-05-10T15:45:38.557Z","revision":1,"description":"sushi-frax-usdc strategy","isPrimacyOfImpact":null},{"id":"4FttmfKASumOSE5P3dNAIG","url":"https://polygonscan.com/address/0x5B19A2e8E5878cF2b1E9b1AC7CEA50346671B2Fc","type":"smart_contract","addedAt":"2022-05-10T15:45:39.744Z","revision":1,"description":"sushi-frax-usdc vault","isPrimacyOfImpact":null},{"id":"1Vi2CkhmYpQ67NIPbogGxb","url":"https://polygonscan.com/address/0x7fB420eB7D5B19131f40E8D0422202cF0B46d458","type":"smart_contract","addedAt":"2022-05-10T15:45:40.809Z","revision":1,"description":"sushi-wmatic-woofy strategy","isPrimacyOfImpact":null},{"id":"2xYzlkJjBt2WjpG1as2SX6","url":"https://polygonscan.com/address/0x544551E4E7D7bDd1CfbD55F07e304F5C9fD514Dd","type":"smart_contract","addedAt":"2022-05-10T15:45:41.970Z","revision":1,"description":"sushi-wmatic-woofy vault","isPrimacyOfImpact":null},{"id":"7EjFhCaMefjTVv81j16hHF","url":"https://polygonscan.com/address/0xeb38761E6b58Bb9acB4F52077d9eEbFf7D0248Bd","type":"smart_contract","addedAt":"2022-05-10T15:45:43.135Z","revision":1,"description":"sushi-usdc-dai strategy","isPrimacyOfImpact":null},{"id":"2GkfjdAF0yn8Q6zD9w2GEw","url":"https://polygonscan.com/address/0x75424BE5378621AeC2eEF25965f40FeB59039B52","type":"smart_contract","addedAt":"2022-05-10T15:45:44.414Z","revision":1,"description":"sushi-usdc-dai 
vault","isPrimacyOfImpact":null},{"id":"64cV4XVYgM2Ky4CRbt6BfX","url":"https://polygonscan.com/address/0x98F332EC4D39fB943080813B381b88D57b432124","type":"smart_contract","addedAt":"2022-05-10T15:45:45.499Z","revision":1,"description":"sushi-snx-eth strategy","isPrimacyOfImpact":null},{"id":"7e3bdWli83sbRuN0c7SRsd","url":"https://polygonscan.com/address/0x3AD9cd8d75f7a711Caea58e725425A9dC0D249c4","type":"smart_contract","addedAt":"2022-05-10T15:45:46.729Z","revision":1,"description":"sushi-snx-eth vault","isPrimacyOfImpact":null},{"id":"2vrqmPBuNrkjLtQaOYrlGU","url":"https://polygonscan.com/address/0xa425DeadFf443f3574F02585CE5154BBd5D14213","type":"smart_contract","addedAt":"2022-05-10T15:45:47.852Z","revision":1,"description":"quick-bifi-eth strategy","isPrimacyOfImpact":null},{"id":"15QkWiwAdGmemWhEBvurcJ","url":"https://polygonscan.com/address/0x21bA98fCb000dFeD8eC3B94cB41BeA51A601A94c","type":"smart_contract","addedAt":"2022-05-10T15:45:48.845Z","revision":1,"description":"quick-bifi-eth vault","isPrimacyOfImpact":null},{"id":"3w8GOi0d4OvexUL5adWBTq","url":"https://polygonscan.com/address/0xA9319b8F327dBB744c63e6b9FfaDf9A93C30687c","type":"smart_contract","addedAt":"2022-05-10T15:45:49.865Z","revision":1,"description":"quick-bifi-quick strategy","isPrimacyOfImpact":null},{"id":"3sNsXU1aZnxQQNyFLUHLIw","url":"https://polygonscan.com/address/0xCC2755476B0573F0ee0D5a754Bb6fE720c3641Bb","type":"smart_contract","addedAt":"2022-05-10T15:45:50.835Z","revision":1,"description":"quick-bifi-quick vault","isPrimacyOfImpact":null},{"id":"54VAfsTgyJvMEYK34M0Fni","url":"https://polygonscan.com/address/0x658F5577b5a161A4aC2F0bb513af49ece812f077","type":"smart_contract","addedAt":"2022-05-10T15:45:51.881Z","revision":1,"description":"quick-degen-quick 
strategy","isPrimacyOfImpact":null},{"id":"65W0jadyv60DDXqt6vYF44","url":"https://polygonscan.com/address/0xe942A8Ef245EAC3CEa951486e3Df5764C79b9621","type":"smart_contract","addedAt":"2022-05-10T15:45:52.849Z","revision":1,"description":"quick-degen-quick vault","isPrimacyOfImpact":null},{"id":"4fywIRJpltL5J3eFKJBWGx","url":"https://polygonscan.com/address/0x05b6e52227985C401eDd5d1635DcEa204857a81d","type":"smart_contract","addedAt":"2022-05-10T15:45:53.839Z","revision":1,"description":"quick-cc10-quick strategy","isPrimacyOfImpact":null},{"id":"24LNguMuntLpun4zttP7HT","url":"https://polygonscan.com/address/0x226a18Fb5eb7d9d1c4Eb1b5Cff957E0F1e3fd9Ed","type":"smart_contract","addedAt":"2022-05-10T15:45:54.853Z","revision":1,"description":"quick-cc10-quick vault","isPrimacyOfImpact":null},{"id":"55RcB4k5alBgfOJ9Nbgm14","url":"https://polygonscan.com/address/0x1848FBA9Ac7B4783F513d336171037941a637c55","type":"smart_contract","addedAt":"2022-05-10T15:45:55.881Z","revision":1,"description":"quick-defi5-quick strategy","isPrimacyOfImpact":null},{"id":"iL3PIUjLHbWT3hT1a6Es5","url":"https://polygonscan.com/address/0x191E0b3B023fd8911c1D7632086A46C0D2dB39ed","type":"smart_contract","addedAt":"2022-05-10T15:45:56.914Z","revision":1,"description":"quick-defi5-quick vault","isPrimacyOfImpact":null},{"id":"2B34sYAPpEkhxdabe2Tc2I","url":"https://polygonscan.com/address/0x15b0A1c6463261Ef4941b9212F09d54f2CD51899","type":"smart_contract","addedAt":"2022-05-10T15:45:57.941Z","revision":1,"description":"quick-btc-usdc strategy","isPrimacyOfImpact":null},{"id":"5KTwi2BDQ9xiS6EoKb6ipc","url":"https://polygonscan.com/address/0x91a55E4b057119e20334258f7C5EAB8822491CEb","type":"smart_contract","addedAt":"2022-05-10T15:45:58.993Z","revision":1,"description":"quick-btc-usdc 
vault","isPrimacyOfImpact":null},{"id":"6CSHVfhOMY8LQ7RK5gyjYp","url":"https://polygonscan.com/address/0x75bC3FC2Cd3756f0dC7dc5211CE44fAcDd9B005E","type":"smart_contract","addedAt":"2022-05-10T15:46:00.020Z","revision":1,"description":"quick-matic-usdc strategy","isPrimacyOfImpact":null},{"id":"569BjyqAIhf871YpuhO9pw","url":"https://polygonscan.com/address/0xC1A2e8274D390b67A7136708203D71BF3877f158","type":"smart_contract","addedAt":"2022-05-10T15:46:01.154Z","revision":1,"description":"quick-matic-usdc vault","isPrimacyOfImpact":null},{"id":"JSifkU161IGilQOgqKZnl","url":"https://polygonscan.com/address/0xB682a2F1e6C87819e9aDEdBe366548B59Ab122E8","type":"smart_contract","addedAt":"2022-05-10T15:46:02.229Z","revision":1,"description":"quick-vision-eth strategy","isPrimacyOfImpact":null},{"id":"2V0cbBFTZ9yh6uAmQ2KWlH","url":"https://polygonscan.com/address/0xAbA81D550C326DFf2cE0D31bC7Aa6289d576591E","type":"smart_contract","addedAt":"2022-05-10T15:46:03.284Z","revision":1,"description":"quick-vision-eth vault","isPrimacyOfImpact":null},{"id":"2F6oTkgR1Bim76zLqWb3To","url":"https://polygonscan.com/address/0x748f243931b841F2C4d6f298abB85d7A23FE7c2a","type":"smart_contract","addedAt":"2022-05-10T15:46:04.243Z","revision":1,"description":"curve-am3crv strategy","isPrimacyOfImpact":null},{"id":"7MNK1QDRy2iifJ0qeP9oke","url":"https://polygonscan.com/address/0xAA7C2879DaF8034722A0977f13c343aF0883E92e","type":"smart_contract","addedAt":"2022-05-10T15:46:05.616Z","revision":1,"description":"curve-am3crv vault","isPrimacyOfImpact":null},{"id":"3h9KsNuJWOLIg4c9cPMkcU","url":"https://polygonscan.com/address/0xaEaF5294Cc6FAcB023c0999A0b1786C4C0b3d520","type":"smart_contract","addedAt":"2022-05-10T15:46:06.803Z","revision":1,"description":"quick-degen-eth 
strategy","isPrimacyOfImpact":null},{"id":"4hSoJvgMJaCszw5oyor82r","url":"https://polygonscan.com/address/0xF7A5eC9168B4C5688b3ad599Aa5c8E1922fEacAE","type":"smart_contract","addedAt":"2022-05-10T15:46:08.552Z","revision":1,"description":"quick-degen-eth vault","isPrimacyOfImpact":null},{"id":"5mQXAaSaYwNzhXSsMxORI3","url":"https://polygonscan.com/address/0x9e6d524b000066e60284E2Ee14437d071B6b498F","type":"smart_contract","addedAt":"2022-05-10T15:46:09.555Z","revision":1,"description":"quick-cc10-eth strategy","isPrimacyOfImpact":null},{"id":"YfjkOhxtzw3hgsTEx2JX7","url":"https://polygonscan.com/address/0x6F6bbbCA49b4b2cE0E27eb0156977048AC3434B9","type":"smart_contract","addedAt":"2022-05-10T15:46:10.572Z","revision":1,"description":"quick-cc10-eth vault","isPrimacyOfImpact":null},{"id":"5EZ1I3nDum0aAohCBPtOhu","url":"https://polygonscan.com/address/0x9E75f8298e458B76382870982788988A0799195b","type":"smart_contract","addedAt":"2022-05-10T15:46:11.632Z","revision":1,"description":"pzap-pzap-usdc strategy","isPrimacyOfImpact":null},{"id":"65qDCsHetirtp40tmQEOYh","url":"https://polygonscan.com/address/0xBA4FA9A5e1e573fA5267970238af5Edf40727315","type":"smart_contract","addedAt":"2022-05-10T15:46:12.731Z","revision":1,"description":"pzap-pzap-usdc vault","isPrimacyOfImpact":null},{"id":"51fIlrTFYjhwMeULL8CcVV","url":"https://polygonscan.com/address/0x6677c03B2c7Da09dfbD869daeec3ccFd4eCC4B5F","type":"smart_contract","addedAt":"2022-05-10T15:46:13.831Z","revision":1,"description":"pzap-pzap-matic strategy","isPrimacyOfImpact":null},{"id":"5KfuM9eYcSFustzyT40b6w","url":"https://polygonscan.com/address/0xf2984c27B963A14F9f3B7326096c54fb05d5b9AF","type":"smart_contract","addedAt":"2022-05-10T15:46:14.917Z","revision":1,"description":"pzap-pzap-matic 
vault","isPrimacyOfImpact":null},{"id":"2HaFxgcyHAPfalFqAFDHFK","url":"https://polygonscan.com/address/0xc7506185DD847346B34e495C3Ffd8F9d34824F5F","type":"smart_contract","addedAt":"2022-05-10T15:46:15.924Z","revision":1,"description":"cometh-bifi-eth strategy","isPrimacyOfImpact":null},{"id":"7zgnitUgly6ff8jnAPhlTR","url":"https://polygonscan.com/address/0x9649e6E5c689f21BC27B47CE4177f7c5f7281E20","type":"smart_contract","addedAt":"2022-05-10T15:46:16.975Z","revision":1,"description":"cometh-bifi-eth vault","isPrimacyOfImpact":null},{"id":"7x10jKC3iOw8s1Ou6kEKWH","url":"https://polygonscan.com/address/0xd8d7DB8272C02fcf784a6794b4e51647258c0660","type":"smart_contract","addedAt":"2022-05-10T15:46:18.045Z","revision":1,"description":"cometh-bifi-must strategy","isPrimacyOfImpact":null},{"id":"6ZWD5oqONXGDREQ6emQGen","url":"https://polygonscan.com/address/0x66b3d910c30f2305EA0078E06DF65e0c1745ceF0","type":"smart_contract","addedAt":"2022-05-10T15:46:19.044Z","revision":1,"description":"cometh-bifi-must vault","isPrimacyOfImpact":null},{"id":"2v6lE0JUQ87cWa5C8jYWSb","url":"https://polygonscan.com/address/0x57FdEB65b71e6aD212088E63E85825e314F2Ea62","type":"smart_contract","addedAt":"2022-05-10T15:46:20.141Z","revision":1,"description":"aave-matic strategy","isPrimacyOfImpact":null},{"id":"4L5gluSwz92zsQ670qaswM","url":"https://polygonscan.com/address/0x1d23ecC0645B07791b7D99349e253ECEbe43f614","type":"smart_contract","addedAt":"2022-05-10T15:46:21.329Z","revision":1,"description":"aave-matic vault","isPrimacyOfImpact":null},{"id":"5fFDehwAE6HQ12DztwNdTc","url":"https://polygonscan.com/address/0x8F755873546F4D0EDf7d41fF8604C8A632113eB7","type":"smart_contract","addedAt":"2022-05-10T15:46:22.350Z","revision":1,"description":"aave-aave 
strategy","isPrimacyOfImpact":null},{"id":"19vQN2UiO9NGG9NkXi8SLR","url":"https://polygonscan.com/address/0xe4b3CCbB1E48c579Ea3D764Fb258Bc908e46487E","type":"smart_contract","addedAt":"2022-05-10T15:46:23.345Z","revision":1,"description":"aave-aave vault","isPrimacyOfImpact":null},{"id":"HK7qmGQryvgogllvAvFnt","url":"https://polygonscan.com/address/0xb29cCE04365400409d476e95410547275D1F86Cf","type":"smart_contract","addedAt":"2022-05-10T15:46:24.740Z","revision":1,"description":"aave-dai strategy","isPrimacyOfImpact":null},{"id":"3h9dEePelcz2K2gqFQ8Hcb","url":"https://polygonscan.com/address/0x9B36ECeaC46B70ACfB7C2D6F3FD51aEa87C31018","type":"smart_contract","addedAt":"2022-05-10T15:46:25.817Z","revision":1,"description":"aave-dai vault","isPrimacyOfImpact":null},{"id":"3jUxuwMKTe4NFWbqKIX7dD","url":"https://polygonscan.com/address/0x4Dcbd7A18d04343aFa534f945ad13E096ebd9Ae1","type":"smart_contract","addedAt":"2022-05-10T15:46:27.264Z","revision":1,"description":"aave-usdc strategy","isPrimacyOfImpact":null},{"id":"5VMJiBRB5OQBkSRPnujrMK","url":"https://polygonscan.com/address/0xE71f3C11D4535a7F8c5FB03FDA57899B2C9c721F","type":"smart_contract","addedAt":"2022-05-10T15:46:28.262Z","revision":1,"description":"aave-usdc vault","isPrimacyOfImpact":null},{"id":"2cKZwXTTLDZNSE2VgNxxhk","url":"https://polygonscan.com/address/0xCF0354f8dAB741b889e753cCe1656327fe6ce474","type":"smart_contract","addedAt":"2022-05-10T15:46:29.286Z","revision":1,"description":"sushi-crv-eth strategy","isPrimacyOfImpact":null},{"id":"oX76PEipYeuFJ1eFYMwb3","url":"https://polygonscan.com/address/0xE695fCeD8fD93eeE54204a7fC33323a60d41865A","type":"smart_contract","addedAt":"2022-05-10T15:46:30.377Z","revision":1,"description":"sushi-crv-eth vault","isPrimacyOfImpact":null},{"id":"1S55twOAC1b434zrFwna1L","url":"https://polygonscan.com/address/0x5FCcFcd07D03FfdDa3A560d3af15d2bd7AaeE21d","type":"smart_contract","addedAt":"2022-05-10T15:46:31.649Z","revision":1,"description":"sushi-usdc-usdt 
strategy","isPrimacyOfImpact":null},{"id":"4CKvc0S5w0XnJqere0yKBl","url":"https://polygonscan.com/address/0xB6B89a05ad8228b98d0D8a77e1a695c54500db3b","type":"smart_contract","addedAt":"2022-05-10T15:46:32.689Z","revision":1,"description":"sushi-usdc-usdt vault","isPrimacyOfImpact":null},{"id":"7b9xY7eeVNApkr9d3WcNYu","url":"https://polygonscan.com/address/0x0536984a70BE296A35feD83DC8fF5d30338AbeA1","type":"smart_contract","addedAt":"2022-05-10T15:46:33.748Z","revision":1,"description":"sushi-link-eth strategy","isPrimacyOfImpact":null},{"id":"qX63auWCIFF2nEzObXVyJ","url":"https://polygonscan.com/address/0xaE65a66B3c7f8cc1ba71cEA740C953aBa0F3Ce8b","type":"smart_contract","addedAt":"2022-05-10T15:46:34.801Z","revision":1,"description":"sushi-link-eth vault","isPrimacyOfImpact":null},{"id":"6Tc433usKkcmtMoFTjoVEk","url":"https://polygonscan.com/address/0xe1B9EB8eAf3F278800AcE13a815DDdc24673F0C6","type":"smart_contract","addedAt":"2022-05-10T15:46:35.840Z","revision":1,"description":"quick-mocean-matic strategy","isPrimacyOfImpact":null},{"id":"6VtK7UXbbVSXesddtonQcq","url":"https://polygonscan.com/address/0x82303a4b2c821204A84AB2a068eC8EDf3Bc23061","type":"smart_contract","addedAt":"2022-05-10T15:46:36.838Z","revision":1,"description":"quick-mocean-matic vault","isPrimacyOfImpact":null},{"id":"10IN9Kpd3ZPb5qdFJkqNmz","url":"https://polygonscan.com/address/0x5E70Ad3438Fe87e0ec89CF15a53aFb2caC39cC6C","type":"smart_contract","addedAt":"2022-05-10T15:46:37.870Z","revision":1,"description":"quick-any-quick strategy","isPrimacyOfImpact":null},{"id":"5i9NlN681zTcMYjx8t86dC","url":"https://polygonscan.com/address/0x2849095eE44eCd5f60Ed04f94e5BB45623A8e75a","type":"smart_contract","addedAt":"2022-05-10T15:46:38.906Z","revision":1,"description":"quick-any-quick 
vault","isPrimacyOfImpact":null},{"id":"e06JbOQZBugXsyktjZhFw","url":"https://polygonscan.com/address/0x57b3D28fe4824d42c1F8d2786B89bC89e8c68d66","type":"smart_contract","addedAt":"2022-05-10T15:46:40.231Z","revision":1,"description":"quick-frax-quick strategy","isPrimacyOfImpact":null},{"id":"2EP801PxJn25ES7Nhu6C1F","url":"https://polygonscan.com/address/0x442ca31De7E6732455e60e3641Ac076fa7a0905f","type":"smart_contract","addedAt":"2022-05-10T15:46:41.220Z","revision":1,"description":"quick-frax-quick vault","isPrimacyOfImpact":null},{"id":"72fARTgE7ApuAxShyImqBF","url":"https://polygonscan.com/address/0x71e2c040F3B9670C693215509A0c0846D221756a","type":"smart_contract","addedAt":"2022-05-10T15:46:42.380Z","revision":1,"description":"sushi-aave-eth strategy","isPrimacyOfImpact":null},{"id":"3IVuq75xpwCEy5pyKT4SVD","url":"https://polygonscan.com/address/0x866a910F3375d0dEBDdD904A36B3940aFcD29900","type":"smart_contract","addedAt":"2022-05-10T15:46:43.397Z","revision":1,"description":"sushi-aave-eth vault","isPrimacyOfImpact":null},{"id":"5aqztia2y441MeHYusK2ls","url":"https://polygonscan.com/address/0xB982421883c5c022181b67cBC6b4709A564A6728","type":"smart_contract","addedAt":"2022-05-10T15:46:44.447Z","revision":1,"description":"sushi-eth-dai strategy","isPrimacyOfImpact":null},{"id":"4BszJnlAAEqttFmigzw5nR","url":"https://polygonscan.com/address/0x6b6ca47520dDC9333B8bD09a1e64204648B63274","type":"smart_contract","addedAt":"2022-05-10T15:46:45.719Z","revision":1,"description":"sushi-eth-dai vault","isPrimacyOfImpact":null},{"id":"53dsqotVoNNTH1rbudtfZu","url":"https://polygonscan.com/address/0x170712B04A24FdBCC021Dd461Afd048c8cF2348d","type":"smart_contract","addedAt":"2022-05-10T15:46:46.733Z","revision":1,"description":"sushi-btc-eth 
strategy","isPrimacyOfImpact":null},{"id":"6m6uaCitiJ4Xp9f2D6nc1d","url":"https://polygonscan.com/address/0x6530E351074f1f9fdf254dC7d7d8A44324E158a4","type":"smart_contract","addedAt":"2022-05-10T15:46:47.727Z","revision":1,"description":"sushi-btc-eth vault","isPrimacyOfImpact":null},{"id":"PSU6XuYdigqMAR6zmf746","url":"https://polygonscan.com/address/0xc4cb1Dc51eAD37fD19d0C24EC6136Dbb639789cA","type":"smart_contract","addedAt":"2022-05-10T15:46:48.804Z","revision":1,"description":"sushi-eth-usdt strategy","isPrimacyOfImpact":null},{"id":"4dg76Ru5UVP8E36BVl0AOK","url":"https://polygonscan.com/address/0xE8417099971151CD5CfAE264e25634Fac05cA2b3","type":"smart_contract","addedAt":"2022-05-10T15:46:49.968Z","revision":1,"description":"sushi-eth-usdt vault","isPrimacyOfImpact":null},{"id":"3aVU0mAM2jxl2uIR17wAV","url":"https://polygonscan.com/address/0xB4cc236af16e8FBEf8600C2D482901E84AB723c4","type":"smart_contract","addedAt":"2022-05-10T15:46:51.032Z","revision":1,"description":"sushi-usdc-eth strategy","isPrimacyOfImpact":null},{"id":"35u4yHXcPLD6De8gRlodOu","url":"https://polygonscan.com/address/0xE4DB97A2AAFbfef40D1a4AE8B709f61d6756F8e1","type":"smart_contract","addedAt":"2022-05-10T15:46:52.146Z","revision":1,"description":"sushi-usdc-eth vault","isPrimacyOfImpact":null},{"id":"1EBZxzVzgDRoiYsbSO1lZa","url":"https://polygonscan.com/address/0x8A8E3aBAb418671bdb7A47E45d2Fcd7726e46D74","type":"smart_contract","addedAt":"2022-05-10T15:46:53.218Z","revision":1,"description":"sushi-matic-eth strategy","isPrimacyOfImpact":null},{"id":"cNAE1p7MsqdRmK7frBTyv","url":"https://polygonscan.com/address/0xC8e809a9180d637Cc23dAf60b41B70CA1ad5Fc08","type":"smart_contract","addedAt":"2022-05-10T15:46:54.348Z","revision":1,"description":"sushi-matic-eth 
vault","isPrimacyOfImpact":null},{"id":"Zam8cUFi8wpd8XvwyIwdf","url":"https://polygonscan.com/address/0xa54e6dc91FCb22a24437e8650266BfE9590a2820","type":"smart_contract","addedAt":"2022-05-10T15:46:55.378Z","revision":1,"description":"cometh-azuki-eth strategy","isPrimacyOfImpact":null},{"id":"35Z8xIeclqpuoiGM62agkj","url":"https://polygonscan.com/address/0xe95d14D09a8F6034C582bd993A2F2aA8ecEC72f0","type":"smart_contract","addedAt":"2022-05-10T15:46:56.400Z","revision":1,"description":"cometh-azuki-eth vault","isPrimacyOfImpact":null},{"id":"36AqpVl7no81dbZt9PZevl","url":"https://polygonscan.com/address/0xfb7344a4cF25CDe5aaF6415107a8deF769FC200B","type":"smart_contract","addedAt":"2022-05-10T15:46:57.500Z","revision":1,"description":"cometh-doki-eth strategy","isPrimacyOfImpact":null},{"id":"71YlhKFoxlf2fZby4nZBDN","url":"https://polygonscan.com/address/0x383489a0A5deA3f1499c638e0258F7e6a68a253f","type":"smart_contract","addedAt":"2022-05-10T15:46:59.073Z","revision":1,"description":"cometh-doki-eth vault","isPrimacyOfImpact":null},{"id":"2Yzs9VlhJbPkq06HNJf3lJ","url":"https://polygonscan.com/address/0xdd3E5c7787eB38a362bBF3D395FC9f27924B7317","type":"smart_contract","addedAt":"2022-05-10T15:47:00.244Z","revision":1,"description":"quick-usdc-usdt strategy","isPrimacyOfImpact":null},{"id":"2t4XYnU0ZeMA1bQpecrCMv","url":"https://polygonscan.com/address/0x4462817b53E76b722c2D174D0148ddb81452f1dE","type":"smart_contract","addedAt":"2022-05-10T15:47:01.436Z","revision":1,"description":"quick-usdc-usdt vault","isPrimacyOfImpact":null},{"id":"6Zjgip8ekiYvZN7Gjarl4c","url":"https://polygonscan.com/address/0x0BF58A328C7739D8b097B1d4199f48AA3F1b2788","type":"smart_contract","addedAt":"2022-05-10T15:47:02.503Z","revision":1,"description":"cometh-must-eth 
strategy","isPrimacyOfImpact":null},{"id":"3VDEjyHLDMduem2dL8N0mZ","url":"https://polygonscan.com/address/0x7CE2332fAF6328986C75e3A8fCc1CB79621aeB1F","type":"smart_contract","addedAt":"2022-05-10T15:47:03.687Z","revision":1,"description":"cometh-must-eth vault","isPrimacyOfImpact":null},{"id":"7hU7MJQngOtAF99rUFlEVw","url":"https://polygonscan.com/address/0x481E3e463a78eC1DC6f02e664491C7d94F6d82a5","type":"smart_contract","addedAt":"2022-05-10T15:47:04.686Z","revision":1,"description":"quick-eth-btc strategy","isPrimacyOfImpact":null},{"id":"5ERB1um39ZFhB0spLnMmsC","url":"https://polygonscan.com/address/0xf26607237355D7c6183ea66EC908729E9c6eEB6b","type":"smart_contract","addedAt":"2022-05-10T15:47:05.679Z","revision":1,"description":"quick-eth-btc vault","isPrimacyOfImpact":null},{"id":"3XyAZL4LhjtzQd06ly30rY","url":"https://polygonscan.com/address/0x470052FEd23A2887e3e679c3D8544529DA8B272f","type":"smart_contract","addedAt":"2022-05-10T15:47:06.734Z","revision":1,"description":"quick-ubt-eth strategy","isPrimacyOfImpact":null},{"id":"GaIzu7pwl6nBgzbVS2PSs","url":"https://polygonscan.com/address/0x942aa6324E5D0C102d3Ad6607495ac5e798a991a","type":"smart_contract","addedAt":"2022-05-10T15:47:07.857Z","revision":1,"description":"quick-ubt-eth vault","isPrimacyOfImpact":null},{"id":"ksdDekjOuh155ZR1jmyqm","url":"https://polygonscan.com/address/0xc1C1eB984218B9570beA53C0Dad14283a6E9E81C","type":"smart_contract","addedAt":"2022-05-10T15:47:08.858Z","revision":1,"description":"quick-defi5-eth strategy","isPrimacyOfImpact":null},{"id":"2xjSX0pYoFsUGXi1Ty1Oiv","url":"https://polygonscan.com/address/0x53e674D5cC969930420d73E4b79Ee0D46cCdf6c4","type":"smart_contract","addedAt":"2022-05-10T15:47:09.836Z","revision":1,"description":"quick-defi5-eth 
vault","isPrimacyOfImpact":null},{"id":"1Ojelt6T74eVQpBpZdazIv","url":"https://polygonscan.com/address/0x88F2ADA49F24fF14005633e66050f763b2E07b7f","type":"smart_contract","addedAt":"2022-05-10T15:47:10.890Z","revision":1,"description":"quick-wise-eth strategy","isPrimacyOfImpact":null},{"id":"7jxTKH8D5YObiqarmGR2bJ","url":"https://polygonscan.com/address/0x76cE86B1e1b7a3983B26F7E57B2A0C8896f7eB0D","type":"smart_contract","addedAt":"2022-05-10T15:47:11.915Z","revision":1,"description":"quick-wise-eth vault","isPrimacyOfImpact":null},{"id":"6u4KehjDWsKcwnQ9Z6s5XZ","url":"https://polygonscan.com/address/0x06A1f520555222758eaE4dA0573351FdaD1e7843","type":"smart_contract","addedAt":"2022-05-10T15:47:12.927Z","revision":1,"description":"quick-cel-eth strategy","isPrimacyOfImpact":null},{"id":"6188ygRIzvtg8k4gvZdMEm","url":"https://polygonscan.com/address/0xeF1870FddC25586636bf8a3d7cCf4d298f6E072e","type":"smart_contract","addedAt":"2022-05-10T15:47:14.036Z","revision":1,"description":"quick-cel-eth vault","isPrimacyOfImpact":null},{"id":"4ziJReWSsXvmnfHNRpPDCc","url":"https://polygonscan.com/address/0x3177389Fa69a226f52A079FDd0a564C813baB53B","type":"smart_contract","addedAt":"2022-05-10T15:47:15.146Z","revision":1,"description":"quick-quick-eth strategy","isPrimacyOfImpact":null},{"id":"44ol7GxWGgL6GIiRjKz3qU","url":"https://polygonscan.com/address/0x66df1B2d22759D03A9f37BAaAc826089e56a5936","type":"smart_contract","addedAt":"2022-05-10T15:47:16.164Z","revision":1,"description":"quick-quick-eth vault","isPrimacyOfImpact":null},{"id":"5KPhxt2OBvWJWobnAySr0f","url":"https://polygonscan.com/address/0x1F38c4b1D4990652FC5E433583e81f4F828988a0","type":"smart_contract","addedAt":"2022-05-10T15:47:17.192Z","revision":1,"description":"quick-aave-eth 
strategy","isPrimacyOfImpact":null},{"id":"1IwISVfCE4c1kmU91fWY93","url":"https://polygonscan.com/address/0x752948B4493d2Ee09c95F944A76005aEBF410087","type":"smart_contract","addedAt":"2022-05-10T15:47:18.186Z","revision":1,"description":"quick-aave-eth vault","isPrimacyOfImpact":null},{"id":"2v6ya8sIqrKo3MYrSIjOcD","url":"https://polygonscan.com/address/0x9C50880a547A7a247E2C8cA5b444624D3A2AB81B","type":"smart_contract","addedAt":"2022-05-10T15:47:19.348Z","revision":1,"description":"quick-link-eth strategy","isPrimacyOfImpact":null},{"id":"2pF1cAyqvOAdBj3riby9yT","url":"https://polygonscan.com/address/0xaB4105375FbE5F502B0da986F46ADf7a21762e52","type":"smart_contract","addedAt":"2022-05-10T15:47:20.509Z","revision":1,"description":"quick-link-eth vault","isPrimacyOfImpact":null},{"id":"2loOZfwA7S7Ke9UzRvdqJo","url":"https://polygonscan.com/address/0x2C3d263b560b2700fcf19e78f2EBD4d59EB7b3c5","type":"smart_contract","addedAt":"2022-05-10T15:47:21.541Z","revision":1,"description":"quick-eth-usdt strategy","isPrimacyOfImpact":null},{"id":"37VdDodb88hWQ0uFmbEol4","url":"https://polygonscan.com/address/0xC422261EdC5dB679CAd9BC403e886351De540e77","type":"smart_contract","addedAt":"2022-05-10T15:47:23.085Z","revision":1,"description":"quick-eth-usdt vault","isPrimacyOfImpact":null},{"id":"UQMORyjLO6vD2fyEqtjA8","url":"https://polygonscan.com/address/0x46CB7f33E4cc10B34c0d0fece66fd4830B869B46","type":"smart_contract","addedAt":"2022-05-10T15:47:24.076Z","revision":1,"description":"quick-eth-matic strategy","isPrimacyOfImpact":null},{"id":"1MR05EPtNaiBwtCTGsuy6B","url":"https://polygonscan.com/address/0x8b89477dFde285849E1B07947E25012206F4D674","type":"smart_contract","addedAt":"2022-05-10T15:47:25.396Z","revision":1,"description":"quick-eth-matic 
vault","isPrimacyOfImpact":null},{"id":"3RNufSjvHeygjIbtpr0JTN","url":"https://polygonscan.com/address/0x79807CCE3e75dcDb8641C834e8065dD1Cee12a2A","type":"smart_contract","addedAt":"2022-05-10T15:47:26.526Z","revision":1,"description":"quick-quick-matic strategy","isPrimacyOfImpact":null},{"id":"62mEeF1dYBWJUXNouCuD1k","url":"https://polygonscan.com/address/0xa008B727ddBa283Ddb178b47BB227Cdbea5C1bfD","type":"smart_contract","addedAt":"2022-05-10T15:47:27.766Z","revision":1,"description":"quick-quick-matic vault","isPrimacyOfImpact":null},{"id":"4Q3pZRIMyfPZInaioQ7PxM","url":"https://polygonscan.com/address/0xb0F9c6FBcfE226EEAD3AE8b019ce4666cE223a78","type":"smart_contract","addedAt":"2022-05-10T15:47:29.584Z","revision":1,"description":"cometh-eth-matic strategy","isPrimacyOfImpact":null},{"id":"7H3zmOOiM4O4nldCcM68JT","url":"https://polygonscan.com/address/0xa5aaE3a55cA356C62b5425AA4bFC212542B17777","type":"smart_contract","addedAt":"2022-05-10T15:47:30.636Z","revision":1,"description":"cometh-eth-matic vault","isPrimacyOfImpact":null},{"id":"3Fschx6KwUwp26TYWvxAIX","url":"https://polygonscan.com/address/0xA338D34c5de06B88197609956a2dEAAfF7Af46c8","type":"smart_contract","addedAt":"2022-05-10T15:47:31.634Z","revision":1,"description":"cometh-matic-must strategy","isPrimacyOfImpact":null},{"id":"5plP6Y1hunlNDCiesMStHA","url":"https://polygonscan.com/address/0x7f6fE34C51d5352A0CF375C0Fbe03bD19eCD8460","type":"smart_contract","addedAt":"2022-05-10T15:47:32.669Z","revision":1,"description":"cometh-matic-must vault","isPrimacyOfImpact":null},{"id":"15Q10kGB6MgF78L9O9cb9i","url":"https://polygonscan.com/address/0xf6fD90FE8f057a63F0368B0B551D5e52C7Ae821F","type":"smart_contract","addedAt":"2022-05-10T15:47:33.804Z","revision":1,"description":"cometh-usdc-must 
strategy","isPrimacyOfImpact":null},{"id":"1YMyLmWeH92QvyB6PT1FD7","url":"https://polygonscan.com/address/0x8a198BCbF313A5565c64A7Ed61FaA413eB4E0931","type":"smart_contract","addedAt":"2022-05-10T15:47:34.948Z","revision":1,"description":"cometh-usdc-must vault","isPrimacyOfImpact":null},{"id":"69OefgQ4IQ2SvfsNGYPHmY","url":"https://polygonscan.com/address/0x540A9f99bB730631BF243a34B19fd00BA8CF315C","type":"smart_contract","addedAt":"2022-05-10T15:47:35.996Z","revision":1,"description":"Zap QuickSwap","isPrimacyOfImpact":null},{"id":"1tTeHwdFWWXZ3zFRdFUIG0","url":"https://polygonscan.com/address/0x872c9DCE4B107042933AFD51E8A704631f7EE076","type":"smart_contract","addedAt":"2022-05-10T15:47:37.055Z","revision":1,"description":"Zap Cometh","isPrimacyOfImpact":null},{"id":"5ZDdfbUU1x6fXJz30l2FHo","url":"https://polygonscan.com/address/0xf039fe26456901F863c873556f40fb207C6c9C18","type":"smart_contract","addedAt":"2022-05-10T15:47:38.061Z","revision":1,"description":"Zap Sushi","isPrimacyOfImpact":null},{"id":"53HJolYS1v0LDVBKMQLdt0","url":"https://polygonscan.com/address/0x0EA7b115D96C4dF61B3e7d6757f0050F23492929","type":"smart_contract","addedAt":"2022-05-10T15:47:39.206Z","revision":1,"description":"Zap Wault","isPrimacyOfImpact":null},{"id":"4zqiP9PM080G5hx48ctyfK","url":"https://polygonscan.com/address/0xaAa3477c6b326e2E416Af7506A30F4519bC9960F","type":"smart_contract","addedAt":"2022-05-10T15:47:40.219Z","revision":1,"description":"Zap ApeSwap","isPrimacyOfImpact":null},{"id":"7fIz6v8L3nKdNddR5BvYck","url":"https://polygonscan.com/address/0x1A53c6FCa349c23f573CEdd3F8AFE70c02CcEC39","type":"smart_contract","addedAt":"2022-05-10T15:47:41.333Z","revision":1,"description":"Zap DYFN","isPrimacyOfImpact":null},{"id":"3eotWOqxgLRfeOeA8s9xZP","url":"https://app.beefy.finance/","type":"websites_and_applications","addedAt":"2022-05-13T15:11:36.691Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"Only web/app vulnerabilities that __directly__ 
affect the web/app assets listed in this table are accepted within the bug bounty program. All others are out-of-scope.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-07-15T16:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4RRpze2TX8zrUXZRASuA5J/7b80332fae613b69171bc40baf22b097/BeefyFinance_Small.png","maxBounty":75000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types as long as they result in an impact stated in the Impacts in Scope section:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging 
interfaces\n\n__Websites and Apps__\n\n  - Remote Code Execution\n  - Trusting trust/dependency vulnerabilities\n  - Vertical Privilege Escalation\n  - XML External Entities Injection\n  - SQL Injection\n  - LFI/RFI\n  - Horizontal Privilege Escalation\n  - Stored XSS\n  - Reflective XSS with impact\n  - CSRF with impact\n  - Direct object reference\n  - Internal SSRF\n  - Session fixation\n  - Insecure Deserialization\n  - DOM XSS\n  - SSL misconfigurations\n  - SSL/TLS issues (weak crypto, improper setup)\n  - URL redirect\n  - Clickjacking (must be accompanied with PoC)\n  - Misleading Unicode text (e.g. using right to left override characters)","productType":["Yield Aggregator"],"programOverview":"Beefy Finance is a Decentralized, Multi-Chain Yield Optimizer platform that allows its users to earn compound interest on their crypto holdings. Through a set of investment strategies secured and enforced by smart contracts, Beefy Finance automatically maximizes the user rewards from various liquidity pools (LPs),‌ ‌automated market making (AMM) projects,‌ ‌and‌ ‌other yield‌ farming ‌opportunities in the DeFi ecosystem.\nThe main product offered by Beefy Finance are the 'Vaults' in which users stake their crypto tokens. The investment strategy tied to the specific vault will automatically increase the user’s deposited token amount by compounding arbitrary yield farm reward tokens back into their initially deposited asset. Despite what the name 'Vault' suggests, user funds are never locked in any vault on Beefy Finance: users can always withdraw at any moment in time.\n\nFor more information about Beefy Finance, please visit [https://www.beefy.finance/](https://www.beefy.finance/).  
\n\nThe bug bounty program covers its smart contracts and apps and is focused on the prevention of the following negative impacts:\n\n  - Significant Vault hack/exploit\n  - Theft of Governance Funds \n  - Website down/DDOS attack","programType":["Smart Contract","Websites and Applications"],"project":"Beefy Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll web and app bugs must come with a PoC in order to be accepted. All web and app bug reports without a PoC will be rejected with a request for a PoC.\n\nAll bug reports must come with a suggestion on how to fix the vulnerability in order to be considered for a reward.\n\nPayouts are handled by the __Beefy Finance__ team directly and are denominated in USD. Payouts are done in a stablecoin, __BTC__, or __ETH__, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"BTC, ETH","slug":"beefyfinance","updatedDate":"2024-12-02T18:46:02.247Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Beefy Finance is a Decentralized, Multi-Chain Yield Optimizer platform that allows its users to earn compound interest on their crypto holdings. Through a set of investment strategies secured and enforced by smart contracts, Beefy Finance automatically maximizes the user rewards from various liquidity pools (LPs),‌ ‌automated market making (AMM) projects,‌ ‌and‌ ‌other yield‌ farming ‌opportunities in the DeFi ecosystem. 
The main product offered by Beefy Finance are the 'Vaults' in which users stake their crypto tokens.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Attacks requiring privileged access from within the organization\n  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":653,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction such as iframing leading to modifying the backend/browser state ("},{"id":654,"type":"websites_and_applications","severity":"low","title":"Any impact involving a publicly released CVE without a working PoC"},{"id":655,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links such as social media handles, etc."},{"id":656,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as locking up the victim from login, cookie bombing, etc."},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":657,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, 
etc."},{"id":658,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":659,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":660,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":661,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":662,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":663,"type":"smart_contract","severity":"critical","title":"Any governance voting result 
manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":664,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":665,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":666,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":667,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious 
transactions"}],"rewards":[{"id":8940,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":8941,"severity":"low","assetType":"smart_contract","fixedReward":500,"rewardModel":"fixed"},{"id":8942,"severity":"critical","assetType":"websites_and_applications","fixedReward":25000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":8943,"severity":"high","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":8944,"severity":"medium","assetType":"websites_and_applications","fixedReward":4000,"rewardModel":"fixed"},{"id":8945,"severity":"low","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":8938,"severity":"critical","assetType":"smart_contract","fixedReward":75000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":8939,"severity":"high","assetType":"smart_contract","fixedReward":15000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"kjatSliFYzXPjM91YTTTz","url":"https://etherscan.io/address/0xa03492a9a663f04c51684a3c172fc9c4d7e02edc","type":"smart_contract","addedAt":"2022-02-10T10:42:34.917Z","revision":1,"description":"Ante Pool Factory","isPrimacyOfImpact":null},{"id":"3O6fIsIkfj3N5ZCFWeuQbF","url":"https://etherscan.io/address/0xE48f6A36f3712E389ce666BCEcD88BA60c30aE50","type":"smart_contract","addedAt":"2022-02-10T10:43:28.448Z","revision":1,"description":"Ante Pool","isPrimacyOfImpact":null},{"id":"5a4ngCk05RJaiF5CjSS9Wk","url":"https://etherscan.io/address/0x5f3555Febf9bF4930ad581dB008f8b0F6239C6Fc","type":"smart_contract","addedAt":"2022-02-10T10:43:14.101Z","revision":1,"description":"Ante Pool","isPrimacyOfImpact":null},{"id":"3oHD6NFcwNbCpzJmXn3Inv","url":"https://etherscan.io/address/0xFc2Bd420ae071a812Ea238C5916198024E00fE33","type":"smart_contract","addedAt":"2022-02-10T10:45:15.904Z","revision":1,"description":"Ante 
Pool","isPrimacyOfImpact":null},{"id":"OIg9vGoEfyx60C3SzkLAJ","url":"https://etherscan.io/address/0x28b549845B6fE1939783ba0bDb3ba1a598da0394","type":"smart_contract","addedAt":"2022-02-10T10:44:15.428Z","revision":1,"description":"Ante Pool","isPrimacyOfImpact":null},{"id":"Mk5i7yVqTO9gGOi41CxnP","url":"https://etherscan.io/address/0x6e1000a6088Eb3dD1493492626E556F6d9A17BD1","type":"smart_contract","addedAt":"2022-02-10T10:44:39.713Z","revision":1,"description":"Ante Pool","isPrimacyOfImpact":null},{"id":"6TJAyo9dduqCbWgArpkWwn","url":"https://etherscan.io/address/0x22075f4cD76299822Eb8D1546f5DcF775c90AA87","type":"smart_contract","addedAt":"2022-02-10T10:45:08.930Z","revision":1,"description":"Ante Pool","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2022-01-05T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4CENEoWKC4YGCHgAxZ1f4U/1e4a8244ff3ba31e495992ea3dc67ddc/Ante_logo.png","maxBounty":25000,"pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n__Smart Contracts__ \n\nCritical\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Insolvency\n  - Loss of funds in Ante Pool that is not triggered by a valid withdrawal of funds by the user who deposited or settlement (in the case of a failed Ante Test)\n  - Inability for stakers or challengers to withdraw funds from the pool (except in the case of a failed Ante Test) \n  - AntePool triggers test failure workflow when underlying AnteTest did not revert or fail\n\nHigh\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds for 48 hours\n  - Incorrect payment to stakers from challenger decay mechanism (aside from inaccuracy described above)\n  - Incorrect loss of funds from challengers due to challenger decay mechanism  (aside from inaccuracy described above)\n  - Incorrect payout to challengers on settlement following a failed Ante Test\n  - Withdrawal of staked funds by stakers without waiting for 24 hr window to pass following initialization of unstake\n\nMedium\n  - Smart contract unable to operate due to lack of funds \n  - Block stuffing for profit\n  - Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)\n  - Theft of gas\n  - Unbounded gas consumption \n\nLow\n  - Smart contract fails to deliver promised returns, but doesn’t lose value","productType":["Staking"],"programOverview":"Ante Finance enables blockchain protocols and developers to create incentivized, real-time, and autonomous guarantees for any smart contract system on any blockchain. Ante envisions becoming the global Schelling point for decentralized trust.\n\nFor more information about Ante, please visit [https://www.ante.finance/](https://www.ante.finance/). 
\n\nThis bug bounty program is focused on their smart contracts and is focused on preventing:\n\n  - Theft or freezing of user funds aside from normal functioning of AntePool contract\n  - Incorrect calculation of rewards for stakers/challengers beyond error bounds described in technical doc\n  - Incorrect calculation of decay payments beyond error bounds described in technical doc\n  - False positive triggering of test failure on AntePool even if underlying test did not fail or revert","programType":["Smart Contract"],"project":"Ante Finance","projectType":["Blockchain","Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nThe following vulnerabilities are not eligible for a reward:\n\n  - Challenger decay calculation is inaccurate and slightly overestimates the decay paid by challengers (overall error is < 1%/year even in the worst case scenario). 
Calculation is more accurate the more often updateDecay() is called.\n  - Staker and challenger balances are slightly underestimated due to rounding issues in intermediate calculations, overall loss is small relative to total pool balance flux (< 0.1%)\n  - Test verification can be frontrun by challengers who stake small amounts of ether in every pool.\n  - checkTest gas usage can be unbounded as it scales linearly with number of unique challengers\n  - Any exploits related to malicious actors cloning and redeploying our contracts (i.e., deploying their own version of AntePoolFactory or deploying AntePools without the use of our AntePoolFactory contract)\n  - Any exploits related to using malicious AnteTests to steal/lock user funds\n\nIn addition to Immunefi’s Vulnerability Severity Classification System, Ante classifies the following vulnerabilities as follows. In case of discrepancy, the one below will be followed. \n\n  - Medium\n    - AntePool contract consumes unbounded gas aside from (i) known scaling of checkTest gas usage with number of challengers or (ii) due to malicious AnteTests that consume unbounded gas \n\nAnte requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is the bug bounty hunter's full name, scan of ID, country and a self-certification that the bug bounty hunter is not a sanctioned person or otherwise prohibited by law from receiving payment from Ante. The collection of this information will be done by the Ante team. \n\nPayouts are handled by the __Ante__ team directly and are denominated in USD. 
However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"antefinance","tenPercentEconomicRule":false,"updatedDate":"2024-12-02T18:33:01.800Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Ante Finance enables blockchain protocols and developers to create incentivized, real-time, and autonomous guarantees for any smart contract system on any blockchain. Ante envisions becoming the global Schelling point for decentralized trust.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - Attacks that are already known or outlined in any audits, https://github.com/antefinance/ante-v05-core/tree/v0.5/audit","customProhibitedActivities":[],"impacts":[{"id":1360,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":1361,"type":"smart_contract","severity":"high","title":"Incorrect payment to stakers from challenger decay mechanism (aside from inaccuracy described above)"},{"id":1362,"type":"smart_contract","severity":"high","title":"Incorrect loss of funds from challengers due to challenger decay mechanism (aside from inaccuracy described above)"},{"id":1363,"type":"smart_contract","severity":"high","title":"Incorrect payout to challengers on settlement following a failed Ante Test"},{"id":1364,"type":"smart_contract","severity":"high","title":"Withdrawal of staked funds by stakers without waiting for 24 hr window to pass following initialization of unstake"},{"id":1365,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of 
funds"},{"id":1366,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":1367,"type":"smart_contract","severity":"critical","title":"Insolvency"},{"id":1368,"type":"smart_contract","severity":"critical","title":"Loss of funds in Ante Pool that is not triggered by a valid withdrawal of funds by the user who deposited or settlement (in the case of a failed Ante Test)"},{"id":1369,"type":"smart_contract","severity":"critical","title":"Inability for stakers or challengers to withdraw funds from the pool (except in the case of a failed Ante Test)"},{"id":1370,"type":"smart_contract","severity":"critical","title":"AntePool triggers test failure workflow when underlying AnteTest did not revert or fail"}],"rewards":[{"id":8920,"severity":"critical","assetType":"smart_contract","fixedReward":25000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":8921,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":8922,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":8923,"severity":"low","assetType":"smart_contract","fixedReward":500,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4d9zuvr1wnmjoERWH1CnzZ","url":"https://etherscan.io/address/0x53773E034d9784153471813dacAFF53dBBB78E8c","type":"smart_contract","addedAt":"2022-02-10T08:05:08.135Z","revision":2,"description":"STETH Theta 
Vault","isPrimacyOfImpact":null},{"id":"58esOvETf0FJn6ItQwOEs5","url":"https://etherscan.io/address/0xA1Da0580FA96129E753D736a5901C31Df5eC5edf","type":"smart_contract","addedAt":"2022-02-10T08:05:40.991Z","revision":2,"description":"RETH Theta Vault","isPrimacyOfImpact":null},{"id":"30E1Xzn4vieAnAZQQdiJMc","url":"https://etherscan.io/address/0xDD9d1B7dEaB1A843A1B584d2CA5903B8A4735deF","type":"smart_contract","addedAt":"2022-02-10T08:06:20.224Z","revision":2,"description":"UNI Theta Vault","isPrimacyOfImpact":null},{"id":"7jBt35FxbYhiKWajvx2PnV","url":"https://etherscan.io/address/0xe63151A0Ed4e5fafdc951D877102cf0977Abd365","type":"smart_contract","addedAt":"2023-05-26T16:59:02.087Z","revision":1,"description":"AAVE Theta Vault","isPrimacyOfImpact":null},{"id":"2jQcNaTsiwE8ZzDGZjvnn9","url":"https://etherscan.io/address/0x84c2b16fa6877a8ff4f3271db7ea837233dfd6f0","type":"smart_contract","addedAt":"2023-05-26T16:58:59.034Z","revision":1,"description":"Ribbon Earn USDC","isPrimacyOfImpact":null},{"id":"3f2mnmZENYjkaZ7iJW5lLn","url":"https://etherscan.io/address/0xce5513474e077f5336cf1b33c1347fdd8d48ae8c","type":"smart_contract","addedAt":"2023-05-26T16:58:55.942Z","revision":1,"description":"Ribbon Earn STETH","isPrimacyOfImpact":null},{"id":"3lPWjNmI7NT0chf11H4VOR","url":"https://snowtrace.io/address/0x6BF686d99A4cE17798C45d09C21181fAc29A9fb3","type":"smart_contract","addedAt":"2023-05-26T16:58:52.834Z","revision":1,"description":"sAVAX Theta Vault (Avalanche Chain)","isPrimacyOfImpact":null},{"id":"5jyAEunRoR6utUBf9JtFjY","url":"https://snowtrace.io/address/0x98d03125c62DaE2328D9d3cb32b7B969e6a87787","type":"smart_contract","addedAt":"2023-05-26T16:58:50.130Z","revision":1,"description":"AVAX Theta Vault (Avalanche Chain)","isPrimacyOfImpact":null},{"id":"3PnbQI6tbvdYxUhTFrFjfr","url":"https://bscscan.com/address/0x70b9C89FCFeE3310eA6675A707427676FdC2d437","type":"smart_contract","addedAt":"2023-05-26T16:58:47.185Z","revision":1,"description":"BNB Theta Vault 
(Binance Chain)","isPrimacyOfImpact":null},{"id":"51ZyD8EQDGag600rPXnpke","url":"https://solscan.io/account/2YNj4egax5WV1zSgq9hwJFNzHSYZo2rU7S8BZuMdQMKW","type":"smart_contract","addedAt":"2023-05-26T16:58:43.788Z","revision":1,"description":"SOL Theta Vault (Solana Chain)","isPrimacyOfImpact":null},{"id":"MLqZXjDazHuLE3tmkVYM7","url":"https://etherscan.io/address/0x5feda53467125c7789c30376f91082b1fcae4989","type":"smart_contract","addedAt":"2023-05-26T16:58:41.193Z","revision":1,"description":"OTC Wrapper","isPrimacyOfImpact":null},{"id":"4B2ap3rVu9gQl2VkQQJq9x","url":"https://etherscan.io/address/0xc272F964A74AB7d2b4fD4bA27F6cc27887b833a7","type":"smart_contract","addedAt":"2023-05-26T16:58:38.561Z","revision":1,"description":"OTC Margin Requirements","isPrimacyOfImpact":null},{"id":"2kByIvctLMNAuAwWrRtuiG","url":"https://arbiscan.io/address/0x80d40e32fad8be8da5c6a42b8af1e181984d137c","type":"smart_contract","addedAt":"2024-09-17T15:21:20.338Z","revision":1,"description":"Aevo Deposit Contract Arbitrum","isPrimacyOfImpact":null},{"id":"4CXFz2CNif1kiWpFkhvOkz","url":"https://etherscan.io/address/0x4082C9647c098a6493fb499EaE63b5ce3259c574","type":"smart_contract","addedAt":"2024-09-17T15:21:36.604Z","revision":1,"description":"Aevo Deposit Contract Ethereum","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Avalanche","BSC","ETH","Solana"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-04-12T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1ORcP6RE6HcGhV4bTAv8AN/8ce035bee832701401c4576fda63117c/Ribbon-logo.svg","maxBounty":300000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - 
medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the\nfollowing types:\n\n**Smart Contracts/Blockchain:**\n\n- Re-entrancy\n- Logic errors\n  - including user authentication errors\n- Solidity/EVM details not considered\n  - including integer over-/under-flow\n  - including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - including composability vulnerabilities\n- Economic/financial attacks\n  - including flash loan attacks\n- Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging interfaces","productType":["Derivatives","Yield Aggregator"],"programOverview":"Aevo is a new protocol that creates crypto structured products for DeFi. Structured products are packaged financial instruments that use a\ncombination of derivatives to achieve some specific risk-return objective, such as betting on volatility, enhancing yields or principal protection.  \n\nOne of its products, Theta Vault, is a yield-focused strategy on ETH and WBTC. The first Theta Vault will run a covered call strategy, which earns yield on a weekly basis through writing out of the money covered calls and collecting the premiums.\n\nThe bug bounty program is focused around its smart contracts and is mostly concerned with the loss of user funds.\n\nFor more information about Aevo, please visit https://aevo.xyz","programType":["Smart Contract"],"project":"Aevo","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on\nthe [Immunefi Vulnerability Severity Classification System](/severity-system/). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nSmart Contracts Critical:\n  - Loss of user funds:\n    - 1% of all assets at risk, minimum __50 000 USD__, maximum __300 000 USD__\n  - Loss of non-user funds (e.g. treasury):\n    - 1% of assets at risk, minimum __50 000 USD__ , maximum __150 000 USD__\n\nSmart Contracts High:\n  - 1% of all assets at risk when attack persists for 1 month minimum __10 000 USD__, maximum of __50 000 USD__\n\nSmart Contracts Medium:\n  - 1% of all assets at risk when attack persists for 1 month minimum __5 000 USD__, maximum __25 000 USD__\n\nSmart Contracts Low:\n  - __2 000 USD__\n\nPayouts are handled by the **Aevo** team directly and are denominated in USD. However, payouts are done in **USDC**.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"Aevo","tenPercentEconomicRule":false,"updatedDate":"2024-12-02T18:06:18.451Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Aevo is a new protocol that creates crypto structured products for DeFi. Structured products are packaged financial instruments that use a combination of derivatives to achieve some specific risk-return objective, such as betting on volatility, enhancing yields or principal protection.  ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Oracle failure/manipulation\n- Novel governance attacks\n- Congestion and scalability\n  - including running out of gas\n  - including block stuffing\n  - including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n  - Signature malleability\n  - Susceptibility to replay attacks\n  - Weak randomness\n- Weak encryption","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":276,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":277,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of 
funds"},{"id":278,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":8901,"severity":"critical","assetType":"smart_contract","maxReward":300000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":0},{"id":8902,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":8903,"severity":"medium","assetType":"smart_contract","maxReward":25000,"minReward":5000,"rewardModel":"range"},{"id":8904,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4pMeSm8Z3dDmQo0eyJynL3","url":"https://explorer.zksync.io/address/0x8FdA5a7a8dCA67BBcDd10F02Fa0649A937215422","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"UniswapV3Factory","isPrimacyOfImpact":null},{"id":"aTs3dhtDoMOintVQ4mc8r","url":"https://explorer.zksync.io/address/0x0c68a7C72f074d1c45C16d41fa74eEbC6D16a65C","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"UniswapInterfaceMulticall","isPrimacyOfImpact":null},{"id":"6VEw8lFkaRL6i8vM3vkq2r","url":"https://explorer.zksync.io/address/0xBb79274aD9C7f68A5B6a7E31F431175BB889b557","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"ProxyAdmin","isPrimacyOfImpact":null},{"id":"5mGSdXgftthTAjydMaCLNd","url":"https://explorer.zksync.io/address/0xe10FF11b809f8EE07b056B452c3B2caa7FE24f89","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"TickLens","isPrimacyOfImpact":null},{"id":"7AstVZyDQP0KnqkEqPCqKG","url":"https://explorer.zksync.io/address/0x7d67b8Ff4AbFfc020641F5e430fbeEd03897674d","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"NFTDescriptor","isPrimacyOfImpact":null},{"id":"4PDMDVRhoEDshhCk3tkkUL","url":"https
://explorer.zksync.io/address/0xa819De78cAB1163F8605809392068EdE3BFcDd1E","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"NonfungibleTokenPositionDescriptor","isPrimacyOfImpact":null},{"id":"59eC6BsI9ekEoYB3y4RMKA","url":"https://explorer.zksync.io/address/0xAeaBf2d69698C6810D2596fAE86099790A13Ee81","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"TransparentUpgradeableProxy","isPrimacyOfImpact":null},{"id":"60P3R7x8TKaPJugcG5E0eg","url":"https://explorer.zksync.io/address/0x0616e5762c1E7Dc3723c50663dF10a162D690a86","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"NonfungiblePositionManager","isPrimacyOfImpact":null},{"id":"3HE1jaNia2c339UJfEDBIq","url":"https://explorer.zksync.io/address/0x611841b24E43C4ACfd290B427a3D6cf1A59dac8E","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"V3Migrator","isPrimacyOfImpact":null},{"id":"5TCjSNHByjvB4PBkJGXxaI","url":"https://explorer.zksync.io/address/0xf84268FA8EB857c2e4298720C1C617178F5e78e1","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"UniswapV3Staker","isPrimacyOfImpact":null},{"id":"36J5uxdMynEg0bWvkSDFyf","url":"https://explorer.zksync.io/address/0x8Cb537fc92E26d8EBBb760E632c95484b6Ea3e28","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"QuoterV2","isPrimacyOfImpact":null},{"id":"5HF3wCuvhC3EBRdCnABhwd","url":"https://explorer.zksync.io/address/0x99c56385daBCE3E81d8499d0b8d0257aBC07E8A3","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"SwapRouter02","isPrimacyOfImpact":null},{"id":"2qKzPvJXxqUrYs8FbyI4Rr","url":"https://explorer.zksync.io/address/0x0000000000225e31d15943971f47ad3022f714fa","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"Permit2","isPrimacyOfImpact":null},{"id":"AvAjsGuulVMpBPqsN9Bz2","u
rl":"https://explorer.zksync.io/address/0x28731BCC616B5f51dD52CF2e4dF0E78dD1136C06","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"UniversalRouter","isPrimacyOfImpact":null},{"id":"1itdrOO1XNx82z6l7EmwaU","url":"https://explorer.zksync.io/address/0x8D8CDc86e8457DBa82D5Bc39A4451Ed7f4D744C7","type":"smart_contract","addedAt":"2023-12-11T15:00:00.000Z","revision":1,"description":"UnsupportedProtocol","isPrimacyOfImpact":null}],"assetsBodyV2":"Please note, only bugs discovered within the outlined assets, detailed in the program scope, will be eligible for a reward.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-12-11T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6uQ7ghxK15yAaPxvsSK9bS/c480bde584506ffbcd1acc9f64983048/2023-12-11_18.00.28.png","maxBounty":20000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["DEX"],"programOverview":"The Uniswap Protocol is a decentralized cryptocurrency exchange that uses a set of smart contracts to execute trades. It is an open source project and falls into the category of a DeFi product because it uses smart contracts to facilitate trades.\n\nzkSync Era is a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum without compromising on security or decentralization. 
Since it's EVM compatible (Solidity/Vyper), 99% of Ethereum projects can redeploy without refactoring or re-auditing a single line of code. zkSync Era also uses an LLVM-based compiler that will eventually let developers write smart contracts in C++, Rust and other popular languages.\n\nThis program is based on Uniswap V3 on zkSync. \n\nFor more information about the Uniswap Protocol,  please visit [https://docs.uniswap.org/](https://docs.uniswap.org/)\n\nThis project is being run by the Uniswap Foundation. The Foundation provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \nThis bug bounty program is intended to identify and reward bugs in code specific to the zkSync deployment of Uniswap V3. It does not cover any issues related to the Ethereum network, the Uniswap Protocol, or any other third-party.\n\n__KYC Requirement__\n\nUniswap Foundation may request a government ID during the process.\n\n__Eligibility Requirement__ \n\nPer Uniswap Foundation’s guidelines to be eligible for a reward under this Program, you must:\n- Discover a previously-unreported, non-public vulnerability that is not previously known by the team and within the scope of this Program.\n- Be the first to disclose the unique vulnerability in compliance with the disclosure requirements.\n- Provide sufficient information to enable our engineers to reproduce\n- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n- Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any of the assets in scope.\n- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n- Not engage in any unlawful conduct when disclosing the bug including through threats, demands, or any other coercive 
tactics.\n- Not be subject to US sanctions or reside in a US-embargoed country.\n- Not be one of our current or former employees, or a vendor or contractor who has been involved in the development of the code of the bug in question.\n- Comply with all the eligibility requirements of the Program.\n\n__Primacy of Impact vs Primacy of Rules__\n\nUniswap Foundation adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Uniswap Foundation has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-).","programType":["Smart Contract"],"project":"Uniswap on zkSync","projectType":["Exchange"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 20 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.\n\n__Repeatable Attack Limitations__\n\nIf the blockchain/DLT component or smart contract where the vulnerability exists can be upgraded/paused/killed, only the initial attacks within the first hour will be considered for a reward. 
This is because the project can mitigate the risk of further exploitation by upgrading, pausing, or in some cases, killing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on blockchain/DLT components or smart contracts that cannot be upgraded/paused/killed, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if they go unaddressed. \n\nIn the event of temporary freezing, the reward increases at a multiplier of two from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature. \n\n__Reward Payment Terms__\n\nPayouts are handled by the Uniswap Foundation team directly and are denominated in USD. 
However, payments are done in USDC\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"uniswaponzksync","updatedDate":"2024-12-02T15:27:24.459Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_2","description":"The Uniswap Protocol is a decentralized cryptocurrency exchange that uses a set of smart contracts to execute trades. It is an open source project and falls into the category of a DeFi product because it uses smart contracts to facilitate trades.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Any issues related to the Ethereum network, the Uniswap protocol, or any other third-party.  ","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":4654,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for more than 24 hours"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":8851,"severity":"critical","assetType":"smart_contract","maxReward":20000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":8852,"severity":"high","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":8853,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":8854,"severity":"low","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4x8i0vXGwP1MBPkZG5rPc2","url":"https://optimistic.etherscan.io/address/0x9D4736EC60715e71aFe72973f7885DCBC21EA99b","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"Distributor","isPrimacyOfImpact":null},{"id":"63S0LJcjW5hg3pTMMiy6SP","url":"https://optimistic.etherscan.io/address/0x8391fE399640E7228A059f8Fa104b8a7B4835071","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"GaugeFactory","isPrimacyOfImpact":null},{"id":"2Lj2w4spOgZtvK4W24a0qq","url":"https://optimistic.etherscan.io/address/0xF4c67CdEAaB8360370F41514d06e32CcD8aA1d7B","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"Factor
yRegistry","isPrimacyOfImpact":null},{"id":"YqCvamfhaoBBZN4QHBmtA","url":"https://optimistic.etherscan.io/address/0x987E7922367B23C4A5fa34C8C5B1385174A095d6","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"GaugeSinkDrain","isPrimacyOfImpact":null},{"id":"5q2np0NgLw1UNY0fmLnZ22","url":"https://optimistic.etherscan.io/address/0xcDd9585005095ac7447d1fDbC990C5CFB805cff0","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"ManagedRewardsFactory","isPrimacyOfImpact":null},{"id":"3YbnMHGMwOhqNZwLpdVxgz","url":"https://optimistic.etherscan.io/address/0x6dc9E1C04eE59ed3531d73a72256C0da46D10982","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"Minter","isPrimacyOfImpact":null},{"id":"23ahozjvTViwToiAdYYPOo","url":"https://optimistic.etherscan.io/address/0xF1046053aa5682b4F9a81b5481394DA16BE5FF5a","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"PoolFactory","isPrimacyOfImpact":null},{"id":"2Xin3ZQpk0pxaNl6KQ3cI1","url":"https://optimistic.etherscan.io/address/0xa062aE8A9c5e11aaA026fc2670B0D65cCc8B2858","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"Router","isPrimacyOfImpact":null},{"id":"4tJvJ98tY3rttEkiO9oelm","url":"https://optimistic.etherscan.io/address/0x585Af0b397AC42dbeF7f18395426BF878634f18D","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"SinkConverter","isPrimacyOfImpact":null},{"id":"487GSTQvFOdDwaO9Yfe1G1","url":"https://optimistic.etherscan.io/address/0xda03Dc399aF3F1545748243aAFbC5050A63B17eC","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"SinkDrain","isPrimacyOfImpact":null},{"id":"IIVyeVfK9XGhqLptRa0Bo","url":"https://optimistic.etherscan.io/address/0x5aeE5F0E6C2055EbD776DB25F48f6c9A68ABcdaE","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"S
inkManager","isPrimacyOfImpact":null},{"id":"5VHmOrh7Fv638wVA1sQqYm","url":"https://optimistic.etherscan.io/address/0x45fF00822E8235b86Cb605ac8295c14628cE78a4","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"SinkManagerFacilitator","isPrimacyOfImpact":null},{"id":"3J2RFbysnHIbnsPfHiCOik","url":"https://optimistic.etherscan.io/address/0x9560e827aF36c94D2Ac33a39bCE1Fe78631088Db","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"VELO","isPrimacyOfImpact":null},{"id":"5sF7IpavnrbrNG8ZLzdNVD","url":"https://optimistic.etherscan.io/address/0x41C914ee0c7E1A5edCD0295623e6dC557B5aBf3C","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"Voter","isPrimacyOfImpact":null},{"id":"6XjI42dUzc1B4abKi6rWtn","url":"https://optimistic.etherscan.io/address/0xFAf8FD17D9840595845582fCB047DF13f006787d","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"VotingEscrow","isPrimacyOfImpact":null},{"id":"64hfdSeJ1O1KEUNn4eEbKK","url":"https://optimistic.etherscan.io/address/0x756E7C245C69d351FfFBfb88bA234aa395AdA8ec","type":"smart_contract","addedAt":"2023-06-29T09:00:00.000Z","revision":1,"description":"VotingRewardsFactory","isPrimacyOfImpact":null},{"id":"Iim5QH6AHc63l3kjPT5qJ","url":"https://optimistic.etherscan.io/address/0x95885af5492195f0754be71ad1545fe81364e531#code","type":"smart_contract","addedAt":"2023-07-19T16:13:56.419Z","revision":1,"description":"Pool","isPrimacyOfImpact":null},{"id":"1heOk3LW4ZMKsW51e4tXyp","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:28:29.706Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"16X6ndUkNLCdTzFPOc1OAo","url":"https://optimistic.etherscan.io/address/0x548118C7E0B865C2CfA94D15EC86B666468ac758#code","type":"smart_contract","addedAt":"2024-03-20T14:35:03.856Z","revision":1,"description":"CLFactory","isPrimacyOfImpact":null},{"id":"5CU3NzJDmMSiH0uXSWvodT","url":"https://optimistic.etherscan.io/address/0xE0A596c403E854FFb9C828aB4f07eEae04A05D37#code","type":"smart_contract","addedAt":"2024-03-20T14:35:24.855Z","revision":1,"description":"CLPool","isPrimacyOfImpact":null},{"id":"zzo0UxL8rt4vQR6vExzjb","url":"https://optimistic.etherscan.io/address/0xA9c319945f706dd1809819321a2e31C9A169e9c1#code","type":"smart_contract","addedAt":"2024-03-20T14:35:42.263Z","revision":1,"description":"CustomSwapFeeModule","isPrimacyOfImpact":null},{"id":"P3YQlCukaVY4w4ojHpob6","url":"https://optimistic.etherscan.io/address/0x5A993209065ea74b50E23a378ddB7068189345D0#code","type":"smart_contract","addedAt":"2024-03-20T14:35:57.232Z","revision":1,"description":"CustomUnstakedFeeModule","isPrimacyOfImpact":null},{"id":"2iMxnvnm3O1AWp2bQxQXfw","url":"https://optimistic.etherscan.io/address/0x282AC0eA96493650F1A5E5e5d20490C782F1592a#code","type":"smart_contract","addedAt":"2024-03-20T14:36:14.434Z","revision":1,"description":"CLGaugeFactory","isPrimacyOfImpact":null},{"id":"kMEi7Ybq7QdOHk8W8Y72c","url":"https://optimistic.etherscan.io/address/0x6D600CC5F14B81665606Ca1985605464BA332Bad#code","type":"smart_contract","addedAt":"2024-03-20T14:36:28.752Z","revision":1,"description":"CLGauge","isPrimacyOfImpact":null},{"id":"57bvdtnFY5frkG0ZezuEN5","url":"https://optimistic.etherscan.io/address/0xbB5DFE1380333CEE4c2EeBd7202c80dE2256AdF4#code","type":"smart_contract","addedAt":"2024-03-20T14:36:43.241Z","revision":1,"description":"NonfungiblePositionManager","isPrimacyOfImpact":null},{"id":"3qGHKeUwDPg0FaqEm89I8H","url":"https://optimistic.etherscan.io/address/0xf7a15F27533c2Db26341220C1e0B939B56dEfeda#code","type":"smart_contract","added
At":"2024-11-13T10:54:28.632Z","revision":1,"description":"Emergency Council","isPrimacyOfImpact":null},{"id":"3aHUqOAESbDPfdNAvcTOLw","url":"https://optimistic.etherscan.io/address/0x42e403b73898320f23109708b0ba1ae85838c445#code","type":"smart_contract","addedAt":"2024-11-13T10:54:44.700Z","revision":1,"description":"RootGuageFactory","isPrimacyOfImpact":null},{"id":"6c4s4JjXqHjsWRZeB3h8wu","url":"https://optimistic.etherscan.io/address/0x12B64dF29590b4F0934070faC96e82e580D60232#code","type":"smart_contract","addedAt":"2024-11-13T10:54:59.838Z","revision":1,"description":"RootLockbox","isPrimacyOfImpact":null},{"id":"3m4YerJLFemumSWA359avC","url":"https://optimistic.etherscan.io/address/0xF278761576f45472bdD721EACA19317cE159c011#code","type":"smart_contract","addedAt":"2024-11-13T10:55:17.440Z","revision":1,"description":"RootMessageBridge","isPrimacyOfImpact":null},{"id":"3rEp3rweIO1fgb63jopUkY","url":"https://optimistic.etherscan.io/address/0xF385603a12Be8b7B885222329c581FDD1C30071D#code","type":"smart_contract","addedAt":"2024-11-13T10:55:30.793Z","revision":1,"description":"RootMessageModule","isPrimacyOfImpact":null},{"id":"zWJUsiN6toBykf3dsY22W","url":"https://optimistic.etherscan.io/address/0x31832f2a97Fd20664D76Cc421207669b55CE4BC0#code","type":"smart_contract","addedAt":"2024-11-13T10:55:45.084Z","revision":1,"description":"RootPoolFactory","isPrimacyOfImpact":null},{"id":"42N6WSx54PxMYdNLKMPm5B","url":"https://optimistic.etherscan.io/address/0x10499d88Bd32AF443Fc936F67DE32bE1c8Bb374C#code","type":"smart_contract","addedAt":"2024-11-13T10:56:09.355Z","revision":1,"description":"RootPoolImplementation","isPrimacyOfImpact":null},{"id":"5kk6CmVN2fiyQpf94xmjp8","url":"https://optimistic.etherscan.io/address/0xA7287a56C01ac8Baaf8e7B662bDB41b10889C7A6#code","type":"smart_contract","addedAt":"2024-11-13T10:56:19.474Z","revision":1,"description":"RootTokenBridge","isPrimacyOfImpact":null},{"id":"1OwzIb8oXJ6uy8hBUInUZK","url":"https://optimistic.etherscan.io/addres
s/0x7dc9fd82f91B36F416A89f5478375e4a79f4Fb2F#code","type":"smart_contract","addedAt":"2024-11-13T10:56:35.294Z","revision":1,"description":"RootVotingRewardsFactory","isPrimacyOfImpact":null},{"id":"7Fix1yxGGM8X6areQmc22z","url":"https://optimistic.etherscan.io/address/0x73CaE4450f11f4A33a49C880CE3E8E56a9294B31#code","type":"smart_contract","addedAt":"2024-11-13T10:56:47.136Z","revision":1,"description":"RootXFactory","isPrimacyOfImpact":null},{"id":"ud4oPg8qGUfWk90JY8Skc","url":"https://optimistic.etherscan.io/address/0x7f9AdFbd38b669F03d1d11000Bc76b9AaEA28A81#code","type":"smart_contract","addedAt":"2024-11-13T10:57:02.382Z","revision":1,"description":"RootXVELO","isPrimacyOfImpact":null},{"id":"1TRYCVzqWoEZeF6MfS257K","url":"https://modescan.io/address/0x42e403b73898320f23109708b0ba1Ae85838C445/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T10:57:14.863Z","revision":1,"description":"LeafGuageFactory","isPrimacyOfImpact":null},{"id":"343o7knVLXHQb99LCpzx0l","url":"https://modescan.io/address/0xF278761576f45472bdD721EACA19317cE159c011/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T10:57:29.582Z","revision":1,"description":"LeafMessageBridge","isPrimacyOfImpact":null},{"id":"40xQVqNnVISN6e3B8BTQVl","url":"https://modescan.io/address/0xF385603a12Be8b7B885222329c581FDD1C30071D/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T10:57:43.727Z","revision":1,"description":"LeafMessageModule","isPrimacyOfImpact":null},{"id":"1igAhNE3bQACjzIk5lfske","url":"https://modescan.io/address/0x31832f2a97Fd20664D76Cc421207669b55CE4BC0/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T10:57:58.309Z","revision":1,"description":"LeafPoolFactory","isPrimacyOfImpact":null},{"id":"65brmJqaPGhE2KfdHfQqO8","url":"https://modescan.io/address/0x10499d88Bd32AF443Fc936F67DE32bE1c8Bb374C/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T10:58:11.827Z","revision":2,"description":"LeafPoolImplementation","isP
rimacyOfImpact":null},{"id":"2LbERYsdxUjxODL58R2Gdl","url":"https://modescan.io/address/0xA7287a56C01ac8Baaf8e7B662bDB41b10889C7A6/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T10:58:37.584Z","revision":1,"description":"LeafTokenBridge","isPrimacyOfImpact":null},{"id":"4hFEhuCnQ2Zcc1JqL22J3T","url":"https://explorer.mode.network/address/0x7dc9fd82f91B36F416A89f5478375e4a79f4Fb2F?tab=contract","type":"smart_contract","addedAt":"2024-11-13T10:58:51.822Z","revision":1,"description":"LeafVotingRewardsFactory","isPrimacyOfImpact":null},{"id":"6wVOHIWQ4PAgvVY07MTpbJ","url":"https://explorer.mode.network/address/0x73CaE4450f11f4A33a49C880CE3E8E56a9294B31?tab=contract","type":"smart_contract","addedAt":"2024-11-13T10:59:04.619Z","revision":1,"description":"LeafXFactory","isPrimacyOfImpact":null},{"id":"6w8OCijJFS4f7wQEy2xDjY","url":"https://modescan.io/address/0x7f9AdFbd38b669F03d1d11000Bc76b9AaEA28A81/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T10:59:16.316Z","revision":1,"description":"LeafXVELO","isPrimacyOfImpact":null},{"id":"6wQcWaSIlPS0ckWR4Rk0id","url":"https://optimistic.etherscan.io/address/0xeAD23f606643E387a073D0EE8718602291ffaAeB#code","type":"smart_contract","addedAt":"2024-11-13T10:59:29.476Z","revision":1,"description":"RootCLGuageFactory","isPrimacyOfImpact":null},{"id":"6l9VBix6OPNkGzleP3pawd","url":"https://optimistic.etherscan.io/address/0x04625B046C69577EfC40e6c0Bb83CDBAfab5a55F#code","type":"smart_contract","addedAt":"2024-11-13T10:59:45.368Z","revision":1,"description":"RootCLPoolFactory","isPrimacyOfImpact":null},{"id":"6b5mXjWtR7NqyG0kmfpfJ8","url":"https://optimistic.etherscan.io/address/0x321f7Dfb9B2eA9131B8C17691CF6e01E5c149cA8#code","type":"smart_contract","addedAt":"2024-11-13T10:59:59.513Z","revision":1,"description":"RootCLPool","isPrimacyOfImpact":null},{"id":"7HkaBdPCuVgecPRhpAcRdG","url":"https://modescan.io/address/0xeAD23f606643E387a073D0EE8718602291ffaAeB/contract/34443/code","type":"smart_con
tract","addedAt":"2024-11-13T11:00:12.721Z","revision":1,"description":"LeafCLGuageFactory","isPrimacyOfImpact":null},{"id":"3vLixSJBwb6qgffLiY2ijO","url":"https://modescan.io/address/0x04625B046C69577EfC40e6c0Bb83CDBAfab5a55F/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T11:00:36.046Z","revision":1,"description":"LeafCLPoolFactory","isPrimacyOfImpact":null},{"id":"JbsJd1HzmljE3a9t4kqPj","url":"https://modescan.io/address/0x321f7Dfb9B2eA9131B8C17691CF6e01E5c149cA8/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T11:00:45.988Z","revision":1,"description":"LeafCLPool","isPrimacyOfImpact":null},{"id":"4AfRAcLGJA4gnBlzmLwnYZ","url":"https://modescan.io/address/0x991d5546C4B442B4c5fdc4c8B8b8d131DEB24702/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T11:01:03.110Z","revision":1,"description":"LeafNonFungiblePositionManager","isPrimacyOfImpact":null},{"id":"4PJMdW64NjoftW5btvnJF4","url":"https://modescan.io/address/0x479Bec910d4025b4aC440ec27aCf28eac522242B/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T11:01:16.872Z","revision":1,"description":"LeafCustomSwapFeeModule","isPrimacyOfImpact":null},{"id":"PXUEqPfQEWvqt5Or0k5xR","url":"https://modescan.io/address/0x03Cd805861CC6D9891e4908BAcD0472a3341E90C/contract/34443/code","type":"smart_contract","addedAt":"2024-11-13T11:01:44.643Z","revision":1,"description":"LeafCustomUnstakedFeeModule","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-06-29T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1wE9LGw9ezKeFgCpStoSFM/5696f7e72b6c7ff3f8ad5cec3c8cb36d/velodrome.svg","maxBounty":100000,"po
cPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["AMM","DEX","Staking"],"programOverview":"Velodrome Finance is a revolutionary new AMM based on Solidly launched on Optimism. The Optimism Foundation is excited to announce its latest bug bounty matching program, specifically designed for Velodrome Finance - a next-generation AMM that combines the best of Curve, Convex and Uniswap, designed to serve as Optimism's central liquidity hub. \n\nIn collaboration with Immunefi, the Optimism Foundation aims to encourage and incentivize security researchers to find and responsibly disclose vulnerabilities. This will contribute to a safer ecosystem for all Optimism participants involved and showcase the foundation's commitment to security. \n\nTo participate, security researchers should focus on identifying critical and high Velodrome-specific vulnerabilities that could potentially impact the wider Optimism ecosystem. Optimism will match any rewards offered by Velodrome, contributing a total of 152.5K OP tokens.\n\nFor more information about Velodrome Finance, please visit [Velodrome Finance.](https://app.velodrome.finance/)\n\nVelodrome Finance provides rewards in USDC and OP. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n- A legal/individual entity to issue a payment/invoice for/on-behalf of the security researcher.\n\nKYC information is only required on confirmation of the validity of a bug report.   
\n\n__Primacy of Impact vs Primacy of Rules__\n\nVelodrome Finance adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract: Critical: Protocol insolvency\n- Smart Contract: High: Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)\n- Smart Contract: High: Theft of unclaimed royalties\n- Smart Contract: High: Permanent freezing of unclaimed royalties\n- Smart Contract: High: Temporary freezing of funds\n- Smart Contract: High: Temporary freezing NFTs\n- Smart Contract: Medium: Smart contract unable to operate due to lack of token funds\n- Smart Contract: Medium: Block stuffing\n- Smart Contract: Medium: Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)\n- Smart Contract: Medium: Theft of gas\n- Smart Contract: Medium: Unbounded gas consumption\n- Smart Contract: Low: Contract fails to deliver promised returns, but doesn't lose value\n\nIf an impact is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\nThe Spearbit audit was completed on 16th of June, 2023 and the report was published on 17th of July, 2023:\n\n[https://github.com/spearbit/portfolio/raw/master/pdfs/Velodrome-Spearbit-Security-Review.pdf](https://github.com/spearbit/portfolio/raw/master/pdfs/Velodrome-Spearbit-Security-Review.pdf)\n\nSlipstream audit was completed by Spearbit on 5th of December 2023 and the report was published on 22nd of January 2024:\n\n[https://github.com/spearbit/portfolio/blob/master/pdfs/Velodrome-Spearbit-Security-Review-Nov23.pdf](https://github.com/spearbit/portfolio/blob/master/pdfs/Velodrome-Spearbit-Security-Review-Nov23.pdf)\n\n__Immunefi Standard Badge__\n\nVelodrome Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"Velodrome Finance","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 20% of the funds directly affected up to a maximum of USD $100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD $50,000 is to be rewarded in order to incentivize security researchers against withholding a bug report.   
\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack is considered if the smart contracts where the vulnerability exists can be upgraded, paused, or killed. If the attack impacts a smart contract directly holding funds that cannot be upgraded or paused, the amount of funds at risk will be calculated with the first attack being at 100% of the funds that could be stolen and then a reduction of 25% from the amount of the first attack for every 1800 blocks the attack needs for subsequent attacks from the first attack, rounded down. \n\n__Reward Calculation for High Level Reports__\n\nHigh smart contract vulnerabilities will be capped at up to 100% of the funds affected. In the event of temporary freezing, the reward doubles for every additional 30 blocks that the funds or NFTs could be temporarily frozen, rounded down to the nearest multiple of 30, up to the hard cap of USD $20,000.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract, Critical\n- Smart Contract, High\n- Smart Contract, Medium\n- Smart Contract, Low\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nAs part of the bug bounty matching program, Optimism will contribute __152,500__ OP tokens to match the rewards offered by Velodrome. This means that for every reward paid out by Velodrome to a security researcher, Optimism will provide an additional, matching reward, in OP tokens. The total reward pool for this program is __152,500__ OP tokens\n\nPayouts are handled by the Velodrome Finance team directly and are denominated in USD. However, payments are done in USDC and OP. 
The payment scheme involves three forms of currency: USD Coin (USDC), Velodrome Token (VELO), and Optimism Token (OP). 50% of the total payout is made in USD Coin or VELO and the remaining 50% of the payout is made in OP.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability. For avoidance of doubt, if the reward amount is USD 5 000 and the average price is USD 1.75 per token, then the reward will be 2857.142857 units of that token.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, VELO, OP","slug":"velodromefinance","updatedDate":"2024-11-29T16:06:24.836Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_3","description":"Velodrome Finance is a revolutionary new AMM based on Solidly launched on Optimism. The Optimism Foundation is excited to announce its latest bug bounty matching program, specifically designed for Velodrome Finance - a next-generation AMM that combines the best of Curve, Convex and Uniswap, designed to serve as Optimism's central liquidity hub. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice recommendations\n- Loss of rewards / rebases from burning an nft prior to collecting the rewards / rebases.\n- Centralization risk\n- Fee-on-transfer / non-standard ERC20 token compatibility issues.\n- Attacks contingent on malicious governance (might be counted under 51% attack).","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":4319,"type":"smart_contract","severity":"high","title":"Temporary freezing NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":8685,"severity":"critical","assetType":"smart_contract","fixedReward":100000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":8686,"severity":"high","assetType":"smart_contract","fixedReward":40000,"rewardModel":"fixed"},{"id":8687,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":8688,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3TyRO8lasbBVW8173jXdTK","url":"https://etherscan.io/address/0x311aEA58Ca127B955890647413846E351df32554","type":"smart_contract","addedAt":"2022-03-04T17:17:19.007Z","revision":1,"description":"Timelock","isPrimacyOfImpact":null},{"id":"2JijRKkO1cvgbO9AT0qwTV","url":"https://etherscan.io/address/0xe212829Ca055eD63279753971672c693C6C6d088","type":"smart_contract","addedAt":"2022-03-04T17:17:16.545Z","revision":1,"description":"WP_PRICE_PROVIDER_V1","isPrimacyOfImpact":null},{"id":"1Y1C820a3EbntTAki1b8Dh","url":"https://etherscan.io/address/0xE4A1E73157EB4b58b1347E2BE2df7ac83467b288","type":"smart_contract","addedAt":"2022-03-04T17:17:14.942Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1","isPrimacyOfImpact":null},{"id":"3q4vZdlzwPXkuKqCzNL0Rn","url":"https://etherscan.io/address/0x0C8c1ab017c3C0c8A48dD9F1DB2F59022D190f0b","type":"smart_contract","addedAt":"2022-03-04T17:17:12.370Z","revision":1,"description":"COMPTROLLER","isPrimacyOfImpact":null},{"id":"6jbDhi1VmoG9PT7BJcudel","url":"https://etherscan.io/address/0x8158B34fF8A36dD9E4519d62C52913C24ad5554b","type":"smart_contract","addedAt":"2022-03-04T17:17:10.628Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"4AhakRI13hU4MvjwmrfKnM","url":"https://etherscan.io/address/0xA0a75821220bfC74f8012d5D5745FE472F510075","type":"smart_contract","addedAt":"2022-03-04T17:17:08.24
7Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"3D5dwxrPBMrVkE9Sh6QdXH","url":"https://etherscan.io/address/0x678C86dBD6965D65Bf74b73d75b615A37428a87d","type":"smart_contract","addedAt":"2022-03-04T17:17:05.633Z","revision":1,"description":"MAINSTREAM_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"3bpTSZVSRl15OAypkLiDTO","url":"https://etherscan.io/address/0x82413f75f0DA101e0FE7F6FF6cBa3461F7e04f29","type":"smart_contract","addedAt":"2022-03-04T17:17:03.473Z","revision":1,"description":"P_UNI","isPrimacyOfImpact":null},{"id":"36TdqoHeHbQazrngjZY3BT","url":"https://etherscan.io/address/0x82dE3959c09f665a82C794fAfC1eb34CFCb555Ee","type":"smart_contract","addedAt":"2022-03-04T17:16:59.876Z","revision":1,"description":"P_YFII","isPrimacyOfImpact":null},{"id":"6JitC15BWerAUGrfMsGMlB","url":"https://etherscan.io/address/0x85166b72c87697a6acfF24101B43Fd54fE28a179","type":"smart_contract","addedAt":"2022-03-04T17:16:57.572Z","revision":1,"description":"P_DAI","isPrimacyOfImpact":null},{"id":"6bZHTJcewZVWklLpbCJzj5","url":"https://etherscan.io/address/0x5cFad792C4Df1323188180778AeC58E00eAcE32a","type":"smart_contract","addedAt":"2022-03-04T17:16:54.622Z","revision":1,"description":"P_USDT","isPrimacyOfImpact":null},{"id":"kl4OtdrbQF6u3HceeIpC7","url":"https://etherscan.io/address/0xf8E5b9738BF63ADFFf36a849F9b9C9617c8D8c1f","type":"smart_contract","addedAt":"2022-03-04T17:16:52.515Z","revision":1,"description":"P_USDC","isPrimacyOfImpact":null},{"id":"3as81mFLvB1uHyUfluKNBu","url":"https://etherscan.io/address/0xc12B9D620bFCB48be3e0CCbf0ea80C717333b46F","type":"smart_contract","addedAt":"2022-03-04T17:16:49.804Z","revision":1,"description":"P_WBTC","isPrimacyOfImpact":null},{"id":"52iA1fDE7ywmcMatJm8yVX","url":"https://etherscan.io/address/0x27A94869341838D5783368a8503FdA5fbCd7987c","type":"smart_contract","addedAt":"2022-03-04T17:16:47.464Z","revision":1,"description":"P_ETH","isPrimacyOfImpact":null},{"id":"3qNi3uhadA34LF86Fe7qFc
","url":"https://etherscan.io/address/0x97F3763F8C0bE87Cab0e99Ee4b7806acA772FeDA","type":"smart_contract","addedAt":"2022-03-04T17:16:45.066Z","revision":1,"description":"MAX_IMILLION","isPrimacyOfImpact":null},{"id":"64anODQW3pEbL3zUlbY62x","url":"https://etherscan.io/address/0x3e5496E50793E72e6143a15Bed1c2535F0B0b9b0","type":"smart_contract","addedAt":"2022-03-04T17:16:43.086Z","revision":1,"description":"PIGGY_DISTRIBUTION","isPrimacyOfImpact":null},{"id":"68mrgTKAvsU7ZgDaKyB9oD","url":"https://etherscan.io/address/0x690Aa2591e57180cBA5A6123e9D462907A5e1c95","type":"smart_contract","addedAt":"2022-03-04T17:16:41.282Z","revision":1,"description":"P_LRC","isPrimacyOfImpact":null},{"id":"1Ab2Y7zh6t029sECYyp7Ch","url":"https://etherscan.io/address/0x4008e986b7eb0Ff82c916cF0d8AF9956215DdeF5","type":"smart_contract","addedAt":"2022-03-04T17:16:38.654Z","revision":1,"description":"XLON_ORACLE_ADAPTER","isPrimacyOfImpact":null},{"id":"7JOIjFfLroDC8bPpEg7P2e","url":"https://etherscan.io/address/0xEf86384Cf696929C3227428f539e740EE12fcdc7","type":"smart_contract","addedAt":"2022-03-04T17:16:35.395Z","revision":1,"description":"pxLON","isPrimacyOfImpact":null},{"id":"648skd9pLRWe7ENAzTnjh2","url":"https://etherscan.io/address/0x959F30F765a44273EcCaA0FAc094160aa7c238E2","type":"smart_contract","addedAt":"2022-03-04T17:16:32.821Z","revision":1,"description":"P_RAI","isPrimacyOfImpact":null},{"id":"6Sbd1C35iDMAKD7CzEkvFU","url":"https://etherscan.io/address/0x6F620EC89B8479e97A6985792d0c64F237566746","type":"smart_contract","addedAt":"2022-03-04T17:16:31.099Z","revision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"34SLMz8WyuyQudx8lTUgdg","url":"https://etherscan.io/address/0x6afca10b87becc9d48374bad028a815aa861d3cb#code","type":"smart_contract","addedAt":"2022-03-04T17:16:29.287Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1 
(Implementation)","isPrimacyOfImpact":null},{"id":"1XKu7ouOxnaLv44DeoiOv4","url":"https://etherscan.io/address/0x81ed5efd9477106f898733e47e9ec7738fa3e00c#code","type":"smart_contract","addedAt":"2022-03-04T17:16:27.391Z","revision":1,"description":"Comptroller(Implementation)","isPrimacyOfImpact":null},{"id":"7ikpXHdZrsrL7yI6np6o3C","url":"https://etherscan.io/address/0xd828f7029cc58c4e9cab3b1e0726cefab411bc65#codevvv","type":"smart_contract","addedAt":"2022-03-04T17:16:25.384Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL (Implementation)","isPrimacyOfImpact":null},{"id":"3878j5m0Rpj4c2H5AKJ29m","url":"https://etherscan.io/address/0x465461657b4175c1676ecea1fb0e8d0174d8d7f6#code","type":"smart_contract","addedAt":"2022-03-04T17:16:23.323Z","revision":1,"description":"PERC20 (Implementation)","isPrimacyOfImpact":null},{"id":"5nyOH3n46YpF76gPhFTrhX","url":"https://etherscan.io/address/0x6c26c3abd3b8ac89adeb34db9d3a9fbb54a0060a#code","type":"smart_contract","addedAt":"2022-03-04T17:16:21.135Z","revision":1,"description":"P_ETH (Implementation)","isPrimacyOfImpact":null},{"id":"3QAT8ALv5O4YIjZ2Qe1iy4","url":"https://etherscan.io/address/0x5601911e4bd18349a4e2a200676a87896fdb7dc0#code","type":"smart_contract","addedAt":"2022-03-04T17:16:19.302Z","revision":2,"description":"PIGGY_DISTRIBUTION (Implementation)","isPrimacyOfImpact":null},{"id":"6oyAcL5Yuj3Xn5fuT8OwFN","url":"https://etherscan.io/address/0xf1f06e7971db11d609eabf5e495e8913314cf651#code","type":"smart_contract","addedAt":"2022-04-26T05:49:43.058Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL 
(Implementation)","isPrimacyOfImpact":null},{"id":"2YBcD6lquzntlCKsDrwHBM","url":"https://explorer.harmony.one/address/0xb205d0AeF84C666FBBe441C61DC04fEb844444E6","type":"smart_contract","addedAt":"2022-04-26T05:51:53.138Z","revision":1,"description":"WP_PRICE_PROVIDER_V1","isPrimacyOfImpact":null},{"id":"3Xel7CwBTVVYRE1AeJONZR","url":"https://explorer.harmony.one/address/0x6F620EC89B8479e97A6985792d0c64F237566746","type":"smart_contract","addedAt":"2022-04-26T05:53:26.538Z","revision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"478YMrbZKM8eejMo9quxuT","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/oracle/WePiggyPriceOracleV1.sol","type":"smart_contract","addedAt":"2022-04-26T05:54:52.402Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1","isPrimacyOfImpact":null},{"id":"3xp9HX4Xw0xns630AVfuL","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/comptroller/Comptroller.sol","type":"smart_contract","addedAt":"2022-03-04T17:16:13.111Z","revision":1,"description":"COMPTROLLER","isPrimacyOfImpact":null},{"id":"1SngN5Y2dqSQg1NBLydJn0","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/rate/JumpRateModel.sol","type":"smart_contract","addedAt":"2022-03-04T17:16:11.510Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"6fujDG48xXb9uDyo1T9UNJ","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/rate/JumpRateModel.sol","type":"smart_contract","addedAt":"2022-03-04T17:16:09.836Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"DccyQvzwK4CUUNrHx2E4g","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/rate/JumpRateModel.sol","type":"smart_contract","addedAt":"2022-03-04T17:16:07.776Z","revision":1,"description":"MAINSTREAM_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"BQDrAAVPrQvRtA1no3sPS","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts
/token/PEther.sol","type":"smart_contract","addedAt":"2022-03-04T17:16:00.066Z","revision":1,"description":"P_ONE","isPrimacyOfImpact":null},{"id":"lCLbsv7IYyhvQk4xKotDD","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/token/PERC20.sol","type":"smart_contract","addedAt":"2022-03-04T17:15:57.278Z","revision":1,"description":"P_BUSD","isPrimacyOfImpact":null},{"id":"20JDY2YRe6pGg9x1UpqPME","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/token/PERC20.sol","type":"smart_contract","addedAt":"2022-03-04T17:15:55.770Z","revision":1,"description":"P_USDT","isPrimacyOfImpact":null},{"id":"1kCAotAIQQ004o0uR2jeNy","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/token/PERC20.sol","type":"smart_contract","addedAt":"2022-03-04T17:15:53.898Z","revision":1,"description":"P_USDC","isPrimacyOfImpact":null},{"id":"3ANHIzDG55Cr9EQegvleHI","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/token/PERC20.sol","type":"smart_contract","addedAt":"2022-03-04T17:15:49.092Z","revision":1,"description":"P_DAI","isPrimacyOfImpact":null},{"id":"1hcSZ6OgHJBaVb6iu0aqw6","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/token/PERC20.sol","type":"smart_contract","addedAt":"2022-03-04T17:15:46.748Z","revision":1,"description":"P_ETH","isPrimacyOfImpact":null},{"id":"4Tvfdxt2XKXofiZSl55euk","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/token/PERC20.sol","type":"smart_contract","addedAt":"2022-03-04T17:15:44.542Z","revision":1,"description":"P_WBTC","isPrimacyOfImpact":null},{"id":"3cUD6zTLPT6G3LPQskYo12","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/token/Maximillion.sol","type":"smart_contract","addedAt":"2022-03-04T17:15:42.447Z","revision":1,"description":"MAX_IMILLION","isPrimacyOfImpact":null},{"id":"7Ltwj83YT9O6FapY6NuKC2","url":"https://github.com/WePiggy/wepiggy-contracts/blob/harmony/contracts/farm/PiggyDistri
bution.sol","type":"smart_contract","addedAt":"2022-03-04T17:15:36.606Z","revision":1,"description":"PIGGY_DISTRIBUTION","isPrimacyOfImpact":null},{"id":"Tgswa2L7JayUuMAlgm15d","url":"https://polygonscan.com/address/0x4C78015679FabE22F6e02Ce8102AFbF7d93794eA","type":"smart_contract","addedAt":"2022-03-04T17:15:34.168Z","revision":1,"description":"WP_PIGGY_PRICE_PROVIDER_V1","isPrimacyOfImpact":null},{"id":"6OMg3IYRyB2Xkkdpn4lGNg","url":"https://polygonscan.com/address/0x5Ea2321aBFF78E81702cE877319cD775E0dc865B","type":"smart_contract","addedAt":"2022-03-04T17:15:40.942Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1","isPrimacyOfImpact":null},{"id":"yNf2hP3PWqVsKHjDQZ3TU","url":"https://polygonscan.com/address/0x3ae45395f0EdC9e72c26c8DfacA1035DdDdA5464","type":"smart_contract","addedAt":"2022-03-04T17:15:39.209Z","revision":1,"description":"dQUICK_ORACLE","isPrimacyOfImpact":null},{"id":"7LLoYLXqAarbqMWuiYt3vF","url":"https://polygonscan.com/address/0x451032C55F813338b6e73c1c4B24217614165454","type":"smart_contract","addedAt":"2022-03-04T17:15:30.800Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"LYwXkcUbeWPKgr06refh0","url":"https://polygonscan.com/address/0xa43BF6193a89D28edB529ab5ca9Ad7506798f9f1","type":"smart_contract","addedAt":"2022-03-05T16:48:59.358Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"4FUiDOfNvI9BjBYD8fhKvL","url":"https://polygonscan.com/address/0xd58fb16Eace4693b2c641cae6850A82763C00a34","type":"smart_contract","addedAt":"2022-04-26T06:03:27.286Z","revision":1,"description":"MAINSTREAM_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"3FeT420AuFvFI6fIDPs80o","url":"https://polygonscan.com/address/0xFfceAcfD39117030314A07b2C86dA36E51787948","type":"smart_contract","addedAt":"2022-03-05T16:49:04.549Z","revision":1,"description":"COMPTROLLER","isPrimacyOfImpact":null},{"id":"4qwbKcyjJSwFj8ztJLuAb","url":"https://polygonscan.com/address/0x16b321C99Ab31A84D56
5ea484F035693718c3E71","type":"smart_contract","addedAt":"2022-03-05T16:49:07.577Z","revision":1,"description":"PIGGY_DISTRIBUTION","isPrimacyOfImpact":null},{"id":"49Lvk3mienN20DOeB9fsfZ","url":"https://polygonscan.com/address/0xd1121aDe04EE215524aeFbF7f8D45029214d668D","type":"smart_contract","addedAt":"2022-03-05T16:49:09.638Z","revision":1,"description":"MAX_IMILLION","isPrimacyOfImpact":null},{"id":"2ZYkUepCcVvmoBsl9osqZA","url":"https://polygonscan.com/address/0xC1B02E52e9512519EDF99671931772E452fb4399","type":"smart_contract","addedAt":"2022-03-05T16:49:14.745Z","revision":1,"description":"P_MATIC","isPrimacyOfImpact":null},{"id":"5LJxXI1jGfIROtMN2p9GVb","url":"https://polygonscan.com/address/0x12D803497D1e58dD4D4A4F455D754f1d0F937C8b","type":"smart_contract","addedAt":"2022-03-05T16:49:17.306Z","revision":1,"description":"P_USDC","isPrimacyOfImpact":null},{"id":"AHa4I8lSn2KnGeBTzYRiP","url":"https://polygonscan.com/address/0x0C8c1ab017c3C0c8A48dD9F1DB2F59022D190f0b","type":"smart_contract","addedAt":"2022-03-05T16:49:19.852Z","revision":1,"description":"P_USDT","isPrimacyOfImpact":null},{"id":"4xV2KVGw2IwOmlnBsBF1Dv","url":"https://polygonscan.com/address/0x5cFad792C4Df1323188180778AeC58E00eAcE32a","type":"smart_contract","addedAt":"2022-03-05T16:49:23.483Z","revision":1,"description":"P_DAI","isPrimacyOfImpact":null},{"id":"fvdwZOJuUjZjg2ehgvPgt","url":"https://polygonscan.com/address/0xf4B6d5d432F1C7A9EfC9E0b04acDe479F9FD1f72","type":"smart_contract","addedAt":"2022-03-05T16:49:26.180Z","revision":1,"description":"P_WETH","isPrimacyOfImpact":null},{"id":"28gXIeOPeIECTZ6uofPuQn","url":"https://polygonscan.com/address/0xf19200b30a0416322d58e6B6b1d6B5F832936729","type":"smart_contract","addedAt":"2022-03-05T16:49:28.355Z","revision":1,"description":"P_WBTC","isPrimacyOfImpact":null},{"id":"5xjdTNSUNTaw55eLq4i3DL","url":"https://polygonscan.com/address/0x1b1CD0fDb6592fe482026b8E47706EAC1ee94a7c","type":"smart_contract","addedAt":"2022-03-05T16:49:30.104Z","rev
ision":1,"description":"P_SUSHI","isPrimacyOfImpact":null},{"id":"5bPd5AguikA5VUIyZSWNhd","url":"https://polygonscan.com/address/0x3A9CAD689a510A7C410EE1bE17929cdf78efAC8C","type":"smart_contract","addedAt":"2022-03-05T16:49:32.139Z","revision":1,"description":"P_LINK","isPrimacyOfImpact":null},{"id":"5uW45XJdgQmA1xi4RgkMj4","url":"https://polygonscan.com/address/0xc28E11040c529a6828c20A641f8F75B7C0ea92E3","type":"smart_contract","addedAt":"2022-03-05T16:49:33.779Z","revision":1,"description":"P_CRV","isPrimacyOfImpact":null},{"id":"6KtGbVbr8dOzjO3ejhX6Ky","url":"https://polygonscan.com/address/0xd0199bA93031bA37aA4e17C885a47edeeb23aE04","type":"smart_contract","addedAt":"2022-03-05T16:49:36.097Z","revision":1,"description":"P_DQUICK","isPrimacyOfImpact":null},{"id":"3v35CLTwzu9M7qaHtRGWM1","url":"https://polygonscan.com/address/0x6F620EC89B8479e97A6985792d0c64F237566746","type":"smart_contract","addedAt":"2022-03-05T16:49:38.653Z","revision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"eM4NJM7whaPmDzDo8LjMK","url":"https://polygonscan.com/address/0x7a5c6998eef25004a60a08986c4a20a3fc44f58d#code","type":"smart_contract","addedAt":"2022-03-05T16:49:41.202Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1(Implementation)","isPrimacyOfImpact":null},{"id":"5q5vDlPc7ZM1CmxypITJeI","url":"https://polygonscan.com/address/0xbbf1c250e46ee41b3d01a9d0d15da19dad7c3845#code","type":"smart_contract","addedAt":"2022-03-05T16:49:43.456Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL(Implementation)","isPrimacyOfImpact":null},{"id":"6z3eZYIojrxAFZfwlq8gvl","url":"https://polygonscan.com/address/0x81c0e0b46ec6717698bb13f9190608af4b203b15#code","type":"smart_contract","addedAt":"2022-03-05T16:49:45.742Z","revision":1,"description":"COMPTROLLER 
(Implementation)","isPrimacyOfImpact":null},{"id":"7nQmgRDVjFJXFK8o9tHtHO","url":"https://polygonscan.com/address/0xb5f4c61e002125caf2f96a54aa7128bde32ffd15#code","type":"smart_contract","addedAt":"2022-03-05T16:49:47.612Z","revision":1,"description":"PIGGY_DISTRIBUTION(Implementation)","isPrimacyOfImpact":null},{"id":"20V8Y68k1UTABQ16bEqiEh","url":"https://polygonscan.com/address/0xa08c94ca9071043d316537d9d3bf1bb31ef78de3#code","type":"smart_contract","addedAt":"2022-03-05T16:49:50.002Z","revision":1,"description":"P_MATIC(Implementation)","isPrimacyOfImpact":null},{"id":"5sDWUk4rExw2KlPVFPBxdk","url":"https://polygonscan.com/address/0xa10b953f75e022316d5285288e9bd46d2a55b785#code","type":"smart_contract","addedAt":"2022-03-05T16:49:53.234Z","revision":1,"description":"P_WETH(Implementation)","isPrimacyOfImpact":null},{"id":"1eeVkmngeFjMvt7fnqtngi","url":"https://polygonscan.com/address/0x2b8b4d10008ea6176cfd53cf26d5207bccf8d03f#code","type":"smart_contract","addedAt":"2022-03-05T16:49:59.904Z","revision":1,"description":"PIGGY_DISTRIBUTION(Implementation)","isPrimacyOfImpact":null},{"id":"2Y6prKENGIOVg6n9xI44HC","url":"https://arbiscan.io/address/0x896aecb9E73Bf21C50855B7874729596d0e511CB","type":"smart_contract","addedAt":"2022-03-05T16:50:01.777Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1","isPrimacyOfImpact":null},{"id":"60s06czqzRjNRseNPuR3V1","url":"https://arbiscan.io/address/0x04d2944394b70d6e56fcf1CaD3aa6b5a43Ec8A5C","type":"smart_contract","addedAt":"2022-03-05T16:50:04.092Z","revision":1,"description":"WP_PIGGY_PRICE_PROVIDER_ARB","isPrimacyOfImpact":null},{"id":"4TloH4VFpG6JUuyLQhzRUd","url":"https://arbiscan.io/address/0x5676Eb997C30140606965CeBd4CA829Ab89A6CaC","type":"smart_contract","addedAt":"2022-03-05T16:50:06.962Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"11UPo1SyAfMc3MXdHhi1HI","url":"https://arbiscan.io/address/0x0944eB1060cBD8a7923b1e7b7a10a17603261D2C","type":"smart_contract","addedA
t":"2022-03-05T16:50:09.587Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"1T49mfU0mRvFP1FK7bRfxj","url":"https://arbiscan.io/address/0x6d4D85C417aabdD2923165d5C66D92BA2eC56104","type":"smart_contract","addedAt":"2022-03-05T16:50:11.945Z","revision":1,"description":"MAINSTREAM_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"6BPYvO5Uhxkkmg4XHI3pPd","url":"https://arbiscan.io/address/0xaa87715E858b482931eB2f6f92E504571588390b","type":"smart_contract","addedAt":"2022-03-05T16:50:14.315Z","revision":1,"description":"COMPTROLLER","isPrimacyOfImpact":null},{"id":"14fCTEgxM1fr3Je2Hrmt7H","url":"https://arbiscan.io/address/0x77401FF895BDe043d40aae58F98de5698682c12a","type":"smart_contract","addedAt":"2022-03-05T16:50:16.317Z","revision":1,"description":"PIGGY_DISTRIBUTION","isPrimacyOfImpact":null},{"id":"68aBFVvLdGvvSLVdIBbGv7","url":"https://arbiscan.io/address/0x417FDfC74503d8008AeEB53248E5C0f1960c2C1d","type":"smart_contract","addedAt":"2022-03-05T16:50:18.273Z","revision":1,"description":"MAX_IMILLION","isPrimacyOfImpact":null},{"id":"61ImG8hXsktiI2zU294OcS","url":"https://arbiscan.io/address/0x17933112E9780aBd0F27f2B7d9ddA9E840D43159","type":"smart_contract","addedAt":"2022-03-05T16:50:20.277Z","revision":1,"description":"P_ETH","isPrimacyOfImpact":null},{"id":"JOmQ5nleUUSxMyKTprWiO","url":"https://arbiscan.io/address/0x3393cD223f59F32CC0cC845DE938472595cA48a1","type":"smart_contract","addedAt":"2022-03-05T16:50:22.003Z","revision":1,"description":"P_WBTC","isPrimacyOfImpact":null},{"id":"6YcEaDFjEayYxnrJEqTMoM","url":"https://arbiscan.io/address/0x2Bf852e22C92Fd790f4AE54A76536c8C4217786b","type":"smart_contract","addedAt":"2022-03-05T16:50:24.025Z","revision":1,"description":"P_USDC","isPrimacyOfImpact":null},{"id":"5YQFGCRb2sxpL1G95Mdia9","url":"https://arbiscan.io/address/0x8F87c9c6Efe9CA6997d6FEC8BC930C1fEd90ccC7","type":"smart_contract","addedAt":"2022-03-05T16:50:27.294Z","revision":1,"description":"P_LINK","isPrimacyOf
Impact":null},{"id":"6UkiMkjq7KE8TMR9cvYZHL","url":"https://arbiscan.io/address/0xB65Ab7e1c6c1Ba202baed82d6FB71975D56F007C","type":"smart_contract","addedAt":"2022-03-05T16:50:30.187Z","revision":1,"description":"P_USDT","isPrimacyOfImpact":null},{"id":"6x6CnHXZiEdWmhTxR0Ragd","url":"https://arbiscan.io/address/0xDe39Adfb2025D2aA51f6fD967e7C1753215f1905","type":"smart_contract","addedAt":"2022-03-05T16:50:32.048Z","revision":1,"description":"P_DAI","isPrimacyOfImpact":null},{"id":"5xXsIMBNP5FGhGEyqoJvST","url":"https://arbiscan.io/address/0x6F620EC89B8479e97A6985792d0c64F237566746","type":"smart_contract","addedAt":"2022-03-05T16:50:34.478Z","revision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"7KHaQxeKVseFyIWdCoN4aZ","url":"https://arbiscan.io/address/0xa43bf6193a89d28edb529ab5ca9ad7506798f9f1#code","type":"smart_contract","addedAt":"2022-03-05T16:50:36.788Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1 (Implementation)","isPrimacyOfImpact":null},{"id":"7E6Mlu3XGXFysv77SPECcc","url":"https://arbiscan.io/address/0x3157e0bbdc7e5dea0f4c33a0ad7211b9a4ff19ee#code","type":"smart_contract","addedAt":"2022-04-26T06:10:45.664Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL (Implementation)","isPrimacyOfImpact":null},{"id":"zk3emmDCWtRyn4h2mLCiQ","url":"https://arbiscan.io/address/0xf0fe1cb691c4153bbcf7ef03cd26e1d85848042a#code","type":"smart_contract","addedAt":"2022-04-26T06:11:06.380Z","revision":1,"description":"COMPTROLLER (Implementation)","isPrimacyOfImpact":null},{"id":"UZcjwHdnMrPGsWBQKQQlk","url":"https://arbiscan.io/address/0xcd5f13b00014853e063ce6c795d89bfd9ba67270#code","type":"smart_contract","addedAt":"2022-04-26T06:11:29.321Z","revision":1,"description":"PIGGY_DISTRIBUTION (Implementation)","isPrimacyOfImpact":null},{"id":"43N2HjoW5f3lEqxOsp1tVX","url":"https://arbiscan.io/address/0x811cd5cb4cc43f44600cfa5ee3f37a402c82aec2#code","type":"smart_contract","addedAt":"2022-04-26T06:11:49.641Z","revision":1,"description":"P_ETH 
(Implementation)","isPrimacyOfImpact":null},{"id":"6b1LNy04KlBioPmWNJa4sk","url":"https://arbiscan.io/address/0x22f934a1bb68ea7e7893ef8f76249afe904af6ae#code","type":"smart_contract","addedAt":"2022-04-26T06:12:09.231Z","revision":1,"description":"P_WBTC (Implementation)","isPrimacyOfImpact":null},{"id":"4sTbVkaGrkxqAHQBmKHFbU","url":"https://bscscan.com/address/0x4C78015679FabE22F6e02Ce8102AFbF7d93794eA","type":"smart_contract","addedAt":"2022-04-26T06:25:17.241Z","revision":1,"description":"WP_PRICE_PROVIDER_V1","isPrimacyOfImpact":null},{"id":"2m3izuL401kejXuDnMnRkW","url":"https://bscscan.com/address/0xFfceAcfD39117030314A07b2C86dA36E51787948","type":"smart_contract","addedAt":"2022-04-26T06:25:35.355Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1","isPrimacyOfImpact":null},{"id":"slXPVAwfkWWApTqt9yOTx","url":"https://bscscan.com/address/0xb205d0AeF84C666FBBe441C61DC04fEb844444E6","type":"smart_contract","addedAt":"2022-04-26T06:25:52.812Z","revision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"20CLRWY1InmtDAHPYKjPnA","url":"https://bscscan.com/address/0xE6320460Aca9E4A4385058EEfD7D4D70123fC9c9","type":"smart_contract","addedAt":"2022-04-26T06:26:11.635Z","revision":1,"description":"PIGGY_DISTRIBUTION","isPrimacyOfImpact":null},{"id":"1IrTHyIbpYBzdhKtMpsl2w","url":"https://bscscan.com/address/0x8c925623708A94c7DE98a8e83e8200259fF716E0","type":"smart_contract","addedAt":"2022-03-05T16:50:41.148Z","revision":1,"description":"COMPTROLLER","isPrimacyOfImpact":null},{"id":"3knJMV344z0DoPAu0LAmH7","url":"https://bscscan.com/address/0xC1B02E52e9512519EDF99671931772E452fb4399","type":"smart_contract","addedAt":"2022-03-05T16:50:43.692Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"1mYnrR0RaANSvtWMK9n3je","url":"https://bscscan.com/address/0xd1121aDe04EE215524aeFbF7f8D45029214d668D","type":"smart_contract","addedAt":"2022-03-05T16:50:46.051Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL","isPrimacyOfIm
pact":null},{"id":"3eYi1IZj9IOnYTUGon1Ykg","url":"https://bscscan.com/address/0x621CE6596E0B9CcF635316BFE7FdBC80C3029Bec","type":"smart_contract","addedAt":"2022-03-05T16:50:47.748Z","revision":1,"description":"MAINSTREAM_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"3AXJ2NQI6RdIl6dIRfyHps","url":"https://bscscan.com/address/0xe212829Ca055eD63279753971672c693C6C6d088","type":"smart_contract","addedAt":"2022-03-05T16:50:49.918Z","revision":1,"description":"MAX_IMILLION","isPrimacyOfImpact":null},{"id":"4pjGAP7UIg7V2HqHUYerrz","url":"https://bscscan.com/address/0x33A32f0ad4AA704e28C93eD8Ffa61d50d51622a7","type":"smart_contract","addedAt":"2022-03-05T16:50:53.292Z","revision":1,"description":"P_BNB","isPrimacyOfImpact":null},{"id":"4Rk6NcWvoIAb6DoB6BChEm","url":"https://bscscan.com/address/0x849C37A029B38D3826562697Ccc40c34477C6293","type":"smart_contract","addedAt":"2022-03-05T16:50:54.869Z","revision":1,"description":"P_ETH","isPrimacyOfImpact":null},{"id":"3hqS1Jla7MlXNDbM0REki3","url":"https://bscscan.com/address/0x311aEA58Ca127B955890647413846E351df32554","type":"smart_contract","addedAt":"2022-03-05T16:50:56.867Z","revision":1,"description":"P_BTCB","isPrimacyOfImpact":null},{"id":"1mzDN5fOPknUA3FIRrQFEq","url":"https://bscscan.com/address/0x12D803497D1e58dD4D4A4F455D754f1d0F937C8b","type":"smart_contract","addedAt":"2022-03-05T16:50:59.418Z","revision":1,"description":"P_DAI","isPrimacyOfImpact":null},{"id":"6WVRv5VasmDj9JL8v92aMw","url":"https://bscscan.com/address/0x2a8Cd78bFb91ACF53f589961D213d87c956e0d7f","type":"smart_contract","addedAt":"2022-03-05T16:51:01.788Z","revision":1,"description":"P_USDT","isPrimacyOfImpact":null},{"id":"2PyN73WrEiWA4G5JkvfsrR","url":"https://bscscan.com/address/0x2B7F68170a598E507B19Bca41ED745eABc936B3F","type":"smart_contract","addedAt":"2022-03-05T16:51:04.129Z","revision":1,"description":"P_USDC","isPrimacyOfImpact":null},{"id":"3zCsDMDv1XRk1AmTnKSXTD","url":"https://bscscan.com/address/0x2dd8FFA7923a17739F70C34759Af7650e
44EA3BE","type":"smart_contract","addedAt":"2022-03-05T16:51:06.601Z","revision":1,"description":"P_BUSD","isPrimacyOfImpact":null},{"id":"6oEDbwDlrjTaQ2plSgekXG","url":"https://bscscan.com/address/0x811Cd5CB4cC43F44600Cfa5eE3F37a402C82aec2","type":"smart_contract","addedAt":"2022-03-05T16:51:09.593Z","revision":1,"description":"P_DOT","isPrimacyOfImpact":null},{"id":"4h6vIzLt55AGXk77gpNAwM","url":"https://bscscan.com/address/0x17933112E9780aBd0F27f2B7d9ddA9E840D43159","type":"smart_contract","addedAt":"2022-03-05T16:51:11.629Z","revision":1,"description":"P_UNI","isPrimacyOfImpact":null},{"id":"5CjWTuw9CdJ8xszgfGJSd8","url":"https://bscscan.com/address/0x417FDfC74503d8008AeEB53248E5C0f1960c2C1d","type":"smart_contract","addedAt":"2022-03-05T16:51:14.910Z","revision":1,"description":"P_CAKE","isPrimacyOfImpact":null},{"id":"68WupC9n3pUtqPW5JxyX7Q","url":"https://bscscan.com/address/0x6a05BD123d780055c38526cC05d3c9B90D0E471c","type":"smart_contract","addedAt":"2022-03-05T16:51:16.811Z","revision":1,"description":"P_LTC","isPrimacyOfImpact":null},{"id":"1U0Linc0f7Gc3szx6ProTx","url":"https://bscscan.com/address/0x00FF07204C3b27D72cF83Ef521Adb7066167561a","type":"smart_contract","addedAt":"2022-03-05T16:51:18.683Z","revision":1,"description":"P_LINK","isPrimacyOfImpact":null},{"id":"6Yph1swy9sIUeFlAv6NJ3V","url":"https://bscscan.com/address/0xBc52BCE2C73Fec358ABBf047c50377183B9EAd0d","type":"smart_contract","addedAt":"2022-03-05T16:51:20.886Z","revision":1,"description":"P_ADA","isPrimacyOfImpact":null},{"id":"3jNBnnkD4dPoNdWBpX1QYi","url":"https://bscscan.com/address/0xDF21D42a0fC6746718F2CFe2798F91C9d7277F32","type":"smart_contract","addedAt":"2022-03-05T16:51:22.877Z","revision":1,"description":"P_FIL","isPrimacyOfImpact":null},{"id":"6QRhYQ7QmTqEq0eEi14P2s","url":"https://bscscan.com/address/0x23cf81eeAA61C1C7607Ee1a3Bfcff1f99AC26c85","type":"smart_contract","addedAt":"2022-03-05T16:51:25.254Z","revision":1,"description":"P_NULS","isPrimacyOfImpact":null},{"id":"4t
9eJlZSNoQbbiCZw2DFzA","url":"https://bscscan.com/address/0x33d295Aaa719fD756310eB42DE2847d0E7Be294E","type":"smart_contract","addedAt":"2022-03-05T16:51:27.909Z","revision":1,"description":"P_MASK","isPrimacyOfImpact":null},{"id":"2RISCmwaHlGFrHArabVZ9x","url":"https://bscscan.com/address/0x6F620EC89B8479e97A6985792d0c64F237566746","type":"smart_contract","addedAt":"2022-03-05T16:51:30.233Z","revision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"5ml6cFDqKDfrTW0Fgwdw9e","url":"https://bscscan.com/address/0xd58fb16eace4693b2c641cae6850a82763c00a34#code","type":"smart_contract","addedAt":"2022-03-05T16:51:32.364Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1 (Implementation)","isPrimacyOfImpact":null},{"id":"12GNOhy4hasTrX0RlDOXQw","url":"https://bscscan.com/address/0x4dccd53c9f1e2cb5eb9cda98bb41bf7694760ea7#code","type":"smart_contract","addedAt":"2022-03-05T16:51:34.959Z","revision":1,"description":"PIGGY_DISTRIBUTION (Implementation)","isPrimacyOfImpact":null},{"id":"16XhXCkrwXuxsOQ8hurrbM","url":"https://bscscan.com/address/0x77401ff895bde043d40aae58f98de5698682c12a#code","type":"smart_contract","addedAt":"2022-03-05T16:51:36.754Z","revision":1,"description":"Comptroller (Implementation)","isPrimacyOfImpact":null},{"id":"4tIH98BMbLbht7GG8LfILz","url":"https://bscscan.com/address/0x3401d01e31bb6defcfc7410c312c0181e19b9dd5#code","type":"smart_contract","addedAt":"2022-03-05T16:51:38.711Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL(Implementation)","isPrimacyOfImpact":null},{"id":"3er695AbzavmK7v2yJmH2y","url":"https://bscscan.com/address/0x8e1e582879cb8bac6283368e8ede458b63f499a5#code","type":"smart_contract","addedAt":"2022-03-05T16:51:41.270Z","revision":1,"description":"P_BNB 
(Implementation)","isPrimacyOfImpact":null},{"id":"2gvNTx3raM970l6FhT6Kvz","url":"https://bscscan.com/address/0x75dcd2536a5f414b8f90bb7f2f3c015a26dc8c79#code","type":"smart_contract","addedAt":"2022-03-05T16:51:43.253Z","revision":1,"description":"P_ETH(Implementation)","isPrimacyOfImpact":null},{"id":"32rS0NnSkFabqVU0mwfeeS","url":"https://www.oklink.com/en/oec/address/0x4c78015679fabe22f6e02ce8102afbf7d93794ea","type":"smart_contract","addedAt":"2022-03-05T16:51:46.413Z","revision":1,"description":"WP_PRICE_PROVIDER_V1","isPrimacyOfImpact":null},{"id":"6QLtWapBvqQEI4M9fZzzZF","url":"https://www.oklink.com/en/oec/address/0xffceacfd39117030314a07b2c86da36e51787948","type":"smart_contract","addedAt":"2022-03-05T16:51:49.883Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1","isPrimacyOfImpact":null},{"id":"4YADukRycPPxY3N3Iv4w5Z","url":"https://www.oklink.com/en/oec/address/0xaa87715e858b482931eb2f6f92e504571588390b","type":"smart_contract","addedAt":"2022-03-05T16:51:52.346Z","revision":1,"description":"COMPTROLLER","isPrimacyOfImpact":null},{"id":"4S8SzrRs7u69R6JgZfq0w5","url":"https://www.oklink.com/en/oec/address/0x8c925623708a94c7de98a8e83e8200259ff716e0","type":"smart_contract","addedAt":"2022-03-05T16:51:54.766Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"3uG2bDBx1moXsmDlAsvip7","url":"https://www.oklink.com/en/oec/address/0x77401ff895bde043d40aae58f98de5698682c12a","type":"smart_contract","addedAt":"2022-03-05T16:51:56.381Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"5BgER2zQezOa6kRwXZJCTn","url":"https://www.oklink.com/en/oec/address/0x3401d01e31bb6defcfc7410c312c0181e19b9dd5","type":"smart_contract","addedAt":"2022-03-05T16:51:58.762Z","revision":1,"description":"MAINSTREAM_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"76ZS11McQm9hP32KhZHkgU","url":"https://www.oklink.com/en/oec/address/0x12d803497d1e58dd4d4a4f455d754f1d0f937c8b","type":"smart_contract","addedA
t":"2022-03-05T16:52:01.221Z","revision":1,"description":"MAX_IMILLION","isPrimacyOfImpact":null},{"id":"NAS0Nbcqg18xY29SbjDYk","url":"https://www.oklink.com/en/oec/address/0x3ec77d16a5dbfbf2e22be99a4533fa4333343a3b","type":"smart_contract","addedAt":"2022-03-05T16:52:03.666Z","revision":1,"description":"PIGGY_DISTRIBUTION","isPrimacyOfImpact":null},{"id":"58NgisMQcG7yHErmvKSpfK","url":"https://www.oklink.com/en/oec/address/0x621ce6596e0b9ccf635316bfe7fdbc80c3029bec","type":"smart_contract","addedAt":"2022-03-05T16:52:05.669Z","revision":1,"description":"P_OKT","isPrimacyOfImpact":null},{"id":"23E5kj3c6zxRaOLgnlMcaP","url":"https://www.oklink.com/en/oec/address/0x8e1e582879cb8bac6283368e8ede458b63f499a5","type":"smart_contract","addedAt":"2022-03-05T16:52:07.733Z","revision":1,"description":"P_OKB","isPrimacyOfImpact":null},{"id":"7HY1SMiLi4CWo7n6pAAR1e","url":"https://www.oklink.com/en/oec/address/0x33a32f0ad4aa704e28c93ed8ffa61d50d51622a7","type":"smart_contract","addedAt":"2022-03-05T16:52:09.613Z","revision":1,"description":"P_BTCK","isPrimacyOfImpact":null},{"id":"5vHwMZZ4xIRIkdxzg5VUkN","url":"https://www.oklink.com/en/oec/address/0x75dcd2536a5f414b8f90bb7f2f3c015a26dc8c79","type":"smart_contract","addedAt":"2022-03-05T16:52:14.993Z","revision":1,"description":"P_ETHK","isPrimacyOfImpact":null},{"id":"5VdFb0ekX7t5FSv4Z3pN2C","url":"https://www.oklink.com/en/oec/address/0x849c37a029b38d3826562697ccc40c34477c6293","type":"smart_contract","addedAt":"2022-03-05T16:52:23.589Z","revision":1,"description":"P_USDC","isPrimacyOfImpact":null},{"id":"20vth9NyizopX8xPLxQCiK","url":"https://www.oklink.com/en/oec/address/0x311aea58ca127b955890647413846e351df32554","type":"smart_contract","addedAt":"2022-03-05T16:52:30.930Z","revision":1,"description":"P_DAIK","isPrimacyOfImpact":null},{"id":"4paYnS1uurSDuih4lQaY7I","url":"https://www.oklink.com/en/oec/address/0xadf040519fe24ba9df6670599b2de7fd6049772f","type":"smart_contract","addedAt":"2022-03-05T16:52:35.010Z","revision":
1,"description":"P_USDT","isPrimacyOfImpact":null},{"id":"28eRK8oFIruFqYeQGu7AeV","url":"https://www.oklink.com/en/oec/address/0xe0bac94cd406ef59065b083ba347fcc95dfdd3a2","type":"smart_contract","addedAt":"2022-03-05T16:52:37.416Z","revision":1,"description":"P_DOTK","isPrimacyOfImpact":null},{"id":"3yT3kPJEPkCoF7ynvgjzS4","url":"https://www.oklink.com/en/oec/address/0xea567f5355765ec40b70caa09a8836ae696d06d6","type":"smart_contract","addedAt":"2022-03-05T16:52:40.243Z","revision":1,"description":"P_UNIK","isPrimacyOfImpact":null},{"id":"4ysBBg6lvp11zN886n8RHm","url":"https://www.oklink.com/en/oec/address/0x733c7DDeC16aF34a998e17A122c70FBA10910258","type":"smart_contract","addedAt":"2022-03-05T16:52:42.566Z","revision":1,"description":"P_LINKK","isPrimacyOfImpact":null},{"id":"kQzotU8OatVYybS53dhjr","url":"https://www.oklink.com/en/oec/address/0xD6a78766514CdFC1a1fA188a7782b52313133705","type":"smart_contract","addedAt":"2022-03-05T16:52:45.595Z","revision":1,"description":"P_ETCK","isPrimacyOfImpact":null},{"id":"JW19W0M9xCnOT6kw2tsCx","url":"https://www.oklink.com/en/oec/address/0x12BD9eDE4941f2c4aC8Fc9B4F15C1D9FC960B8AC","type":"smart_contract","addedAt":"2022-03-05T16:52:48.241Z","revision":1,"description":"P_SUSHIK","isPrimacyOfImpact":null},{"id":"4hIrdQWL2eSyeKIbZVZCbp","url":"https://www.oklink.com/en/oec/address/0x6067fd56Dc969bffc5441F96c9389a95CcD8D32b","type":"smart_contract","addedAt":"2022-03-05T16:52:49.932Z","revision":1,"description":"P_FILK","isPrimacyOfImpact":null},{"id":"5dkxKvKjW66Vd6mKbniqLa","url":"https://www.oklink.com/en/oec/address/0x324Dab2dfE9f1341577e91b991D9d8e16419A190","type":"smart_contract","addedAt":"2022-03-05T16:52:52.215Z","revision":1,"description":"P_WBTCK","isPrimacyOfImpact":null},{"id":"Tqz0kstolazGgx5RBgKgq","url":"https://www.oklink.com/en/oec/address/0x6F620EC89B8479e97A6985792d0c64F237566746","type":"smart_contract","addedAt":"2022-03-05T16:52:55.593Z","revision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"
4FIFLrsD3rEghgofDe20OH","url":"https://www.oklink.com/en/oec/address/0xd58fb16eace4693b2c641cae6850a82763c00a34","type":"smart_contract","addedAt":"2022-03-05T16:52:57.757Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1 (Implementation)","isPrimacyOfImpact":null},{"id":"3kGlGiWnWI0cGoLeznpQb9","url":"https://www.oklink.com/en/oec/address/0xf0fe1cb691c4153bbcf7ef03cd26e1d85848042a","type":"smart_contract","addedAt":"2022-03-05T16:52:59.967Z","revision":1,"description":"COMPTROLLER(Implementation)","isPrimacyOfImpact":null},{"id":"2aT9lAaRMFXgAW8uw67Nhl","url":"https://www.oklink.com/en/oec/address/0x9a9b2bf1d1c96332c55d0b6acb8c2b441381116d","type":"smart_contract","addedAt":"2022-03-05T16:53:03.058Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL (Implementation)","isPrimacyOfImpact":null},{"id":"Rr0W8tZGl7DJwk10k73qJ","url":"https://www.oklink.com/en/oec/address/0x070f93412559a95bdd7f30c2b597578dcb34bc25","type":"smart_contract","addedAt":"2022-03-05T16:53:08.532Z","revision":1,"description":"PIGGY_DISTRIBUTION(Implementation)","isPrimacyOfImpact":null},{"id":"13rd1Rmw3Hsjc8S1YJkFha","url":"https://www.oklink.com/en/oec/address/0xd1121ade04ee215524aefbf7f8d45029214d668d","type":"smart_contract","addedAt":"2022-03-05T16:53:11.136Z","revision":1,"description":"P_OKT 
(Implementation)","isPrimacyOfImpact":null},{"id":"1B5kUV2DIJIgcdweHTz4pc","url":"https://www.oklink.com/en/oec/address/0xc1b02e52e9512519edf99671931772e452fb4399","type":"smart_contract","addedAt":"2022-03-05T16:53:13.416Z","revision":1,"description":"P_OKB(Implementation)","isPrimacyOfImpact":null},{"id":"5tONiJeaM73QLowcTaljO5","url":"https://moonriver.moonscan.io/address/0xb205d0AeF84C666FBBe441C61DC04fEb844444E6","type":"smart_contract","addedAt":"2022-03-05T16:53:15.660Z","revision":1,"description":"WP_PRICE_PROVIDER_V1","isPrimacyOfImpact":null},{"id":"1tQr837cDsamFHE70FcXtB","url":"https://moonriver.moonscan.io/address/0xFfceAcfD39117030314A07b2C86dA36E51787948","type":"smart_contract","addedAt":"2022-03-05T16:53:24.391Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1","isPrimacyOfImpact":null},{"id":"19LLDnAAcCcj0NdEggtCYt","url":"https://moonriver.moonscan.io/address/0x9a9b2bF1d1c96332C55d0B6aCb8C2B441381116d","type":"smart_contract","addedAt":"2022-03-05T16:53:24.360Z","revision":1,"description":"COMPTROLLER","isPrimacyOfImpact":null},{"id":"43R5w78va8g9RBPNsN7rRJ","url":"https://moonriver.moonscan.io/address/0x389844367fFa7660c6d98ae0f792d2473Ad72405","type":"smart_contract","addedAt":"2022-03-05T16:53:24.365Z","revision":1,"description":"PIGGY_DISTRIBUTION","isPrimacyOfImpact":null},{"id":"24xlJyNT7OIPI5YmEYyh8I","url":"https://moonriver.moonscan.io/address/0x8c925623708A94c7DE98a8e83e8200259fF716E0","type":"smart_contract","addedAt":"2022-03-05T16:53:25.460Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"6P3VY56BrpFpxXSwF7j1zN","url":"https://moonriver.moonscan.io/address/0x3401D01E31BB6DefcFc7410c312C0181E19b9dd5","type":"smart_contract","addedAt":"2022-03-05T16:53:28.553Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"4DqF5sd9AZIYYbhcJN5e27","url":"https://moonriver.moonscan.io/address/0xC1B02E52e9512519EDF99671931772E452fb4399","type":"smart_contract","addedAt":
"2022-03-05T16:53:35.208Z","revision":1,"description":"MAINSTREAM_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"7ddsW2dFOemBJWfUbvwg9v","url":"https://moonriver.moonscan.io/address/0x2dd8FFA7923a17739F70C34759Af7650e44EA3BE","type":"smart_contract","addedAt":"2022-03-05T16:54:16.787Z","revision":1,"description":"MAX_IMILLION","isPrimacyOfImpact":null},{"id":"3yeA99Zj3PDmVmYzevini","url":"https://moonriver.moonscan.io/address/0x621CE6596E0B9CcF635316BFE7FdBC80C3029Bec","type":"smart_contract","addedAt":"2022-03-05T16:54:19.515Z","revision":1,"description":"P_MOVR","isPrimacyOfImpact":null},{"id":"2aZ48klBNJT5BYF0et7H4j","url":"https://moonriver.moonscan.io/address/0x33A32f0ad4AA704e28C93eD8Ffa61d50d51622a7","type":"smart_contract","addedAt":"2022-03-05T16:54:22.176Z","revision":1,"description":"P_BUSD","isPrimacyOfImpact":null},{"id":"6vRsHeXKLIAC3IdHgkL3NT","url":"https://moonriver.moonscan.io/address/0x75DCd2536a5f414B8F90Bb7F2F3c015a26dc8c79","type":"smart_contract","addedAt":"2022-03-05T16:54:24.715Z","revision":1,"description":"P_USDT","isPrimacyOfImpact":null},{"id":"2RtMmynhihY08cauk4r0fe","url":"https://moonriver.moonscan.io/address/0x849C37A029B38D3826562697Ccc40c34477C6293","type":"smart_contract","addedAt":"2022-03-05T16:54:27.075Z","revision":1,"description":"P_USDC","isPrimacyOfImpact":null},{"id":"7uyrdxc2gtzwHbbn6TuGbt","url":"https://moonriver.moonscan.io/address/0x311aEA58Ca127B955890647413846E351df32554","type":"smart_contract","addedAt":"2022-03-05T16:54:29.227Z","revision":1,"description":"P_DAI","isPrimacyOfImpact":null},{"id":"1Yb70Odv3f6kneIwx5uUo","url":"https://moonriver.moonscan.io/address/0x12D803497D1e58dD4D4A4F455D754f1d0F937C8b","type":"smart_contract","addedAt":"2022-03-05T16:54:32.469Z","revision":1,"description":"P_ETH","isPrimacyOfImpact":null},{"id":"6tstCRLeAurZabOXv9t3f9","url":"https://moonriver.moonscan.io/address/0x2a8Cd78bFb91ACF53f589961D213d87c956e0d7f","type":"smart_contract","addedAt":"2022-03-05T16:54:35.337Z","revisi
on":1,"description":"P_WBTC","isPrimacyOfImpact":null},{"id":"LfhKF2facjKmrapt69G2a","url":"https://moonriver.moonscan.io/address/0x2B7F68170a598E507B19Bca41ED745eABc936B3F","type":"smart_contract","addedAt":"2022-03-05T16:54:38.214Z","revision":1,"description":"P_BNB","isPrimacyOfImpact":null},{"id":"1XQ5gdy6qibe93VI316cwl","url":"https://moonriver.moonscan.io/address/0x6F620EC89B8479e97A6985792d0c64F237566746","type":"smart_contract","addedAt":"2022-03-05T16:54:40.006Z","revision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"6dFFLGCzWdkXURP1ARKRzC","url":"https://optimistic.etherscan.io/address/0xf18D727C034f47AE2C0FE221C1cf4A15f0557b5F","type":"smart_contract","addedAt":"2022-03-05T16:54:42.549Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1","isPrimacyOfImpact":null},{"id":"5vSwWPl8CQvGylXAj3ptX","url":"https://optimistic.etherscan.io/address/0xd58fb16Eace4693b2c641cae6850A82763C00a34","type":"smart_contract","addedAt":"2022-03-05T16:54:44.305Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"4UgCdrb2wiXwyv6uCg0BRF","url":"https://optimistic.etherscan.io/address/0x5Ea2321aBFF78E81702cE877319cD775E0dc865B","type":"smart_contract","addedAt":"2022-03-05T16:54:46.837Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"4YrNylP3wLTBAWlPM3SQcd","url":"https://optimistic.etherscan.io/address/0xFfceAcfD39117030314A07b2C86dA36E51787948","type":"smart_contract","addedAt":"2022-03-05T16:54:49.773Z","revision":1,"description":"MAINSTREAM_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"42Lwk0b6n7tydrQIcs8D9u","url":"https://optimistic.etherscan.io/address/0x896aecb9E73Bf21C50855B7874729596d0e511CB","type":"smart_contract","addedAt":"2022-03-05T16:54:52.113Z","revision":1,"description":"COMPTROLLER","isPrimacyOfImpact":null},{"id":"1VTy4SoSHmv83SxADuvmo5","url":"https://optimistic.etherscan.io/address/0x3157e0bbDc7E5DEa0f4c33a0Ad7211B9a4FF19Ee","type":"smart_contract","addedAt":"202
2-03-05T16:54:54.848Z","revision":1,"description":"PIGGY_DISTRIBUTION","isPrimacyOfImpact":null},{"id":"7FBqygnS9lYrrpq9H74Tjd","url":"https://optimistic.etherscan.io/address/0x2B7F68170a598E507B19Bca41ED745eABc936B3F","type":"smart_contract","addedAt":"2022-03-05T16:54:57.397Z","revision":1,"description":"MAX_IMILLION","isPrimacyOfImpact":null},{"id":"2KxLuzp5It8QXkgOjww5JH","url":"https://optimistic.etherscan.io/address/0x8e1e582879Cb8baC6283368e8ede458B63F499a5","type":"smart_contract","addedAt":"2022-03-05T16:54:59.961Z","revision":1,"description":"P_ETH","isPrimacyOfImpact":null},{"id":"73lYVYqUOigA9zRwYfsnBp","url":"https://optimistic.etherscan.io/address/0x811Cd5CB4cC43F44600Cfa5eE3F37a402C82aec2","type":"smart_contract","addedAt":"2022-03-05T16:55:04.353Z","revision":1,"description":"P_USDC","isPrimacyOfImpact":null},{"id":"7BAd7xi466bWoBmOGn8Yay","url":"https://optimistic.etherscan.io/address/0x8158B34fF8A36dD9E4519d62C52913C24ad5554b","type":"smart_contract","addedAt":"2022-03-05T16:55:08.301Z","revision":1,"description":"P_USDT","isPrimacyOfImpact":null},{"id":"7FFLzH7Mh0U7uf4uDuOwRe","url":"https://optimistic.etherscan.io/address/0xc12B9D620bFCB48be3e0CCbf0ea80C717333b46F","type":"smart_contract","addedAt":"2022-03-05T16:55:11.249Z","revision":1,"description":"P_DAI","isPrimacyOfImpact":null},{"id":"6m5LP26KHDt1uFrfnyKmLG","url":"https://optimistic.etherscan.io/address/0x48a5322c3021d5eD5CE4293112141045d12c7EFC","type":"smart_contract","addedAt":"2022-03-05T16:55:13.367Z","revision":1,"description":"P_BTC","isPrimacyOfImpact":null},{"id":"1okXIbcTvGXQYYAozXs9po","url":"https://optimistic.etherscan.io/address/0x8F00a5E13b3F2AaAddc9708AD5c77FbCc300b0EE","type":"smart_contract","addedAt":"2022-03-05T16:55:15.075Z","revision":1,"description":"P_LINK","isPrimacyOfImpact":null},{"id":"2fqbqY3fzCOD7wjmFzxn9A","url":"https://optimistic.etherscan.io/address/0x6F620EC89B8479e97A6985792d0c64F237566746","type":"smart_contract","addedAt":"2022-03-05T16:55:17.266Z","r
evision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"5adkZGr53kmzQq0tjegSyP","url":"https://hecoinfo.com/address/0x4C78015679FabE22F6e02Ce8102AFbF7d93794eA","type":"smart_contract","addedAt":"2022-03-05T16:55:22.892Z","revision":1,"description":"WP_PRICE_PROVIDER_V1","isPrimacyOfImpact":null},{"id":"2rC1WIPTkRhXHGbPqUuS9E","url":"https://hecoinfo.com/address/0xFfceAcfD39117030314A07b2C86dA36E51787948","type":"smart_contract","addedAt":"2022-03-05T16:55:27.937Z","revision":1,"description":"WE_PIGGY_PRICE_ORACLE_V1","isPrimacyOfImpact":null},{"id":"6NK2Tz4ss2FDgEZTOEOkbL","url":"https://hecoinfo.com/address/0x3401D01E31BB6DefcFc7410c312C0181E19b9dd5","type":"smart_contract","addedAt":"2022-03-05T16:55:30.633Z","revision":1,"description":"COMPTROLLER","isPrimacyOfImpact":null},{"id":"2ltrkvptuL5UkARSeA2tKT","url":"https://hecoinfo.com/address/0x8b4397A92D53916f24a8E06777CEf4485281224C","type":"smart_contract","addedAt":"2022-03-05T16:55:33.956Z","revision":1,"description":"PIGGY_DISTRIBUTION","isPrimacyOfImpact":null},{"id":"7Cl3EPzNbQUpJA1ZyLC7VF","url":"https://hecoinfo.com/address/0xd1121aDe04EE215524aeFbF7f8D45029214d668D","type":"smart_contract","addedAt":"2022-03-05T16:55:38.483Z","revision":1,"description":"STABLECOIN_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"3E5bpYOLgK8hgd5fxboMJg","url":"https://hecoinfo.com/address/0x621CE6596E0B9CcF635316BFE7FdBC80C3029Bec","type":"smart_contract","addedAt":"2022-03-05T16:55:39.081Z","revision":1,"description":"BTC_ETH_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"1z04D6jvZWgCz8vSTmldQw","url":"https://hecoinfo.com/address/0x8e1e582879Cb8baC6283368e8ede458B63F499a5","type":"smart_contract","addedAt":"2022-03-05T16:55:40.519Z","revision":1,"description":"MAINSTREAM_JUMP_RATE_MODEL","isPrimacyOfImpact":null},{"id":"5nMZByVFaQ8P88GA5p0bs8","url":"https://hecoinfo.com/address/0x8158B34fF8A36dD9E4519d62C52913C24ad5554b","type":"smart_contract","addedAt":"2022-03-05T16:55:45.355Z","revision":1,"description":
"MAX_IMILLION","isPrimacyOfImpact":null},{"id":"6RoefYOtrvDUJdt4hX4ku8","url":"https://hecoinfo.com/address/0x75DCd2536a5f414B8F90Bb7F2F3c015a26dc8c79","type":"smart_contract","addedAt":"2022-03-05T16:55:48.701Z","revision":1,"description":"P_HT","isPrimacyOfImpact":null},{"id":"5eTkuLWEbImqcQuYjmvYGC","url":"https://hecoinfo.com/address/0x311aEA58Ca127B955890647413846E351df32554","type":"smart_contract","addedAt":"2022-03-05T16:55:51.540Z","revision":1,"description":"P_HUSD","isPrimacyOfImpact":null},{"id":"4pIdlXYDPqvPoNdazX9AzA","url":"https://hecoinfo.com/address/0x12D803497D1e58dD4D4A4F455D754f1d0F937C8b","type":"smart_contract","addedAt":"2022-03-05T16:55:59.026Z","revision":1,"description":"P_USDT","isPrimacyOfImpact":null},{"id":"eUZVVtgZtLDoCutbtaCuE","url":"https://hecoinfo.com/address/0x2a8Cd78bFb91ACF53f589961D213d87c956e0d7f","type":"smart_contract","addedAt":"2022-03-05T16:55:57.533Z","revision":1,"description":"P_USDC","isPrimacyOfImpact":null},{"id":"4yoCdj6Dvv27bNe2pD2wBs","url":"https://hecoinfo.com/address/0x2B7F68170a598E507B19Bca41ED745eABc936B3F","type":"smart_contract","addedAt":"2022-03-05T16:56:07.710Z","revision":1,"description":"P_ETH","isPrimacyOfImpact":null},{"id":"3kUYFVgOp75I45FFZ2CnME","url":"https://hecoinfo.com/address/0x2dd8FFA7923a17739F70C34759Af7650e44EA3BE","type":"smart_contract","addedAt":"2022-03-05T16:56:10.375Z","revision":1,"description":"P_HBTC","isPrimacyOfImpact":null},{"id":"6nqTrdu7HXM7uUnj0rmzds","url":"https://hecoinfo.com/address/0x811Cd5CB4cC43F44600Cfa5eE3F37a402C82aec2","type":"smart_contract","addedAt":"2022-03-05T16:56:12.294Z","revision":1,"description":"P_HPT","isPrimacyOfImpact":null},{"id":"290VMe55XluW6UZNGki8Py","url":"https://hecoinfo.com/address/0x17933112E9780aBd0F27f2B7d9ddA9E840D43159","type":"smart_contract","addedAt":"2022-03-05T16:56:14.408Z","revision":1,"description":"P_HDOT","isPrimacyOfImpact":null},{"id":"6lhsV4BW9CwOvqXZEBSKn4","url":"https://hecoinfo.com/address/0x417FDfC74503d8008AeEB53
248E5C0f1960c2C1d","type":"smart_contract","addedAt":"2022-03-05T16:56:16.519Z","revision":1,"description":"P_HLTC","isPrimacyOfImpact":null},{"id":"7cTo3rrHfLR61j0QRSYkaX","url":"https://hecoinfo.com/address/0xe212829Ca055eD63279753971672c693C6C6d088","type":"smart_contract","addedAt":"2022-03-05T16:56:19.469Z","revision":1,"description":"P_HBCH","isPrimacyOfImpact":null},{"id":"1Sr2DYaTxoCIsdudVA8Q3u","url":"https://hecoinfo.com/address/0x30ac79B557973771c931D8d765E0728261A742a0","type":"smart_contract","addedAt":"2022-03-05T16:56:22.257Z","revision":1,"description":"P_MDX","isPrimacyOfImpact":null},{"id":"cneTwvlGpc2NQ5MiuZ1nS","url":"https://hecoinfo.com/address/0x0C8c1ab017c3C0c8A48dD9F1DB2F59022D190f0b","type":"smart_contract","addedAt":"2022-03-05T16:56:24.559Z","revision":1,"description":"P_HFIL","isPrimacyOfImpact":null},{"id":"1nLIqHVGNNyXZknxLESpLB","url":"https://hecoinfo.com/address/0xd828F7029CC58C4E9Cab3B1E0726CEFab411bc65","type":"smart_contract","addedAt":"2022-03-05T16:56:26.233Z","revision":1,"description":"P_UNI","isPrimacyOfImpact":null},{"id":"1olV6n9wJ5Ixd9ZiCFoFcK","url":"https://hecoinfo.com/address/0xC24230002c3386F0bCe325CB04FAC789fE66460a","type":"smart_contract","addedAt":"2022-03-05T16:56:28.809Z","revision":1,"description":"P_DAI","isPrimacyOfImpact":null},{"id":"02Du2UpD8v8wpEA0dkKDa","url":"https://hecoinfo.com/address/0x6F620EC89B8479e97A6985792d0c64F237566746","type":"smart_contract","addedAt":"2022-03-05T16:56:30.715Z","revision":1,"description":"WPC","isPrimacyOfImpact":null},{"id":"3c2rbSri0MnnZ5EV9OnMzq","url":"https://app.wepiggy.com/","type":"websites_and_applications","addedAt":"2022-03-05T16:56:33.260Z","revision":1,"description":"(Desktop)","isPrimacyOfImpact":null},{"id":"6JTmVSOUJNDulDE3lGtPOK","url":"https://m.app.wepiggy.com/","type":"websites_and_applications","addedAt":"2022-03-05T16:56:37.023Z","revision":1,"description":"(Mobile)","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in 
Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC","ETH","Heco","Optimism","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["JavaScript","Solidity"],"launchDate":"2022-01-29T03:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1iWS1dR7yOp9ZAHmS9eIwn/2882e2948b9dd77ffcf1b9f5c8570b11/WePiggy_Logo_Small.png","maxBounty":100000,"pocPerTypeAndSeverity":["websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n  - Loss of user funds staked (principal) by freezing or theft\n  - Loss of governance funds\n  - Theft of unclaimed yield\n  - Freezing of unclaimed yield for at least 24 hours\n\n__Web/App__\n\n  - Shell access on server","productType":["Asset Management","L2","Lending"],"programOverview":"WePiggy is an open source, non-custodial crypto asset lending market protocol. In WePiggy's market, users can deposit their crypto assets to earn interest, or borrow other assets by paying interest.\n\nFor more information about WePiggy, please visit [https://www.wepiggy.com/](https://www.wepiggy.com/).  
\n\nThis bug bounty program covers their smart contracts and app and is focused on preventing:\n\n  - Thefts and freezing of principal of any amount\n  - Thefts and freezing of unclaimed yield of any amount\n  - Theft of governance funds","programType":["Smart Contract","Websites and Applications"],"project":"WePiggy","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. All bug reports must come with a suggestion for a fix to be considered for a reward.\n\nAll known issues highlighted in the following audit reports are considered to be out-of-scope:\n  - [https://github.com/WePiggy/wepiggy-contracts/tree/master/docs/audits](https://github.com/WePiggy/wepiggy-contracts/tree/master/docs/audits)\n\nWePiggy requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. 
The information needed is the name, affiliated company (if any) and an email address or Telegram handle.\n\nIn addition, WePiggy has the following requirements for bug bounty hunters to be eligible for rewards:\n  - Be at least 18 years of age.\n  - Be reporting in an individual capacity, or if employed by a company, reporting with the company's written approval to submit a disclosure to WePiggy.\n  - Not be a current or former WePiggy employee, vendor, contractor, or employee of a WePiggy vendor or contractor.\n\nPayouts are handled by the __WePiggy__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"wepiggy","tenPercentEconomicRule":false,"updatedDate":"2024-11-29T14:29:02.338Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_official_contributor","no_employee"],"responsiblePublicationCategory":null,"description":"WePiggy is an open source, non-custodial crypto asset lending market protocol. In WePiggy's market, users can deposit their crypto assets to earn interest, or borrow other assets by paying interest.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - Attacks requiring privileged access from within the organization","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":1773,"type":"smart_contract","severity":"high","title":"Freezing of unclaimed yield for at least 24 hours"},{"id":1774,"type":"smart_contract","severity":"critical","title":"Loss of user funds staked (principal) by freezing or theft"},{"id":1775,"type":"smart_contract","severity":"critical","title":"Loss of governance funds"},{"id":1776,"type":"websites_and_applications","severity":"critical","title":"Shell access on server"}],"rewards":[{"id":8623,"severity":"critical","assetType":"smart_contract","fixedReward":100000,"rewardModel":"fixed","rewardCalculationPercentage":0},{"id":8624,"severity":"high","assetType":"smart_contract","fixedReward":4000,"rewardModel":"fixed"},{"id":8625,"severity":"critical","assetType":"websites_and_applications","fixedReward":25000,"rewardModel":"fixed","otherImpactMaxReward":0}],"audits":[]},{"assets":[{"id":"75zBRG82EVjreHhzBy9TM3","url":"https://github.com/shardeum/validator-gui/tree/dev","type":"websites_and_applications","addedAt":"2024-09-04T12:00:00.000Z","revision":1,"description":"Validator gui [3200]","isPrimacyOfImpact":null},{"id":"6kiMAhZHTmwZKBZQJGVytr","url":"https://github.com/shardeum/validator-cli/tree/dev","type":"websites_and_applications","addedAt":"2024-09-04T12:00:00.000Z","revision":1,"description":"Command line app 
[1895]","isPrimacyOfImpact":null},{"id":"4TKp0eKeuNbNXiBV9ZzS1Y","url":"https://github.com/shardeum/archive-server/tree/dev","type":"websites_and_applications","addedAt":"2024-09-04T12:00:00.000Z","revision":1,"description":"Archive server [13717]","isPrimacyOfImpact":null},{"id":"jPrgpaXGDV0GbIOggufE3","url":"https://github.com/shardeum/json-rpc-server/tree/dev","type":"websites_and_applications","addedAt":"2024-09-04T12:00:00.000Z","revision":1,"description":"Json rpc server [7957]","isPrimacyOfImpact":null},{"id":"11gGxRzqlLJj4HKsHIXRed","url":"https://immunefi.com","type":"websites_and_applications","addedAt":"2024-09-04T12:00:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"Shardeum’s up to date codebase can be found at [https://github.com/shardeum/](https://github.com/shardeum/).\n\n__Mid-Contest Code Updates__\n\nIn this contest bug fixes may be applied mid-contest. This is required for Shardeum to test changes on their beta networks in preparation for an imminent mainnet launch.\n\nThe project is to keep changes private as far as possible. When changes need to be made public, then the changelog will be updated here & in the [Shardeum Audit Competition Discord channel](https://discord.com/invite/immunefi?utm_source=immunefi). Publicly fixed bugs are invalid and the scope is updated to the new code.\n\nAll bug reports before the fix was public will earn a reward. All bug reports after are invalid. 
If a new bug is introduced by their fix then it is valid for a reward.\n\n__Mid-Contest Changelog__\n\nCurrently none.\n\nPOCs should be tested against the most recent changes on the /tree/dev github repo.\n\n__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Known Issue Assurance__\n\nShardeum commits to providing Known Issue Assurance to bug submissions through their program. This means that Shardeum will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nShardeum adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact). \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Shardeum has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/10zwZIGt0QMig_FJrHhkTztIxN57RnanT?usp=sharing)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/shardeum-ancillaries-ii)","boostedIntroLive":"$100,000 USD is available in rewards for finding bugs in Shardeum's codebase of about 27000 nSLOC. There is no KYC required.\n\nShardeum team will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to Shardeum or Immunefi in the [Shardeum Audit Competition Discord channel](https://discord.com/invite/immunefi).\n\nIn this contest bug fixes may be applied mid-contest. Further details are in the 'Assets In Scope' section.\n\nWhen the Audit Competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$100,000 USD in rewards is available for finding bugs on Shardeum Ancillaries II. 
This Boost is a successor of Shardeum's Ancillaries Boost and will only cover the Web2 aspects of the project. \n\nNo KYC is required.\n\nAny technical questions can be asked directly to the Shardeum technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"shardeum-ancillaries-boost\" channel.\n\nIn a few days after the launch, Shardeum will give a live technical walkthrough, hosted in the Immunefi Discord.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedLeaderboard":[{"high":0,"name":"periniondon630","critical":2,"earnings":67596,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":2,"name":"blocksmith0","critical":0,"earnings":17980,"insights":2,"mediumLow":0,"totalValidBugs":2},{"high":1,"name":"hulkvision","critical":0,"earnings":4267,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"Blockian","critical":0,"earnings":3827,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"anton_quantish","critical":0,"earnings":2816,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Ouabala","critical":0,"earnings":1757,"insights":3,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"gln","critical":0,"earnings":1081,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"sujan_shetty","critical":0,"earnings":676,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1qzfoiJKJegSGoylCu_ZvPjOrtkJ64Sgx/view?usp=sharing","ecosystem":["Shardeum"],"endDate":"2024-10-16T12:00:00.000Z","evaluationEndDate":"2024-11-28T10:00:00.000Z","features":["Boost","Managed Triage: Time 
Saver","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Typescript","Rust"],"launchDate":"2024-09-04T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6O1D4wPpM4PSjiCqxkQUtX/0a261a8eb6a99945842a08750ba37b36/Shardeum_Logo_Icon_Light_-_Square__1_.png","maxBounty":100000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Websites and Apps__\n\n- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n- This does not exclude reflected HTML injection with or without JavaScript\n- This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["websites_and_applications - low","websites_and_applications - medium","websites_and_applications - high","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1"],"programOverview":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever while maintaining true decentralization and (hopefully) solid security. Shardeum is a large project and as such, will be split over two concurrent audit competitions. This audit competition, called Ancillaries II, will cover the Web2 aspects of the project. This will cover three components: The validator GUI, validator CLI, Archive Server, and the RPC server.\n\nFor more information about Shardeum, please visit [https://shardeum.org/](https://shardeum.org/).\n\nShardeum provides rewards in USDC, denominated in USD.","programType":["Websites and Applications"],"project":"Audit Comp | Shardeum: Ancillaries II","projectType":["Blockchain"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Shardeum Ancillaries II Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/28077740315537-Shardeum-Ancillaries-II-Audit-Competition-Reward-Terms)\n\nThe reward pool will be entirely distributed among participants. 
The size depends on the bugs found:\n- If one or more Critical severity bugs are found, **the reward pool will be 100% of the respective reward pool, $100,000 USD**\n- If one or more High severity bugs are found, **the reward pool will be 75% of the respective reward pool, $75,000 USD**\n- If one or more Medium severity bugs are found, **the reward pool will be 50% of the respective reward pool, $50,000 USD**\n- If Low severity bugs or no bugs are found, **the reward pool will be 25% of the respective reward pool, $25,000 USD**\n\n**Duplicates of Insight reports are not eligible for a reward.**\n\nFor this Audit Competition, duplicates and private known issues are valid for a reward. \n\nPrivate known issues will unlock higher reward pools according to their severity level without any downgrade. For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a Critical severity bug being found.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Payment Terms__\n\nPayouts are handled by the Shardeum team directly and are denominated in USD. However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\nThe \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. 
\"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi).","rewardsPool":100000,"primaryPool":100000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"shardeum-ancillaries-ii-boost","tenPercentEconomicRule":false,"updatedDate":"2024-11-28T10:54:38.558Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nPOCs should be tested against the most recent changes on the /tree/dev github repo.\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Whitehat Educational Resources & Technical Info__\n\n- Shardeum’s up to date codebase can be found at [https://github.com/shardeum/](https://github.com/shardeum/)\n- Shardeum’s youtube page: [https://www.youtube.com/@Shardeum](https://www.youtube.com/@Shardeum)\n- Previous tech walkthroughs: [https://www.youtube.com/watch?v=U2ZHqQchBgA](https://www.youtube.com/watch?v=U2ZHqQchBgA), [https://www.youtube.com/watch?v=Lt-jI8FAQcQ](https://www.youtube.com/watch?v=Lt-jI8FAQcQ)\n- Whitepaper: [https://docs.shardeum.org/docs/whitepaper](https://docs.shardeum.org/docs/whitepaper)\n- Documentation: [https://docs.shardeum.org/](https://docs.shardeum.org/)\n\n__Where do you suspect there may be bugs?__\n\n- **Which parts of the code are you most concerned about?**\n     - Communication between the archiver and validators\n     - Communication between the RPC and the validators\n     - The GUI\n\n- **What attack vectors are you most concerned about?**\n     - Priv escalation from the GUI\n     - Crashing archivers\n     - Priv escalation in  archivers. 
Archivers will not be public at launch\n     - Priv escalation in RPC\n\n- **Which part(s) of the system do you want whitehats to attempt to break the most?**\n     - Archiver and RPC server. We want them to break all of it obviously but we believe these two components need more attention\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nThe default config in the dev branch is in scope. Whitehats are free to configure, patch, and modify their own malicious hosts however they want. However, the target service must be running the default config in dev. This is to prevent the whitehats from wasting time reporting things we specifically allow in debug mode. If the researchers can enable debug mode options remotely then that is valid and can be paid out.\n\nAttacks that require the network to still be initializing/bootstrapping are out of scope. Wait until the network mode reaches “processing” + 15 cycles after startup before launching attacks. The rules for staking/join are a little different and the network will not be public during this time. Attacks on a network that is repairing itself (was once in “processing” mode but has since degraded to “safety” or “recovery”) are in scope.\n\nAttacks that require lots of network traffic, large messages, or many connections are at risk of being degraded to insight.\n\n0day vulnerabilities in dependencies will have a max impact of insight. Any other vuln in dependencies is out of scope.\n\nAny report based on unit tests, simulations, or anything not a fully functioning service will have a max impact of low.\n\nSmart contracts and smart-contract-related code/functions are out of scope.\n\nFinally, the more nodes that are required to launch an attack, the more at risk the vuln is of being downgraded. 
If it takes 33% (for example) of the nodes in the network being malicious to cause damage, then it becomes difficult to distinguish the impact from a brute-force/51% attack, which is completely out of scope.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nThe archive server is designed to store the history of the network. Archivers are not a part of the core protocol, do not have any part in consensus, and do not affect joining/rotation. Another quirk is that currently, the transaction history is not chained. The cycle certificates are chained which contains information like joined and lost nodes per cycle, active nodes, archiver list, standby list, etc. The transaction history will have a Merkle root published while the chaining is developed.\n\n\n__What is the test suite setup information?__\n\nHere is a helpful PoC scaffolding. Even though it targets the Core II audit competition, it may still be helpful here\n\n[https://gist.github.com/kun6fup4nd4/162d491e07d0a84344abbf33bc602502](https://gist.github.com/kun6fup4nd4/162d491e07d0a84344abbf33bc602502)\n\nRPC: [https://github.com/shardeum/json-rpc-server/tree/localtest#running-tests](https://github.com/shardeum/json-rpc-server/tree/localtest#running-tests)\n\nArchiver: No specific doc, however an archiver is launched with the local network when following the directions here: [https://github.com/shardeum/shardeum?tab=readme-ov-file#running-the-network-locally](https://github.com/shardeum/shardeum?tab=readme-ov-file#running-the-network-locally).\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.\n- [List of Known Issues for Shardeum | Core II and Shardeum | Ancillaries II Audit Competitions](https://immunefisupport.zendesk.com/hc/en-us/articles/28112833600401-List-of-Known-Issues-for-Shardeum-Core-II-and-Shardeum-Ancillaries-II-Audit-Competitions)\n- The list of previously discovered vulnerabilities will be published in a few days.\n\n__Previous Audits__\n\nShardeum’s completed audit reports can be found here: [Arcadia (draft)](https://docs.google.com/document/d/1OlmijVY2ga_7QEe8DYU-NTEXfAqMRpuwlduIofjmEwA/edit#heading=h.5uoc4mfz7mn4), [HashCloak](https://docs.google.com/document/d/1n11d40JZYgL33-F-Lw6FMuBP9AJSXvyg-xBpJhwOkUE/edit). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever while maintaining true decentralization and solid security.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":5063,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as:  Social media handles, etc."},{"id":5064,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction:  Iframing leading to modifying the backend/browser state (must demonstrate impact with 
PoC)"},{"id":5065,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as: Locking up the victim from login, Cookie bombing, etc."},{"id":5066,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as: Email address, Phone number, Physical address, etc."},{"id":5067,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website"},{"id":5068,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover with already-connected wallet interaction"},{"id":5069,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":5070,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:  Email Password of the victim etc."},{"id":5071,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as: Email address, Phone number, Physical address, etc."},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":5072,"type":"websites_and_applications","severity":"medium","title":"Injection of malicious HTML or XSS through metadata"},{"id":5073,"type":"websites_and_applications","severity":"medium","title":"Subdomain takeover without already-connected wallet interaction"},{"id":5074,"type":"websites_and_applications","severity":"medium","title":"RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the 
respective layer"},{"id":5075,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction: Changing the first/last name of user, Enabling/disabling notifications"},{"id":5076,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection, Loading external site data"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":5077,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":5078,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":5079,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"medium","payout":"Portion of the Reward 
Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true}],"audits":[]},{"assets":[{"id":"1IIQS3rQenRZz28tzYsUJH","url":"https://github.com/shardeum/shardus-core/tree/dev","type":"blockchain_dlt","addedAt":"2024-09-04T12:00:00.000Z","revision":1,"description":"Core [53000]","isPrimacyOfImpact":null},{"id":"6hJyOnA3lEYtpzabdZ4m8g","url":"https://github.com/shardeum/shardeum/tree/dev","type":"blockchain_dlt","addedAt":"2024-09-04T12:00:00.000Z","revision":2,"description":"Validator [22461]","isPrimacyOfImpact":null},{"id":"1KJLM6CryMGriez1rqg6EG","url":"https://immunefi.com","type":"blockchain_dlt","addedAt":"2024-09-04T12:00:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"Shardeum’s up to date codebase can be found at [https://github.com/shardeum/](https://github.com/shardeum/).\n\nA note on Shardeum and Shardus Core scope: the default config in the dev branch is in scope. Whitehats are free to configure, patch, and modify their own malicious nodes however they want. However, target nodes must be running the default config in dev. This is to prevent the whitehats from wasting time reporting things we specifically allow in debug mode. The only exception is minNodes and maxNodes settings, which allow different size networks to be created. Certain vulnerabilities may only exist in certain network sizes, and we do not wish to limit Whitehat activity and participation for lack of computing power attempting to run a large local network. However, network-wide attacks that only work under 128 nodes may be rejected or reduced in severity at our discretion. If the researchers can enable debug mode options remotely then that is valid and can be paid out.\n\nAttacks that require the network to still be initializing/bootstrapping are out of scope. 
Wait until the network mode reaches “processing” + 15 cycles after startup before launching attacks. The rules for staking/join are a little different and the network will not be public during this time. Attacks on a network that is repairing itself (was once in “processing” mode but has since degraded to “safety” or “recovery”) are in scope.\n\nAttacks that require lots of network traffic, large messages, or many connections are at risk of being degraded to insight.\n\n0day vulnerabilities in dependencies will have a max impact of insight. Any other vuln in dependencies is out of scope.\n\nAny report based on unit tests, simulations, or anything not a fully functioning network will have a max impact of low.\n\nSmart contracts are out of scope.\n\nFinally, the more nodes that are required to launch an attack, the more at risk the vuln is of being downgraded. If it takes 33% (for example) of the nodes in the network being malicious to cause damage, then it becomes difficult to distinguish the impact from a brute-force/51% attack, which is completely out of scope.\n\n__Mid-Contest Code Updates__\n\nIn this contest bug fixes may be applied mid-contest. This is required for Shardeum to test changes on their beta networks in preparation for an imminent mainnet launch.\n\nThe project is to keep changes private as far as possible. When changes need to be made public, then the changelog will be updated here & in the [Shardeum Audit Competition Discord channel](https://discord.com/invite/immunefi?utm_source=immunefi). Publicly fixed bugs are invalid and the scope is updated to the new code.\n\nAll bug reports before the fix was public will earn a reward. All bug reports after are invalid. 
If a new bug is introduced by their fix then it is valid for a reward.\n\n__Mid-Contest Changelog__\n\n**Shardeum**\n- fix: subtracting slashing penalty twice - [#158](https://github.com/shardeum/shardeum/pull/158/commits/22f537f277962a6379bb49b60f504a03332129b5)\n- Remove unused method getDebugString - [#281](https://github.com/shardeum/shardus-core/pull/281/commits/2b42c2f4d8e68c70aa2d712f4778a539e436f596)\n\n**Shardus Core**\n- add cycle to unjoin request - [#279](https://github.com/shardeum/shardus-core/pull/279/commits/46e437bc54537a835534f497d37775ae391cfda0)\n- getStoredCycleByTimestamp() adjusted slightly to return exclusive lower bound and inclusive upper bound - [d1a3507](https://github.com/shardeum/shardus-core/commit/d1a350783ce2f72ec51129643e7290b4de2500d7)\n- comment out deprecated and unused \"gossip-final-state\" handler - [#272](https://github.com/shardeum/shardus-core/pull/272/commits/30e43d4c4a8a2282b11d1476f70a2f80681affdf)\n- added signature verification to gossipValidJoinRequests handler - [#280](https://github.com/shardeum/shardus-core/pull/280/commits/ef57a48ee9bf7332844360b3d6c7fdac8f4bcceb)\n- Improved error handling and input validation around join routes - [#286](https://github.com/shardeum/shardus-core/pull/286/commits/e18d7bd080f18311bf98024d5573d4cc5769f423)\n- fix: foreign socket stream unsubscribing archiver on behalf of another socket stream - [#264](https://github.com/shardeum/shardus-core/pull/264/commits/7f75e01a85dc89bb21c5798ef15b288cca5787bb)\n- fix(api): added account limit to get_account_data_with_queue_hints - [#283](https://github.com/shardeum/shardus-core/pull/283/commits/14d4b483e21b41151110971323bf71dfa82d6aa0)\n\nPOCs should be tested against the most recent changes on the /tree/dev github repo.\n\n__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were 
not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Known Issue Assurance__\n\nShardeum commits to providing Known Issue Assurance to bug submissions through their program. This means that Shardeum will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nShardeum adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact). \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Shardeum has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1pNu7kiBqxRl_H7Ouqcy4qXF8MG8o5M6Y)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/shardeum-core-ii)","boostedIntroLive":"$150,000 USD is available in rewards for finding bugs in Shardeum's codebase of about 75000 nSLOC. There is no KYC required.\n\nAny technical questions and support requests can be asked directly to Shardeum or Immunefi in the [Shardeum Audit Competition Discord channel](https://discord.com/invite/immunefi).\n\nIn this contest bug fixes may be applied mid-contest. Further details are in the 'Assets In Scope' section.\n\nWhen the Audit Competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$150,000 USD in rewards is available for finding bugs on Shardeum Core II. 
This Boost is a successor of Shardeum's Core Boost and will cover two components: Shardus Core Protocol and Shardeum Validator Nodes.\n\nNo KYC is required.\n\nAny technical questions can be asked directly to the Shardeum technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"shardeum-core-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Shardeum will give a live technical walkthrough, hosted in the Immunefi Discord.\n\nJoin our Discord for more updates.","boostedLeaderboard":[{"high":0,"name":"Merkle_Bonsai","critical":3,"earnings":59735,"insights":3,"mediumLow":0,"totalValidBugs":3},{"high":0,"name":"periniondon630","critical":3,"earnings":51401,"insights":0,"mediumLow":0,"totalValidBugs":3},{"high":0,"name":"throwing5tone7","critical":2,"earnings":32197,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"gln","critical":0,"earnings":1667,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Ouabala","critical":0,"earnings":1667,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"gladiator111","critical":0,"earnings":1667,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"dldLambda","critical":0,"earnings":1667,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/10Pk2wYk1AUEq69RnmhBTeikYtHTHoSZo/view?usp=sharing","ecosystem":["Shardeum"],"endDate":"2024-10-16T12:00:00.000Z","evaluationEndDate":"2024-11-27T10:00:00.000Z","features":["Boost","Managed Triage: Time Saver","Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Typescript"],"launchDate":"2024-09-04T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3pQP9TMw0MizXDfwmOSf40/40fec7480d34cc54384000dd1045ab00/Shardeum_Logo_Icon_Light_-_Square__1_.png","maxBounty":150000,"outOfScopeAndRules":"These 
impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["blockchain_dlt - low","blockchain_dlt - medium","blockchain_dlt - high","blockchain_dlt - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1"],"programOverview":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever while maintaining true decentralization and (hopefully) solid security. Shardeum is a large project and as such, will be split over two concurrent audit competitions. This audit competition, called Core II, will cover the Web3 aspects of the project. This will cover two components: Shardus Core Protocol and Shardeum Validator Nodes.\n\nFor more information about Shardeum, please visit [https://shardeum.org/](https://shardeum.org/).\n\nShardeum provides rewards in USDC, denominated in USD.","programType":["Blockchain/DLT"],"project":"Audit Comp | Shardeum: Core II","projectType":["Blockchain"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Shardeum Core II Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/28077659023505-Shardeum-Core-II-Audit-Competition-Reward-Terms)\n\nThe reward pool will be entirely distributed among participants. 
The size depends on the bugs found:\n- If one or more Critical severity bugs are found, **the reward pool will be 100% of the respective reward pool, $150,000 USD**\n- If one or more High severity bugs are found, **the reward pool will be 75% of the respective reward pool, $112,500 USD**\n- If one or more Medium severity bugs are found, **the reward pool will be 50% of the respective reward pool, $75,000 USD**\n- If Low severity bugs or no bugs are found, **the reward pool will be 25% of the respective reward pool, $37,500 USD**\n\n**Duplicates of Insight reports are not eligible for a reward.**\n\nFor this Audit Competition, duplicates and private known issues are valid for a reward. \n\nPrivate known issues will unlock higher reward pools according to their severity level without any downgrade. For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a Critical severity bug being found.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Payment Terms__\n\nPayouts are handled by the Shardeum team directly and are denominated in USD. However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\nThe \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. 
\"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi).","rewardsPool":150000,"primaryPool":150000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"shardeum-core-ii-boost","tenPercentEconomicRule":false,"updatedDate":"2024-11-27T12:09:54.757Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nPOCs should be tested against the most recent changes on the /tree/dev github repo.\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Whitehat Educational Resources & Technical Info__\n\n- Shardeum’s up to date codebase can be found at [https://github.com/shardeum/](https://github.com/shardeum/)\n- Shardeum’s youtube page: [https://www.youtube.com/@Shardeum](https://www.youtube.com/@Shardeum)\n- Previous tech walkthroughs: [https://www.youtube.com/watch?v=U2ZHqQchBgA](https://www.youtube.com/watch?v=U2ZHqQchBgA), [https://www.youtube.com/watch?v=Lt-jI8FAQcQ](https://www.youtube.com/watch?v=Lt-jI8FAQcQ)\n- Whitepaper: [https://docs.shardeum.org/docs/whitepaper](https://docs.shardeum.org/docs/whitepaper)\n- Documentation: [https://docs.shardeum.org/](https://docs.shardeum.org/)\n\n__Where do you suspect there may be bugs?__\n\n- **Which parts of the code are you most concerned about?**\n\nWe are concerned with the web3 and business logic within both repositories in this audit competition. Things like transaction queuing, slashing, and consensus. 
This includes any internal transactions or things involving the global account.\n\n- **What attack vectors are you most concerned about?**\n\nParsing/signature errors, cheating the rotation system, cheating the slashing, and transaction processing. We received quite a few message parsing and signature related reports in the previous audit competitions and feel like there may still be some vulns to find.\n\n- **Which part(s) of the system do you want whitehats to attempt to break the most?**\n\nTransaction queuing, slashing, and consensus.\n\n- **Are there any assumed invariants that you want whitehats to attempt to break?**\n\nSum of EOA account balances before attack == Sum of EOA account balances after attack + transaction fees. This should cover SHM disappearing from the network or being created out of thin air.\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nA note on Shardeum and Shardus Core scope: the default config in the dev branch is in scope. Whitehats are free to configure, patch, and modify their own malicious nodes however they want. However, target nodes must be running the default config in dev. This is to prevent the whitehats from wasting time reporting things we specifically allow in debug mode. The only exception is minNodes and maxNodes settings, which allow different size networks to be created. Certain vulnerabilities may only exist in certain network sizes, and we do not wish to limit Whitehat activity and participation for lack of computing power attempting to run a large local network. However, network-wide attacks that only work under 128 nodes may be rejected or reduced in severity at our discretion. If the researchers can enable debug mode options remotely then that is valid and can be paid out.\n\nAttacks that require the network to still be initializing/bootstrapping are out of scope. Wait until the network mode reaches “processing” + 15 cycles after startup before launching attacks. 
The rules for staking/join are a little different and the network will not be public during this time. Attacks on a network that is repairing itself (was once in “processing” mode but has since degraded to “safety” or “recovery”) are in scope.\n\nAttacks that require lots of network traffic, large messages, or many connections are at risk of being degraded to insight.\n\n0day vulnerabilities in dependencies will have a max impact of insight. Any other vuln in dependencies is out of scope.\n\nAny report based on unit tests, simulations, or anything not a fully functioning network, will have a max impact of low.\n\nSmart contracts are out of scope\n\nFinally, the more nodes that are required to launch an attack, the more at risk the vuln is of being downgraded. If it takes 33% (for example) of the nodes in the network being malicious to cause damage, then it becomes difficult to distinguish the impact from a brute-force/51% attack, which is completely out of scope.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nPlease consider how your vulnerability will behave on a network with a shard size of 128 nodes. We will accept reports with a PoC on a smaller network, but the severity may be affected if the impact is less feasible on network with a shard size of 128 nodes.\n\n__What is the test suite setup information?__\n\n[https://gist.github.com/kun6fup4nd4/162d491e07d0a84344abbf33bc602502](https://gist.github.com/kun6fup4nd4/162d491e07d0a84344abbf33bc602502)\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n- [List of Known Issues for Shardeum | Core II and Shardeum | Ancillaries II Audit Competitions](https://immunefisupport.zendesk.com/hc/en-us/articles/28112833600401-List-of-Known-Issues-for-Shardeum-Core-II-and-Shardeum-Ancillaries-II-Audit-Competitions)\n- The list of previously discovered vulnerabilities will be published in a few days.\n\n__Previous Audits__\n\nShardeum’s completed audit reports can be found here: [Arcadia (draft)](https://docs.google.com/document/d/1OlmijVY2ga_7QEe8DYU-NTEXfAqMRpuwlduIofjmEwA/edit#heading=h.5uoc4mfz7mn4), [HashCloack](https://docs.google.com/document/d/1n11d40JZYgL33-F-Lw6FMuBP9AJSXvyg-xBpJhwOkUE/edit). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever while maintaining true decentralization and solid security.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":5059,"type":"blockchain_dlt","severity":"high","title":"Blocking Specific Transactions"},{"id":5060,"type":"blockchain_dlt","severity":"medium","title":"Causing network processing nodes to process transactions from the transaction queue beyond set parameters"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network 
processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hardfork)"},{"id":5061,"type":"blockchain_dlt","severity":"critical","title":"Bypassing Staking Requirements"},{"id":5062,"type":"blockchain_dlt","severity":"critical","title":"Bypassing Slashing"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true}],"audits":[]},{"assets":[{"id":"3PMFspRiiFcgWzej3XJ9uk","url":"https://sepolia.etherscan.io/address/0x7e184179b1F95A9ca398E6a16127f06b81Cb37a3","type":"smart_contract","addedAt":"2024-08-20T08:00:25.000Z","revision":2,"description":"stBTC - 552","isPrimacyOfImpact":null},{"id":"3fMKyFzodJw6f6Ypl6x4zv","url":"https://sepolia.etherscan.io/address/0xd5EbDD6fF384a465D56562D3a489c8CCE1B92dd0","type":"smart_contract","addedAt":"2024-08-20T08:00:25.000Z","revision":2,"description":"MezoAllocator - 
253","isPrimacyOfImpact":null},{"id":"4GQrMkoUmuCeZiMzZSQ5Ha","url":"https://sepolia.etherscan.io/address/0x6c2c643c90383Cba125E4b8DD01344eA35A75F27","type":"smart_contract","addedAt":"2024-08-20T08:00:25.000Z","revision":2,"description":"BitcoinDepositor - 355","isPrimacyOfImpact":null},{"id":"2smMScLVlUldQJnmkCk0jB","url":"https://sepolia.etherscan.io/address/0xF4011FD0C77Bd4d909Ae05c7390b88455294dAeA","type":"smart_contract","addedAt":"2024-08-20T08:00:25.000Z","revision":2,"description":"BitcoinRedeemer - 180","isPrimacyOfImpact":null},{"id":"6SYykUU8W0LlcgaCe8BvzW","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-08-20T08:00:25.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Known Issue Assurance__\n\nAcre commits to providing Known Issue Assurance to bug submissions through their program. This means that Acre Finance will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. 
Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nAcre adheres to the Primacy of Impact for the following impacts:\n\n**Critical**\n\n- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n- Permanent freezing of funds\n- Protocol insolvency\n\n**High**\n\n- Theft of unclaimed yield\n- Permanent freezing of unclaimed yield\n- Temporary freezing of funds\n\n**Medium**\n\n- Smart contract unable to operate due to lack of token funds\n- Block stuffing\n- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)\n- Theft of gas\n- Unbounded gas consumption\n\n**Low**\n\n- Contract fails to deliver promised returns, but doesn't lose value\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact).\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Acre has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1B7bBTfp7vrZkC8Emw2H9kBa3TF-O93X-?usp=sharing)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/acre)","boostedIntroLive":"","boostedIntroStartingIn":"$50,000 USD in rewards is available for finding bugs on Acre.\n\nAcre is a liquid staked Bitcoin protocol. Users deposit BTC and receive stBTC representing their deposited BTC. The deposited BTC is deployed to Bitcoin layers that use BTC as their Proof-of-Stake asset, generating rewards for stBTC holders.\n\nAcre allows BTC holders to earn rewards on their BTC via stBTC. Acre provides a simple method for Bitcoin holders to benefit from the growth of Bitcoin scaling without losing exposure to BTC price.  \n\nNo KYC is required.\n\nAcre will respond within 24 hours on weekdays to all bug reports. 
Any technical questions can be asked directly to the Acre technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"acre-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nAcre will give a live technical walkthrough, hosted in the Immunefi Discord. Sign up below to be notified with more details.","boostedLeaderboard":[{"high":0,"name":"brivan","critical":0,"earnings":11416,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Dliteofficial","critical":0,"earnings":9155,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"trachev","critical":0,"earnings":8425,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"nnez","critical":0,"earnings":8425,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"magtentic","critical":0,"earnings":3942,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"Bx4","critical":0,"earnings":3662,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"sammytm","critical":0,"earnings":2585,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"dash","critical":0,"earnings":2390,"insights":1,"mediumLow":1,"totalValidBugs":1}],"boostedSummaryReport":"https://drive.google.com/file/d/1ld8VgCkCMxBm65MuAcI8AFjjyAoYTBf6/view?usp=drive_link","ecosystem":null,"endDate":"2024-09-03T08:00:00.000Z","evaluationEndDate":"2024-11-19T12:13:45.904Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-08-20T08:00:25.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/0cbT2nwEwQOYtYtnErdn5/29aa15cc2c2cdcec374f927e50bf9b58/ACRE_logo.png","maxBounty":50000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program\n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, 
leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"The following impacts are accepted within this bug bounty program, including those listed under \"Primacy of Impact\" in the Resources > Resources & Documentation section.","productType":null,"programOverview":"Acre is a liquid staked Bitcoin protocol. Users deposit BTC and receive stBTC representing their deposited BTC. The deposited BTC is deployed to Bitcoin layers that use BTC as their Proof-of-Stake asset, generating rewards for stBTC holders.\nAcre allows BTC holders to earn rewards on their BTC via stBTC. Acre provides a simple method for Bitcoin holders to benefit from the growth of Bitcoin scaling without losing exposure to BTC price.  \nStrictly designed for a \"bitcoin in, bitcoin out\" experience, Acre is a portal to broad exposure by supporting Bitcoin scaling with minimal user effort. Acre supports native BTC deposits via Threshold's programmable and decentralized BTC bridge.\nAcre's goal is to offer the benefits of earning rewards on idle BTC without deep technical know-how. 
It is important to note that each transaction within the Acre protocol is completely visible on-chain for everyone to monitor.\n\nFor more information about Acre, please visit https://acre.fi\nAcre provides rewards in USDC, denominated in USD.","programType":["Smart Contract"],"project":"Audit Comp | Acre","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Acre Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/27470648000273-ACRE-Audit-Competition-Reward-Terms)\n\nThe reward pool of **$50,000 USD** will be entirely distributed among participants. \n\n- 10% of the total reward pool or a maximum of $50k, whichever is lower, is allocated to guaranteed rewards for Insight reports, regardless of whether 0 or more bugs are found or not.\n\nFor this audit competition, duplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Payment Terms__\n\nPayouts are handled by the Acre team directly and are denominated in USD. However, payments are done in USDC\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\n* The \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. 
\"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi). Duplicates of Insight reports weren't rewarded in any previous Audit Competitions, neither they will be rewarded in this Audit Competition or any other Audit Competition going forward.","rewardsPool":50000,"primaryPool":50000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"boost-acre","tenPercentEconomicRule":false,"updatedDate":"2024-11-19T12:19:46.549Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules\n\n__Whitehat Educational Resources & Technical Info__\n\n- Technical documentation currently lives on GitHub: https://github.com/thesis/acre/tree/main/solidity\n- For a non-technical overview, please see our docs: https://docs.acre.fi\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nThis is not an upgrade.\n\n__Where do you suspect there may be bugs? Useful aspects of this question are:__\n\nThe stBTC contract is based on the ERC4626 token vault. Attacks resulting in breaking the vault invariants and manipulating the shares conversion ratio are considered significant threats. We want to focus on users funds security.\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__\n\nAcre’s stBTC implements the ERC-4626 tokenized vault standard. By staking tBTC, users acquire a liquid staking token called stBTC, commonly referred to as \"shares\". Users have the flexibility to redeem stBTC, enabling them to withdraw their deposited tBTC along with the accrued yield. 
stBTC is a non-rebasing ERC4626 token.\n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nPausing stBTC contract, upgrade of contracts, adjusting minimum deposit limits\n\n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\nContracts Owners, Pause Admin, Mezo Portal, Maintainers\n\n__What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?__\n\nContracts Owners, Pause Admin\n\n__What external dependencies are there?__\n\nIn order to support a native bitcoin-in, bitcoin-out experience, Acre has integrated Threshold Network’s tBTC bridge, which is an existing technology. Deposited funds are allocated to the Mezo Portal contract.\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nExternal libraries are out-of-scope (e.g. @openzeppelin).\n\n__What is the test suite setup information?__\n\nhttps://github.com/thesis/acre/tree/main/solidity#testing\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n\n__Previous Audits__\n\nAcre’s completed audit reports can be found at:\n\n- https://github.com/Thesis-Defense/Security-Audit-Reports/blob/main/PDFs/240517_Thesis_Defense-Acre_Smart_Contracts_Security_Audit_Report.pdf\n- https://github.com/Thesis-Defense/Security-Audit-Reports/blob/main/PDFs/240808_Thesis_Defense-Mezo-Acre_stBTC_Smart_Contracts_Security_Audit_Report.pdf\n\nAny unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.","websiteUrl":"https://acre.fi","githubUrl":"https://github.com/thesis/acre/tree/main/solidity/contracts","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Acre is the liquidity layer for Bitcoin scaling. Users deposit BTC and receive stBTC representing their deposited BTC. The deposited BTC is deployed to Bitcoin layers that use BTC as their Proof-of-Stake asset, generating rewards for stBTC holders.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"6OpJsebyaFzjVVFnkqrZcW","url":"https://polygonscan.com/address/0xDbc52cd5b8EdA1A7BCBABb838ca927d23E3673e5","type":"smart_contract","addedAt":"2023-12-13T10:56:13.693Z","revision":1,"description":"ASSET 
(Polygon)","isPrimacyOfImpact":null},{"id":"1pY0WVgnig33eMNNN8oeVF","url":"https://polygonscan.com/address/0x58E0e4b0C6D99bEbC95a2be635a677D947b5C912","type":"smart_contract","addedAt":"2023-12-13T10:56:16.706Z","revision":1,"description":"ASSETCreate","isPrimacyOfImpact":null},{"id":"1qNszSoDSxSxJZsEWrG298","url":"https://polygonscan.com/address/0x1f980CFDf257792f2D85523094cD6B7210CAb509","type":"smart_contract","addedAt":"2023-12-13T10:56:18.460Z","revision":1,"description":"CATALYST","isPrimacyOfImpact":null},{"id":"434tQANEAd8C8vMryuEdvG","url":"https://polygonscan.com/address/0x687B573233791b96b51a47B6FCB8D7D9eceF118e","type":"smart_contract","addedAt":"2023-12-13T10:56:20.528Z","revision":1,"description":"Marketplace","isPrimacyOfImpact":null},{"id":"7ljICAoH8IfRmCm7GQ8R2w","url":"https://polygonscan.com/address/0x4063c6Ccd3D9541E53A514E83fba3843A7848E2F","type":"smart_contract","addedAt":"2023-12-13T10:56:22.212Z","revision":1,"description":"RoyaltyManager","isPrimacyOfImpact":null},{"id":"7t1kdos08im7tY8HbFrJhx","url":"https://polygonscan.com/address/0xafd5f5c6e72f0f6441e4abf2ae8ff23dee21a87a","type":"smart_contract","addedAt":"2023-12-13T10:56:24.038Z","revision":1,"description":"RoyaltySplitter","isPrimacyOfImpact":null},{"id":"2Cotw4ZmNuNMZZ5JgiEz57","url":"https://etherscan.io/address/0x5CC5B05a8A13E3fBDB0BB9FcCd98D38e50F90c38","type":"smart_contract","addedAt":"2022-07-05T15:00:00.000Z","revision":3,"description":"LAND","isPrimacyOfImpact":null},{"id":"7z5QusHIMumrprepeQgPDv","url":"https://etherscan.io/address/0x6cE82874EAf6E7602fD21Cf8bBDEd82705680A99","type":"smart_contract","addedAt":"2022-07-05T15:00:00.000Z","revision":2,"description":"LAND 
Tunnel","isPrimacyOfImpact":null},{"id":"65aZLyhZQEYXPWAF8oeCQF","url":"https://etherscan.io/address/0x3845badade8e6dff049820680d1f14bd3903a5d0","type":"smart_contract","addedAt":"2022-07-05T15:00:00.000Z","revision":1,"description":"SAND","isPrimacyOfImpact":null},{"id":"5tuxb9WsPQ7KSLrPvbGnUr","url":"https://etherscan.io/address/0x942DaEbbec2ab2307223E58E2C4360d4EBf88FA4","type":"smart_contract","addedAt":"2022-07-05T15:00:00.000Z","revision":1,"description":"EstateSalesWithAuth","isPrimacyOfImpact":null},{"id":"nMmlM6PBe3zy94uybxzb4","url":"https://polygonscan.com/address/0xa6e383bda26e4c52a3a3a3463552c42494669abd","type":"smart_contract","addedAt":"2022-07-05T15:00:00.000Z","revision":1,"description":"SAND Staking Pool","isPrimacyOfImpact":null},{"id":"5U2FZ0iPA87MR4g4vDRGgU","url":"https://polygonscan.com/address/0x7695b9ac52e49f1a8c4c554a072edb225eebfe70","type":"smart_contract","addedAt":"2022-07-05T15:00:00.000Z","revision":1,"description":"SAND Staking Pool Contribution Calculator","isPrimacyOfImpact":null},{"id":"QzeODKkw8UFTCSGJocaDY","url":"https://polygonscan.com/address/0xbbba073c31bf03b8acf7c28ef0738decf3695683","type":"smart_contract","addedAt":"2022-07-05T15:00:00.000Z","revision":1,"description":"SAND","isPrimacyOfImpact":null},{"id":"nDzDxhXMIYJQyabZtm2ej","url":"https://polygonscan.com/address/0x9d305a42a3975ee4c1c57555bed5919889dce63f","type":"smart_contract","addedAt":"2022-07-05T15:00:00.000Z","revision":2,"description":"LAND","isPrimacyOfImpact":null},{"id":"75jUwSK3DmrEDwOSwqdZy0","url":"https://polygonscan.com/address/0x21B083e128fa7BcC31214a0c000B56Fd4372EEa8","type":"smart_contract","addedAt":"2022-07-05T15:00:00.000Z","revision":2,"description":"LAND Tunnel","isPrimacyOfImpact":null},{"id":"3peFa2ygqBjUvG854xCUeN","url":"https://polygonscan.com/address/0xc3f3ef3929392fdc697c5800d6cd18af73377a8f","type":"smart_contract","addedAt":"2023-03-16T15:12:00.882Z","revision":4,"description":"Avatar 
collections","isPrimacyOfImpact":null},{"id":"2OUsfwmQhmNFEKvrvQ87pZ","url":"https://polygonscan.com/address/0x5cd67Daa17F708d6489E7Bb7648b7D0B823eA7bF","type":"smart_contract","addedAt":"2023-03-16T22:11:07.619Z","revision":1,"description":"Staking v4 - SAND Staking pool Rewards Calculator","isPrimacyOfImpact":null},{"id":"2hv2kynEtpq0g3KgVunC4v","url":"https://polygonscan.com/address/0x6b4831e24F0cd73d4150EF4694aA87d6c104A774","type":"smart_contract","addedAt":"2023-03-16T22:11:21.165Z","revision":1,"description":"Staking v4 - SAND Staking pool Contribution Rules","isPrimacyOfImpact":null},{"id":"2WfbiPuLeHcUOvBfMpi8ZH","url":"https://polygonscan.com/address/0xD3A9CAa25393765c05ce9f332B5E33b5E33D8B8F","type":"smart_contract","addedAt":"2023-03-16T22:11:56.201Z","revision":1,"description":"Staking v4 - SAND Staking pool","isPrimacyOfImpact":null},{"id":"7gxHhoecDdfoA1QGaBs4IJ","url":"https://polygonscan.com/address/0x3eF580A4A6B862183558625126bcC186436bfF4a","type":"smart_contract","addedAt":"2023-07-05T13:57:36.233Z","revision":1,"description":"Collection Factory","isPrimacyOfImpact":null},{"id":"VElFYNVtFxQUJzt30nWVd","url":"https://polygonscan.com/address/0x90262e888bbf1f5f375a9286da324f2aeeeebec2","type":"smart_contract","addedAt":"2023-07-05T13:57:33.256Z","revision":1,"description":"Avatar collections v2","isPrimacyOfImpact":null},{"id":"3vVgG6QQTz61fg7zeKlfQe","url":"https://etherscan.io/address/0xa342f5d851e866e18ff98f351f2c6637f4478db5","type":"smart_contract","addedAt":"2023-12-13T10:56:28.489Z","revision":1,"description":"ASSET (Ethereum) ","isPrimacyOfImpact":null},{"id":"ltpohmVrayaXGvfBd5GiA","url":"https://bscscan.com/address/0xac531Eb26Ca1d21b85126De8FB87E80E09002DcF","type":"smart_contract","addedAt":"2024-09-27T07:22:52.300Z","revision":1,"description":"SAND on 
BSC","isPrimacyOfImpact":null},{"id":"4LEX6TnPmCl126lHSO5fRP","url":"https://basescan.org/address/0xac531Eb26Ca1d21b85126De8FB87E80E09002DcF","type":"smart_contract","addedAt":"2024-09-27T07:23:06.615Z","revision":1,"description":"SAND on BASE","isPrimacyOfImpact":null},{"id":"4ntZa6HfH6IEqQosRgxEb0","url":"https://etherscan.io/address/0xac531Eb26Ca1d21b85126De8FB87E80E09002DcF","type":"smart_contract","addedAt":"2024-09-27T07:23:21.134Z","revision":1,"description":"OFTAdapterForSand","isPrimacyOfImpact":null},{"id":"4eIXMGQgVbIwZkEguTH4N1","url":"https://polygonscan.com/address/0x214d52880b1e4E17d020908cd8EAa988FfDD4020","type":"smart_contract","addedAt":"2024-11-15T14:25:41.925Z","revision":1,"description":"MultiGiveaway","isPrimacyOfImpact":null},{"id":"2bbGVhRuwXRMr7ctxwiazJ","url":"https://polygonscan.com/address/0x3d49b60783dB5FA4341355f31e4D9CBa63E53035","type":"smart_contract","addedAt":"2024-11-18T12:23:57.470Z","revision":1,"description":"InstantGiveaway","isPrimacyOfImpact":null}],"assetsBodyV2":"For proxy contracts, only the current implementation and any further updates to the implementation contracts are considered in scope.\n\nAll smart contracts of The Sandbox can be found at [https://github.com/thesandboxgame/sandbox-smart-contracts](https://github.com/thesandboxgame/sandbox-smart-contracts). 
However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2022-07-05T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6JrIhCrEMoZplnS6zBi2vc/87eca69d81f586ce017aba75db5e456e/The_Sandbox_Logo.png","maxBounty":200000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - low","smart_contract - medium","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Gaming","Staking","Token"],"programOverview":"The Sandbox is a virtual gaming world where players can build, own, and monetize gaming experiences in the metaverse.\n\nFor more information about The Sandbox, please visit [https://www.sandbox.game/](https://www.sandbox.game/)","programType":["Smart Contract"],"project":"The Sandbox","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. 
Explanations and statements are not accepted as PoC and code is required.\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 50 000__ and a maximum reward of __USD 200 000__ for Critical smart contract bug reports. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused.\n\nHigh severity smart contract vulnerabilities will be further capped at up to 100% of the funds affected. In the event of temporary freezing, the reward doubles for every additional 5 blocks that the funds could be temporarily frozen, rounded down to the nearest multiple of 5, up to the hard cap of 20 000 USD. This is implemented in order to account for the increased relative impact based on the duration of the freezing of funds.\n\nAll calculations of the amount of funds at risk are done based on the time the bug report is submitted.\n\nThe Sandbox requires all bug bounty hunters to complete the program’s KYC requirements if they are submitting a report and wanting a reward. The information needed is an ID photo along with a scan of a utility bill to show residency proof.\n\nBug reports from compensated team members of any The Sandbox core units will not be eligible for a reward. Employees and team members of third-party suppliers to core units that operate in a technical capacity and have assets covered in this bug bounty program will also not be eligible for a reward. 
All team members of the audit companies The Sandbox works with, and its third-party suppliers, including Immunefi itself and its subsidiaries, are not eligible for a reward.\n\nBug reports from team members and third-party suppliers of businesses and organizations that are not a The Sandbox Core Unit but have assets considered as critical infrastructure covered under the bug bounty program are also not eligible for the bug bounty program.\n\nBug reports covering previously-discovered bugs are not eligible for the program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report.\n\nThe following issues are considered known and are not eligible for a reward:\n  - __Contract:__ ERC20BasicApproveExtension (Ethereum & Polygon)\n    __Method:__ paidCall\n    __Description:__ The paidCall method when called on Sand contract can add an allowance for the caller to transfer Sand tokens owned by the contract itself. However, the contract will have a sand balance only if users send it to the contract address by mistake.\n  - __Contract:__ all the implementation contracts\n    __Description:__ the implementation contracts’ lack of initialization will end up with anyone owning/managing/minting tokens.\n\nAll issues previously highlighted in the following audit reports are also considered out of scope:\n[https://github.com/thesandboxgame/sandbox-smart-contracts/tree/master/packages/core/documentation/audits](https://github.com/thesandboxgame/sandbox-smart-contracts/tree/master/packages/core/documentation/audits)  \n\nPayouts are handled by the __The Sandbox__ team directly and are denominated in USD. 
Payouts are done in __SAND__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"SAND","slug":"thesandbox","updatedDate":"2024-11-19T08:29:28.497Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_official_contributor","no_auditor"],"responsiblePublicationCategory":null,"description":"The Sandbox is a virtual gaming world where players can build, own, and monetize gaming experiences in the metaverse.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":2903,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":2904,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for any amount of time"},{"id":2905,"type":"smart_contract","severity":"high","title":"Temporary freezing NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":2906,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":2907,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":2908,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":9082,"severity":"critical","assetType":"smart_contract","maxReward":200000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":9083,"severity":"high","assetType":"smart_contract","maxReward":20000,"rewardModel":"up_to"},{"id":9084,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":9085,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"7N0vaSsTkwrl6P6UEjCZQm","url":"https://github.com/alexgo-io/alex-v1/blob/dev/clarity/contracts/pool/alex-launchpad-v1-1.clar","type":"smart_contract","addedAt":"2022-02-09T13:43:21.107Z","revision":2,"description":"ALEX Launchpad v1.1","isPrimacyOfImpact":null},{"id":"18D6Md4dRFvGZzNtIiqDG3","url":"https://github.com/alexgo-io/alex-v1/blob/dev/clarity/contracts/pool/alex-reserve-pool.clar","type":"smart_contract","addedAt":"2022-02-09T13:43:55.113Z","revision":1,"description":"ALEX Reserve Pool","isPrimacyOfImpact":null},{"id":"4qAoKrS3TkH8n5JEuionF","url":"https://github.com/alexgo-io/alex-v1/blob/dev/clarity/contracts/pool/fixed-weight-pool-v1-01.clar","type":"smart_contract","addedAt":"2022-02-09T13:44:29.687Z","revision":2,"description":"Fixed Weight Pool","isPrimacyOfImpact":null},{"id":"4ULE2Yl2Rnd1B2dBITAbyz","url":"https://github.com/alexgo-io/alex-v1/blob/dev/clarity/contracts/pool/simple-weight-pool-alex.clar","type":"smart_contract","addedAt":"2022-02-09T13:45:10.299Z","revision":2,"description":"Simple Weight Pool (ALEX)","isPrimacyOfImpact":null},{"id":"4FIwofSkZlhrbXCxaeb8rA","url":"https://github.com/alexgo-io/alex-v1/blob/dev/clarity/contracts/alex-vault.clar","type":"smart_contract","addedAt":"2022-02-09T13:45:55.525Z","revision":2,"description":"ALEX 
Vault","isPrimacyOfImpact":null},{"id":"1HLYAH5XoUz4yW2AU4Y5aj","url":"https://github.com/alexgo-io/alex-dao/blob/main/contracts/executor-dao.clar","type":"smart_contract","addedAt":"2022-02-09T13:46:42.575Z","revision":2,"description":"ALEX DAO","isPrimacyOfImpact":null},{"id":"3xN50CzipGnomCqLZLXEUx","url":"https://github.com/alexgo-io/alex-dao/blob/main/contracts/extensions/age000-governance-token.clar","type":"smart_contract","addedAt":"2022-02-09T13:47:24.406Z","revision":2,"description":"ALEX Governance Token","isPrimacyOfImpact":null},{"id":"2xGOLPYOyP0z6f2Dqnht2Y","url":"https://github.com/alexgo-io/alex-dao/blob/main/contracts/extensions/age001-proposal-voting.clar","type":"smart_contract","addedAt":"2022-04-26T05:29:53.494Z","revision":1,"description":"AGE 001","isPrimacyOfImpact":null},{"id":"b63909e3evZbUNRqn85qx","url":"https://github.com/alexgo-io/alex-dao/blob/main/contracts/extensions/age002-emergency-proposals.clar","type":"smart_contract","addedAt":"2022-04-26T05:30:07.371Z","revision":1,"description":"AGE 002","isPrimacyOfImpact":null},{"id":"DYLZmtXS9gyDsZfP7iBPj","url":"https://github.com/alexgo-io/alex-dao/blob/main/contracts/extensions/age003-emergency-execute.clar","type":"smart_contract","addedAt":"2022-04-26T05:30:27.162Z","revision":1,"description":"AGE 003","isPrimacyOfImpact":null},{"id":"3lCb33XbHmHn0P5ohvTRkM","url":"https://github.com/alexgo-io/alex-v1/blob/dev/clarity/contracts/pool/collateral-rebalancing-pool.clar","type":"smart_contract","addedAt":"2022-04-26T05:30:46.032Z","revision":1,"description":"Collateral Rebalancing Pool","isPrimacyOfImpact":null},{"id":"4bPKzHS11ZzEL6AdhOnceU","url":"https://github.com/alexgo-io/alex-v1/blob/dev/clarity/contracts/pool/yield-token-pool.clar","type":"smart_contract","addedAt":"2022-04-26T05:31:04.851Z","revision":1,"description":"Yield Token 
Pool","isPrimacyOfImpact":null},{"id":"6NZyeTet94bCkFhx5e6QWM","url":"https://github.com/alexgo-io/alex-v1/blob/dev/clarity/contracts/auto-token/auto-alex.clar","type":"smart_contract","addedAt":"2022-04-26T05:31:27.017Z","revision":1,"description":"AutoALEX","isPrimacyOfImpact":null},{"id":"1OxKS1rE3Qagpw2QwLsvhT","url":"https://github.com/alexgo-io/alex-bridge-contracts","type":"smart_contract","addedAt":"2023-04-21T03:49:55.501Z","revision":1,"description":"Bridge","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH","Stacks"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Clarity","Solidity"],"launchDate":"2021-12-13T00:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5tF3UdYVrbkjGeIg96gbd/d8bdfa09ca4945ae30cb4d6e90b029d7/ALEX_logo.jpeg","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts__\n\n__Critical__\n  - Any governance voting result manipulation\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Miner-extractable value (MEV)\n  - Protocol insolvency\n\n__High__\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds for a minimum period of 1 day","productType":["Bridge","DEX","Launchpad","Lending"],"programOverview":"At ALEX, we build DeFi primitives targeting developers looking to build an ecosystem on Bitcoin, enabled by Stacks. As such, we focus on trading, lending and borrowing of crypto assets with Bitcoin as the settlement layer and Stacks as the smart contract layer. At the core of this focus is the automated market making (\"AMM\") protocol, which allows users to exchange one crypto asset with another trustlessly.\n\nFor more information about ALEX, please visit [https://alexgo.io/](https://alexgo.io/). \n\nThis bug bounty program is focused on ALEX's smart contracts and on preventing:\n\n  - Thefts and freezing of principal of any amount\n  - Thefts and freezing of unclaimed yield of any amount\n  - Theft of governance funds\n  - Governance activity disruption","programType":["Smart Contract"],"project":"ALEX","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll High and Critical Smart Contract bug reports require a PoC in order to be considered for a reward. Explanations and statements are not accepted as PoC; code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 20 000__ paid in __ALEX__. Additionally, the maximum reward is capped at __USD 100 000__ paid in __ALEX__, even if 10% of the damage in USD equivalent is greater than __USD 100 000__.\n\nThe following vulnerabilities are not eligible for a reward:\n\n  - All vulnerabilities marked in the CoinFabrik Security Review [Pool / Equation](https://cdn.alexlab.co/pdf/AlexGo_Audit_202111_Pool_Equation.pdf), [Launchpad / Vault / Reserve](https://cdn.alexlab.co/pdf/AlexGo_Audit_202201_Launchpad_Vault_Reserve.pdf)\n  - All vulnerabilities marked in the CoinFabrik Security Review [DAO](https://cdn.alexlab.co/pdf/AlexGo_Audit_202202_DAO.pdf)\n  - All vulnerabilities marked in the CoinFabrik Security Review [Launchpad v1.1 / AutoALEX / Collateral Rebalancing Pool](https://cdn.alexlab.co/pdf/AlexGo_Audit_202204_Launchpadv1.1_AutoALEX_CRP.pdf)\n  - All vulnerabilities marked in the CoinFabrik Security Review [Bridge Endpoints](https://cdn.alexlab.co/pdf/ALEX_Audit_bridge_coinfabrik_202212.pdf)\n  - All vulnerabilities marked in the CoinFabrik Security Review [Bridge backend and endpoints](https://cdn.alexlab.co/pdf/ALEX_Audit_Bridge_2023-04.pdf)\n  - All vulnerabilities marked in the [Least Authority Security Review](https://cdn.alexlab.co/pdf/Least_Authority_ALEX_Protocol_Smart_Contracts_Final_Audit_Report.pdf)\n\nALEX requires KYC to be 
done for all bug bounty hunters submitting a report and wanting a reward. The information needed is Name, Email address, Stacks wallet address, and Identity Proof (Passport / Driving License / National ID). The collection of this information will be done by the ALEX team.\n\nPayouts are handled by the __ALEX__ team directly. Payouts are done in __ALEX__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ALEX","slug":"alex","tenPercentEconomicRule":true,"updatedDate":"2024-11-18T16:03:51.734Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"At ALEX, we build DeFi primitives targeting developers looking to build an ecosystem on Bitcoin, enabled by Stacks. As such, we focus on trading, lending and borrowing of crypto assets with Bitcoin as the settlement layer and Stacks as the smart contract layer.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":1455,"type":"smart_contract","severity":"high","title":"Freezing of unclaimed yield"},{"id":1456,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for a minimum period of 1 day"},{"id":1457,"type":"smart_contract","severity":"critical","title":"Loss of user funds staked (principal) by freezing or theft"},{"id":1458,"type":"smart_contract","severity":"critical","title":"Vote manipulation"},{"id":1459,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of 
funds"}],"rewards":[{"id":6812,"severity":"high","assetType":"smart_contract","maxReward":20000,"rewardModel":"up_to"},{"id":8354,"severity":"critical","assetType":"smart_contract","maxReward":100000,"rewardModel":"up_to","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"1ItWQA8xxRBzY6agN4uTSG","url":"https://www.mintscan.io/juno/wasm/contract/juno1dlp8avgc2r6t4nnsv4yydc6lc73rjtjqvdcee9r2kf0uwuef7v0smljy8w","type":"smart_contract","addedAt":"2023-04-06T17:00:00.000Z","revision":1,"description":"stakeeasy","isPrimacyOfImpact":null},{"id":"7AWM4SLaYpoKqYHqkTfc6E","url":"https://www.mintscan.io/juno/wasm/contract/juno1dd0k0um5rqncfueza62w9sentdfh3ec4nw4aq4lk5hkjl63vljqscth9gv","type":"smart_contract","addedAt":"2023-04-06T17:00:00.000Z","revision":1,"description":"seJUNO","isPrimacyOfImpact":null},{"id":"2INNoQUldmnM18uO1sF24X","url":"https://www.mintscan.io/juno/wasm/contract/juno1wwnhkagvcd3tjz6f8vsdsw5plqnw8qy2aj3rrhqr2axvktzv9q2qz8jxn3","type":"smart_contract","addedAt":"2023-04-06T17:00:00.000Z","revision":1,"description":"bJUNO","isPrimacyOfImpact":null},{"id":"gRIrRzMri7oNK0ct8bSnB","url":"https://www.mintscan.io/juno/wasm/contract/juno10njts2m24u03cx7tq97de44y8pcv4y87apya2894n9ut9gcmhx6sxug0fe","type":"smart_contract","addedAt":"2023-04-06T17:00:00.000Z","revision":1,"description":"reward","isPrimacyOfImpact":null},{"id":"3w4duc5cwGPFvmv4syfy5P","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:29:39.930Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"Impacts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production. Any impact that applies to assets not in active use, like test or mock files, are out-of-scope of the bug bounty program unless explicitly mentioned as in-scope. 
\n\n__Smart Contracts__\n\n- __Smart Contracts - PoC__: Smart Contract bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.\n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\nWhitehats, we highly encourage you to review any potential subdomains and what specific port(s) are in scope. Even though the domain may be the same, different ports may point to different assets.\n\n__Dev Environment and Documentation:__\n\nStakeEasy has included dev documentation and/or instructions to help in reviewing code and exploring for bugs:\n- [https://docs.stakeeasy.finance/docs/guides/userflow](https://docs.stakeeasy.finance/docs/guides/userflow)\n- [https://github.com/arufa-research/stakeeasy-juno-contracts/tree/master/contracts/staking_contract](https://github.com/arufa-research/stakeeasy-juno-contracts/tree/master/contracts/staking_contract)\n- [https://github.com/arufa-research/stakeeasy-juno-contracts](https://github.com/arufa-research/stakeeasy-juno-contracts)\n\n__Impacts to other assets:__\n\nHackers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope.\n\nIf whitehats can demonstrate a critical impact on code in production for an asset not in scope, StakeEasy encourages you to submit your bug report using the “primacy of impact exception” asset.\n\n__Impacts in Scope:__\n\n(For Blockchain/DLT and Smart Contracts Only) This program is considered to be governed by Primacy of Impact. For more information on what this means visit: [Best Practice - Primacy of Impact vs Primacy of Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact). 
\n\nImpacts are based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/).\n\nAt Immunefi, we classify bugs on a simplified 5-level scale:\n- Critical\n- High\n- Medium\n- Low\n- None\n\n__Other Impacts to other assets:__\n\nHackers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. \n\nIf whitehats can demonstrate a critical impact of code in production for an asset not in scope, StakeEasy encourages you to submit your bug report using the “primacy of impact exception” asset as outlined below.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Cosmos"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust"],"launchDate":"2023-04-06T17:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4s94Lbcn5eQZMNdQQAnRdh/b8398b7e1a98f780c5a9dcb4d43a8eb3/RXmjQ0Dg_400x400.jpg","maxBounty":8000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are considered out-of-scope and ineligible for payout.","productType":["Liquid Staking"],"programOverview":"StakeEasy is a liquid staking protocol for the Cosmos ecosystem.\n\nFor more information about StakeEasy, please visit [https://www.stakeeasy.finance/](https://www.stakeeasy.finance/)\n\n__This program meets the following Immunefi Standards and Best Practices:__\n\n| __Immunefi Best Practice__ | __Meets Criteria__ |\n| ---------- | ---------- |\n| All listed smart contracts verified on block explorers | Yes |\n| Blockchain/DLT or Smart Contract adhere to “Primacy of Impact” | Yes |\n| Has provided a list of Audits and Known Issues | N/A |\n| Agreed to comply with [Immunefi Vulnerability Severity Classification System](https://docs.google.com/document/d/12A5HPT_N1LSmgNYrl5Kg-RI09t_VJlKp0vlvrYBgVaU/edit?usp=sharing) | Yes |\n| Meets Immunefi Standards for Critical Payouts | No |\n\n__For Whitehats:__ It is highly recommended that you review the details of this program in full. Although many Bug Bounty programs have standard terms and conditions, each also has its own unique details that are critical to your success.\n\nPrior to submitting a report please review the [Immunefi Bug Report Template and Best Practices](https://immunefisupport.zendesk.com/hc/en-us/articles/12435277406481-Bug-Report-Template).","programType":["Smart Contract"],"project":"StakeEasy","projectType":["Defi"],"rewardsBody":"Please review how rewards are distributed based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale system with separate scales for Smart Contracts.\n\n__Payouts and Payout Requirements:__\n\nPayouts are handled by the StakeEasy team directly and are denominated in USD. However, payouts are done in USDT. 
StakeEasy commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures.\n\nFor the purposes of determining report validity, this is a Primacy of Impact program.\n\nLearn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact).\n\nStakeEasy __does not__ have a Know Your Customer (KYC) requirement for bug bounty payouts.\n\n__Audit Discoveries and Known Issues:__\n\nBug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi.\n\n__Previous audits and known issues can be found at:__\n- [https://drive.google.com/file/d/1R6fK9fzvH8Td2ow0jrwosD2pqHfANvPP/view](https://drive.google.com/file/d/1R6fK9fzvH8Td2ow0jrwosD2pqHfANvPP/view)","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT","slug":"stakeeasy","updatedDate":"2024-11-18T14:08:22.761Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"StakeEasy is a liquid staking protocol for the Cosmos ecosystem.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":["The following activities are prohibited by this bug bounty program. Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team, which may also result in: 1) the forfeiture and loss of access to all bug submissions, and 2) zero payout.","Please note that Immunefi has no tolerance for spam/low-quality/incomplete bug reports, “beg bounty” behavior, and misrepresentation of assets and severity. Immunefi exists to protect the global crypto community, not facilitate grift."],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":4001,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 4 days"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":4002,"type":"smart_contract","severity":"medium","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":4003,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of 
funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":8339,"severity":"critical","assetType":"smart_contract","fixedReward":8000,"rewardModel":"fixed","rewardCalculationPercentage":10},{"id":6663,"severity":"high","assetType":"smart_contract","fixedReward":3000,"rewardModel":"fixed"},{"id":6664,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3gAtKN2SvFH8yF0jEzkFFE","url":"https://etherscan.io/address/0xD502F487e1841Fdc805130e13eae80c61186Bc98","type":"smart_contract","addedAt":"2022-02-14T13:09:59.354Z","revision":1,"description":"IntegralToken","isPrimacyOfImpact":null},{"id":"5RGbshAbio0sWkmrHv5tbX","url":"https://etherscan.io/address/0xc8805cebd927941a3b26e2edced20d666fb118ba","type":"smart_contract","addedAt":"2022-02-14T13:10:01.646Z","revision":2,"description":"TimeRelease","isPrimacyOfImpact":null},{"id":"2IjYr8NQUzmeM2AzTRLnEg","url":"https://etherscan.io/address/0x36bD665392236b20bd42e161f02Bf0ae1d9441Ff","type":"smart_contract","addedAt":"2022-02-14T13:10:05.618Z","revision":2,"description":"Integral Staking  (6 Months)","isPrimacyOfImpact":null},{"id":"3OvEtzIKuIUq0Pv3w3UdrE","url":"https://etherscan.io/address/0xFFc0EAC1a1aE79C697607229Aca43Ef422625a40","type":"smart_contract","addedAt":"2022-02-14T13:10:07.470Z","revision":2,"description":"Integral Staking (3 Years)","isPrimacyOfImpact":null},{"id":"4Vac69v0V9U78DB3JCxC69","url":"https://etherscan.io/address/0xC480b33eE5229DE3FbDFAD1D2DCD3F3BAD0C56c6","type":"smart_contract","addedAt":"2022-04-01T19:05:55.480Z","revision":2,"description":"SIZE Factory","isPrimacyOfImpact":null},{"id":"hz5AKhh9wVAck7vrAUAXK","url":"https://etherscan.io/address/0x35cb375799b28c8d6b7c5c8d494ed180ae2e60cb","type":"smart_contract","addedAt":"2022-09-21T19:37:32.959Z","revision":4,"description":"SIZE 
Delay","isPrimacyOfImpact":null},{"id":"10LWwEKaAL6U3yW1e0J0dV","url":"https://etherscan.io/address/0xF4418d9fe76A788F2868a558dD216549aD2d869B","type":"smart_contract","addedAt":"2023-11-09T06:52:02.744Z","revision":1,"description":"Fee governor","isPrimacyOfImpact":null},{"id":"4yVswyojoIVlc8rO3ljKRd","url":"https://arbiscan.io/address/0x0800fcf3d8b46d56510f8360a4a4d9301cd78d91","type":"smart_contract","addedAt":"2023-11-27T08:01:59.151Z","revision":1,"description":"Fee governor (Arbitrum)","isPrimacyOfImpact":null},{"id":"dH0Y40F8XDRhqztVePbXn","url":"https://arbiscan.io/address/0xa400bad76f6bc487ef6acfcda3d68edd2a513d2a","type":"smart_contract","addedAt":"2022-10-26T15:11:43.932Z","revision":4,"description":"SIZE (Arbitrum) Delay","isPrimacyOfImpact":null},{"id":"7dA7nLFsFs0gRXmoSLnHX3","url":"https://etherscan.io/address/0x2fe16Dd18bba26e457B7dD2080d5674312b026a2","type":"smart_contract","addedAt":"2022-04-01T19:08:53.526Z","revision":2,"description":"SIZE Pair (WETH-USDC)","isPrimacyOfImpact":null},{"id":"1x0hyjm4NQWaQ0oFONovpN","url":"https://arbiscan.io/address/0x4bca34ad27df83566016b55c60dd80a9eb14913b","type":"smart_contract","addedAt":"2022-10-26T15:12:22.267Z","revision":1,"description":"SIZE (Arbitrum) Pair (USDC-WETH)","isPrimacyOfImpact":null},{"id":"1k6Mco0hGpHxbXTaZJ1sVo","url":"https://etherscan.io/address/0x33B1ee377D97Ef58B5cba81e69aFdb2a4008dBB2","type":"smart_contract","addedAt":"2022-09-21T19:42:02.214Z","revision":1,"description":"Merkle Time Release (1)","isPrimacyOfImpact":null},{"id":"7EhlbclFkNbpGTO7N1Tj0z","url":"https://etherscan.io/address/0x6A16630e78f95eEBB11a74dE0bA1503B9D0984d0","type":"smart_contract","addedAt":"2022-09-21T19:41:58.859Z","revision":1,"description":"Merkle Time Release (2)","isPrimacyOfImpact":null},{"id":"3lVW8XIteClisVVKjD3T0b","url":"https://etherscan.io/address/0xd25c6DA73ADBbB68508778621621568E07a1f284","type":"smart_contract","addedAt":"2022-09-21T19:41:56.019Z","revision":1,"description":"Merkle Time Release 
(3)","isPrimacyOfImpact":null},{"id":"3aBCxHOCFS5d4QsijkrzxF","url":"https://etherscan.io/address/0x2c66Ea3f4D8D056A20FFa14fCFC7956BBEfeB5FD","type":"smart_contract","addedAt":"2022-09-21T19:41:53.181Z","revision":1,"description":"Merkle Time Release (4)","isPrimacyOfImpact":null},{"id":"3stlBjsfx6dAW0bYzP26CA","url":"https://etherscan.io/address/0x1c857a1e3a9687dd788A1B3921de34210708991E","type":"smart_contract","addedAt":"2022-09-21T19:41:50.748Z","revision":1,"description":"Merkle Time Release (5)","isPrimacyOfImpact":null},{"id":"eUgkRzDLF0yLbimLGSOCt","url":"https://etherscan.io/address/0x5ADbc8e7458f5ba581BD8d3F4eC46Cd765a6706b","type":"smart_contract","addedAt":"2022-09-21T19:41:47.591Z","revision":1,"description":"Merkle Time Release (6)","isPrimacyOfImpact":null},{"id":"2lxnnGsfjCAUktsG5bTplE","url":"https://etherscan.io/address/0x851456EBEE49c8A2A4dd66Fe3D19c431Dd8F56AE","type":"smart_contract","addedAt":"2022-09-21T19:41:44.996Z","revision":1,"description":"Merkle Time Release (7)","isPrimacyOfImpact":null},{"id":"4tYkg8zQk1RR2SnbBpvSLy","url":"https://etherscan.io/address/0xe96f5A2680981AEc61C4980F2F7B9ad666698e61","type":"smart_contract","addedAt":"2022-09-21T19:41:42.832Z","revision":1,"description":"Merkle Time Release (8)","isPrimacyOfImpact":null},{"id":"5olJR31EADMx9ffPvyuRz","url":"https://etherscan.io/address/0x048f0e7ea2CFD522a4a058D1b1bDd574A0486c46","type":"smart_contract","addedAt":"2023-07-06T19:07:11.063Z","revision":1,"description":"SIZE Pair (WETH-USDT)","isPrimacyOfImpact":null},{"id":"4xuDbiHjKHDJf3sLF21vYC","url":"https://etherscan.io/address/0x37f6df71b40c50b2038329cabf5fda3682df1ebf","type":"smart_contract","addedAt":"2023-07-06T19:07:08.823Z","revision":1,"description":" SIZE Pair (WETH-WBTC)","isPrimacyOfImpact":null},{"id":"NTSAI81uu6YO3iKmnsVhr","url":"https://etherscan.io/address/0x6ec472b613012a492693697FA551420E60567eA7","type":"smart_contract","addedAt":"2023-07-06T19:07:06.992Z","revision":1,"description":"SIZE Pair 
(USDC-USDT)","isPrimacyOfImpact":null},{"id":"2wYizmVxxuUMkziiK3n6X9","url":"https://etherscan.io/address/0xd17b3c9784510E33cD5B87b490E79253BcD81e2E","type":"smart_contract","addedAt":"2023-11-09T06:52:38.991Z","revision":1,"description":"SIZE Relayer","isPrimacyOfImpact":null},{"id":"4XnST2lRQAfvjULMpTduO7","url":"https://arbiscan.io/address/0x3c6951fdb433b5b8442e7aa126d50fbfb54b5f42","type":"smart_contract","addedAt":"2023-11-27T07:56:53.386Z","revision":1,"description":"SIZE Relayer (Arbitrum)","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2021-04-15T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5dHTFAc230t6p8vYxgilO2/38e96d7cbe65593285dfec560c736985/Integral-logo.jpg","maxBounty":25000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n**Smart Contracts/Blockchain:**\n\n- Re-entrancy\n- Logic errors\n  - including user authentication errors\n- Solidity/EVM details not considered\n  - including integer over-/under-flow\n  - including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - including composability vulnerabilities\n- Oracle failure/manipulation\n- Novel governance attacks\n- Economic/financial attacks\n  - including flash loan attacks\n- Congestion and scalability\n  - including running out of gas\n  - including block stuffing\n  - including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n  - Signature malleability\n  - Susceptibility to replay attacks\n  - Weak randomness\n  - Weak encryption\n- 
Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging interfaces\n\n\n__Eligibility__\n\nTo be eligible for a reward under this Program, you must:\n  - Be the first to disclose the unique vulnerability in compliance with the disclosure requirements above.\n  - Provide sufficient information to enable our team to reproduce and fix the vulnerability.\n  - Not engage in any unlawful conduct when disclosing the bug including through threats, demands, or any other coercive tactics.\n  - Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of Integral.\n  - Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n  - Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n  - Be at least 18 years of age.\n  - Comply with all the eligibility and disclosure requirements of the Program.\n  - The vulnerability must not already be known by the Integral team.","productType":["AMM","DEX"],"programOverview":"At Integral we build on-chain trading products and tools to rival those of centralized exchanges. Our mission is to serve DeFi users who care about self-custody, decentralization, security, and financial usability. Integral SIZE is a TWAP based DEX with zero price impact swaps on Ethereum. In addition, traders enjoy a MEV-resistant and low-fee trading experience. 
Further information about Integral can be found here [https://docs.integral.link](https://docs.integral.link).\n\nThe bug bounty program is focused around its smart contracts and is mostly concerned with:\n\n  - Direct theft of any user funds from smart contracts, whether at-rest or in-motion\n  - Loss of user funds through freezing, theft, manipulation of the pools, or denial of service to smart contracts.","programType":["Smart Contract"],"project":"Integral","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on\nthe [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. All bug reports without a PoC will not be accepted under this bug bounty program.\n\nThe final reward for critical bounty payouts is capped at 10% of economic damage up to USD 25 000, primarily based on the funds at risk, at the discretion of the team. 
However, the minimum reward is USD 10 000.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\nThe following scenarios are not eligible for a reward:\n  - Exploits that require access to the admin keys\n  - Cases involving risks of losses to the pools in case the assets in the pools decrease in price\n  - Cases involving risks of impermanent losses in the pools\n  - Exploits or arbitrages which are not economically practical to execute\n  - Exploits or arbitrages which rely on predicting future price movements, and/or price differentials between either the delay or the relayer contract, and other on-chain or off-chain venues regardless of whether it is realistic to execute such exploits or arbitrages.\n  - Cases involving dynamic pool ratios due to the nature of the design\n  - Cases involving dynamic pool ratios due to the nature of the design including but not limited to large changes of pool ratios due to orderflow, temporary guardrail pauses on LP withdrawal when pool ratios are extremely skewed. \n  - Exploits due to issues with hosting providers which cannot be fixed by changing any configuration on our side will be given an Informational classification or lower, these exploits should be reported using the bug bounty program of the hosting providers instead\n\nPayouts are handled by the Integral team directly and are denominated in USD. 
However, payouts are done in DAI, USDT, USDC, ETH, or ITGR, at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"DAI, USDT, USDC, ETH, or ITGR","slug":"integral","tenPercentEconomicRule":true,"updatedDate":"2024-11-18T14:00:08.992Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":null,"description":"At Integral we build on-chain trading products and tools to rival those of centralized exchanges. Our mission is to serve DeFi users who care about self-custody, decentralization, security, and financial usability. Integral SIZE is a TWAP based DEX with zero price impact swaps on Ethereum. In addition, traders enjoy a MEV-resistant and low-fee trading experience.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":185,"type":"smart_contract","severity":"low","title":"Any other minor smart contract vulnerabilities not mentioned above"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":186,"type":"smart_contract","severity":"high","title":"Any governance voting result manipulation"},{"id":187,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":188,"type":"smart_contract","severity":"medium","title":"Temporary freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":8333,"severity":"critical","assetType":"smart_contract","maxReward":25000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":6598,"severity":"high","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":6599,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":6600,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"4AHkbbH2oO5Uenqti9iL3y","url":"https://blockpi.io/","type":"websites_and_applications","addedAt":"2022-11-11T03:00:00.000Z","revision":1,"description":"Main Web App","isPrimacyOfImpact":null},{"id":"2SyJJoWb5gmhEWJqeI5ueC","url":"https://dashboard.blockpi.io/","type":"websites_and_applications","addedAt":"2022-11-11T03:00:00.000Z","revision":1,"description":"Dashboard","isPrimacyOfImpact":null}],"assetsBodyV2":"Only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by BlockPI that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. 
This only applies to Critical and High impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","Base","Cronos","ETH","Fantom","Gnosis","Klaytn","Linea","Meter","Oasis","Optimism","Polygon","Scroll","Starknet","Viction","zkSync"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2022-11-11T03:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7zua6OFbUgptQngH9PyKkE/b18feda35f0f62a79659db0b7646cdf6/BlockPI_logo.jpeg","maxBounty":10000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - low","websites_and_applications - medium","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Services"],"programOverview":"BlockPI Network is a distributed multichain acceleration layer. Now it provides high-quality, robust, and efficient RPC service. To avoid the single-point of failure and limitation of scalability, the network is designed to be a distributed structure with expandable\nworking nodes.\n\nFor more information about BlockPI, please visit [https://blockpi.io/](https://blockpi.io/) and go to the documentation at [https://docs.blockpi.io/](https://docs.blockpi.io/)","programType":["Websites and Applications"],"project":"BlockPI Network","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope and a suggestion for a fix in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nPayouts are handled by the __BlockPI__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"blockpinetwork","updatedDate":"2024-11-18T13:55:17.088Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"BlockPI Network is a distributed multichain acceleration layer. Now it provides high-quality, robust, and efficient RPC service. To avoid the single-point of failure and limitation of scalability, the network is designed to be a distributed structure with expandable working nodes.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3547,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction such as iframing leading to modifying the backend/browser state (demonstrate impact with PoC)"},{"id":3548,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links such as social media handles, etc."},{"id":3549,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as locking up the victim from login, cookie bombing, etc."},{"id":3550,"type":"websites_and_applications","severity":"low","title":"Redirecting users to malicious websites (Open Redirect)"},{"id":3551,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":3552,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without 
already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":3553,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":3554,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification"},{"id":3555,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":3556,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":3557,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user 
funds"},{"id":3558,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"}],"rewards":[{"id":6538,"severity":"critical","assetType":"websites_and_applications","maxReward":10000,"minReward":5000,"rewardModel":"range","otherImpactMaxReward":0},{"id":6539,"severity":"high","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":6540,"severity":"medium","assetType":"websites_and_applications","fixedReward":1500,"rewardModel":"fixed"},{"id":6541,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1AJrAV9SnzGOWPikSm5IHG","url":"https://github.com/harvestfi/harvest-strategy","type":"smart_contract","addedAt":"2022-04-07T13:36:24.989Z","revision":2,"description":null,"isPrimacyOfImpact":null},{"id":"Rc0ZcDwUfA4VWPhUQh8dq","url":"https://github.com/harvestfi/harvest-strategy-polygon","type":"smart_contract","addedAt":"2023-04-03T22:28:01.803Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6G7UuIQAqfSNvljSLfIC6Z","url":"https://github.com/harvestfi/harvest-strategy-arbitrum","type":"smart_contract","addedAt":"2023-04-03T22:28:25.802Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"4J5y3bzSPBdboitw7brs7l","url":"https://github.com/harvestfi/harvest-strategy-arbitrum","type":"smart_contract","addedAt":"2024-03-15T13:32:23.375Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"1vy2sqJoaBUUtGOFQIpZ9n","url":"https://harvest.finance/","type":"websites_and_applications","addedAt":"2022-04-07T13:37:00.549Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":n
ull,"ecosystem":["Arbitrum","BSC","ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Solidity"],"launchDate":"2020-12-02T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6D2KOw280UzI3PrzjpsdD7/38eaf1bd703f4109b6795eaeebd210cf/Harvestfinance-logo.gif","maxBounty":100000,"pocPerTypeAndSeverity":["websites_and_applications - high","websites_and_applications - critical","websites_and_applications - medium","smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n **Smart Contracts and Blockchain**\n\n- Re-entrancy\n- Logic errors\n  - including user authentication errors\n- Solidity/EVM details not considered\n  - including integer over-/under-flow\n  - including rounding errors\n  - including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - including composability vulnerabilities\n- Oracle failure/manipulation\n- Novel governance attacks\n- Economic/financial attacks\n  - including flash loan attacks\n- Congestion and scalability\n  - including running out of gas\n  - including block stuffing\n  - including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n- Signature malleability\n- Susceptibility to replay attacks\n- Weak randomness\n- Weak encryption\n- Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging interfaces\n\n**Websites and Apps** \n\n- Remote Code Execution\n- Trusting trust/dependency vulnerabilities\n- Vertical Privilege Escalation\n- XML External Entities Injection\n- SQL Injection\n- LFI/RFI\n- Horizontal Privilege Escalation\n- Stored XSS\n- Reflective XSS with impact\n- CSRF with impact\n- Direct object 
reference\n- Internal SSRF\n- Session fixation\n- Insecure Deserialization\n- DOM XSS\n- SSL misconfigurations\n- SSL/TLS issues (weak crypto, improper setup)\n- URL redirect\n- Clickjacking (must be accompanied with PoC)\n- Misleading Unicode text (e.g. using right to left override characters)","productType":["L2","Yield Aggregator"],"programOverview":"Harvest Finance automatically farms the highest yield available from the newest DeFi protocols and optimizes the yields that are received using the latest farming techniques.\n\nHarvest Finance is primarily interested in securing its smart contracts, which can be found in repositories of the following Github Organisation: https://github.com/harvestfi. Specific repositories that contain in-scope assets are listed in the table below. Primary areas of concern are anything that causes loss of user funds or frozen funds from a smart contract hack. Note that not all contracts in these repositories are deployed and in active use by the protocol. Only contracts in active use are within the scope of the bug bounty.\n\nHarvest Finance is secondarily interested in securing its website, which can be found at https://harvest.finance/. Web vulnerability disclosures will be rewarded at a lower rate, relative to smart contract vulnerability disclosures.","programType":["Smart Contract","Websites and Applications"],"project":"Harvest Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on\nthe [Immunefi Vulnerability Severity Classification System](/severity-system/). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to the privilege required to the likelihood of a successful exploit. 
\n\nThe final reward amount for critical smart contract bugs is capped at 10% of \neconomic damage based on the vulnerability reported with a minimum payout of \n**USD 50 000**.\n\nTheft of yield/interest is considered as Medium for this bug bounty program.\n\nAll smart contract reports must include a PoC to be accepted. The PoC should provide clear proof of the vulnerability in a locally forked blockchain environment. All bug reports without a PoC will be rejected and require the submitter to resubmit with a PoC. \n\nThe following table is used for the classification of web and app bug reports. In the event of conflict with the Immunefi Vulnerability Severity Classification System, the classification on this table will be what is considered.\n\n| Severity | Vulnerability |\n| :-- | :-: |\n| **Critical** | Deletion of site data, XSS/CSRF, ACE |\n| **High** | Denial of Service, DoS ampliciation |\n| **Medium** | Incorrect modification of user data, leaking user data |\n\nAll web and app bug reports must include a PoC to be accepted. All web and app bug reports without a PoC will be rejected and require the submitter to resubmit with a PoC. \n\nVulnerabilities that require moderator-approved access to be exploited will only receive a maximum of 20% of the advertised reward. For Critical Smart Contract and Blockchain vulnerability reports, this 20% is applied after the cap of 10% of economic damage.  \n\nPayouts are handled by the **Harvest Finance** team directly and are denominated in USD. 
Payouts up to **USD 100 000** are paid in **USDC**.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"harvest","tenPercentEconomicRule":true,"updatedDate":"2024-11-18T13:44:21.767Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Harvest Finance automatically farms the highest yield available from the newest DeFi protocols and optimizes the yields that are received using the latest farming techniques.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":144,"type":"smart_contract","severity":"low","title":"Unbounded gas consumption"},{"id":145,"type":"smart_contract","severity":"low","title":"Theft of gas"},{"id":146,"type":"smart_contract","severity":"low","title":"Miner-extractable value (MEV)"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":147,"type":"websites_and_applications","severity":"high","title":"Denial of service"},{"id":148,"type":"websites_and_applications","severity":"high","title":"DoS amplification"},{"id":149,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc"},{"id":150,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as the email or password of the victim, 
etc"},{"id":151,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":152,"type":"smart_contract","severity":"medium","title":"Smart contracts unable to operate due to a lack of token funds"},{"id":153,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":154,"type":"smart_contract","severity":"medium","title":"Theft of unclaimed yield due to Harvest contract issue"},{"id":155,"type":"smart_contract","severity":"medium","title":"Permanent freezing of unclaimed yield due to Harvest contract issue"},{"id":156,"type":"websites_and_applications","severity":"medium","title":"Incorrect modification of user data"},{"id":157,"type":"websites_and_applications","severity":"medium","title":"Leaking user data"},{"id":158,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the name of a user, or enabling/disabling notifications"},{"id":159,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":160,"type":"smart_contract","severity":"critical","title":"Any governance voting result 
manipulation"},{"id":161,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at rest or in motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":162,"type":"websites_and_applications","severity":"critical","title":"Deletion of site data"},{"id":163,"type":"websites_and_applications","severity":"critical","title":"XSS/CSRF"},{"id":164,"type":"websites_and_applications","severity":"critical","title":"ACE"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":165,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":166,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":167,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious 
transactions"}],"rewards":[{"id":8328,"severity":"critical","assetType":"smart_contract","maxReward":100000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":6528,"severity":"high","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":6529,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":6530,"severity":"low","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":6531,"severity":"critical","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":6532,"severity":"high","assetType":"websites_and_applications","fixedReward":2500,"rewardModel":"fixed"},{"id":6533,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"5jMJPsPTOUJQ5AQ8wSGfFa","url":"https://github.com/neo-project/examples/blob/master/csharp/NEP17/NEP17.cs","type":"smart_contract","addedAt":"2022-04-04T13:36:05.276Z","revision":3,"description":" Official NEP17 Standard","isPrimacyOfImpact":null},{"id":"3zDPMYsOp33uQUNEV7NxSC","url":"https://github.com/flamingo-finance/flamingo-contract-staking-n3/tree/main/FLM","type":"smart_contract","addedAt":"2022-04-04T13:36:44.633Z","revision":3,"description":" FLM","isPrimacyOfImpact":null},{"id":"3ohGEk11O3N9LqOKVEZ0DT","url":"https://github.com/flamingo-finance/flamingo-contract-swap","type":"smart_contract","addedAt":"2022-04-04T13:36:46.799Z","revision":4,"description":"Swap","isPrimacyOfImpact":null},{"id":"5O59aFFBtZztNjGHtYWxg2","url":"https://github.com/flamingo-finance/flamingo-contract-swap/tree/master/Swap/flamingo-contract-swap/FlamingoSwapPair","type":"smart_contract","addedAt":"2022-04-04T13:38:17.953Z","revision":2,"description":"Swap 
Pairs","isPrimacyOfImpact":null},{"id":"7wIaHSNJrmvILFTHuCn3rh","url":"https://github.com/flamingo-finance/flamingo-contract-staking-n3","type":"smart_contract","addedAt":"2022-04-04T13:38:21.132Z","revision":2,"description":"Staking Vault","isPrimacyOfImpact":null},{"id":"22Wgkgc3c3uPwn4U0FBGnL","url":"https://flamingo.finance/","type":"websites_and_applications","addedAt":"2022-04-04T13:38:23.021Z","revision":3,"description":"Main Web App","isPrimacyOfImpact":null}],"assetsBodyV2":"Assets in Scope Listed Below.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Neo"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["C#"],"launchDate":"2022-02-14T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2F4VGKaboWEaBfj1yfdpj/5597728d3c7bbd22b3814cb79d71ccde/Flamingo_Finance_logo.jpeg","maxBounty":1000000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"NEO","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n  - Smart contract hacks that lead to users losing funds\n  - Smart contract hacks that lead to smart contracts malfunctioning\n  - Smart contract exploits in general\n  - Loss of user funds staked (principal) by freezing or theft\n  - Theft of unclaimed yield\n  - Freezing of unclaimed yield\n  - Temporary freezing of funds for more than one day\n\n__Web/App__\n\n  - Thefts and freezing of unclaimed yield of any amount\n  - Thefts and freezing of principal of any amount\n  - Website goes down\n  - Access to admin accounts without authorization (Cloudflare accounts, service management cloud software, e-mails, etc.)","productType":["AMM","DAO","DEX","Perpetuals","Staking"],"programOverview":"Flamingo is an interoperable, full-stack decentralized finance protocol built on the Neo blockchain. Flamingo is comprised of five main components, including Wrapper - a crosschain asset gateway, Swap - an on-chain liquidity provider, Vault - a one-stop asset manager, Perp - an AMM-based perpetual contract trading platform, and also DAO - a decentralized governance mechanism. FLM is the governance token of Flamingo and will be 100% distributed to the community based on participation.\n\nFor more information about Flamingo Finance, please visit [https://flamingo.finance/](https://flamingo.finance/).  
\n\nThis bug bounty program is focused on their smart contracts, website and app and is focused on preventing:\n\n  - Thefts and freezing of unclaimed yield of any amount (including frontend code injection attacks)\n  - Thefts and freezing of principal of any amount (including frontend code injection attacks)\n  - Website goes down\n  - Access to admin accounts without authorization (Service management cloud software, e-mails, etc.)\n  - Smart contract hacks that lead to users losing funds\n  - Smart contract hacks that lead to smart contracts malfunctioning\n  - Smart contract exploits in general","programType":["Smart Contract","Websites and Applications"],"project":"Flamingo Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All High and Critical Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 50 000__.\n\nPayouts are handled by the __Flamingo Finance__ team directly and are denominated in USD. 
However, payouts are done in __GAS__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"GAS","slug":"flamingofinance","tenPercentEconomicRule":true,"updatedDate":"2024-11-18T13:21:31.231Z","impactsBody":"These accepted impacts are then based on the severity classification system of this bug bounty program. When submitting a bug report, please select the severity level you feel best corresponds to the severity classification system as long as the impact itself is one of the listed items.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Flamingo is an interoperable, full-stack decentralized finance protocol built on the Neo blockchain. Flamingo is comprised of five main components, including Wrapper - a crosschain asset gateway, Swap - an on-chain liquidity provider, Vault - a one-stop asset manager, Perp - an AMM-based perpetual contract trading platform, and also DAO - a decentralized governance mechanism.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":1880,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc"},{"id":1881,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc"},{"id":1882,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical 
address, etc"},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":1883,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":1884,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the user name, or enabling/disabling notifications"},{"id":1885,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":1886,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands on critical infrastructure"},{"id":1887,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data that might result in loss of funds from a 
running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":1888,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, commenting, voting, making trades, withdrawals, etc"},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":1889,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious 
transactions"}],"rewards":[{"id":8324,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":6509,"severity":"high","assetType":"smart_contract","maxReward":40000,"rewardModel":"up_to"},{"id":6510,"severity":"medium","assetType":"smart_contract","fixedReward":4000,"rewardModel":"fixed"},{"id":6511,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":6512,"severity":"critical","assetType":"websites_and_applications","fixedReward":25000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":6513,"severity":"high","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":6514,"severity":"medium","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"Z4tfGB9Loabx04gdxP15P","url":"https://app.hashflow.com/","type":"websites_and_applications","addedAt":"2022-05-04T04:43:42.388Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"If an impact can be caused to any other asset managed by Hashflow that isn’t on this table but for which the impact is in the Impacts in Scope section, you are encouraged to submit it for the consideration of the project. 
However the submitted bug for out of scope subdomains is not subject to this program impact ranking and bounty amount listed below","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","ETH","Optimism","Polygon","Solana"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2022-03-29T20:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/747gU6QyVl6pKVbOP64hW/f73ddabdc42fa47f42bddc5d163b06b7/Hashflow_logo.jpeg","maxBounty":40000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Websites and Applications__\n\n__Critical__\n  - Ability to execute system commands\n  - Extract Sensitive data/files from the server such as /etc/passwd\n  - Stealing User Cookies\n  - Taking Down the application/website\n  - Bypassing Authentication\n  - Signing transactions for other users\n  - Redirection of user deposits and withdrawals\n  - Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)\n  - Wallet interaction modification resulting in financial loss\n  - Direct theft of user funds \n  - Tampering with transactions submitted to the user’s wallet\n  - Submitting malicious transactions to an already-connected wallet\n\n__High__\n  - Spoofing content on the target application (Persistent)\n  - Users Confidential information disclosure such as Email\n  - Subdomain Takeover without financial loss (applicable for subdomains with no addresses published)\n  - Privilege escalation to access unauthorized functionalities\n\n__Medium__\n  - Changing details of other users without direct financial impact (CSRF)\n  - Third-Party API keys leakage that demonstrates loss of funds or modification on the website.\n  - Redirecting users to malicious websites (Open Redirect)\n\n__Low__\n  - Framing sensitive pages leading to financial loss (ClickJacking)\n  - Any impact involving a publicly released CVE without a working PoC\n  - Broken Link Hijacking","productType":["DEX Aggregator","Staking"],"programOverview":"Hashflow is the most powerful DeFi trading experience that gives you tight spreads, zero slippage and MEV-resistance.\n\nFor more information about Hashflow, please visit [https://www.hashflow.com/](https://www.hashflow.com/). 
\n\nThis bug bounty program is focused on their website and app, and is focused on preventing:\n\n  - Ability to execute system commands\n  - Extract Sensitive data/files from the server such as /etc/passwd\n  - Stealing User Cookies\n  - Taking Down the application/website\n  - Bypassing Authentication\n  - Signing transactions for other users\n  - Redirection of user deposits and withdrawals\n  - Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)\n  - Wallet interaction modification resulting in financial loss\n  - Direct theft of user funds \n  - Tampering with transactions submitted to the user’s wallet\n  - Submitting malicious transactions to an already-connected wallet","programType":["Websites and Applications"],"project":"Hashflow","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nPayouts are handled by the __Hashflow__ team directly and are denominated in USD. 
However, payouts are done in __USDC__, __USDT__ __and__ __DAI__, with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, USDT and DAI","slug":"hashflow","updatedDate":"2024-11-18T13:12:04.976Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Hashflow is the most powerful DeFi trading experience that gives you tight spreads, zero slippage and MEV-resistance.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":2219,"type":"websites_and_applications","severity":"low","title":"Framing sensitive pages leading to financial loss (ClickJacking)"},{"id":2220,"type":"websites_and_applications","severity":"low","title":"Bypassing Authentication"},{"id":2221,"type":"websites_and_applications","severity":"high","title":"Spoofing content on the target application (Persistent)"},{"id":2222,"type":"websites_and_applications","severity":"high","title":"Users Confidential information disclosure such as Email"},{"id":2223,"type":"websites_and_applications","severity":"high","title":"Privilege escalation to access unauthorized functionalities"},{"id":2224,"type":"websites_and_applications","severity":"medium","title":"Changing details of other users without direct financial impact (CSRF)"},{"id":2225,"type":"websites_and_applications","severity":"medium","title":"Third-Party API keys leakage that demonstrates loss of funds or modification on the website"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":2226,"type":"websites_and_applications","severity":"critical","title":"Ability to execute system commands"},{"id":2227,"type":"websites_and_applications","severity":"critical","title":"Extract Sensitive data/files from the server such as /etc/passwd"},{"id":2228,"type":"websites_and_applications","severity":"critical","title":"Signing transactions for other users"},{"id":2229,"type":"websites_and_applications","severity":"critical","title":"Redirection of user deposits and 
withdrawals"},{"id":2230,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover resulting in financial loss (applicable for in-scope subdomain with user wallet addresses published)"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":2231,"type":"websites_and_applications","severity":"critical","title":"Wallet interaction modification resulting in financial loss"},{"id":2232,"type":"websites_and_applications","severity":"critical","title":"Tampering with transactions submitted to the user’s wallet"},{"id":2233,"type":"websites_and_applications","severity":"critical","title":"Submitting malicious transactions to an already-connected wallet"}],"rewards":[{"id":6493,"severity":"critical","assetType":"websites_and_applications","fixedReward":40000,"rewardModel":"fixed","otherImpactMaxReward":0},{"id":6494,"severity":"high","assetType":"websites_and_applications","fixedReward":20000,"rewardModel":"fixed"},{"id":6495,"severity":"medium","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":6496,"severity":"low","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"f9BFrgfDvcF4IG7ji0z9H","url":"https://github.com/ImpossibleFinance/launchpad-contracts","type":"smart_contract","addedAt":"2022-02-09T14:05:39.513Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"The ImpossibleRouter01.sol smart contract is considered as out-of-scope of the bug bounty program.\n\n*Please note that the current settings in the repository are optimized for running our test cases. These settings include changing the duration of “ONE_DAY” to 50 binance smart chain blocks (as opposed to 28800) and commenting out require statements in modifiers such as onlyGovernance in ImpossiblePair.sol and setRouter in ImpossibleFactory.sol. 
Specifically, we are aware that with these settings, if a router is not initialized upon contract deployment, an adversary can call setRouter and link a malicious router which takes advantage of how cheapSwap in ImpossiblePair.sol doesn’t perform K invariant checks. The scope of the bug bounty covers the “production version” of these contracts in which the 3 variables are uncommented instead of commented.*","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","BSC","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-06-18T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3Yc7Opcyc9vocdZJaHxz2L/d0c09ecc727b2188b63b168d60755767/Impossible.jpeg","maxBounty":94000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging 
interfaces","productType":["DEX","Launchpad","Staking"],"programOverview":"Impossible Finance uses decentralised financial protocols to give everyone the same access to financial products, which were previously only available to institutions and select individuals. Impossible Finance has a vision to level the playing field by building a fair, more accessible open financial system for all.\n\nFurther resources regarding Impossible Finance can be found on their website, [https://impossible.finance/](https://impossible.finance/).  \n\nThe bug bounty program is focused around its smart contracts and is mostly concerned with the loss of user funds and other smart contract risks.","programType":["Smart Contract"],"project":"Impossible Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nSmart Contract critical payouts have a maximum total payout of 10% of the funds that are directly potentially affected with a payout floor of USD 50 000. The estimated maximum payout is based on the Total Value Locked (TVL) in the Impossible Finance but is explicitly only an estimate and only the actual active amount at the time of reporting will be considered. The actual active amount of staked funds can be found on [https://farms.impossible.finance/farms](https://farms.impossible.finance/farms). \n\n__KYC__\n\nCountry of residence is required for KYC process\n\nPayouts are handled by the __Impossible Finance__ team directly and are denominated in USD. However, payouts are done in __BUSD__. 
For Critical payouts, up to 80% of the reward may be in the project token, __IF__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"BUSD","slug":"impossiblefinance","tenPercentEconomicRule":false,"updatedDate":"2024-11-18T12:50:36.114Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Impossible Finance uses decentralised financial protocols to give everyone the same access to financial products, which were previously only available to institutions and select individuals. Impossible Finance has a vision to level the playing field by building a fair, more accessible open financial system for all.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":585,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":586,"type":"smart_contract","severity":"high","title":"Any governance voting result manipulation"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":587,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for a minimum period of 7 days"},{"id":588,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of funds"},{"id":589,"type":"smart_contract","severity":"medium","title":"Miner-extractable value (MEV)"},{"id":590,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":8319,"severity":"critical","assetType":"smart_contract","maxReward":94000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":6470,"severity":"high","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"},{"id":6471,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":6472,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3DaKpSzo27YYnFl74AxaKJ","url":"https://github.com/88mphapp/88mph-contracts","type":"smart_contract","addedAt":"2022-02-16T18:04:50.375Z","revision":2,"description":"Core","isPrimacyOfImpact":null}],"assetsBodyV2":"The Mocks folder is not considered as in-scope of this bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Avalanche","ETH","Fantom","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-07-03T11:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/zXb98ZktA4Iz4lbX9K9DZ/7644b389e284d4405290d8eadea36627/88mph_logo.png","maxBounty":25000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - 
high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts__\n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces","productType":["Bridge","Lending","Liquid Staking","Yield Aggregator"],"programOverview":"88mph is a DeFi protocol for providing fixed-term fixed-rate interest. It does so by pooling deposits with differing maturations and fixed-rates together and putting the funds in a yield-generating protocol, such as Compound, Aave, and yEarn, to earn floating-rate interest. The debt incurred by the promised fixed-rate interest of a deposit is offered as floating-rate bonds (or fundings as referred to in the contracts), which someone can purchase in exchange for the floating-rate interest generated by the corresponding deposit. 
Buyers of floating-rate bonds thus speculate on the floating-rate yield generated by the underlying protocol, while decreasing the debt of the pool and the risk of insolvency.\n\n88mph is interested in securing its V3 smart contracts and is primarily interested in preventing the loss of user funds, permanent impairment of the protocol state, or severe damage to the protocol state, in addition to any issue that might cause user dissatisfaction or minimal failure.","programType":["Smart Contract"],"project":"88mphV3","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll Critical and High Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at __10%__ of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 10 000__. \n\nPayouts are handled by the 88mph team directly and are denominated in __USD__. However, payouts are done in __MPH__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"MPH","slug":"88mphv3","tenPercentEconomicRule":false,"updatedDate":"2024-11-18T12:03:58.572Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"88mph is a DeFi protocol for providing fixed-term fixed-rate interest. 
It does so by pooling deposits with differing maturations and fixed-rates together and putting the funds in a yield-generating protocol, such as Compound, Aave, and yEarn, to earn floating-rate interest.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Attacks that rely on spamming\n  - Attacks that rely on Denial of Service\n  - Any physical attacks against 88mph property or data centers\n  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":620,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for any amount of time"},{"id":621,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":622,"type":"smart_contract","severity":"critical","title":"Miner-extractable value 
(MEV)"}],"rewards":[{"id":6169,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":8290,"severity":"critical","assetType":"smart_contract","fixedReward":25000,"rewardModel":"fixed","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"5aUDZ9q69rcMvR9s0AsBur","url":"https://github.com/DODOEX/contractV2/tree/main","type":"smart_contract","addedAt":"2022-04-07T13:11:28.146Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"1fkxBhXuwloqJpWFI5ALjM","url":"https://github.com/DODOEX/dodo-route-contract/blob/main/contracts/SmartRoute/DODORouteProxy.sol","type":"smart_contract","addedAt":"2022-12-27T12:16:21.403Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6TQHEMshKredGvNtH4E93","url":"https://github.com/DODOEX/dodo-limit-order/blob/main/src/DODOLimitOrder.sol","type":"smart_contract","addedAt":"2023-02-21T23:04:07.092Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"The following smart contracts [DODOMemberSystem](https://github.com/DODOEX/contractV2/tree/main/contracts/DODOMemberSystem/) and [https://github.com/DODOEX/contractV2/tree/main/contracts/external](https://github.com/DODOEX/contractV2/tree/main/contracts/external) are not included in this bug bounty 
program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Aurora","Avalanche","BSC","Base","Conflux","ETH","Linea","Manta","Mantle","Optimism","Polygon","Scroll"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-05-25T05:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3gUM6wDJxYyzDVoWpLQX4o/b521d1e6620ff23b80cc0c439666a5d1/DODO.svg","maxBounty":100000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["AMM","Bridge","Crosschain Liquidity","DEX","Liquid Staking"],"programOverview":"DODO is a decentralized exchange platform powered by the Proactive Market Maker (PMM) algorithm. It features highly capital-efficient liquidity pools that support single-token provision, reduce impermanent loss, and minimize slippage for traders. The trading platform also offers SmartTrade, a decentralized liquidity aggregation service that routes to and compares various liquidity sources to quote the optimal prices between any two tokens. In addition, DODO removed all roadblocks hindering liquidity pool creation for the issuance of new assets - asset ratios, liquidity depths, fee rates, and other parameters can all be freely customized and configured in real-time. Based on this breakthrough, DODO has developed Crowdpooling, a permissionless, equal opportunity liquidity offering mechanic, as well as customizable technical solutions geared towards professional on-chain market makers.\n\nMore information about DODO can be found on their website, [https://dodoex.io/](https://dodoex.io/).   
\n\nThis bug bounty program is focused around its smart contracts and is mostly concerned with the prevention of the loss of user funds.","programType":["Smart Contract"],"project":"DODO","projectType":["Defi","Exchange"],"rewardsBody":"Rewards for Smart Contract vulnerabilities are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nThe calculation of the final reward amounts will be based on the economic impact of the discovered vulnerabilities, as well as the level of difficulty in discovering these vulnerabilities. As for the economic impact, this is capped at 10% of economic damage, which accounts for direct funds at risk as well as other aspects at the discretion of the DODO team. \n\nTo qualify for a reward, please include as much information about the vulnerability as possible in your report, including:\n\n  - The conditions on which reproducing the bug is contingent\n  - The steps needed to reproduce the bug or, preferably, a proof of concept\n  - The potential implications of the vulnerability being abused\n\n\nPayouts up to __USD 100 000__ are handled by the __DODO__ team directly and are denominated in USD. However, payouts are done in __DODO__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"DODO","slug":"dodo","tenPercentEconomicRule":true,"updatedDate":"2024-11-18T12:03:26.280Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"DODO is a decentralized exchange platform powered by the Proactive Market Maker (PMM) algorithm. 
It features highly capital-efficient liquidity pools that support single-token provision, reduce impermanent loss, and minimize slippage for traders. The trading platform also offers SmartTrade, a decentralized liquidity aggregation service that routes to and compares various liquidity sources to quote the optimal prices between any two tokens.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. 
In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"The following contracts are out of scope and NO bounty will be paid:\n\n- contracts/CollateralVault/\n- contracts/DODODrops\n- contracts/Factory/Registries/DODONFTRegistry.sol\n- contracts/Factory/DODONFT.sol\n- contracts/Factory/DODONFT1155.sol\n- contracts/Factory/NFTTokenFactory.sol\n- contracts/GeneralizedFragment/\n- contracts/NFTPool/\n- contracts/SmartRoute/helper/DODONFTRouteHelper.sol\n- contracts/SmartRoute/proxies/DODODropsProxy.sol\n- contracts/SmartRoute/proxies/DODONFTPoolProxy.sol\n- contracts/SmartRoute/proxies/DODONFTProxy.sol\n- contracts/SmartRoute/DODONFTApprove.sol\n\n\n- Best practice critiques\n  - FeeRouteProxy exclusions: FeeRouteProxy.sol won't leave any tokens in a normal swap, so we don't abandon using tokens in the proxy through a specific swap method\n","customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":495,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":496,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":497,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":6161,"severity":"high","assetType":"smart_contract","maxReward":10000,"rewardModel":"up_to"},{"id":6162,"severity":"medium","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":6163,"severity":"low","assetType":"smart_contract","maxReward":1000,"rewardModel":"up_to"},{"id":8289,"severity":"critical","assetType":"smart_contract","maxReward":100000,"rewardModel":"up_to","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"39I4UubBcljARlt90OaRGQ","url":"https://etherscan.io/address/0x4aa42145Aa6Ebf72e164C9bBC74fbD3788045016","type":"smart_contract","addedAt":"2022-05-10T15:42:40.273Z","revision":2,"description":"XDaiForeignBridge: DAI-xDAI TokenBridge contract on the Ethereum Mainnet ","isPrimacyOfImpact":null},{"id":"6VGumskpUySCP01OvbYYMn","url":"https://blockscout.com/xdai/mainnet/address/0x7301CFA0e1756B71869E93d4e4Dca5c7d0eb0AA6","type":"smart_contract","addedAt":"2022-05-10T15:42:41.409Z","revision":2,"description":"HomeBridgeErcToNative: DAI-xDAI TokenBridge contract on the Gnosis 
chain","isPrimacyOfImpact":null},{"id":"4oQoN6nat7OLKqL8ib88eC","url":"https://etherscan.io/address/0x88ad09518695c6c3712AC10a214bE5109a655671","type":"smart_contract","addedAt":"2022-05-10T15:42:42.480Z","revision":2,"description":"ForeignOmnibridge: OmniBridge contract on the Ethereum Mainnet","isPrimacyOfImpact":null},{"id":"1TEVjuzA8DmpOMImDZWzs3","url":"https://blockscout.com/xdai/mainnet/address/0xf6A78083ca3e2a662D6dd1703c939c8aCE2e268d","type":"smart_contract","addedAt":"2022-05-10T15:42:43.435Z","revision":2,"description":"HomeOmnibridge: OmniBridge contract on the Gnosis chain","isPrimacyOfImpact":null}],"assetsBodyV2":"The smart contract regarding native xDAI bridging (XDaiForeignBridge and HomeBridgeErcToNative)  can be found at [https://github.com/gnosischain/tokenbridge-contracts/tree/xdaibridge-upgrade-sda](https://github.com/gnosischain/tokenbridge-contracts/tree/xdaibridge-upgrade-sda). The smart contracts regarding arbitrary ERC20 bridging (ForeignOmnibridge and HomeOmnibridge) can be found at [https://github.com/gnosischain/omnibridge/tree/master](https://github.com/gnosischain/omnibridge/tree/master).\n\nOnly those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf an impact can be caused to any other asset managed by Gnosis that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the 
project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["BSC","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-02-11T04:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6ibSou9KOCjwRMOviQ4op0/76c3c2bda63a9c0c8c8432d71f234f8c/Aatar_green_white.png","maxBounty":2000000,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the\nfollowing types:\n\n**Smart Contracts/Blockchain:**\n\n- Re-entrancy\n- Logic errors\n  - including user authentication errors\n- Solidity/EVM details not considered\n  - including integer over-/under-flow\n  - including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - including composability vulnerabilities\n- Oracle failure/manipulation\n- Novel governance attacks\n- Economic/financial attacks\n  - including flash loan attacks\n- Congestion and scalability\n  - including running out of gas\n  - including block stuffing\n  - including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n  - Signature malleability\n  - Susceptibility to replay attacks\n  - Weak randomness\n  - Weak encryption\n- Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging interfaces","productType":["Crosschain Liquidity","L1"],"programOverview":"Gnosis Chain is an EVM compatible, community-owned network that prioritizes credible neutrality and resiliency, open to everyone without privilege or prejudice. 
Secured by over 165k validators around the world, Gnosis Chain has all the tooling you are used to and trust-minimized bridges to mainnet.\n\nFor more information about Gnosis Chain, please visit [https://www.gnosis.io/](https://www.gnosis.io/).\n\nThis bug bounty program is focused on the bridges smart contracts that move assets in between Mainnet and Gnosis chain. The xDai bridge is used to bridge DAI on mainnet and the native xDai coin on Gnosis chain. For more information see [https://docs.gnosischain.com/bridges/tokenbridge/xdai-bridge](https://docs.gnosischain.com/bridges/tokenbridge/xdai-bridge). The OmniBridge is a native token bridge that mints the canonical representation of bridged assets on Gnosis. For more information see [https://docs.gnosischain.com/bridges/tokenbridge/omnibridge](https://docs.gnosischain.com/bridges/tokenbridge/omnibridge).\n\n__Disclosure of Information relating to Bug Reports:__ Security researchers may not publish any information about their bug reports (even after any vulnerabilities have been fixed and the security researcher has been paid) unless Gnosis provides written consent in the bug report submission thread.","programType":["Smart Contract"],"project":"Gnosis Chain","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll smart contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward.\n\nCritical and High smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team.\n\nPayouts are handled by the __Gnosis Chain__ team directly and are denominated in __USD__. However, payouts are done in __USDC or xDAI__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC or xDAI","slug":"gnosischain","updatedDate":"2024-11-18T12:02:21.416Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Gnosis Chain is an EVM compatible, community-owned network that prioritizes credible neutrality and resiliency, open to everyone without privilege or prejudice. Secured by over 165k validators around the world, Gnosis Chain has all the tooling you are used to and trust-minimized bridges to mainnet.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":56,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least  1 week"},{"id":57,"type":"smart_contract","severity":"high","title":"Temporary freezing NFTs for at least  1 week"},{"id":58,"type":"smart_contract","severity":"high","title":"Miner-extractable value (MEV)"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":59,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":60,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"}],"rewards":[{"id":6154,"severity":"high","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range"},{"id":6155,"severity":"medium","assetType":"smart_contract","maxReward":10000,"minReward":1000,"rewardModel":"range"},{"id":8288,"severity":"critical","assetType":"smart_contract","maxReward":2000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"3XV8hLBZinuHUVb97Rel11","url":"https://etherscan.io/address/0xd0Dd053392db676D57317CD4fe96Fc2cCf42D0b4","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"Drips","isPrimacyOfImpact":null},{"id":"2e0qPZ88dRTzCStudQyBA3","url":"https://etherscan.io/address/0xb0C9B6D67608bE300398d0e4FB0cCa3891E1B33F","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"Drips Logic","isPrimacyOfImpact":null},{"id":"2jmqfQqHDyPfedawwGaewO","url":"https://etherscan.io/address/0x60F25ac5F289Dc7F640f948521d486C964A248e5","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"Caller","isPrimacyOfImpact":null},{"id":"4N5qgoFoziuWiB1tLKA8l5","url":"https://etherscan.io/address/0x1455d9bD6B98f95dd8FEB2b3D60ed825fcef0610","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"AddressDriver","isPrimacyOfImpact":null},{"id":"2bCCtOTtcCJsEtnhrWFxve","url":"https://etherscan.io/address/0x3Ea1e774f98cc4C6359bbCB3238E3e60365Fa5c9","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"AddressDriver 
Logic","isPrimacyOfImpact":null},{"id":"3uh0tmvHQIya2u0GIXGtIi","url":"https://etherscan.io/address/0xcf9c49B0962EDb01Cdaa5326299ba85D72405258","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"NFTDriver","isPrimacyOfImpact":null},{"id":"1t3yU5tp0nfrVgAFaHresP","url":"https://etherscan.io/address/0x3B11537D0d4276Ba9e41FFe04e9034280bd7af50","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"NFTDriver Logic","isPrimacyOfImpact":null},{"id":"2u8D6rN46lzEqPuOo466PG","url":"https://etherscan.io/address/0x1212975c0642B07F696080ec1916998441c2b774","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"ImmutableSplitsDriver","isPrimacyOfImpact":null},{"id":"3iNprT3MK2Xtr6TEKTx8IG","url":"https://etherscan.io/address/0x2c338CDf00dFd5A9B3B6b0b78BB95352079AAF71","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"ImmutableSplitsDriver Logic","isPrimacyOfImpact":null},{"id":"7eQ5hKYx5XZLUjRmisFcBK","url":"https://etherscan.io/address/0x770023d55D09A9C110694827F1a6B32D5c2b373E","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"RepoDriver","isPrimacyOfImpact":null},{"id":"7BJgQkrTZ8yKuy9Nd12d9D","url":"https://etherscan.io/address/0xa928d4b087AD35C46BA83331d8eEddb83152319b","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"RepoDriver AnyApi Operator","isPrimacyOfImpact":null},{"id":"nwoOX3mOB2X2HMEJGp0gB","url":"https://etherscan.io/address/0xfC446dB5E1255e837E95dB90c818C6fEb8e93ab0","type":"smart_contract","addedAt":"2023-12-01T09:00:00.000Z","revision":1,"description":"RepoDriver Logic","isPrimacyOfImpact":null}],"assetsBodyV2":"Unless explicitly listed, only pages of the web/app assets in addition to the direct link are considered in-scope of the bug bounty program. Other subdomains are not considered as in-scope. 
However, for subdomain takeovers that lead to an impact on the in-scope asset, please refer to our page about [Reported Subdomain Takeovers.](https://immunefisupport.zendesk.com/hc/en-us/articles/14352199704593-Reported-Subdomain-Takeovers)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-12-01T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/nYC6PqIgLjot92oyzZKKN/d72cb6d440cb994d48f49425acfca766/photo_2023-11-20_11-01-45_copy_2.jpg","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["DAO","Services"],"programOverview":"Drips is an Ethereum protocol and web app that makes it easy for organizations and individuals to provide direct financial support to developers of free and open source software (FOSS).\n\nIn essence, Drips serves as an off-the-shelf solution for direct and recurring financial support, allowing organizations to effortlessly allocate ongoing ERC-20 tokens to the projects they consider essential and to link their success to the success of their dependents.\n\nIn Drips, funders provide financial support to FOSS developers by creating Drip Lists.  A Drip List is a collection of Ethereum addresses, ENS names and Git repositories curated by an individual user or organization and packaged together under one title. This list is accompanied by a percentage of funds to be allocated to each item on the list. 
These lists are publicly available, shareable on the web and open for anyone to fund.\n\nDrips also includes a built-in capability to allow funders to provide continuous, recurring support to FOSS projects over time, which we refer to as “streaming”. Funders who create a stream have the ability to cancel the remainder of a stream at any time and reclaim any un-streamed funds, providing them with complete control and the freedom to adapt their support based on evolving circumstances.\n\nFinally, to enable funders to support FOSS projects that do not have Ethereum addresses at the time the funds are sent, Drips also includes an optional, oracle-based identity solution, powered by Chainlink. This feature enables users to directly send funds to the owners of public software repositories on Github, which the owner of the repository can claim at a later time by adding a FUNDING.json file to the root of the repository’s default branch.\n\nFor more information about Drips, please visit [https://www.drips.network/ ](https://www.drips.network/) \n\nDrips provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__Primacy of Impact vs Primacy of Rules__\n\nDrips adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.","programType":["Smart Contract"],"project":"Drips","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. 
However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a bug report. \n\nAll other impacts that would be classified as Critical, or an impact resulting in a theft of funds that does not fall under this definition, would be rewarded 50 000.\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. \n- [https://hackmd.io/6_EgTHw6TVGlfxls0iKMAQ?view](https://hackmd.io/6_EgTHw6TVGlfxls0iKMAQ?view)\n\n__Previous Audits__\n\nDrips has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n- [https://docs.drips.network/assets/files/Spearbit_Drips_Network_Security_Review-d5cda225c36d4c2f1185e154431812b5.pdf](https://docs.drips.network/assets/files/Spearbit_Drips_Network_Security_Review-d5cda225c36d4c2f1185e154431812b5.pdf)\n- [https://docs.drips.network/assets/files/Drips_Audit_Report-c2efbc01f0ce28c8847226339d63c3a7.pdf](https://docs.drips.network/assets/files/Drips_Audit_Report-c2efbc01f0ce28c8847226339d63c3a7.pdf)\n- [https://code4rena.com/reports/2023-01-drips](https://code4rena.com/reports/2023-01-drips)\n- [https://docs.drips.network/assets/files/Certora_Radicle_Drips_Report-a557b047cd7806033d47cfcba1ce334e.pdf](https://docs.drips.network/assets/files/Certora_Radicle_Drips_Report-a557b047cd7806033d47cfcba1ce334e.pdf)\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for all Smart Contract and Web/App severity levels.\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and 
Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Other Terms and Information__\n\nExceptions to the PoC requirement for smart contract bugs may be made in cases where the vulnerability is objectively evident from simply mentioning the vulnerability and where it exists. However, the bug reporter may be required to provide a PoC at any point in time.\n\nFor smart contract-related vulnerabilities, in order to be eligible for a reward, the vulnerability must exist both in the deployed smart contract on Ethereum Mainnet and the GitHub file in the Assets in Scope table.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Drips team directly and are denominated in USD. However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"drips","updatedDate":"2024-11-18T12:01:03.677Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Drips is an Ethereum protocol and web app that makes it easy for organizations and individuals to provide direct financial support to developers of free and open source software (FOSS).","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":4617,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield."},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":6151,"severity":"high","assetType":"smart_contract","fixedReward":40000,"rewardModel":"fixed"},{"id":6152,"severity":"medium","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"},{"id":8287,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1VgdUm6pKoeeb5wdDBgYnIYVThMGkRwAr?usp=sharing)\n\nAll paid bug reports are available in original format [here](https://reports.immunefi.com/swaylend_iop)","boostedIntroLive":"$45,000 USD is available in rewards for finding bugs in Swaylend's codebase of 2400 nSLOC. There is no KYC required.\n\nAny technical questions and support requests can be asked directly to Swaylend or Immunefi in the [Swaylend | IOP - Discord channel](https://discord.com/invite/immunefi?utm_source=immunefi).\n\nWhen the Boost has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$45,000 USD in rewards is available for finding bugs on Swaylend which is lending protocol on Fuel Network. 
**For this Invite-Only Program, all whitehats who found at least 1 valid report in Fuel's Attackathon are invited.**\n\nNo KYC is required.\n\nAny technical questions can be asked directly to the Swaylend technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"swaylend-iop\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nIn a few days after the launch, Swaylend will give a live technical walkthrough.\n\nJoin our Discord for more updates.","boostedLeaderboard":[{"high":2,"name":"SeveritySquad","critical":1,"earnings":20383,"insights":1,"mediumLow":4,"totalValidBugs":7},{"high":1,"name":"jasonxiale","critical":1,"earnings":15462,"insights":5,"mediumLow":3,"totalValidBugs":5},{"high":0,"name":"ret2happy","critical":1,"earnings":5530,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"SimaoAmaro","critical":0,"earnings":1895,"insights":0,"mediumLow":3,"totalValidBugs":4},{"high":1,"name":"savi0ur","critical":0,"earnings":1730,"insights":1,"mediumLow":0,"totalValidBugs":1}],"boostedSummaryReport":"https://drive.google.com/file/d/1s6DrkneOU3E4D0bUL8RhxOK-0rQsWe1j/view?usp=sharing","ecosystem":["Fuel Network"],"endDate":"2024-10-22T12:00:00.000Z","evaluationEndDate":"2024-11-18T11:38:53.502Z","features":["IOP (Invite Only Program)","Managed Triage: Time Saver"],"hideAssetsInScope":false,"immunefiStandard":true,"inviteOnly":true,"kyc":false,"language":["Rust"],"launchDate":"2024-10-01T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1MwMoCPG00myFl6Ks1kTss/424500da4b09dc12b04927d2752c2960/Swaylend_logo.png","maxBounty":45000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. 
\n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Swaylend is a leading lending protocol on the Fuel network. It is a fork of Compound V3.\n\nFor more information about  Swaylend, please visit https://swaylend.com/.\n\nSwaylend provides rewards in UDSC, denominated in USD.\n\nPOCs should be tested against the most recent changes / fixes at this link, so https://github.com/Swaylend/swaylend-monorepo/tree/9132747331188b86dd8cbf9a1ca37b811d08dddb\n\nPlease refer to this changelog page: https://immunefisupport.zendesk.com/hc/en-us/articles/29137422160657-Swaylend-IOP-Code-Update-Changelog","programType":["Smart Contract"],"project":"IOP | Swaylend","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Swaylend IOP Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/28665038043025-Swaylend-IOP-Audit-Competition-Reward-Terms). \n\nA reward pool of $45,000 USD will be distributed among participants, even if no valid bugs are found. 
\n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight* Rewards: Portion of the Rewards Pool\n\n*The \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)","rewardsPool":45000,"primaryPool":45000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"iop-swaylend","tenPercentEconomicRule":false,"updatedDate":"2024-11-18T11:48:17.205Z","impactsBody":"**Proof of Concept (PoC) Requirements**\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Ionic has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","websiteUrl":"https://swaylend.com/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"**Swaylend's Invite-Only Program is a form of Audit Competition which is exclusively accessible to a select group of security researchers who have submitted at least 1 valid report during Fuel Attackathon event. 
These researchers will share a flat reward pool for every valid bug found.**\n","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":5093,"type":"smart_contract","severity":"high","title":"Temporary (1 hr) freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward 
Pool","assetType":"smart_contract","pocRequired":true}],"audits":[{"id":"15GkxscQjaGIOcBRk9Y5yF","url":"https://www.halborn.com/audits/swaylend","auditor":"Halborn","date":"2024-09-17"}]},{"assets":[{"id":"2oXv0M4ijaSzk1c3ZeDMN0","url":"https://etherscan.io/address/0xf42ecdc112365ff79a745b4cf7d4c266bd6e4b25","type":"smart_contract","addedAt":"2022-09-29T18:00:00.000Z","revision":1,"description":"ExchangeIssuanceZeroEx","isPrimacyOfImpact":null},{"id":"2lZ1Hc0IDUiYxjh5ORQOkz","url":"https://etherscan.io/address/0xb7cc88a13586d862b97a677990de14a122b74598","type":"smart_contract","addedAt":"2022-09-29T18:00:00.000Z","revision":1,"description":"ExchangeIssuanceLeveraged","isPrimacyOfImpact":null},{"id":"3wx0b1K3SnO5BVCMV6Pean","url":"https://etherscan.io/address/0xD2463675a099101E36D85278494268261a66603A","type":"smart_contract","addedAt":"2022-09-29T19:01:19.659Z","revision":1,"description":"Controller","isPrimacyOfImpact":null},{"id":"zRv3hQiUjLtdTded2IqLS","url":"https://etherscan.io/address/0x2758BF6Af0EC63f1710d3d7890e1C263a247B75E","type":"smart_contract","addedAt":"2022-09-29T19:01:33.054Z","revision":1,"description":"SetTokenCreator","isPrimacyOfImpact":null},{"id":"2gMVTTwMhjGnIlwz0Qnbhh","url":"https://etherscan.io/address/0xa0a98EB7Af028BE00d04e46e1316808A62a8fd59","type":"smart_contract","addedAt":"2022-09-29T19:01:46.641Z","revision":1,"description":"DebtIssuanceModuleV2","isPrimacyOfImpact":null},{"id":"225XOVthrijMK7Rd9uDm3o","url":"https://etherscan.io/address/0x165EDF07Bb61904f47800e13F5120E64C4B9A186","type":"smart_contract","addedAt":"2022-09-29T19:02:01.836Z","revision":1,"description":"StreamingFeeModule","isPrimacyOfImpact":null},{"id":"6suZakmEBEU2mR4FfHYN56","url":"https://etherscan.io/address/0xb9083dee5e8273E54B9DB4c31bA9d4aB7C6B28d3","type":"smart_contract","addedAt":"2022-09-29T19:02:14.301Z","revision":1,"description":"IntegrationRegistry","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are 
considered as in-scope of the bug bounty program.\n\nThe current  implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target, if applicable. \n\nIf an impact can be caused to any other asset managed by Index Coop that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. This only applies to Critical impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-09-29T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3bVqHG0B3LVOmdevJeeJoC/e4f00313e22321dc6118c5c0ab544b4e/Index_Coop_logo.jpeg","maxBounty":200000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Asset Management","DAO","Yield Aggregator"],"programOverview":"Index Coop is a decentralized autonomous organization that powers on-chain structured products that make crypto simpler, safer & more accessible to all. Our products democratizes access to complex DeFi strategies through suites of sector indices, leveraged tokens and automated yield strategies. As of September 2021, Index Coop supported 79.3% of on-chain structured product TVL. 
For more information about Index Coop, please visit [https://indexcoop.com/](https://indexcoop.com/).","programType":["Smart Contract"],"project":"Index Coop","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll High and Critical Smart Contract reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 50 000__. \n\nPayouts are handled by the __Index Coop__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"indexcoop","updatedDate":"2024-11-18T11:33:48.617Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Index Coop is a decentralized autonomous organization that powers on-chain structured products that make crypto simpler, safer & more accessible to all. Our products democratizes access to complex DeFi strategies through suites of sector indices, leveraged tokens and automated yield strategies. 
As of September 2021, Index Coop supported 79.3% of on-chain structured product TVL.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"Please note that there is a bug in the ExchangeIssuanceZeroEx contract whereby tokens in the contract can be withdrawn by anyone, instead of just the contract owner. This issue was reported through ImmuneFi, and marked as closed after payment to the whitehat. Index Coop engineers decided that the vulnerability was not worth fixing because the amounts at risk are small. Therefore, the vulnerability for withdrawing funds from this contract should be considered out of scope. \n\n  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3300,"type":"smart_contract","severity":"high","title":"Any governance voting result manipulation"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":3301,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for any amount of time"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":6146,"severity":"high","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"},{"id":8286,"severity":"critical","assetType":"smart_contract","maxReward":200000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"1CUQYIF94opUrvyP9DUThH","url":"https://github.com/sweatco/sweat-near/tree/main","type":"smart_contract","addedAt":"2023-03-31T18:00:00.000Z","revision":2,"description":"FT Token","isPrimacyOfImpact":null},{"id":"1GaJXbZYqcZ1nr7QSvKvmU","url":"https://github.com/sweatco/sweat-jar/commit/663beb1883ae81cc0bd6b35945cb0749ab853d3f","type":"smart_contract","addedAt":"2023-11-14T17:29:02.163Z","revision":2,"description":"DeFi","isPrimacyOfImpact":null},{"id":"3SdkAPIZLct8r4pwXrH08O","url":"https://github.com/sweatco/sweat-claim/tree/main","type":"smart_contract","addedAt":"2024-02-07T09:44:32.318Z","revision":1,"description":" DeFi","isPrimacyOfImpact":null}],"assetsBodyV2":"The following assets can have their deployment addresses found at:\n- FT Token - [https://nearblocks.io/address/token.sweat ](https://nearblocks.io/address/token.sweat)\n- SWEAT DeFi Jars - [ https://nearblocks.io/address/jars.sweat]( https://nearblocks.io/address/jars.sweat)\n- SWEAT Claim - [https://nearblocks.io/address/claim.sweat](https://nearblocks.io/address/claim.sweat)\n\nHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program. 
Only the master branch is in-scope\n\nIf an impact can be caused to any other asset managed by Sweat Foundation that isn’t on this table, but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Near"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["JavaScript","Rust"],"launchDate":"2023-03-31T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4cIP56xUCfhgaqmMzDeCMD/03d7201e7ff61ab8816864799a459338/SWEAT_CIRCLE_LOGO.png","maxBounty":2000000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking","Token"],"programOverview":"With over 120M users, Sweat Economy is a global ecosystem designed to reward and inspire movement. The Sweat Wallet is a crypto app that rewards people with a cryptocurrency, SWEAT, for their steps, which are verified by a separate app, Sweatcoin. SWEAT is built on the NEAR blockchain, and the Sweat Wallet is by far the most used DApp on this network. 
The token has much utility; it can be used to access rewards, like BTC, USDT and Macbooks, or used in staking and DeFi functions like crypto swap, and as fuel for Sweat Hero, a peer-to-peer NFT game.\n\nFor more information, visit [https://sweateconomy.com/.](https://sweateconomy.com/)","programType":["Smart Contract"],"project":"Sweat Economy","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. \n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 50 000__  for Critical smart contract bug reports.\n\nKnown issues highlighted in the following audit reports are considered out of scope: \n- [https://github.com/sweatco/sweat-near/security/policy](https://github.com/sweatco/sweat-near/security/policy)\n- [https://github.com/sweatco/sweat-jar/security/policy](https://github.com/sweatco/sweat-jar/security/policy)\n- [https://github.com/sweatco/sweat-claim/security/policy](https://github.com/sweatco/sweat-claim/security/policy)\n\nPayouts are handled by the __Sweat Foundation__ directly and are denominated in USD. 
However, payouts are done in __USDT__ (ERC20/NEP141) and __SWEAT__ (ERC20/NEP141), at the discretion of the project.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"SWEAT","slug":"sweateconomy","updatedDate":"2024-11-18T11:32:47.373Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"With over 120M users, Sweat Economy is a global ecosystem designed to reward and inspire movement. The Sweat Wallet is a crypto app that rewards people with a cryptocurrency, SWEAT, for their steps, which are verified by a separate app, Sweatcoin. SWEAT is built on the NEAR blockchain, and the Sweat Wallet is by far the most used DApp on this network.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":3958,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":3959,"type":"smart_contract","severity":"high","title":"Temporary freezing NFTs for at least 24 hours"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of 
NFTs"},{"id":3960,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of SWEAT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"}],"rewards":[{"id":6144,"severity":"high","assetType":"smart_contract","fixedReward":25000,"rewardModel":"fixed"},{"id":8285,"severity":"critical","assetType":"smart_contract","maxReward":2000000,"minReward":50000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"7Cdh70RE8zr62ah69YIAYh","url":"https://arbiscan.io/address/0xD9dEd6f9959176F0A04dcf88a0d2306178A736a6#code","type":"smart_contract","addedAt":"2022-04-12T02:33:37.967Z","revision":1,"description":"Governor","isPrimacyOfImpact":null},{"id":"6ARfxaFDvHF8y38ShPC0ks","url":"https://arbiscan.io/address/0xD8E8328501E9645d16Cf49539efC04f734606ee4#code","type":"smart_contract","addedAt":"2022-04-12T02:33:34.603Z","revision":1,"description":"Controller","isPrimacyOfImpact":null},{"id":"1d6eBKZTRr3nMNN39NmN5Y","url":"https://arbiscan.io/address/0x289ba1701C2F088cf0faf8B3705246331cB8A839#code","type":"smart_contract","addedAt":"2022-04-12T02:33:32.131Z","revision":1,"description":"LivepeerToken","isPrimacyOfImpact":null},{"id":"2VHNORN0e4S6Ls1VlhwdWq","url":"https://arbiscan.io/address/0xc20DE37170B45774e6CD3d2304017fc962f27252","type":"smart_contract","addedAt":"2022-04-12T02:33:28.850Z","revision":1,"description":"Minter","isPrimacyOfImpact":null},{"id":"1u5kFokTDnbVJv0uXGTLTh","url":"https://arbiscan.io/address/0x35Bcf3c30594191d53231E4FF333E8A770453e40#code","type":"smart_contract","addedAt":"2022-04-12T02:33:26.977Z","revision":1,"description":"Bonding Manager (Proxy)","isPrimacyOfImpact":null},{"id":"4nAId0h2gZRYDmpdkL6Fmr","url":"https://arbiscan.io/address/0x6b397f20DC227B4E23fEc20BBDBe166d0DFFC452","type":"smart_contract","addedAt":"2022-04-12T02:33:23.795Z","revision":5,"description":"Bonding Manager 
(Target)","isPrimacyOfImpact":null},{"id":"5DAqzgbZ5ks8YcBWZuVnJg","url":"https://arbiscan.io/address/0xa8bB618B1520E284046F3dFc448851A1Ff26e41B#code","type":"smart_contract","addedAt":"2022-04-12T02:33:20.734Z","revision":1,"description":"TicketBroker (Proxy)","isPrimacyOfImpact":null},{"id":"4IF01CbBuEbQBPZFFeUlol","url":"https://arbiscan.io/address/0xD906D192e2503Aafd1BC5F5fc4163E842D5B1d6e","type":"smart_contract","addedAt":"2022-04-12T02:33:18.686Z","revision":1,"description":"TicketBroker (Target)","isPrimacyOfImpact":null},{"id":"4JiHYDxONqoMFlTDYQZJ53","url":"https://arbiscan.io/address/0xdd6f56DcC28D3F5f27084381fE8Df634985cc39f#code","type":"smart_contract","addedAt":"2022-04-12T02:33:16.697Z","revision":1,"description":"RoundsManager (Proxy)","isPrimacyOfImpact":null},{"id":"2CJfXWXNbtG2JrUGvfPcVl","url":"https://arbiscan.io/address/0x92d804Ed49D92438aEA6fe552BD9163aacb7E841#code","type":"smart_contract","addedAt":"2022-04-12T02:33:14.416Z","revision":1,"description":"RoundsManager (Target)","isPrimacyOfImpact":null},{"id":"54Nd7FYH0pfsZ3DXuwYw22","url":"https://arbiscan.io/address/0xC92d3A360b8f9e083bA64DE15d95Cf8180897431#code","type":"smart_contract","addedAt":"2022-04-12T02:33:10.363Z","revision":1,"description":"ServiceRegistry (Proxy)","isPrimacyOfImpact":null},{"id":"4KmuzIeDli8Bz3bfvC8S4G","url":"https://arbiscan.io/address/0x38093CDca43aeCd7bb474983519A246e93A3b0a7#code","type":"smart_contract","addedAt":"2022-04-12T02:33:07.675Z","revision":1,"description":"ServiceRegistry 
(Target)","isPrimacyOfImpact":null},{"id":"2CnNEtvoZ4bIBDopCGbJuC","url":"https://arbiscan.io/address/0xC45f6918F7Bcac7aBc8fe05302b3cDF39776cdeb#code","type":"smart_contract","addedAt":"2022-04-12T02:33:04.371Z","revision":1,"description":"SortedDoublyLL","isPrimacyOfImpact":null},{"id":"Iy8uEGapWrQzHIqF2YvCC","url":"https://arbiscan.io/address/0x8bb50806D60c492c0004DAD5D9627DAA2d9732E6#code","type":"smart_contract","addedAt":"2022-04-12T02:33:01.204Z","revision":1,"description":"PollCreator","isPrimacyOfImpact":null},{"id":"dioPU1xGFWvEkzrawW550","url":"https://arbiscan.io/address/0x10736ffaCe687658F88a46D042631d182C7757f7#code","type":"smart_contract","addedAt":"2022-04-12T02:32:58.120Z","revision":1,"description":"MerkleSnapshot","isPrimacyOfImpact":null},{"id":"3UMmUf7MWRg0o0ZGwb3WY2","url":"https://arbiscan.io/address/0xfdb06109032AD3671a8f14f5f2E78f4B9E81b567#code","type":"smart_contract","addedAt":"2022-04-12T02:32:55.785Z","revision":1,"description":"DelegatorPool","isPrimacyOfImpact":null},{"id":"3ufwbcwvbgi0S47kk9Aly7","url":"https://arbiscan.io/address/0xd78b6bD09cd28A83cFb21aFa0DA95c685A6bb0B1#code","type":"smart_contract","addedAt":"2022-04-12T02:32:51.987Z","revision":1,"description":"L2LPTDataCache","isPrimacyOfImpact":null},{"id":"2ZymNdGRj17ex9z1wKwGma","url":"https://arbiscan.io/address/0x6D2457a4ad276000A615295f7A80F79E48CcD318#code","type":"smart_contract","addedAt":"2022-04-12T02:32:50.110Z","revision":1,"description":"L2PTGateway","isPrimacyOfImpact":null},{"id":"5ZYck5BhhvLunmb5S7q9LT","url":"https://arbiscan.io/address/0x148D5b6B4df9530c7C76A810bd1Cdf69EC4c2085#code","type":"smart_contract","addedAt":"2022-04-12T02:32:47.886Z","revision":1,"description":"L2Migrator (Proxy)","isPrimacyOfImpact":null},{"id":"124lsvhcePLhRn2wgGKSXN","url":"https://arbiscan.io/address/0x93BB030735747708b4D33093A98d4c804Cd6B58C","type":"smart_contract","addedAt":"2022-04-12T02:32:44.779Z","revision":1,"description":"L2Migrator 
(Target)","isPrimacyOfImpact":null},{"id":"48WXjN9eI8Q14si4hwxIM5","url":"https://etherscan.io/address/0x6A23F4940BD5BA117Da261f98aae51A8BFfa210A#code","type":"smart_contract","addedAt":"2022-04-12T02:32:41.977Z","revision":1,"description":"L1Escrow","isPrimacyOfImpact":null},{"id":"35pjN33XgCfei1RwUsq9yb","url":"https://etherscan.io/address/0x1d24838b35A9c138Ac157A852e19e948aD6323D7#code","type":"smart_contract","addedAt":"2022-04-12T02:32:38.865Z","revision":1,"description":"L1LPTDataCache","isPrimacyOfImpact":null},{"id":"5eA9TmBzp5C2UBaQFe7vFf","url":"https://etherscan.io/address/0x6142f1C8bBF02E6A6bd074E8d564c9A5420a0676#code","type":"smart_contract","addedAt":"2022-04-12T02:32:36.888Z","revision":1,"description":"L1LPTGateway","isPrimacyOfImpact":null},{"id":"6ugrr3oxL6fv1CeBceb6dK","url":"https://etherscan.io/address/0x21146B872D3A95d2cF9afeD03eE5a783DaE9A89A#code","type":"smart_contract","addedAt":"2022-04-12T02:32:33.876Z","revision":1,"description":"L1Migrator","isPrimacyOfImpact":null},{"id":"1PRB92FHthoDEc00RlfRzF","url":"https://etherscan.io/address/0x8dDDB96CF36AC8860f1DE5C7c4698fd499FAB405#code","type":"smart_contract","addedAt":"2022-04-12T02:32:30.700Z","revision":1,"description":"BridgeMinter","isPrimacyOfImpact":null},{"id":"59ZoRvD4GpRzXwxNy7WoUm","url":"https://arbiscan.io/address/0x0B9C254837E72Ebe9Fe04960C43B69782E68169A","type":"smart_contract","addedAt":"2023-10-16T15:41:28.252Z","revision":1,"description":" BondingVotes (Proxy)","isPrimacyOfImpact":null},{"id":"3IjoNUdBKndd3aRYcokmdn","url":"https://arbiscan.io/address/0x68AF80376Bc1CA0C25a83b28e5570E8c7bdD3119","type":"smart_contract","addedAt":"2023-10-16T15:41:25.161Z","revision":1,"description":"BondingVotes 
(Target)","isPrimacyOfImpact":null},{"id":"kMHoU7FXSsPrezO4ABjjN","url":"https://arbiscan.io/address/0xf82C1FF415F1fCf582554fDba790E27019c8E8C4","type":"smart_contract","addedAt":"2023-10-16T15:41:22.947Z","revision":1,"description":"Treasury","isPrimacyOfImpact":null},{"id":"kXQE4SNkUVTkvCfhrcPal","url":"https://arbiscan.io/address/0xcFE4E2879B786C3aa075813F0E364bb5acCb6aa0","type":"smart_contract","addedAt":"2023-10-16T15:41:21.006Z","revision":1,"description":"LivepeerGovernor (Proxy)","isPrimacyOfImpact":null},{"id":"68hiZaKh1uq3yXqY3VNeZ0","url":"https://arbiscan.io/address/0xd2Ce37BCB287CaDc40647f567C2D3C4220901634","type":"smart_contract","addedAt":"2023-10-16T15:41:19.192Z","revision":1,"description":"LivepeerGovernor (Target)","isPrimacyOfImpact":null}],"assetsBodyV2":"Livepeer Smart ContractsHowever, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2022-02-25T04:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3UUkKoNVTz0RMrIhQnL0v8/042be0217ef163209cec501313440815/Livepeer_logo.jpeg","maxBounty":40000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts__\n\n__Critical__\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Insolvency\n  - Unintended issuance of LPT on L1\n  - Unexpected calls to functions that should only be called by authorized addresses (i.e. Governor)\n\n__High__\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds\n  - Any unexpected balance inflation when transitioning between L1 and L2\n\n__Medium__\n  - Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)\n  - Theft of gas\n  - Unbounded gas consumption or any other gas drainage\n\n__Low__\n  - Smart contract has unexpected behavior but doesn’t lose value\n\nIn case of discrepancy between [Immunefi Vulnerability Severity Classification System V2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2/) and Livepeer’s classification above, Livepeer classification will be followed.","productType":["Services"],"programOverview":"Livepeer is a decentralized video streaming network built on the Ethereum blockchain. The Livepeer network already includes over 70,000 GPUs, which is enough aggregated power to encode all of the video streaming through Twitch, YouTube and Facebook combined. Through the power of open source software, the harnessing of underutilized resources like compute and bandwidth, and the use of cryptoeconomic incentives for bootstrapping and participation, there is an opportunity to deliver an infrastructure that can power video streaming applications at a highly efficient price, and infinite scale.\n\nFor more information about Livepeer, please visit [https://livepeer.org/](https://livepeer.org/).  
\n\nThis bug bounty program is focused on their smart contracts and is focused on preventing:\n\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Insolvency\n  - Unintended issuance of LPT on L1\n  - Unexpected calls to functions that should only be called by authorized addresses (i.e. Governor)","programType":["Smart Contract"],"project":"Livepeer","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nAll vulnerabilities marked in the [security review](https://code4rena.com/reports/2022-01-livepeer) are not eligible for a reward.\n\nLivepeer requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is Visual Proof of Identity. The collection of this information will be done by the project team. \n\nRewards for critical vulnerabilities are capped at 10% of the economic damage (following the linked examples) with the primary focus on possible loss of funds for Orchestrators, Delegators and Broadcasters at the Smart Contract level only. 
If there is a repeatable attack, only the first attack is considered unless further attacks cannot be mitigated via an upgrade or pause.\n\nRewards for high vulnerabilities will depend on the amount of unclaimed yield that is on the line and how long the funds can be frozen.\n\nPayouts are handled by the __Livepeer__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"livepeer","tenPercentEconomicRule":true,"updatedDate":"2024-11-18T11:27:27.461Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Livepeer is a decentralized video streaming network built on the Ethereum blockchain. The Livepeer network already includes over 70,000 GPUs, which is enough aggregated power to encode all of the video streaming through Twitch, YouTube and Facebook combined.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques\n  - Oracle failure/manipulation\n  - Consensus failure","customProhibitedActivities":[],"impacts":[{"id":1930,"type":"smart_contract","severity":"low","title":"Smart contract has unexpected behavior but doesn’t lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":1931,"type":"smart_contract","severity":"high","title":"Any unexpected balance inflation when transitioning between L1 and L2"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":1932,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption or any other gas drainage"},{"id":1933,"type":"smart_contract","severity":"medium","title":"Manipulation of protocol governance vote or treasury voting that does not effect the result of the vote"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":1934,"type":"smart_contract","severity":"critical","title":"Insolvency"},{"id":1935,"type":"smart_contract","severity":"critical","title":"Unintended issuance of LPT on L1"},{"id":1936,"type":"smart_contract","severity":"critical","title":"Unexpected calls to functions that should only be called by authorized addresses (i.e. 
Governor)"},{"id":1937,"type":"smart_contract","severity":"critical","title":"Direct manipulation treasury voting that manipulate the outcome of the vote resulting in drained funds from the treasury"}],"rewards":[{"id":6115,"severity":"high","assetType":"smart_contract","maxReward":15000,"rewardModel":"up_to"},{"id":6116,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":6117,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":8281,"severity":"critical","assetType":"smart_contract","maxReward":40000,"rewardModel":"up_to","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"50FoOHvttNB5LhAvsgblzI","url":"https://etherscan.io/address/0xfEB516d9D946dD487A9346F6fee11f40C6945eE4","type":"smart_contract","addedAt":"2023-12-27T09:00:00.000Z","revision":1,"description":"WildcatArchController","isPrimacyOfImpact":null},{"id":"41fw2HSXKThBnDsXDmMFa5","url":"https://etherscan.io/address/0xFd31007613C9F671df6A8D4234901324986Bfd13","type":"smart_contract","addedAt":"2023-12-27T09:00:00.000Z","revision":1,"description":"WildcatMarketControllerFactory","isPrimacyOfImpact":null},{"id":"44bn0jaMlV7GGPHnrDQ8d2","url":"https://etherscan.io/address/0x437e0551892C2C9b06d3fFd248fe60572e08CD1A","type":"smart_contract","addedAt":"2023-12-27T09:00:00.000Z","revision":1,"description":"WildcatSanctionsSentinel","isPrimacyOfImpact":null},{"id":"4EJQWoacsgFByIY1JLuzQs","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2023-12-27T09:00:00.000Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-12-27T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1R2U4bK3NgSW5iWZEdTTct/c4eded61a678371160198811819eafaf/TIzDmOkk_400x400.png","maxBounty":10000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending","Staking"],"programOverview":"The Wildcat Protocol is a hands-off credit facilitation protocol that enables the deployment of markets by pre-authorised (KYC’d through protocol) borrowers. Market parameters are arbitrarily parameterisable subject to these parameters falling within the bounds of controllers registered with the protocol registry. Borrowers must - at present - select their own lender lists explicitly. Participants in markets can optionally choose to sign a master loan agreement that dictates their behaviour. Wildcat markets make use of novel implementations of withdrawals, collateralisation and penalties for failure to maintain adequate reserves. Rebasing ‘market tokens’ are issued in exchange for deposits, inflating according to the active interest rate to ensure 1:1 parity for claiming underlying assets.\n\nFor more information about Wildcat Protocol, please visit [https://www.wildcat.finance/.  ](https://www.wildcat.finance/)\n\nWildcat Protocol provides rewards in USDC. 
For more details about the payment process, please view the Rewards by Threat Level section further below.  \n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n- Full name\n- Address\n- Passport\n\nKYC information is only required on confirmation of the validity of a bug report.   \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 10 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 7 500 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Primacy of Impact vs Primacy of Rules__\n\nWildcat Protocol adheres to the Primacy of Impact for the following severity levels:\n- Smart Contract, Critical\n- Smart Contract, High\n- Smart Contract, Medium\n- Smart Contract, Low\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n\n__Immunefi Standard Badge__\n\nWildcat Protocol has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices. \n\n__Invoicing Information__\n\nIf needed by the security researcher, Wildcat Protocol is able to provide the necessary information for the proper issuance of an invoice. This includes:\n- Company name and address\n- Registered company number (British Virgin Islands)","programType":["Smart Contract"],"project":"Wildcat Protocol","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Previous Audits__\n\nWildcat Protocol has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports are not eligible for a reward.\n- [https://hackmd.io/@geistermeister/r15gj_y1p ](https://hackmd.io/@geistermeister/r15gj_y1p)\n- [https://code4rena.com/contests/2023-10-the-wildcat-protocol](https://code4rena.com/contests/2023-10-the-wildcat-protocol)\n\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards ](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards)which by default states what a Projects should or should not cite when downgrading a bug report’s impact, severity, and/or payout amount. 
These standards are continuously being developed and updated  with help of the community and encompasses fair guidelines where the project clearly commits, and the security researcher can be assured that the project cannot arbitrarily downgrade the program based on theoretical counter measures, such as a [chain rollback. ](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract, Critical\n- Smart Contract, High\n- Smart Contract, Medium\n- Smart Contract, Low\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Wildcat Protocol team directly and are denominated in USD. However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"wildcatprotocol","updatedDate":"2024-11-18T11:26:29.989Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn"],"responsiblePublicationCategory":"category_2","description":"The Wildcat Protocol is a hands-off credit facilitation protocol that enables the deployment of markets by pre-authorised (KYC’d through protocol) borrowers. Market parameters are arbitrarily parameterisable subject to these parameters falling within the bounds of controllers registered with the protocol registry. 
Borrowers must - at present - select their own lender lists explicitly.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of 
funds"}],"rewards":[{"id":6111,"severity":"high","assetType":"smart_contract","maxReward":7500,"minReward":5000,"rewardModel":"range"},{"id":6112,"severity":"medium","assetType":"smart_contract","fixedReward":3000,"rewardModel":"fixed"},{"id":6113,"severity":"low","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":8280,"severity":"critical","assetType":"smart_contract","maxReward":10000,"minReward":7500,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"3rQN5UPPmuzKfGeq4fXvly","url":"https://etherscan.io/address/0xD721A90dd7e010c8C5E022cc0100c55aC78E0FC4","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"AddressRegistry","isPrimacyOfImpact":null},{"id":"5rtTjU57G4tpy9dWPY0Jkx","url":"https://etherscan.io/address/0x226124E83868812D3Dae87eB3C5F28047E1070B7","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"LockManager","isPrimacyOfImpact":null},{"id":"4lCK8z1wyNFdGK9kcz2fEv","url":"https://etherscan.io/address/0x120a3879da835A5aF037bB2d1456beBd6B54d4bA","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"RevestToken","isPrimacyOfImpact":null},{"id":"dW8gb7KEJhRp288ePGv26","url":"https://etherscan.io/address/0xA81bd16Aa6F6B25e66965A2f842e9C806c0AA11F","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"TokenVault","isPrimacyOfImpact":null},{"id":"3D5guC4ChhrvKnb3D0d6fV","url":"https://etherscan.io/address/0x412c1197E1d7F1C0FDF22998737D3E329eF42F1B","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":2,"description":"Revest","isPrimacyOfImpact":null},{"id":"7yjeqmaETuS3FMxvGYqsgJ","url":"https://etherscan.io/address/0xa4e7f2a1edb5ad886baa09fb258f8aca7c934ba6","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"RewardsHandler","isPrimacyOfImpact":null},{"id":"3MisLAAfdXf0qmINouGTVG","url":"https://ethers
can.io/address/0xe952bda8c06481506e4731C4f54CeD2d4ab81659","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"FNFTHandler","isPrimacyOfImpact":null},{"id":"7EyuoJSRvIV0g9ogkFkvze","url":"https://etherscan.io/address/0xED232B965F7d4162F64cD820Cd042Da2a4B0db18","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":2,"description":"MetadataHandler","isPrimacyOfImpact":null},{"id":"6IMzdhD8DSJ3IvsoMum2Ih","url":"https://etherscan.io/address/0xED941C481A6F602e47C871A6Ac53fcE4798cD992","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":2,"description":"ChainlinkOracleDispatch","isPrimacyOfImpact":null},{"id":"4r9kBZKeGNlTfmZtowtQuX","url":"https://etherscan.io/address/0xeb3bc40acebabf62d31b0d52fe3ff327b7c82cbc","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"Binary Combo Lock","isPrimacyOfImpact":null},{"id":"1ihp5djUg46xslWDGtMTGr","url":"https://etherscan.io/address/0xfd7e5a314b46b41a97d0c5ee6f2a9559e877a756","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"Supply Lock","isPrimacyOfImpact":null},{"id":"57ZwojFInmlSb1Q0eUjFCp","url":"https://etherscan.io/address/0x07317ed9204c9e76df03f106ceffd5b021c5f6a5","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"Admin Time Lock","isPrimacyOfImpact":null},{"id":"1mR0DXIWv1EHv9f06fehio","url":"https://etherscan.io/address/0x86169239aeeedefb9a571c952b809f2681c0e209","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"Staking","isPrimacyOfImpact":null},{"id":"1rSFAXQZrVCn1q95oZLWa1","url":"https://ftmscan.com/address/0xb80f5a586bc247d993e6dbacd8add211ec6b0ca5","type":"smart_contract","addedAt":"2022-04-21T18:30:00.000Z","revision":1,"description":"Revest-Liquid Driver 
Integration","isPrimacyOfImpact":null},{"id":"5e0TThGJ7Fm1sPvq1ODHHD","url":"http://revest.finance/","type":"websites_and_applications","addedAt":"2022-05-02T18:12:01.065Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"3leUpVcCqyiDp6N9cAwrYo","url":"https://app.revest.finance/","type":"websites_and_applications","addedAt":"2022-05-02T18:12:25.338Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"buiDR4MlpsuM7vbU0lInU","url":"https://github.com/Revest-Finance/RevestAPI","type":"websites_and_applications","addedAt":"2022-05-02T18:12:48.488Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf any Critical or High severity impact can be caused to any other asset managed by Revest that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","ETH","Fantom","Optimism","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-04-21T18:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/oEI86MyqQE32RNCaYIwcF/76d447372eee111fc91728c8b1e167cd/Revest_Logo.svg","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts__\n\nCritical\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Miner-extractable value (MEV)\n  - Protocol Insolvency\n  - Reentrancy attacks that steal user value\n  - Gaining control of contracts (ownership)\n  - Utilization of IOutputReceiver, IOutputReceiverV2, and IOutputReceiverV3 callbacks to enable malicious reentrancy attacks that steal user funds from TokenVault\n  - Ability to mint or burn more NFTs than are intended in a way that allows for theft of user funds\n  - Ability to mint or burn NFTs from an unauthorized address\n\nHigh\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds for at least one hour \n  - Remapping of user-positions to make value temporarily inaccessible\n  - Malicious modification of locks to either:\n  - Enable the early-release of funds (including through oracle manipulation)\n  - Delay the intended release of funds\n  - Utilization of IOracleDispatch callbacks to enable malicious reentrancy attacks\n  - Utilization of IAddressLock callbacks to enable malicious reentrancy attacks \n  - Manipulation of oracle to lead to early or delayed release of value\n\nMedium\n  - Smart contract unable to operate due to lack of token funds \n  - Block stuffing for profit\n  - Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)\n  - Theft of gas\n  - Unbounded gas consumption\n\nLow\n  - Smart contract fails to deliver promised returns, but doesn’t lose value\n\n__Web/App__\n\nCritical\n  - Execute arbitrary system commands\n  - Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and private keys (this does not include non-sensitive environment variables, open source code, or usernames)\n  - Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as changing registration information, commenting, voting, making trades, withdrawals, etc.\n  - Subdomain takeover with already-connected wallet interaction\n  - Direct theft of user funds\n  - Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions\n\nHigh\n  - Taking down the application/website","productType":["Staking"],"programOverview":"Revest Finance proposes a new protocol for the packaging, transfer, and storage of fungible ERC-20 tokens as non-fungible tokenized financial instruments, leveraging the ERC-1155 Non-Fungible Token (NFT) standard for ease of access and universality of commerce. \n\nUsing this product, ownership of underlying assets may be traded in ways that do not affect the value of the underlying asset, leading to a new meta-layer of commerce. 
Discover the mechanics, governance, and monetization of this protocol with targeted use-cases.\n\nFor more information about Revest, please visit [https://revest.finance/](https://revest.finance/).","programType":["Smart Contract","Websites and Applications"],"project":"Revest","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll Critical/High severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. In addition, Critical bug reports must also come with a suggestion for a fix in order to be considered for a reward. \n\nThe following known issues are considered to be out of scope of this program: \n  - All previously highlighted issues in the audit report here: [https://solidity.finance/audits/Revest/](https://solidity.finance/audits/Revest/)\n  - A reentrancy vulnerability in FNFTHandler, where the active contract is currently being replaced (However, any new variations of attacks that can be executed on the new active contract would still be considered as in scope). \n  - A known vulnerability in TokenVault within the “handleMultipleDeposits” method. This is understood, documented, and will never be called by live code.\n  - Any bugs relating to vulnerabilities in their oracles and the UniswapV3 oracle full coverage problem (Impacted oracles are currently disabled from their UI). 
Vulnerability is understood to never lead to theft-of-value, only early-unlocks.\n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of __USD 50 000__ for Critical smart contract bug reports. \n\nCritical website and application bug reports will be rewarded with __USD 30 000__ only if the impact leads to a direct loss in funds or a manipulation of the votes or the voting result, as well as the modification of its display leading to a misrepresentation of the result or vote. All other impacts that would be classified as Critical would be rewarded no more than __USD 10 000__.\n\nPayouts are handled by the __Revest__ team directly and are denominated in USD. However, payouts are done in __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"revest","updatedDate":"2024-11-18T09:46:55.665Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Revest Finance proposes a new protocol for the packaging, transfer, and storage of fungible ERC-20 tokens as non-fungible tokenized financial instruments, leveraging the ERC-1155 Non-Fungible Token (NFT) standard for ease of access and universality of commerce. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- Misconfigured SPF/DMARC records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":2401,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":2402,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least one hour"},{"id":2403,"type":"smart_contract","severity":"high","title":"Remapping of user-positions to make value temporarily inaccessible"},{"id":2404,"type":"smart_contract","severity":"high","title":"Malicious modification of locks to enable the early-release of funds (including through oracle manipulation)"},{"id":2405,"type":"smart_contract","severity":"high","title":"Malicious modification of locks to delay the intended release of funds"},{"id":2406,"type":"smart_contract","severity":"high","title":"Utilization of IAddressLock callbacks to enable malicious reentrancy attacks"},{"id":2407,"type":"smart_contract","severity":"high","title":"Utilization of IOracleDispatch callbacks to enable malicious reentrancy attacks"},{"id":2408,"type":"websites_and_applications","severity":"high","title":"Taking down the application/website"},{"id":2409,"type":"smart_contract","severity":"high","title":"Manipulation of oracle to lead to early or delayed release of value"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token 
funds"},{"id":2410,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":2411,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":2412,"type":"smart_contract","severity":"critical","title":"Reentrancy attacks that steal user value"},{"id":2413,"type":"smart_contract","severity":"critical","title":"Utilization of IOutputReceiver, IOutputReceiverV2, and IOutputReceiverV3 callbacks to enable malicious reentrancy attacks that steal user funds from TokenVault"},{"id":2414,"type":"smart_contract","severity":"critical","title":"Gaining control of contracts (ownership)"},{"id":2415,"type":"smart_contract","severity":"critical","title":"Ability to mint or burn more NFTs than are intended in a way that allows for theft of user funds"},{"id":2416,"type":"smart_contract","severity":"critical","title":"Ability to mint or burn NFTs from an unauthorized address"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":2417,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and private keys(this does not include non-sensitive environment variables, open source code, or 
usernames)"},{"id":2418,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":2419,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"}],"rewards":[{"id":6055,"severity":"high","assetType":"smart_contract","maxReward":40000,"rewardModel":"up_to"},{"id":6056,"severity":"medium","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":6057,"severity":"low","assetType":"smart_contract","maxReward":1000,"rewardModel":"up_to"},{"id":6058,"severity":"critical","assetType":"websites_and_applications","maxReward":30000,"rewardModel":"up_to","otherImpactMaxReward":0},{"id":6059,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":8274,"severity":"critical","assetType":"smart_contract","maxReward":100000,"rewardModel":"up_to","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"21btOo3h0jPg5kq4VGDc02","url":"https://github.com/neo-project/neo","type":"blockchain_dlt","addedAt":"2022-02-10T10:38:42.416Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"7CuK6JOuVnXeUdgTgAzsxz","url":"https://github.com/neo-project/neo-vm","type":"blockchain_dlt","addedAt":"2022-02-10T10:38:47.061Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"22r6KHyTHaoZ2pMRPMmQFh","url":"https://gi
thub.com/neo-project/neo-compiler","type":"blockchain_dlt","addedAt":"2022-02-10T10:38:49.493Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"1F3780h6koRE9LZX4qzq6e","url":"https://github.com/neo-project/neo-gui","type":"blockchain_dlt","addedAt":"2022-02-10T10:38:52.141Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6MfLlE77vG7XVUGPFaKbq6","url":"https://github.com/neo-project/neo-devpack-dotnet","type":"blockchain_dlt","addedAt":"2022-02-10T10:38:55.963Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6HSDPDtK0QDGahIUT6VEWL","url":"https://github.com/neo-project/neo-node","type":"blockchain_dlt","addedAt":"2022-02-10T10:38:58.761Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"2pQdrZVMJdIq7OgnUPMaPG","url":"https://github.com/neo-project/neo-modules","type":"blockchain_dlt","addedAt":"2022-02-10T10:39:01.443Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["C#"],"launchDate":"2022-01-07T04:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/58geaDlgfAExuX3WhGHYI/3d1a9283f18f6a95528789acd9cfd89c/OCDuOiZ__400x400.png","maxBounty":10000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Vulnerabilities fitting any of the following descriptions are not eligible for rewards:\n  - Vulnerabilities that have already been published or are otherwise known.\n  - Vulnerabilities that the reporter discloses publicly before Neo has fixed or published them; in that case the reward is void.\n  - Submissions from participants who use the reported vulnerability to damage the Neo ecosystem, harm users' interests or steal users' assets; such participants will 
be disqualified from rewards, and Neo reserves the right to take legal action.","productType":["L1"],"programOverview":"Neo is a distributed network which utilizes blockchain technology and digital identity to digitize assets and automate the management of digital assets using smart contracts. The Neo network has two tokens: NEO, representing the right to manage the Neo blockchain, and GAS, representing the right to use the Neo blockchain.\n\nThe purpose of the Neo vulnerability bounty program is to be proactive about blockchain security by providing a channel for security researchers to report potential security vulnerabilities identified in our underlying infrastructure. Anyone who finds a vulnerability can submit a bug report through Immunefi. Neo will investigate eligible reports and fix valid issues. All rewards will be paid in the equivalent amount of NEO.\n\nNote: higher rewards may be paid for vulnerabilities of particular interest or criticality. Before reporting any issues, please read the disclosures below on responsibilities, program rules, and reporting requirements.\n\nFor more information about Neo, please visit [https://neo.org/](https://neo.org/).\n\nThis bug bounty program has a different reward timeline than other bug bounty programs on Immunefi, though the 48 hours for acknowledgement is observed. Please check the “Program Rules and Response Terms” section for more information.","programType":["Blockchain/DLT"],"project":"Neo","projectType":["Blockchain"],"rewardsBody":"Bounties are paid out after a risk assessment ([OWASP risk rating methodology](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology)) has been made by the Neo DAU team. There are four severity levels: Critical, High, Medium and Low. All rewards will be paid in the equivalent amount of NEO. 
Roughly speaking, we calculate the severity of an issue with the following formula:\n\nSeverity = Impact * Likelihood\n\nBase bounty amounts related to severity are as follows:\n\n| Vulnerability Severity | Bounty | Example |\n| :-- | :-: | --: |\n| **Critical** | Up to $10,000 | Issues leading to severe asset loss |\n| **High** | Up to $5,000 | Issues leading to total network failure |\n| **Medium** | Up to $2,000 | Single node failure |\n| **Low** | Up to $500 | Other valid issues |\n\nTo be eligible for a reward, bug bounty hunters must never attempt to access anyone else's data and must not engage in any activity that would disrupt or damage the Neo production network or test network; test against your own private chain on a private network instead. The full rules of the bug bounty program, which must be followed, can be found further below.\n\nAll bug reports must include the following in the report:\n  - Asset - What software asset the vulnerability is related to (e.g. Neo core software/products)\n  - Severity - Your opinion on the severity of the issue (e.g. high, moderate, low)\n  - Summary - A summary of the vulnerability\n  - Description - Any additional details about this vulnerability\n  - Steps - Steps to reproduce, detailed enough that Neo staff or the technical team can follow every step\n  - Supporting Material/References - Source code to replicate the issue, plus any additional material (e.g. screenshots, logs, etc.)\n  - Impact - What security impact could an attacker achieve?\n  - Your name and country.\n\nNeo may require more KYC information to be submitted over the Immunefi bug reporting dashboard at its discretion.\n\nPayouts are handled by the __Neo__ team directly and are denominated in USD. 
However, payouts are done in __NEO__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"NEO","slug":"neo","tenPercentEconomicRule":false,"updatedDate":"2024-11-15T10:52:46.416Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Neo is a distributed network which utilizes blockchain technology and digital identity to digitize assets and automate the management of digital assets using smart contracts. Neo network has two tokens, NEO representing the right to manage Neo blockchain and GAS representing the right to use the Neo Blockchain.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"The level of feedback on its website and social media channels. Rewards will be distributed within three (3) days following the official announcement. Neo reserves the right to the final interpretation of the event.\n\nTo be eligible for a reward, submitters must abide by the following rules:\n  - Only stability and security issues in the design and implementation are in scope; vulnerabilities in the Neo website and related infrastructure on the Neo blockchain are out of scope. Find more details at the Scope of Vulnerability Bounty Program.\n  - Submitted reports must contain detailed reproduction steps; reports without them will be excluded from rewards. 
The more detailed the proof and description of the vulnerability, the higher the reward.\n  - If the same vulnerability is reported by multiple researchers, the reward goes to the first report received.\n  - Multiple issues stemming from one underlying vulnerability are counted as a single vulnerability, e.g. a series of computing errors caused by a data overflow.","customProhibitedActivities":[],"impacts":[{"id":1609,"type":"blockchain_dlt","severity":"low","title":"Any other low (OWASP) issue"},{"id":1610,"type":"blockchain_dlt","severity":"high","title":"Issues leading to total network failure"},{"id":1611,"type":"blockchain_dlt","severity":"medium","title":"Single node failure"},{"id":1612,"type":"blockchain_dlt","severity":"critical","title":"Issues leading to severe asset loss"}],"rewards":[{"id":3269,"severity":"critical","assetType":"blockchain_dlt","maxReward":10000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":3270,"severity":"high","assetType":"blockchain_dlt","maxReward":5000,"rewardModel":"up_to"},{"id":3271,"severity":"medium","assetType":"blockchain_dlt","maxReward":2000,"rewardModel":"up_to"},{"id":3272,"severity":"low","assetType":"blockchain_dlt","maxReward":500,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"4rtpxvLC8IbNqgQJZ18AXQ","url":"https://etherscan.io/address/0xc1f33e0cf7e40a67375007104b929e49a581bafe","type":"smart_contract","addedAt":"2022-12-22T23:00:00.000Z","revision":1,"description":"SPOT ERC-20","isPrimacyOfImpact":null},{"id":"2dObx6d73jQk2tsqNupyNA","url":"https://etherscan.io/address/0x38f600e08540178719bf656e6b43fc15a529c393","type":"smart_contract","addedAt":"2022-12-22T23:00:00.000Z","revision":1,"description":"Router","isPrimacyOfImpact":null},{"id":"7AThHGnCj7iOaeQAEk30aV","url":"https://etherscan.io/address/0x2b135C839d61808E1eC6F84151CD9429B0920374","type":"smart_contract","addedAt":"2022-12-22T23:00:00.000Z","revision":2,"description":"Bond 
Factory","isPrimacyOfImpact":null},{"id":"1Wqs6AZM262jUCVatkxpi1","url":"https://etherscan.io/address/0x2E2E49eDCd5ce08677Bab6d791C863f1361B52F2","type":"smart_contract","addedAt":"2022-12-22T23:00:00.000Z","revision":2,"description":"Bond Issuer","isPrimacyOfImpact":null},{"id":"2LXCIyQgiFnr6ofpAgnz1A","url":"https://app.spot.cash","type":"websites_and_applications","addedAt":"2022-12-22T23:00:00.000Z","revision":1,"description":"Web/App","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nKnown issues highlighted in the following audit reports are considered out of scope: \n\n- [https://github.com/ampleforth/ampleforth-audits/tree/master/spot/v1.0.0](https://github.com/ampleforth/ampleforth-audits/tree/master/spot/v1.0.0)\n\nThe following known issues are also considered out of scope of this program: \n\n- MEV around rebases\n- Insolvency\n\nIf an impact can be caused to any other asset managed by SPOT that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity","Typescript"],"launchDate":"2022-12-22T23:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6rCsA47lat2NRRvjQNB1cE/bd1a3c990aabecec1ea6ed43daf18b8d/Screenshot_2024-11-15_at_1.35.17___AM.png","maxBounty":10000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Derivatives"],"programOverview":"SPOT is a perpetual note backed by fully collateralized AMPL derivatives. SPOT can fulfill many properties of modern day stablecoins but is not pegged to any particular value. Its price will likely float within a range similar to AMPL and you can think of SPOT as a derivative that strips away most of AMPL's supply volatility.\n\nFor more information about SPOT, please visit [https://app.spot.cash  ](https://app.spot.cash)","programType":["Smart Contract","Websites and Applications"],"project":"SPOT","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nPayouts are handled by the __SPOT__ team directly and are denominated in USD. However, payouts are done in __AMPL, SPOT, ETH, USDC__, or __USDT__ at the choice of the whitehat.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"AMPL, SPOT, ETH, USDC, or USDT","slug":"spot","updatedDate":"2024-11-14T20:35:54.712Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"SPOT is a perpetual note backed by fully collateralized AMPL derivatives. SPOT can fulfill many properties of modern day stablecoins but is not pegged to any particular value. 
Its price will likely float within a range similar to AMPL and you can think of SPOT as a derivative that strips away most of AMPL's supply volatility.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Issues related to the frontend without concrete impact and PoC\n- Best practices issues without concrete impact and PoC\n- Best practice critiques\n","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":3771,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":3772,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":3773,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":3774,"type":"smart_contract","severity":"medium","title":"Block stuffing for 
profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":3775,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":3776,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":3777,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":3778,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":3779,"type":"websites_and_applications","severity":"critical","title":"Malicious 
interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"},{"id":3780,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through NFT metadata"}],"rewards":[{"id":5659,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":5660,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":5661,"severity":"critical","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"},{"id":5662,"severity":"high","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed"},{"id":8259,"severity":"critical","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"6U0UTSunatG5iIugyhZl9c","url":"https://etherscan.io/address/0xf621Fb08BBE51aF70e7E0F4EA63496894166Ff7F#code","type":"smart_contract","addedAt":"2022-08-18T09:30:00.000Z","revision":2,"description":"MetaRouter","isPrimacyOfImpact":null},{"id":"3s1cHutA02JIUYEZAOX6Zn","url":"https://etherscan.io/address/0xfCEF2Fe72413b65d3F393d278A714caD87512bcd#code","type":"smart_contract","addedAt":"2022-08-18T09:30:00.000Z","revision":2,"description":"MetaRouterGateway","isPrimacyOfImpact":null},{"id":"6Oo6MfLNkMgWQNKUwf9iUp","url":"https://bscscan.com/address/0x44487a445a7595446309464A82244B4bD4e325D5#code","type":"smart_contract","addedAt":"2022-08-18T09:30:00.000Z","revision":2,"description":"MetaRouter","isPrimacyOfImpact":null},{"id":"1giLh98n7NjgKqIOdSRENy","url":"https://bscscan.com/address/0x5c97D726bf5130AE15408cE32bc764e458320D2f#code","type":"smart_contract","addedAt":"2022-08-18T09:30:00.000Z","revision":2,"description":"MetaRouterGateway","isPrimacyOfImpact":null},{"id":"3O5ALoL4pZtEMWBuxpCJE5","url":"https://snowtrace.io/address/0x6F0f6393e45fE0E7215906B6f9cfeFf53EA139cf#code","type":"smart_contract","
addedAt":"2022-08-18T09:30:00.000Z","revision":2,"description":"MetaRouter","isPrimacyOfImpact":null},{"id":"2xg5EsZfGkR3uZevqmREnl","url":"https://snowtrace.io/address/0x4cfA66497Fa84D739a0f785FBcEe9196f1C64e4a#code","type":"smart_contract","addedAt":"2022-08-18T09:30:00.000Z","revision":4,"description":"MetaRouterGateway","isPrimacyOfImpact":null},{"id":"315gDhhMWmJkzSOGe0ZbZi","url":"https://polygonscan.com/address/0xa260E3732593E4EcF9DdC144fD6C4c5fe7077978#code","type":"smart_contract","addedAt":"2022-08-18T09:30:00.000Z","revision":2,"description":"MetaRouter","isPrimacyOfImpact":null},{"id":"2nJ8klFdFbAD3QmYs1swfa","url":"https://polygonscan.com/address/0xAb83653fd41511D638b69229afBf998Eb9B0F30c#code","type":"smart_contract","addedAt":"2022-08-18T09:30:00.000Z","revision":2,"description":"MetaRouterGateway","isPrimacyOfImpact":null}],"assetsBodyV2":"Only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Avalanche","BSC","ETH","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-08-18T09:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1iaWGdtWL8bWK160VFHjey/fed9cc2230e6ca767667c230eac6f52c/Screenshot_2024-11-15_at_12.57.39___AM_Small.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["AMM","Bridge","Crosschain Liquidity","DAO","DEX"],"programOverview":"Symbiosis is a cross-chain engine and interchain communication Protocol.\nOur know-how — any to any token swaps regardless of the blockchain networks, both EVM and non-EVM supported. \n\nBesides, Symbiosis has presented an [inter-blockchain messaging](https://medium.com/symbiosis-fi/seamless-cross-chain-interoperability-for-web3-using-symbiosis-b16ee81b54ae) protocol, i.e. can be used to integrate with AAVE, Cream, and virtually any DeFi protocol. A use-case: instant liquidity provision with any token the user has at her hands. \n\nFor seamless integration with third party devs / projects, we have Symbiosis API and SDK.\n\nFor more information about Symbiosis, please visit [https://symbiosis.finance](https://symbiosis.finance/).","programType":["Smart Contract"],"project":"Symbiosis","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nAll Critical severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. In addition, all Critical severity bug reports must also come with a suggestion for a fix to be considered for a reward. 
\n\nAll known issues previously highlighted in the following audit reports are considered out of scope: \n  - [https://github.com/symbiosis-finance/audits](https://github.com/symbiosis-finance/audits) \n\nPayouts are handled by the __Symbiosis__ team directly and are denominated in USD. However, payouts are done in __USDT__(ERC20), __USDT__(BEP20), __USDC__(ERC20) or __USDC__(Polygon), at the discretion of the bug report submitter.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC, USDT","slug":"symbiosis","updatedDate":"2024-11-14T20:25:00.605Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Symbiosis is a cross-chain engine and interchain communication Protocol. Our know-how — any to any token swaps regardless of the blockchain networks, both EVM and non-EVM supported. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3083,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds (ERC-20 tokens), whether at-rest or in-motion, other than unclaimed yield"},{"id":3084,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds (ERC-20 tokens)"}],"rewards":[{"id":8249,"severity":"critical","assetType":"smart_contract","fixedReward":100000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"12wvfhdsswf00gM1pCzf1D","url":"https://github.com/CoreumFoundation/coreum","type":"blockchain_dlt","addedAt":"2023-12-20T09:00:00.000Z","revision":1,"description":"Coreum Blockchain","isPrimacyOfImpact":null},{"id":"1Xk86mOsoAzvZHMO0XD6BE","url":"https://immunefi.com/","type":"blockchain_dlt","addedAt":"2023-12-20T09:00:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"Unless explicitly listed, only pages of the web/app assets in addition to the direct link are considered in-scope of the bug bounty program. Other subdomains are not considered as in-scope. 
However, for subdomain takeovers that lead to an impact on the in-scope asset, please refer to our page about [Reported Subdomain Takeovers.](https://immunefisupport.zendesk.com/hc/en-us/articles/14352199704593-Reported-Subdomain-Takeovers)\n\nOther helpful links include:\n- Coreum documentation and tutorials - [https://docs.coreum.dev](https://docs.coreum.dev)\n- Coreum smart tokens - [https://docs.coreum.dev/tutorials/smart-tokens/main.html](https://docs.coreum.dev/tutorials/smart-tokens/main.html)\n- Coreum code examples - [https://github.com/CoreumFoundation/tutorials](https://github.com/CoreumFoundation/tutorials)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Go","Rust"],"launchDate":"2023-12-20T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/crJXSyRL6Phpmff7hq91J/cbd0406e1e8ddf23fa6a41837ef228e0/3174316_original.png","maxBounty":25000,"pocPerTypeAndSeverity":["blockchain_dlt - critical","blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low"],"primaryPaymentWallet":"OtherNonEVML1","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1","Wallet"],"programOverview":"Coreum addresses the existing limitations of the current blockchains and empowers a solid foundation for future decentralized projects. 
Coreum’s unique approach is to provide built-in, on-chain solutions to process transactions in a deterministic way to ensure a fast, secure, cheap, and green network for various use cases.\n\nFor more information about Coreum, please visit [https://www.coreum.com/](https://www.coreum.com/)\n\nCoreum provides rewards in COREUM. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nCoreum adheres to the Primacy of Impact for their entire program\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nTestnet and mock files are not covered under the Primacy of Impact.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n\n__Immunefi Standard Badge__\n\nCoreum has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Blockchain/DLT"],"project":"Coreum","projectType":["Blockchain"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. 
\n\nFor critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 25 000, but may also consider subsequent impacts on other projects built on the respective blockchain, as well as PR and brand reputation risk, capped at the maximum critical reward USD 25 000. \n\nTo incentivize security researchers and ensure bug reports are not withheld, a minimum reward USD 3 000  will be provided. \n\nFor Total Network Shutdown, the maximum payment of 25 000 will be rewarded.\n\n__Repeatable Attack Limitations__\n\nIf the blockchain/DLT component where the vulnerability exists can be upgraded/paused/killed, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading, pausing, or in some cases, killing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nAll other impacts that would be classified as Critical would be rewarded a flat amount of USD 3 000. The rest of the severity levels are paid out according to the Impact in Scope table.  \n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. \n- Previously known vulnerabilities in Tendermint(CometBFT) and or/any other fork of these. \n- Previously known vulnerabilities in Cosmos-SDK and or/any other fork of these. \n- Previously known vulnerabilities in CosmWasm and or/any other fork of these. \n- Previously known vulnerabilities in IBC and or/any other fork of these. \n- Any other vulnerabilities that come from Third-Party services and SDKs. 
\n- Public Zero-day vulnerabilities\n- Any issue on the issue tracker: [https://github.com/CoreumFoundation/coreum/issues ](https://github.com/CoreumFoundation/coreum/issues)\n- Any issue found on open pull requests: [https://github.com/CoreumFoundation/coreum/pulls ](https://github.com/CoreumFoundation/coreum/pulls)\n   - The bridge is out of scope - Coreum to XRPL and XRPL to Coreum\n\n__Previous Audits__\n\nCoreum has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports are not eligible for a reward.\n- [https://skynet.certik.com/projects/coreum](https://skynet.certik.com/projects/coreum)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Blockchain/DLT - Critical\n- Blockchain/DLT - High\n- Blockchain/DLT - Medium\n- Blockchain/DLT - Low\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Other Terms and Information__\n\nPayouts are handled by the Coreum team directly and are denominated in USD. However, payouts are done in COREUM. This bug bounty program will have a hard cap of USD 500 000. In the event that multiple bug reports are submitted that exceed this amount, the rewards will be provided on a first come first served basis.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Coreum team directly and are denominated in USD. However, payments are done in COREUM.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability. 
For avoidance of doubt, if the reward amount is USD 5 000 and the average price is USD 1.75 per token, then the reward will be 2857.142857 units of that token.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"COREUM","slug":"coreum","updatedDate":"2024-11-14T13:38:07.228Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Coreum addresses the existing limitations of the current blockchains and empowers a solid foundation for future decentralized projects. Coreum’s unique approach is to provide built-in, on-chain solutions to process transactions in a deterministic way to ensure a fast, secure, cheap, and green network for various use cases.","knownIssues":[],"defaultOutOfScopeBlockchain":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":["- Phishing attacks or scams","- Previously known vulnerabilities in Tendermint(CometBFT) and or/any other fork of these.","- Previously known vulnerabilities in Cosmos-SDK and or/any other fork of these.","- Previously known vulnerabilities in CosmWasm and or/any other fork of these.","- Previously known vulnerabilities in IBC and or/any other fork of these.","- Any other vulnerabilities that come from Third-Party services and SDKs.","- Public Zero-day vulnerabilities","- Denial of service (DoS) / Distributed Denial of Service(DDOS) / Spamming","- Email services configuration DKIM and SPF records.","- Any issue on the issue tracker: [https://github.com/CoreumFoundation/coreum/issues ](https://github.com/CoreumFoundation/coreum/issues)","- Any issue found on open pull requests: [https://github.com/CoreumFoundation/coreum/pulls](https://github.com/CoreumFoundation/coreum/pulls)","- The bridge is out of scope"],"impacts":[{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design 
parameters"},{"id":6,"type":"blockchain_dlt","severity":"high","title":"Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments"},{"id":7,"type":"blockchain_dlt","severity":"high","title":"Causing network processing nodes to process transactions from the mempool beyond set parameters"},{"id":4661,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4662,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires hard 
fork)"}],"rewards":[{"id":5430,"severity":"critical","assetType":"blockchain_dlt","maxReward":25000,"minReward":3000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":5431,"severity":"high","assetType":"blockchain_dlt","fixedReward":3000,"rewardModel":"fixed"},{"id":5432,"severity":"medium","assetType":"blockchain_dlt","fixedReward":2000,"rewardModel":"fixed"},{"id":5433,"severity":"low","assetType":"blockchain_dlt","fixedReward":1000,"rewardModel":"fixed"}],"audits":[]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":true,"immunefiStandard":true,"inviteOnly":true,"kyc":false,"language":["Solidity"],"launchDate":"2021-11-30T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7CCYGOBFsU41GSuxkFGa16/7e0eeb6ee440d7433975d3832e762a74/Tetu_Logo___1_.jpeg","maxBounty":2000,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including rounding errors\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility 
to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces","productType":["Asset Management","DEX","Lending","Token","Yield Aggregator"],"programOverview":"TETU is a DeFi application built on Polygon that implements automated yield farming strategies in order to provide investors with a safe and secure method of receiving high and stable yield on their investments. Tetu's innovative solutions provide automated yield aggregation and distribution through xTETU.\n\nTetu's development focus is to build a self-sustaining yield management ecosystem that provides stable and attractive yields for users. Tetu aims to make the development of automated and decentralized Yield management solutions the main structure of the protocol.\n\nFor more information about Tetu, please visit [https://tetu.io/](https://tetu.io/).  \n\nThis bug bounty program is focused on their smart contracts and app and is focused on preventing:\n\n  - Thefts and freezing of principal of any amount\n  - Thefts and freezing of unclaimed yield of any amount\n  - Theft of governance funds \n  - Governance activity disruption","programType":["Smart Contract"],"project":"Tetu","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll critical smart contract bug reports must come with a PoC and a suggestion for a fix in order to be considered for a reward. 
\n\nCritical smart contract vulnerabilities are further capped at 10% of economic damage, primarily taking into account the funds at risk. However, the maximum reward is capped at USD 2 000, even if 10% of the damage is greater than USD 2 000. \n\nVulnerabilities that require moderator-approved access in order to be exploited will only receive a maximum of 20% of the advertised reward. For Critical Smart Contract and Blockchain vulnerability reports, this 20% is applied after the cap of 10% of economic damage.  \n\nPayouts are handled by the Tetu team directly and are done in USDT.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT","slug":"tetu","tenPercentEconomicRule":true,"updatedDate":"2024-11-13T19:30:35.058Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"TETU is a DeFi application built on Polygon that implements automated yield farming strategies in order to provide investors with a safe and secure method of receiving high and stable yield on their investments. Tetu's innovative solutions provide automated yield aggregation and distribution through xTETU.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":1350,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":30049,"severity":"critical","assetType":"smart_contract","maxReward":2000,"rewardModel":"up_to","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"52mh6YEFW6Zqk1AfPgMuH2","url":"https://bscscan.com/address/0xB562127efDC97B417B3116efF2C23A29857C0F0B","type":"smart_contract","addedAt":"2024-01-24T14:38:31.583Z","revision":1,"description":"DeXe DAO 
","isPrimacyOfImpact":null},{"id":"6yzR6M1bgoeRJ9i7VE2zxu","url":"https://bscscan.com/address/0x46B46629B674b4C0b48B111DEeB0eAfd9F84A1c0","type":"smart_contract","addedAt":"2024-01-24T14:42:38.839Z","revision":1,"description":"ContractsRegistry","isPrimacyOfImpact":null},{"id":"7eTveMwAVnpgKFgYujOkOW","url":"https://bscscan.com/address/0x427a1214f12117b1AD48C817c203c5CF3Eb7E7C4","type":"smart_contract","addedAt":"2024-01-24T14:42:36.717Z","revision":1,"description":"UserRegistry","isPrimacyOfImpact":null},{"id":"1YpSpcgVh5qpCph1tjE1MR","url":"https://bscscan.com/address/0xaB9d2a2347D5fF5B760C0226C52d5C673b8D9e44","type":"smart_contract","addedAt":"2024-01-24T14:42:34.274Z","revision":1,"description":"CoreProperties","isPrimacyOfImpact":null},{"id":"3kf2rGbc2vdboVDRFcFpfN","url":"https://bscscan.com/address/0xc7730074736c10ed0d3F928A10Ee4162DA9a7983","type":"smart_contract","addedAt":"2024-01-24T14:42:32.028Z","revision":1,"description":"PriceFeed","isPrimacyOfImpact":null},{"id":"U9g5NTEqfs2hwRiUt4cSg","url":"https://bscscan.com/address/0x892B3292cF80CB298b7fA20D04EF4732640db404","type":"smart_contract","addedAt":"2024-01-24T14:42:29.919Z","revision":1,"description":"ERC721Expert","isPrimacyOfImpact":null},{"id":"6A6l1YOunoASMXJlYaGxvR","url":"https://bscscan.com/address/0x85f86ef7E72e86BdEAb5F65e2B76A2c551f22109","type":"smart_contract","addedAt":"2024-01-24T14:42:27.995Z","revision":1,"description":"PoolFactory 
","isPrimacyOfImpact":null},{"id":"7BuPqlLi0Gxw5HvQrtd7rt","url":"https://bscscan.com/address/0xFEB26AAB75638440B3CEFe8B10de6118972f9C6B","type":"smart_contract","addedAt":"2024-01-24T14:42:26.238Z","revision":1,"description":"PoolRegistry","isPrimacyOfImpact":null},{"id":"3WfRR1GHvxftZXzOIwr0bT","url":"https://bscscan.com/address/0x41260f637a993ce714Ece1ee9875F489e483e9b3","type":"smart_contract","addedAt":"2024-01-24T14:42:23.362Z","revision":1,"description":"SphereXEngine","isPrimacyOfImpact":null},{"id":"3YUgEkaDoNavKOuwSPY1wn","url":"https://bscscan.com/address/0x4fa2092E32934Dd3823E58C79ceD0e410a5B0D4b","type":"smart_contract","addedAt":"2024-01-24T14:42:20.010Z","revision":1,"description":"PoolSphereXEngine","isPrimacyOfImpact":null},{"id":"4HYfZT6dn9zLJVjQ7E7U4N","url":"https://www.immunefi.com","type":"smart_contract","addedAt":"2024-01-24T14:42:16.634Z","revision":1,"description":"Primacy of Impacts","isPrimacyOfImpact":true}],"assetsBodyV2":"How DEXE Protocol works: [https://whitepaper.dexe.network/](https://whitepaper.dexe.network/)","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":["Vault"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Python","Typescript","Go"],"launchDate":"2024-01-23T20:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5ZQ0i4NAKMQyO19x7Z65k8/257b06a35dfa48dcdb2ec16351267695/71133570.png","maxBounty":500000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["DAO"],"programOverview":"DeXe Protocol is an innovative infrastructure of 50+ smart contracts for building and governing effective DAOs.\n\nFor more information about DeXe Protocol, please visit [dexe.network](https://dexe.network/)\n\nDeXe Protocol provides rewards in __USDC__, denominated in __USD__. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nDeXe Protocol will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n  - Full name \n  - Date of birth\n  - Proof of address (either a redacted bank statement with address or a recent utility bill)\n  - Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nDeXe Protocol adheres to the Primacy of Impact for the following impacts:\n\n  - Smart Contracts: Critical\n  - Smart Contracts: High\n  - Smart Contracts: Medium\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact \nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\n\n__Known Issue Assurance__\n\nDeXe Protocol commits to providing Known Issue Assurance to bug submissions through their program. This means that DeXe Protocol will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Previous Audits__\n\nDeXe Protocol’s completed audit reports can be found in the following links:\n\n  - [https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/README.md](https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/README.md)\n  - [https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/ambisafe-2023-07-18.pdf](https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/ambisafe-2023-07-18.pdf)\n  - [https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/ambisafe-2023-11-10.pdf](https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/ambisafe-2023-11-10.pdf)\n  - [https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/certik-2023-05-04.pdf](https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/certik-2023-05-04.pdf)\n  - 
[https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/cyfrin-2023-11-10.pdf](https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/cyfrin-2023-11-10.pdf)\n  - [https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/hacken-2023-05-22.pdf](https://github.com/dexe-network/DeXe-Protocol/blob/master/audits/hacken-2023-05-22.pdf)\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, DeXe Protocol has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"DeXe Protocol","projectType":["Infrastructure"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is __10%__ of the funds directly affected up to a maximum of __USD 500 000__. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of __USD 10 000__ is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\n  - If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n  - For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to __10%__ of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\n  - High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of __USD 5 000 to USD 10 000__ depending on the funds at risk, capped at the maximum high reward. \n\n  - In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the __DeXe Protocol__ team directly and are denominated in __USD__. All medium rewards will be paid out in __USDC__. All high rewards will be paid out in $DeXe. All critical rewards will be paid out in $DeXe with a 6-month linear vesting schedule.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"dexeprotocol","updatedDate":"2024-11-13T15:46:02.266Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"DeXe Protocol is an innovative infrastructure of 50+ smart contracts for building and governing effective DAOs.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":4735,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":4736,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":8174,"severity":"critical","assetType":"smart_contract","maxReward":500000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"5tsWwDlvDtCHoJKepFuIKF","url":"https://github.com/marinade-finance/liquid-staking-program","type":"smart_contract","addedAt":"2022-02-11T12:54:55.576Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust"],"launchDate":"2021-12-01T18:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2frWdK3ryfQBfzOadBi4xf/4a0a61ac6b3dccfb39bf6474b2e09f1f/Marinade_icon_white.png","maxBounty":250000,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain __\n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - 
Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces","productType":["Staking"],"programOverview":"Marinade.Finance is the first non-custodial liquid staking protocol built on Solana. You can stake your SOL tokens with Marinade and receive \"marinated SOL\" tokens (mSOL) that you can use in decentralized finance (DeFi).\n\nThe price of mSOL goes up relative to SOL each epoch, with rewards being accrued into the underlying staked SOL. Marinade stakes in 400+ validators that are selected automatically by an open-source fair formula based on performance, commission and decentralization.\n\nMarinade includes mSOL->SOL swap, so you can “Unstake Now!” and receive your SOL immediately with a small fee. You can also directly exchange between mSOL and SOL on secondary markets at the current rate. Finally, you can unstake your SOL with zero-fee by waiting 4-6 days for the Solana cool-down period (delayed-unstake). \n\nAs of November 2021, Marinade’s TVL is around 1.5b USD\n\nFor more information about Marinade Finance, please visit [https://marinade.finance/](https://marinade.finance/) and [https://docs.marinade.finance](https://docs.marinade.finance) \n\nThis bug bounty program is focused on their smart contracts and is focused on preventing:\n\n  - Loss of user funds staked (principal) by freezing or theft\n  - Loss of governance funds\n  - Theft of unclaimed yield\n  - Freezing of unclaimed yield\n  - Temporary freezing of funds\n  - Unable to call smart contract","programType":["Smart Contract"],"project":"Marinade","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll smart contract bug reports must come with a PoC in order to be considered for a reward.\n\nCritical vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum of __USD 50 000__ for Critical bug reports.\n\nPayouts are handled by the __Marinade Finance__ team directly and are denominated in USD. However, payouts are done in __mSOL__ and __MNDE__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"mSOL, MNDE","slug":"marinade","tenPercentEconomicRule":true,"updatedDate":"2024-11-12T15:28:47.750Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Marinade.Finance is the first non-custodial liquid staking protocol built on Solana. You can stake your SOL tokens with Marinade and receive \"marinated SOL\" tokens (mSOL) that you can use in decentralized finance (DeFi).","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":1401,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds excluding DOS attacks"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol 
insolvency"}],"rewards":[{"id":4502,"severity":"high","assetType":"smart_contract","maxReward":15000,"rewardModel":"up_to"},{"id":8163,"severity":"critical","assetType":"smart_contract","maxReward":250000,"rewardModel":"up_to","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"5HpruAcPsEvrnDh8tLbL1E","url":"https://etherscan.io/address/0xd0092632b9ac5a7856664eec1abb6e3403a6a36a","type":"smart_contract","addedAt":"2022-02-18T11:55:44.014Z","revision":1,"description":"OneTokenFactory","isPrimacyOfImpact":null},{"id":"Lk2Gzhajg0HcQRqY2i4Vg","url":"https://etherscan.io/address/0x14356bf935d6a62f3b87ab89f729217599bc108d","type":"smart_contract","addedAt":"2022-02-18T11:55:46.709Z","revision":1,"description":"OneTokenV1","isPrimacyOfImpact":null},{"id":"5BW8OE3kra1qBqo37ADe3v","url":"https://etherscan.io/address/0x81c9932bd9a87e454710ef83551ac32dd808630e","type":"smart_contract","addedAt":"2022-02-18T11:55:49.993Z","revision":1,"description":"Basic Null Controller","isPrimacyOfImpact":null},{"id":"7iqVH0J9hdktWFk8G3h1ye","url":"https://etherscan.io/address/0x58254B405E85359Fc7Eb3b8856bA82A4dD7C82E2","type":"smart_contract","addedAt":"2022-02-18T11:55:51.845Z","revision":1,"description":"Incremental Mint Master","isPrimacyOfImpact":null},{"id":"6sDBXwLpwggsNGOCi2ynyG","url":"https://github.com/ichifarm/ichi-oneToken","type":"smart_contract","addedAt":"2022-02-18T11:55:56.824Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"Vulnerabilities affecting the four listed smart contracts are prioritized over the other smart contracts found on the GitHub link. 
Testnet smart contracts and other assets that are not smart contracts are not included in this bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2021-06-17T15:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4sIm0crvpmamzvcEeYiPf3/0b6dd39dc320f99744fb16f6cecf4f28/Ichi.jpeg","maxBounty":50000,"pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Congestion and scalability\n    - including running out of gas\n    - including block stuffing\n    - including susceptibility to frontrunning\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n  - Susceptibility to block timestamp manipulation\n  - Missing access controls / unprotected internal or debugging interfaces","productType":["Stablecoin"],"programOverview":"ICHI is a self-sustaining, community governed platform that enables any other cryptocurrency community to create and govern their own in-house, non-custodial oneToken (a stablecoin valued at $1). \n\nICHI is the governance token of the ichi.org community and platform. 
It is hard capped at 5M tokens.  Each ICHI is a vote on allowed oracles, collateral, investment strategies, etc in exchange for protocol governance rewards.\n\noneTokens are the governance tokens of specific oneToken systems.  Each oneToken is a vote on treasury allocations, specific stablecoins parameters (like minting and redeeming fees), and on adoption programs.\n\nMore information about Ichi can be found on their website, [https://www.ichi.org/](https://www.ichi.org/).  \n\nThis bug bounty program is focused around its smart contracts and is mostly concerned with the prevention of the loss of user funds.","programType":["Smart Contract"],"project":"Ichi","projectType":["Defi"],"rewardsBody":"Rewards for Smart Contract vulnerabilities are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nPayouts are handled by the __ICHI__ team directly and are denominated in USD. However, payouts are done in __USDC__ for rewards up to __USD 10 000__. For payouts greater, the reward is paid in __xICHI__. 
Critical payouts are done over a 6-month period distributed every month with the utilization of a Sablier contract","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"xICHI","slug":"ichi","tenPercentEconomicRule":false,"updatedDate":"2024-11-12T12:44:04.171Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"ICHI is a self-sustaining, community governed platform that enables any other cryptocurrency community to create and govern their own in-house, non-custodial oneToken (a stablecoin valued at $1). ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":581,"type":"smart_contract","severity":"low","title":"Low Smart Contract Impact"},{"id":582,"type":"smart_contract","severity":"high","title":"High Smart Contract Impact"},{"id":583,"type":"smart_contract","severity":"medium","title":"Medium Smart Contract Impact"},{"id":584,"type":"smart_contract","severity":"critical","title":"Critical Smart Contract 
Impact"}],"rewards":[{"id":4313,"severity":"high","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"},{"id":4314,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":4315,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":8153,"severity":"critical","assetType":"smart_contract","fixedReward":50000,"rewardModel":"fixed","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"6BIog3fUoB93zxhc698VpW","url":"https://voyager.online/contract/0x02a85bd616f912537c50a49a4076db02c00b29b2cdc8a197ce92ed1837fa875b","type":"smart_contract","addedAt":"2023-11-22T09:00:00.000Z","revision":2,"description":"Oracle","isPrimacyOfImpact":null},{"id":"742rjptdkZAf6nRxWXIe3v","url":"https://voyager.online/contract/0x024a55b928496ef83468fdb9a5430fe031ac386b8f62f5c2eb7dd20ef7237415","type":"smart_contract","addedAt":"2023-11-22T09:00:00.000Z","revision":2,"description":"PublisherRegistry","isPrimacyOfImpact":null},{"id":"7tnaYPAVjZrvaB5EefH4mb","url":"https://voyager.online/contract/0x49eefafae944d07744d07cc72a5bf14728a6fb463c3eae5bca13552f5d455fd#readContract","type":"smart_contract","addedAt":"2023-11-22T09:00:00.000Z","revision":2,"description":"TWAP/Volatility","isPrimacyOfImpact":null},{"id":"6e50pM12ySv8CccgRgLTxK","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2023-11-22T09:00:00.000Z","revision":1,"description":"Primacy of 
Impact","isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2023-11-22T09:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4oI0gXaVamuG4KdqVG0LC1/fd67ba15a8d6811a385faa1c2a175bf0/Group__3_.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Oracle"],"programOverview":"Pragma is the leading Oracle on StarkNet, recognised for providing the most reliable data feeds to its ecosystem. This network relies on three types of data sources: First Party, Third Party, and On-chain data.\n\nWhat sets the Pragma Oracle infrastructure apart is its entirely on-chain nature. This means that protocols using Pragma benefit from data that matches the verifiability, transparency, and security of the smart contracts they use.\n\nMoreover, Pragma is pioneering computational feeds. These feeds merge its high-quality, real-time market data in unique ways, ensuring that everything remains on-chain and verifiable through the use of zero-knowledge computation.\n\nPragma is the decentralized, transparent and composable oracle network, leveraging  zero-knowledge cryptography. We partner with the biggest market makers and the most liquid exchanges who sign and timestamp their own high quality, robust data and send it directly on-chain. 
Our feeds are live on StarkNet mainnet, where they are powering the next generation of ambitious protocols such as zkLend, Nostra, Carmine and more. \n\nFor more information about Pragma, please visit [pragma.build](https://www.pragma.build/)\n\nPragma provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__\n\nThe provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:\n- Twitter\n- Email\n- Proof of identity (picture next to the Passport/ID)\n\nKYC information is only required on confirmation of the validity of a bug report.   \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nPragma adheres to the Primacy of Impact for the following severity levels:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium\n\nIf a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nAll other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.\n\n__Immunefi Standard Badge__\n\nPragma has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-), which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"Pragma Oracle","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 50 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 5 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.   
\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract + Critical + PoC Required\n- Smart Contract + High + PoC Required\n- Smart Contract + Medium + PoC Required\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. \n- [https://github.com/NethermindEth/PublicAuditReports/blob/main/NM0147-FINAL_PRAGMA.pdf](https://github.com/NethermindEth/PublicAuditReports/blob/main/NM0147-FINAL_PRAGMA.pdf)\n\n__Reward Payment Terms__\n\nPayouts are handled by the Pragma team directly and are denominated in USD. However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"pragmaoracle","updatedDate":"2024-11-11T13:44:29.750Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Pragma is the leading Oracle on StarkNet, recognised for providing the most reliable data feeds to its ecosystem. This network relies on three types of data sources: First Party, Third Party, and On-chain data.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4596,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results."},{"id":4597,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield."},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":4598,"type":"smart_contract","severity":"critical","title":"Allow unauthorized actors to manipulate/publish any data 
entry"}],"rewards":[{"id":3830,"severity":"high","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":3831,"severity":"medium","assetType":"smart_contract","fixedReward":2500,"rewardModel":"fixed"},{"id":8123,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"66ug3UUajXo5kfrOcsWpde","url":"https://polygonscan.com/address/0x47E2aFB074487682Db5Db6c7e41B43f913026544#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"AccessManager","isPrimacyOfImpact":null},{"id":"5Rhqb0Pk5QbA4EJf4gbuXn","url":"https://polygonscan.com/address/0xccd55D27aE681682f5Ed2B04EF21069D4EC24982#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"CashFlowLender koala","isPrimacyOfImpact":null},{"id":"7Lt9tw9SlawC5AzDjqq9KK","url":"https://polygonscan.com/address/0x0917c28B736746F9A32652CD2c66e918Cc9d26C9#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"CashFlowLender koala partner B","isPrimacyOfImpact":null},{"id":"4vc0JHsW9zAmFjRB64H5C","url":"https://polygonscan.com//address/0x1858A315C225a692bA40c3FC7a143362E31A85e8#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"ERC4626CashFlowLender Barker","isPrimacyOfImpact":null},{"id":"3d5CTv2bgwRS7DMSYH6kzs","url":"https://polygonscan.com/address/0x48Ff8B1493c6A3545Aea3F0812f1303E2f958bF4#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"ERC4626CashFlowLender 
Spot","isPrimacyOfImpact":null},{"id":"3rMlQsBnsvNVhOK9BxnaXJ","url":"https://polygonscan.com/address/0xe7DC8CDb94f0A44a930294AcC8F2f28DFD3cdEaE#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"EuroCashFlowLender Revo High","isPrimacyOfImpact":null},{"id":"6Zp7rPlVRnoDOPYPy7p8UR","url":"https://polygonscan.com/address/0x2bB7644221CfcC35A1C99ed7167391Ff82Fe4C08#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"EuroCashFlowLender Revo Low","isPrimacyOfImpact":null},{"id":"3YiLQvaHj9Np2prNlPPCo3","url":"https://polygonscan.com/address/0x1C48Accaf6f8106883AA1973A45F02525652DEfC#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"eToken Jr IZ","isPrimacyOfImpact":null},{"id":"3q4WmzGgy7uZ2bBE7PsWFi","url":"https://polygonscan.com/address/0x8d2Ee82c4172B2138B06b8037d769cBfAf9C0274#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"eToken Jr Koala","isPrimacyOfImpact":null},{"id":"63cMwYsSadOKBT7IpeKBpl","url":"https://polygonscan.com/address/0xE36D6585F0c200195b196C66644C519e7674b476#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"eToken Jr StormStrong","isPrimacyOfImpact":null},{"id":"4BM27JAlhNGzsU4txZDAtJ","url":"https://polygonscan.com//address/0x9F967c614c9573cc4eabE68ae0354E5d11F7eC9D#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"eToken Jr. Barker","isPrimacyOfImpact":null},{"id":"516OHNLbr0wrbCZHoBfOob","url":"https://polygonscan.com/address/0xBC33c283A37d46ABA17BC5F8C27b27242688DeC6#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"eToken Jr. 
Koala BMA","isPrimacyOfImpact":null},{"id":"6J3SH6s8qjq15bPYtGrmvG","url":"https://polygonscan.com/address/0x6A0e61C757e384eB1E4A2b94F7E02E68e4b4515e#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"eToken Jr. Revo","isPrimacyOfImpact":null},{"id":"1TtxHoky8spPk80Wxy4mLF","url":"https://polygonscan.com//address/0x6229D78658305a301E177f9dAEa3a0799fd1528C#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"eToken Jr. Spot","isPrimacyOfImpact":null},{"id":"5qpA4k7Nurn9CueUI4nGMS","url":"https://polygonscan.com/address/0x55bAe6690d46EA94D7F05DF7c80A85E322421fB6#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"eToken Sr","isPrimacyOfImpact":null},{"id":"b19aLueZkpemaULrR3f1S","url":"https://polygonscan.com/address/0xF383eF2D31E1d4a19B3e04ca2937DB6A8DA9f229#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"eToken Sr. 
BMA","isPrimacyOfImpact":null},{"id":"73V6K2NJ9T6pdgJKKwwyFr","url":"https://polygonscan.com/address/0xD74A28274C4B1a116aDd9857FC0E8F5e8fAC2497#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"PolicyPool","isPrimacyOfImpact":null},{"id":"4PYJlMX049wqml3M3zEtWF","url":"https://polygonscan.com//address/0xa5A8c6b6cb08dB75F5d487F0838D0743871d80a7#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"PremiumsAccount Barker","isPrimacyOfImpact":null},{"id":"3DmDJtxTICQPB9yOiehGWR","url":"https://polygonscan.com/address/0x4f43B8F252887F814ED689346fdb5Bd266394520#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"PremiumsAccount IZ","isPrimacyOfImpact":null},{"id":"45Ohyo9M8IblRE2XO8NKl7","url":"https://polygonscan.com/address/0xCCf5C404d32eB6E777088AB13837a1b8dCBA9328#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"PremiumsAccount Koala","isPrimacyOfImpact":null},{"id":"1TSOvN2zeqVucquN8R1LTA","url":"https://polygonscan.com/address/0xc1A74eaC52a195E54E0cd672A9dAB023292C6100#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"PremiumsAccount Koala BMA","isPrimacyOfImpact":null},{"id":"11XP7LJoiz1zbZlyJDc4AT","url":"https://polygonscan.com/address/0x47f35B4876138b5d96FfDed1e46aE6b58E6e7B31#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"PremiumsAccount Revo","isPrimacyOfImpact":null},{"id":"2FSAzTxcbnRsGZYEolvSGc","url":"https://polygonscan.com/address/0x42118Df6EBb18346ca425f1c67AC739E95aD9358#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"PremiumsAccount 
Spot","isPrimacyOfImpact":null},{"id":"1yB0vhyvqKWg3jn4Lo4KbN","url":"https://polygonscan.com/address/0x06347eA3dA6a5B44eEAe3B8F4a65992Ae073e6F4#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"PremiumsAccount StormStrong","isPrimacyOfImpact":null},{"id":"39BC0Z5lUCenGbg4TC6jMK","url":"https://polygonscan.com/address/0x0CE31c3BB29E33afbf8ae8f0912838C9d657AE12#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"QuadrataWhitelist","isPrimacyOfImpact":null},{"id":"6komivbgxZjTKpUAUVBNC3","url":"https://polygonscan.com/address/0x99b2949F4b12bF14F9AD66De374Cd5A2BF6a0C15#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"LPManualWhitelist","isPrimacyOfImpact":null},{"id":"4K5SwC0LzMpOGOpgDPujCP","url":"https://polygonscan.com//address/0x174F4498aF0a5102234Ad24d16Ed6E698E48Fa65","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RestrictedExecutor","isPrimacyOfImpact":null},{"id":"3Y8BGCt8LrBzt9DQXAYp1o","url":"https://polygonscan.com//address/0xA2f279160deBaC2260FFD9e7D43118C9c211683C#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RiskModule Barker","isPrimacyOfImpact":null},{"id":"3Ip1EbtTcUSWhuvon26JgY","url":"https://polygonscan.com/address/0x4D85a3e264bb58Ccfa48607F39Ef01e59893121C#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RiskModule FortuneCredit","isPrimacyOfImpact":null},{"id":"6EJfY6dLLbfQZFX3Qfgdp6","url":"https://polygonscan.com/address/0xa65c9dE776d1f30c095EFF9C775E001a1d366df8#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RiskModule 
koala","isPrimacyOfImpact":null},{"id":"3FFNNYCVqPvLX3j1541ZG5","url":"https://polygonscan.com/address/0x3eaB5b880b83607288744F35E778D60d0cd6539f#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RiskModule Koala BizAway BMA","isPrimacyOfImpact":null},{"id":"3oQz6QNOGskqjTdJGuoQH4","url":"https://polygonscan.com//address/0x37fE456EFF897CB5dDF040A5e95f399EaBc162ca#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RiskModule koala partner B","isPrimacyOfImpact":null},{"id":"2CLzjZKdIOxuQyVpNn8Xbl","url":"https://polygonscan.com/address/0xDfC75aa0CEAb89c40cd4B78E7F4179632fe06e93#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RiskModule Revo High","isPrimacyOfImpact":null},{"id":"6iwRrYgSVIo8mPZxeZ5eci","url":"https://polygonscan.com/address/0x42842f88c3ea0eB39f3303A80a03f7F55DB31b28#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RiskModule Revo Low","isPrimacyOfImpact":null},{"id":"7FZ3HM4zqjm0G19Ym8P4tn","url":"https://polygonscan.com//address/0xe64b6B463c3B3Cb3475fb940B64Ef6f946D6F460#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RiskModule Spot","isPrimacyOfImpact":null},{"id":"1FfFnt4nxb6x40SSwllE0N","url":"https://polygonscan.com/address/0xdad2dFE1450618e1C90c86bdb0895BcFCaDD4Df5#readProxyContract","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"RiskModule StormStrong","isPrimacyOfImpact":null},{"id":"7pkXQ6H7y4ODSfckZn115j","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-01-11T12:00:00.000Z","revision":1,"description":"Primacy of 
impact","isPrimacyOfImpact":true}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-01-11T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3kltb2UQupC7WCpGRmzlrt/a5f82b3d942a3dbe1242589f9e26b8e0/Logo_Mark_copy.png","maxBounty":30000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Insurance Aggregator"],"programOverview":"Ensuro is a blockchain protocol building a decentralized capital provider for insurance risk. We use smart contracts to curate competitive insurance portfolios. We allow anyone to invest in insurance risk and reap its benefits. By opening up the insurance market to new players, we fuel innovation for established and upcoming insurance partners.\n\nFor more information about Ensuro, please visit https://ensuro.co/\n\nEnsuro provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__KYC Requirement__ \n\nEnsuro will be requesting KYC information in order to pay for successful bug submissions. 
The following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nEnsuro adheres to the Primacy of Impact for the following severity level:\n\n- Smart Contract - Critical\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- ERC4626 inflation attack (mitigated by access control)\n- Front run on pool loss by whitelisted LPs\n- Front run on policy creation with offchain signature\n\n__Previous Audits__\n\nEnsuro’s completed audit reports can be found at https://github.com/ensuro/ensuro/tree/main/audits. Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Ensuro has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"Ensuro","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. \n](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 30 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 5 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report. \n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. 
\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if it goes unaddressed.   \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Ensuro team directly and are denominated in USD. However, payments are done in USDC\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. 
No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"ensuro","updatedDate":"2024-11-09T23:12:17.074Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":["no_ofac_sdn","no_official_contributor","no_employee","no_auditor"],"responsiblePublicationCategory":"category_3","description":"Ensuro is a blockchain protocol building a decentralized capital provider for insurance risk. We use smart contracts to curate competitive insurance portfolios. We allow anyone to invest in insurance risk and reap its benefits. By opening up the insurance market to new players, we fuel innovation for established and upcoming insurance partners.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4704,"type":"smart_contract","severity":"low","title":"Theft of gas"},{"id":4705,"type":"smart_contract","severity":"low","title":"Unbounded gas consumption"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":4706,"type":"smart_contract","severity":"high","title":"Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":4707,"type":"smart_contract","severity":"high","title":"Direct theft of non-user funds (for example, Ensuro treasury funds, reserve funds, etc.)"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":4708,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs of active policies, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":3488,"severity":"high","assetType":"smart_contract","maxReward":5000,"minReward":2000,"rewardModel":"range"},{"id":3489,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":3490,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":8104,"severity":"critical","assetType":"smart_contract","maxReward":30000,"minReward":5000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"4SDQco9kV9vhUOsbpYJlHU","url":"https://goerli.etherscan.io/address/0xf3ccc289edd9cc65d7498b23ee95f2fb96e28f37","type":"smart_contract","addedAt":"2024-01-17T21:05:47.000Z","revision":1,"description":"Refinancing.sol","isPrimacyOfImpact":null},{"id":"18D60rHoHKtkRJHhGjJXVa","url":"https://goerli.etherscan.io/address/0x55aa082CbD1Cbbd8E7AEC5eAd57c70c7Ea8983C1","type":"smart_contract","addedAt":"2024-01-17T21:05:47.000Z","revision":1,"description":"RefinancingAdapter.sol","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-01-17T21:05:47.000Z","log
o":"https://images.ctfassets.net/t3wqy70tc3bv/HqwzWvSnmNI9I7cTzrKoN/85160e53c1ed3c39688480b83571e418/NFTfi_logo_copy.png","maxBounty":20000,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"NFTfi is the leading liquidity protocol for NFTs. NFTfi allows NFT owners to use the assets (NFTs) they own to access the liquidity they need by receiving secured loans from liquidity providers, peer-to-peer, in a completely trustless manner.\n\nFor more information about NFTfi, please visit https://www.nftfi.com/ \n\nNFTfi provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Refinancing Feature Description__\n\nRefinancing is a feature that allows the borrower with an existing loan to refinance to a loan with better terms, using the same collateral. \n\nIt works by allowing the borrower with an existing loan to accept any other valid offer on the same collateral. The new offer is typically with a new lender, but could also be with the original lender.\n\n__Refinancing between different types of loans__\n\nThe contracts implementing the feature are one layer above the loan contracts and facilitate refinancing of loans between any of the loan contracts. You can refinance \n\n- a \"Direct loan\" to another \"Direct loan\"\n- a \"collection offer loan\" to another \"collection offer loan\"\n- a \"Direct loan\" to a \"collection offer loan\"\n- a \"collection offer loan\" to another \"Direct loan\"\n\n__Refinancing mechanism__\n\n- The refinancing contract takes over the borrower's loan position by taking ownership of the Obligation Receipt (this requires the borrower to mint the O.R. 
and approve the Refinancing contract to transfer it)\n- The refinancing contract takes out a flashloan from DyDx and pays off the old loan\n- The refinancing contract initiates the new loan using the collateral NFT released from the old loan\n- Based on the relation of the old loan's principal and the new one's, the Refinancing contract either takes the deficit from the borrower or pays out a surplus (in the deficit case, the borrower must approve the transfer of the ERC20)\n- The refinancing contract pays off the flashloan\n- The refinancing contract transfers the borrower rights of the new loan by transferring the O.R. to the borrower of the original loan\n\n__Limitations__\n\nRefinancing is only possible if the original and new loan have the same loan denomination.\n\nIf the currency of the source loan is not supported by DyDx (e.g. wstETH), we do a 2-way swap on Uniswap at the beginning and the end of the process by swapping to WETH.\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nNFTfi adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. 
\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Previous Audits__\n\nNFTfi’s completed audit reports can be found at\n\n- First Refinancing audit - https://drive.google.com/file/d/1hTW5eRUiklZg1_2Xo8zvYUSS-FHxD49r\n- Second Refinancing audit (with added functionality) -  https://drive.google.com/file/d/1SnmYjH-0OYP6Wbu9F5jMb19dD9Mf2ixu\n- Third Refinancing audit (with added functionality) - https://drive.google.com/file/d/1HmKuN25_TYRWGAV9wn07OPK-sOYUKObg \n- Also relevant to this codebase: USDC blacklist vulnerability -  https://drive.google.com/file/d/1vSJ86Ev51sJ56xtU5OZcZ_spgWidiacm\n\nAny unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, NFTfi has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract"],"project":"NFTfi (Testnet Refi)","projectType":["NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs on testnet assets, the reward is paid as a flat amount of USD 20 000. This is because there are no actual funds at risk on the testnet, hence limits objective calculation. \n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. 
This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact.\n\n__Reward Payment Terms__\n\nPayouts are handled by the NFTfi team directly and are denominated in USD. However, payments are done in USDC.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"nftfitestnetrefi","updatedDate":"2024-11-09T20:21:46.614Z","impactsBody":"Impacts that depend on NFTfi registering faulty NFT Adapters, Refinancing adapters, NFT collections or ERC20 loan denominations are out of scope. That is, only impacts in the scope of currently registered and enabled adapters, NFT collections and loan denominations.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"NFTfi is the leading liquidity protocol for NFTs. NFTfi allows NFT owners to use the assets (NFTs) they own to access the liquidity they need by receiving secured loans from liquidity providers, peer-to-peer, in a completely trustless manner.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4709,"type":"smart_contract","severity":"critical","title":"Theft or permanent freezing of NFT loan collateral during the Refinancing process of paying off the old loan and refinancing to a new loan."},{"id":4710,"type":"smart_contract","severity":"critical","title":"Direct theft or permanent freezing of any lender or borrower  funds during the Refinancing process of paying off the old loan and refinancing to a new loan."}],"rewards":[{"id":8103,"severity":"critical","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"5xcksgmilajjYQTHRSs7g3","url":"https://nearblocks.io/address/contract.main.burrow.near#","type":"smart_contract","addedAt":"2023-02-08T18:00:00.000Z","revision":1,"description":"Burrow main contract","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIssues that are not directly caused by bugs in Burrow’s smart contracts should be considered out of scope. This includes:\n1. bad debt due to rapid changing market conditions\n2. 
price manipulation due to external data source exploit","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2023-02-08T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/D7UlWRymDBGzPOH2gUXdC/49de0cd1e1d6cbdc922e162888fa437b/brrr.svg","maxBounty":250000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"Burrow is a decentralized, non-custodial pool-based interest rates platform that enables users to supply assets to earn interest, and to borrow against them to unlock liquidity. Burrow is similar in nature to Aave, Compound, and other pool-based protocols. Burrow runs natively on the NEAR blockchain, a layer 1, proof-of-stake, sharded blockchain with a WebAssembly runtime. The Burrow protocol's smart contracts are written in Rust.\n\nFor more information about Burrow, please visit [https://burrow.finance/](https://burrow.finance/)","programType":["Smart Contract"],"project":"Burrow","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [ Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. 
\n\nAll Critical, High, and Medium bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. In addition, all bug reports must come with a suggestion for a fix in order to be considered for a reward. \n\nRewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 25 000 for Critical smart contract bug reports.\n\nHigh smart contract vulnerabilities are capped at 10% of economic damage, primarily based on value at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward for high vulnerabilities of __USD 5 000__.\n\nMedium smart contract vulnerabilities are capped at 10% of economic damage, primarily based on value at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward for medium vulnerabilities of __USD 1 000__.\n\nKnown issues highlighted in the following audit reports are considered out of scope:\n- [https://docs.burrow.cash/product-docs/introduction/audits-and-risks](https://docs.burrow.cash/product-docs/introduction/audits-and-risks)\n\nBurrow requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. For individuals, the information needed is proof of address and government-issued photo ID for each authorized representative. For companies, the requirements will vary based on the type of the entity. \nPayouts are handled by the __Burrow__ team directly and are denominated in USD. 
However, payouts are done in __USDC__ or __USDT__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC or USDT","slug":"burrow","updatedDate":"2024-11-09T20:05:15.421Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Burrow is a decentralized, non-custodial pool-based interest rates platform that enables users to supply assets to earn interest, and to borrow against them to unlock liquidity. Burrow is similar in nature to Aave, Compound, and other pool-based protocols. Burrow runs natively on the NEAR blockchain, a layer 1, proof-of-stake, sharded blockchain with a WebAssembly runtime.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3838,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns, but doesn’t lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":3839,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 24 hours"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":3840,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":3444,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":5000,"rewardModel":"range"},{"id":3445,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":3446,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":8101,"severity":"critical","assetType":"smart_contract","maxReward":250000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"784h3DEGbl4DwYUahQIrRj","url":"https://github.com/Segment-Finance/protocol/tree/master/packages/protocol/contracts/Comptroller","type":"smart_contract","addedAt":"2024-02-16T08:00:00.000Z","revision":2,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"5IA1OGJaGbMTFgmseGAk3U","url":"https://bscscan.com/address/0x57E09c96DAEE58B77dc771B017de015C38060173","type":"smart_contract","addedAt":"2024-02-16T15:15:55.839Z","revision":1,"description":"Unitroller","isPrimacyOfImpact":null},{"id":"67vAcwyv0tZAtOY2CRybBD","url":"https://bscscan.com/address/0xDEb81884F0405aAa777744A57E8F1097E0C92fa5","type":"smart_contract","addedAt":"2024-02-16T15:16:17.366Z","revision":1,"description":"Comptroller: Diamond","isPrimacyOfImpact":null},{"id":"7cgZtbutAaxIvUlvNfPvq8","url":"https://bscscan.com/address/0xEEBE1ABC85014b114D691Ec1F0d72C38001b3D3D","type":"smart_contract","addedAt":"2024-02-16T15:16:34.794Z","revision":1,"description":"Diamond: 
MarketFacet","isPrimacyOfImpact":null},{"id":"6glEAVl6hsrTCL6TbOcUvC","url":"https://bscscan.com/address/0x07B9b9bDc4DC65F177F7B45320338eC05f47F45E","type":"smart_contract","addedAt":"2024-02-16T15:16:50.101Z","revision":1,"description":"Diamond: PolicyFacet","isPrimacyOfImpact":null},{"id":"3Jm8RdIJEViYY3jMZhyZmL","url":"https://bscscan.com/address/0x674B1C283fF5Ca1Fd7c9Cd4caA0a55311Dd8cd61","type":"smart_contract","addedAt":"2024-02-16T15:17:04.223Z","revision":1,"description":"Diamond: RewardFacet","isPrimacyOfImpact":null},{"id":"4xP7tS4Mn2zMbsl1Rb8zm7","url":"https://bscscan.com/address/0xaDbfba66c5634825a720C2f23bE36ae42367c0bF","type":"smart_contract","addedAt":"2024-02-16T15:17:19.338Z","revision":1,"description":"Diamond: SetterFacet","isPrimacyOfImpact":null},{"id":"1JhDZ4HyKZKAjZo8No7HTk","url":"https://bscscan.com/address/0x8969b89D5f38359fBE95Bbe392f5ad82dd93e226","type":"smart_contract","addedAt":"2024-02-16T15:17:35.966Z","revision":1,"description":"SeToken Delegator: e.g. 
seUSDC","isPrimacyOfImpact":null},{"id":"4NWUFSWKfXpIFi8Zw43MpK","url":"https://bscscan.com/address/0x9c1f9b823b5aa5352831f050178FdD9B3503677F","type":"smart_contract","addedAt":"2024-02-16T15:17:50.582Z","revision":1,"description":"SeToken Delegate","isPrimacyOfImpact":null},{"id":"7Ln4JMYYVp5LvzfBuyAj5x","url":"https://bscscan.com/address/0x3A833e6E977E0442E3CBE911507F8D9178F134B9","type":"smart_contract","addedAt":"2024-02-16T15:18:05.497Z","revision":1,"description":"STreasury","isPrimacyOfImpact":null},{"id":"2DKiGUf9IfwSwXUTfqwmd4","url":"https://bscscan.com/address/0x5de40c1152c990492eaeaeecc4ecaab788bbc4fd","type":"smart_contract","addedAt":"2024-02-16T15:18:19.827Z","revision":1,"description":"SEF","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2024-02-16T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/DaASghpEheyPu5pTRyx1i/f6ed578976877416a788d0a727114b67/SegmentFi_logo.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"Segment Finance, as a decentralized lending and borrowing platform on the BNB and opBNB Chains, extends its functionalities beyond the framework of the initial Compound Protocol fork. It offers not only the default lending-borrowing pool but also features isolated pools. 
These isolated pools are designed to offer specialized lending and borrowing services for a variety of assets, enhancing the platform's flexibility and appeal to a diverse user base.\n\nThe platform's architecture ensures that these isolated pools operate with distinct risk parameters, allowing for tailored risk management strategies. This design is particularly beneficial for assets with varying risk profiles, ensuring that each pool can maintain its stability and security independently of the others.\n\nFurthermore, Segment Finance integrates advanced smart contract functionalities to automate many of the processes involved in lending and borrowing. This includes automatic interest rate adjustments based on supply and demand dynamics, as well as innovative collateral management systems to protect lenders' assets.\n\nIn addition, Segment Finance seeks to innovate in the DeFi space by exploring cross-chain functionalities. This would potentially allow users to lend and borrow assets across different blockchain networks, significantly expanding the platform's utility and reach.\n\nFor more information about Segment Finance, please visit [https://www.segment.finance/.](https://www.segment.finance/)\n\nSegment Finance provides rewards in USDT, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n__KYC Requirement__ \n\nSegment Finance will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:\n- Full name;\n- Affiliated company (if any);\n- E-mail address.\n\n\n__Primacy of Impact vs Primacy of Rules__\n\nSegment Finance adheres to the Primacy of Impact for the following impacts:\n- Smart Contract - Critical\n- Smart Contract - High\n- Smart Contract - Medium \n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. 
This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__Previous Audits__\n\nSegment Finance’s completed audit reports can be found at [https://github.com/verichains/public-audit-reports/blob/main/Verichains%20Public%20Audit%20Report%20-%20Segment%20Finance%20Pool%20Register%20-%20v1.0.pdf](https://github.com/verichains/public-audit-reports/blob/main/Verichains%20Public%20Audit%20Report%20-%20Segment%20Finance%20Pool%20Register%20-%20v1.0.pdf)\n\nAny unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Segment Finance has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Smart Contract"],"project":"Segment 
Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs on testnet assets, the reward is paid as a flat amount of USD 25 000. This is because there are no actual funds at risk on the testnet, which limits objective calculation. \n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\n__Reward Payment Terms__\n\nPayouts are handled by the Segment Finance team directly and are denominated in USD. However, payments are done in USDT.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDT","slug":"segmentfinance","updatedDate":"2024-11-09T19:51:43.962Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Segment Finance, as a decentralized lending and borrowing platform on the BNB and opBNB Chains, extends its functionalities beyond the framework of the initial Compound Protocol fork. 
It offers not only the default lending-borrowing pool but also features isolated pools.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent 
freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":3399,"severity":"high","assetType":"smart_contract","maxReward":25000,"minReward":10000,"rewardModel":"range"},{"id":3400,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":8098,"severity":"critical","assetType":"smart_contract","maxReward":100000,"minReward":25000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"2YHQua8qqhKsxAdf74N7R1","url":"https://snowtrace.io/address/0xb42CfaD450B46FDc9cAC5FBF14Bc2e6091AfC35c","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"ClaimNodeOp","isPrimacyOfImpact":null},{"id":"gNSf51rVqIKVfJ6urV2A6","url":"https://snowtrace.io/address/0x4169CF88c7Ed811E6f6e61917c5b915BeA49476c","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"ClaimProtocolDAO","isPrimacyOfImpact":null},{"id":"5lILCWnI5yWtiSz5qxn9Tf","url":"https://snowtrace.io/address/0xb84fA022c7fE1CE3a1F94C49f2F13236C3d1Ed08","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"MinipoolManager","isPrimacyOfImpact":null},{"id":"48rk1q9wMFCXvsKDukmUDl","url":"https://snowtrace.io/address/0x7fff419c562Dd8b3cf16C335a01CDb37ea1B6a3B","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"MultisigManager","isPrimacyOfImpact":null},{"id":"Y4y1V
VqlzzpTlap4CNqFs","url":"https://snowtrace.io/address/0x9189d18F453b1Ec1F02E40A8e3711334f9eA210B","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"Ocyticus","isPrimacyOfImpact":null},{"id":"3RC0WnUJdPFhhEqF39DKNY","url":"https://snowtrace.io/address/0x30fb915258D844E9dC420B2C3AA97420AEA16Db7","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"Oracle","isPrimacyOfImpact":null},{"id":"B8H98Rt1eunRm87zmAZGO","url":"https://snowtrace.io/address/0xb84fA022c7fE1CE3a1F94C49f2F13236C3d1Ed08","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"ProtocolDAO","isPrimacyOfImpact":null},{"id":"sSBfINKHuHwjsbgJmAV0O","url":"https://snowtrace.io/address/0xAA8FD06cc3f1059b6d35870Bbf625C1Bac7c1B1D","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"RewardsPool","isPrimacyOfImpact":null},{"id":"5bqMrXQnw2dD5a2mcGLeqD","url":"https://snowtrace.io/address/0x1cEa17F9dE4De28FeB6A102988E12D4B90DfF1a9","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"Storage","isPrimacyOfImpact":null},{"id":"3ISOCMiKIHhltzkUewPwnu","url":"https://snowtrace.io/address/0xB6dDbf75e2F0C7FC363B47B84b5C03959526AecB","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"Staking","isPrimacyOfImpact":null},{"id":"3LeQGKrk0Fd6doZbhKt7gr","url":"https://snowtrace.io/address/0xf80Eb498bBfD45f5E2d123DFBdb752677757843E","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"TokenggAVAXImpl","isPrimacyOfImpact":null},{"id":"14cOLwc6edxZS9syKPXIdX","url":"https://snowtrace.io/address/0x5313c309CD469B751Ad3947568D65d4a70B247cF","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"TokenggAVAXProxyAdmin","isPrimacyOfImpact":null},{"id":"4RchpXXTBusXgB9GNI3ZPZ","url":"https://snowtrace.io/address/0xA25EaF2906FA1a3a13EdAc9B9657108Af7B7
03e3","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"TokenggAVAX","isPrimacyOfImpact":null},{"id":"2vf769CFj8TTgjnxsVbsht","url":"https://snowtrace.io/address/0x69260B9483F9871ca57f81A90D91E2F96c2Cd11d","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"TokenGGP","isPrimacyOfImpact":null},{"id":"273gTyTrjZqPTV1ajk9QJj","url":"https://snowtrace.io/address/0xd45Cb6F5AcA41AfAAAeBdBE4EFBA49c1bC41E6BA","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"Vault","isPrimacyOfImpact":null},{"id":"5duZDREd7FnFfYgXwPnIGl","url":"https://snowtrace.io/address/0x6C104D5b914931BA179168d63739A297Dc29bCF3","type":"smart_contract","addedAt":"2024-01-08T13:00:00.000Z","revision":1,"description":"Guardian Multisig","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2024-01-08T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7D8TvOsj4PH1qfO1mbZhyw/99f2c9c83f9fd72a3170ba246fb6917c/token_flat.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"GoGoPool is the first permissionless staking protocol built for Avalanche Subnets, allowing node operators to launch validators cheaper and in one-click using the GGP token. 
Currently, we cater to node operators and liquid stakers.\n\nFor more information about GoGoPool, please visit [https://www.gogopool.com/](https://www.gogopool.com/)\n\nGoGoPool provides rewards in GGP, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nGoGoPool adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page. \n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n- Vulnerability Reports: [https://docs.gogopool.com/security/vulnerability-reports](https://docs.gogopool.com/security/vulnerability-reports)\n\n__Previous Audits__\n\nGoGoPool’s completed audit reports can be found at [https://docs.gogopool.com/security/audits.](https://docs.gogopool.com/security/audits) Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, GoGoPool has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","programType":["Smart Contract"],"project":"GoGoPool","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 50 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 20 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. \n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. 
This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward. \n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 5 000 to USD 20 000 depending on the funds at risk, capped at the maximum high reward.  \n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\n__Reward Payment Terms__\n\nPayouts are handled by the GoGoPool team directly and are denominated in USD. However, payments are done in GGP.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"GGP","slug":"gogopool","updatedDate":"2024-11-09T19:50:55.139Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"GoGoPool is the first permissionless staking protocol built for Avalanche Subnets, allowing node operators to launch validators cheaper and in one-click using the GGP token. 
Currently, we cater to node operators and liquid stakers.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":3429,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":3430,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":8100,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":20000,"rewardModel":"range","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"5V6ZqbTMpuSjZAjW8kRdS9","url":"https://github.com/Cryptorubic/multi-proxy-rubic/blob/master/src/Periphery/ERC20Proxy.sol","type":"smart_contract","addedAt":"2023-07-31T10:00:00.000Z","revision":2,"description":"Smart Contract Sources","isPrimacyOfImpact":null},{"id":"49kXvRNHDMuEdguPi80PI2","url":"https://etherscan.io/address/0x3335733c454805df6a77f825f266e136FB4a3333#code","type":"smart_contract","addedAt":"2023-07-31T10:00:00.000Z","revision":2,"description":"RBC on ETH","isPrimacyOfImpact":null},{"id":"7rQidLE3Z6XNh0Ga2IV0kU","url":"https://arbiscan.io/address/0x3335733c454805df6a77f825f266e136fb4a3333#code","type":"smart_contract","addedAt":"2023-07-31T10:00:00.000Z","revision":2,"description":"RBC on 
ARB","isPrimacyOfImpact":null},{"id":"4GOi9bLiyrBbpNJxkz5HZ2","url":"https://immunefi.com","type":"smart_contract","addedAt":"2023-10-05T15:28:50.818Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"Impacts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production. Any impact that applies to assets not in active use, like test or mock files, are out-of-scope of the bug bounty program unless explicitly mentioned as in-scope. \n\n__Smart Contracts__ \n\n- __Smart Contracts - PoC__, Smart Contract bug reports are required to include a runnable Proof of Concept (PoC) in order to prove impact.  \n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\nWhitehats are highly encouraged to review any potential subdomains and what specific port(s) are in scope. Even though the domain may be the same, different ports may point to different assets. Award not guaranteed but possible.  \n\n\n__Impacts to other assets__\n\nHackers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. 
\n\nIf whitehats can demonstrate a critical impact on code in production for an asset not in scope, Rubic encourages you to submit your bug report using the “primacy of impact exception” asset.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-07-31T10:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4zKQP6ZY7W70qsIOV0gs8m/26da22b1236330cdc5804ee5aa73b4b7/Rubic_logo.jpeg","maxBounty":25000,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are considered out-of-scope and ineligible for payout.","productType":["Crosschain Liquidity","DEX Aggregator"],"programOverview":"Rubic is a Cross-Chain Tech Aggregator for users & dApps. Rubic aggregates 60+ chains, 90+ DEXs & bridges, and enables swapping of 15,500+ assets in 1 click.\t\t\n\nFor more information about Rubic, please visit [https://rubic.exchange/. ](https://rubic.exchange/) \n\n__For Whitehats:__ It is highly recommended that you review the details of this program in full. Although many Bug Bounty programs have standard terms and conditions, each also has their own unique details that are critical to your success.  
\n\nPrior to submitting a report please review the Immunefi [Bug Report Template and Best Practices.](https://immunefisupport.zendesk.com/hc/en-us/articles/12435277406481-Bug-Report-Template)","programType":["Smart Contract"],"project":"Rubic","projectType":["Defi"],"rewardsBody":"__Reward Distribution__\n\nPlease review how rewards are distributed based on the [Immunefi Vulnerability Severity Classification System V2.3.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/) This is a simplified 5-level scale system with separate scales for Smart Contracts and Websites/Apps.\n\n__Payouts and Payout Requirements__\n\nPayouts are handled by the Rubic team directly and are denominated in USD. However, payouts are done in RUBIC. Rubic commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures. \n\nFor the purposes of determining report validity, this is a Primacy of Impact program. \n\nLearn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\n__KYC Requirements__\n\nRubic does not have a Know Your Customer (KYC) requirement for bug bounty payouts. \n\n__Audit Discoveries and Known Issues__\n\nBug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. 
\n\n__Previous audits and known issues can be found at:__\n\n- Audit report - [https://github.com/mixbytes/audits_public/tree/master/Rubic ](https://github.com/mixbytes/audits_public/tree/master/Rubic)","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"RUBIC","slug":"rubic","updatedDate":"2024-11-06T15:35:26.579Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Rubic is a Cross-Chain Tech Aggregator for users & dApps. Rubic aggregates 60+ chains, 90+ DEXs & bridges, and enables swapping of 15,500+ assets in 1 click.\t\t","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Broken link hijacking is out of scope","customProhibitedActivities":["The following activities are prohibited by this bug bounty program. Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team, which may also result in: 1) the forfeiture and loss of access to all bug submissions, and 2) zero payout.","Please note that Immunefi has no tolerance for spam/low-quality/incomplete bug reports, “beg bounty” behavior, and misrepresentation of assets and severity. 
Immunefi exists to protect the global crypto community, not facilitate grift."],"impacts":[{"id":4377,"type":"smart_contract","severity":"critical","title":"Direct theft of ERC20 user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":8092,"severity":"critical","assetType":"smart_contract","fixedReward":25000,"rewardModel":"fixed","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"7dJdyoBbKgVROISZxzmshi","url":"https://etherscan.io/address/0xd0a40eB7FD94eE97102BA8e9342243A2b2E22207","type":"smart_contract","addedAt":"2023-08-25T21:00:00.000Z","revision":2,"description":"DirectLoanOffer","isPrimacyOfImpact":null},{"id":"443blbNgaTtz3SvpqrPbOg","url":"https://etherscan.io/address/0xD0C6e59B50C32530C627107F50Acc71958C4341F","type":"smart_contract","addedAt":"2023-08-25T21:00:00.000Z","revision":2,"description":"DirectLoanCollectionOffer","isPrimacyOfImpact":null},{"id":"CEwHutRSkLFXJerNDDajx","url":"https://sepolia.etherscan.io/address/0xDc7866c27502F251a178f15cFcDaf5F2E086f267#code","type":"smart_contract","addedAt":"2024-03-19T19:48:20.723Z","revision":1,"description":"NFTfiToken","isPrimacyOfImpact":null},{"id":"2oEugVSqaPE0o7VUXHz6D2","url":"https://sepolia.etherscan.io/address/0x8282e8F6486bF4571c85212f7b663b7f3e364AA6#code","type":"smart_contract","addedAt":"2024-03-19T19:48:34.238Z","revision":1,"description":"DistributorRegistry","isPrimacyOfImpact":null},{"id":"4rwwkYcrYJL6nm5o28FbFc","url":"https://sepolia.etherscan.io/address/0x21B370B67ebA2013c8d9852D0353e607559b6312#code","type":"smart_contract","addedAt":"2024-03-19T19:48:48.910Z","revision":1,"description":"DistributorTokenLock","isPrimacyOfImpact":null},{"id":"37GmfPig3syFN4kJbJ5xa","url":"https://sepolia.etherscan.io/address/0x593647b3Af6d9A4ec733Aa61cb9465C1bc8c7f6f#code","type":"smart_contract","addedAt":"2024-03-19T19:49:03.586Z","revision":1,"description":"Ex
ternalTokenLock","isPrimacyOfImpact":null},{"id":"252oFxihwHv3718upK7gz3","url":"https://sepolia.etherscan.io/address/0xe7f463877a15779e85cac25c3ff30b0038452418#code","type":"smart_contract","addedAt":"2024-03-19T19:49:21.067Z","revision":1,"description":"MerkleDistributor(OG)","isPrimacyOfImpact":null},{"id":"6pR6yLMaptg519nvg4uwAO","url":"https://sepolia.etherscan.io/address/0xbF09b56Fa38df4f5E34C84C513484B3E3ca4b661#code","type":"smart_contract","addedAt":"2024-03-19T19:49:57.301Z","revision":1,"description":"MerkleDistributor(S1)","isPrimacyOfImpact":null},{"id":"5X44PKkHUch7isPByUKuLG","url":"https://sepolia.etherscan.io/address/0x8e27f4D8b491401474BD4d1B32707816a803fabd#code","type":"smart_contract","addedAt":"2024-03-19T19:50:12.319Z","revision":1,"description":"MerkleDistributor(S2)","isPrimacyOfImpact":null},{"id":"sJPEUbaygXawjpKMTD9Yu","url":"https://sepolia.etherscan.io/address/0x26cf76A34195aC384a9DEA08746bC68F3d628aE8#code","type":"smart_contract","addedAt":"2024-03-19T19:50:26.605Z","revision":1,"description":"TokenUtilityAccounting","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-08-25T21:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7QcWk4sIEf6d5SiZ1LxUh/01a8a8cd58c1e51eeb6c5b20d68c4ec5/NFTfi_logo_copy.png","maxBounty":20000,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"NFTfi is the leading liquidity protocol for NFTs. NFTfi allows NFT owners to use the assets (NFTs) they own to access the liquidity they need by receiving secured loans from liquidity providers, peer-to-peer, in a completely trustless manner.\n\nFor more information about NFTfi, please visit [https://www.nftfi.com/ ](https://www.nftfi.com/) \n\nNFTfi provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below. \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nNFTfi adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n\n__Immunefi Standard Badge__\n\nNFTfi has satisfied the requirements for the [Immunefi Standard Badge,](https://immunefisupport.zendesk.com/hc/en-us/articles/6427157117713-The-Immunefi-Standard-Badge-) which is given to projects that adhere to our best practices.","programType":["Smart Contract"],"project":"NFTfi","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical smart contract bugs on testnet assets, the reward is paid as a flat amount of USD 20 000. This is because there are no actual funds at risk on the testnet, hence limits objective calculation. \n\n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. 
\n\n- It is possible to create an offer with an editable bundle to steal customer's funds.\n\nThe `PermittedNFTsAndTypeRegistry` ([https://etherscan.io/address/0xadde73498902f61bfcb702e94c31c13c534879ac](https://etherscan.io/address/0xadde73498902f61bfcb702e94c31c13c534879ac)) defines which NFTs are permitted.\n\nThe following address is allowed: **0xf8CB0341563213BF33EaFFc7a6775Ed0Eb6c1401** (`NftfiBundler.sol`)\n\naddress bundle = hub.getContract(ContractKeys.NFTFI_BUNDLER);\nrequire(_loanTerms.nftCollateralContract != bundle, \"Collateral cannot be bundle\");\n\n[https://github.com/NFTfi-Genesis/nftfi.eth/blob/ae6625a0e9dbf4841bda279d0848d4b0512d6fb2/V2/contracts/loans/direct/loanTypes/DirectLoanFixedOffer.sol#L169C17-L169C17](https://github.com/NFTfi-Genesis/nftfi.eth/blob/ae6625a0e9dbf4841bda279d0848d4b0512d6fb2/V2/contracts/loans/direct/loanTypes/DirectLoanFixedOffer.sol#L169C17-L169C17)\n\nIn a practical scenario, the NFTfi frontend will not display offers from the `NftfiBundler.sol` collection but the deployed smart contracts do allow them to be created and accepted.\n\n- Create offers with a wrapped collateral (that can be unwrapped) to steal user funds\nThe `wrapCollateral(...)` function inside the new `DirectLoanFixedOffer.sol` will:\n\n1- Create an NFT that is wrapper for the asset in custody (which can be unwrapped and left empty)\n\n2- Approve the wrapper in the `PermittedNFTsAndTypeRegistry`.\n\n3- Update the loan and set this wrapper as the asset in escrow instead of the NFT.\n\nAfter this loan finishes, the wrapper can be used in other loans - attacker front-runs user calls to `acceptOffer(...)` to empty the wrapper and sends them an empty wrapper.\n\nIn practice the NFTfi front-end will not display offers from this collection (the wrapper) but the deployed smart contracts do allow them to be created and accepted.\n\n- It is possible to have some NFTs change ownership (and state) while in escrow such that the loan cannot be resolved (repaid or 
liquidated) - for example ENS domain names expiring and being re-registered by a new owner while the loan is in progress.\n\n__Previous Audits__\n\nNFTfi has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports are not eligible for a reward.\n- [https://drive.google.com/file/d/1gKMFWlhyPxYICTpNgCHJS4cgFrgB-h05/view?usp=drive_link](https://drive.google.com/file/d/1gKMFWlhyPxYICTpNgCHJS4cgFrgB-h05/view?usp=drive_link)\n- Token audit - https://drive.google.com/file/d/1cJ6DAXcS_DqCJzeZ3w9CvdlWBiFvlBd0/view?usp=sharing\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract - Critical\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules). Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the NFTfi team directly and are denominated in USD. However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"nftfi","updatedDate":"2024-11-05T18:21:27.182Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"NFTfi is the leading liquidity protocol for NFTs. NFTfi allows NFT owners to use the assets (NFTs) they own to access the liquidity they need by receiving secured loans from liquidity providers, peer-to-peer, in a completely trustless manner.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":3811,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs inside escrow in the loan contract"},{"id":3812,"type":"smart_contract","severity":"critical","title":"MerkleDistributors should not allow claims to the locking contract for addresses and amounts not specified in the MerkleRoot (note: funds can be drained by the contract owner at any time)"},{"id":3813,"type":"smart_contract","severity":"critical","title":"TokenLock contracts should not allow funds to be withdrawn to addresses  that did not lock the funds"}],"rewards":[{"id":8091,"severity":"critical","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"1MeobOQNdqGsKJ188CTXoV","url":"https://play.google.com/store/apps/details?id=io.horizontalsystems.bankwallet","type":"websites_and_applications","addedAt":"2022-04-12T02:50:13.993Z","revision":1,"description":"Native Mobile App","isPrimacyOfImpact":null},{"id":"5BX6z2n532WMy5geP0K98b","url":"https://itunes.apple.com/app/bank-bitcoin-wallet/id1447619907?ls=1&mt=8","type":"websites_and_applications","addedAt":"2022-04-12T02:50:16.106Z","revision":1,"description":"Native Mobile 
App","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Kotlin"],"launchDate":"2022-03-04T04:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4aNgN7QLwG3UL0uXAwCJJd/681686d79ae211b93ca98d3e90b98166/Unstoppable_Wallet_logo.png","maxBounty":10000,"pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Apps__\n\n__Critical__\n  - Ability to execute system commands\n  - Extract Sensitive data/files from the server such as /etc/passwd\n  - Bypassing Authentication\n  - Taking Down the application\n  - Redirection of user deposits and withdrawals\n  - Wallet interaction modification resulting in financial loss\n  - Tampering with transactions submitted to the user’s wallet\n  - Submitting malicious transactions to an already-connected wallet\n\n__High__\n  - Spoofing content on the target application (Persistent)\n  - Privilege escalation to access unauthorized functionalities","productType":["Asset Management","Wallet"],"programOverview":"Unstoppable wallet is a non-custodial cryptocurrency asset management application for iOS and Android  with a focus on self-custody, open access to markets and privacy.\n\nFor more information about Unstoppable Wallet, please visit [https://unstoppable.money/](https://unstoppable.money/). 
\n\nThis bug bounty program is focused on their application and is focused on preventing:\n\n  - Ability to execute system commands\n  - Extract Sensitive data/files from the server such as /etc/passwd\n  - Bypassing Authentication\n  - Taking Down the application\n  - Redirection of user deposits and withdrawals\n  - Wallet interaction modification resulting in financial loss\n  - Tampering with transactions submitted to the user’s wallet\n  - Submitting malicious transactions to an already-connected wallet","programType":["Websites and Applications"],"project":"Unstoppable Wallet","projectType":["Blockchain","Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nAll web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope and a suggestion for fix in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.\n\nPayouts are handled by the __Unstoppable Wallet__ team directly and are denominated in USD. 
However, payouts are done in __ETH and BTC__, with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"BTC, ETH","slug":"unstoppablewallet","tenPercentEconomicRule":false,"updatedDate":"2024-11-04T15:55:49.393Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Unstoppable wallet is a non-custodial cryptocurrency asset management application for iOS and Android  with a focus on self-custody, open access to markets and privacy.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":1942,"type":"websites_and_applications","severity":"high","title":"Privilege escalation to access unauthorized functionalities"},{"id":1943,"type":"websites_and_applications","severity":"high","title":"Spoofing content on the target application (Persistent)"},{"id":1944,"type":"websites_and_applications","severity":"critical","title":"Ability to execute system commands"},{"id":1945,"type":"websites_and_applications","severity":"critical","title":"Extract Sensitive data/files from the server such as /etc/passwd"},{"id":1946,"type":"websites_and_applications","severity":"critical","title":"Bypassing Authentication"},{"id":1947,"type":"websites_and_applications","severity":"critical","title":"Taking Down the application"},{"id":1948,"type":"websites_and_applications","severity":"critical","title":"Redirection of user deposits and withdrawals"},{"id":1949,"type":"websites_and_applications","severity":"critical","title":"Wallet interaction modification resulting in financial loss"},{"id":1950,"type":"websites_and_applications","severity":"critical","title":"Tampering with transactions submitted to the user’s wallet"},{"id":1951,"type":"websites_and_applications","severity":"critical","title":"Submitting malicious transactions to an already-connected 
wallet"}],"rewards":[{"id":1744,"severity":"critical","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":1745,"severity":"high","assetType":"websites_and_applications","fixedReward":3000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"3DB2VNokJdoSvqjtqkZsjW","url":"https://etherscan.io/address/0x8a4B4C2aCAdeAa7206Df96F00052e41d74a015CE","type":"smart_contract","addedAt":"2022-04-26T06:44:20.657Z","revision":1,"description":"Staking","isPrimacyOfImpact":null},{"id":"1WA46DjZCBg08oipFYff7z","url":"https://etherscan.io/address/0xCb4A7569a61300C50Cf80A2be16329AD9F5F8F9e","type":"smart_contract","addedAt":"2022-04-26T06:44:42.903Z","revision":1,"description":"State Guardian Network","isPrimacyOfImpact":null},{"id":"5nLnG0Wx6MgDCq5xLUoJhV","url":"https://etherscan.io/address/0xb01fd7Bc0B3c433e313bf92daC09FF3942212b42","type":"smart_contract","addedAt":"2022-04-26T06:44:58.780Z","revision":1,"description":"Staking Rewards","isPrimacyOfImpact":null},{"id":"1FkEsqjxk3UXJkuAmbw1xB","url":"https://etherscan.io/address/0x61f85fF2a2f4289Be4bb9B72Fc7010B3142B5f41","type":"smart_contract","addedAt":"2022-04-26T06:45:17.031Z","revision":1,"description":"Farming Rewards","isPrimacyOfImpact":null},{"id":"7kVBqaSzXfT2Fr2721zVJK","url":"https://etherscan.io/address/0xea129aE043C4cB73DcB241AAA074F9E667641BA0","type":"smart_contract","addedAt":"2022-04-26T06:45:31.053Z","revision":1,"description":"Governance","isPrimacyOfImpact":null},{"id":"6Em3UGxNMH7msTocU4U0io","url":"https://etherscan.io/address/0x5803457E3074E727FA7F9aED60454bf2F127853b","type":"smart_contract","addedAt":"2022-04-26T06:45:43.835Z","revision":1,"description":"Viewer","isPrimacyOfImpact":null},{"id":"3qVHMCLQ3kr9uxHLc7h9vR","url":"https://etherscan.io/address/0x5427FEFA711Eff984124bFBB1AB6fbf5E3DA1820","type":"smart_contract","addedAt":"2022-04-26T06:48:18.213Z","revision":1,"description":"Ethereum 
1","isPrimacyOfImpact":null},{"id":"7z5WgQ8LkqlvhzGq47chjb","url":"https://bscscan.com/address/0xdd90E5E87A2081Dcf0391920868eBc2FFB81a1aF","type":"smart_contract","addedAt":"2022-04-26T06:48:49.711Z","revision":1,"description":"BSC 56","isPrimacyOfImpact":null},{"id":"2I8Th5kRW3Aji1xHLOBDYF","url":"https://arbiscan.io/address/0x1619DE6B6B20eD217a58d00f37B9d47C7663feca","type":"smart_contract","addedAt":"2022-04-26T06:49:10.483Z","revision":1,"description":"Arbitrum 42161","isPrimacyOfImpact":null},{"id":"49dwRd3KKAdTk9tFuJaS3P","url":"https://polygonscan.com/address/0x88DCDC47D2f83a99CF0000FDF667A468bB958a78","type":"smart_contract","addedAt":"2022-04-26T06:49:30.079Z","revision":1,"description":"Polygon 137","isPrimacyOfImpact":null},{"id":"48uRR3EmgF0CGhuewkW8yA","url":"https://snowtrace.io/address/0xef3c714c9425a8F3697A9C969Dc1af30ba82e5d4","type":"smart_contract","addedAt":"2022-04-26T06:49:46.077Z","revision":1,"description":"Avalanche 43114","isPrimacyOfImpact":null},{"id":"A8VjXof5GKVo6oRMiRmNr","url":"https://ftmscan.com/address/0x374B8a9f3eC5eB2D97ECA84Ea27aCa45aa1C57EF","type":"smart_contract","addedAt":"2022-04-26T06:50:00.636Z","revision":1,"description":"Fantom 250","isPrimacyOfImpact":null},{"id":"4AGOrJMPjVEOdZwlqDIxt7","url":"https://optimistic.etherscan.io/address/0x9D39Fc627A6d9d9F8C831c16995b209548cc3401","type":"smart_contract","addedAt":"2022-04-26T06:50:15.099Z","revision":1,"description":"Optimism 10","isPrimacyOfImpact":null},{"id":"4vD18pnJNacsndqZa79Kf8","url":"https://blockexplorer.boba.network/address/0x841ce48F9446C8E281D3F1444cB859b4A6D0738C","type":"smart_contract","addedAt":"2022-04-26T06:50:30.475Z","revision":1,"description":"Boba 288","isPrimacyOfImpact":null},{"id":"2LRNFMtY79rnvqbBQGziLv","url":"https://cbridge.celer.network/#/transfer","type":"websites_and_applications","addedAt":"2022-04-26T06:50:53.362Z","revision":1,"description":"cBridge Web App","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets 
in Scope table are considered as in-scope of the bug bounty program. For cBridge contracts (multiple instances on different chains), there will not be duplicated counting of bugs. One bug that exists in all contracts will be counted as a single bug.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","Base","ETH","Fantom","Moonbeam","Optimism","Polygon"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["JavaScript","Solidity"],"launchDate":"2021-11-18T13:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/13hITYqQMxBrQvjeOzbRhl/b7ca8569a07d3a2212aeac6a92244110/Celer_Logo.jpeg","maxBounty":2000000,"outOfScopeAndRules":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n  - Attacks that the reporter has already exploited themselves, leading to damage\n  - Attacks requiring access to leaked keys/credentials\n  - Attacks requiring access to privileged addresses (governance, strategist)\n\n__Smart Contracts and Blockchain__\n\n  - Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n  - Basic economic governance attacks (e.g. 
51% attack)\n  - Lack of liquidity\n  - Best practice critiques\n  - Sybil attacks\n\n__Websites and Apps__\n\n  - Theoretical vulnerabilities without any proof or demonstration\n  - Content spoofing / Text injection issues\n  - Self-XSS\n  - Captcha bypass using OCR\n  - CSRF with no security impact (logout CSRF, change language, etc.)\n  - Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)\n  - Server-side information disclosure such as IPs, server names, and most stack traces\n  - Vulnerabilities used to enumerate or confirm the existence of users or tenants\n  - Vulnerabilities requiring unlikely user actions\n  - URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)\n  - Lack of SSL/TLS best practices\n  - DDoS vulnerabilities\n  - Attacks requiring privileged access from within the organization\n  - Feature requests\n  - Best practices\n\nThe following activities are prohibited by this bug bounty program:\n\n  - Any testing with mainnet or public testnet contracts; all testing should be done on private testnets\n  - Any testing with pricing oracles or third party smart contracts\n  - Attempting phishing or other social engineering attacks against our employees and/or customers\n  - Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n  - Any denial of service attacks\n  - Automated testing of services that generates significant amounts of traffic\n  - Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["websites_and_applications - critical","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the following types:\n\n__Smart Contracts and Blockchain__ \n\n  - Re-entrancy\n  - Logic errors\n    - including user authentication errors\n  - Solidity/EVM details not considered\n    - including integer over-/under-flow\n    - including unhandled exceptions\n  - Trusting trust/dependency vulnerabilities\n    - including composability vulnerabilities\n  - Oracle failure/manipulation\n  - Novel governance attacks\n  - Economic/financial attacks\n    - including flash loan attacks\n  - Consensus failures\n  - Cryptography problems\n    - Signature malleability\n    - Susceptibility to replay attacks\n    - Weak randomness\n    - Weak encryption\n\n__Websites and Apps__\n\n  - Remote Code Execution\n  - Trusting trust/dependency vulnerabilities\n  - Vertical Privilege Escalation\n  - XML External Entities Injection\n  - SQL Injection\n  - LFI/RFI\n  - Horizontal Privilege Escalation\n  - Stored XSS\n  - Reflective XSS with impact\n  - CSRF with impact\n  - Direct object reference\n  - Internal SSRF\n  - Session fixation\n  - Insecure Deserialization\n  - DOM XSS\n  - SSL misconfigurations\n  - SSL/TLS issues (weak crypto, improper setup)\n  - URL redirect\n  - Clickjacking (must be accompanied with PoC)\n  - Misleading Unicode text (e.g. 
using right to left override characters)","productType":["Crosschain Liquidity","L1","Wallet"],"programOverview":"Celer cBridge is a multi-chain interoperability system that provides the best-in-class cross-chain token bridging experience with deep liquidity for users, highly efficient and easy-to-use liquidity management for both cBridge node operators and Liquidity Providers who do not want to operate cBridge nodes, and developer-oriented features such as general message bridging for cases like cross-chain DEX and NFTs. All of the above is made possible by the Celer State Guardian Network (SGN), a tendermint PoS blockchain that acts as a messaging fabric interconnecting different blockchains. State Guardian Network acts as a sidechain on Ethereum with staking and governance functionality rooted in Ethereum. $CELR validators and delegators are rewarded in the system via block reward and part of the transaction fee generated by cBridge. \n\nFor more information about cBridge architecture, please visit \n\nThis bug bounty program is focused on their smart contracts and app and is focused on preventing:\n\n  - Thefts and permanent freezing of any funds in liquidity pool smart contract or staking contracts\n  - Thefts and permanent freezing of unclaimed yield rewards\n  - The only web vulnerabilities in scope are those which lead directly and unequivocally to loss of user funds, a direct breach of data, and the deletion of site data","programType":["Smart Contract","Websites and Applications"],"project":"Celer","projectType":["Blockchain","Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). 
This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. \n\nThere are some modifications from the above Severity Classification for this bug bounty program:\n\nCritical Level Security - Modified: \n  - Empty or permanent freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, MEV, logic errors, integer over-/under-flow)\n\nMedium Level Security - Excluded: \n  - Griefing denial of service (i.e. attacker spends as much in gas as damage to the contract)\n  - Gas griefing\n\nAll web/app bug reports must come with a PoC in order to be considered for a reward. All High and Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. \nCritical Smart Contract and Blockchain bug reports are further capped at 10% of economic damage up to USD 2,000,000, which primarily takes into consideration the funds at risk but may include branding and PR aspects at the discretion of the team. However, they have a minimum reward of USD 150,000. 
\n\nThe following vulnerabilities are not eligible for a reward:\n\n  - Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n  - Previously known vulnerabilities in Tendermint and or/any other fork of these.\n  - Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.\n  - Previously known vulnerable libraries without a working Proof of Concept.\n  - Attacks requiring MITM or physical access to a user's device.\n  - Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n  - Any griefing attacks on the system or smart contract trying to spend gas costs or liquidity lockup to incur gas costs and computational overhead  for the validators and operators of the network.\n  - Liquidity value reduction or arbitraging incurred due to the pricing mechanisms of the system and LP’s own operations. \n  - Attacks involving getting access to privileged admin keys \n  - Delay of cross-chain transfer (fund security not compromised) due to network/rpc error from the blockchain endpoint being used by SGN validators\n  - Security issues related to connected blockchains of cBridge is not in the scope\n  - As to the current implementation, it is possible (with low probability) that a user triggered transaction (e.g., add liquidity, send fund, delegate stake) is not automatically synced to the sgn, or the sgn failed to automatically submit the fund relay transaction to the destination chain (e.g., due to chain rpc endpoint failure). Such cases do not introduce fund security, and can be recovered through manual CLI tools. Related improvements will be included in later releases.\n\nCeler Network requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is acquired through mutually agreed third-party KYC solutions. 
The collection of this information will be done by the Celer Network team.\n\nPayouts are handled by the __Celer Network__ team directly and are denominated in USD. However, payouts are done in __ETH__, __CELR__, __or a stablecoin__, with the choice of the ratio at the discretion of the team.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ETH, CELR, or a stablecoin","slug":"celer","tenPercentEconomicRule":true,"updatedDate":"2024-11-04T14:43:54.551Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Celer cBridge is a multi-chain interoperability system that provides the best-in-class cross-chain token bridging experience with deep liquidity for users, highly efficient and easy-to-use liquidity management for both cBridge node operators and Liquidity Providers who do not want to operate cBridge nodes, and developer-oriented features such as general message bridging for cases like cross-chain DEX and NFTs.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. 
url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. 
CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":1345,"type":"smart_contract","severity":"critical","title":"Thefts and permanent freezing of any funds in liquidity pool smart contract or staking contracts"},{"id":1346,"type":"websites_and_applications","severity":"critical","title":"The only web vulnerabilities in scope are those which lead directly and unequivocally to loss of user funds, a direct breach of data, and the deletion of site data"},{"id":1347,"type":"smart_contract","severity":"critical","title":"Thefts and permanent freezing of unclaimed yield rewards"}],"rewards":[{"id":1457,"severity":"critical","assetType":"websites_and_applications","fixedReward":15000,"rewardModel":"fixed"},{"id":8087,"severity":"critical","assetType":"smart_contract","maxReward":2000000,"rewardModel":"up_to","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"5PDgLtbtz0c1yiQad1AoZN","url":"https://etherscan.io/address/0xaF52695E1bB01A16D33D7194C28C42b10e0Dbec2#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"voterProxy","isPrimacyOfImpact":null},{"id":"7yh9NF4eB3NqRR6yN50SZ1","url":"https://etherscan.io/address/0xC0c293ce456fF0ED870ADd98a0828Dd4d2903DBF#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"aura","isPrimacyOfImpact":null},{"id":"3ZYM4EVD1QReSUogpLTyiy","url":"https://etherscan.io/address/0x59A5ccD34943CD0AdCf5ce703EE9F06889E13707#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"minter","isPrimacyOfImpact":null},{"id
":"4dP2fZlpvm79KVrveE56EE","url":"https://etherscan.io/address/0xA57b8d98dAE62B26Ec3bcC4a365338157060B234#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"booster","isPrimacyOfImpact":null},{"id":"22iPEkol6uY9vuhnItObbd","url":"https://etherscan.io/address/0x228a142081b456a9fF803d004504955032989f04#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"boosterOwner","isPrimacyOfImpact":null},{"id":"3pgqSgYv9KUTnuXpTYwhpZ","url":"https://etherscan.io/address/0xbc8d9caf4b6bf34773976c5707ad1f2778332dca#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"rewardFactory & BaseRewardPool4626","isPrimacyOfImpact":null},{"id":"3wGN0n9zr8aaWpfR3vLjdY","url":"https://etherscan.io/address/0x3eC040DbF7D953216F4C89A2e665d5073445f5Ba#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"tokenFactory","isPrimacyOfImpact":null},{"id":"5bQPNAR0CMvdBvn99Phg9X","url":"https://etherscan.io/address/0xf5E2cFde016bd55BEF42a5A4bAad7E21cd39720d#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"proxyFactory","isPrimacyOfImpact":null},{"id":"W5KAIbWrRe0DSy1EQ4ZvW","url":"https://etherscan.io/address/0x54da426EFBB93fbaB5CF81bef03F9B9F00A3E915#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"stashFactory","isPrimacyOfImpact":null},{"id":"nqTYWn8ClxzqAs5HHUoug","url":"https://etherscan.io/address/0x37C3EBfD4b0cF66DF19a413e92dd21E556915F98#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"extraRewardStashV3","isPrimacyOfImpact":null},{"id":"4LoRfbQoumVH8tw358XCZA","url":"https://etherscan.io/address/0x616e8BfA43F920657B3497DBf40D6b1A02D4608d#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"auraBAL","isPrimacyOfImpact":null},{"id":"p44q3rabu4BU9clI5AS1o
","url":"https://etherscan.io/address/0x6641a8c1d33bd3dec8dd85e69c63cafb5bf36388#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"auraBALBpt","isPrimacyOfImpact":null},{"id":"77EmDpltzs0vL01VnRF83a","url":"https://etherscan.io/address/0x00A7BA8Ae7bca0B10A32Ea1f8e2a1Da980c6CAd2#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"cvxCrvRewards","isPrimacyOfImpact":null},{"id":"2LnkcJ8ErkEq6vEnZAvhLm","url":"https://etherscan.io/address/0xC47162863a12227E5c3B0860715F9cF721651C0c#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"initialCvxCrvStaking","isPrimacyOfImpact":null},{"id":"1PKXRG4y8yuDDGbUeqVK26","url":"https://etherscan.io/address/0xeAd792B55340Aa20181A80d6a16db6A0ECd1b827#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"crvDepositor","isPrimacyOfImpact":null},{"id":"7f4QHLlG2AnXZhFXuQUQPS","url":"https://etherscan.io/address/0x68655AD9852a99C87C0934c7290BB62CFa5D4123#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"crvDepositorWrapper","isPrimacyOfImpact":null},{"id":"6qCI1U1Dg6L09eVD2PVIyX","url":"https://etherscan.io/address/0xb58eb197c35157e6f3351718c4c387d284562be5#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"poolManager","isPrimacyOfImpact":null},{"id":"4lIE9une8BHoFNfaB9XPHO","url":"https://etherscan.io/address/0x3Fa73f1E5d8A792C80F426fc8F84FBF7Ce9bBCAC#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"auraLocker 
(vlAURA)","isPrimacyOfImpact":null},{"id":"1WbwltGttD2mNAMhAGGlra","url":"https://etherscan.io/address/0xd9e863B7317a66fe0a4d2834910f604Fd6F89C6c#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"cvxStakingProxy","isPrimacyOfImpact":null},{"id":"1olq4Rp3EosUFfBUdxIWl1","url":"https://etherscan.io/address/0x1ab80F7Fb46B25b7e0B2cfAC23Fc88AC37aaf4e9#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"chef","isPrimacyOfImpact":null},{"id":"3DmuFoP9mBD0wKXria3Y82","url":"https://etherscan.io/address/0xa7429af4DeB16827dAd0e71D8AEEa9C2bF70e32c#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"balLiquidityProvider","isPrimacyOfImpact":null},{"id":"3vZHHeHBxu1qdepH1IImMX","url":"https://etherscan.io/address/0x4043569200F7a7a1D989AbbaBC2De2Bde1C20D1E#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"penaltyForwarder","isPrimacyOfImpact":null},{"id":"27edYjlYmxw3eWBeumO7IP","url":"https://etherscan.io/address/0xA3739b206097317c72EF416F0E75BB8f58FbD308#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"extraRewardsDistributor","isPrimacyOfImpact":null},{"id":"74wiAQ2sx0WJCLaO9FshvJ","url":"https://etherscan.io/address/0x2c809Ec701C088099c911AF9DdfA4A1Db6110F3c#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"poolManagerProxy","isPrimacyOfImpact":null},{"id":"4VlY16OyhGUrPG8y8UtrVE","url":"https://etherscan.io/address/0xa72932Aea1392b0Da9eDc34178dA2B29EcE2de54#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":2,"description":"poolManagerSecondaryProxy","isPrimacyOfImpact":null},{"id":"4cU4zUvR0bRJXIXLCLacFr","url":"https://etherscan.io/address/0x5bd3fCA8D3d8c94a6419d85E0a76ec8Da52d836a#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"vestedEsc
rows","isPrimacyOfImpact":null},{"id":"20whUlcNTXHoXnLrduQdjg","url":"https://etherscan.io/address/0x24346652e0e2aE0CE05c781501fDF4Fe4553fAc6#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"https://etherscan.io/address/0x24346652e0e2aE0CE05c781501fDF4Fe4553fAc6#code","isPrimacyOfImpact":null},{"id":"1muhgKzLQ2GfMPF9VTi5bH","url":"https://etherscan.io/address/0x45025Ebc38647bcf7Edd2b40CfDaF3fbfE1538F5#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"vestedEscrows","isPrimacyOfImpact":null},{"id":"kqT2oYxKdK21n2pFHon03","url":"https://etherscan.io/address/0x43B17088503F4CE1AED9fB302ED6BB51aD6694Fa#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"vestedEscrows","isPrimacyOfImpact":null},{"id":"30KmzqGQsXVft8zXcdxYw8","url":"https://etherscan.io/address/0xfd72170339ac6d7bdda09d1eaca346b21a30d422#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"vestedEscrows","isPrimacyOfImpact":null},{"id":"2NeXG3yeTsf5WCqdgZC3I4","url":"https://etherscan.io/address/0x45EB1A004373b1D8457134A2C04a42d69D287724#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"drops","isPrimacyOfImpact":null},{"id":"vlypnxM53YXKJxoImBn2Y","url":"https://etherscan.io/address/0x1a661CF8D8cd69dD2A423F3626A461A24280a8fB#code","type":"smart_contract","addedAt":"2022-06-16T19:00:00.000Z","revision":1,"description":"drops","isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program. \n\nIf an impact can be caused to any other asset managed by Aura Finance that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project. 
This only applies to Critical impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-06-16T19:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5K5gW86YPxCmDeFWSeD5fi/f83f639d8527d85e7243e4e4331aa2ed/Aura_Finance_logo.jpeg","maxBounty":1000000,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Bridge","Staking","Yield Aggregator"],"programOverview":"Aura Finance is a protocol built on top of the [Balancer system](https://app.balancer.fi/#/) to provide maximum incentives to Balancer liquidity providers and BAL stakers (into [veBAL](https://forum.balancer.fi/t/introducing-vebal-tokenomics/2512)) through social aggregation of BAL deposits and Aura’s native token.\n\nFor more information about Aura Finance, please visit [https://aura.finance/](https://aura.finance/)","programType":["Smart Contract"],"project":"Aura Finance","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll Critical Smart Contract bug reports require a PoC to be eligible for a reward. 
Explanations and statements are not accepted as PoC and code is required.\n\nCritical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of __USD 50 000__. \n\nThe following vulnerabilities are not eligible for a reward:\n  - All vulnerabilities marked in the [Peckshield security review](https://drive.google.com/file/d/1S5jnMddjbVUsAdVZtmcIRlL4WhVueSzp/view?usp=sharing) \n  - All vulnerabilities marked in the [Halborn security review](https://drive.google.com/file/d/1vsZ9aAVJ8mobLaJ5-XDejcHdRFK1StjM/view?usp=sharing) \n  - All vulnerabilities marked in the [Code4rena security review](https://github.com/aurafinance/aura-contracts/blob/main/audits/Code4rena-Audit-Report-AuraFinance-v1.0.pdf)\n\nPayouts are handled by the __Aura Finance__ team directly and are denominated in USD. However, payouts are done in __USDC__ and __AURA__, with the choice of the ratio at the discretion of the team, and at least 50% of payouts will be in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"aurafinance","updatedDate":"2024-10-31T15:48:35.456Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Aura Finance is a protocol built on top of the [Balancer system](https://app.balancer.fi/#/) to provide maximum incentives to Balancer liquidity providers and BAL stakers (into [veBAL](https://forum.balancer.fi/t/introducing-vebal-tokenomics/2512)) through social aggregation of BAL deposits and Aura’s native token.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":null,"defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"}],"rewards":[{"id":8086,"severity":"critical","assetType":"smart_contract","maxReward":1000000,"rewardModel":"up_to","rewardCalculationPercentage":10}],"audits":[]},{"assets":[{"id":"1GGIxgapoemsD6RbRN9Lcq","url":"https://moonriver.moonscan.io/address/0xf36AE63d89983E3aeA8AaaD1086C3280eb01438D","type":"smart_contract","addedAt":"2022-05-10T15:53:26.340Z","revision":1,"description":"Moonriver: Factory","isPrimacyOfImpact":null},{"id":"2SrEwt2je8MA6L5j8keepr","url":"https://moonriver.moonscan.io/address/0xe6fe3db4c5a2e4a9ab3301201b38724e578b35ca","type":"smart_contract","addedAt":"2022-05-10T15:53:27.302Z","revision":1,"description":"Moonriver: Router","isPrimacyOfImpact":null},{"id":"23110YDNK0D9j9XYUgfnk4","url":"https://moonriver.moonscan.io/address/0xafaff19679ab6baf75ed8098227be189ba47ba0f","type":"smart_contract","addedAt":"2022-05-10T15:53:28.320Z","revision":1,"description":"Moonriver: Farming","isPrimacyOfImpact":null},{"id":"3mdKA6NdHAJtHJm8gkgyVS","url":"https://moonbeam.moonscan.io/address/0xF49255205Dfd7933c4D0f25A57D40B1511F92fEF","type":"smart_contract","addedAt":"2022-05-10T15:53:29.432Z","revision":1,"description":"Moonbeam: 
Factory","isPrimacyOfImpact":null},{"id":"y5esOJtXRE7l0j35BVwDf","url":"https://moonbeam.moonscan.io/address/0x7a3909c7996efe42d425cd932fc44e3840fcab71","type":"smart_contract","addedAt":"2022-05-10T15:53:30.543Z","revision":1,"description":"Moonbeam: Router","isPrimacyOfImpact":null},{"id":"2g980lLkvqXFmZm3hHbmTq","url":"https://moonbeam.moonscan.io/address/0xa226877393fc4e3b5f2b43a1bae3c5d72c918c2d","type":"smart_contract","addedAt":"2022-05-10T15:53:32.038Z","revision":1,"description":"Moonbeam: Farming","isPrimacyOfImpact":null},{"id":"dT2P3T3qhxKMpyS7RrG2w","url":"https://dex.zenlink.pro/","type":"websites_and_applications","addedAt":"2022-05-13T15:13:26.816Z","revision":1,"description":null,"isPrimacyOfImpact":null}],"assetsBodyV2":"However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Polkadot"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2022-03-23T03:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1sf04Bet0DRuk2xEOwg9y9/b63f1befa81f5caf204e26c44bb40258/Zenlink_Logo.svg","maxBounty":30000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts__\n\n__Critical__\n  - Any governance voting result manipulation\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Miner-extractable value (MEV)\n  - Protocol Insolvency\n\n__High__\n  - Theft of unclaimed yield\n  - Permanent freezing of unclaimed yield\n  - Temporary freezing of funds for at least 2 days\n\n__Medium__\n  - Smart contract unable to operate due to lack of token funds \n  - Block stuffing for profit\n  - Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)\n  - Theft of gas\n  - Unbounded gas consumption \n\n__Web/App__\n\n__Critical__\n  - Ability to execute system commands\n  - Extract Sensitive data/files from the server such as /etc/passwd\n  - Stealing User Cookies\n  - Taking Down the application/website\n  - Bypassing Authentication\n  - Signing transactions for other users\n  - Redirection of user deposits and withdrawals\n  - Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)\n  - Wallet interaction modification resulting in financial loss\n  - Direct theft of user funds \n  - Tampering with transactions submitted to the user’s wallet\n  - Submitting malicious transactions to an already-connected wallet","productType":["Crosschain Liquidity","DEX","DEX Aggregator"],"programOverview":"Zenlink DEX Protocol is the underlying unified and universal cross-chain DEX Protocol, which enables parachains to quickly have DEX functionality and share liquidity with other parachains. In addition, Zenlink DEX Aggregator can connect to all DEX DApps on Polkadot, which together form the Zenlink DEX Network with full liquidity.\n\nFor more information about Zenlink, please visit [https://zenlink.pro/en/](https://zenlink.pro/en/).   
\n\nThis bug bounty program is focused on their smart contracts and app, and on preventing:\n\n  - Any governance voting result manipulation\n  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield\n  - Permanent freezing of funds\n  - Taking Down the application/website\n  - Redirection of user deposits and withdrawals\n  - Wallet interaction modification resulting in financial loss","programType":["Smart Contract","Websites and Applications"],"project":"Zenlink","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. In addition, all bug reports must come with a suggestion for a fix in order to be considered for a reward.\n\nAll issues previously highlighted in the following audit reports are also considered as out of scope:\n  - [https://github.com/zenlinkpro/zenlink-security-audit](https://github.com/zenlinkpro/zenlink-security-audit)\n\nZenlink requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is the name, country of residence and a passport photo.\n\nPayouts are handled by the __Zenlink__ team directly and are denominated in USD. 
However, payouts are done in __ZLK__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"ZLK","slug":"zenlink","updatedDate":"2024-10-30T18:19:51.585Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Zenlink DEX Protocol is the underlying unified and universal cross-chain DEX Protocol, which enables parachains to quickly have DEX functionality and share liquidity with other parachains. In addition, Zenlink DEX Aggregator can connect to all DEX DApps on Polkadot, which together form the Zenlink DEX Network with full liquidity.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":2123,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 2 days"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":2124,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":2125,"type":"smart_contract","severity":"critical","title":"Any governance voting result manipulation"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":2126,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":2127,"type":"websites_and_applications","severity":"critical","title":"Ability to execute system commands"},{"id":2128,"type":"websites_and_applications","severity":"critical","title":"Extract Sensitive data/files from the server such as /etc/passwd"},{"id":2129,"type":"websites_and_applications","severity":"critical","title":"Stealing User Cookies"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":2130,"type":"websites_and_applications","severity":"critical","title":"Bypassing Authentication"},{"id":2131,"type":"websites_and_applications","severity":"critical","title":"Signing transactions for other users"},{"id":2132,"type":"websites_and_applications","severity":"critical","title":"Redirection of user deposits and withdrawals"},{"id":2133,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)"},{"id":2134,"type":"websites_and_applications","severity":"critical","title":"Wallet interaction modification resulting in financial 
loss"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":2135,"type":"websites_and_applications","severity":"critical","title":"Tampering with transactions submitted to the user’s wallet"},{"id":2136,"type":"websites_and_applications","severity":"critical","title":"Submitting malicious transactions to an already-connected wallet"}],"rewards":[{"id":8267,"severity":"critical","assetType":"smart_contract","fixedReward":30000,"rewardModel":"fixed"},{"id":5715,"severity":"high","assetType":"smart_contract","fixedReward":8000,"rewardModel":"fixed"},{"id":5716,"severity":"medium","assetType":"smart_contract","fixedReward":3000,"rewardModel":"fixed"},{"id":5717,"severity":"critical","assetType":"websites_and_applications","fixedReward":2000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"2EHfncMOaDTWgSflTBw08N","url":"https://etherscan.io/address/0xFC87753Df5Ef5C368b5FBA8D4C5043b77e8C5b39","type":"smart_contract","addedAt":"2024-02-21T04:00:00.000Z","revision":1,"description":"aETH","isPrimacyOfImpact":null},{"id":"1TGj5WiB1Qiv1Yxe7ZEY11","url":"https://etherscan.io/address/0xF1617882A71467534D14EEe865922de1395c9E89","type":"smart_contract","addedAt":"2024-02-21T04:00:00.000Z","revision":1,"description":"saETH","isPrimacyOfImpact":null},{"id":"2w7o5YZpPVbrmbzV2KcY2W","url":"https://etherscan.io/address/0x5341864D99B50155F782C562Bd15Ac4a0A3C117e","type":"smart_contract","addedAt":"2024-02-21T04:00:00.000Z","revision":1,"description":"CorePrimary","isPrimacyOfImpact":null},{"id":"4flLE7mrcIgHARgsR8Oqy9","url":"https://etherscan.io/address/0xD691b1c47a578f51aDa825A8565cAfceB401EdaC","type":"smart_contract","addedAt":"2024-02-21T04:00:00.000Z","revision":1,"description":"RewardOracle","isPrimacyOfImpact":null},{"id":"3cmBrwdhdkswtDQxyYqcUg","url":"https://etherscan.io/address/0x25a01dBde45cc5Bb7071EB3c3b2F983ea923bec5","type":"smart_contract","addedAt":"2024-02-21T04:00:00.000Z","revision":1,"description":"StET
HMinter","isPrimacyOfImpact":null},{"id":"1IaifihdubjUQ56IWD9LMc","url":"https://app.aspidanet.com/","type":"websites_and_applications","addedAt":"2024-02-21T04:00:00.000Z","revision":1,"description":"Web/App","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":null,"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2024-02-21T04:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/ilcdFkczlesjMYkfsHw7J/b42b36fd70e1b812d3dfcd024598ed60/-K5ojatV_400x400_copy.png","maxBounty":50000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Staking"],"programOverview":"Aspida is a native liquid staking network which provides security, liquidity and optimized native rewards. It features easy accessibility, allowing users across different layers/networks to earn staking ETH yield.\n\nBy prioritizing both asset security and user convenience, Aspida offers unparalleled liquidity and flexibility, empowering users to exit their positions whenever they choose. With its user-friendly interface and non-custodial approach, Aspida streamlines the staking process, allowing individuals to profit safely and effortlessly.\n\nFor more information about Aspida, please visit https://aspidanet.com/\n\nAspida provides rewards in USDC, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. 
\n\n__Primacy of Impact vs Primacy of Rules__\n\nAspida adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated on this page.\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n\n__Previous Audits__\n\nAspida’s completed audit reports can be found at https://github.com/mixbytes/audits_public/tree/master/Aspida%20Network. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Aspida has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","programType":["Smart Contract","Websites and Applications"],"project":"Aspida","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nFor critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 50 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.\n\n\n__Repeatable Attack Limitations__\n\nIf the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. 
This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.\n\nFor critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.\n\n__Reward Calculation for High Level Reports__\n\nHigh vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are considered at the full amount of funds at risk, capped at the maximum high reward. This is to incentivize security researchers to uncover and responsibly disclose vulnerabilities that may not have significant monetary value today, but could still be damaging to the project if they go unaddressed.\n\nIn the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.\n\nCritical web/app bug reports will be rewarded with USD 5 000 only if the impact leads to:\n\n- A loss of funds involving an attack that does not require any user action\n- Private key or private key generation leakage leading to unauthorized access to user funds\n\nAll other impacts that would be classified as Critical will be rewarded with a flat amount of USD 3 000. 
The rest of the severity levels are paid out according to the Impacts in Scope table.\n\n__Reward Payment Terms__\n\nPayouts are handled by the Aspida team directly and are denominated in USD. However, payments are done in USDC.\n\nThe calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"aspida","updatedDate":"2024-10-30T09:00:00.772Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Aspida is a native liquid staking network which provides security, liquidity and optimized native rewards. It features easy accessibility, allowing users across different layers/networks to earn staking ETH yield.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Content spoofing / Text injection issues\n- Attacks requiring privileged access from within the organization\n- Issues related to the frontend without concrete impact and PoC\n- Best practices issues without concrete impact and PoC\n- Vulnerabilities primarily caused by browser/plugin defects\n- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)\n","customProhibitedActivities":[],"impacts":[{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":4751,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:   /etc/shadow, 
database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":4752,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4753,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions"}],"rewards":[{"id":9208,"severity":"critical","assetType":"smart_contract","maxReward":50000,"minReward":10000,"rewardModel":"range","rewardCalculationPercentage":10},{"id":9209,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":9210,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":9211,"severity":"critical","assetType":"websites_and_applications","fixedReward":1000,"rewardModel":"fixed","otherImpactMaxReward":10}],"audits":[]},{"assets":[{"id":"1h10eNJ0xHga6Zeo4Yj6W7","url":"https://basescan.org/address/0x2A375567f5E13F6bd74fDa7627Df3b1Af6BfA5a6#code","type":"smart_contract","addedAt":"2024-06-07T15:38:40.211Z","revision":3,"description":"WooracleV2 - 
Swap","isPrimacyOfImpact":null},{"id":"59hTLMVNUG52Bja63zFcYt","url":"https://basescan.org/address/0xEd9e3f98bBed560e66B89AaC922E29D4596A9642#code","type":"smart_contract","addedAt":"2024-06-11T08:00:05.339Z","revision":2,"description":"WooPPV2.2 - Swap","isPrimacyOfImpact":null},{"id":"62JwAqTX4MILwxVFihN1HE","url":"https://basescan.org/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7#code","type":"smart_contract","addedAt":"2024-06-11T08:01:02.614Z","revision":2,"description":"WooRouterV2 - Swap","isPrimacyOfImpact":null},{"id":"3y7naOrnovKfDzUMmUXJt0","url":"https://basescan.org/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7#code","type":"smart_contract","addedAt":"2024-06-11T08:02:44.879Z","revision":3,"description":"CrossswapRouterv3.1 - Swap","isPrimacyOfImpact":null},{"id":"4huLmNOrTalJOfU0OVWQVo","url":"https://basescan.org/address/0xC4E9B633685461E7B7A807D12a246C81f96F31B8#code","type":"smart_contract","addedAt":"2024-06-11T08:04:41.869Z","revision":3,"description":"IntegrationHelper(token info) - Swap","isPrimacyOfImpact":null},{"id":"1C2K5Qw43l1rqHMGL4QtPn","url":"https://basescan.org/address/0x44dF096D2600C6a6db77899dB3DE3AeCff746cb8#code","type":"smart_contract","addedAt":"2024-06-11T08:04:54.073Z","revision":3,"description":"USDC_SuperChargerVaultV2 - Earn","isPrimacyOfImpact":null},{"id":"7J8iBsj4qMvparamaO3h8k","url":"https://basescan.org/address/0x73Bd3C7e44E1c228713A24448e9B7250391ACa15#code","type":"smart_contract","addedAt":"2024-06-11T08:05:03.883Z","revision":3,"description":"USDC_LendingManager - Earn","isPrimacyOfImpact":null},{"id":"YTrmnCQR8QpD5va7E8MfK","url":"https://basescan.org/address/0xa1bb8a8ED84A37a8c93a10Df5153E612f58e34E5#code","type":"smart_contract","addedAt":"2024-06-11T08:05:13.418Z","revision":2,"description":"USDC_WithdrawManagerV2 - 
Earn","isPrimacyOfImpact":null},{"id":"3UotYUAK5jzggYirvReuVb","url":"https://basescan.org/address/0xf2bE87391e2040D4CB1F646fbb023C074315E94E#code","type":"smart_contract","addedAt":"2024-06-11T08:05:22.832Z","revision":2,"description":"USDC_VaultV2 - Earn","isPrimacyOfImpact":null},{"id":"5uAuyGCE39zXzF0Hi5MqBu","url":"https://basescan.org/address/0x6875eb0496b6BAA0527c5915d78b9BcdC800e98f#code","type":"smart_contract","addedAt":"2024-06-11T08:05:31.392Z","revision":2,"description":"USDC_AaveStrat - Earn","isPrimacyOfImpact":null},{"id":"4MTvCgfYXcBT5NYbLzQlLr","url":"https://basescan.org/address/0xb772122C4a37fe1754B46AB1799b909351e8Cb43#code","type":"smart_contract","addedAt":"2024-06-11T08:05:41.259Z","revision":2,"description":"ETH_SuperChargerVaultV2 - Earn","isPrimacyOfImpact":null},{"id":"3nRgnZCPod7wzLmO79DaJ4","url":"https://basescan.org/address/0x913E116cD0E279763B0419798c0bA18F9311B390#code","type":"smart_contract","addedAt":"2024-06-11T08:05:49.177Z","revision":2,"description":"ETH_LendingManager - Earn","isPrimacyOfImpact":null},{"id":"7MgUYwK3tXsmnmzeBQ8U9R","url":"https://basescan.org/address/0xe61Acb121a2B538dF495A85C4E50dD8581de4ed0#code","type":"smart_contract","addedAt":"2024-06-11T08:06:02.910Z","revision":2,"description":"ETH_WithdrawManagerV2 - Earn","isPrimacyOfImpact":null},{"id":"3Bd8um2lIgcfPPSuUl4R3O","url":"https://basescan.org/address/0x5A958b9E4370Da91498F494105BBe4C4123C513f#code","type":"smart_contract","addedAt":"2024-06-11T08:06:17.261Z","revision":2,"description":"ETH_VaultV2 - Earn","isPrimacyOfImpact":null},{"id":"2uR1Js7RntPsSZYcfjy8pd","url":"https://basescan.org/address/0x160020B09DeD3d862f7f851B5c50632BcF2062FF#code","type":"smart_contract","addedAt":"2024-06-11T08:06:46.385Z","revision":2,"description":"ETH_AaveStrat - 
Earn","isPrimacyOfImpact":null},{"id":"3r1sJPUM0S456KPoU62sXC","url":"https://arbiscan.io/address/0xCf4EA1688bc23DD93D933edA535F8B72FC8934Ec#code","type":"smart_contract","addedAt":"2024-06-11T08:06:56.289Z","revision":2,"description":"WooracleV2_2_1 - Swap","isPrimacyOfImpact":null},{"id":"1bActoUxLvWM4anO9zcy3X","url":"https://arbiscan.io/address/0xEd9e3f98bBed560e66B89AaC922E29D4596A9642#code","type":"smart_contract","addedAt":"2024-06-11T08:07:08.259Z","revision":3,"description":"WooPPV2.1 - Swap","isPrimacyOfImpact":null},{"id":"1OpOBF2bG3Dw93ZrqskA8T","url":"https://arbiscan.io/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7#code","type":"smart_contract","addedAt":"2024-06-11T08:07:20.324Z","revision":2,"description":"WooRouterV2 - Swap","isPrimacyOfImpact":null},{"id":"7iAmJS3XtOmAW5nLaU8VuU","url":"https://arbiscan.io/address/0xCa10E8825FA9F1dB0651Cd48A9097997DBf7615d#code","type":"smart_contract","addedAt":"2024-06-11T08:07:31.410Z","revision":2,"description":"CrosswapRouterV3.1 - Swap","isPrimacyOfImpact":null},{"id":"3OYqDg4JL2WsfN0bqBAUbA","url":"https://arbiscan.io/address/0x28D2B949024FE50627f1EbC5f0Ca3Ca721148E40#code","type":"smart_contract","addedAt":"2024-06-11T08:07:41.216Z","revision":2,"description":"IntegrationHelper (token info) - Swap","isPrimacyOfImpact":null},{"id":"6gcvf4YrtEfHEmg0O4krGc","url":"https://arbiscan.io/address/0xa6000B7D3634534266a2eCc4D478f5Cdc1e65bD3#code","type":"smart_contract","addedAt":"2024-06-11T08:08:02.314Z","revision":2,"description":"USDC_Rewarder - Stake","isPrimacyOfImpact":null},{"id":"6a5C3jqy1xXDODPO2F5bdL","url":"https://arbiscan.io/address/0x2CFa72E7f58dc82B990529450Ffa83791db7d8e2#code","type":"smart_contract","addedAt":"2024-06-11T08:08:17.788Z","revision":2,"description":"WooBuyBackSwap - 
Stake","isPrimacyOfImpact":null},{"id":"71waOclpu0WbD8FBaJYsQF","url":"https://arbiscan.io/address/0x401ff5f78B52EDb57aB019c8988e0Be933AaABCb#code","type":"smart_contract","addedAt":"2024-06-11T08:08:25.928Z","revision":2,"description":"ARBRewarder - Stake","isPrimacyOfImpact":null},{"id":"qwJqjWzapxZ2E7nwur7fF","url":"https://arbiscan.io/address/0xa74bB3643da439E89010743909d0493abca743d7#code","type":"smart_contract","addedAt":"2024-06-11T08:08:34.539Z","revision":2,"description":"MpRewarder - Stake","isPrimacyOfImpact":null},{"id":"Qzmdgz9qGZOr48P2jlpKm","url":"https://arbiscan.io/address/0x1c29986FF01c65665393E55C73Ade2aa6dA957DF#code","type":"smart_contract","addedAt":"2024-06-11T08:08:44.038Z","revision":2,"description":"RewardBooster - Stake","isPrimacyOfImpact":null},{"id":"vXCVyrKpxOSPOJAuZ0ffL","url":"https://arbiscan.io/address/0xa9E245C1FA7E17263Cc7C896488A3da8072924Fb#code","type":"smart_contract","addedAt":"2024-06-11T08:08:55.045Z","revision":2,"description":"WooStakingManager - Stake","isPrimacyOfImpact":null},{"id":"6YNgn5APVAplDKafGZrm8d","url":"https://arbiscan.io/address/0x2CFa72E7f58dc82B990529450Ffa83791db7d8e2#code","type":"smart_contract","addedAt":"2024-06-11T08:09:06.133Z","revision":2,"description":"WooStakingLocal - Stake","isPrimacyOfImpact":null},{"id":"2KWSafJSdBMB0DF8On6jiH","url":"https://arbiscan.io/address/0x93E63fc2146D596AFe4583D03cfe496FFcad5A04#code","type":"smart_contract","addedAt":"2024-06-11T08:09:14.429Z","revision":2,"description":"WooStakingController - Stake","isPrimacyOfImpact":null},{"id":"5fja5JgZh6XCihy1TYARes","url":"https://arbiscan.io/address/0x63a015b5E305EDcA94b9B0c27461547b3F4eA1e3#code","type":"smart_contract","addedAt":"2024-06-11T08:09:31.346Z","revision":2,"description":"WooStakingCompounder - 
Stake","isPrimacyOfImpact":null},{"id":"2YGJsrDEOZZwOezNsxBK3U","url":"https://arbiscan.io/address/0xc0f8C29e3a9A7650a3F642e467d70087819926d6#code","type":"smart_contract","addedAt":"2024-06-11T08:09:42.314Z","revision":2,"description":"RewardMasterchef - Earn","isPrimacyOfImpact":null},{"id":"19IkLJEkiCShNdnu9mImJK","url":"https://arbiscan.io/address/0xbe6c4bF84521D84d362A6408c873FCB05c0296E5#code","type":"smart_contract","addedAt":"2024-06-11T08:09:52.007Z","revision":2,"description":"USDC_AAVEStrategy - Earn","isPrimacyOfImpact":null},{"id":"2IjUJixPbunGDfZAsd4AIj","url":"https://arbiscan.io/address/0xA780432f495E5C6851fd7903FE49ad77C952F7D8#code","type":"smart_contract","addedAt":"2024-06-11T08:10:01.390Z","revision":2,"description":"WooSuperChargerVaultV2_USDC - Earn","isPrimacyOfImpact":null},{"id":"3jE1Z30hfG8uRv0B2SsIPU","url":"https://arbiscan.io/address/0x79A5453865a39f67D3FfC7964cd760F1763Be767#code","type":"smart_contract","addedAt":"2024-06-11T08:10:10.408Z","revision":2,"description":"WooLendingManager_USDC - Earn","isPrimacyOfImpact":null},{"id":"60zCw8GfK6cuvvjSvXm96u","url":"https://arbiscan.io/address/0xE76c97897A9c3f8aAAfC3Fe86457Fe460553D3FE#code","type":"smart_contract","addedAt":"2024-06-11T08:10:27.869Z","revision":2,"description":"WooWithdrawManagerV2_USDC - Earn","isPrimacyOfImpact":null},{"id":"2xp8mpjQ98OJvwCJZddqiQ","url":"https://arbiscan.io/address/0x38506FBB751eBFfcF887CF5d4C7390eC0c503796#code","type":"smart_contract","addedAt":"2024-06-11T08:10:36.958Z","revision":2,"description":"FarmingVault_USDC - Earn","isPrimacyOfImpact":null},{"id":"5FZMXKuz2SyyfiGwIjfPPM","url":"https://arbiscan.io/address/0x181d8Eb2EEff20C647073c4798111Cbd1B423A60#code","type":"smart_contract","addedAt":"2024-06-11T08:10:55.744Z","revision":2,"description":"ExternalReward_USDC - 
Earn","isPrimacyOfImpact":null},{"id":"2s8JJoNrx8MOKS0BkZ7JtC","url":"https://arbiscan.io/address/0xd2fdaB19b94B59C5F0E75Dd9813365Df815b56B1#code","type":"smart_contract","addedAt":"2024-06-11T08:11:04.746Z","revision":3,"description":"SuperChargerVault_WBTC - Earn","isPrimacyOfImpact":null},{"id":"5ZVfJxGOQhuhrH31AFbMGN","url":"https://arbiscan.io/address/0xFEecEdbc3c292db79347473a2B976a463c3aC2D6#code","type":"smart_contract","addedAt":"2024-06-11T08:11:15.103Z","revision":2,"description":"LendingManager_WBTC - Earn","isPrimacyOfImpact":null},{"id":"1zqK6ePFw4ui0qGfxYp5OL","url":"https://arbiscan.io/address/0xD05b953cFD75426711a904F76eb3241bad5D03ac#code","type":"smart_contract","addedAt":"2024-06-11T08:11:25.282Z","revision":3,"description":"WithdrawManager_WBTC - Earn","isPrimacyOfImpact":null},{"id":"V03HZgrgODzQcZJNlOWsC","url":"https://arbiscan.io/address/0xea6790425aFa71d802E017Ef5b6257e42C28554a#code","type":"smart_contract","addedAt":"2024-06-11T08:30:55.345Z","revision":2,"description":"FarmingVault_WBTC - Earn","isPrimacyOfImpact":null},{"id":"4xFIWdFvyyHj9G9wD6DRgM","url":"https://arbiscan.io/address/0x9D71a7B0022b0C402f15808d781F0f31A63abE15#code","type":"smart_contract","addedAt":"2024-06-11T08:31:04.834Z","revision":3,"description":"VoidStrategy_WBTC - Earn","isPrimacyOfImpact":null},{"id":"1bxNXXLOnd2ebF4cq0pYKx","url":"https://arbiscan.io/address/0xa397fba8c5c1aef9137601c185f6ab0e9cf43662#code","type":"smart_contract","addedAt":"2024-06-11T08:31:20.380Z","revision":2,"description":"ExternalRewar_WBTC - Earn","isPrimacyOfImpact":null},{"id":"38YQLqPorod9e8n78gf2Rm","url":"https://arbiscan.io/address/0xdF0006994c46F4d006eCb2b5aF3e212D94df23e1#code","type":"smart_contract","addedAt":"2024-06-11T08:31:28.144Z","revision":2,"description":"ExternalReward_ARB - 
Earn","isPrimacyOfImpact":null},{"id":"5pL6O6DlK3drGvpY0iJJEB","url":"https://arbiscan.io/address/0x7f3F2A499c00c2D7018300F99A232896fD295Bb1#code","type":"smart_contract","addedAt":"2024-06-11T08:31:36.782Z","revision":2,"description":"SuperChargerVault_ARB - Earn","isPrimacyOfImpact":null},{"id":"01puHPjkGsaCAHqxCKB3RV","url":"https://arbiscan.io/address/0x6Fc2c9f904a98cAeeEF6aABA6De625b5698F3f08#code","type":"smart_contract","addedAt":"2024-06-11T08:31:45.426Z","revision":2,"description":"LendingManager_ARB - Earn","isPrimacyOfImpact":null},{"id":"69G2WxA5AIBIP030BOoJwF","url":"https://arbiscan.io/address/0xBFe3d22B223909A06469854E7Af374ab449F09AC#code","type":"smart_contract","addedAt":"2024-06-11T08:31:55.764Z","revision":2,"description":"WithdrawManager_ARB - Earn","isPrimacyOfImpact":null},{"id":"XevzEy68AdHimxSQ9O5hq","url":"https://arbiscan.io/address/0x2Aa18AB5d65449892519057d965706f051823a31#code","type":"smart_contract","addedAt":"2024-06-11T08:32:04.828Z","revision":2,"description":"FarmingVault_ARB - Earn","isPrimacyOfImpact":null},{"id":"4dNzUcEs6mHIqRV8KldiIw","url":"https://arbiscan.io/address/0xf80475ef92DF49527FC63A53b967d8064d476f02#code","type":"smart_contract","addedAt":"2024-06-11T08:32:13.429Z","revision":2,"description":"VoidStrategy_ARB - Earn","isPrimacyOfImpact":null},{"id":"3FHc7c6ZihtqSvuRWzqGSV","url":"https://arbiscan.io/address/0xba452bCc4BC52AF2fe1190e7e1dBE267ad1C2d08#code","type":"smart_contract","addedAt":"2024-06-11T08:32:27.433Z","revision":2,"description":"SuperChargerVault_ETH - Earn","isPrimacyOfImpact":null},{"id":"1OejTnwPIa0HOnBuUmOnoi","url":"https://arbiscan.io/address/0x5C7Ff24fa7Af62BC25AD6747A6193183B4bb7Bc5#code","type":"smart_contract","addedAt":"2024-06-11T08:32:39.040Z","revision":2,"description":"LendingManager_ETH - 
Earn","isPrimacyOfImpact":null},{"id":"5aljmEkNwvmzozo5IpuE5N","url":"https://arbiscan.io/address/0xE77ADf3936F70a2Ed44f26CeD01d26c1430EAd6a#code","type":"smart_contract","addedAt":"2024-06-11T08:32:46.814Z","revision":2,"description":"WithdrawManager_ETH - Earn","isPrimacyOfImpact":null},{"id":"zoWTeudHt5kqBS0gpBa9a","url":"https://arbiscan.io/address/0x478E7F3FE49931C601e2399DdaEE8EEf2eEF6F13#code","type":"smart_contract","addedAt":"2024-06-11T08:33:04.879Z","revision":2,"description":"farmingvault_ETH - Earn","isPrimacyOfImpact":null},{"id":"7zM87SWuz0nalPjmsCZySx","url":"https://arbiscan.io/address/0xfBBfcCAE3f76AFc0979f20920b4d04d608F873bF#code","type":"smart_contract","addedAt":"2024-06-11T08:33:21.855Z","revision":2,"description":"ExternalReward_ETH - Earn","isPrimacyOfImpact":null},{"id":"7LC6NcflIAH1X3a6YP6Xub","url":"https://arbiscan.io/address/0xE22CB2F3758e204f26e82a936Cc675741F7645dd#code","type":"smart_contract","addedAt":"2024-06-11T08:41:33.118Z","revision":2,"description":"ETH_AAVEStrategy - Earn","isPrimacyOfImpact":null},{"id":"7qLgI2p6PtZO4KrsFDqXBv","url":"https://optimistic.etherscan.io/address/0xEd9e3f98bBed560e66B89AaC922E29D4596A9642#code","type":"smart_contract","addedAt":"2024-06-11T08:33:31.225Z","revision":2,"description":"WooracleV2_2 - Swap","isPrimacyOfImpact":null},{"id":"1vupcrKWcXwWJTVDqNsndq","url":"https://optimistic.etherscan.io/address/0xEd9e3f98bBed560e66B89AaC922E29D4596A9642#code","type":"smart_contract","addedAt":"2024-06-11T08:41:51.543Z","revision":2,"description":"WooPPV2 - Swap","isPrimacyOfImpact":null},{"id":"7D4nIJSQu1V8VGhiETJLkw","url":"https://optimistic.etherscan.io/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7#code","type":"smart_contract","addedAt":"2024-06-11T08:42:00.039Z","revision":2,"description":"WooRouterV2 - 
Swap","isPrimacyOfImpact":null},{"id":"1UOQkeMVf8fBOpFfjx6HLs","url":"https://optimistic.etherscan.io/address/0xCa10E8825FA9F1dB0651Cd48A9097997DBf7615d#code","type":"smart_contract","addedAt":"2024-06-11T08:42:15.639Z","revision":2,"description":"CrosswapRouter v3.1 - Swap","isPrimacyOfImpact":null},{"id":"1btoSgiifBgtPnOr0wuM15","url":"https://optimistic.etherscan.io/address/0x96329d66074EB8386Ae8bFD6698B2E3FDA87e15E#code","type":"smart_contract","addedAt":"2024-06-11T08:42:25.648Z","revision":2,"description":"IntegrationHelper (token info) - Swap","isPrimacyOfImpact":null},{"id":"1GrcFSgoIBBzc23BEu8Tiy","url":"https://optimistic.etherscan.io/address/0xba91ffD8a2B9F68231eCA6aF51623B3433A89b13#code","type":"smart_contract","addedAt":"2024-06-11T08:42:34.546Z","revision":2,"description":"StakeProxy - Stake","isPrimacyOfImpact":null},{"id":"2aY9vREANDhMnzPJqrOWgn","url":"https://optimistic.etherscan.io/address/0xc0f8C29e3a9A7650a3F642e467d70087819926d6#code","type":"smart_contract","addedAt":"2024-06-11T08:42:44.939Z","revision":2,"description":"RewardMasterchef - Earn","isPrimacyOfImpact":null},{"id":"48311QN7l7CLCjyXTZYiz7","url":"https://optimistic.etherscan.io/address/0x18aa88bb25b8f15FDbE329f789dD000bf679753E#code","type":"smart_contract","addedAt":"2024-06-11T08:42:54.639Z","revision":2,"description":"USDC_SuperChargerVaultV2 - Earn","isPrimacyOfImpact":null},{"id":"28zznkmYakm8f8k5BTplf3","url":"https://optimistic.etherscan.io/address/0x4bAa5Fd82A455f2BfEFF4FBB91969288D7DE7316#code","type":"smart_contract","addedAt":"2024-06-11T08:43:03.200Z","revision":2,"description":"USDC_LendingManager - Earn","isPrimacyOfImpact":null},{"id":"6ekGdDvehVne1URLEFk9Wc","url":"https://optimistic.etherscan.io/address/0x2500AD59b46fF4B96f8e1EaC3fE1f78eAF955777#code","type":"smart_contract","addedAt":"2024-06-11T08:43:12.879Z","revision":2,"description":"USDC_WithdrawManagerV2 - 
Earn","isPrimacyOfImpact":null},{"id":"4vjjxulCaiwxGmOLAy0p0R","url":"https://optimistic.etherscan.io/address/0x73504eaCB100c7576146618DC306c97454CB3620#code","type":"smart_contract","addedAt":"2024-06-11T08:43:23.494Z","revision":2,"description":"USDC_VaultV2 - Earn","isPrimacyOfImpact":null},{"id":"yhbSw8ISWFq4OCpSNuKhx","url":"https://optimistic.etherscan.io/address/0x63Fdc50AA784f4A979517D2dCc91227634aE1234#code","type":"smart_contract","addedAt":"2024-06-11T08:43:32.625Z","revision":2,"description":"USDC_StrategyAave - Earn","isPrimacyOfImpact":null},{"id":"1YXGmPmzDY6wZsXE7O4KNM","url":"https://optimistic.etherscan.io/address/0xB54e1d90d845d888d39dcaCBd54a3EEc0d8853B2#code","type":"smart_contract","addedAt":"2024-06-11T08:43:44.537Z","revision":2,"description":"SuperChargerVault_ETH - Earn","isPrimacyOfImpact":null},{"id":"37WXfK4nJphXiKj0BDgM39","url":"https://optimistic.etherscan.io/address/0x1dDd225ef26714Bb8055dDCEaEE2589ba09c89ed#code","type":"smart_contract","addedAt":"2024-06-11T08:43:58.615Z","revision":2,"description":"LendingManager_ETH - Earn","isPrimacyOfImpact":null},{"id":"6STNPhOUxqxYXlmSORmNke","url":"https://optimistic.etherscan.io/address/0x91741863A48f0B29fC0B6D10b3cdE2122feB58f7#code","type":"smart_contract","addedAt":"2024-06-11T08:44:08.351Z","revision":2,"description":"WithdrawManager_ETH - Earn","isPrimacyOfImpact":null},{"id":"1ojGvYw52j4zhAvht6splE","url":"https://optimistic.etherscan.io/address/0x7e1996945eA8866DE873179DC1677E93A4380107#code","type":"smart_contract","addedAt":"2024-06-11T08:44:23.717Z","revision":2,"description":"farmingvault_ETH - Earn","isPrimacyOfImpact":null},{"id":"2McpDLU4JgmNGyrw0OLXsa","url":"https://optimistic.etherscan.io/address/0x31aE608cBadD1214D6A3d5dcf49E45Fb18E2a48E#code","type":"smart_contract","addedAt":"2024-06-11T08:44:33.864Z","revision":2,"description":"ETH_StrategyAave - 
Earn","isPrimacyOfImpact":null},{"id":"6H5WEX2MAZFlanPYfEkBDy","url":"https://optimistic.etherscan.io/address/0xcA7184eA1cb4cF04d49Bf219c49a39231299dA26#code","type":"smart_contract","addedAt":"2024-06-11T08:44:46.528Z","revision":2,"description":"SuperChargerVault_OP - Earn","isPrimacyOfImpact":null},{"id":"fuPQqlsh31PU3tV4Nc9a6","url":"https://optimistic.etherscan.io/address/0xD2635bc7e4E4F63B2892eD80D0b0f9Dff7eDA899#code","type":"smart_contract","addedAt":"2024-06-11T08:45:44.511Z","revision":2,"description":"LendingManager_OP - Earn","isPrimacyOfImpact":null},{"id":"6EWdn4TdXkxpdV1vn5z7ID","url":"https://optimistic.etherscan.io/address/0x0FAd8f10746171C0616cE4B7B4E2e9439a9a02E2#code","type":"smart_contract","addedAt":"2024-06-11T08:45:55.450Z","revision":2,"description":"WithdrawManager_OP - Earn","isPrimacyOfImpact":null},{"id":"1NOaZsBjirt4mTalBMor2g","url":"https://optimistic.etherscan.io/address/0xa8452E2d63B29783ED2E5ca0d8D4Fe0cC2161D5B#code","type":"smart_contract","addedAt":"2024-06-11T08:46:05.493Z","revision":2,"description":"farmingvault_OP - Earn","isPrimacyOfImpact":null},{"id":"Y8mZT2kREBcg5T5yvPE4O","url":"https://optimistic.etherscan.io/address/0xDa4B53F75921C109fED0ffd8AD9f22430B4c3438#code","type":"smart_contract","addedAt":"2024-06-11T08:46:17.255Z","revision":2,"description":"voidstrategy_OP - Earn","isPrimacyOfImpact":null},{"id":"1F4RO3sdP0xM6PLdn5Ngdw","url":"https://polygonscan.com/address/0x2A8Ede62D0717C8C92b88639ecf603FDF31A8428#code","type":"smart_contract","addedAt":"2024-06-11T08:46:30.293Z","revision":2,"description":"WooracleV2_2 - Swap","isPrimacyOfImpact":null},{"id":"2nsWS7a8WwGhKjr1oC0ylP","url":"https://polygonscan.com/address/0xEd9e3f98bBed560e66B89AaC922E29D4596A9642#code","type":"smart_contract","addedAt":"2024-06-11T08:46:41.318Z","revision":2,"description":"WooPPV2 - 
Swap","isPrimacyOfImpact":null},{"id":"4yH4FsoUgcqwp21KE5koQF","url":"https://polygonscan.com/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7#code","type":"smart_contract","addedAt":"2024-06-11T08:46:53.383Z","revision":2,"description":"WooRouterV2 - Swap","isPrimacyOfImpact":null},{"id":"66iEh9CHh7TYqiaZTJt0DR","url":"https://polygonscan.com/address/0xCa10E8825FA9F1dB0651Cd48A9097997DBf7615d#code","type":"smart_contract","addedAt":"2024-06-11T08:47:09.578Z","revision":2,"description":"CrosswapRouterV3.1 - Swap","isPrimacyOfImpact":null},{"id":"5qFXtdYfCtVgdqSOvKzBA7","url":"https://polygonscan.com/address/0x7Ba560eB735AbDCf9a3a5692272652A0cc81850d#code","type":"smart_contract","addedAt":"2024-06-11T08:50:05.378Z","revision":2,"description":"IntegrationHelper (token info) - Swap","isPrimacyOfImpact":null},{"id":"5Q5iZXCJD2EX9v8T4k8oaP","url":"https://polygonscan.com/address/0xba91ffD8a2B9F68231eCA6aF51623B3433A89b13#code","type":"smart_contract","addedAt":"2024-06-11T08:50:20.577Z","revision":2,"description":"StakeProxy - Stake","isPrimacyOfImpact":null},{"id":"5qI2q0wxcTFRp9um3nPVUV","url":"https://polygonscan.com/address/0xc0f8C29e3a9A7650a3F642e467d70087819926d6#code","type":"smart_contract","addedAt":"2024-06-11T08:50:31.636Z","revision":3,"description":"RewardMasterchef - Earn","isPrimacyOfImpact":null},{"id":"5h1XSJwgCIefZa48scP8pc","url":"https://polygonscan.com/address/0x1109E03516eB25eAb2150D0b274B8D4F5F3cF549#code","type":"smart_contract","addedAt":"2024-06-11T08:50:41.746Z","revision":2,"description":"USDC_SuperChargerVaultV2 - Earn","isPrimacyOfImpact":null},{"id":"2dlQSnKig5sjn9GDC76U5Q","url":"https://polygonscan.com/address/0x697c97A37bc00C2306f2b08CA14F3d55dB6Ffccd#code","type":"smart_contract","addedAt":"2024-06-11T08:50:53.310Z","revision":2,"description":"USDC_LendingManager - 
Earn","isPrimacyOfImpact":null},{"id":"1JqXyQFr4jvq5vBKzFtMp0","url":"https://polygonscan.com/address/0x3Fe2c827FF572B8fe03b7d16695c88F21448B3B9#code","type":"smart_contract","addedAt":"2024-06-11T08:51:03.406Z","revision":2,"description":"USDC_WithdrawManagerV2 - Earn","isPrimacyOfImpact":null},{"id":"21DVsDSDgYiktKc97CM9Sw","url":"https://polygonscan.com/address/0x28F88A809cCc085956AB9f978067698d25de014C#code","type":"smart_contract","addedAt":"2024-06-11T08:51:14.053Z","revision":2,"description":"USDC_VaultV2 - Earn","isPrimacyOfImpact":null},{"id":"2hrJ4AjPgeis5JRONNg1Gj","url":"https://polygonscan.com/address/0xCf43416C0b63039d87986a32D3E4cfA2f47e31A6#code","type":"smart_contract","addedAt":"2024-06-11T08:51:23.921Z","revision":2,"description":"USDC_StrategyAave - Earn","isPrimacyOfImpact":null},{"id":"60N7pXo6m8TlEzd1K39eWy","url":"https://polygonscan.com/address/0x8Ec402bD731AB88928104ccF8ee5bb41d5FEC784#code","type":"smart_contract","addedAt":"2024-06-11T08:51:32.513Z","revision":2,"description":"USDC_WOO_rewarder - Earn","isPrimacyOfImpact":null},{"id":"2blMGDxEd7MnZ9Du1tm6aY","url":"https://polygonscan.com/address/0x9DD5dD86b978f17628f01307A83347d9Ec9B0699#code","type":"smart_contract","addedAt":"2024-06-11T08:51:41.571Z","revision":2,"description":"SuperChargerVault_MATIC - Earn","isPrimacyOfImpact":null},{"id":"2FEPjJdzTab13DyrdscWic","url":"https://polygonscan.com/address/0x9f46a7F7AFd5a595C782E57B5DAe1FcC01BFF18D#code","type":"smart_contract","addedAt":"2024-06-11T08:51:53.149Z","revision":2,"description":"LendingManager_MATIC - Earn","isPrimacyOfImpact":null},{"id":"1ipvk9N2GZ1ozIKMfBbTJB","url":"https://polygonscan.com/address/0x382A9b0bC5D29e96c3a0b81cE9c64d6C8F150Efb#code","type":"smart_contract","addedAt":"2024-06-11T08:53:16.304Z","revision":2,"description":"WithdrawManager_MATIC - 
Earn","isPrimacyOfImpact":null},{"id":"1oucXQFzrbxUzMjeAvyWtY","url":"https://polygonscan.com/address/0xD5BEfE3Fecdf1C941c58119a4e395806Eea0C343#code","type":"smart_contract","addedAt":"2024-06-11T08:53:27.691Z","revision":2,"description":"farmingvault_MATIC - Earn","isPrimacyOfImpact":null},{"id":"4UGbYu6OOp3pgOpFAIYdqL","url":"https://polygonscan.com/address/0xee840247598726a71C234F6ED9B770dBb8e03f20#code","type":"smart_contract","addedAt":"2024-06-11T08:53:39.362Z","revision":2,"description":"VoidStrategy_MATIC - Earn","isPrimacyOfImpact":null},{"id":"2wyBdOiKjUpoOkN9xSehUD","url":"https://polygonscan.com/address/0x6dE98Df2005efd6793FC615bf0231de2086ae82D#code","type":"smart_contract","addedAt":"2024-06-11T08:53:50.808Z","revision":2,"description":"ExternalReward_MATIC - Earn","isPrimacyOfImpact":null},{"id":"2tAYBnV1CYnvLlh4RbPNeo","url":"https://polygonscan.com/address/0xeDBB74dA05D58b22F07184BB79ED9124791799Ac#code","type":"smart_contract","addedAt":"2024-06-11T08:54:01.257Z","revision":2,"description":"SuperChargerVault_ETH - Earn","isPrimacyOfImpact":null},{"id":"3PWZfmq8kZVxtU1GJTkdRp","url":"https://polygonscan.com/address/0x01E42CE7CDcb7a2EAaE0BB8BdCe52F0bBb63f139#code","type":"smart_contract","addedAt":"2024-06-11T08:54:10.006Z","revision":2,"description":"LendingManager_ETH - Earn","isPrimacyOfImpact":null},{"id":"14ZL4ymp8k3TSf4owVjBOU","url":"https://polygonscan.com/address/0x7f78213da92552D00Bd676466aB2ef8A9287Fd4C#code","type":"smart_contract","addedAt":"2024-06-11T08:54:18.753Z","revision":2,"description":"WithdrawManager_ETH - Earn","isPrimacyOfImpact":null},{"id":"2N4bRLF2PGxLpbboj7VgcW","url":"https://polygonscan.com/address/0x99Ad6e3c00DFBcd80b7593B1Cd8Fb8a9F1a2d230#code","type":"smart_contract","addedAt":"2024-06-11T08:54:30.098Z","revision":2,"description":"Farmingvault_ETH - 
Earn","isPrimacyOfImpact":null},{"id":"10BLUBRyUuiufh9Ofw2aKH","url":"https://polygonscan.com/address/0x33706009ce9Fb3b96C0F6Bd88126B44445E77d5b#code","type":"smart_contract","addedAt":"2024-06-11T08:54:38.981Z","revision":2,"description":"VoidStrategy_ETH - Earn","isPrimacyOfImpact":null},{"id":"3HlDtZwtylD7K0ofDhqZeB","url":"https://polygonscan.com/address/0x076AFF456b04A84aDB3Eb207Cb1e28EA3baB9BdB#code","type":"smart_contract","addedAt":"2024-06-11T08:55:04.411Z","revision":2,"description":"ExternalReward_ETH - Earn","isPrimacyOfImpact":null},{"id":"3I8MxL69MS5Jp4ixvyFEWL","url":"https://etherscan.io/address/0xAd6cA80Fe4D3c54f6433fF725d744772AaE87711#code","type":"smart_contract","addedAt":"2024-06-11T08:55:13.888Z","revision":2,"description":"WooTokenOFTAdapter - OFT","isPrimacyOfImpact":null},{"id":"1nyu0HCzzU8E2rI8DK4GGW","url":"https://etherscan.io/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7#code","type":"smart_contract","addedAt":"2024-06-11T08:55:24.252Z","revision":2,"description":"WooRouter - Swap","isPrimacyOfImpact":null},{"id":"1NgMQ2FiE02QvnVeVKIfmv","url":"https://etherscan.io/address/0xCa10E8825FA9F1dB0651Cd48A9097997DBf7615d#code","type":"smart_contract","addedAt":"2024-06-11T08:55:36.025Z","revision":2,"description":"CrossswapRouterV3.1 - Swap","isPrimacyOfImpact":null},{"id":"1LDI2XoKOOdbk0L8k8SZ1e","url":"https://etherscan.io/address/0xba91ffD8a2B9F68231eCA6aF51623B3433A89b13#code","type":"smart_contract","addedAt":"2024-06-11T08:55:46.148Z","revision":2,"description":"Stakeproxy - Stake","isPrimacyOfImpact":null},{"id":"42abjNjmF1lLen5TkNkDCb","url":"https://snowtrace.io/address/0x2A375567f5E13F6bd74fDa7627Df3b1Af6BfA5a6/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:56:29.588Z","revision":2,"description":"WooracleV2_2 - 
Swap","isPrimacyOfImpact":null},{"id":"FGu1IF0jaRb4WSsbTOzfA","url":"https://snowtrace.io/address/0xEd9e3f98bBed560e66B89AaC922E29D4596A9642/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:56:55.445Z","revision":2,"description":"WooPPV2 - Swap","isPrimacyOfImpact":null},{"id":"3wWCLRqJUQusB7ivAbaYNw","url":"https://snowtrace.io/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:57:11.283Z","revision":2,"description":"WooRouterV2 - Swap","isPrimacyOfImpact":null},{"id":"3vxp3FLnSUNWVNrnYymUJH","url":"https://snowtrace.io/address/0xCa10E8825FA9F1dB0651Cd48A9097997DBf7615d/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:57:28.180Z","revision":2,"description":"CrossswapRouterV3.1 - Swap","isPrimacyOfImpact":null},{"id":"fh98cbedWeAMHT4Q5KGPo","url":"https://snowtrace.io/address/0x020630613E296c3E9b06186f630D1bF97A2B6Ad1/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:58:19.048Z","revision":2,"description":"IntegrationHelper (token info) - Swap","isPrimacyOfImpact":null},{"id":"4KOT4Esu39Q7wDLD6kRQsl","url":"https://snowtrace.io/address/0x3Bd96847C40De8b0F20dA32568BD15462C1386E3/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:58:27.157Z","revision":2,"description":"StakeProxy - Stake","isPrimacyOfImpact":null},{"id":"59TSl4SvrMSFSJqHQP8T7n","url":"https://snowtrace.io/address/0xc0f8C29e3a9A7650a3F642e467d70087819926d6/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:58:34.616Z","revision":2,"description":"RewardMasterchef - Earn","isPrimacyOfImpact":null},{"id":"tiyfy9KiFK3nZOz0MjU4B","url":"https://snowtrace.io/address/0x866810349B2e28E411669911bB0babb06cc60625/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:58:58.853Z","revision":2,"description":"SuperChargerVault_AVAX - 
Earn","isPrimacyOfImpact":null},{"id":"4JHg4aJpP8w6fwLVis0lEw","url":"https://snowtrace.io/address/0x385E063DeA8908d06BE024de85dA5B8DA4b10F73/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:59:08.029Z","revision":2,"description":"LendingManager_AVAX - Earn","isPrimacyOfImpact":null},{"id":"6lV3B4bhMByYafdZtnoFb8","url":"https://snowtrace.io/address/0x755e4Af9E77a91999693947B02975c584D1B56F6/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:59:16.868Z","revision":2,"description":"WithdrawManager_AVAX - Earn","isPrimacyOfImpact":null},{"id":"6a92XGPQtS2K2XvQhHFVCX","url":"https://snowtrace.io/address/0xdA442c468f77F4f90032aE8ca99850eEA2091Bfe/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:59:25.666Z","revision":2,"description":"farmingvault_AVAX - Earn","isPrimacyOfImpact":null},{"id":"2SKRjN985SsFq86NV7Y6fd","url":"https://snowtrace.io/address/0x76e1775b5207d616506462aBb7292BaA2bdf5D05/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:59:35.364Z","revision":2,"description":"AVAX_AAVEstrat - Earn","isPrimacyOfImpact":null},{"id":"3N8plrdW2dauTZIjxr3hME","url":"https://snowtrace.io/address/0x91921908259559d19da415E8E407dC533BFA61EB/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:59:44.250Z","revision":2,"description":"ExternalReward_AVAX - Earn","isPrimacyOfImpact":null},{"id":"5sUFdACbXwF99ErcgYqpQn","url":"https://snowtrace.io/address/0x11B29AE3037F4526e4AA56952318e0d01ADA836A/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T08:59:54.664Z","revision":3,"description":"SuperChargerVault_USDC - Earn","isPrimacyOfImpact":null},{"id":"6UB7uSKMC0WKbZblMFVCFu","url":"https://snowtrace.io/address/0xc8Ec7f48a82a07D95110ff26FAacde9757Dd9Dc7/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:00:05.595Z","revision":2,"description":"LendingManager_USDC - 
Earn","isPrimacyOfImpact":null},{"id":"2x2VT5uEzjtNfEumt3Zukw","url":"https://snowtrace.io/address/0x1bB2ebecfbb4F78D83FB0A21cB415383779602C9/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:00:30.386Z","revision":2,"description":"WithdrawManager_USDC - Earn","isPrimacyOfImpact":null},{"id":"DvZRjrPKWex4mEIgZm623","url":"https://snowtrace.io/address/0x305F06749B98D5AA5AE48B08395615ae9466DE4D/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:00:43.668Z","revision":2,"description":"farmingvault_USDC - Earn","isPrimacyOfImpact":null},{"id":"5TFRRVMnb1A9Onnn6EYeSx","url":"https://snowtrace.io/address/0x7bcB0CC7ee1158827a1e29254E83Bd55799855C5/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:00:52.882Z","revision":2,"description":"USDC_AAVEstrat - Earn","isPrimacyOfImpact":null},{"id":"3SJdHmJTg47TyXv3FQxDMk","url":"https://snowtrace.io/address/0x65003ba7c8E30e7B15903F70B36924057adfD070/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:01:06.450Z","revision":2,"description":"ExternalReward_USDC - Earn","isPrimacyOfImpact":null},{"id":"4fwLa4csUMxJKkstaG8pJd","url":"https://snowtrace.io/address/0x1CD7B33Faf4F172146BcBB841C7AdDC96802e6c4/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:01:18.642Z","revision":3,"description":"SuperChargerVault_BTC.b - Earn","isPrimacyOfImpact":null},{"id":"54bYibwmS2Fv4tbdRilX2k","url":"https://snowtrace.io/address/0x697c97A37bc00C2306f2b08CA14F3d55dB6Ffccd/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:01:28.183Z","revision":2,"description":"LendingManager_BTC.b - Earn","isPrimacyOfImpact":null},{"id":"07Oru9ZMGuQFjcr0BMeja","url":"https://snowtrace.io/address/0xA429B468d222bb31Ff256f3D08DDC0A2D8a59664/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:01:45.091Z","revision":2,"description":"WithdrawManager_BTC.b - 
Earn","isPrimacyOfImpact":null},{"id":"1NVjxRJvClbOeUsD1CtoGu","url":"https://snowtrace.io/address/0x34C3847a9d8ff02cB50ce76d9AB6B51c610EbCde/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:01:58.104Z","revision":2,"description":"farmingvault_BTC.b - Earn","isPrimacyOfImpact":null},{"id":"6xwAmOew4PwqghJf6qXKdN","url":"https://snowtrace.io/address/0xA5e994315157e776fe0c310E48e70eb7fe8a4af3/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:02:13.658Z","revision":2,"description":"VoidStrategy_BTC.b - Earn","isPrimacyOfImpact":null},{"id":"4QS2MSti2cujIwVeFqijsk","url":"https://snowtrace.io/address/0xA5025842791224238F5606dB1f8863c87A5A9Dc1/contract/43114/code","type":"smart_contract","addedAt":"2024-06-11T09:02:23.499Z","revision":2,"description":"ExternalReward_BTC.b - Earn","isPrimacyOfImpact":null},{"id":"juJUrrMSSxhghEzH7nUNS","url":"https://bscscan.com/address/0xCa10E8825FA9F1dB0651Cd48A9097997DBf7615d#code","type":"smart_contract","addedAt":"2024-06-11T09:02:32.891Z","revision":2,"description":"CrossRouterv4 - Swap","isPrimacyOfImpact":null},{"id":"1QgSuPbldb5JPGp3X0d5uC","url":"https://bscscan.com/address/0xAA9c15cd603428cA8ddD45e933F8EfE3Afbcc173#code","type":"smart_contract","addedAt":"2024-06-11T09:02:42.591Z","revision":2,"description":"IntegrationHelper (token info) - Swap","isPrimacyOfImpact":null},{"id":"52iJn0qUTrC6vZW6AbaJqZ","url":"https://bscscan.com/address/0x2A375567f5E13F6bd74fDa7627Df3b1Af6BfA5a6#code","type":"smart_contract","addedAt":"2024-06-11T09:02:54.610Z","revision":2,"description":"WooracleV2_2 - Swap","isPrimacyOfImpact":null},{"id":"2E5CSvmLaN64iRmKMmzax7","url":"https://bscscan.com/address/0xEd9e3f98bBed560e66B89AaC922E29D4596A9642#code","type":"smart_contract","addedAt":"2024-06-11T09:03:04.376Z","revision":2,"description":"WooPPV2 - 
Swap","isPrimacyOfImpact":null},{"id":"6F6aeY3vnxeSpRN2zJgF84","url":"https://bscscan.com/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7#code","type":"smart_contract","addedAt":"2024-06-11T09:03:18.975Z","revision":2,"description":"Woorouter - Swap","isPrimacyOfImpact":null},{"id":"4kiA1kyIqkazxnYxLpJieG","url":"https://bscscan.com/address/0xba91ffD8a2B9F68231eCA6aF51623B3433A89b13#code","type":"smart_contract","addedAt":"2024-06-11T09:03:45.108Z","revision":2,"description":"WOOStakingProxy - Stake","isPrimacyOfImpact":null},{"id":"68DiDRJ81atYrQW69emutc","url":"https://bscscan.com/address/0xc0f8C29e3a9A7650a3F642e467d70087819926d6#code","type":"smart_contract","addedAt":"2024-06-11T09:04:01.824Z","revision":2,"description":"RewardMasterchef - Earn","isPrimacyOfImpact":null},{"id":"48LvNyaQYNnX5KZ40W5vp2","url":"https://bscscan.com/address/0x7eb8D4CcFDBD9dF8d3520E9C5b5edf6a5Cbe4CaD#code","type":"smart_contract","addedAt":"2024-06-11T09:04:09.894Z","revision":2,"description":"SuperChargerVault_BNB - Earn","isPrimacyOfImpact":null},{"id":"11Akwluube4MWi6KT9zstn","url":"https://bscscan.com/address/0x438baAfF63Af83549020feAD36C7de167384463a#code","type":"smart_contract","addedAt":"2024-06-11T09:04:19.521Z","revision":2,"description":"LendingManager_BNB - Earn","isPrimacyOfImpact":null},{"id":"2jwtHEV0RSoxlCKdJkCkoO","url":"https://bscscan.com/address/0x2698946AD5988759fa29093e9aF99eeA12a31bb4#code","type":"smart_contract","addedAt":"2024-06-11T09:04:28.324Z","revision":2,"description":"WithdrawManager_BNB - Earn","isPrimacyOfImpact":null},{"id":"16rLwi11Zuv7hT0KGQWgVV","url":"https://bscscan.com/address/0x85f16155c6c7dA460969DDB33dbD2c7E90Ca07EC#code","type":"smart_contract","addedAt":"2024-06-11T09:04:37.606Z","revision":2,"description":"FarmingVault_BNB - 
Earn","isPrimacyOfImpact":null},{"id":"5eaosiU55HTr8VvwSqms1x","url":"https://bscscan.com/address/0x2a8b29301C910AE1Ae17156E4f7B01eb8f72Eb05#code","type":"smart_contract","addedAt":"2024-06-11T09:04:46.662Z","revision":2,"description":"VoidStrategy_BNB - Earn","isPrimacyOfImpact":null},{"id":"1ysWS7izPzqZkZQzlwC2C2","url":"https://bscscan.com/address/0xf5d6560356Cc5d7FCBf4CA20736Af88B7cfa2Ad1#code","type":"smart_contract","addedAt":"2024-06-11T09:04:56.770Z","revision":2,"description":"ExternalReward_BNB - Earn","isPrimacyOfImpact":null},{"id":"6oVfschblPwqp12jUeUrcI","url":"https://bscscan.com/address/0x5CB9ba4a6f05c4125D61172E1b2C1DBe3afb3158#code","type":"smart_contract","addedAt":"2024-06-11T09:05:06.483Z","revision":2,"description":"SuperChargerVault_USDT - Earn","isPrimacyOfImpact":null},{"id":"6TNvUgnXaiE5nXJM2cVu8W","url":"https://bscscan.com/address/0x0510e56EDb651Fa39c3330d2f5Bf8FbECDFcc53B#code","type":"smart_contract","addedAt":"2024-06-11T09:05:15.598Z","revision":2,"description":"LendingManager_USDT - Earn","isPrimacyOfImpact":null},{"id":"61whkBAOvvwFc7D62WTVzQ","url":"https://bscscan.com/address/0x3cBB7F9a4e1E8a8430f1d400DF269B80B6872DeB#code","type":"smart_contract","addedAt":"2024-06-11T09:05:25.286Z","revision":2,"description":"WithdrawManager_USDT - Earn","isPrimacyOfImpact":null},{"id":"7vRu6v9WIlCuXNpGU94ZbM","url":"https://bscscan.com/address/0xE897b4200E3B2380469E8Dd3F987Dc62A7ADeAD7#code","type":"smart_contract","addedAt":"2024-06-11T09:05:36.453Z","revision":2,"description":"FarmingVault_USDT - Earn","isPrimacyOfImpact":null},{"id":"1ddAXT7AaBAJr1BUqT965a","url":"https://bscscan.com/address/0x497aBdf1438C673e6a74033098d4eb14a7f3C60f#code","type":"smart_contract","addedAt":"2024-06-11T09:05:45.397Z","revision":2,"description":"VoidStrategy_USDT - 
Earn","isPrimacyOfImpact":null},{"id":"4KvSXe9iqwLdhG28ph793G","url":"https://bscscan.com/address/0xdecc5458A0fDe482Ae04aB13BD6866cfcfA8cF4B#code","type":"smart_contract","addedAt":"2024-06-11T09:05:55.169Z","revision":3,"description":"ExternalReward_USDT - Earn","isPrimacyOfImpact":null},{"id":"3M24vKNUbVlxXh2oM051bz","url":"https://explorer.zksync.io/address/0xAe45cBE2d1E90358CbD216bC16f2C9267a4EA80a#contract","type":"smart_contract","addedAt":"2024-06-11T09:06:04.462Z","revision":2,"description":"WooracleV2_2 - Swap","isPrimacyOfImpact":null},{"id":"3nFRzbR1ZuXRuNO64vGiiC","url":"https://explorer.zksync.io/address/0xE656d70bc3550e3EEE9dE7dC79367A44Fd13d975#contract","type":"smart_contract","addedAt":"2024-06-11T09:06:12.660Z","revision":2,"description":"WooPPV2 - Swap","isPrimacyOfImpact":null},{"id":"4KFs7p8NWOM95CtE40nfEe","url":"https://explorer.zksync.io/address/0x09873bfECA34F1Acd0a7e55cDA591f05d8a75369#contract","type":"smart_contract","addedAt":"2024-06-11T09:06:24.099Z","revision":3,"description":"WooRouterV2 - Swap","isPrimacyOfImpact":null},{"id":"ck2JQx9YIN89x3RIk1Bbo","url":"https://explorer.zksync.io/address/0x636DfeB023463F176f87D61E3B604231986bd935#contract","type":"smart_contract","addedAt":"2024-06-11T09:06:35.286Z","revision":3,"description":"IntegrationHelper (token info) - Swap","isPrimacyOfImpact":null},{"id":"5tPPACByNFZT184j9cU1oy","url":"https://explorer.zksync.io/address/0xA8bbAB0aC88382A0f507B9E93CDbe65ffa1F50D1#contract","type":"smart_contract","addedAt":"2024-06-11T09:10:37.334Z","revision":3,"description":"SuperChargerVault_USDC - Earn","isPrimacyOfImpact":null},{"id":"3aJxtz8WZPupyPH74clUwN","url":"https://explorer.zksync.io/address/0xa681B14Ea827280213DFCBDE48D8695A745F41Ab#contract","type":"smart_contract","addedAt":"2024-06-11T09:10:48.985Z","revision":2,"description":"LendingManager_USDC - 
Earn","isPrimacyOfImpact":null},{"id":"37eVJvAWhgnjw5PvZC1Ggx","url":"https://explorer.zksync.io/address/0xa5A3235Ab50Df36A67784D7F40d2631292cBfB08#contract","type":"smart_contract","addedAt":"2024-06-11T09:11:02.356Z","revision":2,"description":"WithdrawManager_USDC - Earn","isPrimacyOfImpact":null},{"id":"472vmaj6JWOmQEBNoLCiqX","url":"https://explorer.zksync.io/address/0xAC41281Fa4648c22E1a01Deb821AcD2C64616966#contract","type":"smart_contract","addedAt":"2024-06-11T09:11:11.853Z","revision":3,"description":"FarmingVault_USDC - Earn","isPrimacyOfImpact":null},{"id":"4rQvIAVTxP4UQf8vsRGevr","url":"https://explorer.zksync.io/address/0xFf44b22E9146e30520c89237Ebb06DB4f5153e9B#contract","type":"smart_contract","addedAt":"2024-06-11T09:11:21.933Z","revision":2,"description":"VoidStrategy_USDC - Earn","isPrimacyOfImpact":null},{"id":"3oc9l0u33zHzkNOLLXMnFX","url":"https://explorer.zksync.io/address/0x1d686250BBffA9Fe120B591F5992DD7fC0FD99a4#contract","type":"smart_contract","addedAt":"2024-06-11T09:11:31.075Z","revision":2,"description":"SuperChargerVault_ETH - Earn","isPrimacyOfImpact":null},{"id":"70RykXMlal4Pp18tSBfs12","url":"https://explorer.zksync.io/address/0xaEed9101c760A2a306B6B9Ed774A775Ecc9686F3#contract","type":"smart_contract","addedAt":"2024-06-11T09:11:43.070Z","revision":2,"description":"LendingManager_ETH - Earn","isPrimacyOfImpact":null},{"id":"PrpQZnbYh4WbAxaEp9kqL","url":"https://explorer.zksync.io/address/0x674db8f08620726dAC5eF787D5e1F4784a3ABC23#contract","type":"smart_contract","addedAt":"2024-06-11T09:12:49.183Z","revision":3,"description":"WithdrawManager_ETH - Earn","isPrimacyOfImpact":null},{"id":"5TN6EQeYKUBvmmGp8Ldqm4","url":"https://explorer.zksync.io/address/0xc5D8fC6a7E72CA1e5041d528feEF42D7bD8A770c#contract","type":"smart_contract","addedAt":"2024-06-11T09:12:57.388Z","revision":3,"description":"FarmingVault_ETH - 
Earn","isPrimacyOfImpact":null},{"id":"2nkWwpraPpFnOsB5nT9jct","url":"https://explorer.zksync.io/address/0x5DaB2541175FBB2CAd3DC624Ee41917284a00fEb#contract","type":"smart_contract","addedAt":"2024-06-11T09:13:06.270Z","revision":3,"description":"VoidStrategy_ETH - Earn","isPrimacyOfImpact":null},{"id":"e6oQjQxWyOWTkI92PurHP","url":"https://lineascan.build/address/0x2A375567f5E13F6bd74fDa7627Df3b1Af6BfA5a6#code","type":"smart_contract","addedAt":"2024-06-11T09:13:15.127Z","revision":3,"description":"WooracleV2_2 - Swap","isPrimacyOfImpact":null},{"id":"GW62uH4ephqv742IQq2wk","url":"https://lineascan.build/address/0xEd9e3f98bBed560e66B89AaC922E29D4596A9642#code","type":"smart_contract","addedAt":"2024-06-11T09:13:50.329Z","revision":3,"description":"WooPPV2 - Swap","isPrimacyOfImpact":null},{"id":"hWWtqRhtf0hTRacjFwZhZ","url":"https://lineascan.build/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7#code","type":"smart_contract","addedAt":"2024-06-11T09:13:58.761Z","revision":2,"description":"WooRouterV2 - Swap","isPrimacyOfImpact":null},{"id":"3rfiKmKGhWobQQI3M0SAh5","url":"https://lineascan.build/address/0xCa10E8825FA9F1dB0651Cd48A9097997DBf7615d#code","type":"smart_contract","addedAt":"2024-06-11T09:14:09.113Z","revision":4,"description":"CrossswapRouterv3.1 - Swap","isPrimacyOfImpact":null},{"id":"1FDTFQallnoNSq9Yq5u6Ah","url":"https://lineascan.build/address/0x7e1996945eA8866DE873179DC1677E93A4380107#code","type":"smart_contract","addedAt":"2024-06-11T09:14:18.281Z","revision":2,"description":"IntegrationHelper(token info) - Swap","isPrimacyOfImpact":null},{"id":"nRoFxMxdjMoTy7aL36Dab","url":"https://mantlescan.xyz/address/0x2A375567f5E13F6bd74fDa7627Df3b1Af6BfA5a6#code","type":"smart_contract","addedAt":"2024-06-11T09:14:26.202Z","revision":3,"description":"WooracleV2_2 - 
Swap","isPrimacyOfImpact":null},{"id":"2FmE5VcRicmRw35Z03KwV0","url":"https://mantlescan.xyz/address/0xEd9e3f98bBed560e66B89AaC922E29D4596A9642#code","type":"smart_contract","addedAt":"2024-06-11T09:14:36.136Z","revision":3,"description":"WooPPV2 - Swap","isPrimacyOfImpact":null},{"id":"5PZD293UKv1HuooTLI3ywo","url":"https://mantlescan.xyz/address/0x4c4AF8DBc524681930a27b2F1Af5bcC8062E6fB7#code","type":"smart_contract","addedAt":"2024-06-11T09:14:45.049Z","revision":3,"description":"WooRouterV2 - Swap","isPrimacyOfImpact":null},{"id":"3ZXvRdpxtUOWtRIhBYTLs5","url":"https://mantlescan.xyz/address/0xCa10E8825FA9F1dB0651Cd48A9097997DBf7615d#code","type":"smart_contract","addedAt":"2024-06-11T09:14:53.009Z","revision":3,"description":"CrossswapRouterv3.1 - Swap","isPrimacyOfImpact":null},{"id":"1v77JGlIWyitnMuOOgWnpn","url":"https://mantlescan.xyz/address/0x86b223E83D2FA43456b433687c8F47A35a9bE24C#code","type":"smart_contract","addedAt":"2024-06-11T09:15:01.914Z","revision":3,"description":"IntegrationHelper(token info) - Swap","isPrimacyOfImpact":null}],"assetsBodyV2":"Only those in the Assets in Scope table are considered as in-scope of the bug bounty program.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","Avalanche","BSC","Base","ETH","Optimism"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-01-17T07:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2pkxnnF4HGjcXfdwHaF4vT/154024f02b72c685178a08570765c57e/WOOFi_Logo_Option_1__1_.png","maxBounty":100000,"pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"__Impacts in Scope__\n\nOnly the following impacts are 
accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n__Smart Contracts/Blockchain__\n\n  - Loss of user funds staked (principal) by freezing or theft\n  - Loss of governance funds\n  - Theft of unclaimed yield\n  - Freezing of unclaimed yield\n  - Temporary freezing of funds for 1 day\n  - Unable to call smart contract\n  - Smart contract gas drainage\n  - Smart contract fails to deliver promised returns\n  - Incorrect polling actions","productType":["AMM","CEX","DEX","Staking"],"programOverview":"WOOFi is a unique decentralized exchange that bridges the deep liquidity of centralized exchanges on chain. This enables DeFi traders to swap with size and maximize their profits through the lowest swap fee and minimal slippage.\n\nIn addition to this, WOOFi has four other core components:\nCross-chain swaps - Move any asset quickly and seamlessly across 10 supported chains with minimum slippage\nRevenue sharing - Stake WOO tokens and earn 80% of all protocol fees in WOO or USDC\nSupercharged yields - Lend assets to WOOFi's liquidity manager and earn leading single-sided yield, free of impermanent loss\nPerpetual futures - Trade perpetual futures with WOOFi Pro's order book, enjoy the CeFi trading experience while keeping self-custody\n\nFor more information about WOOFi, please visit [https://fi.woo.org/](https://fi.woo.org/) \n\nThis bug bounty program is focused on their smart contracts and is focused on preventing:\n\n  - Thefts and freezing of principal of any amount\n  - Thefts and freezing of unclaimed yield of any amount\n  - Theft of governance funds\n  - Economic exploits","programType":["Smart Contract"],"project":"WOOFi","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System 
V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nAll bug reports must come with a PoC and a suggestion for a fix in order to be considered for a reward.\n\nAll known issues previously highlighted in the [past audit reports](https://learn.woo.org/v/woofi-dev-docs/references/audits-and-bounties) are considered to be out-of-scope.\n\nPayouts are handled by the WOOFi team directly and are denominated in USD. However, payouts are done in __WOO__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"WOO","slug":"woofi","tenPercentEconomicRule":false,"updatedDate":"2024-10-28T15:02:53.629Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"WOOFi is a unique decentralized exchange that bridges the deep liquidity of centralized exchanges on chain. This enables DeFi traders to swap with size and maximize their profits through the lowest swap fee and minimal slippage.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third-party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":1671,"type":"smart_contract","severity":"low","title":"Smart contract fails to deliver promised returns"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":1672,"type":"smart_contract","severity":"high","title":"Freezing of unclaimed yield"},{"id":1673,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for 1 day"},{"id":1674,"type":"smart_contract","severity":"medium","title":"Unable to call smart contract"},{"id":1675,"type":"smart_contract","severity":"medium","title":"Smart contract gas drainage"},{"id":1676,"type":"smart_contract","severity":"critical","title":"Loss of user funds staked (principal) by freezing or theft"},{"id":1677,"type":"smart_contract","severity":"critical","title":"Loss of governance funds"},{"id":1678,"type":"smart_contract","severity":"critical","title":"Incorrect polling 
actions"}],"rewards":[{"id":5288,"severity":"high","assetType":"smart_contract","maxReward":20000,"minReward":5000,"rewardModel":"range"},{"id":5289,"severity":"medium","assetType":"smart_contract","maxReward":5000,"minReward":1000,"rewardModel":"range"},{"id":5290,"severity":"low","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":8218,"severity":"critical","assetType":"smart_contract","maxReward":100000,"rewardModel":"up_to"}],"audits":[]},{"assets":[{"id":"4E4biFstmZ39Yn6Ao3uAIf","url":"https://moonriver.moonscan.io/address/0x40375Db8A4e733c2d2f515473cebE56970D1192b","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"USDC-Aggregator-r2-v0","isPrimacyOfImpact":null},{"id":"gronQgi4Sq10FYuN9zJEj","url":"https://optimistic.etherscan.io/address/0xc2b37a776b8B98C5AD656b4F3C3B239F7dBE6459","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"USDC-Aggregator-r2-v0","isPrimacyOfImpact":null},{"id":"73npgcREPxuDvxKP5hWBKu","url":"https://optimistic.etherscan.io/address/0x10A1b6019ac090892530A2E89A0512e8bB437DdF","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"USDC-Aggregator-r0-v0","isPrimacyOfImpact":null},{"id":"3yez2CzSreprPvL52zuu1B","url":"https://optimistic.etherscan.io/address/0x7e5B4E4b06AE5beeD13056c402b8630239Bd2eea","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"ETH-Aggregator-r2-v0","isPrimacyOfImpact":null},{"id":"7F8GGS24d93yRB8xvxPlFC","url":"https://optimistic.etherscan.io/address/0x55829702477998369D5b001cA0f0E8cB4917e365","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"ETH-Aggregator-r0-v0","isPrimacyOfImpact":null},{"id":"6yQAo8Wki9uxp2yBESYq1H","url":"https://arbiscan.io/address/0x09e677692a17dA303A868D46C53aC53B1901D90E","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"USDC-Aggregator-r2-v0",
"isPrimacyOfImpact":null},{"id":"nSIpVjeNLDbVgyqnqHlgW","url":"https://arbiscan.io/address/0xbe2Be6a2DAcf9dCC76903756ee8e085B1C5a2c30","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"USDC-Aggregator-r0-v0","isPrimacyOfImpact":null},{"id":"52ZRPA7B2PgeUSWnyikwzp","url":"https://arbiscan.io/address/0x4c457498fde2E44582cd669f5ad1035bD23Ad376","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"ETH-Aggregator-r2-v0","isPrimacyOfImpact":null},{"id":"7xh0aid0cnXT2iNFON7562","url":"https://arbiscan.io/address/0x6dC873656fCde76dFAe75146D9B2B4b6697a0594","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"ETH-Aggregator-r0-v0","isPrimacyOfImpact":null},{"id":"3ThosR0tijMzPlWdoif7SQ","url":"https://moonriver.moonscan.io/address/0x7acE71f029fe98E2ABdb49aA5a9f86D916088e7A","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"HLP_USDC-MOVR_Solar-Well_moonriver_v0_0_Vault","isPrimacyOfImpact":null},{"id":"5ZLDkw4NTKRfTXfxZQcwap","url":"https://moonriver.moonscan.io/address/0x32884BaADfC211309D9A6Baa2BB46Fe4B2434D05","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"HLP_USDC-MOVR_Solar-Well_moonriver_v0_1_Vault","isPrimacyOfImpact":null},{"id":"20F0VPEsxts9tGu9cLFKiK","url":"https://optimistic.etherscan.io/address/0xe793Fe8eaF4980ec385f879aAb3877284Fc38661","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LLP_USDC-ETH_Tarot-Velo_optimism_v0_0_Vault","isPrimacyOfImpact":null},{"id":"46iGlYDmOIoHnnPdBJpdyW","url":"https://optimistic.etherscan.io/address/0xdb569C898E0aa691c047B4836672058D29690730","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LLP_ETH-USDC_Tarot-Velo_optimism_v0_0_Vault","isPrimacyOfImpact":null},{"id":"6wQaVJCJQJmNej5EJgFiUI","url":"https://arbiscan.io/address/0x8f878DE65E681bb701f014a4fbF77418c225f
4Cb","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LLP_USDC-ETH_Tarot-Xcal_arbitrum_v0_0_Vault","isPrimacyOfImpact":null},{"id":"3iq2u49GRvRY0senCBB4Al","url":"https://arbiscan.io/address/0xBA23f815E15242C366d78dA15A0355C242048F86","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LLP_ETH-USDC_Tarot-Xcal_arbitrum_v0_0_Vault","isPrimacyOfImpact":null},{"id":"4sJmk90D9cHuyU8JHGjIMD","url":"https://optimistic.etherscan.io/address/0x6c29834a5E7359055B7F637A5EC1B29047c8E8Da","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LND_ETH-USDC_Tarot_optimism_v0_0_Vault","isPrimacyOfImpact":null},{"id":"1lNh4JAvjOCyUN7GhdpAOe","url":"https://optimistic.etherscan.io/address/0x3eD6c8424089A88aae2e963F4592ea4101Bb5846","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LND_USDC-ETH_Tarot_optimism_v0_0_Vault","isPrimacyOfImpact":null},{"id":"16YnMIHSUY5iEuRpsXzx8l","url":"https://arbiscan.io/address/0x22914d115E5E9B9a88C4101a1f2E1090c2fA7913","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LND_ETH-USDC_Tarot_arbitrum_v0_0_Vault","isPrimacyOfImpact":null},{"id":"4fQTUOlZLWLKQ2ZJwiqOJL","url":"https://arbiscan.io/address/0xA6F224428a168a0F6eCFCB070D6a36e2291a6719","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LND_USDC-ETH_Tarot_arbitrum_v0_0_Vault","isPrimacyOfImpact":null},{"id":"2XiB42A2zBkJgBAenZd0nN","url":"https://optimistic.etherscan.io/address/0x4202b73de0e3893F6cB183a085b15AdA2Ed11B91","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LND_USDC_Stargate_optimism_v0_0_Vault","isPrimacyOfImpact":null},{"id":"iTHwJ7OqhwdF3QYqaxK17","url":"https://arbiscan.io/address/0x2Fb6EbbEd6bB744Cd6aFCDA674CE0De38d1f987F","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LND_USD
C_Stargate_arbitrum_v0_0_Vault","isPrimacyOfImpact":null},{"id":"40eRteDRWXBlbSZh7Kp7oV","url":"https://arbiscan.io/address/0xDBF024FF5b9DF294ccF637E663e2BF86e507d6d5","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LND_USDC_Synapse_arbitrum_v0_0_Vault","isPrimacyOfImpact":null},{"id":"oyk3HrsMV2aOYu1lDx06a","url":"https://arbiscan.io/address/0x5FEcb965C834101FD26d6D7D392dA69746b87585","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"LND_ETH_Synapse_arbitrum_v0_0_Vault","isPrimacyOfImpact":null},{"id":"5NzRQrN7ePHv7olt5JumbY","url":"https://moonriver.moonscan.io/address/0x087932f702aa80bbec47875186702ec41fab5ada","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":2,"description":"MasterChefCompMulti.sol","isPrimacyOfImpact":null},{"id":"4omVc6zNppFFCgr45gaYa7","url":"https://moonriver.moonscan.io/address/0x402b16adae502e5b5a49f4593face220ab0b6dfb","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":2,"description":"MasterChefCompMulti.sol","isPrimacyOfImpact":null},{"id":"t5hZG3VcJdBgwQ0ZBzW1b","url":"https://optimistic.etherscan.io/address/0x1BFb4C5d84aA3e6564491659706B09a25a6819E4","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"IMX.sol","isPrimacyOfImpact":null},{"id":"3kpYssdcQ1LJb7yOgldmqp","url":"https://optimistic.etherscan.io/address/0x70E9D7dBDb6e276E5e298488F7dA913509239EDb","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"IMX.sol","isPrimacyOfImpact":null},{"id":"2q3A8XQg4vBDrOTw8dgFeI","url":"https://arbiscan.io/address/0xc5A80FADbAd866D41C4C4eb2E7eb62b4d5cBD976","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"IMX.sol","isPrimacyOfImpact":null},{"id":"2Oh27FIvCsgh29946KUXDS","url":"https://arbiscan.io/address/0xd79a593b9bbC2C325d7e9cdc6d55C534a3E2Ac2F","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","r
evision":1,"description":"IMX.sol","isPrimacyOfImpact":null},{"id":"4Ir7ZezPiENMbVHIuDDEzp","url":"https://optimistic.etherscan.io/address/0x8544B4c89f2D90Adb1184dF4a3Bc3E9d67118867","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"IMXLendStrategy.sol","isPrimacyOfImpact":null},{"id":"5nkXdqA1a2fHfFLL7qDhm6","url":"https://optimistic.etherscan.io/address/0x141639034301d5E66dfe6961e8fe173D4D48Ef3B","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"IMXLendStrategy.sol","isPrimacyOfImpact":null},{"id":"6mgnKZwi0RgQOf6OL69blm","url":"https://arbiscan.io/address/0xbfa0108861A1d95B1c4BA62E98B3f084026F5196","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"IMXLendStrategy.sol","isPrimacyOfImpact":null},{"id":"6fsRqpDduyeTQD1UAY7FMV","url":"https://arbiscan.io/address/0xa701d16ee79AB65C929C2918343f28d6450b5056","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"IMXLendStrategy.sol","isPrimacyOfImpact":null},{"id":"7fwU9zZNUCSJwGgAEOy6BM","url":"https://optimistic.etherscan.io/address/0x79Fe2Ec964E8A361188f4020D3Def3bdd023d152","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"StargateStrategy.sol","isPrimacyOfImpact":null},{"id":"1WSHfclHok8eqda4hzBGOl","url":"https://arbiscan.io/address/0x36EeAe644B247Cb285f4C299c72e6a56bb50F2D6","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"StargateStrategy.sol","isPrimacyOfImpact":null},{"id":"5j1BZOPBSYYYKsxbu53Ayg","url":"https://arbiscan.io/address/0xb7aA4Bf9362a66b98D138BFaCabF0ae7bf316599","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"SynapseStrategy.sol","isPrimacyOfImpact":null},{"id":"yQTsov2eCwaKYbV2gh8PM","url":"https://arbiscan.io/address/0xD9E1AF0a23150E0Dd53E9D36311Cd31311961Eef","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision
":1,"description":"SynapseStrategy.sol","isPrimacyOfImpact":null},{"id":"6Jr441cEi7gfQvYC4of4zT","url":"https://arbiscan.io/address/0x84c002286cfa125fcc5e9a39e6564f5c5afbc43f","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"veSect.sol","isPrimacyOfImpact":null},{"id":"6ncd9Q3ubZeBs0k0Kd2yPV","url":"https://arbiscan.io/token/0x84c002286cfa125fcc5e9a39e6564f5c5afbc43f","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"VotingEscrow.sol","isPrimacyOfImpact":null},{"id":"63SVmbYE2Wk6AcpBlMLLRQ","url":"https://arbiscan.io/token/0x02F60921f07024a5b44b6e299Ae23749090dbCfc","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"bSect.sol","isPrimacyOfImpact":null},{"id":"1uTLTDfrAZc6mCgyD0eFHr","url":"https://arbiscan.io/address/0xD7aF644b6747b0cDF84443416c38102B3CE45DA6","type":"smart_contract","addedAt":"2023-05-11T11:00:00.000Z","revision":1,"description":"RewardDistributor.sol","isPrimacyOfImpact":null},{"id":"XtmZ2QeAZ4qZqqeSMnO1p","url":"https://optimistic.etherscan.io/address/0x7671B604a73bb97E42301F67CE481e18745FD6e8","type":"smart_contract","addedAt":"2023-05-24T19:52:13.310Z","revision":1,"description":"HLP_USDC-ETH_Velo-Aave_optimism_v0_0 SCYVaultU.sol","isPrimacyOfImpact":null},{"id":"5JJF2wWj8mUdbgQLv2A8mq","url":"https://optimistic.etherscan.io/address/0x728ddda91e57078794fc7be6acb84d7cc51d760a","type":"smart_contract","addedAt":"2023-05-24T19:52:11.065Z","revision":2,"description":"SolidlyAave.sol","isPrimacyOfImpact":null},{"id":"3mf2ut5H8Xxl6mmHDkvBdK","url":"https://arbiscan.io/address/0xF35Ea59A62bfaB2a0C4dC419dAff8df51E4934eb","type":"smart_contract","addedAt":"2023-05-24T19:52:08.885Z","revision":1,"description":"HLP_USDC-ETH_Sushi-Aave_arbitrum_v0_0 
SCYVaultU.sol","isPrimacyOfImpact":null},{"id":"4MK75MONSBWe6F17bMAs77","url":"https://arbiscan.io/address/0x5ad70224d23c6e39801e3ca1ee00a46c0788fbd1","type":"smart_contract","addedAt":"2023-05-24T19:52:06.142Z","revision":2,"description":"MiniChefAave.sol","isPrimacyOfImpact":null},{"id":"2gh3hqgnFZcss2p0PuwI3c","url":"https://arbiscan.io/address/0xcE94D3C4660dEF1Be6C2D79Ff7c0006cB1f6B324","type":"smart_contract","addedAt":"2023-05-24T19:52:03.293Z","revision":1,"description":"HLP_USDC-ETH_Xcal-Aave_arbitrum_v0_0 SCYVaultU.sol","isPrimacyOfImpact":null},{"id":"7BLYduNg2faVUcpTS6Iq6V","url":"https://arbiscan.io/address/0x24f1f414ba1c1ace4f0a795b32b901014f256eee","type":"smart_contract","addedAt":"2023-05-24T19:52:01.072Z","revision":2,"description":"SolidlyAave.sol","isPrimacyOfImpact":null},{"id":"4fhcu4AJGKNQKyjmS2u3ES","url":"https://arbiscan.io/address/0x7c3f91a0806beF783686Bdf4968BD90e79732F79","type":"smart_contract","addedAt":"2023-05-24T19:51:59.279Z","revision":1,"description":"HLP_USDC-ETH_Camelot-Aave_arbitrum_v0_0 SCYVaultU.sol","isPrimacyOfImpact":null},{"id":"1YCOWyQ9CHzaxTEXtxZSki","url":"https://arbiscan.io/address/0x317346ba5489998bf63b56cf47149497805a6ea9","type":"smart_contract","addedAt":"2023-05-24T19:51:56.792Z","revision":2,"description":"CamelotAave.sol","isPrimacyOfImpact":null},{"id":"3q6yeDVLNLaQ1GTbMvnNBz","url":"https://arbiscan.io/address/0xf45fed6904cf65b1734f98259b2c2aaf8ceffee0","type":"smart_contract","addedAt":"2023-05-24T19:51:54.366Z","revision":1,"description":"sectGrail.sol","isPrimacyOfImpact":null}],"assetsBodyV2":"Only those listed in the Assets in Scope table are considered to be in-scope of the bug bounty program. \n\nVulnerabilities found in code used by multiple contracts (ex: proxy contracts or multi-chain deployments) will count as a single submission. In other words, if one vulnerability can be executed on the same identical code over multiple contracts, this would count as a single report. 
When submitting such a report select one of the affected contracts and add links to others in the body of the report.\n\n__Smart Contracts__ \n\n- __Smart Contracts - PoC__, Smart Contract bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.  \n- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n- Smart contracts of Sector Finance strategies and vaults can be found at:\n[https://github.com/sector-fi/sector-contracts/tree/main](https://github.com/sector-fi/sector-contracts/tree/main) \n- All smart contracts of Sector Finance tokens can be found at: [https://github.com/sector-fi/sector-token/tree/main/src](https://github.com/sector-fi/sector-token/tree/main/src)\n- Only the main branch is in-scope for all repositories.\n\nWhitehats are highly encouraged to review any potential subdomains and what specific port(s) are in scope. Even though the domain may be the same, different ports may point to different assets.  \n\n__Dev Environment and Documentation__\n\nSector Finance has included dev documentation and/or instructions to help in reviewing code and exploring for bugs:\n- [https://github.com/sector-fi/sector-contracts ](https://github.com/sector-fi/sector-contracts)(see README)\n\n__Impacts in Scope__\n\n(For Blockchain/DLT and Smart Contracts Only) This program is considered to be governed by Primacy of Rules. 
For more information on what this means visit: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\nImpacts are based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/)\n\nAt Immunefi, we classify bugs on a simplified 5-level scale:\n- Critical\n- High\n- Medium\n- Low\n- None","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Optimism","Arbitrum"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-05-11T11:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/7dVrw3BxzBhUqx2Sjxx9bR/9241082817e84f0b5796bd5b2e6513d6/logo_small.svg","maxBounty":25000,"pocPerTypeAndSeverity":["smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are considered out-of-scope and ineligible for payout.","productType":["Asset Management","Yield Aggregator","Staking"],"programOverview":"Transparent Risk, Real Yield. Earn yield based on your own risk preference.\n\nSector Finance consists of three  core products:  1. The risk engine, 2. Single-strategy investments vaults and 3. Aggregator vaults. The risk engine evaluates and organizes the crypto-risk of our single-strategy investment vaults. The platform then creates structured product vaults that aggregate investment strategies to match the exact risk profile of a user. 
\n\nWhile risk is an inherent aspect of investing, it is important that both individual and institutional investors are not subjected to the risks associated with poorly constructed products and obscure risk assessment methods. Sector Finance aims to promote the widespread adoption of digital assets by developing innovative financial products and providing investors with information regarding their risk exposures.\n\nFor more information about Sector Finance, please visit [https://sector.finance/ ](https://sector.finance/) \n\n__For Whitehats:__ It is highly recommended that you review the details of this program in full. Although many Bug Bounty programs have standard terms and conditions, each also has their own unique details that are critical to your success.  \n\nPrior to submitting a report please review the [Immunefi Bug Report Template and Best Practices. ](https://immunefisupport.zendesk.com/hc/en-us/articles/12435277406481-Bug-Report-Template)","programType":["Smart Contract"],"project":"Sector Finance","projectType":["Defi"],"rewardsBody":"Please review how rewards are distributed based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/) This is a simplified 5-level scale system with separate scales for Smart Contracts and Websites/Apps.\n\nRewards for critical smart contract bug reports will be further capped at 10% of direct funds at risk if the bug discovered is exploited.  However, there is a minimum reward of USD 2 000.\n\n__Payouts and Payout Requirements__\n\nPayouts are handled by the Sector Finance team directly and are denominated in USD. However, payouts are done in USDC. Sector Finance commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures. 
\n\nFor the purposes of determining report validity, this is a Primacy of Rules program. \n\nLearn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) \n\n__KYC Requirements__\n\nSector Finance __does not__ have a Know Your Customer (KYC) requirement for bug bounty payouts. \n\n__Audit Discoveries and Known Issues__\n\nBug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. \n\nPrevious audits and known issues:\n- Sandwich attacks targeting harvests or other deposits that result in griefing or failed transactions (DDOS).\n- Depositing into Aggregator vaults when the share price is temporarily deflated and thus getting a better entry price.\n- Front-running Aggregator vault harvests by depositing immediately before a profitable harvest and withdrawing funds immediately after.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"","slug":"sectorfinance","updatedDate":"2024-10-28T13:30:56.484Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_3","description":"Sector Finance aims to promote the widespread adoption of digital assets by developing innovative financial products and providing investors with information regarding their risk exposures.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Broken link hijacking is out of scope\n- Best practice critiques","customProhibitedActivities":["The following activities are prohibited by this bug bounty program. Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team, which may also result in: 1) the forfeiture and loss of access to all bug submissions, and 2) zero payout.","Please note that Immunefi has no tolerance for spam/low-quality/incomplete bug reports, “beg bounty” behavior, and misrepresentation of assets and severity. Immunefi exists to protect the global crypto community, not facilitate grift."],"impacts":[{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":8214,"severity":"critical","assetType":"smart_contract","maxReward":25000,"minReward":2000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"21MMDLCRBfDz3XwZo8zYLe","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/admin/collect_fund_fee.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"collect_fund_fee 
","isPrimacyOfImpact":null},{"id":"6Tf5pUWeCUJ9Gb3XlMZUNi","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/admin/collect_protocol_fee.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"collect_protocol_fee","isPrimacyOfImpact":null},{"id":"xut8H2wW9oRIQmZzfyQ8c","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/admin/create_operation_account.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"create_operation_account","isPrimacyOfImpact":null},{"id":"76hXj66l5zMVXHw4YuMCEO","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/admin/mod.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"admin/mod","isPrimacyOfImpact":null},{"id":"kTmKooV5Fcrbf0tAlWQaQ","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/admin/transfer_reward_owner.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"transfer_reward_owner","isPrimacyOfImpact":null},{"id":"60EQc3Zbtg7DYfkyjCyqAf","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/admin/update_amm_config.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"update_amm_config","isPrimacyOfImpact":null},{"id":"456Vqsr4rz5Up6CXGYOSy9","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/admin/update_operation_account.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"update_operation_account","isPrimacyOfImpact":null},{"id":"01bbpcWp0jlxbfxAZXMm4w","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/admin/update_pool_status.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"des
cription":"update_pool_status","isPrimacyOfImpact":null},{"id":"1uvuqU0ibJ4qCicqeuOC9m","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/close_position.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"close_position","isPrimacyOfImpact":null},{"id":"777KtUlC5PDxV8MnBXYt5U","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/collect_remaining_rewards.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"collect_remaining_rewards","isPrimacyOfImpact":null},{"id":"6Qxk3KzKdFYIp0fkLGjeIo","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/create_pool.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"create_pool","isPrimacyOfImpact":null},{"id":"ZYrm8zPDGR6egygGu2rnK","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/decrease_liquidity.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"decrease_liquidity","isPrimacyOfImpact":null},{"id":"17r3lQmHxnKD2QeLsGZrpD","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/increase_liquidity.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"increase_liquidity","isPrimacyOfImpact":null},{"id":"486uIoRgvUtjmIvHC4bZ2x","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/initialize_reward.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"initialize_reward","isPrimacyOfImpact":null},{"id":"7xTxC5eJrXc86LD241XR7s","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/mod.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"instructions/mod","isPrimacyOfImpa
ct":null},{"id":"4RTH4Nu0DsGQd4lCo3oTUV","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/open_position.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"open_position","isPrimacyOfImpact":null},{"id":"1NRrkBkpHyGNrBq76B6Xdr","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/set_reward_params.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"set_reward_params","isPrimacyOfImpact":null},{"id":"4WmIe4fjB4PfsNdarr4LlZ","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/swap.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"swap","isPrimacyOfImpact":null},{"id":"6VRucZLFFaMjESc3GMiaoK","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/swap_router_base_in.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"swap_router_base_in","isPrimacyOfImpact":null},{"id":"5tMIpwpq8RteoCBv3m50ZQ","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/instructions/update_reward_info.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"update_reward_info","isPrimacyOfImpact":null},{"id":"5W29Quicr6WoSQFJFFdVNl","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/libraries/big_num.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"big_num","isPrimacyOfImpact":null},{"id":"3hvY6aszP94IzYX2oVqG4K","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/libraries/fixed_point_64.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"fixed_point","isPrimacyOfImpact":null},{"id":"6vzzX6yIA2xX71lyuQtLPh","url":"https://github.com/raydium-io/raydium-amm-v3/blo
b/master/programs/amm/src/libraries/full_math.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"full_math","isPrimacyOfImpact":null},{"id":"vVAY48h0kx71IvDfUlz33","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/libraries/liquidity_math.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"liquidity_math","isPrimacyOfImpact":null},{"id":"5H77grUbcFLNdnC9ZgTx4Z","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/libraries/mod.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"libraries/mod","isPrimacyOfImpact":null},{"id":"4zaot7ZveNYB7GN1FGgqVM","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/libraries/sqrt_price_math.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"sqrt_price_math","isPrimacyOfImpact":null},{"id":"3l44sXLD4uZr0kF7qsuETT","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/libraries/swap_math.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"swap_math","isPrimacyOfImpact":null},{"id":"5rmYt3tZU8q154xTdgsdVP","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/libraries/tick_array_bit_map.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"tick_array_bit_map","isPrimacyOfImpact":null},{"id":"2v7NQj97yFofCA82oLn3gK","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/libraries/tick_math.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"tick_math","isPrimacyOfImpact":null},{"id":"oyh7egCVYdzvgbvLf4Oig","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/libraries/unsafe_math.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"des
cription":"unsafe_math","isPrimacyOfImpact":null},{"id":"2LyTTDlTOacMVKhsRIs8sX","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/states/config.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"config","isPrimacyOfImpact":null},{"id":"4uq14lU4rxDhzw2Nj7wb1J","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/states/mod.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"states/mod","isPrimacyOfImpact":null},{"id":"4qDiQTyljJS3Sn77T45N85","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/states/operation_account.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"operation_account","isPrimacyOfImpact":null},{"id":"6gUcTO8ciIi9tKIGtisWH0","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/states/oracle.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"oracle","isPrimacyOfImpact":null},{"id":"3200dQUv168H69hZ7ORtiS","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/states/personal_position.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"personal_position","isPrimacyOfImpact":null},{"id":"3bn4uMuqBirZIoB8cJ8mrd","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/states/pool.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"pool","isPrimacyOfImpact":null},{"id":"3O4pimGr5LIxlvCUsthbio","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/states/protocol_position.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"protocol_position","isPrimacyOfImpact":null},{"id":"1xRKcrIYTZq0sd3eBYiqnr","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/stat
es/tick_array.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"tick_array","isPrimacyOfImpact":null},{"id":"17NTiVe3nyUQ4wprk1Y8dg","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/util/access_control.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"access_control","isPrimacyOfImpact":null},{"id":"49b3I1QxyayoOWPZRd2wdt","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/util/mod.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"util/mod","isPrimacyOfImpact":null},{"id":"3g1n6tTpba2Zka9mAQdX54","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/util/system.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"system","isPrimacyOfImpact":null},{"id":"3m9Rt7cqpj7mnWBqk5bGz4","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/util/token.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"token","isPrimacyOfImpact":null},{"id":"2xsSLk6HFny6NUrH9viwqW","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/error.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":2,"description":"error","isPrimacyOfImpact":null},{"id":"5f23K4urUvjF7Hfzjqyyd7","url":"https://github.com/raydium-io/raydium-amm-v3/blob/master/programs/amm/src/lib.rs","type":"smart_contract","addedAt":"2023-04-25T12:00:00.000Z","revision":1,"description":"lib","isPrimacyOfImpact":null},{"id":"7LYX6Zv0VTvy7kDDmLzJ08","url":"https://github.com/raydium-io/raydium-amm/blob/master/program/src/lib.rs","type":"smart_contract","addedAt":"2023-12-27T19:09:48.368Z","revision":1,"description":"lib","isPrimacyOfImpact":null},{"id":"3nlyvCWsEZRtL5m7CPY1xQ","url":"https://github.com/raydium-io/raydium-amm/blob/master/program/src/entrypoint.rs","ty
pe":"smart_contract","addedAt":"2023-12-27T19:10:02.490Z","revision":1,"description":"entrypoint","isPrimacyOfImpact":null},{"id":"2EToSW77M5EcXCjeWQuDIx","url":"https://github.com/raydium-io/raydium-amm/blob/master/program/src/instruction.rs","type":"smart_contract","addedAt":"2023-12-27T19:10:16.128Z","revision":1,"description":"instruction","isPrimacyOfImpact":null},{"id":"6xGORb2i6l4s5x2saAicOf","url":"https://github.com/raydium-io/raydium-amm/blob/master/program/src/error.rs","type":"smart_contract","addedAt":"2023-12-27T19:10:29.452Z","revision":1,"description":"error","isPrimacyOfImpact":null},{"id":"3XGeDFTzD14I1vGcVVlU0h","url":"https://github.com/raydium-io/raydium-amm/blob/master/program/src/invokers.rs","type":"smart_contract","addedAt":"2023-12-27T19:10:44.017Z","revision":1,"description":"invokers","isPrimacyOfImpact":null},{"id":"7eM063QiBGdLNAEUR2lLPR","url":"https://github.com/raydium-io/raydium-amm/blob/master/program/src/log.rs","type":"smart_contract","addedAt":"2023-12-27T19:10:58.154Z","revision":1,"description":"log","isPrimacyOfImpact":null},{"id":"5jM7OV4l3WOrwdB1y4l7Ax","url":"https://github.com/raydium-io/raydium-amm/blob/master/program/src/math.rs","type":"smart_contract","addedAt":"2023-12-27T19:11:11.111Z","revision":1,"description":"math","isPrimacyOfImpact":null},{"id":"aOK0pO728LRTWKnI3VyME","url":"https://github.com/raydium-io/raydium-amm/blob/master/program/src/processor.rs","type":"smart_contract","addedAt":"2023-12-27T19:11:23.441Z","revision":1,"description":"processor","isPrimacyOfImpact":null},{"id":"76uh4XiN3aG1bWmw8FSWdo","url":"https://github.com/raydium-io/raydium-amm/blob/master/program/src/state.rs","type":"smart_contract","addedAt":"2023-12-27T19:11:36.920Z","revision":1,"description":"state","isPrimacyOfImpact":null},{"id":"56xMffkpjD4FmamoDTzgC2","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/lib.rs","type":"smart_contract","addedAt":"2024-03-26T15:12:47.225Z","revision":1,"descr
iption":"lib","isPrimacyOfImpact":null},{"id":"2tDvQXwIOVLyHLKJjTPDFX","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/error.rs","type":"smart_contract","addedAt":"2024-03-26T15:14:09.800Z","revision":1,"description":"error","isPrimacyOfImpact":null},{"id":"7v8hZrIwb6Uo17RbuL4Fvq","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/admin/collect_fund_fee.rs","type":"smart_contract","addedAt":"2024-03-26T15:14:31.552Z","revision":1,"description":"collect_fund_fee","isPrimacyOfImpact":null},{"id":"4eb2wSMzzWHoLcWNdLHW38","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/admin/collect_protocol_fee.rs","type":"smart_contract","addedAt":"2024-03-26T15:14:52.339Z","revision":1,"description":"collect_protocol_fee","isPrimacyOfImpact":null},{"id":"2DNojC9iVlW3W5nAcPdj0k","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/admin/create_config.rs","type":"smart_contract","addedAt":"2024-03-26T15:15:10.734Z","revision":1,"description":"create_config","isPrimacyOfImpact":null},{"id":"1qQbY63qutJD4PP4CALhlQ","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/admin/mod.rs","type":"smart_contract","addedAt":"2024-03-26T15:15:28.960Z","revision":1,"description":"admin 
mod","isPrimacyOfImpact":null},{"id":"4HsWWB5fzYDtTt3VscKcHX","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/admin/update_config.rs","type":"smart_contract","addedAt":"2024-03-26T15:15:46.362Z","revision":1,"description":"update_config","isPrimacyOfImpact":null},{"id":"6qr6eEUmeq73uatS1wsCqX","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/admin/update_pool_status.rs","type":"smart_contract","addedAt":"2024-03-26T15:18:35.794Z","revision":1,"description":"update_pool_status","isPrimacyOfImpact":null},{"id":"7oBMrB0I7GDuydPQv2jnKL","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/deposit.rs","type":"smart_contract","addedAt":"2024-03-26T15:19:37.202Z","revision":1,"description":"deposit","isPrimacyOfImpact":null},{"id":"xezr8WBz4cKnEMtBzXvKx","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/initialize.rs","type":"smart_contract","addedAt":"2024-03-26T15:19:53.862Z","revision":1,"description":"initialize","isPrimacyOfImpact":null},{"id":"77iopYPA5b56jMaZDTVn4e","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/mod.rs","type":"smart_contract","addedAt":"2024-03-26T15:20:13.513Z","revision":1,"description":"instructions 
mod","isPrimacyOfImpact":null},{"id":"44GckWUDoq1ygzJR8WcQTl","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/swap_base_input.rs","type":"smart_contract","addedAt":"2024-03-26T15:20:32.631Z","revision":1,"description":"swap_base_input","isPrimacyOfImpact":null},{"id":"3Fj2O00Ieyon9tRwS27geA","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/swap_base_output.rs","type":"smart_contract","addedAt":"2024-03-26T15:20:47.890Z","revision":1,"description":"swap_base_output","isPrimacyOfImpact":null},{"id":"4X7Av9osMDTg536GW4Zf6X","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/instructions/withdraw.rs","type":"smart_contract","addedAt":"2024-03-26T15:21:02.988Z","revision":1,"description":"withdraw","isPrimacyOfImpact":null},{"id":"7BmvOTrpnZnVfbl8tpRaVf","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/states/config.rs","type":"smart_contract","addedAt":"2024-03-26T15:21:18.477Z","revision":1,"description":"config","isPrimacyOfImpact":null},{"id":"4HD220XTUCArMHhwg2KEgy","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/states/events.rs","type":"smart_contract","addedAt":"2024-03-26T15:21:32.996Z","revision":1,"description":"events","isPrimacyOfImpact":null},{"id":"336ldZC8KTOFBdSrlXPaLW","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/states/mod.rs","type":"smart_contract","addedAt":"2024-03-26T15:21:46.615Z","revision":1,"description":"states 
mod","isPrimacyOfImpact":null},{"id":"14cHdYCkKx2im2Ifxs4aNV","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/states/pool.rs","type":"smart_contract","addedAt":"2024-03-26T15:22:00.057Z","revision":1,"description":"pool","isPrimacyOfImpact":null},{"id":"7ms8PPYNKejCHeOz4cxRDS","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/utils/math.rs","type":"smart_contract","addedAt":"2024-03-26T15:22:12.952Z","revision":1,"description":"math","isPrimacyOfImpact":null},{"id":"6tZRLJc3awZk2WP8RFvdkN","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/utils/mod.rs","type":"smart_contract","addedAt":"2024-03-26T15:22:26.326Z","revision":1,"description":"utils mod","isPrimacyOfImpact":null},{"id":"6NZZCdfBzTUeG6yr8FPXB8","url":"https://github.com/raydium-io/raydium-cp-swap/blob/master/programs/cp-swap/src/utils/token.rs","type":"smart_contract","addedAt":"2024-03-26T15:22:40.029Z","revision":1,"description":"utils token","isPrimacyOfImpact":null}],"assetsBodyV2":"Documentation and instruction for PoC can be found here:\n- https://github.com/raydium-io/raydium-docs/blob/master/dev-resources/raydium-clmm-dev-doc.pdf\n\nA public testnet of Raydium’s CLMM can be found at [https://explorer.solana.com/address/proKtffCScMcwkFkPHFcuHawN7mWxRkhyh8PGxkTwYx.](https://explorer.solana.com/address/proKtffCScMcwkFkPHFcuHawN7mWxRkhyh8PGxkTwYx) However, note that testing on the public testnet is prohibited by the program rules. 
The public testnet is provided for reference only.\n\nDocumentation and instruction for PoC can be found here:\n- [Raydium Hybrid AMM overview document](https://drive.google.com/file/d/1VQINU3Lw92CU0p-fKAGyk7my_rO-gINF/view?usp=sharing)\n\nA public testnet of Raydium’s AMM can be found at [https://explorer.solana.com/address/AMMjRTfWhP73x9fM6jdoXRfgFJXR97NFRkV8fYJUrnLE.](https://explorer.solana.com/address/proKtffCScMcwkFkPHFcuHawN7mWxRkhyh8PGxkTwYx) \n\nA public testnet of OpenBook’s Central Limit Order Book can be found at [https://explorer.solana.com/address/EoTcMgcDRTJVZDMZWBoU6rhYHZfkNTVEAfz3uUJRcYGj](https://explorer.solana.com/address/proKtffCScMcwkFkPHFcuHawN7mWxRkhyh8PGxkTwYx) \n\nHowever, note that testing on the public testnet is prohibited by the program rules. The public testnet is provided for reference only.\n\nDocumentation and instruction for PoC can be found here:\n- TODO\n\nA public testnet of Raydium’s AMM can be found at [https://explorer.solana.com/address/CPMDWBwJDtYax9qW7AyRuVC19Cc4L4Vcy4n2BHAbHkCW?cluster=devnet](https://explorer.solana.com/address/CPMDWBwJDtYax9qW7AyRuVC19Cc4L4Vcy4n2BHAbHkCW?cluster=devnet).\n\nIf a Critical Impact can be caused to any other asset managed by Raydium that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project. 
This only applies to Critical impacts.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Solana"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust"],"launchDate":"2023-04-25T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4X5hbah3bOvGiEZIPrFmeW/30eb4e2d5a47c3eca8d10b3fcff3ee7c/Raydium_logo.jpeg","maxBounty":505000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["AMM"],"programOverview":"Raydium is an automated market maker (AMM) built on the Solana blockchain which leverages a central limit order book to enable lightning-fast trades, shared liquidity and new features for earning yield.\n\nFor more information about Raydium, please visit [https://raydium.io/.](https://raydium.io/)","programType":["Smart Contract"],"project":"Raydium","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [ Immunefi Vulnerability Severity Classification System V2.3.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/) This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. \n\nAll bug reports must include a Proof of Concept (PoC) demonstrating how the vulnerability can be exploited to impact an asset-in-scope to be eligible for a reward. 
Critical and High severity bug reports should also include a suggestion for a fix. Explanations and statements are not accepted as PoC and code is required.\n\nRewards for critical smart contract bug reports will be further capped at __10%__ of direct funds at risk if the bug discovered is exploited. However, there is a minimum reward of __USD 50 000__.\n\nThe following vulnerabilities are not eligible for a reward:\n\n- For the CLMM contract, vulnerabilities marked in the [Ottersec security review](https://drive.google.com/file/d/1d9SiGarziu9TgPKO_6sAG8odr2qBdMO0/view?usp=share_link) are not eligible for a reward. For the Hybrid AMM program, vulnerabilities marked in the [Kudelski security review](https://drive.google.com/file/d/1q_2NpwlQmEGfMXQ7w8l6U5XjT2AqOWlC/view?usp=sharing), [Ottersec security review](https://drive.google.com/file/d/1hxFVIRgNEcCqr02yQMwTpHMQUM3LTt5g/view?usp=sharing), and [MadShield security review](https://drive.google.com/file/d/1GVDUrKziNJ9Ut8ewO7vCtqFem2MaVAjH/view) are not eligible for a reward. \n- The CLMM contract emits trading fee and farming yield tokens to LPs. If tokens from the vault or fees were drained by an attacker however, users would not be able to claim yield and transactions would fail. This is by design and not a vulnerability.\n\nPayouts are handled by the __Raydium__ team directly and are denominated in USD. 
However, payouts are done in __RAY__, __SOL__ or __USDC__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"RAY, SOL, USDC","slug":"raydium","updatedDate":"2024-10-26T18:28:25.269Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Raydium is an automated market maker (AMM) built on the Solana blockchain which leverages a central limit order book to enable lightning-fast trades, shared liquidity and new features for earning yield.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":4157,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for any amount of time"},{"id":4158,"type":"smart_contract","severity":"high","title":"Vulnerabilities that could freeze user funds temporarily or intentionally alter the value of user funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":4159,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":4160,"type":"smart_contract","severity":"critical","title":"Vulnerabilities that could freeze user funds permanently or involve the draining or theft of funds without user transaction approval"}],"rewards":[{"id":5181,"severity":"high","assetType":"smart_contract","fixedReward":40000,"rewardModel":"fixed"},{"id":5182,"severity":"medium","assetType":"smart_contract","fixedReward":5000,"rewardModel":"fixed"},{"id":8205,"severity":"critical","assetType":"smart_contract","maxReward":505000,"minReward":50000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"4SwcZCeriz4PWWjQONvi3K","url":"https://arbiscan.io/address/0xFD513630F697A9C1731F196185fb9ebA6eAAc20B#code","type":"smart_contract","addedAt":"2024-03-24T18:45:53.984Z","revision":1,"description":"GammaPoolFactory","isPrimacyOfImpact":null},{"id":"3Ox23tOtSzukc5mad4JgTz","url":"https://arbiscan.io/address/0xf6152b6699C085f1063bAa27A08d5F074AB84aa6#code","type":"smart_contract","addedAt":"2024-03-24T18:46:07.930Z","revision":5,"description":"PositionManager","isPrimacyOfImpact":null},{"id":"jkYuZepVB0WECzSZmAjAg","url":"https://arbiscan.io/address/0x323B9F30b2969877F21142dDbE80e249B33163b8#code","type":"smart_contract","addedAt":"2024-03-24T18:46:22.325Z","revision":5,"description":"CPMMShortStrategy","isPrimacyOfImpact":null},{"id":"4Ta86OXVbHWOIibUbqZNHH","url":"https://arbiscan.io/address/0xAB17ba9c6a7162d207040c08119e8eFd4959Cf37#code","type":"smart_contract","addedAt":"2024-03-24T18:46:36.071Z","revision":5,"description
":"CPMMRepayStrategy","isPrimacyOfImpact":null},{"id":"1kd7Caw2SDlwtc7k7xwM88","url":"https://arbiscan.io/address/0x6C223e3Dc9A1b2dBadcD96eF39DeAe1e42103413#code","type":"smart_contract","addedAt":"2024-03-24T18:46:53.503Z","revision":3,"description":"CPMMMath","isPrimacyOfImpact":null},{"id":"5M2E8CJ85SbevVScVoMuw3","url":"https://arbiscan.io/address/0xcc6d1FA8b3f14fE068a6bd62053f2545BAC2Daa1#code","type":"smart_contract","addedAt":"2024-03-24T18:47:07.859Z","revision":5,"description":"CPMMLiquidationStrategy","isPrimacyOfImpact":null},{"id":"1dnypzEbAX1eqeIgMkcsDX","url":"https://arbiscan.io/address/0x1872Eb67E78E593D8e9865C51B6359eF4e0B6eFB#code","type":"smart_contract","addedAt":"2024-03-24T18:47:23.287Z","revision":5,"description":"CPMMGammaPool","isPrimacyOfImpact":null},{"id":"5CvhZX96jmrEqk1kRWYltX","url":"https://arbiscan.io/address/0x1C6a8034BA8AC200a0bddB30B5A688808862416C#code","type":"smart_contract","addedAt":"2024-03-24T18:47:37.624Z","revision":5,"description":"CPMMExternalRebalanceStrategy","isPrimacyOfImpact":null},{"id":"2X1Z7bnkMtVSkc7chGQSFZ","url":"https://arbiscan.io/address/0xa22b989C02fC186E24f7135f6f7E061682176426#code","type":"smart_contract","addedAt":"2024-03-24T18:47:51.824Z","revision":5,"description":"CPMMExternalLiquidationStrategy","isPrimacyOfImpact":null},{"id":"2aIIgATTkans24bFSY9BNp","url":"https://arbiscan.io/address/0xc2f0848acCb5f24862e9dC1089DFf7bd79Ff2966#code","type":"smart_contract","addedAt":"2024-03-24T18:48:05.734Z","revision":5,"description":"CPMMBorrowStrategy","isPrimacyOfImpact":null},{"id":"3TMHxIWNowHJeC7GWKDYFC","url":"https://arbiscan.io/address/0xFfc9fFDe7DB2C858f57F8cA356aF3f1E00dEf440#code","type":"smart_contract","addedAt":"2024-03-24T18:48:19.954Z","revision":5,"description":"CPMMBatchLiquidationStrategy","isPrimacyOfImpact":null},{"id":"7HGKnv71uwHHHVs2F4qTVw","url":"https://arbiscan.io/address/0xCb85E1222f715a81b8edaeB73b28182fa37cffA8#code","type":"smart_contract","addedAt":"2024-03-24T18:48:34.279Z","r
evision":1,"description":"DeltaSwapFactory","isPrimacyOfImpact":null},{"id":"6kPBhBGVFb8FNlUoyHdadT","url":"https://arbiscan.io/address/0x5FbE219e88f6c6F214Ce6f5B1fcAa0294F31aE1b#code","type":"smart_contract","addedAt":"2024-03-24T18:48:48.313Z","revision":1,"description":"DeltaSwapRouter02","isPrimacyOfImpact":null},{"id":"4vfIKSoBm6L0ZWa0mOc5Xw","url":"https://arbiscan.io/address/0x755F72D7F22eFaeD6E00E589a8C7bD95A666fEF0#code","type":"smart_contract","addedAt":"2024-03-24T18:49:06.959Z","revision":1,"description":"DeltaSwapPair","isPrimacyOfImpact":null},{"id":"6aeyw0usB6YIp29cKOaG1G","url":"https://arbiscan.io/address/0x63c531ffed7e17f8adca4ed490837838f6fa1b66#code","type":"smart_contract","addedAt":"2024-03-24T18:49:20.797Z","revision":1,"description":"MinimalBeaconProxy","isPrimacyOfImpact":null},{"id":"3Z7p7zw889iuwrb3kkOHCs","url":"https://arbiscan.io/address/0xad64702F5556Bf897d4BA30Cc8e6e54891095cCC#code","type":"smart_contract","addedAt":"2024-03-24T18:49:34.401Z","revision":1,"description":"LockableMinimalBeacon","isPrimacyOfImpact":null},{"id":"Vqbyq04f4O036LokK4PMn","url":"https://arbiscan.io/address/0xc58221784f53b09f5ca2fa2d575e7a0f9af24ae4#code","type":"smart_contract","addedAt":"2024-05-28T15:02:05.922Z","revision":2,"description":"StakingRouter","isPrimacyOfImpact":null},{"id":"4o9W0AGpgmYo08j3py3qzY","url":"https://arbiscan.io/address/0xd04FBe195Be1313fc816D59E3c457eb6e0aD4088#code","type":"smart_contract","addedAt":"2024-05-28T15:02:21.940Z","revision":2,"description":"RewardTracker","isPrimacyOfImpact":null},{"id":"17ltqDTrpBLhVXr6j8w8fc","url":"https://arbiscan.io/address/0x57e4Cc794949FaA564521352f816dd13B14227C8#code","type":"smart_contract","addedAt":"2024-05-28T15:02:33.462Z","revision":2,"description":"RewardDistributor","isPrimacyOfImpact":null},{"id":"5BIE38WHqkk6KbIt7Mwh2a","url":"https://arbiscan.io/address/0xC4993bf95fB30E5930C7Dc73604829993bb51243#code","type":"smart_contract","addedAt":"2024-05-28T15:02:45.698Z","revision":2,"descr
iption":"Vester","isPrimacyOfImpact":null},{"id":"uWPzWV7d7sO9sNnaafs7R","url":"https://arbiscan.io/address/0x3dc7860deba77aa3a49b4d65c056156012067477#code","type":"smart_contract","addedAt":"2024-05-28T15:02:57.458Z","revision":1,"description":"BeaconProxyFactory","isPrimacyOfImpact":null},{"id":"1rCY320t8EuWdXHPTlCdML","url":"https://arbiscan.io/address/0x878269d2ee6417edcdc030961618cc5259229367#code","type":"smart_contract","addedAt":"2024-08-06T09:31:57.871Z","revision":1,"description":"BonusDistributor","isPrimacyOfImpact":null},{"id":"12jWCj42y97W3bLo6BJoIl","url":"https://arbiscan.io/address/0xc964d02f1c11e1bb1156e7c270687d6080661e9c#code","type":"smart_contract","addedAt":"2024-08-06T09:32:21.762Z","revision":2,"description":"FeeTracker","isPrimacyOfImpact":null},{"id":"45QsCE2RultHftUgA2d81u","url":"https://arbiscan.io/address/0xb08d8becab1bf76a9ce3d2d5fa946f65ec1d3e83#code","type":"smart_contract","addedAt":"2024-09-02T13:47:03.951Z","revision":1,"description":"GSTimelockController","isPrimacyOfImpact":null},{"id":"6G51gpaBG2uMswQg67qiOM","url":"https://arbiscan.io/address/0x3f7cf127bf565d3dba9cb3e69a76b1347ac673f8#code","type":"smart_contract","addedAt":"2024-09-02T13:47:18.644Z","revision":1,"description":"GS","isPrimacyOfImpact":null},{"id":"2h6Ecj17TI1XA7xSDFXnal","url":"https://arbiscan.io/address/0x4c02a44be2f9e808bd0728b2e52c616138180f98#code","type":"smart_contract","addedAt":"2024-09-13T06:03:37.937Z","revision":1,"description":"Airdrop","isPrimacyOfImpact":null}],"assetsBodyV2":"All code of GammaSwap can be found at [https://github.com/gammaswap.](https://github.com/gammaswap) Documentation for the assets provided in the table can be found at [https://sneaky-nigella-b2d.notion.site/GammaSwap-Architecture-Overview-5c0eb0f7c92d41009cca81c995b8cb8e](https://sneaky-nigella-b2d.notion.site/GammaSwap-Architecture-Overview-5c0eb0f7c92d41009cca81c995b8cb8e)  \n\nOther helpful links include:\n- Attack Vectors & Countermeasures - 
[https://sneaky-nigella-b2d.notion.site/Attack-Vectors-Countermeasures-6e651c8e15484c539909a56d1ea41dba](https://sneaky-nigella-b2d.notion.site/Attack-Vectors-Countermeasures-6e651c8e15484c539909a56d1ea41dba)\n- Flash Loan CFMM Fee Liquidation Attack - [https://sneaky-nigella-b2d.notion.site/Flash-Loan-CFMM-Fee-Liquidation-Attack-7001d6004f7c452d884d6ae17fd311d7](https://sneaky-nigella-b2d.notion.site/Flash-Loan-CFMM-Fee-Liquidation-Attack-7001d6004f7c452d884d6ae17fd311d7)\n- Rebalance Formulas - [https://sneaky-nigella-b2d.notion.site/Rebalance-Formulas-20096ccac7684315b8c88a26337c891a ](https://sneaky-nigella-b2d.notion.site/Rebalance-Formulas-20096ccac7684315b8c88a26337c891a)\n- Interest Rate Formula - [https://sneaky-nigella-b2d.notion.site/Interest-Rate-d2c06c248f454dd4856c43079f257fb7?pvs=4 ](https://sneaky-nigella-b2d.notion.site/Interest-Rate-d2c06c248f454dd4856c43079f257fb7?pvs=4)\n- Loan to Value Ratio (How debt collateralization is calculated) - [https://sneaky-nigella-b2d.notion.site/LTV-Ratio-2e5f873eb4eb4d8cbf1439c640dd3ffc](https://sneaky-nigella-b2d.notion.site/LTV-Ratio-2e5f873eb4eb4d8cbf1439c640dd3ffc)\n- Dynamic Origination Fee Logic - [https://sneaky-nigella-b2d.notion.site/Dynamic-Origination-Fee-1b0e7c98b5144ac4b9ee76dde18402c7](https://sneaky-nigella-b2d.notion.site/Dynamic-Origination-Fee-1b0e7c98b5144ac4b9ee76dde18402c7)\n- Transfer Fees Attack Discovered on October 2023 - https://medium.com/gammaswap-labs/immunefi-bug-report-analysis-contract-re-deployment-283cbdfa0beb\n- General Protocol Description - https://medium.com/gammaswap-labs/gammaswap-protocol-6a4430e4b0ad\n- Staking Contracts Documentation - 
https://docs.google.com/presentation/d/1uUCY6km1kriJ7r6x88FiZnz9RjSxZaeBt29cdwySSb4/edit#slide=id.p","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2023-09-29T20:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/139C1UQUOpAxZQpCgPNSbP/8b72b96955637df0c288dea8cb2e7602/GammaSwap_logo.png","maxBounty":40000,"outOfScopeAndRules":".","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["AMM","DEX","Derivatives","Lending","Options","Perpetuals"],"programOverview":"GammaSwap is a decentralized exchange enabling anyone to borrow liquidity from any AMM pool, oracle free. This contract is for UniV2 style AMMs but GammaSwap will support Balancer weighted pools in the future.There are two participants in the GammaSwap ecosystem: Liquidity Providers and Borrowers.\n\nFor more information about GammaSwap, please visit [https://gammaswap.com/.](https://gammaswap.com/)  \n\nGammaSwap provides rewards in USDC. For more details about the payment process, please view the Rewards by Threat Level section further below.  \n\n\n__Primacy of Impact vs Primacy of Rules__\n\nGammaSwap adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.\n\n\n__Invoicing Information__\n\nIf needed by the security researcher, GammaSwap is able to provide the necessary information for the proper issuance of an invoice. 
This includes:\n- Legal Entity Name\n- Registered Address","programType":["Smart Contract"],"project":"GammaSwap","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. \n\n__Reward Calculation for Critical Level Reports__\n\nFor critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 40,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 15,000 is to be rewarded in order to incentivize security researchers against withholding a bug report.   \n\n__Repeatable Attack Limitations__\n\nIn cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.\n\n__Reward Calculation for High Level Reports__\n\nHigh smart contract vulnerabilities will be capped at up to 100% of the funds affected. There is a minimum reward of __$5,000 USD__. In the event of temporary freezing, the reward doubles for every additional  5  blocks that the funds or NFTs could be temporarily frozen, rounded down to the nearest multiple of 5, up to the hard cap of USD 10,000.  \n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs acknowledged below are not eligible for any reward through the bug bounty program. \n- (Fail promised returns) Arbitrum block number mismatch with mainnet means that the next mainnet block update in arbitrum is usually 4 numbers higher than the previous one because Arbitrum syncs with mainnet every 1 minute. So a loan can be opened and closed in that timeframe to avoid paying an interest rate. However, they will still pay an origination fee.\n- (Fail promised returns) We say GammaSwap performs as good or better than the undeerlying CFMM. 
However, it is possible for the CFMM to outperform GammaSwap. GammaSwap’s yield is capped at 250% and the return calculated as an annualized value from the yield since the last update. Therefore, if there are many transactions or one really large transaction in the CFMM and subsequently one in GammaSwap soon after so that the annualized yield of the CFMM during that period (calculated by GammaSwap) is greater than 250% then the CFMM will outperform GammaSwap because GammaSwap’s rates are capped at 250%. This means how much a GS LP token represents in CFMM LP tokens would decrease after that update. However, over a longer period since CFMM’s fees don’t sustain that level of activity constantly, such event is short lived and GammaSwap will outperform the CFMM. \n- (Fail promised returns) Protocol fees in the CFMM can make the cfmm fee index be less than 1. This can make the value of the liquidity of GS LP token holders seem greater than it really is before the protocol fee in the CFMM is charged. The CFMM protocol fees in UniswapV2 and its forks are charged during the call of the mint() and burn() functions. Therefore, they always update to accurate values after transactions in GammaSwap that call the mint and burn functions of the CFMM (borrow, repay, liquidate, depositReserves, withdrawReserves). This does not create a benefit to anyone, other than the illusion that the returns (to liquidity suppliers) and expenses (to liquidity borrowers) are greater than they really are prior to the payment of accrued protocol fees. A calculation of the returns or costs after the protocol fee is paid is always accurate.\n- (Fail promised returns) Borrowing more liquidity has to be done in increments of the minBorrow amount. If minBorrow amount is of significant size then there’s not much granularity in borrowing liquidity. 
It doesn’t affect returns in the platform but it does affect the ease of use of the platform.\n- (Fail promised returns) Long volatility buyers (liquidity borrowers) may show a large profit but when deciding to close their positions to cash in, their profits may be smaller than they expected. The reason is because rebalancing the collateral to repay liquidity debt can have substantial market impact that diminishes their profits. However, this does not create protocol insolvency. The positions are always capable of repaying the liquidity debts as long as they are overcollateralized enough to recover the liquidity borrowed and pay the trading fees in the CFMM to rebalance the collateral.\n- (Fail promised returns, Temporary Freezing of Funds) A user may choose to LP into GammaSwap to become most of the liquidity deposited in the pool. Then borrow most of the liquidity in the pool at a relatively low origination fee. At last he may withdraw enough liquidity that he has LPed to leave the pool locked so nobody else can withdraw and spike up interest rates to 250%. This attack only affects liquidity borrowers, benefits LPs with high yields (although prevents them from withdrawing), and it’s a net cost to the attacker because 10% of the yield LPs receive goes to the protocol, and the attacker is paying most of this yield through interest in his large loan, while not receiving back 100% of the yield he earned. Liquidation rewards on undercollateralized loans are set at 25basis points of the collateral. So the attack may be worth it in some rare instances where there are enough loans close to liquidation that the attacker feels confident in being able to liquidate to cover his losses for spiking interest rates. However, the high rates may attract other LPs to provide liquidity, decreasing the time to liquidation of at risk loans. Also if these at risk loans are closed by their owners before the become undercollateralized then it is a loss to the attacker. 
Undercollateralization doesn’t mean bad debt in this case either. The current parameters leave a buffer of 50 basis points before reaching a bad debt scenario. That’s about 17.5 hours before a loan becomes bad debt at a constant interest rate of 250%.\n- (Fail promised returns) A block stuffing attack may be performed to prevent liquidation transactions, until a GammaPool starts accruing bad debt. Such an attack is of no benefit to the attacker, given that the cost to liquidate is currently 10 cents on Arbitrum while the fee reward is multiples higher. The attacker would have to spike up the fees many times for a sustained period of time to make the attack successful. It is unlikely to be economically viable for long periods of time.\n- (Fail promised returns) Since GammaPools track the liquidity of each loan as well as the sum of that whole liquidity as two separate numbers that compound separately using the same index, mismatches may arise due to rounding issues that can accrue over time. The effect only affects the last person closing a loan. The result is that the payment of the last loan causes a write down, even if not undercollateralized, so that LPs do not earn the amount it was calculated they earned. The last person closing the loan is also not charged any more than he was already aware he owed. These rounding differences however are so small and accrue at such a slow rate (e.g. grow by 1x10^-17 per day) that they are unlikely to become a problem within any realistic timeframe.\n- (Fail promised returns) Since Solidity does not have native support for decimals or square root formulas, some of the rebalancing calculations may be off a bit due to rounding issues again, and liquidity borrowers may get slightly different results from what they expect during rebalancing or closing of their positions. 
The rounding differences however are usually seen at levels much less than a basis point, so they’re usually expected to be very small and more prevalent in tokens that have fewer decimals, such as USDC and USDT which only use 6 decimals. But even in these scenarios the rounding errors lead to differences in outcome of around a couple of basis points.\n- (Fail promised returns) The LP token can be inflated away (e.g. through donations to the CFMM as in UniswapV2 and clones). When this happens it may change the actual reserve tokens a GS LP token represents due to rounding issues. This can lead to gains and losses to different LPs and borrowers. The effects are expected to be small except in early periods when a pool is first created.\n- (Fail promised returns) Liquidations can lead to the loss of the entire profit of a loan under certain conditions, especially the more profitable a position is, through CFMM price manipulation. Therefore, borrowers should always try to close their positions and not rely on liquidators to close their positions for them. However, this does not lead to losses of LP funds. Since liquidation is an undesirable outcome for a loan, the loss to profitable borrowers is not considered an issue.\n- (Fail promised returns) The code of the assets in scope for GammaPools, PositionManager, and Staking contracts consists of implementation contracts. Therefore, the implementation contracts may have security weaknesses, such as being uninitialized or initialized improperly. Those security issues are not part of this bounty. What is relevant is whether the proxy contracts that use those implementation contracts have security weaknesses using the current implementation contracts. In addition, proxy contracts might have been initialized with previous implementation contracts and therefore the initialization logic of the current implementation contracts may not be relevant anymore if a proxy contract can’t be initialized again. 
However, if a proxy contract is expected to be created again using the same implementation contract, as in the case of GammaPools for new pairs, or new staking pools, then initialization issues with the current implementation contract are relevant to this bounty.\n- (Fail promised returns) The code regarding staking for loans in the staking contracts is not part of this bounty unless it could affect the staking contracts for LP tokens. The reason is that we don’t plan to use the staking contracts for loan staking anymore. So there will not be any staking pools for loans. We will only create staking pools for LP tokens.\n- (Fail promised returns) The liquidityEMA and related parameters in DeltaSwap can be manipulated to help a token swapper avoid paying a transaction fee. This, however, is no longer relevant since DeltaSwap’s parameters are now set to always charge a trading fee, and the GammaPool interest rate model depends on DeltaSwap always paying a trading fee. Therefore, we would never change this logic to not charge a trading fee.\n\n\n__Previous Audits__\n\nGammaSwap has provided these completed audit review reports for reference. 
Any unfixed vulnerability mentioned in these reports is not eligible for a reward.\n- [GammaSwap_Labs_Core_Strategies_and_Periphery_Smart_Contract_Security_Audit_Report_Halborn_Final.pdf](https://drive.google.com/file/d/1ZT1oaNxvXG1NoQWEhJHhq3OkBd16nGth/view?usp=sharing)\n- [GammaSwap Balancer Implementation - Zellic Audit Report March 14, 2023.pdf](https://drive.google.com/file/d/1RSi1IXCQt2FqK8qL6wn1ojDR2uQcJWS0/view?usp=sharing)\n- [GammaSwap Strategies - Zellic Audit Report March 27, 2023.pdf](https://drive.google.com/file/d/1tjRZwX7vApS2SALbnrZYRQ-gASM2YzNs/view?usp=sharing)\n- [GammaSwap - Zellic Audit Report June 5, 2023.pdf](https://drive.google.com/file/d/18pgiYsO3GM2fDAPtgnkQ126LdLuAuNnD/view?usp=sharing)\n- [GammaSwap - Zellic Audit Report August 24, 2023.pdf](https://drive.google.com/file/d/1kBpi-jYXHlSgjM3LlnOKiySrNfKU4euf/view?usp=sharing)\n- [Deltaswap - Zellic Audit Report.pdf](https://drive.google.com/file/d/1QfEbGNTNHkRRjZkeSXuyTJfF9dvMlucF/view)\n- [Staking - Zellic Audit Report.pdf](https://drive.google.com/file/d/1e8AiZasbViKVDsiwSHyQklG2OyOon2lF/view?pli=1)\n\n__Proof of Concept (PoC) Requirements__\n\nA PoC is required for the following severity levels:\n- Smart Contract, Critical Severity Level\n- Smart Contract, High Severity Level\n\nAll PoCs submitted must comply with the Immunefi-wide [PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules) Bug report submissions without a PoC when a PoC is required will not be provided with a reward.\n\n__Reward Payment Terms__\n\nPayouts are handled by the GammaSwap team directly and are denominated in USD. 
However, payments are done in USDC.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"gammaswap","updatedDate":"2024-10-24T09:23:09.463Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":"category_2","description":"GammaSwap is a decentralized exchange enabling anyone to borrow liquidity from any AMM pool, oracle free. This contract is for UniV2 style AMMs but GammaSwap will support Balancer weighted pools in the future.There are two participants in the GammaSwap ecosystem: Liquidity Providers and Borrowers.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice recommendations\n- Impact in UniswapV2 code for DeltaSwap fork (Unless such code was materially changed by GammaSwap or used by the GammaSwap contracts)\n- Impacts affecting only the state of implementation contracts\n- Impacts affecting the value of parameters used to determine whether DeltaSwap will charge a trading fee or not (e.g. liquidityEMA, liquidityTradedEMA, etc.) 
Because DeltaSwap is set up to always charge a trading fee and the current GammaPool implementation requires that it must always charge a trading fee.\n- GS, GSTimelockController, and Staking contracts are only eligible for at most high severity level rewards.\n- Airdrop contract is not eligible for medium level bugs.","customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":4481,"type":"smart_contract","severity":"medium","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"id":4889,"severity":"high","assetType":"smart_contract","maxReward":10000,"minReward":5000,"rewardModel":"range"},{"id":4890,"severity":"medium","assetType":"smart_contract","fixedReward":2000,"rewardModel":"fixed"},{"id":8189,"severity":"critical","assetType":"smart_contract","maxReward":40000,"minReward":15000,"rewardModel":"range"}],"audits":[]},{"assets":[{"id":"23yCbHOGYrxKvkNSztVWOa","url":"https://etherscan.io/address/0x5E362eb2c0706Bd1d134689eC75176018385430B","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"Vault.sol - 454","isPrimacyOfImpact":null},{"id":"q3lLyVMYaonqKePHxKlhP","url":"https://etherscan.io/address/0xDee41701310f48744e6Bb4A5df6B5e714cE49133","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"VaultConfigurator.sol - 
365","isPrimacyOfImpact":null},{"id":"5OCdP4dMWEr1mqVPCcapd5","url":"https://etherscan.io/address/0x2c73350310C2b8c721d8192bd7620D1DCB1219ce","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"ERC20TvlModule.sol - 15","isPrimacyOfImpact":null},{"id":"BIY6YMMGAAzjoFPQ4fPnq","url":"https://etherscan.io/address/0xD570E16E3B62F05EcF3ff2706D331B7f56453adA","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"StakingModule.sol - 77","isPrimacyOfImpact":null},{"id":"5cWwPylbzrgXVmsazNCDTA","url":"https://etherscan.io/address/0x39D5F9aEbBEcba99ED5d707b11d790387B5acB63","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"ChainlinkOracle.sol - 65","isPrimacyOfImpact":null},{"id":"5mwU9clLROwJxWxdGvfysD","url":"https://etherscan.io/address/0x278798AE6ea76ae75b381eA0D8DF140C1D5a7712","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"ConstantAggregatorV3.sol - 12","isPrimacyOfImpact":null},{"id":"3OXR7bqfEvos1ve2MQb379","url":"https://etherscan.io/address/0xFeAFe509fae65962EF81555E3f078D58aF7ca3e9","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"ManagedRatiosOracle.sol - 30","isPrimacyOfImpact":null},{"id":"5H9PQ136eiMdCwjQNYiKTF","url":"https://etherscan.io/address/0x966a3b1c9d477D113630290F037b12349649d1bd","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"WStethRatiosAggregatorV3.sol - 16","isPrimacyOfImpact":null},{"id":"ASYY3XVs6xLUY9YowUaG6","url":"https://etherscan.io/address/0xB8eF363E1909665c18BF0CB72Cba9a8152413A2E","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"DefaultProxyImplementation.sol - 
12","isPrimacyOfImpact":null},{"id":"3eS1XVprwR30Ycb1h5ho1W","url":"https://etherscan.io/address/0x969A0c7699ad0AC38fE05117c81D662762443E07","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"Initializer.sol - 25","isPrimacyOfImpact":null},{"id":"5Fxt66y8e5O71Kf4KPnubP","url":"https://etherscan.io/address/0x078b1C03d14652bfeeDFadf7985fdf2D8a2e8108","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"SimpleDVTStakingStrategy.sol - 57","isPrimacyOfImpact":null},{"id":"12VlLYmWIdBgnvqA69I3ko","url":"https://etherscan.io/address/0xA1b3a352c3fC7cfcBD36381CC2D0b157d6843473","type":"smart_contract","addedAt":"2024-08-15T12:00:00.000Z","revision":1,"description":"ManagedValidator.sol - 96","isPrimacyOfImpact":null}],"assetsBodyV2":"Mellow Vault code commit: [https://github.com/mellow-finance/mellow-lrt/commit/1c885ad9a2964ca88ad3e59c3a7411fc0059aa3](https://github.com/mellow-finance/mellow-lrt/commit/1c885ad9a2964ca88ad3e59c3a7411fc0059aa3)\n\n__Whitehat Educational Resources & Technical Info__\n\n**Documentation & Resources**\n\n- [https://mellowprotocol.notion.site/Decentralized-Validator-Vault-a1ab952ae0a6499dbedfc45278aba5c5?pvs=74](https://mellowprotocol.notion.site/Decentralized-Validator-Vault-a1ab952ae0a6499dbedfc45278aba5c5?pvs=74) \n- [https://docs.mellow.finance/mellow-lrt-lst-primitive/dvsteth-vault-overview](https://docs.mellow.finance/mellow-lrt-lst-primitive/dvsteth-vault-overview)\n- [https://docs.mellow.finance/mellow-lrt-lst-primitive/contract-deployments#dvsteth-vault](https://docs.mellow.finance/mellow-lrt-lst-primitive/contract-deployments#dvsteth-vault)\n- [https://docs.mellow.finance/mellow-lrt-lst-primitive/user-tutorials](https://docs.mellow.finance/mellow-lrt-lst-primitive/user-tutorials)\n- [https://docs.mellow.finance/mellow-lrt-lst-primitive/security](https://docs.mellow.finance/mellow-lrt-lst-primitive/security)\n- 
[https://docs.mellow.finance/mellow-lrt-lst-primitive/lrt-contracts](https://docs.mellow.finance/mellow-lrt-lst-primitive/lrt-contracts)\n- Mellow DVT Vault Audit Competition scope: [https://hackmd.io/@lido/BkTgoRz90](https://hackmd.io/@lido/BkTgoRz90)\n- Lido docs: [https://docs.lido.fi/](https://docs.lido.fi/)\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nNo, it’s a new Mellow project.\n\n**Where do you suspect there may be bugs?**\n\nMost important parts: SimpleDVTStakingStrategy and deposit and withdraw flows, ACLs and ManagedValidator. \nInvariants: LP token price in ETH is strictly not decreasing.\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\nDeposits and withdrawals support only ERC20 tokens. The system can internally use rebasing tokens such as stETH. \nTokens used: wstETH, stETH and wETH \n\n**What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?**\n\nPossible actions:\nDisable deposits (Enable deposit locks)\n\n**What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?**\n\nTrusted actors:\n- VaultAdmin: 0x9437B2a8cF3b69D782a61f9814baAbc172f72003 (Lido+Mellow multisig)\n- ProxyVaultAdmin: 0x81698f87C6482bF1ce9bFcfC0F103C4A0Adf0Af0 (Lido+Mellow multisig; ProxyVaultAdmin can change the vault implementation.)\n- CuratorAdmin: 0x2E93913A796a6C6b2bB76F41690E78a2E206Be54 (Steakhouse multisig)\n- CuratorOperator: 0x2afc096981c2CFe3501bE4054160048718F6C0C8 (Steakhouse EOA)\n\n**What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?**\n\nTrusted actors:\n- VaultAdmin: 0x9437B2a8cF3b69D782a61f9814baAbc172f72003 (Lido+Mellow multisig)\n- ProxyVaultAdmin: 0x81698f87C6482bF1ce9bFcfC0F103C4A0Adf0Af0 (Lido+Mellow 
multisig (ProxyVaultAdmin can change the vault implementation.))\n- CuratorAdmin: 0x2E93913A796a6C6b2bB76F41690E78a2E206Be54 (Steakhouse multisig)\n- CuratorOperator: 0x2afc096981c2CFe3501bE4054160048718F6C0C8 (Steakhouse EOA)\n\n**What external dependencies are there?**\n\nOpen Zeppelin 5.0.2, Lido\n\n**Where might whitehats confuse out-of-scope code to be in-scope?**\n\nLido contracts\n\n**Are there any unusual points about your protocol that may confuse whitehats?**\n\nIn emergency withdrawal we calculate amounts based on ERC20 balances of tokens and not based on baseTvl function (Vault) return values\n\n**Which chains are the smart contracts going to be deployed to?**\n\nEthereum Mainnet \nDocs: [https://docs.mellow.finance/mellow-lrt-lst-primitive/contract-deployments#dvsteth-vault](https://docs.mellow.finance/mellow-lrt-lst-primitive/contract-deployments#dvsteth-vault)\n\n**What is the test suite setup information?**\n\n[https://github.com/mellow-finance/mellow-lrt/tree/fixes/audit-sherlock-fixes/tests/obol](https://github.com/mellow-finance/mellow-lrt/tree/fixes/audit-sherlock-fixes/tests/obol)\n\n**Public Disclosure of Known Issues**\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n- From Sherlock contest:\n      - We consider the price of 1 steth == 1 eth.\n      - In emergencyWithdraw, we process withdrawals not through the values from baseTvl but through regular ERC20 balances (this is a design decision).\n      - In the SimpleDVTStakingStrategy, the convertAndDeposit function can be front-run by anyone.\n\n- From ChainSecurity:\n      - The StakingModule may not deposit into the Simple DVT module (due to MinFirstAllocationStrategy in Lido).\n      - Emergency withdrawal (the same second point from Sherlock).\n      - All updates of important parameters can be front-run (this is 5.6 from ChainSecurity).\n\n**Previous Audits**\n\nMellow’s completed audit reports can be found at [https://github.com/mellow-finance/mellow-lrt/tree/fixes/audit-sherlock-fixes/audits](https://github.com/mellow-finance/mellow-lrt/tree/fixes/audit-sherlock-fixes/audits). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.\n\n__Asset In Scope Policies__\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n**Known Issue Assurance**\n\nLido commits to providing Known Issue Assurance to bug submissions through their program. This means that Lido will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. 
Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n**Primacy of Impact vs Primacy of Rules**\n\nLido adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.","boostedIntroEvaluating":"","boostedIntroFinished":"All paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main)","boostedIntroLive":"","boostedIntroStartingIn":"$100,000 USD in rewards is available for finding bugs on Mellow Decentralized Validator Vault.\n\nThe Decentralized Validator Vault, developed by Mellow, will be utilized to direct net-new stake to the Lido Simple DVT Module, furthering the decentralization of validators using the Lido protocol. The vault will empower solo and community stakers to run more validators via Lido along with professional node operators.\n\nStakers in the vault will receive points from the two major DVT providers, Obol & SSV Network, as well as points from Mellow. 
In addition, by staking in the vault, users will also hold a wstETH position within the vault, represented by an LP token.\n\nNo KYC is required.\n\nAny technical questions can be asked directly to the Mellow-Lido technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"lido-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nA few days after the launch, Mellow & Lido will give a live technical walkthrough.","boostedLeaderboard":[{"high":0,"name":"marchev","critical":0,"earnings":1500,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1L1OK7_NmMl8IRaViao8JEjY1gTVPSPvK/view?usp=sharing","ecosystem":["ETH"],"endDate":"2024-09-05T08:00:00.000Z","evaluationEndDate":"2024-10-22T15:00:00.000Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-08-15T12:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/aNleyqsTXYGXlLKwk8xXD/d5c618f76994d16da63dacec4112b48b/Lido-mellow-svg__1_.png","maxBounty":100000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - medium","smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["DAO","Liquid Staking","Staking"],"programOverview":"Lido is a liquid staking solution for Ethereum backed by industry-leading staking providers. Lido lets users stake their ETH - without locking assets or maintaining infrastructure - whilst participating in on-chain activities, e.g. 
lending.\n\nThe Decentralized Validator Vault, developed by Mellow, will be utilized to direct net-new stake to the Lido Simple DVT Module, furthering the decentralization of validators using the Lido protocol. The vault will empower solo and community stakers to run more validators via Lido along with professional node operators.\n\nStakers in the vault will receive points from the two major DVT providers, Obol & SSV Network, as well as points from Mellow. In addition, by staking in the vault, users will also hold a wstETH position within the vault, represented by an LP token.\n\nFor more information about Mellow Vault, please visit [https://app.mellow.finance/vaults/ethereum-dvsteth](https://app.mellow.finance/vaults/ethereum-dvsteth). \n\nFor more information about Lido, please visit [Lido.fi](https://lido.fi/). \n\nLido provides rewards in DAI, denominated in USD.","programType":["Smart Contract"],"project":"Audit Comp | Lido: Mellow Vault","projectType":["Defi"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Lido Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/27551774731153-Lido-Audit-Competition-Reward-Terms). \n\nThe reward pool will be entirely distributed among participants. The size depends on the bugs found:\n- If one or more Critical severity bugs are found the reward pool will be - $100,000 USD\n- If one or more High severity bugs are found the reward pool will be - $75,000 USD\n- If one or more Medium severity bugs is found the reward pool will be - $20,000 USD\n\nFor this Audit Competition, duplicates and private known issues are valid for a reward. \n\nPrivate known issues will unlock higher reward pools as though they were one severity level lower. 
For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a High severity bug being found.\n\nThe severity level of private known issues remains unchanged and whitehats earn their portion of the reward pool and position on the leaderboard according to this unchanged severity level.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\n__Reward Payment Terms__\n\nPayouts are handled by the Lido team directly and are denominated in USD. However, payments are done in DAI.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\n* The \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
View more information about Insights.","rewardsPool":100000,"primaryPool":100000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"DAI","slug":"boost-lido","tenPercentEconomicRule":false,"updatedDate":"2024-10-22T15:05:08.030Z","impactsBody":"**Proof of Concept (PoC) Requirements**\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Ionic has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Mellow Decentralized Validator Vault","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":5055,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 week"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block 
stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1JUPb8fcyV2giqRH6pE_5lcaD-GMn-Oas)\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/ThunderNFT%20%7C%20IOP)","boostedIntroLive":"$65,000 USD is available in rewards for finding bugs in ThunderNFT's codebase of 1806 nSLOC. There is no KYC required.\n\nAny technical questions and support requests can be asked directly to ThunderNFT or Immunefi in the [ThunderNFT Boost Discord channel](https://discord.com/invite/immunefi?utm_source=immunefi).\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$65,000 USD in rewards is available for finding bugs on ThunderNFT, which is an NFT marketplace built on Fuel. 
**For this Invite-Only Program, only whitehats who found at least 1 valid report in Fuel's Attackathon can submit reports.**\n\nNo KYC is required.\n\nAny technical questions can be asked directly to the ThunderNFT technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"thundernft-iop\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nIn a few days after the launch, ThunderNFT will give a live technical walkthrough.\n\nJoin our Discord for more updates.","boostedLeaderboard":[{"high":0,"name":"Solosync6","critical":1,"earnings":17057,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":3,"name":"zeroK","critical":0,"earnings":10573,"insights":1,"mediumLow":4,"totalValidBugs":7},{"high":2,"name":"NinetyNineCrits","critical":2,"earnings":8409,"insights":0,"mediumLow":1,"totalValidBugs":5},{"high":1,"name":"SimaoAmaro","critical":2,"earnings":6595,"insights":0,"mediumLow":0,"totalValidBugs":3},{"high":2,"name":"jecikpo","critical":1,"earnings":5270,"insights":0,"mediumLow":5,"totalValidBugs":8},{"high":0,"name":"Blockian","critical":2,"earnings":3899,"insights":1,"mediumLow":2,"totalValidBugs":4},{"high":1,"name":"jasonxiale","critical":2,"earnings":3300,"insights":0,"mediumLow":2,"totalValidBugs":5},{"high":0,"name":"bugtester","critical":0,"earnings":2951,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Schnilch","critical":2,"earnings":2331,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"anatomist","critical":2,"earnings":2331,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"InquisitorScythe","critical":1,"earnings":1435,"insights":0,"mediumLow":2,"totalValidBugs":3},{"high":0,"name":"rbz","critical":0,"earnings":848,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1Vp9FnQGPurPR1urKfcidAVZfQeIn49IF/view?usp=sharing","ecosystem":["Fuel 
Network"],"endDate":"2024-09-02T08:00:28.000Z","evaluationEndDate":"2024-10-18T08:00:00.000Z","features":["IOP (Invite Only Program)","Managed Triage: Time Saver"],"hideAssetsInScope":false,"immunefiStandard":true,"inviteOnly":true,"kyc":false,"language":["Sway"],"launchDate":"2024-08-12T11:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4c3zRck4MBUVAaxTaPkUHt/9b1dee6e49c7d39f3b8af56a8b387816/file.png","maxBounty":65000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"Thunder is an NFT marketplace on Fuel, L2 on Ethereum that utilizes Fuel VM. Fuel is currently on testnet. For more information, check out [https://fuel.network/](https://fuel.network/)\n\nFor more information about ThunderNFT, please visit [https://thundernft.market/](https://thundernft.market/). \n\nThunderNFT provides rewards in USDC, denominated in USD.","programType":["Smart Contract"],"project":"IOP | ThunderNFT","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [ThunderNFT Audit Competition Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/27472225154577-ThunderNFT-IOP-Audit-Competition-Reward-Terms). 
\n\nA reward pool of $65,000 USD will be distributed among participants, even if no valid bugs are found. \n\nDuplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\n* The \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)","rewardsPool":65000,"primaryPool":65000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"thundernft-iop","tenPercentEconomicRule":false,"updatedDate":"2024-10-18T14:42:27.386Z","impactsBody":"**Proof of Concept (PoC) Requirements**\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Ionic has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","websiteUrl":"https://thundernft.market/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"**ThunderNFT's Invite-Only Program is a form of Audit Competition which is exclusively accessible to a select group of security researchers who have submitted at least 1 valid report during Fuel Attackathon event. 
These researchers will share a flat reward pool for every valid bug found.**","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":5053,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 hour"},{"id":5054,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs for at least 1 hour"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1znrFLe3aSsxa0gByFECpyo4srTjgFxc6).","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[{"high":1,"name":"perseverance","critical":1,"earnings":4525,"insights":0,"mediumLow":2,"totalValidBugs":4},{"high":0,"name":"p0wd3r","critical":1,"earnings":3475,"insights":0,"mediumLow":2,"totalValidBugs":3}],"boostedSummaryReport":"https://drive.google.com/file/d/1AEDhJRGHsuRGPCqxff0wypEkOQma7SEb/view?usp=sharing","ecosystem":["Base","Mode"],"endDate":"2024-06-19T10:00:00.000Z","evaluationEndDate":"2024-07-10T10:00:00.000Z","features":["IOP (Invite Only Program)","Managed Triage: Time Saver"],"hideAssetsInScope":true,"immunefiStandard":true,"inviteOnly":true,"kyc":false,"language":["Solidity"],"launchDate":"2024-06-12T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4x7Tph5NGV3ZEXNMotuRlh/1ba856e44df1783eb2e910379c69f92c/logo_2.png","maxBounty":6000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. 
\n\n**All Categories:**\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n**Blockchain/DLT & Smart Contract Specific:**\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n\n**Prohibited Activities:**\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - low","smart_contract - medium","smart_contract - high","smart_contract - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending"],"programOverview":"**Immunefi’s Invite Only Program is a form of Audit Competition which is exclusively accessible to a select group of security researchers who have been specifically invited to participate based on their expertise and skills. These researchers receive a guaranteed fee for participation and additional reward for every valid bug found. Project assets are only visible to the whitelisted researchers.**\n\nIonic introduces a new feature. It consists of leveraging positions on the lending platform by repeatedly borrowing and supplying, looping over the assets. The main code of the project is a Compound/Rari fork, but the in-scope feature is completely unique. \n\nFor more information about Ionic, please visit [https://www.ionic.money/](https://www.ionic.money/). \n\nIonic provides rewards in USDC, denominated in USD.","programType":["Smart Contract"],"project":"IOP | Ionic","projectType":["Defi"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Ionic IOP Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/25846109980177-Ionic-IOP-Reward-Terms).\n\nEach participating whitehat will receive a guaranteed reward of $2,000.\n\nA reward pool of $4,000 USD will be distributed among participants. 
If no valid bugs are found then the reward pool will be distributed between whitehats or returned to the project at Immunefi’s discretion. \n\nFor this Invite Only Program, duplicates and private known issues are valid for a reward. \n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n**Insight Rewards Payment Terms**\n\nInsight Rewards: Portion of the Rewards Pool\n\n* The \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)","rewardsPool":4000,"primaryPool":4000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"ionic-iop","tenPercentEconomicRule":false,"updatedDate":"2024-10-15T14:18:57.992Z","impactsBody":"**Proof of Concept (PoC) Requirements**\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n**Responsible Publication**\n\nWhitehats may not publish their bug reports from this program.\n\nHowever, Immunefi will publish a leaderboard and high-level summary of the results of this program which whitehats can use for their portfolio.\n\n**Feasibility Limitations**\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n**Immunefi Standard Badge**\n\nBy adhering to Immunefi’s best practice recommendations, Ionic has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"**Immunefi’s Invite Only Program is a form of Audit Competition which is exclusively accessible to a select group of security researchers who have been specifically invited to participate based on their expertise and skills. These researchers receive a guaranteed fee for participation and additional reward for every valid bug found. 
Project assets are only visible to the whitelisted researchers.**","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":4940,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds of at least 24h"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"$2,000 USD Guaranteed Fee and Up to $4,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"$2,000 USD Guaranteed Fee and Up to $4,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"$2,000 USD Guaranteed Fee and Up to $4,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"$2,000 USD Guaranteed Fee and Up to $4,000 USD Reward 
Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[],"assetsBodyV2":"","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[{"high":1,"name":"Blockian","critical":0,"earnings":4000,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"LonelySloth","critical":0,"earnings":2500,"insights":0,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"yttriumzz","critical":0,"earnings":2500,"insights":0,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Paludo0x","critical":0,"earnings":2500,"insights":0,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Stormy","critical":0,"earnings":2500,"insights":0,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1DomEnIQ0o4Fv7ELFvnVAIP9vgd6Ez__A/view?usp=sharing","ecosystem":null,"endDate":"2024-05-07T21:00:00.000Z","evaluationEndDate":"2024-05-21T21:00:00.000Z","features":["IOP (Invite Only Program)","Managed Triage: Time Saver"],"hideAssetsInScope":true,"immunefiStandard":true,"inviteOnly":true,"kyc":true,"language":null,"launchDate":"2024-04-16T18:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3OvEzCcwvc8cwkI2RbpKZG/3baa2fd3878da589927b20e0971b3a90/64daffc4c7d038c50674a94c_ZMBTU6JE8ER4m6Kpd16qKGU6jA0GmoR70ZQ7oPwzDqA.png","maxBounty":0,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. 
\n\n**All Categories:**\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n**Blockchain/DLT & Smart Contract Specific:**\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n\n**Prohibited Activities:**\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"**Immunefi’s Invite Only Program is a form of Audit Competition which is exclusively accessible to a select group of security researchers who have been specifically invited to participate based on their expertise and skills. These researchers receive a guaranteed fee for participation and additional reward for every valid bug found. Project assets are only visible to the whitelisted researchers.**\n\nHinkal is an institutional-grade protocol enabling confidential on-chain transactions. Hinkal allows liquid funds and retail users to create private accounts and transact on major dApps in complete confidentiality (the origin, destination and value of the transaction).\n\nHinkal defines the new privacy category where users have a complete private execution environment for their token experience. It means that Hinkal is not an obfuscation tool but a whole layer between the wallet and the dApps.\n\nHinkal solves major problems that privacy protocols faced before:\n\n**Compliance**. Contamination risk happens when illicit assets commingle with others in the shielded pool. Hinkal pioneered the term \"Reusable attestation,\" which allows users to prove that they did KYC (B) somewhere on the crypto internet and use this proof to access the privacy layer.\n\n**Frictions to adoption**. 
Public chains proved to accumulate the value, and Hinkal plugs in the current liquidity vs L1/L2 privacy infrastructure that does not provide enough value for migration of assets.\n\nPrivacy dApps facilitated a simple function of wallet obfuscation that can be achieved using centralized exchanges. Hinkal is a separate confidential execution layer focused on providing end-to-end experience, which means that after users deposit assets to a shielded address - they have everything to keep those assets inside: buy/sell tokens on major DEXs, stake, LP, and re-stake.\n\nCurrently, Hinkal offers 6 highest TVL dApps on 6 major EVM chains.\n\nFor more information about Hinkal, please visit [https://hinkal.pro/](https://hinkal.pro/).\n\nHinkal provides rewards in USDC, denominated in USD.","programType":["Smart Contract"],"project":"IOP | Hinkal","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Hinkal Invite Only Program Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/24006220866065-Hinkal-Invite-Only-Program-Reward-Distribution-Terms). \n\nEach participating whitehat will receive a guaranteed reward $2,500\n\nOn top of this, there are additional rewards per-unique-bug found:\n- $2,500 per Critical\n- $1,500 per High\n\nFor this Invite Only Program, duplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n**Reward Payment Terms**\n\nPayouts are handled by the Hinkal team directly and are denominated in USD. 
However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"hinkal-iop","updatedDate":"2024-10-15T14:18:06.917Z","impactsBody":"**Proof of Concept (PoC) Requirements**\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n**Responsible Publication**\n\nWhitehats may not publish their bug reports from this program.\n\nHowever Immunefi will publish a leaderboard and high-level summary of the results of this program which whitehats can use for their portfolio.\n\n**Feasibility Limitations**\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n**Immunefi Standard Badge**\n\nBy adhering to Immunefi’s best practice recommendations, Hinkal has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"**Immunefi’s Invite Only Program is a form of Audit Competition which is exclusively accessible to a select group of security researchers who have been specifically invited to participate based on their expertise and skills. These researchers receive a guaranteed fee for participation and additional reward for every valid bug found. 
Project assets are only visible to the whitelisted researchers.**","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":4821,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for more than 3 hours"},{"id":4822,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs for more than 3 hours"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"$2,500 USD","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"$1,500 USD","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"4rwjExptxBtDyvB2O9VDdg","url":"https://xchain-testnet-explorer.idex.io/address/0xc214EcBC65D67905cB6f837efaDDC3be8E314bB0","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Custodian.sol - 
63","isPrimacyOfImpact":null},{"id":"30yakdICtyGYbrY9bJE6eF","url":"https://sepolia.arbiscan.io/address/0x6E879e229B5268D8eb53b71d35d055bBBfEa8973","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - EarningsEscrow.sol - 103","isPrimacyOfImpact":null},{"id":"F0lAwrnqVMFSlHdqqUHec","url":"https://xchain-testnet-explorer.idex.io/address/0xBB9A5455869e99652D13Cd0aE1E45dc3A2e9914B","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Exchange.sol - 784","isPrimacyOfImpact":null},{"id":"2Jo7N6EFDPiyuMgdE89AAd","url":"https://xchain-testnet-explorer.idex.io/address/0x13bA4F2be7a42b61Ea6F03AaaD6323A2fc63049e","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Governance.sol - 368","isPrimacyOfImpact":null},{"id":"5bdNr1EH9HK7m6KffR3ZrW","url":"https://api-sandbox.idex.io/","type":"websites_and_applications","addedAt":"2024-07-30T08:00:00.000Z","revision":3,"description":"Testnet","isPrimacyOfImpact":null},{"id":"1rc6SB8d3MGC100xNQC83n","url":"https://api-sandbox.idex.io/","type":"websites_and_applications","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"REST API","isPrimacyOfImpact":null},{"id":"22sVyvqGXO0hgHgt8YPUZi","url":"wss://websocket-sandbox.idex.io/","type":"websites_and_applications","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"WebSocket API","isPrimacyOfImpact":null},{"id":"2olWFX4KfHk0HsVZNIK6UV","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true},{"id":"10VVOpuS4tc88u1r9Cdyaz","url":"https://immunefi.com/","type":"websites_and_applications","addedAt":"2024-07-30T08:00:00.000Z","revision":2,"description":"Primacy of 
Impact","isPrimacyOfImpact":true},{"id":"5twiwzoVwISZ0n2MRtKcKe","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/Owned.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Owned.sol - 33","isPrimacyOfImpact":null},{"id":"56FNpwYweW8TJjOMgByDj0","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/asset-migrators/USDCeMigrator.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - USDCeMigrator.sol - 27","isPrimacyOfImpact":null},{"id":"7wgUntghDEVkOW6xb1yLpd","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/bridge-adapters/ExchangeStargateV2Adapter.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - ExchangeStargateV2Adapter.sol - 153","isPrimacyOfImpact":null},{"id":"4iJ9zy67RdvvD8JBXFEiZ7","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/index-price-adapters/IDEXIndexAndOraclePriceAdapter.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - IDEXIndexAndOraclePriceAdapter.sol - 107","isPrimacyOfImpact":null},{"id":"76nHFItKTeN45zCVxz5vth","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/index-price-adapters/PythIndexPriceAdapter.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - PythIndexPriceAdapter.sol - 119","isPrimacyOfImpact":null},{"id":"2a9YjhDg7W3cmQ6PN2rPWx","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/oracle-price-adapters/PythOraclePriceAdapter.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - PythOraclePriceAdapter.sol - 
76","isPrimacyOfImpact":null},{"id":"4Nhxp75VvCZmonVGNSVJYC","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/AssetUnitConversions.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - AssetUnitConversions.sol - 21","isPrimacyOfImpact":null},{"id":"5NJ2XpPtkzN8QZwpKdrRy2","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/BalanceTracking.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":2,"description":"Smart Contract - BalanceTracking.sol - 468","isPrimacyOfImpact":null},{"id":"49e9BQYJICQBuOnlXkX55M","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/ClosureDeleveraging.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - ClosureDeleveraging.sol - 179","isPrimacyOfImpact":null},{"id":"bwREGqf3J9oRYthuXK4pD","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Constants.so","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Constants.sol - 36","isPrimacyOfImpact":null},{"id":"7eaU8taKiD2nsiZr2jIOuF","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Depositing.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Depositing.sol - 66","isPrimacyOfImpact":null},{"id":"42C99ZSiMslBctcsSJqsWq","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Enums.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Enums.sol - 47","isPrimacyOfImpact":null},{"id":"6Pl1zwbYgkQxS1R9baP6UA","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/ExitFund.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - 
ExitFund.sol - 25","isPrimacyOfImpact":null},{"id":"4SWufotnqgnM8oF8PfpEfA","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Funding.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Funding.sol - 158","isPrimacyOfImpact":null},{"id":"5rNZnCuL0PpRVX2kle6yx7","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/FundingMultiplierQuartetHelper.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - FundingMultiplierQuartetHelper.sol - 103","isPrimacyOfImpact":null},{"id":"3kNUIN8v3kzI4JpBdkpbOn","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Hashing.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Hashing.sol - 80","isPrimacyOfImpact":null},{"id":"1yglaxoJjqgZOfwixfFS5t","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/IndexPriceMargin.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - IndexPriceMargin.sol - 273","isPrimacyOfImpact":null},{"id":"5brIdD0NSXpgI1zA592qsC","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Interfaces.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Interfaces.sol - 9","isPrimacyOfImpact":null},{"id":"3K4UykcF3ILGBO9YGKPnDA","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/LiquidationValidations.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - LiquidationValidations.sol - 
113","isPrimacyOfImpact":null},{"id":"hWv6RFdCGwHFthiO2ao86","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/MarketAdmin.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - MarketAdmin.sol - 77","isPrimacyOfImpact":null},{"id":"5KjTQWCp7pZTee611uWjNG","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/MarketHelper.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - MarketHelper.sol - 40","isPrimacyOfImpact":null},{"id":"1sn9RSkYgj4BTUVXqgnDpJ","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Math.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Math.sol - 58","isPrimacyOfImpact":null},{"id":"2hgBjtCUJ8424ZzyJTuSL9","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/NonceInvalidations.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - NonceInvalidations.sol - 31","isPrimacyOfImpact":null},{"id":"qjeg82NDjViX91ODyQWi2","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/OraclePriceMargin.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - OraclePriceMargin.sol - 295","isPrimacyOfImpact":null},{"id":"5ueNrohUZrZ4Y2LYWScWUj","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/PositionBelowMinimumLiquidation.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - PositionBelowMinimumLiquidation.sol - 
142","isPrimacyOfImpact":null},{"id":"cnlrlGI73VmFH3kGCmBNp","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/PositionInDeactivatedMarketLiquidation.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - PositionInDeactivatedMarketLiquidation.sol - 58","isPrimacyOfImpact":null},{"id":"5JONZb8rNZnL7npV7CBeHG","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/SortedStringSet.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - SortedStringSet.sol - 53","isPrimacyOfImpact":null},{"id":"6dXlE1nyieTr0wJmzO4vdf","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/String.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - String.sol - 43","isPrimacyOfImpact":null},{"id":"38MKuhtCjkCOPbn8oQ4oyn","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Structs.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Structs.sol - 141","isPrimacyOfImpact":null},{"id":"1zUMxtaRwPVYbKpliaET0E","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Time.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Time.sol - 20","isPrimacyOfImpact":null},{"id":"4SOFtV1LfLkdLVSsviHsn4","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/TradeValidations.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - TradeValidations.sol - 
177","isPrimacyOfImpact":null},{"id":"1UBg3MaDJATlLr3GzXV496","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Trading.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Trading.sol - 222","isPrimacyOfImpact":null},{"id":"5fogA0UIk3pzJizEalzqfs","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Transferring.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Transferring.sol - 89","isPrimacyOfImpact":null},{"id":"5AZyKwHMyRZh7SRIIB9phu","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/UUID.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - UUID.sol - 13","isPrimacyOfImpact":null},{"id":"7A896hChKSIkIeTNXgnKPu","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Validations.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Validations.sol - 60","isPrimacyOfImpact":null},{"id":"63TLlym0k8kHkYC0q0KQEo","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/WalletExitAcquisitionDeleveraging.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - WalletExitAcquisitionDeleveraging.sol - 222","isPrimacyOfImpact":null},{"id":"TDrecBcCg0J1oiNY22FQr","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/WalletExitLiquidation.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - WalletExitLiquidation.sol - 
147","isPrimacyOfImpact":null},{"id":"xgCTdZYuHw4MCqsVyzcp0","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/WalletExits.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - WalletExits.sol - 8","isPrimacyOfImpact":null},{"id":"5yxivyboG8XcJfInkxEWn9","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/WalletInMaintenanceAcquisitionDeleveraging.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - WalletInMaintenanceAcquisitionDeleveraging.sol - 160","isPrimacyOfImpact":null},{"id":"5zUId9fPhyxcVxeeXD2e1Z","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/WalletInMaintenanceLiquidation.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - WalletInMaintenanceLiquidation.sol - 147","isPrimacyOfImpact":null},{"id":"4MzreITf0eM8O3qDi3tR0p","url":"https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/libraries/Withdrawing.sol","type":"smart_contract","addedAt":"2024-07-30T08:00:00.000Z","revision":1,"description":"Smart Contract - Withdrawing.sol - 279","isPrimacyOfImpact":null}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Known Issue Assurance__\n\nIDEX commits to providing Known Issue Assurance to bug submissions through their program. This means that IDEX will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. 
Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nIDEX adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact \nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are 
real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, IDEX has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/16cVluoAnCXgGQKIdeQkHE-oPi-nylsGR?usp=sharing)\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/IDEX)","boostedIntroLive":"","boostedIntroStartingIn":"$45,000 USD in rewards is available for finding bugs on IDEX.\n\nIDEX is a high-performance decentralized perpetual swaps exchange. IDEX's hybrid design combines an off-chain order book, matching and liquidation engine with on-chain custody and settlement. This approach blends the speed and efficiency of traditional trading systems with the transparency and security of blockchain technology to create an unparalleled trading experience.\n\nIDEX operates on XCHAIN, an IDEX specific Arbitrum Orbit layer 2. 
XCHAIN's performance supports gas free and nearly instant settlement of all IDEX transactions. Positions on IDEX are collateralized by USDC bridged into XCHAIN via Stargate's Hydra protocol.\n\nFor more information about IDEX please visit https://idex.io/ \n\nNo KYC is required.\n\nIDEX will respond within 24 hours on weekdays to all bug reports. Any technical questions can be asked directly to the IDEX technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"idex-boost\" channel.\n\nWhen the Audit Competition has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nOn Aug 1st, IDEX will give a live technical walkthrough, hosted in the Immunefi Discord. Sign up below to be notified with more details.","boostedLeaderboard":[{"high":1,"name":"Paludo0x","critical":0,"earnings":40500,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Hoverfly9132","critical":0,"earnings":1350,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"marchev","critical":0,"earnings":1350,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"OxSCSamurai","critical":0,"earnings":1350,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"holydevoti0n","critical":0,"earnings":450,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/17Di_yuDq20EiDy-W9UtCBnKB6IfxiUbL/view?usp=sharing","ecosystem":null,"endDate":"2024-08-23T08:00:00.000Z","evaluationEndDate":"2024-10-09T11:09:38.790Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-07-30T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3Z2Gy88N6R5vZwze49k4KA/4d53d963948076f62cd75315f28e7a69/IDEX_logo.png","maxBounty":45000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. 
\n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Websites and Apps:__\n\n- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n- This does not exclude reflected HTML injection with or without JavaScript\n- This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical","smart_contract - medium","smart_contract - low","websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"There are a few key areas that deserve extra attention.\n\n**Unauthorized access to permissioned components**\n- Admin access (both onchain admin functions and offchain admin system access)\n- Upgrade mechanism exploits\n- Access to user wallet delegated key\n- Ability to place orders, cancel orders, or withdraw funds without wallet signature\n\n**Trading and smart contract rules violations**\n- Trade settlement violating the terms of the wallet-authorized orders\n- Margin requirement violations allowing wallets to exceed allowed leverage\n- Balance tracking errors leading to loss of funds","productType":null,"programOverview":"IDEX is a high-performance decentralized perpetual swaps exchange. IDEX's hybrid design combines an off-chain order book, matching and liquidation engine with on-chain custody and settlement. This approach blends the speed and efficiency of traditional trading systems with the transparency and security of blockchain technology to create an unparalleled trading experience.\n\nIDEX operates on XCHAIN, an IDEX specific Arbitrum Orbit layer 2. XCHAIN's performance supports gas free and nearly instant settlement of all IDEX transactions. 
Positions on IDEX are collateralized by USDC bridged into XCHAIN via Stargate's Hydra protocol.\n\nFor more information about IDEX please visit https://idex.io/ \n\nIDEX provides rewards in USDC, denominated in USD.","programType":["Smart Contract","Websites and Applications"],"project":"Audit Comp | IDEX","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [IDEX Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/27112340939665-IDEX-Audit-Competition-Reward-Terms)\n\nThe reward pool will be entirely distributed among participants. The size depends on the bugs found:\nIf no High or Critical severity bugs are found the reward pool will be **$30,000 USD**\nIf one or more High or Critical severity bugs are found the reward pool will be **$45,000 USD**\n\nFor this audit competition, duplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Payment Terms__\n\nPayouts are handled by the IDEX team directly and are denominated in USD. 
However, payments are done in USDC\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\nIDEX’s up to date codebase can be found at https://github.com/idexio/idex-contracts-ikon/tree/901b1d30ce77f8704867546b500e3cee7c89c59b","rewardsPool":45000,"primaryPool":45000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"boost-idex","tenPercentEconomicRule":false,"updatedDate":"2024-10-15T14:00:09.394Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\n\n__Whitehat Educational Resources & Technical Info__\n\n- Documentation\n1) Smart Contracts: https://github.com/idexio/idex-contracts-ikon \n2) API: https://api-docs-v4.idex.io/ \n- Technical education: Technical articles, ReadMe's, whitepaper, etc\n1) https://docs.idex.io/ \n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nNo, it is a new system design.\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__\n\nIDEX supports a single whitelisted ERC20 token as collateral for deposits and withdrawals. Specifically, IDEX deposits and withdrawals are limited to Stargate v2 Hydra-wrapped USDC on XCHAIN.\n\n__What external dependencies are there?__\n\nStargate v2 and LayerZero v2 provide bridge support for depositing and withdrawing USDC. See ExchangeStargateV2Adapter.sol.\nPyth provides index and oracle pricing. See PythIndexPriceAdapter.sol and PythOraclePriceAdapter.sol.\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nIDEX has multiple third party integrations and components including the Stargate/Layerzero protocol, Pyth oracle prices, and the Arbitrum Orbit layer 2 settlement network. IDEX specific components to support these integrations, e.g. 
the index price adapter contracts, are in scope, while any issues or exploits with the third party systems themselves (e.g. a bridge exploit) are out of scope.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nIDEX employs a hybrid design where the API, order books, and the matching engine operate off chain while smart contracts custody funds and verify operations. As a result, nearly all contract functionality is permissioned. Aside from standard owner and admin wallets, a designated dispatcher wallet, also operated by IDEX, is solely responsible for submitting trade settlements, liquidations, funding payments, etc. The use of a single dispatcher wallet guarantees the settlement sequence of off-chain actions within the contracts.\n\n__Where do you suspect there may be bugs?:__\n\nThere are a few key areas that deserve extra attention.\n\n_Unauthorized access to permissioned components_\n\n- Admin access (both onchain admin functions and offchain admin system access)\n- Upgrade mechanism exploits\n- Access to user wallet delegated key\n- Ability to place orders, cancel orders, or withdraw funds without wallet signature\n\n_Trading and smart contract rules violations_\n\n- Trade settlement violating the terms of the wallet-authorized orders\n- Margin requirement violations allowing wallets to exceed allowed leverage\n- Balance tracking errors leading to loss of funds\n\n__What is the test suite setup information?__\n\n- See the GitHub [README](https://github.com/idexio/idex-contracts-ikon/?tab=readme-ov-file#usage) for test suite operation.\n\n __Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
\n\n- Issues resulting from index or oracle price manipulation.\n- Issues due to very low pricing.\n- Loss of unrealized profits during wallet [exit withdrawals](https://github.com/idexio/idex-contracts-ikon?tab=readme-ov-file#wallet-exits).\n- Loss of withdrawn value due to old oracle pricing during [exit withdrawals](https://github.com/idexio/idex-contracts-ikon?tab=readme-ov-file#wallet-exits).\n- Issues related to the USDC proxy implementation being switched to something malicious.\n- EarningsEscrow.sol contract replay prevention mechanism only includes the contract’s address.\n- Behavior within the stated design intent as defined in documentation.\n- See the previously completed audits for identified issues.\n\n__Previous Audits__\n\nIDEX’s completed audit reports can be found at https://github.com/idexio/idex-contracts-ikon/tree/main/audits. \nAny unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n- 0xMacro A-1\n- 0xMacro B-1\n- PeckShield","websiteUrl":"https://idex.io/","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"IDEX is a high-performance decentralized perpetual swaps exchange. It operates on XCHAIN, an IDEX specific Arbitrum Orbit layer 2. XCHAIN's performance supports gas free and nearly instant settlement of all IDEX transactions. 
Positions on IDEX are collateralized by USDC bridged into XCHAIN via Stargate's Hydra protocol.\n\nFor more information about IDEX please visit https://idex.io/ \n\n\n","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":5012,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without an already-connected wallet interaction and with significant user interaction, such as iframing leading to modifying backend/browser state (must show impact with PoC)."},{"id":5013,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as: Social media handles, etc."},{"id":5014,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as: Locking up the victim from login, Cookie bombing, etc."},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":5015,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":5016,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local 
storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc."},{"id":5017,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information, such as: Email address, Phone number, Physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet interaction"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":5018,"type":"websites_and_applications","severity":"medium","title":"Changing non-sensitive details of other users (including modifying browser local storage) without an already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name or enabling/disabling notifications"},{"id":5019,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection, Loading external site data"},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system 
commands"},{"id":5020,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as:  /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":5021,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:   Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":41,"type":"websites_and_applications","severity":"critical","title":"Subdomain takeover with already-connected wallet interaction"},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":5022,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as:  Modifying transaction arguments or parameters Substituting contract addresses Submitting malicious transactions"},{"id":45,"type":"websites_and_applications","severity":"critical","title":"Injection of malicious HTML or XSS through metadata"}],"rewards":[{"level":"critical","payout":"Portion of the $45,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the $45,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the $30,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the $30,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"critical","payout":"Portion of the $45,000 USD Reward 
Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"high","payout":"Portion of the $45,000 USD Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"medium","payout":"Portion of the $30,000 USD Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"low","payout":"Portion of the $30,000 USD Reward Pool","assetType":"websites_and_applications","pocRequired":true}],"audits":[]},{"assets":[{"id":"7Hu7rFWcgR8MF4bBM0ULti","url":"https://github.com/shardeum/validator-gui/tree/dev","type":"websites_and_applications","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"Validator GUI [3048]","isPrimacyOfImpact":null},{"id":"4alDreMl20Q9b2xEciGKJ9","url":"https://github.com/shardeum/validator-cli/tree/dev","type":"websites_and_applications","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"Validator CLI [1871]","isPrimacyOfImpact":null},{"id":"4SqJcuuAy4RVyUra6bop8R","url":"https://github.com/shardeum/archive-server/tree/dev","type":"websites_and_applications","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"Archive Server [13421]","isPrimacyOfImpact":null},{"id":"3DQa3F1ZN7nsFtsoVqnS0g","url":"https://github.com/shardeum/explorer-server/tree/dev","type":"websites_and_applications","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"Explorer Server [14856]","isPrimacyOfImpact":null},{"id":"49Q24KWSrJreWYb30a0HbR","url":"https://github.com/shardeum/relayer-collector/tree/dev","type":"websites_and_applications","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"Relayer Collection [8768]","isPrimacyOfImpact":null},{"id":"2Qeb9cswUXhzzValYJQud4","url":"https://github.com/shardeum/relayer-distributor/tree/dev","type":"websites_and_applications","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"Relayer Distributor 
[2830]","isPrimacyOfImpact":null},{"id":"XFNpYTwoxXunS2MUJ9Yro","url":"https://github.com/shardeum/json-rpc-server/tree/dev","type":"websites_and_applications","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"JSON RPC Server [7936]","isPrimacyOfImpact":null},{"id":"Z3RzLAwR8bPwN0mfHxZI9","url":"https://github.com/shardeum/lib-net/tree/dev","type":"websites_and_applications","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"LIB NET [2742]","isPrimacyOfImpact":null}],"assetsBodyV2":"Shardeum’s up to date codebase can be found at [https://github.com/shardeum/](https://github.com/shardeum/).\n\n__Mid-Contest Code Updates__\n\nIn this contest bug fixes may be applied mid-contest. This is required for Shardeum to test changes on their beta networks in preparation for an imminent mainnet launch.\n\nThe project is to keep changes private as far as possible. When changes need to be made public, then the changelog will be updated here & in the [Shardeum Audit Competition Discord channel](https://discord.com/invite/immunefi?utm_source=immunefi). Publicly fixed bugs are invalid and the scope is updated to the new code.\n\nAll bug reports before the fix was public will earn a reward. All bug reports after are invalid. If a new bug is introduced by their fix then it is valid for a reward.\n\n__Mid-Contest Changelog__\n\nCurrently none.\n\nPOCs should be tested against the most recent changes on the /tree/dev github repo.\n\n__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Known Issue Assurance__\n\nShardeum commits to providing Known Issue Assurance to bug submissions through their program. 
This means that Shardeum will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nShardeum adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact). \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Shardeum has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/12i0-9nf3DA0NUFiq5NJetGmUC7EbFndC).\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/Shardeum%20Ancillaries).","boostedIntroLive":"$200,000 USD is available in rewards for finding bugs in Shardeum's codebase of about 55000 nSLOC. There is no KYC required.\n\nShardeum team will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to Shardeum or Immunefi in the [Shardeum Boost Discord channel](https://discord.com/invite/immunefi).\n\nIn this contest bug fixes may be applied mid-contest. Further details are in the 'Assets In Scope' section.\n\nWhen the Boost has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$200,000 USD in rewards is available for finding bugs on Shardeum Ancillaries, which will only cover the Web2 aspects of the project. 
\n\nNo KYC is required.\n\nShardeum will respond within 24 hours on weekdays to all bug reports. Any technical questions can be asked directly to the Shardeum technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"shardeum-ancillaries-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nIn a few days after the launch, Shardeum will give a live technical walkthrough, hosted in the Immunefi Discord.\n\nJoin our Discord for more updates.","boostedLeaderboard":[{"high":0,"name":"periniondon630","critical":1,"earnings":112923,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"anton_quantish","critical":0,"earnings":15681,"insights":4,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"riproprip","critical":0,"earnings":9410,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Swift77057","critical":0,"earnings":9410,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"neplox","critical":0,"earnings":7554,"insights":1,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"hulkvision","critical":0,"earnings":1584,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Xanzz","critical":0,"earnings":1563,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Holofan","critical":0,"earnings":938,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Minato7namikazi","critical":0,"earnings":938,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://docs.google.com/presentation/d/1xd3RjfcPysZ6HXvTrHemvRkPDjn64YGX-ycNGf1xWDM/edit?usp=sharing","ecosystem":["Shardeum"],"endDate":"2024-08-14T06:00:00.000Z","evaluationEndDate":"2024-09-26T06:00:00.000Z","features":["Boost","Managed Triage: Time 
Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Rust","Typescript"],"launchDate":"2024-07-08T06:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1m6RmtetyAanvdJtFgER1S/2dd905210d46dcb763551541b3636dc7/Shardeum_Logo_Icon_Light_-_Square__1_.png","maxBounty":200000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Websites and Apps__\n\n- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n- This does not exclude reflected HTML injection with or without JavaScript\n- This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["websites_and_applications - critical","websites_and_applications - high","websites_and_applications - medium","websites_and_applications - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Services"],"programOverview":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever, while maintaining true decentralization and (hopefully) solid security. Shardeum is a large project and as such, will be split over two concurrent audit competitions. This audit competition, called Ancillaries, will cover the Web2 aspects of the project. This will cover seven components: Validator GUI, Validator CLI, Archiver, Explorer, Distributor/Collector libraries, RPC, and Shardus-Net networking code.\n\nThe Validator GUI is the website that optionally runs on each node. This allows the node operator to interact with their node. Despite our best efforts, the community likes to have this webpage available on the internet. The Validator CLI is the command line tool used to administer the node. The GUI calls commands in the CLI, or the operator can enter the commands manually. The Archive Server’s primary role is to hold the historical state of the network and accounts. Once the network has consensed on a state change, that information is saved to archive servers. The Explorer serves a similar function to [https://etherscan.io/](https://etherscan.io/). The relayer consists of two parts: collector and distributor. 
These two components work together to shuffle data between ancillaries, namely the archiver servers, RPC servers, and explorer. The RPC server acts as an API, allowing users to interact with the network and inject transactions. It is designed to be as compliant as possible with Ethereum’s RPC specification, though some differences exist. Finally, lib-net is the bottom level networking library for the Shardeum network. It is written in a mix of Rust and TypeScript.\n\nFor more information about Shardeum, please visit [https://shardeum.org/](https://shardeum.org/).\n\nShardeum provides rewards in USDC, denominated in USD.","programType":["Websites and Applications"],"project":"Audit Comp | Shardeum: Ancillaries","projectType":["Infrastructure"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Shardeum | Ancillaries Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/26482375730577-Shardeum-Ancillaries-Audit-Competition-Reward-Terms). \n\nThe reward pool will be distributed among participants. The size depends on the bugs found:\n- If no High or Critical severity bugs are found the reward pool will be **$100,000 USD**\n- If one or more High severity bugs are found the reward pool will be **$120,000 USD**\n- If 1 Critical severity bug is found the reward pool will be **$160,000 USD**\n- If 2 Critical severity bugs are found the reward pool will be **$180,000 USD**\n- If 4 or more Critical severity bugs are found the reward pool will be **$200,000 USD**\n\nFor this Audit Competition, duplicates and private known issues are valid for a reward. \n\nPrivate known issues will unlock higher reward pools according to their severity level without any downgrade. 
For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a Critical severity bug being found.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Payment Terms__\n\nPayouts are handled by the Shardeum team directly and are denominated in USD. However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\nThe \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi).","rewardsPool":200000,"primaryPool":200000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"shardeum-ancillaries-boost","tenPercentEconomicRule":false,"updatedDate":"2024-10-15T13:57:54.775Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nPOCs should be tested against the most recent changes on the /tree/dev github repo.\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Whitehat Educational Resources & Technical Info__\nArchitecture documents: [https://docs.shardeum.org/docs/architecture/high-level-architecture](https://docs.shardeum.org/docs/architecture/high-level-architecture)\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nNo\n\n__Where do you suspect there may be bugs? Useful aspects of this question are:__\n\n- **Which parts of the code are you most concerned about?**\n    RPC server, Archive server, and GUI\n- **What attack vectors are you most concerned about?**\n    Highly concerned with the Validator GUI. At the time of writing and likely at the time of launch, the GUI will be homogenous for most of the nodes in the network. 
A critical bug here can quickly destroy the network as it will instantly impact every node.\n- **Which part(s) of the system do you want whitehats to attempt to break the most?**\n\tAll of it\n- **Are there any assumed invariants that you want whitehats to attempt to break?**\n    No\n\n__What external dependencies are there?__\n\nJust the packages listed in the package.json of each repo.\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nSince we are doing two concurrent audit competitions with repositories that interact with each other, the specific boundaries of which vulnerability belongs to which audit competition may become confusing. A vulnerability may exist in the communication between an archive server and a validator for example. We would like to assure researchers that regardless of the final decision of which audit competition a particular vulnerability belongs to, the researcher will get paid. We may have final say over where a vuln belongs but the researcher will get their bounty pending the other eligibility factors.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nThe role of archivers in the Shardeum network is a little different from similar components in other networks. Archivers have no role in a node joining or leaving the network. Archivers have no role in consensus or syncing. They are merely an archive of the history of the network.\n\nWeak subjectivity solutions do not apply to the Shardeum network because long range attacks are not relevant. 
Shardeum does not have probabilistic finality so there is no risk of a competing chain becoming valid.\n\n__What is the test suite setup information?__\n\nThe simple network test suite: [https://github.com/shardeum/simple-network-test](https://github.com/shardeum/simple-network-test)\nLarger test suite setup: [https://github.com/shardeum/json-rpc-server/tree/localtest/src/__tests__/integration](https://github.com/shardeum/json-rpc-server/tree/localtest/src/__tests__/integration)\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\nList of [Shardeum’s Known Issues](https://immunefisupport.zendesk.com/hc/en-us/articles/26510185034641-List-of-Known-Issues-for-Shardeum-Core-and-Shardeum-Ancillaries-Audit-Competitions).\n\n__Previous Audits__\n\nShardeum’s completed audit reports can be found here: [Arcadia (draft)](https://docs.google.com/document/d/1OlmijVY2ga_7QEe8DYU-NTEXfAqMRpuwlduIofjmEwA/edit#heading=h.5uoc4mfz7mn4), [HashCloack](https://docs.google.com/document/d/1n11d40JZYgL33-F-Lw6FMuBP9AJSXvyg-xBpJhwOkUE/edit). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever, while maintaining true decentralization and (hopefully) solid security. Shardeum is a large project and as such, will be split over two concurrent audit competitions. 
This audit competition, called Ancillaries, will cover the Web2 aspects of the project.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4959,"type":"websites_and_applications","severity":"low","title":"Improperly disclosing confidential user information, such as: Email address, Phone number, Physical address, etc."},{"id":4960,"type":"websites_and_applications","severity":"low","title":"Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, e.g: Changing the first/last name of user, Enabling/disabling notifications"},{"id":4961,"type":"websites_and_applications","severity":"low","title":"Injecting/modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection, Loading external site data"},{"id":4962,"type":"websites_and_applications","severity":"low","title":"Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as: Iframing leading to modifying the backend/browser state (must have a PoC)"},{"id":4963,"type":"websites_and_applications","severity":"low","title":"Taking over broken or expired outgoing links, such as: Social media handles, etc."},{"id":4964,"type":"websites_and_applications","severity":"low","title":"Temporarily disabling user to access target site, such as: Locking up the victim from login, Cookie bombing, etc."},{"id":4965,"type":"websites_and_applications","severity":"high","title":"Taking down the 
application/website"},{"id":4966,"type":"websites_and_applications","severity":"medium","title":"Injection of malicious HTML or XSS through metadata"},{"id":4967,"type":"websites_and_applications","severity":"medium","title":"Injecting/modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc"},{"id":4968,"type":"websites_and_applications","severity":"medium","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc."},{"id":52,"type":"websites_and_applications","severity":"medium","title":"Redirecting users to malicious websites (open redirect)"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":4969,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server, such as: /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":4970,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user funds"},{"id":4971,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet, such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious 
transactions"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"websites_and_applications","pocRequired":true}],"audits":[]},{"assets":[{"id":"5rraVks6nBywfe9KZoGCXO","url":"https://github.com/shardeum/shardus-core/tree/dev","type":"blockchain_dlt","addedAt":"2024-07-08T06:00:00.000Z","revision":2,"description":"Core [47057]","isPrimacyOfImpact":null},{"id":"1mnBqVGgu6GM3AxojyvK7v","url":"https://github.com/shardeum/shardeum/tree/dev","type":"blockchain_dlt","addedAt":"2024-07-08T06:00:00.000Z","revision":2,"description":"Validator [22461]","isPrimacyOfImpact":null},{"id":"3Jbo64Pq2Fj9oQQUEJ9mcb","url":"https://github.com/shardeum/lib-crypto-utils/tree/dev","type":"blockchain_dlt","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"Crypto Utils [863]","isPrimacyOfImpact":null},{"id":"4tWsvn43udFa1Msgr1wEsf","url":"https://immunefi.com","type":"blockchain_dlt","addedAt":"2024-07-08T06:00:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"Shardeum’s up to date codebase can be found at [https://github.com/shardeum/](https://github.com/shardeum/). \n\nA note on Shardeum and Shardus Core scope: the default config in the dev branch is in scope. Whitehats are free to configure, patch, and modify their own malicious nodes however they want. However, target nodes must be running the default config in dev. This is to prevent the whitehats from wasting time reporting things we specifically allow in debug mode. The only exception is minNodes and maxNodes settings, which allow different size networks to be created. 
Certain vulnerabilities may only exist in certain network sizes, and we do not wish to limit Whitehat activity and participation for lack of computing power attempting to run a large local network. However, network-wide attacks that only work under 128 nodes may be rejected or reduced in severity at our discretion. If the researchers can enable debug mode options remotely then that is valid and can be paid out.\n\nFinally, the more nodes that are required to launch an attack, the more at risk the vuln is of being downgraded. If it takes 33% (for example) of the nodes in the network being malicious to cause damage, then it becomes difficult to distinguish the impact from a Sybil attack, which is completely out of scope.\n\n__Mid-Contest Code Updates__\n\nIn this contest bug fixes may be applied mid-contest. This is required for Shardeum to test changes on their beta networks in preparation for an imminent mainnet launch.\n\nThe project is to keep changes private as far as possible. When changes need to be made public, then the changelog will be updated here & in the [Shardeum Audit Competition Discord channel](https://discord.com/invite/immunefi?utm_source=immunefi). Publicly fixed bugs are invalid and the scope is updated to the new code.\n\nAll bug reports before the fix was public will earn a reward. All bug reports after are invalid. 
If a new bug is introduced by their fix then it is valid for a reward.\n\n__Mid-Contest Changelog__\n\n- Error handling for all external endpoints https://github.com/shardeum/shardus-core/commit/82100da75728ea4ef3983fd6439e175201cafc9b \n\n1.12.1 Changelog\n- Updated to use latest shardus/core v2.12.30-68 and archiver v3.4.23\n- Update README.md [#88](https://github.com/shardeum/shardeum/pull/88)\n- Add debug tip to readme [#63](https://github.com/shardeum/shardeum/pull/63)\n- Add note to the readme [#68](https://github.com/shardeum/shardeum/pull/68)\n- BLUE-54 + BLUE-84: Penalty history added, refactoring and recordPenaltyTx fix [#49](https://github.com/shardeum/shardeum/pull/49)\n- GOLD-100: Replace stringify with unified version of fastStableStringify [#37](https://github.com/shardeum/shardeum/pull/37)\n- GREEN-44 add validate NaN points in debug-points endpoint [#27](https://github.com/shardeum/shardeum/pull/27)\n- Improved instructions for using prettier-ignore ([#32](https://github.com/shardeum/shardeum/pull/33)) [#33](https://github.com/shardeum/shardeum/pull/33)\n- add new configuration for formingNodesPerCycle [#39](https://github.com/shardeum/shardeum/pull/39)\n- Gold 93: Fix timestamp bigint floating point error [#36](https://github.com/shardeum/shardeum/pull/36)\n- SYS-172 fix patch files [#31](https://github.com/shardeum/shardeum/pull/31)\n- SEC-364: Put Extra Validation for ClaimReward transaction [#22](https://github.com/shardeum/shardeum/pull/22)\n- Add instructions on how to halt shardeum network and obtain SHM [#18](https://github.com/shardeum/shardeum/pull/18)\n- Link dockerfile to image in GHCR [#20](https://github.com/shardeum/shardeum/pull/20)\n- SEC-119: Adding Extra Validation for contract call [#13](https://github.com/shardeum/shardeum/pull/13)\n- Update links from Gitlab to GitHub [#14](https://github.com/shardeum/shardeum/pull/14)\n- added check for EVM payload [#7](https://github.com/shardeum/shardeum/pull/7)\n\nPOCs should be tested 
against the most recent changes on the /tree/dev github repo.\n\n__Out of Scope Clauses__\n\n- For [https://github.com/shardeum/shardus-core/](https://github.com/shardeum/shardus-core/), Deprecated.ts, TransactionConsensus.ts, Functionality related to PreCrack, src/snapshot/* are considered to be out of scope.\n- For [https://github.com/shardeum/shardeum](https://github.com/shardeum/shardeum), Automated Access List Generation (AALG) or AALG Warm Up code, Eth-call code, Codebytes, contract storage are considered to be out of scope\n\n__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Known Issue Assurance__\n\nShardeum commits to providing Known Issue Assurance to bug submissions through their program. This means that Shardeum will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nShardeum adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact). 
\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Shardeum has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1ZCyeZlpBzYz-ZgbBQ-IUU_YVVEd_0YUn).\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/Shardeum%20Core).","boostedIntroLive":"$500,000 USD is available in rewards for finding bugs in Shardeum's codebase of about 70000 nSLOC. There is no KYC required.\n\nShardeum team will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to Shardeum or Immunefi in the [Shardeum Boost Discord channel](https://discord.com/invite/immunefi).\n\nIn this contest bug fixes may be applied mid-contest. Further details are in the 'Assets In Scope' section.\n\nWhen the Boost has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$500,000 USD in rewards is available for finding bugs on Shardeum Core which covers the Layer1, p2p and consensus protocol. 
All code, except for Shardeum's smart contracts, is in scope\n\nNo KYC is required.\n\nShardeum will respond within 24 hours on weekdays to all bug reports. Any technical questions can be asked directly to the Shardeum technical team on [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"shardeum-core-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nIn a few days after the launch, Shardeum will give a live technical walkthrough, hosted in the Immunefi Discord. \n\nJoin our Discord for more updates.","boostedLeaderboard":[{"high":2,"name":"infosec_us_team","critical":9,"earnings":108385,"insights":0,"mediumLow":3,"totalValidBugs":14},{"high":0,"name":"neplox","critical":8,"earnings":95054,"insights":0,"mediumLow":0,"totalValidBugs":8},{"high":0,"name":"doxtopzhivago","critical":4,"earnings":82998,"insights":0,"mediumLow":0,"totalValidBugs":4},{"high":0,"name":"ZhouWu","critical":7,"earnings":82501,"insights":0,"mediumLow":0,"totalValidBugs":7},{"high":0,"name":"Blockian","critical":2,"earnings":29153,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"rootrescue","critical":1,"earnings":20749,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"usmannk","critical":2,"earnings":18882,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":1,"name":"GuplerSaxanoid","critical":1,"earnings":15987,"insights":1,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"riproprip","critical":2,"earnings":11807,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"periniondon630","critical":2,"earnings":8446,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"ret2happy","critical":0,"earnings":7500,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":1,"name":"Lastc0de","critical":0,"earnings":5851,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"anton_quantish","critical":0,"earnings":5187,"insights":0,"mediumLow":0,"t
otalValidBugs":1},{"high":0,"name":"gln","critical":0,"earnings":3750,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"gladiator111","critical":0,"earnings":3750,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1xv3ZrqHNXi94-39xehlhQt2DFbZdDNmY/view?usp=sharing","ecosystem":["Shardeum"],"endDate":"2024-08-14T06:00:00.000Z","evaluationEndDate":"2024-09-25T06:00:00.000Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Typescript"],"launchDate":"2024-07-08T06:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3xrzvSX4v3cZXmp4CuDjMq/4e8e46638a00d31de927c277638a1c4b/Shardeum_Logo_Icon_Light_-_Square__1_.png","maxBounty":500000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["blockchain_dlt - high","blockchain_dlt - medium","blockchain_dlt - low","blockchain_dlt - critical"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["L1"],"programOverview":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever while maintaining true decentralization and (hopefully) solid security. Shardeum is a large project and as such, will be split over two concurrent audit competitions. 
This audit competition, called Core, will cover the Web3 aspects of the project, as well as some internal libs. This will cover three components: Shardus Core, Shardeum Validator, and Crypto Utils library. \n\n[Shardus Core](https://github.com/shardeum/shardus-core/) covers the Layer 1, p2p and consensus protocol. [Shardeum Validator](https://github.com/shardeum/shardeum) is the L2 EVM-compatible distributed application (DApp). Everything here except smart contracts is in scope. Finally, the [crypto utils](https://github.com/shardeum/lib-crypto-utils) library holds wrappers for cryptographic functions used throughout the Shardeum Foundation codebase.\n\nFor more information about Shardeum, please visit [https://shardeum.org/](https://shardeum.org/). \n\nShardeum provides rewards in USDC, denominated in USD.","programType":["Blockchain/DLT"],"project":"Audit Comp | Shardeum: Core","projectType":["Blockchain"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Shardeum | Core Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/26482360597009-Shardeum-Core-Audit-Competition-Reward-Terms). \n\nThe reward pool will be distributed among participants. The size depends on the bugs found:\n- If no High or Critical severity bugs are found the reward pool will be **$250,000 USD**\n- If one or more High severity bugs are found the reward pool will be **$300,000 USD**\n- If 1 Critical severity bug is found the reward pool will be **$400,000 USD**\n- If 2 Critical severity bugs are found the reward pool will be **$450,000 USD**\n- If 4 or more Critical severity bugs are found the reward pool will be **$500,000 USD**\n\nFor this Audit Competition, duplicates and private known issues are valid for a reward. \n\nPrivate known issues will unlock higher reward pools according to their severity level without any downgrade. 
For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a Critical severity bug being found.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Payment Terms__\n\nPayouts are handled by the Shardeum team directly and are denominated in USD. However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n__Insight Rewards Payment Terms__\n\nInsight Rewards: Portion of the Rewards Pool\n\nThe \"Insight\" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. \"Insights\" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. 
[View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi).","rewardsPool":500000,"primaryPool":500000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"shardeum-core-boost","tenPercentEconomicRule":false,"updatedDate":"2024-10-15T13:52:45.780Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nPOCs should be tested against the most recent changes on the /tree/dev github repo.\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n__Whitehat Educational Resources & Technical Info__\n\nArchitecture documents: [https://docs.shardeum.org/docs/architecture/high-level-architecture](https://docs.shardeum.org/docs/architecture/high-level-architecture)\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nNo, this is fully unique code.\n\n__Where do you suspect there may be bugs?__\n\nOur random functions are uniformly distributed. We would like to know if the random numbers can be manipulated to give attackers a way to influence when their node is moved from standby to active, their node’s ID, and where in the network their node is placed.\n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nThe Validator GUI, the old version. We want to make sure that the bugs are coming into a new version, and not to the old one.\n\n__What external dependencies are there?__\n\nNone other than the libs listed in package.json\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nOur code relating to precrack may cause confusion. These chunks of code are out of scope for the current bounty. 
PreCrack functionality is spread around the repository but is clearly labeled with variable and function names.\n\nSince we are doing two concurrent audit competitions with repositories that interact with each other, the specific boundaries of which vulnerability belongs to which audit competition may become confusing. A vulnerability may exist in the communication between an archive server and a validator for example. We would like to assure researchers that regardless of the final decision of which audit competition a particular vulnerability belongs to, the researcher will get paid. We may have final say over where a vuln belongs but the researcher will get their bounty pending the other eligibility factors.\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nThe role of archivers in the Shardeum network is a little different from similar components in other networks. Archivers have no role in a node joining or leaving the network. Archivers have no role in consensus or syncing. They are merely an archive of the history of the network.\n\nWeak subjectivity solutions do not apply to the Shardeum network because long range attacks are not relevant. Shardeum does not have probabilistic finality so there is no risk of a competing chain becoming valid.\n\n__What is the test suite setup information?__\n\nThe simple network test suite: [https://github.com/shardeum/simple-network-test](https://github.com/shardeum/simple-network-test)\nLarger test suite setup: [https://github.com/shardeum/json-rpc-server/tree/localtest/src/__tests__/integration](https://github.com/shardeum/json-rpc-server/tree/localtest/src/__tests__/integration)\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\nList of [Shardeum’s Known Issues](https://immunefisupport.zendesk.com/hc/en-us/articles/26510185034641-List-of-Known-Issues-for-Shardeum-Core-and-Shardeum-Ancillaries-Audit-Competitions).\n\n__Previous Audits__\n\nShardeum’s completed audit reports can be found here: [Arcadia (draft)](https://docs.google.com/document/d/1OlmijVY2ga_7QEe8DYU-NTEXfAqMRpuwlduIofjmEwA/edit#heading=h.5uoc4mfz7mn4), [HashCloack](https://docs.google.com/document/d/1n11d40JZYgL33-F-Lw6FMuBP9AJSXvyg-xBpJhwOkUE/edit). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Shardeum is an EVM-based, linearly scalable network offering low gas fees forever while maintaining true decentralization and (hopefully) solid security. Shardeum is a large project and as such, will be split over two concurrent audit competitions. This audit competition, called Core, will cover the Web3 aspects of the project, as well as some internal libs. 
This will cover three components: Shardus Core, Shardeum Validator, and Crypto Utils library.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":12,"type":"blockchain_dlt","severity":"low","title":"Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":13,"type":"blockchain_dlt","severity":"low","title":"Modification of transaction fees outside of design parameters"},{"id":5,"type":"blockchain_dlt","severity":"high","title":"Unintended chain split (network partition)"},{"id":4957,"type":"blockchain_dlt","severity":"high","title":"RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer"},{"id":4958,"type":"blockchain_dlt","severity":"medium","title":"Causing network processing nodes to process transactions from the transaction queue beyond set parameters"},{"id":9,"type":"blockchain_dlt","severity":"medium","title":"Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours"},{"id":10,"type":"blockchain_dlt","severity":"medium","title":"Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network"},{"id":1,"type":"blockchain_dlt","severity":"critical","title":"Network not being able to confirm new transactions (total network shutdown)"},{"id":3,"type":"blockchain_dlt","severity":"critical","title":"Direct loss of funds"},{"id":4,"type":"blockchain_dlt","severity":"critical","title":"Permanent freezing of funds (fix requires 
hardfork)"}],"rewards":[{"level":"critical","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"high","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"medium","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true},{"level":"low","payout":"Portion of the Reward Pool","assetType":"blockchain_dlt","pocRequired":true}],"audits":[]},{"assets":[{"id":"3gKTAQCE5z9fhVmx7VydoF","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/76","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"refactor: add extra checks to the math library","isPrimacyOfImpact":null},{"id":"72GLGKm4s7eijXXKCMfQ4U","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/75","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: check the available liquidity when withdrawing","isPrimacyOfImpact":null},{"id":"5v5Ku5Bc5LncE9DmCDD0yl","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/74","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: scale down the repay borrow amount by the liquidation bonus","isPrimacyOfImpact":null},{"id":"8savxrSKfA25nnv5BmXIr","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/72","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: stable borrow balance increases","isPrimacyOfImpact":null},{"id":"JI1DJ6TMpkqhzhNOjWN2w","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/70","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: reduce the loan type collateral used in by the liquidation 
fee","isPrimacyOfImpact":null},{"id":"2Klj5hzO70qAxIIIqQWPkK","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/68","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: cannot rebalance up to a lower stable rate","isPrimacyOfImpact":null},{"id":"3jyJJXBtyPCGOKofE0208h","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/66","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: cannot mix borrows when liquidating","isPrimacyOfImpact":null},{"id":"11OFOjFpNu7EjtjR11qBum","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/64","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: don’t use cached chainlink node decimals","isPrimacyOfImpact":null},{"id":"8WvVipy55MTeXhHUzhThc","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/62","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: hanlde PythNode exponent which is less than -18","isPrimacyOfImpact":null},{"id":"25hkfWHfXZ40hcRuthwh5T","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/60","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: outdated deposit interest rate","isPrimacyOfImpact":null},{"id":"4UhLdeRdmAWdJ5ZgYADNJf","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/58","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: check the loan is over-collateralised in the switch borrow type operation","isPrimacyOfImpact":null},{"id":"7jduzdBWHD5ioG6AGsyQW4","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/56","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: make retry and reverse message permissioned retry + can override the return message 
params","isPrimacyOfImpact":null},{"id":"5FeWX6xWuotSKXbkb7AKaf","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/52","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: remove unused same oracle node","isPrimacyOfImpact":null},{"id":"MSJ9e8Z2LIrQjn3m4JHGI","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/50","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: round in the protocol’s favour  when calculating the average stable rate","isPrimacyOfImpact":null},{"id":"3rIJxpge3kCrIe00kJFtHb","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/48","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: handle zero deposits and zero borrows","isPrimacyOfImpact":null},{"id":"4F4zcTp8Qq08PbeMmL4hOS","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/45","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: check available liquidity when borrowing","isPrimacyOfImpact":null},{"id":"2Y6G292x4HD0MthLICLNGW","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/43","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: delete collaterals and borrows mappings","isPrimacyOfImpact":null},{"id":"52kULiOIQCluRY22quEdjF","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/40","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: frontrun protection for the create account and create loan operations","isPrimacyOfImpact":null},{"id":"6GGH87SvuGvuC7qSdogUTY","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/37","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: make rebalance up and rebalance down a permissioned 
operation","isPrimacyOfImpact":null},{"id":"6U9zOi6AcGdMAKwi6PvRCD","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/35","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: various small fixes for price deviation (same oracle) node","isPrimacyOfImpact":null},{"id":"1QD3DlhUfOGYKWqzdnO5a2","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/31","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: check adapter address match to handle zero adapter id edge case","isPrimacyOfImpact":null},{"id":"9yBUDKRkaA5qFLB2TUFIP","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/29","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: cannot add zero address adapter","isPrimacyOfImpact":null},{"id":"2M8zN2ZGfWIhGd366S7Pw","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/27","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: cannot delete account","isPrimacyOfImpact":null},{"id":"786opUrAqHi6nCaqMab7YL","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/25","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"feat: reduce gas consumption for failed messages","isPrimacyOfImpact":null},{"id":"2pGCyItFguBVH2mUfmnagT","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/23","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: handle case where Pyth publish time is newer than block timestamp","isPrimacyOfImpact":null},{"id":"7pkiTYnfM2rJN6mfqt37ae","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/21","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: round in the protocol’s favour when withdrawing and repaying with 
collateral","isPrimacyOfImpact":null},{"id":"1TlJ54xQH4N9kDtxc7a3R","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/18","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: consider Wormhole publish message fee","isPrimacyOfImpact":null},{"id":"4IDISknev4C8nuRJ35nkjN","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/16","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: don’t increase total deposits by the interest paid when repaying with collateral","isPrimacyOfImpact":null},{"id":"7D9vDbw1iFF3vYnIV2pvAg","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/13","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"feat: can override existing invite if one exists","isPrimacyOfImpact":null},{"id":"3LUDeENOKgNpz7j5PxBYQp","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/11","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: use CCTP source domain in message keys","isPrimacyOfImpact":null},{"id":"EfWQ2GAsdTuIAiiUdcUxB","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/9","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: incorrect implementation of Chainlink TWAP","isPrimacyOfImpact":null},{"id":"ghUF3n1KeonfNIe8Ei79J","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/5","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: NodeManager didn’t follow EIP-165","isPrimacyOfImpact":null},{"id":"4jUktPSHbxhJ4TWpXgebOI","url":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/pull/4","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"fix: some oracle contracts used floating 
pragma","isPrimacyOfImpact":null},{"id":"3f2Y03kwXiORssF1jhKvBj","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-08-27T11:00:00.000Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Primacy of Impact vs Primacy of Rules__\n\nFolks Finance adheres to the Primacy of Impact for all Impacts stated within this page.\n\nThe primary objectives of a Mitigation Audit include verifying whether the fix fully resolves the reported vulnerability by addressing its root cause. Additionally, SRs must ensure that the fix covers all potential attack vectors, preventing any partial fixes that leave other exploitation avenues open. Any vulnerabilities that are discovered in other sections of the code that were introduced by the mitigation of another bug i.e. fix introduces a new vulnerability in another part of the system, should be reported under that fix.\n\nBugs unrelated to any fixes found on any of these `contracts https://github.com/Folks-Finance/folks-finance-xchain-contracts/tree/1eb10075d5ce2208cdf6e4560c2968eafa414327/contracts` should be reported under the Primacy of Impact.\n\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition 
and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Folks Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1VGhOjtKqQbWdhcFd6PuY5AS-VSghecpG).\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/Mitigation%20Audit%20%7C%20Folks%20Finance).","boostedIntroLive":"","boostedIntroStartingIn":"$25,000 USD in rewards are available to assess whether the set of fixes from the original Folks Finance Boost both fully resolve the reported vulnerabilities and do not introduce new ones.\n\nHunting on a Mitigation Audit involves understanding the root cause of the issues and verifying that the patches or mitigations directly address the causes. 
This is crucial to ensure that the vulnerabilities are fully fixed and do not leave other avenues open for exploitation.\n\nFolks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.\n\nFolks Finance are expanding with a new cross-chain lending protocol using a hub and spoke model. The hub chain, Avalanche, contains the main logic and state of the lending protocol. The spoke chains, initially EVM, act as an entry point for a user to interact with the protocol.\n\nNo KYC is required.","boostedLeaderboard":[{"high":0,"name":"A2Security","critical":1,"earnings":22500,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"zarkk","critical":0,"earnings":1563,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Paludo0x","critical":0,"earnings":938,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1tbmiKRimI_BPPy-BIhHf7e9HVD2-JOlk/view?usp=sharing","ecosystem":null,"endDate":"2024-09-05T11:00:00.000Z","evaluationEndDate":"2024-09-18T08:00:00.000Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2024-08-27T11:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1am7TbpqOJP8hBh1WulSGF/23beae2bc95f2c93764fbdb5eaa49ab1/Folks_Finance_logo.png","maxBounty":25000,"outOfScopeAndRules":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"The primary objectives of a Mitigation Audit include verifying whether the fix fully resolves the reported vulnerability by addressing its root cause. 
Additionally, SRs must ensure that the fix covers all potential attack vectors, preventing any partial fixes that leave other exploitation avenues open.\n\nAny vulnerabilities that are discovered in other sections of the code that were introduced by the mitigation of another bug i.e. fix introduces a new vulnerability in another part of the system, should be reported under that fix.\n\nBugs unrelated to any fixes found on any of these contracts https://github.com/Folks-Finance/folks-finance-xchain-contracts/tree/1eb10075d5ce2208cdf6e4560c2968eafa414327/contracts should be reported under the Primacy of Impact.","productType":null,"programOverview":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.\n\nFolks Finance are expanding with a new cross-chain lending protocol using a hub and spoke model. The hub chain, Avalanche, contains the main logic and state of the lending protocol. The spoke chains, initially EVM, act as an entry point for a user to interact with the protocol.\n\nChainlink CCIP and Wormhole Messaging are used to communicate between the spoke chains and hub chain. Circle CCTP is used for native cross chain transfers of USDC.\n\nFor more information about Folks Finance and their existing products, please visit https://folks.finance. 
\nFolks Finance provides rewards in USDC, denominated in USD.","programType":["Smart Contract"],"project":"Mitigation Audit | Folks Finance","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Folks Finance Mitigation Audit Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/27853859981969-Mitigation-Audit-Folks-Finance-Reward-Terms)\n\nThe purpose of a Mitigation Audit is for whitehats to assess whether the set of fixes from the original [Folks Finance Audit Competition](https://immunefi.com/audit-competition/folksfinance-boost/information/#top) both fully resolve the reported vulnerabilities and do not introduce new ones. Hunting on a Mitigation Audit involves understanding the root cause of the issues and verifying that the patches or mitigations directly address the causes.\n\nThis is crucial to ensure that the vulnerabilities are fully fixed and do not leave other avenues open for exploitation.\n\nThe rewards pool is partly distributed with the following formula, and partly at Immunefi’s discretion. The main purpose of a Mitigation Audit is to reward vulnerabilities, exploiting the fixes of the original Audit Competition. \n\nThe portion of the reward pool is to reward high-quality whitehat contributions, such as valuable but technically invalid bug reports which are called Insights. More information about Insight reports can be found in this Help Center article.\n\nThe reward pool size for Mitigation Audit | Folks Finance is $25,000 USD. If no bugs or only Insights are found, the reward pool will be - 10% of the largest reward pool ($2,500 USD). 
\n\nFor this Audit, duplicates are valid for a reward.","rewardsPool":25000,"primaryPool":25000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"mitigation-audit-folksfinance","tenPercentEconomicRule":false,"updatedDate":"2024-10-15T13:48:20.492Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\n\n__Whitehat Educational Resources & Technical Info__\n\n1. Design Overview for Cross-chain Lending Protocol: [Link to Google Docs](https://docs.google.com/document/d/19HjdYSmSxoXf7b0RIjiv8cff7jwdGZ1lkFrjqRrogiE/edit?usp=sharing)\n\n2. Operation lifecycle in cross-chain lending protocol: [Link to Google Docs](https://docs.google.com/document/d/1UEV2JHpW23ChARUp_AcHJjuuq6A9T-n85T3FDYQTuGM/edit?usp=sharing)\n\n3. Formulae Used in Cross-chain Lending Protocol: [Link to Google Docs](https://docs.google.com/document/d/1UU-zhy-Ik6h-EhKS2TvcIsd0Q377H7HKF6MGP5WdwAk/edit?usp=sharing)\n\n4. Testnet for Cross-chain Lending Protocol:\n   [Link to Testnet](https://testnet.xapp.folks.finance/)\n\n5. Smart Contract README for Cross-chain Lending Protocol:\n   [Link to GitHub README](https://github.com/Folks-Finance/folks-finance-xchain-contracts/blob/main/README.md)\n\n6. Docs for Existing Folks Finance Products:\n   [Link to Folks Finance Docs](https://docs.folks.finance/)\n\n7. Medium Articles:\n   [Link to Medium Articles](https://folksfinance.medium.com/)\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nThis is a new cross chain lending protocol that follows a similar model to our existing Algorand lending protocol. The loans and economic structure are the same with the only difference being how liquidations work. All the cross chain infrastructure is new. \n\nThe cross chain lending protocol also uses an oracle design from Synthetix which takes up less than 5% of the total codebase. 
The codebase language is fully Solidity. \n\n\n__Where do you suspect there may be bugs? Useful aspects of this question are:__\n\nWhich parts of the code are you most concerned about?\nWhat attack vectors are you most concerned about?\nWhich part(s) of the system do you want whitehats to attempt to break the most?\nAre there any assumed invariants that you want whitehats to attempt to break?\n\nIn general all parts of the code should be checked and attack vectors explored. We write here some areas to look at in particular but this is not to discount any other areas.\n\nOne area to explore is the communication between chains. Messages are relayed between the spoke chain and the hub chain via Chainlink CCIP and Wormhole Messaging. In addition, Circle CCTP is used for USDC transfers. It is important to verify that we are using these protocols as intended and have correctly reasoned about the lifecycle of a message. \n\nWe have a contract named “HubAdapter” which mimics the behaviour of the Chainlink CCIP and Wormhole messaging, without actually relaying anything. Its purpose is to have a common interface for interacting with the protocol through the spoke contracts regardless of whether on the hub chain or not.\n\nWe also have a new process for liquidations which should be checked both economically and codewise. The oracle integration is also new and should be checked for resistance against tampering.\n\nOne invariant to ensure that there is sufficient funds such that if all borrowers repaid their loans, all depositors can withdraw their tokens. Not an invariant, but the average stable interest rate should be closely tracking the weighted average of all the stable borrows for a given pool.\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__\n\nERC20 and ERC777 are the only two supported. 
The modular design allows ERC1155 to be supported in the future too if needed.\n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nWe have rate limiting which sets the maximum amount which can be withdrawn or deposited. If the limit is consumed through a denial of service attack, we have the ability to temporarily boost the capacity.\n\nOther mitigating actions we can take involve removing/adding an adapter, lowering rate limits, lowering pool caps and deprecating a pool. If the bug report’s impact is small in the scope of the protocol as a whole, considering the possible mitigations, then that could be reason to invalidate or downgrade the severity.\n\n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\nE.g An ‘Operator’ address with the ability to pause smart contracts who could use their privileged functions to exploit a bug and steal funds\n\nAll admin and role addresses, as well as 3rd party infrastructure the project relies on. \n\n\n__What external dependencies are there?__\n\n- Chainlink Price Feeds\n- Pyth Price Feeds\n- Folks Finance Centralised Fallback Oracle\n- Wormhole’s Messaging\n- Chainlink’s CCIP\n- Circle’s CCTP\n\n__WWhat are some of the most significant changes to the protocol from the fixes made?__\n\nMost of the fixes were errors in the logic that don’t change the protocol intention. These should be checked to ensure they correctly fix the underlying issue. \n\nSome more significant changes were:\n- The retry and reverse message operations are permissioned so only the relevant user can call these. In addition, you can now override the return message parameters if need be.\n- The account id and loan id are generated on-chain for front-running protection. 
\n- We no longer save the entire failed message but rather a hash of the failed message, significantly reducing gas consumption.\n- In the account management, you can override an existing invite and no longer unregister all connected addresses.  \n\n\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nThe external services such as the WormholeRelayer, Chainlink CCIP RouterClient and external oracle services. \n\nAre there any unusual points about your protocol that may confuse whitehats?\n\nWe have our own standard of sending and receiving messages. Certain operations require finality as they involve a value transfer while the others can be immediately relayed. There is the “HubAdapter” too which is mentioned above.\n\nWe split tokens into two categories in our lending protocol. The first are tokens which are not bridged and remain on the spoke chain e.g. ETH, Link. The second are tokens which are bridged and reside on the hub chain e.g. USDC.\n\nOur lending protocol also is different from others in that a user can have multiple loans, and that a loan can have multiple collaterals and borrows within it. We also define various loan types which have their own respective parameters. One of these is the “deposit” loan type which has borrow caps of zero for every token.\n\n\n__What is the test suite setup information?__\n\nIf this is already provided in Github, then linking that resource is enough.\n\nIt will be in the GitHub report with the rest of the code. \n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- Griefing through consuming external rate limits of tokens e.g. 
Circle CCTP rate limits for USDC\n- Griefing through consuming internal rate limits where we have the ability to respond by temporarily boosting capacity\n- Dust positions not being liquidated because of gas fees\n- Manipulation of stable borrow rate to get cheaper borrow\n- Liquidation leading to bad debt when we are prioritising the certainty of a lesser amount of bad debt against the risk of incurring a larger amount of bad debt\n- LiquidationLogic::getMaxRepayBorrowValue can panic if privileged address sets certain parameters \n\n__Previous Audits__\n\n- Folks Finance’s completed audit reports can be found at https://github.com/Folks-Finance/audits/blob/13f8d8307902e8ff7018fe9b6df0b5668c638863/OtterSec%20-%20Audit%20of%20XChain%20Lending%20-%20May%202024.pdf. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n- Folks Finance’s up to date codebase can be found at https://github.com/Folks-Finance/folks-finance-xchain-contracts. \n\n- Folks Finance’s link to full list of changes: https://github.com/Folks-Finance/folks-finance-xchain-contracts/pulls?q=is%3Apr+is%3Aclosed \n\n- Folks Finance’s link to full list of issues:\nhttps://github.com/Folks-Finance/folks-finance-xchain-contracts/issues?q=is%3Aissue+is%3Aclosed","websiteUrl":"https://folks.finance/it","githubUrl":"https://github.com/Folks-Finance/folks-finance-xchain-contracts/issues?q=is%3Aissue+is%3Aclosed","eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one 
place.\n\n\n","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":5056,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds of at least 24h"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the $25,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the $25,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the $25,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the $25,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"5Y6tdSFsR7922gVKu958Gl","url":"https://testnet.snowtrace.io/address/0xa9491a1f4f058832e5742b76eE3f1F1fD7bb6837","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":2,"description":"Smart Contract - BridgeRouterHub","isPrimacyOfImpact":null},{"id":"4L6qoIiezQQFa8tFBSNvMR","url":"https://testnet.snowtrace.io/address/0x0f91d914E058d0588Cc1bf35FA3736A627C3Ba81","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - BridgeRouterSpoke","isPrimacyOfImpact":null},{"id":"2W40plJRUUmQZ7JbDYyrFm","url":"https://testnet.snowtrace.io/address/0xf472ab58969709De9FfEFaeFFd24F9e90cf8DbF9","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - 
HubAdapter","isPrimacyOfImpact":null},{"id":"2Dak5apiGQ9MTqWBOhJiqR","url":"https://testnet.snowtrace.io/address/0x8F27355662D6de024FEE83b176dD8DB1F2CA1585/","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - WormholeDataAdapter","isPrimacyOfImpact":null},{"id":"4Ny6liEjlvfdhXR3WJEI99","url":"https://testnet.snowtrace.io/address/0x8a81dbF6D6b6A8693181de7ad6Ff7F4c47a5B8bd","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - WormholeCCTPAdapter","isPrimacyOfImpact":null},{"id":"6sfx5jSkoEQiwwBMl8HyZY","url":"https://testnet.snowtrace.io/address/0xE7F80b606614989209f2c36F6074bAfDe1565A19","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - CCIPDataAdapter","isPrimacyOfImpact":null},{"id":"wlFopSRPKdLVZOJl5hNMt","url":"https://testnet.snowtrace.io/address/0x006A9A176662920306074bB00B57f5CA836e4200","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - CCIPTokenAdapter","isPrimacyOfImpact":null},{"id":"7cjZRSpssocUN8CxYpEGTu","url":"https://testnet.snowtrace.io/address/0xaE4C62510F4d930a5C8796dbfB8C4Bc7b9B62140","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - Hub","isPrimacyOfImpact":null},{"id":"3LWQ4a1eLULeT5UVvCxoay","url":"https://testnet.snowtrace.io/address/0xA758c321DF6Cd949A8E074B22362a4366DB1b725","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - NodeManager","isPrimacyOfImpact":null},{"id":"3EixgqxEo8Ypg7PmXR3rIL","url":"https://testnet.snowtrace.io/address/0x46c425F4Ec43b25B6222bcc05De051e6D3845165","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - 
OracleManager","isPrimacyOfImpact":null},{"id":"7gCttVunkk6xK167oDhiw6","url":"https://testnet.snowtrace.io/address/0xA5b9525a0A46d4D4bf6f588f565f0d15AffDB81d","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeManager","isPrimacyOfImpact":null},{"id":"1hEKC1NSaojp0QwPFQkeLV","url":"https://testnet.snowtrace.io/address/0x3324B5BF2b5C85999C6DAf2f77b5a29aB74197cc","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - AccountManager","isPrimacyOfImpact":null},{"id":"22av40GKhgHlMrPnTH7T39","url":"https://testnet.snowtrace.io/address/0x2cAa1315bd676FbecABFC3195000c642f503f1C9","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - LoanManager","isPrimacyOfImpact":null},{"id":"7Br77v1lgPpYGo1SYMKsgd","url":"https://testnet.snowtrace.io/address/0xf8E94c5Da5f5F23b39399F6679b2eAb29FE3071e","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - UserLoanLogic","isPrimacyOfImpact":null},{"id":"ILOfRN67xwosFfar4Fbme","url":"https://testnet.snowtrace.io/address/0xEdbB349EB3FC66a0C8AaC7933c690b000079505c","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - LoanPoolLogic","isPrimacyOfImpact":null},{"id":"4Z1bCJltR30Vzt3MyzE6pl","url":"https://testnet.snowtrace.io/address/0xc1FBF54B25816B60ADF322d8A1eaCA37D9A50317","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - LiquidationLogic","isPrimacyOfImpact":null},{"id":"5n8hQEtaHtnMi1ApOL3aXI","url":"https://testnet.snowtrace.io/address/0x1A44f534B2a7Ce689156965cdcAA75590Cd1E115","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - 
LoanManagerLogic","isPrimacyOfImpact":null},{"id":"35xnL2qwdodwkz8jQgxuIJ","url":"https://testnet.snowtrace.io/address/0xe83DD670241189949f910493F5F016Ba5df6549d","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - RewardLogic","isPrimacyOfImpact":null},{"id":"Wez7SpFDOEhmVEsErhOFt","url":"https://testnet.snowtrace.io/address/0x96e957bF63B5361C5A2F45C97C46B8090f2745C2","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - HubPoolLogic","isPrimacyOfImpact":null},{"id":"5v14tOIKthAq0NFV91JIW4","url":"https://testnet.snowtrace.io/address/0x1968237f3a7D256D08BcAb212D7ae28fEda72c34","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - HubCircleTokenPool  (USDC)","isPrimacyOfImpact":null},{"id":"kpnMra6yKIxpOcPTO64rk","url":"https://testnet.snowtrace.io/address/0xd90B7614551E799Cdef87463143eCe2efd4054f9","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - HubNonBridgedTokenPool (AVAX)","isPrimacyOfImpact":null},{"id":"1r5SvELOAj9Qko5hmEWkzh","url":"https://testnet.snowtrace.io/address/0xecD328082035146d99fd621E809Bc9642cDd0BAd","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - HubNonBridgedTokenPool (ETH Ethereum Sepolia)","isPrimacyOfImpact":null},{"id":"7C6cH331gQ2Inf37ZCPNUj","url":"https://testnet.snowtrace.io/address/0x9E7dfcDFA94C007e868917ec3088107De0B8Dff8","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - HubNonBridgedTokenPool (ETH Base Sepolia)","isPrimacyOfImpact":null},{"id":"75ak9CnNq6SmfRfgkUigZe","url":"https://testnet.snowtrace.io/address/0x457f30Bc85E885e4D519975C1dd87F397d4817B7","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - 
AlwaysEligibleAddressOracle","isPrimacyOfImpact":null},{"id":"66Rz3GzdYGOd3MtQKWa34V","url":"https://testnet.snowtrace.io/address/0x6628cE08b54e9C8358bE94f716D93AdDcca45b00","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeCommon","isPrimacyOfImpact":null},{"id":"5yVczWpHJk0DoKOjGQUOtH","url":"https://testnet.snowtrace.io/address/0x89df7db4af48Ec7A84DE09F755ade9AF1940420b","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeCircleToken (USDC)","isPrimacyOfImpact":null},{"id":"54GmHNadhRzpKjqQJ5BeYr","url":"https://testnet.snowtrace.io/address/0xBFf8b4e5f92eDD0A5f72b4b0E23cCa2Cc476ce2a","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeGasToken (AVAX)","isPrimacyOfImpact":null},{"id":"398YEe4Dv46eDgA6gINVOt","url":"https://sepolia.etherscan.io/address/0xBeF7aB7C5e6CeFF384cde460dd20C862047CDFa5","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - BridgeRouterSpoke","isPrimacyOfImpact":null},{"id":"5DpBmwQsVsKwzZsUTu5xBk","url":"https://sepolia.etherscan.io/address/0xC0CFfA934598E655DC8D25Cd1774F249FFCF5e59","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - WormholeDataAdapter","isPrimacyOfImpact":null},{"id":"3JjtgOhebqYyK4beQ6jJZH","url":"https://sepolia.etherscan.io/address/0x7cdB014Bc73C74Da5b3830eDE6a4494ec52C3738","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - WormholeCCTPAdapter","isPrimacyOfImpact":null},{"id":"3TtDpmdcyxzUIiiPInVAQE","url":"https://sepolia.etherscan.io/address/0xa51cA34831CEB2F8BafE4ADEf032286E067EF2ad","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - 
CCIPDataAdapter","isPrimacyOfImpact":null},{"id":"4vn3IClROOu9nUPZ5JgVLL","url":"https://sepolia.etherscan.io/address/0x0100F7f027EC3B4B4Fd8bB739efd8BDDBa3bF847","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - CCIPTokenAdapter","isPrimacyOfImpact":null},{"id":"68v1sACME3oLF5Jx0MIeNM","url":"https://sepolia.etherscan.io/address/0x2b760759e4f8D994BeB2B9aFBA8De37eCf13F9B3","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - AlwaysEligibleAddressOracle","isPrimacyOfImpact":null},{"id":"4EFBepjmvyTnuKP4xztOwR","url":"https://sepolia.etherscan.io/address/0x16Eecb8CeB2CE4Ec542634d7525191dfce587C85","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeCommon","isPrimacyOfImpact":null},{"id":"4x4IJt32HWDPJAKmH7LBGk","url":"https://sepolia.etherscan.io/address/0x40C77F8cc70DF8F6D7A91ebb5291d38d42540455","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeCircleToken (USDC)","isPrimacyOfImpact":null},{"id":"5cgkmOVvq1dvbAFYXLtovu","url":"https://sepolia.etherscan.io/address/0x9ecfD854F4F8BD2275930Cc51d45d7817EF6CeE3","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeGasToken (ETH)","isPrimacyOfImpact":null},{"id":"f36rakeBBQq8aIipbsdtb","url":"https://sepolia.etherscan.io/address/0x8Aac7fA5B2d0c7Ca4f1610bB43CF0d62A670Fa14","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeErc20Token (LINK)","isPrimacyOfImpact":null},{"id":"1v0oS9F9lKlNz5AgDemFYw","url":"https://sepolia.basescan.org/address/0x92051Ad708C4e5FCcC7322c111F63440D638312e","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - 
BridgeRouterSpoke","isPrimacyOfImpact":null},{"id":"VWCKpr8jTtui27DO6YuGG","url":"https://sepolia.basescan.org/address/0x56d9a6e25E9e31080A3Ab1bd4a6f7bd0B4C884Da","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - WormholeDataAdapter","isPrimacyOfImpact":null},{"id":"6noUnqxb1uVTweJmkpr1pm","url":"https://sepolia.basescan.org/address/0x8c8E4Eb83138D2625a14F0517E0106D26F9c23f3","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - WormholeCCTPAdapter","isPrimacyOfImpact":null},{"id":"2Wf8svenw8jeecBljffVfE","url":"https://sepolia.basescan.org/address/0x08447025BB3D7249cb6566E579b1d309679c7720","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - CCIPDataAdapter","isPrimacyOfImpact":null},{"id":"1jOtNMMPC172eTzgGD6qb1","url":"https://sepolia.basescan.org/address/0x22644D46e5aE39Fa6b9d9706AaA1d398E5EB8aBc","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - CCIPTokenAdapter","isPrimacyOfImpact":null},{"id":"3VALJRIIPI1lZ4eeFKSzZ2","url":"https://sepolia.basescan.org/address/0x2b760759e4f8D994BeB2B9aFBA8De37eCf13F9B3","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - AlwaysEligibleAddressOracle","isPrimacyOfImpact":null},{"id":"hdPDSPDby8yGvSeZ6clLs","url":"https://sepolia.basescan.org/address/0x993C9a918B145B90E69A8D22B7e3b6d3413e3755","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeCommon","isPrimacyOfImpact":null},{"id":"5hIwdAGf71glkvEQNgd2Ks","url":"https://sepolia.basescan.org/address/0x7cdB014Bc73C74Da5b3830eDE6a4494ec52C3738","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeCircleToken 
(USDC)","isPrimacyOfImpact":null},{"id":"6kKlGnOD76YRXV7B1ai90N","url":"https://sepolia.basescan.org/address/0xa51cA34831CEB2F8BafE4ADEf032286E067EF2ad","type":"smart_contract","addedAt":"2024-07-16T08:00:00.000Z","revision":1,"description":"Smart Contract - SpokeGasToken (ETH)","isPrimacyOfImpact":null},{"id":"5sH7BeRpZZ6CJzDTt1hx3l","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-07-17T18:31:22.367Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward.\n\n__Known Issue Assurance__\n\nFolks Finance commits to providing Known Issue Assurance to bug submissions through their program. This means that Folks Finance will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nFolks Finance adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact \nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Eligibility Criteria__\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- Official contributors, past or present\n- Employees and/or individuals closely associated with the project\n- Security auditors that directly or indirectly participated in the audit review\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Folks Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1fOTfJxylAg5YnFkbf8jOiASuAatopinO).\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/Boost%20%7C%20Folks%20Finance).","boostedIntroLive":"","boostedIntroStartingIn":"$100,000 USD in rewards is available for finding bugs on Folks Finance. to assess whether the set of fixes from the original Folks Finance Boost both fully resolve the reported vulnerabilities and do not introduce new ones. Hunting on a Mitigation Audit involves understanding the root cause of the issues and verifying that the patches or mitigations directly address the causes.\n\n\nFolks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.\n\nFolks Finance are expanding with a new cross-chain lending protocol using a hub and spoke model. The hub chain, Avalanche, contains the main logic and state of the lending protocol. 
The spoke chains, initially EVM, act as an entry point for a user to interact with the protocol.\n\nNo KYC is required.\n\nFolks Finance will respond within 24 hours on weekdays to all bug reports. Any technical questions can be asked directly to the Folks Finance technical team on Immunefi's [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"folks-finance-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nOn July 18th, Folks Finance will give a live technical walkthrough, hosted in the Immunefi Discord. Sign up below to be notified with more details.","boostedLeaderboard":[{"high":1,"name":"zarkk","critical":1,"earnings":26633,"insights":1,"mediumLow":3,"totalValidBugs":5},{"high":0,"name":"nnez","critical":2,"earnings":12485,"insights":0,"mediumLow":9,"totalValidBugs":11},{"high":1,"name":"A2Security","critical":2,"earnings":10319,"insights":1,"mediumLow":6,"totalValidBugs":9},{"high":1,"name":"alix_40","critical":0,"earnings":6838,"insights":1,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"kankodu","critical":1,"earnings":6536,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"ethprotector","critical":1,"earnings":5695,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":0,"name":"JCN2023","critical":1,"earnings":5217,"insights":0,"mediumLow":5,"totalValidBugs":6},{"high":0,"name":"OxAnmol","critical":1,"earnings":4004,"insights":3,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"Shahen","critical":1,"earnings":3028,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"arno","critical":1,"earnings":2828,"insights":1,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"Tripathi","critical":0,"earnings":1923,"insights":1,"mediumLow":4,"totalValidBugs":4},{"high":0,"name":"chista0x","critical":0,"earnings":1737,"insights":2,"mediumLow":3,"totalValidBugs":3},{"high":1,"name":"Nyksx","critical":0,"earnings":1703,"insights":0,"mediumLow":1
,"totalValidBugs":2},{"high":0,"name":"cryptoticky","critical":0,"earnings":1606,"insights":1,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"bbl4de","critical":0,"earnings":1323,"insights":1,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"jovi","critical":0,"earnings":1052,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"OxSCSamurai","critical":0,"earnings":980,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"gizzy","critical":0,"earnings":875,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"Lastc0de","critical":0,"earnings":688,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"OxAnmol","critical":0,"earnings":688,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"IronsideSec","critical":0,"earnings":688,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Pavan","critical":0,"earnings":649,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"QuantumKid","critical":0,"earnings":501,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Obin","critical":0,"earnings":501,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Ironside_Sec","critical":0,"earnings":446,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"Paludo0x","critical":0,"earnings":283,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"Kalogerone","critical":0,"earnings":213,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"OxG0P1","critical":0,"earnings":213,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"twcctop","critical":0,"earnings":167,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"iamandreiski","critical":0,"earnings":133,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"seesnap","critical":0,"earnings":47,"insights":0,"mediumLow":1,"totalValidBugs":1}],"boostedSummaryReport":"https://drive.google.com/file/d/1NI_O0_lJ6w9emEJlDogF5M_BCLkf8mNX/view?usp=sharing","ecosystem":nu
ll,"endDate":"2024-08-06T08:00:00.000Z","evaluationEndDate":"2024-08-30T10:30:00.000Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-07-16T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6J3xxAowY0ZlOFTEciL88K/752c37cc0e37232a1f9075df7609c79c/Folks_Finance_logo.png","maxBounty":100000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program\n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"In general all parts of the code should be checked and attack vectors explored. We write here some areas to look at in particular but this is not to discount any other areas.\n\nOne area to explore is the communication between chains. Messages are relayed between the spoke chain and the hub chain via Chainlink CCIP and Wormhole Messaging. In addition, Circle CCTP is used for USDC transfers. It is important to verify that we are using these protocols as intended and have correctly reasoned about the lifecycle of a message. \n\nWe have a contract named “HubAdapter” which mimics the behaviour of the Chainlink CCIP and Wormhole messaging, without actually relaying anything. Its purpose is to have a common interface for interacting with the protocol through the spoke contracts regardless of whether on the hub chain or not.\n\nWe also have a new process for liquidations which should be checked both economically and codewise. 
The oracle integration is also new and should be checked for resistance against tampering.\n\nOne invariant to ensure is that there are sufficient funds such that if all borrowers repaid their loans, all depositors can withdraw their tokens. Not an invariant, but the average stable interest rate should be closely tracking the weighted average of all the stable borrows for a given pool.","productType":null,"programOverview":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.\n\nFolks Finance are expanding with a new cross-chain lending protocol using a hub and spoke model. The hub chain, Avalanche, contains the main logic and state of the lending protocol. The spoke chains, initially EVM, act as an entry point for a user to interact with the protocol.\n\nChainlink CCIP and Wormhole Messaging are used to communicate between the spoke chains and hub chain. Circle CCTP is used for native cross chain transfers of USDC.\n\nFor more information about Folks Finance and their existing products, please visit https://folks.finance.\nFolks Finance provides rewards in USDC, denominated in USD.","programType":["Smart Contract"],"project":"Audit Comp | Folks Finance","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Folks Finance Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/26758465696785-Folks-Finance-Audit-Competition-Reward-Terms)\n\nThe reward pool will be entirely distributed among participants. 
The size depends on the bugs found:\nIf no High or Critical severity bugs are found the reward pool will be **$50,000 USD**\nIf one or more High severity bugs are found the reward pool will be **$75,000 USD**\nIf one or more Critical severity bugs are found the reward pool will be **$100,000 USD**\n\n\nFor this audit competition, duplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Payment Terms__\n\nPayouts are handled by the Folks Finance team directly and are denominated in USD. However, payments are done in USDC\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\nFolks Finance’s up to date codebase can be found at https://github.com/Folks-Finance/folks-finance-xchain-contracts.","rewardsPool":100000,"primaryPool":100000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"folksfinance-boost","tenPercentEconomicRule":false,"updatedDate":"2024-10-15T13:45:38.226Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\n\n__Whitehat Educational Resources & Technical Info__\n\n1. Design Overview for Cross-chain Lending Protocol: [Link to Google Docs](https://docs.google.com/document/d/19HjdYSmSxoXf7b0RIjiv8cff7jwdGZ1lkFrjqRrogiE/edit?usp=sharing)\n\n2. Operation lifecycle in cross-chain lending protocol: [Link to Google Docs](https://docs.google.com/document/d/1UEV2JHpW23ChARUp_AcHJjuuq6A9T-n85T3FDYQTuGM/edit?usp=sharing)\n\n3. 
Formulae Used in Cross-chain Lending Protocol: [Link to Google Docs](https://docs.google.com/document/d/1UU-zhy-Ik6h-EhKS2TvcIsd0Q377H7HKF6MGP5WdwAk/edit?usp=sharing)\n\n4. Testnet for Cross-chain Lending Protocol:\n   [Link to Testnet](https://testnet.xapp.folks.finance/)\n\n5. Smart Contract README for Cross-chain Lending Protocol:\n   [Link to GitHub README](https://github.com/Folks-Finance/folks-finance-xchain-contracts/blob/main/README.md)\n\n6. Docs for Existing Folks Finance Products:\n   [Link to Folks Finance Docs](https://docs.folks.finance/)\n\n7. Medium Articles:\n   [Link to Medium Articles](https://folksfinance.medium.com/)\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nThis is a new cross chain lending protocol that follows a similar model to our existing Algorand lending protocol. The loans and economic structure are the same with the only difference being how liquidations work. All the cross chain infrastructure is new. \n\nThe cross chain lending protocol also uses an oracle design from Synthetix which takes up less than 5% of the total codebase. The codebase language is fully Solidity. \n\n\n__Where do you suspect there may be bugs? Useful aspects of this question are:__\n\nWhich parts of the code are you most concerned about?\nWhat attack vectors are you most concerned about?\nWhich part(s) of the system do you want whitehats to attempt to break the most?\nAre there any assumed invariants that you want whitehats to attempt to break?\n\nIn general all parts of the code should be checked and attack vectors explored. We write here some areas to look at in particular but this is not to discount any other areas.\n\nOne area to explore is the communication between chains. Messages are relayed between the spoke chain and the hub chain via Chainlink CCIP and Wormhole Messaging. In addition, Circle CCTP is used for USDC transfers. 
It is important to verify that we are using these protocols as intended and have correctly reasoned about the lifecycle of a message.\n\nWe have a contract named “HubAdapter” which mimics the behaviour of the Chainlink CCIP and Wormhole messaging, without actually relaying anything. Its purpose is to have a common interface for interacting with the protocol through the spoke contracts regardless of whether on the hub chain or not.\n\nWe also have a new process for liquidations which should be checked both economically and codewise. The oracle integration is also new and should be checked for resistance against tampering.\n\nOne invariant to ensure is that there are sufficient funds such that if all borrowers repaid their loans, all depositors can withdraw their tokens. Not an invariant, but the average stable interest rate should be closely tracking the weighted average of all the stable borrows for a given pool.\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__\n\nERC20 and ERC777 are the only two supported. The modular design allows ERC1155 to be supported in the future too if needed.\n\n__What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nWe have rate limiting which sets the maximum amount which can be withdrawn or deposited. If the limit is consumed through a denial of service attack, we have the ability to temporarily boost the capacity.\n\nOther mitigating actions we can take involve removing/adding an adapter, lowering rate limits, lowering pool caps and deprecating a pool. 
If the bug report’s impact is small in the scope of the protocol as a whole, considering the possible mitigations, then that could be reason to invalidate or downgrade the severity.\n\n\n__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__\n\nE.g An ‘Operator’ address with the ability to pause smart contracts who could use their privileged functions to exploit a bug and steal funds\n\nAll admin and role addresses, as well as 3rd party infrastructure the project relies on. \n\n\n__What external dependencies are there?__\n\n- Chainlink Price Feeds\n- Pyth Price Feeds\n- Folks Finance Centralised Fallback Oracle\n- Wormhole’s Messaging\n- Chainlink’s CCIP\n- Circle’s CCTP\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nThe external services such as the WormholeRelayer, Chainlink CCIP RouterClient and external oracle services. \n\n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nWe have our own standard of sending and receiving messages. Certain operations require finality as they involve a value transfer while the others can be immediately relayed. There is the “HubAdapter” too which is mentioned above.\n\nWe split tokens into two categories in our lending protocol. The first are tokens which are not bridged and remain on the spoke chain e.g. ETH, Link. The second are tokens which are bridged and reside on the hub chain e.g. USDC.\n\nOur lending protocol also is different from others in that a user can have multiple loans, and that a loan can have multiple collaterals and borrows within it. We also define various loan types which have their own respective parameters. 
One of these is the “deposit” loan type which has borrow caps of zero for every token.\n\n\n__What is the test suite setup information?__\n\nIf this is already provided in Github, then linking that resource is enough.\n\nIt will be in the GitHub report with the rest of the code. \n\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n- Griefing through consuming external rate limits of tokens e.g. Circle CCTP rate limits for USDC\n- Griefing through consuming internal rate limits where we have the ability to respond by temporarily boosting capacity\n\n__Previous Audits__\n\nFolks Finance’s completed audit reports can be found at https://github.com/Folks-Finance/audits/blob/13f8d8307902e8ff7018fe9b6df0b5668c638863/OtterSec%20-%20Audit%20of%20XChain%20Lending%20-%20May%202024.pdf. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","websiteUrl":"https://folks.finance/it","githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":4941,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds of at least 24h"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the $100,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the $75,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the $50,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the $50,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"sYxvTwpFZXSl61JdnkuO8","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/RevenueHandler.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"RevenueHandler.sol - 183","isPrimacyOfImpact":null},{"id":"4pgstjtPOHyedaQUogaMRe","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/RewardsDistributor.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"RewardsDistributor.sol - 286","isPrimacyOfImpact":null},{"id":"6qzgJKNogm9FZgzPOnO3Q7","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"VotingEscrow.sol - 
887","isPrimacyOfImpact":null},{"id":"3MN84EGqHK45qgzYdbQkva","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Minter.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"Minter.sol - 124","isPrimacyOfImpact":null},{"id":"601bgkSEISfaaxyfGVdY3X","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/BaseGauge.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"BaseGauge.sol - 49","isPrimacyOfImpact":null},{"id":"7KZmxCjDyPKqsjJA7AJmBb","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"Voter.sol - 335","isPrimacyOfImpact":null},{"id":"2L7JQtBUJybSuX8KWYKPmq","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/RewardPoolManager.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"RewardPoolManager.sol - 102","isPrimacyOfImpact":null},{"id":"7rtabTcBEIkFw7ncCgKb1n","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/FluxToken.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"FluxToken.sol - 152","isPrimacyOfImpact":null},{"id":"5ucoTsJsBnj5Wt6SsmtGiW","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/CurveMetaPoolAdapter.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"CurveMetaPoolAdapter.sol - 30","isPrimacyOfImpact":null},{"id":"7GRZjQhL88GOsqatgfVQUL","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/CurveEthPoolAdapter.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"CurveEthPoolAdapter.sol - 
34","isPrimacyOfImpact":null},{"id":"2iZ1gyKklEDmD53GY4FIKv","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Bribe.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"Bribe.sol - 256","isPrimacyOfImpact":null},{"id":"1n1Ual2DiwumFXsZTbDIL4","url":"https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/AlchemixGovernor.sol","type":"smart_contract","addedAt":"2024-04-30T10:30:00.000Z","revision":1,"description":"AlchemixGovernor.sol - 55","isPrimacyOfImpact":null},{"id":"2y8Z97DneWJ8Nj8iUTC14K","url":"https://immunefi.com","type":"smart_contract","addedAt":"2024-05-06T07:26:37.160Z","revision":1,"description":"Primacy of Impact","isPrimacyOfImpact":true}],"assetsBodyV2":"__Asset Accuracy Assurance__\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n__Private Known Issues Reward Policy__\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.\n\n__Known Issue Assurance__\n\nAlchemix commits to providing Known Issue Assurance to bug submissions through their program. This means that Alchemix will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nAlchemix adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. 
For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact). \n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n__Immunefi Standard Badge__\n\nBy adhering to Immunefi’s best practice recommendations, Alchemix has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1elvBCDehX4odL9uj9ou-pj1_nkNynW7U?usp=sharing).\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/Alchemix).","boostedIntroLive":"$125,000 USD is available in rewards for finding bugs in Alchemix’s codebase of about 3000 nSLOC. There is no KYC required.\n\nAlchemix team will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to Alchemix or Immunefi in the [Alchemix Boost Discord channel](https://discord.com/invite/immunefi).\n\nWhen the Boost has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$125,000 USD in rewards is available for finding bugs on Alchemix, specifically vote-escrowed ALCX (veALCX). Their brand new assets will be in-scope.\n\nNo KYC is required.\n\nAlchemix will respond within 24 hours on weekdays to all bug reports. 
Any technical questions can be asked directly to the Alchemix technical team on Immunefi's [Immunefi’s Discord](https://discord.com/invite/immunefi) in the \"alchemix-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nOn launch day, April 30th, Alchemix will give a live technical walkthrough, hosted in the Immunefi Discord. Sign up below to be notified with more details.\n\n[Sign up for updates](https://forms.gle/z9SZtJhFLrXofQvm6)","boostedLeaderboard":[{"high":2,"name":"infosec_us_team","critical":8,"earnings":22436,"insights":1,"mediumLow":3,"totalValidBugs":13},{"high":1,"name":"savi0ur","critical":3,"earnings":16159,"insights":1,"mediumLow":2,"totalValidBugs":6},{"high":4,"name":"Holterhus","critical":4,"earnings":14616,"insights":0,"mediumLow":0,"totalValidBugs":8},{"high":1,"name":"cryptoticky","critical":5,"earnings":8086,"insights":1,"mediumLow":2,"totalValidBugs":8},{"high":1,"name":"gladiator111","critical":2,"earnings":7647,"insights":2,"mediumLow":1,"totalValidBugs":4},{"high":1,"name":"OxAnmol","critical":2,"earnings":7364,"insights":0,"mediumLow":2,"totalValidBugs":5},{"high":1,"name":"Limbooo","critical":4,"earnings":4749,"insights":1,"mediumLow":2,"totalValidBugs":7},{"high":3,"name":"xBentley","critical":0,"earnings":3370,"insights":0,"mediumLow":0,"totalValidBugs":3},{"high":2,"name":"jecikpo","critical":3,"earnings":2755,"insights":0,"mediumLow":1,"totalValidBugs":6},{"high":0,"name":"Django","critical":3,"earnings":2594,"insights":0,"mediumLow":2,"totalValidBugs":5},{"high":2,"name":"MahdiKarimi","critical":3,"earnings":2442,"insights":0,"mediumLow":0,"totalValidBugs":5},{"high":0,"name":"jasonxiale","critical":5,"earnings":2388,"insights":0,"mediumLow":2,"totalValidBugs":7},{"high":0,"name":"perseverance","critical":4,"earnings":2321,"insights":0,"mediumLow":0,"totalValidBugs":4},{"high":2,"name":"marchev","critical":0,"earnings":2316,"insights":1,"mediumLow":2,"t
otalValidBugs":4},{"high":0,"name":"zeroK","critical":1,"earnings":2311,"insights":0,"mediumLow":2,"totalValidBugs":3},{"high":1,"name":"yttriumzz","critical":4,"earnings":2170,"insights":0,"mediumLow":1,"totalValidBugs":6},{"high":0,"name":"hulkvision","critical":3,"earnings":1946,"insights":1,"mediumLow":0,"totalValidBugs":3},{"high":0,"name":"OxG0P1","critical":0,"earnings":1925,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":1,"name":"OxSCSamurai","critical":0,"earnings":1583,"insights":0,"mediumLow":2,"totalValidBugs":3},{"high":2,"name":"Norah","critical":0,"earnings":1534,"insights":0,"mediumLow":3,"totalValidBugs":5},{"high":0,"name":"imsrybr0","critical":3,"earnings":1386,"insights":1,"mediumLow":1,"totalValidBugs":4},{"high":0,"name":"Mirrors","critical":1,"earnings":1234,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"DuckAstronomer","critical":3,"earnings":1129,"insights":0,"mediumLow":0,"totalValidBugs":3},{"high":1,"name":"tryingToHack","critical":2,"earnings":1093,"insights":0,"mediumLow":2,"totalValidBugs":5},{"high":0,"name":"OxRizwan","critical":0,"earnings":949,"insights":2,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"zeroxmuxyz","critical":0,"earnings":906,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":1,"name":"SAAJ","critical":0,"earnings":866,"insights":0,"mediumLow":3,"totalValidBugs":4},{"high":0,"name":"00xWizard","critical":0,"earnings":725,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Minato7namikazi","critical":1,"earnings":720,"insights":1,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Ch301","critical":1,"earnings":616,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"The_Seraphs","critical":0,"earnings":578,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Lastc0de","critical":0,"earnings":567,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"kankodu","critical":0,"earnings":543,"insights":1,"mediumLow":0,"totalValidBugs":0},{"h
igh":0,"name":"cheatcode","critical":0,"earnings":543,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"sss","critical":0,"earnings":543,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Kenzo","critical":0,"earnings":468,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":1,"name":"NinetyNineCrits","critical":0,"earnings":397,"insights":0,"mediumLow":1,"totalValidBugs":2},{"high":1,"name":"Lin511","critical":0,"earnings":308,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"RandomSec","critical":1,"earnings":273,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Hoverfly9132","critical":0,"earnings":267,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"copperscrewer","critical":0,"earnings":228,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":1,"name":"Jonnes","critical":0,"earnings":208,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":1,"name":"Adrianx","critical":0,"earnings":208,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"RNemes","critical":0,"earnings":181,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"oxumarkhatab","critical":0,"earnings":133,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"crazy_squirrel","critical":1,"earnings":119,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Saediek","critical":1,"earnings":119,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Praise","critical":1,"earnings":119,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"MTNether","critical":0,"earnings":112,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"Breeje","critical":0,"earnings":61,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"mt030d","critical":0,"earnings":55,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"dirtymic","critical":1,"earnings":50,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Tapir49939","critical":1,
"earnings":50,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"b0g0","critical":1,"earnings":50,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"riptide","critical":1,"earnings":50,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"konata","critical":1,"earnings":50,"insights":0,"mediumLow":0,"totalValidBugs":1},{"high":0,"name":"Shahen","critical":0,"earnings":37,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"cryptonoob2k","critical":0,"earnings":34,"insights":0,"mediumLow":1,"totalValidBugs":1}],"boostedSummaryReport":"https://drive.google.com/file/d/1iH4THdG-NfXCE4Jpst5UluGlKcd7p1GY/view?usp=sharing","ecosystem":null,"endDate":"2024-05-21T10:30:00.000Z","evaluationEndDate":"2024-06-29T12:00:00.000Z","features":["Managed Triage: Time Saver","Boost"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":null,"launchDate":"2024-04-30T10:30:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5pjZJ5fR4NCzaLxDB7TqlF/ea861b248380639b0048863f6b4aff56/AlchemixLogoMaster500px.png","maxBounty":125000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - high","smart_contract - critical","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"veALCX is the tokenomics upgrade for ALCX, Alchemix's governance token. Users will lock 80/20 ALCX/ETH Balancer Liquidity Tokens into veALCX in exchange for voting power, ALCX emissions, and protocol revenue. 
Voting power is used to vote on snapshot proposals, on-chain governance of veALCX contracts, and gauge voting to direct ALCX emissions. veALCX users also earn a new ecosystem token called FLUX that allows for boosted gauge voting and early unlocks.  \n\nFor more information about Alchemix, please visit [https://alchemix.fi/](https://alchemix.fi/)\n\nAlchemix provides rewards in USDC, denominated in USD.","programType":["Smart Contract"],"project":"Audit Comp | Alchemix","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Alchemix Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/24665684227857-Alchemix-Audit-Competition-Reward-Terms).\n\nThe reward pool will be entirely distributed among participants. The size depends on the bugs found:\n- If no High or Critical severity bugs are found the reward pool will be **$75,000 USD**\n- If one or more High severity bugs are found the reward pool will be **$100,000 USD**\n- If one or more Critical severity bugs are found the reward pool will be **$125,000 USD**\n\nFor this audit competition, duplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the Immunefi [Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n__Reward Payment Terms__\n\nPayouts are handled by the Alchemix team directly and are denominated in USD. 
However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.","rewardsPool":125000,"primaryPool":125000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"alchemix-boost","updatedDate":"2024-10-15T13:43:48.909Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\n\n__Whitehat Educational Resources & Technical Info__\n\n- 1-year-old Medium article that is still largely correct: [https://alchemixfi.medium.com/vealcx-update-272e8900ac5a](https://alchemixfi.medium.com/vealcx-update-272e8900ac5a)\n- Draft document that will eventually turn into a governance proposal to explain and define the launch parameters: [https://alchemixdao.notion.site/veALCX-Launch-Parameters-Proposal-60113919e018424db7fc03c346c34386?pvs=4](https://alchemixdao.notion.site/veALCX-Launch-Parameters-Proposal-60113919e018424db7fc03c346c34386?pvs=4)\n\n__Is this an upgrade of an existing system? If so, which? And what are the main differences?__\n\nThis is a brand-new system to Alchemix, but is an upgrade of Velodrome’s veVELO (which is an upgrade of Solidly’s vote-escrow system). The primary differences are:\n- Alchemix is not a DEX, and therefore sends a majority of ALCX to external locations such as incentives for 3rd party DEX pools, and vote incentives on platforms such as votium, votemarket, etc. Therefore, the system requires both external and internal gauges (i.e., gauges that send ALCX to 3rd party and internal contracts). \n- Alchemix has introduced a “continuous max lock” boolean that may be enabled to prevent decay in voting power and remaining lock time (thus eliminating the need to manually re-lock a position constantly)\n- Alchemix has added the FLUX token, which is earned by veALCX lockers. 
Accrued FLUX credit can be burned to boost gauge voting power. Alternatively, credit can be burned to mint an ERC20 version of FLUX. The FLUX ERC20 is tradeable, and can be used to unlock a veALCX position early. The ERC20 can NOT be used to boost gauge voting power. \n- Alchemix has created a system by which any veALCX revenue asset can be whitelisted to be converted to alAssets to repay users’ debt so long as there is a direct swap path. Assets that are not whitelisted will be passed through directly to veALCX users. \n\n__Where do you suspect there may be bugs?__\n\n- **Which parts of the code are you most concerned about?**\n\nThe highest concern is in the accounting of bribes, including ensuring the total supply is tracked correctly. \n\n- **What attack vectors are you most concerned about?** \n\nAny attack that would artificially inflate a user’s claim on bribes, rewards, or a user’s voting power, or any other means by which bribes and rewards could be stolen.\n\n- **Which part(s) of the system do you want whitehats to attempt to break the most?**\n\nThe rewards distributor and voting system have the most complexity and handle bribes, which could be a variety of assets, as well as tracking voting.\n\n- **Are there any assumed invariants that you want whitehats to attempt to break?**\n    - A user should never be able to claim more bribes than they have earned\n    - A user should never be able to claim more revenue than they have earned\n    - A user should never be able to claim more rewards than they have earned\n    - A user should never be able to vote with more power than they have\n\n\n__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? 
Which are not?__\n\nERC20, ERC721, ERC4626\n\n__What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?__\n\nNone.\n\n__What Roles are there, and what capacities do they have?__\n\nusers - veALCX holders: can create new veALCX tokens, vote, claim bribes, claim rewards (ALCX), claim revenue, claim / burn / boost vote with FLUX\ndelegates - addresses veALCX holders approved to act on their behalf \nadmin - address (governance) that can update system state variables as needed\n\n__Which Roles are trusted roles and what privileges do they hold?__\n\nadmin - address (governance) that can update system state variables as needed.\n\n__Are there trusted roles for which you would consider any bugs invalid, even if the roles are not intended to have that capacity?__\n\nAny malicious behavior that an admin can execute is acknowledged and invalid since the assumption is that admin will be a trusted party\n\n__What external dependencies are there?__\n\nBalancer pool - 0xf16aEe6a71aF1A9Bc8F56975A4c2705ca7A782Bc\n\nAura pool - 0x8B227E3D50117E80a02cd0c67Cd6F89A8b7B46d7\n\nALCX/ETH price feed - 0x194a9AaF2e0b67c35915cD01101585A33Fe25CAa\n\n__Where might whitehats confuse out-of-scope code to be in-scope?__\n\nThe Balancer pool and Aura pools are out of scope and are acknowledged as a third-party pool integration. \n\nDependencies should be audited to verify they are being referenced and utilized correctly, but the dependencies themselves do not need to be audited (ie, it should be assumed the dependencies function as intended). For example, it should be assumed the Balancer Pool Token always represents 80% balance of ALCX and a 20% balance of ETH that tracks the initial deposit. \n\n__Are there any unusual points about your protocol that may confuse whitehats?__\n\nVoting power decay over time. 
If a user does not update their vote, their voting power remains constant; however, they will not be eligible for future bribes or FLUX earnings until they vote. This is considered when accounting for the distribution of Bribes in a given Epoch. \n\nRewards claiming with the Alchemists. If a user has an open debt position in an Alchemist (alETH, alUSD) they can claim revenue that pays off the debt in a given position, so long as that revenue asset is whitelisted to be swapped to the alAsset. \n\nAura rewards with ALCX-BPT. Deposits are sent to the Aura rewards pool when a user creates a veALCX position. VotingEscrow.sol accounts for this and manages the deposit and withdrawal when a user deposits to or withdraws from the VotingEscrow.sol contract. \n\nUsers can boost their vote only with unclaimed FLUX. Once FLUX has been claimed it can only be used to unlock a veALCX token early. It is intentional that it requires longer than the period their token is locked to accrue enough FLUX to unlock a veALCX position early. \n\n__What is the test suite setup information?__\n\n[https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/README.md](https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/README.md)\n\n__Which chains are the smart contracts going to be deployed to?__\n\nETH Mainnet\n\n__Public Disclosure of Known Issues__\n\nBug reports covering previously discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- Ambiguous Proposal Executions via the TimelockController are acknowledged and a part of the governance management system. \n- We are assuming that the price of the alAsset will always be at or below the price of the revenue token. 
This is currently a safe assumption, as this imbalance has held true for alUSD and alETH since their inception.\n\n__Previous Audits__\n\nAlchemix’s completed audit reports can be found at [https://drive.google.com/file/d/1YsO1t1-hSK1wkHajT_GAZ-u35O1Su74X/view?usp=sharing](https://drive.google.com/file/d/1YsO1t1-hSK1wkHajT_GAZ-u35O1Su74X/view?usp=sharing). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"veALCX is the tokenomics upgrade for ALCX, Alchemix's governance token. Users will lock 80/20 ALCX/ETH Balancer Liquidity Tokens into veALCX in exchange for voting power, ALCX emissions, and protocol revenue. Voting power is used to vote on snapshot proposals, on-chain governance of veALCX contracts, and gauge voting to direct ALCX emissions. veALCX users also earn a new ecosystem token called FLUX that allows for boosted gauge voting and early unlocks.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":4849,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for 12 
hours"},{"id":28,"type":"smart_contract","severity":"high","title":"Temporary freezing of NFTs"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":18,"type":"smart_contract","severity":"critical","title":"Permanent freezing of NFTs"},{"id":19,"type":"smart_contract","severity":"critical","title":"Unauthorized minting of NFTs"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":21,"type":"smart_contract","severity":"critical","title":"Unintended alteration of what the NFT represents (e.g. 
token URI, payload, artistic content)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the $125,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the $100,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the $75,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the $75,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"2ipiCpxFuD4cHfty1qYd2v","url":"https://github.com/zerolend/governance","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":4,"description":"Governance smart contracts","isPrimacyOfImpact":null},{"id":"63hznlYDkzaWZ7sOaMe51k","url":"https://explorer.zksync.io/address/0x785765De3E9ac3D8eEb42B4724A7FEA8990142B8","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"AaveOracle (zkSync)","isPrimacyOfImpact":null},{"id":"6GZhWRCl0ZEeQ0RD0ciFn4","url":"https://explorer.zksync.io/address/0x9A60cce3da06d246b492931d2943A8F574e67389","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"ACLManager (zkSync)","isPrimacyOfImpact":null},{"id":"2g6Xq5gnh2EI7Hs3a0qpwm","url":"https://explorer.zksync.io/address/0xe8178fF950Ea1B69a51cE961C542a4CC6Cb6e38E","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"AToken (zkSync)","isPrimacyOfImpact":null},{"id":"1CMdqNdX7SsecG9TxePEuQ","url":"https://explorer.zksync.io/address/0x102699803F4A2b02046C38C672401759af633510","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"DelegationAwareAToken 
(zkSync)","isPrimacyOfImpact":null},{"id":"5Ja12JShdtJGDSjPDgyCeb","url":"https://explorer.zksync.io/address/0x72D2aB433526d32e6Ee52c03d1562A9E79bf0F19","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"EmissionManager (zkSync)","isPrimacyOfImpact":null},{"id":"5J0Zbx82Z0IqE5eOQxelGf","url":"https://explorer.zksync.io/address/0x54AB34aB3C723bD2674c7082aA6fFcdfd3A5BEdc","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"IncentivesProxy (zkSync)","isPrimacyOfImpact":null},{"id":"1gPWUMTtkl3HNttsxsJcjU","url":"https://explorer.zksync.io/address/0x86bd524C09508df7B4B9027464975351B1BC2c92","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"IncentivesV2-Implementation (zkSync)","isPrimacyOfImpact":null},{"id":"7CnrXaJEwcLazXsZQPkeoI","url":"https://explorer.zksync.io/address/0x54d6F91bE4509826559ad12E1Ca6CA3A6C3811e0","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"Pool-Implementation (zkSync)","isPrimacyOfImpact":null},{"id":"1vq7TrgNabVcPMBxEFlybM","url":"https://explorer.zksync.io/address/0x4d9429246EA989C9CeE203B43F6d1C7D83e3B8F8","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"Pool-Proxy (zkSync)","isPrimacyOfImpact":null},{"id":"64hear1whzOeQpj4jx1NBh","url":"https://explorer.zksync.io/address/0x4f285Ea117eF0067B59853D6d16a5dE8088bA259","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"PoolAddressesProvider (zkSync)","isPrimacyOfImpact":null},{"id":"5YQ12OcmKnQUKiqLfcDKCg","url":"https://explorer.zksync.io/address/0x78B93fBb35C97b32C7381C81Fa3A620b3fB7787B","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"PoolAddressesProviderRegistry 
(zkSync)","isPrimacyOfImpact":null},{"id":"6HGz4HWL7R1SaFSE2E4QIt","url":"https://explorer.zksync.io/address/0x8FBC873afD2a23D0bDd79d8a8756a38adda40810","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"PoolConfigurator-Implementation (zkSync)","isPrimacyOfImpact":null},{"id":"5LvPxZlPFst9UA31HFRlGA","url":"https://explorer.zksync.io/address/0x9C3058F7bfCA6139ac3013999F57D7aa6a3AB1Ed","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"PoolConfigurator-Proxy (zkSync)","isPrimacyOfImpact":null},{"id":"RR1CS9IWrbzWnN7nXZR3n","url":"https://explorer.zksync.io/address/0xB73550bC1393207960A385fC8b34790e5133175E","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"PoolDataProvider (zkSync)","isPrimacyOfImpact":null},{"id":"5l3EJavqMr4GSVjIZzWojT","url":"https://explorer.zksync.io/address/0xB73550bC1393207960A385fC8b34790e5133175E","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"ReservesSetupHelper (zkSync)","isPrimacyOfImpact":null},{"id":"2PiNFkIekXBWukluqCfEMH","url":"https://explorer.zksync.io/address/0x70cA80C5dE9fC8f080a494453dF1aA9180073031","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"ReserveStrategy-rateStrategyStableOne (zkSync)","isPrimacyOfImpact":null},{"id":"40nMGyq5bpPUNSVWacOEbR","url":"https://explorer.zksync.io/address/0xcaA502e289bFb924732f44f5E70bd08fc052aab8","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"ReserveStrategy-rateStrategyStableTwo (zkSync)","isPrimacyOfImpact":null},{"id":"2SdQxugW9CwIQuFpEx93LH","url":"https://explorer.zksync.io/address/0xEdAc06D73DbdD3460B5728E4bBE9862b04Ac198a","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"ReserveStrategy-rateStrategyVolatileOne 
(zkSync)","isPrimacyOfImpact":null},{"id":"2ZTS0POXD0TG4iiazdo9Wn","url":"https://explorer.zksync.io/address/0x3A8ea541597D74ACB33F94533D731940AF516031","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"StableDebtToken (zkSync)","isPrimacyOfImpact":null},{"id":"27r2ejRUdnFhcCoyWtAakg","url":"https://explorer.zksync.io/address/0x677C3Cae4F23142c6A8480694554751B462d7326","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"Treasury-Controller (zkSync)","isPrimacyOfImpact":null},{"id":"6paYc1nuiWlk5BfwwnilI4","url":"https://explorer.zksync.io/address/0xC59971Ff27806629D9935fbFBBFC2236961f82C8","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"Treasury-Implementation (zkSync)","isPrimacyOfImpact":null},{"id":"2GoSr3oUyXqMSqYNyxz20V","url":"https://explorer.zksync.io/address/0xE52540DBD350c611A1B9c51E97e2A6bc16c09133","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"TreasuryProxy (zkSync)","isPrimacyOfImpact":null},{"id":"1ajd4dOiIVqZv1BLH9X5O3","url":"https://explorer.zksync.io/address/0x91ccF57c1E9A7F5A9537eE59306faF8dA3b7e960","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"UiIncentiveDataProviderV3 (zkSync)","isPrimacyOfImpact":null},{"id":"4KKwjDmFSZpQwpVFroz32f","url":"https://explorer.zksync.io/address/0x8FE0ac76b634B7D343Bd32282B98E9f271B43367","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"UiPoolDataProviderV3 (zkSync)","isPrimacyOfImpact":null},{"id":"3PNmJZFnnMEg2wi8SVwD88","url":"https://explorer.zksync.io/address/0xA48aCc9847Cc1dD2caDA05151C9A78Ba47a305Cb","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"VariableDebtToken 
(zkSync)","isPrimacyOfImpact":null},{"id":"23gAxxePnqzznw6ej3VOxy","url":"https://explorer.zksync.io/address/0xdeEa10da04D867e3303AB6E50FA26C2d8a5e9f70","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"WalletBalanceProvider (zkSync)","isPrimacyOfImpact":null},{"id":"4AzSsxx0OYDlUo37TMggZg","url":"https://explorer.zksync.io/address/0x767b4A087c11d7581Ac95eaFfc1FeBFA26bad3d2","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"WrappedTokenGatewayV3 (zkSync)","isPrimacyOfImpact":null},{"id":"IDbrMeI7cKV5VdjGBLDLQ","url":"https://explorer.zksync.io/address/0x6CDe8a8cEE9771A30dE4fEAB8eaccb58cb0d30aF","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"[Library] BridgeLogic (zkSync)","isPrimacyOfImpact":null},{"id":"6fX4pfsOGWZtbrQcuswPa7","url":"https://explorer.zksync.io/address/0x8731d4E5b990025143609F4A40eC80Fb482E46A0","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"[Library] ConfiguratorLogic (zkSync)","isPrimacyOfImpact":null},{"id":"3HmpnZVbDvuUOftgGLtJHS","url":"https://explorer.zksync.io/address/0xA8D16FB0620E3376093cb89e2cD9dEF9fE47Daaa","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"[Library] PoolLogic (zkSync)","isPrimacyOfImpact":null},{"id":"5iBqqTQCR6QCCYeX8D8mtd","url":"https://explorer.zksync.io/address/0xD84E953a621bb9D81Dc998E0b1482D2916153c23","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"[Library] EModeLogic (zkSync)","isPrimacyOfImpact":null},{"id":"2eKusmk77htc1UwR6H4cP8","url":"https://explorer.zksync.io/address/0x8855Fd7d577A05d04Cea2E026c5BAa4Bb47feAf9","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"[Library] LiquidationLogic 
(zkSync)","isPrimacyOfImpact":null},{"id":"2e3UfzImMEhHVcJxXRc2AO","url":"https://explorer.zksync.io/address/0x9223dC9205Cf8336CA59bA0bD390647E62D487E5","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"[Library] SupplyLogic (zkSync)","isPrimacyOfImpact":null},{"id":"4XluvrOSTqOL26KR9Cas5L","url":"https://explorer.zksync.io/address/0x424C0995114a614c12506D9A994d3eE140742f12","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"[Library] FlashLoanLogic (zkSync)","isPrimacyOfImpact":null},{"id":"2yGh9e2y2W4RuzNusNNXJS","url":"https://explorer.zksync.io/address/0x81D6b98Beb0A4288dCFab724FDeaE52E5Aa2F7b1","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"[Library] BorrowLogic (zkSync)","isPrimacyOfImpact":null},{"id":"4PKatwadtERrcz0lykAYkH","url":"https://explorer.zksync.io/address/0x9002ecb8a06060e3b56669c6B8F18E1c3b119914","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"WETH-AToken (zkSync)","isPrimacyOfImpact":null},{"id":"oTAFrcLppwX83OHKPhcMC","url":"https://explorer.zksync.io/address/0x9c9158BFF47342A20b7D2Ac09F89e96F3A209b9B","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"WETH-StableDebtToken (zkSync)","isPrimacyOfImpact":null},{"id":"7mljm8UzZ09paNlSJJTGnD","url":"https://explorer.zksync.io/address/0x56f58d9BE10929CdA709c4134eF7343D73B080Cf","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"WETH-VariableDebtToken (zkSync)","isPrimacyOfImpact":null},{"id":"1nBBD26lNuI0jCVR1P0UKz","url":"https://explorer.zksync.io/address/0x016341e6Da8da66b33Fd32189328c102f32Da7CC","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"USDC-AToken 
(zkSync)","isPrimacyOfImpact":null},{"id":"6Q9LyLvn6Ens2MetO5EQ4U","url":"https://explorer.zksync.io/address/0x5faC4FD2e4bCE392d34600d94Aa1114274e54Dff","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"USDC-StableDebtToken (zkSync)","isPrimacyOfImpact":null},{"id":"7n1tngqllPbID5t2mXNVU5","url":"https://explorer.zksync.io/address/0xE60E1953aF56Db378184997cab20731d17c65004","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"USDC-VariableDebtToken (zkSync)","isPrimacyOfImpact":null},{"id":"26LNrkl5V9LBhjAtdXjhKV","url":"https://explorer.zksync.io/address/0x9ca4806fa54984Bf5dA4E280b7AA8bB821D21505","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"USDT-AToken (zkSync)","isPrimacyOfImpact":null},{"id":"7l0um9KNSTQBTFKPRlmpZD","url":"https://explorer.zksync.io/address/0x6F977fD05962d67Eb7B16b15684fbEa0462F442d","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"USDT-StableDebtToken (zkSync)","isPrimacyOfImpact":null},{"id":"1n9YqyY4Mbpl8fT4YkiqmZ","url":"https://explorer.zksync.io/address/0xa333c6FF89525939271E796FbDe2a2D9A970F831","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":2,"description":"USDT-VariableDebtToken (zkSync)","isPrimacyOfImpact":null},{"id":"5U8LmB3FKXyAfGPOb2BUMd","url":"https://pacific-explorer.manta.network/address/0xFF679e5B4178A2f74A56f0e2c0e1FA1C80579385","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"AaveOracle (Manta)","isPrimacyOfImpact":null},{"id":"3jNVyQBhnr73RMtLiggDxL","url":"https://pacific-explorer.manta.network/address/0xb2178109A414C3a869E5104283Fcf1a18923D0B8","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"ACLManager 
(Manta)","isPrimacyOfImpact":null},{"id":"1kooLpCNRPgUfLvdl85jfz","url":"https://pacific-explorer.manta.network/address/0xD2a2a567674E85Bedab9dcC402bCae6C4E0aaBb8","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"AToken (Manta)","isPrimacyOfImpact":null},{"id":"1xq6Vnewj63fNffYiAh7GJ","url":"https://pacific-explorer.manta.network/address/0xF49Ee3EA9C56D90627881d88004aaBDFc44Fd82c","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"DelegationAwareAToken (Manta)","isPrimacyOfImpact":null},{"id":"1z0dhWECHhk591zrh6vb18","url":"https://pacific-explorer.manta.network/address/0x749dF84Fd6DE7c0A67db3827e5118259ed3aBBa5","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"EmissionManager (Manta)","isPrimacyOfImpact":null},{"id":"3x2MaUta3UwQLstz9B2sFo","url":"https://pacific-explorer.manta.network/address/0x28F6899fF643261Ca9766ddc251b359A2d00b945","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"IncentivesProxy (Manta)","isPrimacyOfImpact":null},{"id":"7CsPwmQ0wHOA9AWdVtxI9h","url":"https://pacific-explorer.manta.network/address/0x6e9d0cE24d14fB1750Ba0369e300413B230CA947","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"IncentivesV2-Implementation (Manta)","isPrimacyOfImpact":null},{"id":"1FlKjkL0F01JFT3jFjxBYC","url":"https://pacific-explorer.manta.network/address/0x8676e39B5D2f0d6E0d78a4208a0cCBc50504972e","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"Pool-Implementation (Manta)","isPrimacyOfImpact":null},{"id":"5chr07goFWtXIcz3eCO8vn","url":"https://pacific-explorer.manta.network/address/0x2f9bB73a8e98793e26Cb2F6C4ad037BDf1C6B269","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"Pool-Proxy 
(Manta)","isPrimacyOfImpact":null},{"id":"6akmRObBNMVo3JpevGa8GU","url":"https://pacific-explorer.manta.network/address/0xC44827C51d00381ed4C52646aeAB45b455d200eB","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"PoolAddressesProvider (Manta)","isPrimacyOfImpact":null},{"id":"3IPriIdG7MV46ph6MfXmCt","url":"https://pacific-explorer.manta.network/address/0xC3B6dDc1c9876a922754f1d01D18893C7956A74D","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"PoolAddressesProviderRegistry (Manta)","isPrimacyOfImpact":null},{"id":"6EUvbyPxndejbbFhSbNijf","url":"https://pacific-explorer.manta.network/address/0x78Ad3d53045b6582841e2a1a688C52Be2CA2A7a7","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"PoolConfigurator-Implementation (Manta)","isPrimacyOfImpact":null},{"id":"7hgsZZhXMhdsk7WqhsDvAX","url":"https://pacific-explorer.manta.network/address/0xf17218B09699d0F7145e40E771e72130FF616498","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"PoolConfigurator-Proxy (Manta)","isPrimacyOfImpact":null},{"id":"4tvnDSHU88GTFDwktwmUd8","url":"https://pacific-explorer.manta.network/address/0x67f93d36792c49a4493652B91ad4bD59f428AD15","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"PoolDataProvider (Manta)","isPrimacyOfImpact":null},{"id":"7E6ytsi1CoCnca27ahwGTs","url":"https://pacific-explorer.manta.network/address/0x2ACc2b9FC1123AB649895c9e825260f31348732B","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"PullRewardsTransferStrategy (Manta)","isPrimacyOfImpact":null},{"id":"6d3nu2ZR5m1hNkYfXnoDOS","url":"https://pacific-explorer.manta.network/address/0xb8634e0a320d0f4861062514a63B659E52A87E21","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"ReservesSetupHelper 
(Manta)","isPrimacyOfImpact":null},{"id":"2QC6c7WABcFt2qBDzzxzy3","url":"https://pacific-explorer.manta.network/address/0xaa999eA356F925BF1e856038c5D182Ae5E8A4973","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"ReserveStrategy-rateStrategyStableOne (Manta)","isPrimacyOfImpact":null},{"id":"1OpOWbvtOyVEvnml6Ihbnw","url":"https://pacific-explorer.manta.network/address/0xB7ED499e7570EE7691eeF4DF9D708d258DE2B512","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"ReserveStrategy-rateStrategyStableTwo (Manta)","isPrimacyOfImpact":null},{"id":"3yeNsfxMJI60HGhd1v6WcK","url":"https://pacific-explorer.manta.network/address/0x0f9bfa294bE6e3CA8c39221Bb5DFB88032C8936E","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"ReserveStrategy-rateStrategyVolatileOne (Manta)","isPrimacyOfImpact":null},{"id":"6P0aUANdYMYsK7l8wN6jz4","url":"https://pacific-explorer.manta.network/address/0x859C2ca97EAd2742a0758bc9dD889e9D0e7e84E8","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"StableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"5zc98Y9kWswtCmSqWBGRSn","url":"https://pacific-explorer.manta.network/address/0x3fC90e521397b251D4aAA1FBeAC7cc32f25E78fa","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"Treasury-Controller (Manta)","isPrimacyOfImpact":null},{"id":"30wBrkIUHm0fXYUUuqalDB","url":"https://pacific-explorer.manta.network/address/0xAdC1eb4e8c72f03339638a7B43b2097FC1AFB6c8","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"Treasury-Implementation (Manta)","isPrimacyOfImpact":null},{"id":"6ZwSx5asUXIyeba6370BCs","url":"https://pacific-explorer.manta.network/address/0x97e59722318F1324008484ACA9C343863792cBf6","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"TreasuryProxy 
(Manta)","isPrimacyOfImpact":null},{"id":"5JE3oeaqfwbgClIYhAMjdv","url":"https://pacific-explorer.manta.network/address/0x81b3184A3B5d4612F2c26A53Da8D99474B91B2D2","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"UiIncentiveDataProviderV3 (Manta)","isPrimacyOfImpact":null},{"id":"1GSocddHvxSyffxDjlnvcM","url":"https://pacific-explorer.manta.network/address/0xa32Eb787F2A3DC1F2c2da0E5d8caE7Ff74E6fD32","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"UiPoolDataProviderV3 (Manta)","isPrimacyOfImpact":null},{"id":"2ttf7GQKKN2ZCkxk5hrhok","url":"https://pacific-explorer.manta.network/address/0x0a8058203387c15a711204908ed9efeD9f76e6A8","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"VariableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"53r2II51dC51I2eNmoDR35","url":"https://pacific-explorer.manta.network/address/0xCbDc0aeD7CDf2472784068abEf23a902CafABb98","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"WalletBalanceProvider (Manta)","isPrimacyOfImpact":null},{"id":"3cE9LcLTpJIehFrEPoruV5","url":"https://pacific-explorer.manta.network/address/0xE05361EA51E20118072aec0fB0FD178e8b09D69e","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"WrappedTokenGatewayV3 (Manta)","isPrimacyOfImpact":null},{"id":"2PkgaEtgVFmtKZ0Q7oIiP7","url":"https://pacific-explorer.manta.network/address/0x9698FdF843cbe4531610aC231B0047d9FFc13bC6","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"[Library] BorrowLogic (Manta)","isPrimacyOfImpact":null},{"id":"7MQOFO96iRXsTKGBCQHgW0","url":"https://pacific-explorer.manta.network/address/0xCcCf56e2b6Ad4C06Af8214781b77Cd98446377Bf","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"[Library] BridgeLogic 
(Manta)","isPrimacyOfImpact":null},{"id":"7sGdcND9SgmDE9BzvzTDAI","url":"https://pacific-explorer.manta.network/address/0x2f7e54ff5d45f77bFfa11f2aee67bD7621Eb8a93","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"[Library] ConfiguratorLogic (Manta)","isPrimacyOfImpact":null},{"id":"3PrcTFTpIp3Wpl9mNhhWPF","url":"https://pacific-explorer.manta.network/address/0x59423CCeB710266520dB98034ff62dD1E2090E10","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"[Library] EModeLogic (Manta)","isPrimacyOfImpact":null},{"id":"q9srDm2BR6ESLFYAPDFAX","url":"https://pacific-explorer.manta.network/address/0xb0811a1FC9Fb9972ee683Ba04c32Cb828Bcf587B","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"[Library] FlashLoanLogic (Manta)","isPrimacyOfImpact":null},{"id":"66W7Bz5iEms94prXc7JOvT","url":"https://pacific-explorer.manta.network/address/0x89fEc31daD373922879bd6279ccDc3666c5D1b7a","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"[Library] LiquidationLogic (Manta)","isPrimacyOfImpact":null},{"id":"2w7GQrDe59JkSWpHaENw4W","url":"https://pacific-explorer.manta.network/address/0xc6DF4ddDBFaCb866e78Dcc01b813A41C15A08C10","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"[Library] PoolLogic (Manta)","isPrimacyOfImpact":null},{"id":"14of7dlVzK3YSbbYyzjTPY","url":"https://pacific-explorer.manta.network/address/0x15785C5D383Fa33339CF5D5720546C24313BC66D","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"[Library] SupplyLogic (Manta)","isPrimacyOfImpact":null},{"id":"1EfqyfzBK23u2KfVBpCo1J","url":"https://pacific-explorer.manta.network/address/0x2E207ecA8B6Bf77a6ac82763EEEd2A94de4f081d?tab=contract","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"MATIC-AToken 
(Manta)","isPrimacyOfImpact":null},{"id":"1qAZjjRF4mRlKVemQBz1Ix","url":"https://pacific-explorer.manta.network/address/0xd07e6A4da4e360ba6EdDE42ce7867051ea4BE024","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"MATIC-StableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"HcfmcTyIUPOy5BWMol3j5","url":"https://pacific-explorer.manta.network/address/0xa2703Dc9FbACCD6eC2e4CBfa700989D0238133f6","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"MATIC-VariableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"5qURcUhuTV0BPlsUlJI7iW","url":"https://pacific-explorer.manta.network/address/0x508C39Cd02736535d5cB85f3925218E5e0e8F07A","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"TIA-AToken (Manta)","isPrimacyOfImpact":null},{"id":"2WDKtxnIJHCTe7yILAWt3P","url":"https://pacific-explorer.manta.network/address/0x607f422f2e2de0FD1b084223ED16AE51c2453b06","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"TIA-StableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"OIgZkldJACT27qA89lIHx","url":"https://pacific-explorer.manta.network/address/0x476F206511a18C9956fc79726108a03E647A1817","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"TIA-VariableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"4yYODBNesiu5ifk9BrjwzK","url":"https://pacific-explorer.manta.network/address/0xB4FFEf15daf4C02787bC5332580b838cE39805f5","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"USDC-AToken (Manta)","isPrimacyOfImpact":null},{"id":"1tu0qBYQUyRHi6FCeegYt3","url":"https://pacific-explorer.manta.network/address/0x27C7733D7A0F142720Af777E70eBc33CA485d014","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"USDC-StableDebtToken 
(Manta)","isPrimacyOfImpact":null},{"id":"59kX8K7I4iv2XVNHhk5QCP","url":"https://pacific-explorer.manta.network/address/0xCb2dA0F5aEce616e2Cbf29576CFc795fb15c6133","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"USDC-VariableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"1apGiEMlyCTs8ADcFwLSmU","url":"https://pacific-explorer.manta.network/address/0x759cb97fbc452BAFD49992BA88d3C5dA4Dd9B0e7","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"USDT-AToken (Manta)","isPrimacyOfImpact":null},{"id":"3abIvO6VPpmxTL4pQuGtF1","url":"https://pacific-explorer.manta.network/address/0xB8E26F3C4AFb4f56f430a390Dc3f3b12f8A50B26","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"USDT-StableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"1UoK5RFRWI6exJIf6Makig","url":"https://pacific-explorer.manta.network/address/0xc1d9ca73f57930D4303D380C5DC668C40B38598B","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"USDT-VariableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"6yWN1g052iHfIoHmDo4Kpv","url":"https://pacific-explorer.manta.network/address/0xE7e54ca3D6F8a5561f8cee361260E537BDc5bE48","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"WBTC-AToken (Manta)","isPrimacyOfImpact":null},{"id":"525tuugV5NY8ce3hyGIzSw","url":"https://pacific-explorer.manta.network/address/0x7C2e57764eC33292fE098636AaA5D0357d814d16","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"WBTC-StableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"17xZi94jDNYdXmT3R3BU51","url":"https://pacific-explorer.manta.network/address/0xe6B9b00d42fA5831ccE4E44D9d6D8C51ba17cd1E","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"WBTC-VariableDebtToken 
(Manta)","isPrimacyOfImpact":null},{"id":"25uf1LEDfvf0Dq49JykQnm","url":"https://pacific-explorer.manta.network/address/0x0684FC172a0B8e6A65cF4684eDb2082272fe9050","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"WETH-AToken (Manta)","isPrimacyOfImpact":null},{"id":"2IkMiaYj2kKT25qi7tJUqo","url":"https://pacific-explorer.manta.network/address/0xFFa256Ad2487c4D989C3DFA6A6e9C13Fe33beba4","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"WETH-StableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"1bMNwzdbFtK2ApN9tREgrF","url":"https://pacific-explorer.manta.network/address/0xcC7b5Fd2F290a61587352343b7Cf77bB35cB6f00","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"WETH-VariableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"4Dw8nHXuyrZxd9xeSyeU6V","url":"https://pacific-explorer.manta.network/address/0x0ab214F127998a36Ce7aB0087a9B0D20adc2d5AD","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"wstETH-AToken (Manta)","isPrimacyOfImpact":null},{"id":"28cFOpB3sO7LEi1eprT40P","url":"https://pacific-explorer.manta.network/address/0x28D7246cd9da102c75FAa7d4Cf1c5399B323F084","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"wstETH-StableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"2IjRXNbCh4kRTHlblzSHba","url":"https://pacific-explorer.manta.network/address/0xb5EEf4Df2e48Fb41E6eaE6778c14787bAAa181F1","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":"wstETH-VariableDebtToken (Manta)","isPrimacyOfImpact":null},{"id":"2HFfNh6dYmjxCxTfkGIBwN","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-02-29T08:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":true}],"assetsBodyV2":"ZeroLend's deployed contracts can also be found here: https://docs.zerolend.xyz/security/deployed-addresses\n\nZeroLend’s up to 
date codebase can be found here https://github.com/zerolend \n\nThe zkSync contracts are the same as the Manta contracts. Where one’s deployed contract isn’t verified, its content can be known by referring to the deployment on the other chain, or by checking GitHub.\n\n### Whitehat Educational Resources & Technical Info\n\nDocumentation: https://docs.zerolend.xyz/ \n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\n- ZeroLend is a fork of AAVE V3 with changes in the incentive mechanisms that make it very similar to Radiant Capital. The incentive mechanism is located in the governance repo https://github.com/zerolend/governance \n\n- ZeroLend uses the same EVM as Aave and does not use zk code in itself, but does run on a different compiler which introduces complexity and the potential for novel bugs.\n\n\n\n**Where do you suspect there may be bugs?**\n\n- The incentive contracts (https://github.com/zerolend/governance) are custom-made code so this is an area of concern.\n- Misconfigurations in the lending market (parameters, oracles, etc.).\n- Permission issues (like EOAs having admin access) and similar access issues.\n\n\n**Which part(s) of the system do you want whitehats to attempt to break the most?**\n\n- Everything already live on zkSync and Manta, such as: \n  - Manipulation in terms of asset price\n  - Manipulation that creates bad debt\n  - Creating any other asset risk in the lending market.\n- Any other hack which could bring down the protocol is a major concern.\n\n\n**Are there any assumed invariants that you want whitehats to attempt to break?**\n\n- All positions should have a health factor > 1.\n\n\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\n- Only ERC20. 
Nothing else.\n\n\n**What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?**\n\n\n- Same emergency actions as Aave; we can freeze the protocol, we can freeze an asset if it becomes more risky. We likely wouldn’t want to invalidate a bug on account of these, and may not downgrade it either. This would be based on the circumstances.\n\n\n\n**What Roles are there, and what capacities do they have?**\n\n- Same as aave: https://docs.aave.com/developers/core-contracts/aclmanager\n- The ⅔ multisig used is trusted.\n\n\n**What external dependencies are there?**\n\n- The token assets used.\n\n\n\n**What is the test suite setup information?**\n\n- Tests are in Hardhat https://github.com/zerolend/governance/tree/main/test\n- To run just do “yarn test.” \n\n\n**Public Disclosure of Known Issues**\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n\n- There is a bug on flashloans, so as a precautionary measure they’re disabled and their bugs are considered out-of-scope: https://governance.aave.com/t/pre-cautionary-measures-on-three-aave-v3-assets/16037 \n\n\n**Previous Audits**\n\nZeroLend’s completed audit reports can be found at https://docs.zerolend.xyz/security/audits. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n\n### Asset In Scope Policies\n\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid, but their rewards are downgraded one severity level.\n\n**Known Issue Assurance**\n\nZeroLend commits to providing Known Issue Assurance to bug submissions through their program. This means that ZeroLend will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n**Primacy of Impact vs Primacy of Rules**\n\nZeroLend adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract - Critical\n- Smart Contract - High\n\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact).\n\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. 
Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/17OHbMfw2-w02kbwSThZNiDNLlhoT47ih?usp=sharing).\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/ZeroLend).","boostedIntroLive":"ZeroLend has $60 million TVL needing to be secured. There is no KYC.\n\nA flat $200,000 USD reward pool will be distributed among whitehats who find bugs on ZeroLend’s ~6500 nSLOC codebase.\n\nDuplicates will be rewarded, with the first to submit the greatest severity of the bug receiving a greater portion of the reward pool. For more details read our [Boost Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/22902062811281-ZeroLend-Boost-Reward-Terms). \n\nZeroLend will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to ZeroLend or Immunefi within the “zerolend-boost” channel on [Immunefi’s Discord](https://discord.com/invite/immunefi).\n\nWhen the Boost has ended Immunefi will publish a whitehat leaderboard and findings from the event.","boostedIntroStartingIn":"$200,000 USD in rewards is available for finding bugs on ZeroLend. Their entire deployed codebase holding $50 million TVL will be in-scope. As well, their brand new as-yet undeployed governance contracts will be in-scope.\n\nNo KYC is required.\n\nZeroLend will respond within 24 hours on weekdays to all bug reports. 
Any technical questions can be asked directly to the ZeroLend technical team on Immunefi's [Discord](https://discord.gg/rpkPDR7pVV?utm_source=immunefi) in the \"zerolend-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nOn launch day, Thursday Feb 29th, ZeroLend will give a live technical walkthrough, hosted in the Immunefi Discord. Sign up below to be notified with more details.\n\n\n[Sign up for updates](https://forms.gle/xn7SkhFsUUhwM82s9)","boostedLeaderboard":[{"high":6,"name":"Trust","critical":2,"earnings":49378,"insights":0,"mediumLow":1,"totalValidBugs":9},{"high":2,"name":"stiglitz","critical":1,"earnings":25416,"insights":2,"mediumLow":0,"totalValidBugs":3},{"high":3,"name":"MahdiKarimi","critical":1,"earnings":24697,"insights":0,"mediumLow":0,"totalValidBugs":4},{"high":1,"name":"offside0011","critical":1,"earnings":20671,"insights":0,"mediumLow":1,"totalValidBugs":3},{"high":2,"name":"perseverance","critical":1,"earnings":15878,"insights":0,"mediumLow":2,"totalValidBugs":5},{"high":1,"name":"ox7a69","critical":0,"earnings":14360,"insights":1,"mediumLow":2,"totalValidBugs":3},{"high":1,"name":"joaovwfreire","critical":1,"earnings":11647,"insights":1,"mediumLow":1,"totalValidBugs":3},{"high":1,"name":"EricTee","critical":1,"earnings":8126,"insights":0,"mediumLow":0,"totalValidBugs":2},{"high":1,"name":"[banned]","critical":0,"earnings":5998,"insights":2,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"OxSCSamurai","critical":0,"earnings":4408,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":1,"name":"dontonka","critical":0,"earnings":3439,"insights":1,"mediumLow":1,"totalValidBugs":2},{"high":0,"name":"Paludo0x","critical":0,"earnings":2795,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"mhmd_alfa","critical":0,"earnings":2581,"insights":4,"mediumLow":0,"totalValidBugs":0},{"high":1,"name":"nereus","critical":0,"earnings":2493,"insights":1,"mediumL
ow":0,"totalValidBugs":1},{"high":0,"name":"Lastc0de","critical":0,"earnings":1906,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"azhar0406","critical":0,"earnings":1613,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Piyushbug","critical":0,"earnings":1613,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Norah","critical":0,"earnings":853,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"jimmyhackd","critical":0,"earnings":645,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"riptide","critical":0,"earnings":604,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"djxploit","critical":0,"earnings":293,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Mirrors","critical":0,"earnings":293,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"savi0ur","critical":0,"earnings":293,"insights":0,"mediumLow":1,"totalValidBugs":1}],"boostedSummaryReport":"https://drive.google.com/file/d/1ZIp_jHUbIXU1LcJxgHXgWwycrF_dMA9X/view?usp=sharing","ecosystem":["ETH"],"endDate":"2024-03-14T08:00:00.000Z","evaluationEndDate":"2024-05-03T08:00:00.000Z","features":["Vault","Managed Triage: Time Saver","Boost"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity","JavaScript"],"launchDate":"2024-02-29T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/6DUpgCKU7RBNjZBDgQp7Oh/462a64d77ba48737bf0e6c86ef036880/Screenshot_2024-02-22_at_5.43.58___PM.png","maxBounty":200000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. 
\n\n**All Categories:**\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n**Blockchain/DLT & Smart Contract Specific:**\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n\n**Prohibited Activities:**\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"tbd","productType":["Lending"],"programOverview":"ZeroLend is a decentralized lending protocol built on zkSync Era.\n\nZeroLend's core product is its decentralized non-custodial liquidity market. ZeroLend is a fork of [AAVE V3](https://aave.com/) with changes in the incentive mechanisms that make it similar to [Radiant Capital](https://radiant.capital/).\n\nFor more information about ZeroLend, please visit https://zerolend.xyz \n\nZeroLend provides rewards in USDC, denominated in USD.","programType":["Smart Contract"],"project":"Audit Comp | ZeroLend","projectType":["Defi"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Audit Competition Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/22902062811281-ZeroLend-Audit-Competition-Reward-Terms). \n\nA reward pool of $200,000 USD will be distributed among participants, even if no valid bugs are found. Duplicates and private known issues are valid for a reward.\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n**Reward Payment Terms**\n\nPayouts are handled by the ZeroLend team directly and are denominated in USD. 
However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.","rewardsPool":200000,"primaryPool":200000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"zerolend-boost","updatedDate":"2024-10-15T13:42:09.406Z","impactsBody":"**Proof of Concept (PoC) Requirements**\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Temporary Freezing of Funds**\n\nIf the minimum threshold of temporary freezing for at least 1 hour is not met then the report will be downgraded to Medium severity.\n\n### Miscellaneous Policies\n\n**Responsible Publication**\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n\n\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n**Feasibility Limitations**\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n**Immunefi Standard Badge**\n\nBy adhering to Immunefi’s best practice recommendations, ZeroLend has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"ZeroLend is a decentralized lending protocol built on zkSync Era. ZeroLend's core product is its decentralized non-custodial liquidity market. ZeroLend is a fork of AAVE V3 with changes in the incentive mechanisms that make it similar to Radiant Capital.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":4762,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 hour"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":16,"type":"smart_contract","severity":"critical","title":"Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the $200,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the $200,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the $200,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"15fTmA35NPZNoseq6WKci0","url":"https://github.com/immunefi-team/vaults/blob/main/src/RewardTimelock.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"RewardTimelock - 124","isPrimacyOfImpact":null},{"id":"34XNQJprrGcNaoN1S3cu6K","url":"https://github.com/immunefi-team/vaults/blob/main/src/guards/ScopeGuard.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"ScopeGuard - 92","isPrimacyOfImpact":null},{"id":"49s2Vc7zBB2kxbUnZVpRnx","url":"https://github.com/immunefi-team/vaults/blob/main/src/guards/ImmunefiGuard.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"ImmunefiGuard - 
39","isPrimacyOfImpact":null},{"id":"6MX9JThbU5udIMXBucMcBT","url":"https://github.com/immunefi-team/vaults/blob/main/src/base/RewardSystemBase.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"RewardSystemBase - 47","isPrimacyOfImpact":null},{"id":"47btjrjANpbcpTPLYUoOIP","url":"https://github.com/immunefi-team/vaults/blob/main/src/base/RewardTimelockBase.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"RewardTimelockBase - 171","isPrimacyOfImpact":null},{"id":"60yS59AOpzwY0Oiyd4EMaP","url":"https://github.com/immunefi-team/vaults/blob/main/src/base/ArbitrationBase.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"ArbitrationBase - 105","isPrimacyOfImpact":null},{"id":"2RWjvF4bQaS1mbj10Bk5L2","url":"https://github.com/immunefi-team/vaults/blob/main/src/base/AccessControlBaseModule.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"AccessControlBaseModule - 53","isPrimacyOfImpact":null},{"id":"46SZHJ3uxyRUkEoLMxAIIO","url":"https://github.com/immunefi-team/vaults/blob/main/src/base/WithdrawalSystemBase.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"WithdrawalSystemBase - 42","isPrimacyOfImpact":null},{"id":"2fFwVAf16Ro8vzsWtpWNm5","url":"https://github.com/immunefi-team/vaults/blob/main/src/base/AccessControlGuardable.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"AccessControlGuardable - 19","isPrimacyOfImpact":null},{"id":"BRRvaO0rdfPb4OzJMCPO3","url":"https://github.com/immunefi-team/vaults/blob/main/src/base/TimelockBase.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"TimelockBase - 
192","isPrimacyOfImpact":null},{"id":"6okJu0CjhIjQjCGctL5WI5","url":"https://github.com/immunefi-team/vaults/blob/main/src/handlers/VaultSetup.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"VaultSetup - 28","isPrimacyOfImpact":null},{"id":"2hO3aUm7QMZtO4YbyuYLMq","url":"https://github.com/immunefi-team/vaults/blob/main/src/events/IWithdrawalSystemEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IWithdrawalSystemEvents - 8","isPrimacyOfImpact":null},{"id":"3K1Ros1myQeKp8iCGLXg7l","url":"https://github.com/immunefi-team/vaults/blob/main/src/events/IRewardTimelockEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IRewardTimelockEvents - 22","isPrimacyOfImpact":null},{"id":"6BLTPQZc3L1u7Y3p9qn0LW","url":"https://github.com/immunefi-team/vaults/blob/main/src/events/IEmergencySystemEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IEmergencySystemEvents - 5","isPrimacyOfImpact":null},{"id":"21wrnzZ1PFN75GrobzGIfy","url":"https://github.com/immunefi-team/vaults/blob/main/src/events/IImmunefiGuardEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IImmunefiGuardEvents - 5","isPrimacyOfImpact":null},{"id":"PVk6inqQzVkTuxyvW20oO","url":"https://github.com/immunefi-team/vaults/blob/main/src/events/IArbitrationEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IArbitrationEvents - 13","isPrimacyOfImpact":null},{"id":"SBSmNiRWlD3MEODgfd1i6","url":"https://github.com/immunefi-team/vaults/blob/main/src/events/ITimelockEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"ITimelockEvents - 
31","isPrimacyOfImpact":null},{"id":"7cz6iMawe8IwpdcmavMF1t","url":"https://github.com/immunefi-team/vaults/blob/main/src/events/IRewardSystemEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IRewardSystemEvents - 20","isPrimacyOfImpact":null},{"id":"4hNgc5YuA782O6LUcXIFo4","url":"https://github.com/immunefi-team/vaults/blob/main/src/events/IScopeGuardEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IScopeGuardEvents - 10","isPrimacyOfImpact":null},{"id":"1g3X4KFdin0pFcZdubOFYc","url":"https://github.com/immunefi-team/vaults/blob/main/src/events/IVaultFreezerEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IVaultFreezerEvents - 6","isPrimacyOfImpact":null},{"id":"3xSKRHNg94IZc0TE06SGAx","url":"https://github.com/immunefi-team/vaults/blob/main/src/WithdrawalSystem.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"WithdrawalSystem - 43","isPrimacyOfImpact":null},{"id":"1Ktf0SkTYtod9XsIXuZN6j","url":"https://github.com/immunefi-team/vaults/blob/main/src/RewardSystem.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"RewardSystem - 48","isPrimacyOfImpact":null},{"id":"6sgPWJgt2VgNYAVwXEV08A","url":"https://github.com/immunefi-team/vaults/blob/main/src/VaultFreezer.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"VaultFreezer - 26","isPrimacyOfImpact":null},{"id":"4aIwi5Nx5prJuJzsu8TWyS","url":"https://github.com/immunefi-team/vaults/blob/main/src/encoders/RewardTimelockOperationEncoder.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"RewardTimelockOperationEncoder - 
20","isPrimacyOfImpact":null},{"id":"2HaG99NZELfpKqXFP9IOmt","url":"https://github.com/immunefi-team/vaults/blob/main/src/encoders/TimelockOperationEncoder.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"TimelockOperationEncoder - 22","isPrimacyOfImpact":null},{"id":"78liMjjZ2dqfxpXvYVcbgR","url":"https://github.com/immunefi-team/vaults/blob/main/src/encoders/BaseEncoder.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"BaseEncoder - 18","isPrimacyOfImpact":null},{"id":"5ItZJxNaKo2X6hW4kVkbTH","url":"https://github.com/immunefi-team/vaults/blob/main/src/encoders/ArbitrationOperationEncoder.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"ArbitrationOperationEncoder - 14","isPrimacyOfImpact":null},{"id":"65yqSNXExdURwy9Jct8t0O","url":"https://github.com/immunefi-team/vaults/blob/main/src/EmergencySystem.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"EmergencySystem - 17","isPrimacyOfImpact":null},{"id":"6WGQrvn6OpxefHNZ4hnVd1","url":"https://github.com/immunefi-team/vaults/blob/main/src/common/VaultDelegate.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"VaultDelegate - 110","isPrimacyOfImpact":null},{"id":"6UfPRlppGOLZg8flMpwWlU","url":"https://github.com/immunefi-team/vaults/blob/main/src/common/Rewards.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"Rewards - 7","isPrimacyOfImpact":null},{"id":"3GGC1wv1ieBBEuApZJh5e","url":"https://github.com/immunefi-team/vaults/blob/main/src/common/VaultFees.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"VaultFees - 
50","isPrimacyOfImpact":null},{"id":"1dxsWfqp5uVIHhJBon3DXO","url":"https://github.com/immunefi-team/vaults/blob/main/src/ImmunefiModule.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"ImmunefiModule - 23","isPrimacyOfImpact":null},{"id":"5aKIOupzEuPSiy6X28cA57","url":"https://github.com/immunefi-team/vaults/blob/main/src/Timelock.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"Timelock - 78","isPrimacyOfImpact":null},{"id":"2UO39kjJprvAsas3asV5eW","url":"https://github.com/immunefi-team/vaults/blob/main/src/Arbitration.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"Arbitration - 182","isPrimacyOfImpact":null},{"id":"1FIt5fqV1Pkz17jlG0ECcs","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/IPriceConsumerEvents.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IPriceConsumerEvents - 5","isPrimacyOfImpact":null},{"id":"5to94QttWtbkRX1SxhWNUg","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/IPriceFeed.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IPriceFeed - 3","isPrimacyOfImpact":null},{"id":"7st3rDwZjFoOTuYoceV7BL","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/chainlink/Denominations.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"Denominations - 23","isPrimacyOfImpact":null},{"id":"5e7dcb5VGrrpZWaNmdzPW7","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/chainlink/shared/interfaces/AggregatorInterface.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"AggregatorInterface - 
3","isPrimacyOfImpact":null},{"id":"6kcvOTJzuj2SyUgOJdWqP6","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/chainlink/shared/interfaces/AggregatorV3Interface.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"AggregatorV3Interface - 3","isPrimacyOfImpact":null},{"id":"5GgPD7D8oEi3V3PJxna13X","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/chainlink/shared/interfaces/AggregatorV2V3Interface.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"AggregatorV2V3Interface - 5","isPrimacyOfImpact":null},{"id":"2nGSJo2ADj2YPqc8IMqkFp","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/chainlink/FeedRegistryInterface.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"FeedRegistryInterface - 25","isPrimacyOfImpact":null},{"id":"4p8XXILQhZ5NIUpQTYTjdM","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/FeedRegistryL2.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"FeedRegistryL2 - 52","isPrimacyOfImpact":null},{"id":"53YMTY1HeRHkbt45OkbUi8","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/IFeedRegistryMinimal.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"IFeedRegistryMinimal - 3","isPrimacyOfImpact":null},{"id":"5YAClSWJZah9V9IMCrIqki","url":"https://github.com/immunefi-team/vaults/blob/main/src/oracles/PriceConsumer.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"PriceConsumer - 95","isPrimacyOfImpact":null},{"id":"1OtISNS0xXyUF5VNCYm8pu","url":"https://github.com/immunefi-team/vaults/blob/main/src/proxy/ProxyAdminOwnable2Step.sol","type":"smart_contract","addedAt":"2024-03-12T08:00:00.000Z","revision":1,"description":"ProxyAdminOwnable2Step - 15","isPrimacyOfImpact":null}],"assetsBodyV2":"Immunefi Arbitration’s up to 
date codebase can be found at https://github.com/immunefi-team/vaults\n\n\n### Whitehat Educational Resources & Technical Info\n\nPlease provide educational resources, for example:\n\n1. [Arbitration Protocol Overview](https://docs.google.com/document/d/1SGt3O18Ne37WKuVx5T-EmNUtKKIgc5LuOYpd6h-wvWc)\n2. [Arbitration Protocol Diagrams](https://miro.com/app/board/uXjVNm4Fx3Q=/)\n3. [Video Overview](https://www.youtube.com/watch?v=iY3ZCcRlKfQ)\n4. [Technical Walkthrough](https://www.youtube.com/watch?v=-5U56Sst-C4)\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nNo.\n\n\n**Where do you suspect there may be bugs? Useful aspects of this question are:**\n\n- **Which parts of the code are you most concerned about?**\n- **What attack vectors are you most concerned about?**\n- **Which part(s) of the system do you want whitehats to attempt to break the most?**\n- **Are there any assumed invariants that you want whitehats to attempt to break?**\n\nEverything that touches on the ImmunefiModule is sensitive. In theory, a Safe module gives it full power over whatever is inside the Vault, so the module code and everything around it is critical. Users should not be able to trick the protocol into draining the Vaults.\n\nWe also assume it is really difficult or costly to take money from a Vault when it is in arbitration.\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\n- **For example, rebasing tokens and Fee-On-Transfer tokens.**\n\nIn theory, all ERC20 tokens can be used as payment tokens for whitehats. The arbitration fee should use USDC or some other token that the owner decides to be the new fee token. 
\n\n**What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?**\n\n- **For each emergency action, how does it work, how would it affect a bug report, and when would you utilize it?**\n\n**If this is listed in your documentation, then a link to that part of the documentation would suffice.**\n\n- **Note that normally, not all emergency actions are accepted as a valid reason to invalidate or downgrade an otherwise valid bug report, such as [chain rollbacks.](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)**\n\nIt is assumed that all timelocked actions can be stopped through freezing of vaults, or through the emergency system.\n\n\n**What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?**\n\n- **Note that normally, monitoring systems are only a valid reason to downgrade a bug if there is 100% certainty that the bug would be detected and fully prevented. 
Immunefi’s full policy and reasoning can be read [here](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring).**\n\nNothing.\n\n\n**What Roles are there, and what capacities do they have?**\n\nThe roles are detailed in the [documentation](https://docs.google.com/document/d/1SGt3O18Ne37WKuVx5T-EmNUtKKIgc5LuOYpd6h-wvWc), along with their privileges.\n\n\n**Which Roles are trusted roles and what privileges do they hold?**\n\nThe roles are detailed in the [documentation](https://docs.google.com/document/d/1SGt3O18Ne37WKuVx5T-EmNUtKKIgc5LuOYpd6h-wvWc), along with their privileges.\n\n\n**Are there trusted roles for which you would consider any bugs invalid, even if the roles are not intended to have that capacity?**\n\n**Note that normally, bugs requiring access to privileged addresses are valid in such cases where the privileged addresses are not intended to have access to functions that make the attack possible.**\n\nAny malicious behavior coming from contract owners, enforcers or arbitrators using their scoped powers to affect the protocol is considered invalid.\n\n\n**What external dependencies are there?**\n\nOpenZeppelin Contracts, OpenZeppelin Upgradeable Contracts.\n\n**Where might whitehats confuse out-of-scope code to be in-scope?**\n\nAll the code is in scope.\n\n**Are there any unusual points about your protocol that may confuse whitehats?**\n\nVaults are assumed to have an ImmunefiModule setup and an ImmunefiGuard, and no other modules should be added to the Vault. The code is assuming all of this.\n\n\n**What is the test suite setup information?**\n\n- **If this is already provided in Github, then linking that resource is enough.**\n\nhttps://github.com/immunefi-team/vaults/blob/main/README.md#testing \n\n\n**Public Disclosure of Known Issues**\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. 
This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- It is possible for a project to immediately withdraw funds from a Vault when it is not in Arbitration. They can do this by bypassing the withdrawal timelock and impersonating a whitehat, issuing a reward to themselves through the RewardSystem component and potentially paying a fee for it. This is known behavior, and it was previously flagged in the [internal audit](https://github.com/immunefi-team/vaults/blob/main/audits/2024-01-15%20-%20Immunefi%20-%20Internal%20Audit%20of%20the%20Vault%20System%20and%20Arbitration.pdf). The project could also decide to do this as a frontrunning transaction to an arbitration call (flagged in [this audit](https://github.com/immunefi-team/vaults/blob/main/audits/dedaub-arbitration-immunefi-report.pdf)).\n- It is possible to queue reward transactions for an amount of funds that actually doesn’t exist in a vault. The transaction will revert once the reward is executed, if the vault doesn’t hold enough funds covering it. The same goes for other transactions such as withdrawals. Flagged in the [internal audit](https://github.com/immunefi-team/vaults/blob/main/audits/2024-01-15%20-%20Immunefi%20-%20Internal%20Audit%20of%20the%20Vault%20System%20and%20Arbitration.pdf).\n- It is technically possible to call arbitration and grief a reward transaction execution, though it does require the griefer to pay a heavy fee. Flagged in the [internal audit](https://github.com/immunefi-team/vaults/blob/main/audits/2024-01-15%20-%20Immunefi%20-%20Internal%20Audit%20of%20the%20Vault%20System%20and%20Arbitration.pdf).\n- We acknowledge that reward payments are not necessarily accounting for fee-on-transfer tokens. 
Flagged in the [internal audit](https://github.com/immunefi-team/vaults/blob/main/audits/2024-01-15%20-%20Immunefi%20-%20Internal%20Audit%20of%20the%20Vault%20System%20and%20Arbitration.pdf).\n- It is technically possible to withdraw funds that are critical for arbitration, if for some reason the off-chain mechanisms don’t have enough time to act and freeze a vault during a critical withdrawal request. We assume that the cooldown time is enough for the off-chain actors to act. Flagged in [this audit](https://github.com/immunefi-team/vaults/blob/main/audits/ackee-blockchain-immunefi-vault-final-report.pdf).\n\n**Previous Audits**\n\nImmunefi Arbitration’s completed audit reports can be found at [https://github.com/immunefi-team/vaults/tree/main/audits](https://github.com/immunefi-team/vaults/tree/main/audits). Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n### Asset In Scope Policies\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid for a 25% partial reward.\n\n**Known Issue Assurance**\n\nImmunefi Arbitration commits to providing Known Issue Assurance to bug submissions through their program. This means that Immunefi Arbitration will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. 
Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n**Primacy of Impact vs Primacy of Rules**\n\nImmunefi Arbitration adheres to the Primacy of Impact for the following impacts:\n\n- Smart Contract / Critical\n- Smart Contract / High\n- Smart Contract / Medium\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.\n\nAll other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1V992rR-DhkUr4y8Kz0jpicdMw4cjWxst?usp=sharing).\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/Immunefi%20Arbitration).","boostedIntroLive":"$30,000 USD in rewards is available for finding bugs for the Immunefi Arbitration Boost. \n\nKYC is required.\n\nThe rewards pool is partly distributed with the following formula, and partly at Immunefi’s discretion. 
The portion at Immunefi’s discretion is to reward high-quality whitehat contributions, such as exceptionally well-written reports, the best report among duplicates, and valuable but technically invalid bug reports. For more details read our [Boost Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/23262277256849-Immunefi-Arbitration-Boost-Reward-Terms)\n\nImmunefi will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to Immunefi within the “immunefiarb-boost” channel on [Immunefi’s Discord](https://discord.com/invite/immunefi).\n\nWhen the Boost has ended Immunefi will publish a whitehat leaderboard and findings from the event.","boostedIntroStartingIn":"$30,000 USD in rewards is available for finding bugs for the Immunefi Arbitration Boost. \n\nKYC is required.\n\nImmunefi will respond within 24 hours on weekdays to all bug reports. Any technical questions can be asked directly to the Immunefi technical team on Immunefi's [Discord](https://discord.gg/rpkPDR7pVV?utm_source=immunefi) in the \"immunefiarb-boost\" channel.\n\nWhen the Boost has ended, Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nOn launch day, Tuesday March 12th, Immunefi will give a live technical walkthrough, hosted in the Immunefi Discord. 
Sign up below to be notified with more details.\n\n\n[Sign up for updates](https://docs.google.com/forms/d/e/1FAIpQLSdBLJGLkTNEJLTnPPak-5b5bwV2I6GVGRBKia_FHO9KB4UbFQ/viewform?usp=sf_link)","boostedLeaderboard":[{"high":0,"name":"marchev","critical":0,"earnings":13730,"insights":2,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"OxSCSamurai","critical":0,"earnings":7500,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"seinsidler","critical":0,"earnings":1269,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Dudex_2004","critical":0,"earnings":1269,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"caglankaan","critical":0,"earnings":1269,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"greed","critical":0,"earnings":1269,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"OxRizwan","critical":0,"earnings":1269,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Sadhunter","critical":0,"earnings":807,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"En3cyptedDegenExt","critical":0,"earnings":807,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"shanb1605","critical":0,"earnings":807,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1dES_h4V-8XISqI0gFTgsh1ZbcopqSYPO/view?usp=sharing","ecosystem":null,"endDate":"2024-04-02T08:00:00.000Z","evaluationEndDate":"2024-05-03T08:00:00.000Z","features":["Managed Triage: Time Saver","Vault","Boost"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":null,"launchDate":"2024-03-12T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/2V4kHwGy9dzUAcs61R7mC6/0dea15f36e83e9429d47c7685b2cfba0/Logo_Mark_Badge_White_Round_4x.png","maxBounty":30000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. 
\n\n### All Categories:\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n### Blockchain/DLT & Smart Contract Specific:\n\n- Incorrect data supplied by third party oracles\n   - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n\n### Prohibited Activities:\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. 
SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":null,"programOverview":"The smart contract Arbitration Protocol is a set of on-chain workflows designed to resolve disputes between Projects and Security Researchers over bug report validity and appropriate reward. The expected output is a final binding decision on a report, followed by enforcement (as required) of the bounty reward from the Project to the Security Researcher. The first level of enforcement should occur through leveraging Immunefi’s Vaults.\n\nThe Vaults are Gnosis Safe wallets, and the system includes a set of components which interact with the Vaults through a module and a guard. 
The purpose of the components is to scope the access of the different roles and players in the arbitration protocol, as well as their capabilities of rewarding, arbitration calling, enforcing, among others.\n\nFor more information about Immunefi Arbitration, please visit https://medium.com/immunefi/introducing-immunefis-arbitration-boost-32858a1fe7e3\n\nImmunefi Arbitration provides rewards in USDC, denominated in USD.","programType":["Smart Contract"],"project":"Audit Comp | Immunefi Arbitration","projectType":null,"rewardsBody":"The following reward terms are a summary, for the full details read our [Immunefi Arbitration Audit Competition Reward Distribution Terms.](https://docs.google.com/document/d/19kBlndLHNAq2toEQ0BSN-LsLGrbiB7MUYvHczcgEOLA/edit?usp=sharing)\n\nA baseline reward pool of $30,000 USD will be distributed among participants, even if no valid bugs are found. \nFor this audit competition, duplicates and private known issues are valid for a reward.\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3. ](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/)\n\n### Reward Payment Terms\n\nPayouts are handled by the Immunefi Arbitration team directly and are denominated in USD. 
However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.\n\n### Invoicing Information\n\nAvailable on request.","rewardsPool":30000,"primaryPool":30000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"immunefiarbitration-boost","updatedDate":"2024-10-15T13:40:52.077Z","impactsBody":"### Proof of Concept (PoC) Requirements\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.\n\n### KYC Requirement\n\nImmunefi Arbitration will be requesting KYC information in order to pay for successful bug submissions. \n\nFor all submissions, Immunefi may request the researcher's country of residence before releasing payment. Some countries are restricted when it comes to payments. This bug bounty program is only open to individuals who reside outside of the countries that are restricted by OFAC and by UNSC resolutions.\n\nFor critical submissions, Immunefi will request government identification. 
KYC verification will be completed by an external service before payment can be released.\n\nKYC information is only required on confirmation of the validity of a bug report.\n\nThe following information will be required:\n\n- Full name \n- Date of birth\n- Proof of address (either a redacted bank statement with address or a recent utility bill)\n- Copy of Passport or other Government issued ID\n\n\n### Eligibility Criteria\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFACs SDN list \n- Official contributor, both past or present\n- Employees and/or individuals closely associated with the project \n- Security auditors that directly or indirectly participated in the audit review\n\n\n### Responsible Publication\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n### Feasibility Limitations\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards ](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n### Immunefi Standard Badge\n\nBy adhering to Immunefi’s best practice recommendations, Immunefi Arbitration has satisfied the requirements for the [Immunefi Standard Badge.](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209)","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"The smart contract Arbitration Protocol is a set of on-chain workflows designed to resolve disputes between Projects and Security Researchers over bug report validity and appropriate reward. 
The expected output is a final binding decision on a report, followed by enforcement (as required) of the bounty reward from the Project to the Security Researcher.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":24,"type":"smart_contract","severity":"high","title":"Theft of unclaimed royalties"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":26,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed royalties"},{"id":27,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":20,"type":"smart_contract","severity":"critical","title":"Predictable or manipulable RNG that results in abuse of the principal or NFT"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"Portion of the $30,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Portion of the $30,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Portion of the $30,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Portion of the $30,000 USD Reward Pool","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"32nobiKEqGuQr706GcgX5e","url":"https://etherscan.io/address/0x3C28B7c7Ba1A1f55c9Ce66b263B33B204f2126eA#code","type":"smart_contract","addedAt":"2024-02-22T08:00:00.000Z","revision":1,"description":"[TimeLock.sol] - [289 nSLOC]","isPrimacyOfImpact":null},{"id":"Vp5HhNZo73EtJ8JTtlRsL","url":"https://etherscan.io/address/0x7276925e42f9c4054afa2fad80fa79520c453d6a","type":"smart_contract","addedAt":"2024-02-22T08:00:00.000Z","revision":1,"description":"[PufferDepositor.sol] - [208]","isPrimacyOfImpact":null},{"id":"3NdyyZx2NPLR3ugCrVDF4L","url":"https://etherscan.io/address/0xd9a442856c234a39a81a089c06451ebaa4306a72","type":"smart_contract","addedAt":"2024-02-22T08:00:00.000Z","revision":1,"description":"[PufferVault.sol] - 
[295]","isPrimacyOfImpact":null},{"id":"ZXgVte55zg0AVBmonSabG","url":"https://etherscan.io/address/0xd9a442856c234a39a81a089c06451ebaa4306a72","type":"smart_contract","addedAt":"2024-02-22T08:00:00.000Z","revision":1,"description":null,"isPrimacyOfImpact":true}],"assetsBodyV2":"Puffer Finance’s codebase can be found at https://github.com/PufferFinance/pufETH/tree/main \n\n- There is a minor edit in PufferDepositor.sol github which doesn't match the deployed code. The code is basically the same functions, just the permit is moved to a separate file and the rest of the changes are related to that move. The deployed code is the determinator of whether a bug is valid.\n\nPuffer Depositor swap functions are in scope, but due to them being paused bugs will only be considered if they can bypass the pause mechanism. They technically pause in 2 days from now (Feb 21 2024) but we will consider them to already be paused at the beginning of this program.\n\n\n**Whitehat Educational Resources & Technical Info:**\n\n- Documentation: https://docs.puffer.fi/\n\n- [Decoding Puffer: The Future of Ethereum Restaking](https://medium.com/@puffer.fi/decoding-puffer-the-future-of-ethereum-restaking-28a8d7ee53da)\n- [Ethereum Restaking Redefined: A Deep Dive with Puffer’s CTO](https://medium.com/@puffer.fi/ethereum-restaking-redefined-a-deep-dive-with-puffers-cto-at-devconnect-2023-11f30c7a38e9)\n- [How Puffer’s Secure-Signer Reduces Slashing Risk](https://medium.com/@puffer.fi/how-puffers-secure-signer-reduces-slashing-risk-5f24dc2c57c)\n- [Demystify the Access Control Mechanism in Puffer Protocol](https://blocksec.com/blog/demystify-the-access-control-mechanism-in-puffer-protocol)\n\n\n**Non-Technical Resources:**\n\n- [Puffer Finance hits $850 million in TVL, now second-largest liquid restaking protocol](https://www.theblock.co/post/277137/puffer-finance-hits-850-million-in-tvl-now-second-largest-liquid-restaking-protocol)\n- [The Crunchy Carrot Campaign and 
Beyond](https://medium.com/@puffer.fi/the-crunchy-carrot-campaign-and-beyond-6bf2c5432923)\n- [Puffer Finance Raises $5.5M to Redefine Liquid ETH Staking](https://medium.com/@puffer.fi/a-push-for-decentralization-puffer-finance-raises-5-5m-to-redefine-liquid-eth-staking-936a61b750f7)\n- [Securing Ethereum Through Slash-Resistant and Decentralized Liquid Staking](https://medium.com/@puffer.fi/puffer-finance-securing-ethereum-through-slash-resistant-and-decentralized-liquid-staking-9da124d58752)\n- [Making a Splash in the LST Market](https://medium.com/@puffer.fi/puffer-finance-making-a-splash-in-the-lst-market-723b36a748c8)\n\n\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\n- No, this is the first deployment we have made as part of our product offering. Upgrades to come later. \n\n\n\n**Which parts of the code are you most concerned about?**\n\n- The vault logic of Open Zeppelin’s that we have overridden\n  - We are not fully compliant with ERC 4626, because we have overridden some functionality. Namely, we have overridden the maxWithdraw() function, and we are not returning a value of 0, even though withdrawals are currently paused. The specs of ERC 4626 require global and user-specific limits to be factored into the result of this function, which we do not abide by. 
Similarly, maxRedeem() has the same non-compliance with ERC 4626 specs.\n- withdraw() and redeem() are disabled\n- EigenLayer integration\n\n\n\n**What attack vectors are you most concerned about?**\n\n- We’ve upgraded the logic dealing with the vault’s total assets, so perhaps the logic to calculate the shares each user has within the vault can be examined closely to ensure the vault still works as intended and there are no attacks to mess with the original accounting code of the vault \n\n\n**Which part(s) of the system do you want whitehats to attempt to break the most?**\n\n- Being able to steal, DoS, or lock up funds\n\n**Are there any assumed invariants that you want whitehats to attempt to break?**\n\n- No unauthorized parties should be able to move or withdraw funds from the vault\n\n\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\n- Rebasing ERC20 (we will allow stETH and wstETH deposits into our vault)\n\n\n\n**What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?**\n\nMonitoring systems are only a valid reason to downgrade a bug if there is 100% certainty that the bug would be detected and fully prevented. Immunefi’s full policy and reasoning can be [read here](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring).\n\n- We are implementing BlockSec Phalcon and Hexagate monitoring to pause the contracts in case of any hack attempts on the contracts. The monitoring criteria are a work in progress and we are setting up tests in place to make sure the monitoring works as intended. \n\n\n\n**What Roles are there, and what capacities do they have?**\n\n- We have 3 different multisigs, the Community multisig, the Operations multisig, and the Pauser multisig. 
You may review their capacities within the following doc: https://blocksec.com/blog/demystify-the-access-control-mechanism-in-puffer-protocol\n\n\n\n\n\n**Are there trusted roles for which you would consider any bugs invalid, even if the roles are not intended to have that capacity?**\n\n- Since the multisig parties are trusted to behave honestly, we would consider bugs where multisig members can do malicious things as invalid\n\n\n**What external dependencies are there?**\n\n- Open Zeppelin Contracts and Open Zeppelin Upgradeable Contracts\n\n\n**Are there any unusual points about your protocol that may confuse whitehats?**\n\n- There is currently no way to withdraw or redeem assets from our vault. This is because that functionality will come later on in our product roadmap. \n\n\n**What is the test suite setup information?**\n\n- Use forge test\n- See README: https://github.com/PufferFinance/pufETH/blob/main/README.md \n\n**Public Disclosure of Known Issues**\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- Inflation attack on erc4626 vaults: https://blog.openzeppelin.com/a-novel-defense-against-erc4626-inflation-attacks \n\n**Previous Audits**\n\nPuffer Finance’s completed audit reports can be found below. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n- Slow Mist: https://github.com/slowmist/Knowledge-Base/blob/master/open-report-V2/smart-contract/SlowMist%20Audit%20Report%20-%20pufETH_en-us.pdf\n- BlockSec: https://github.com/blocksecteam/audit-reports/blob/main/solidity/blocksec_puffer_v1.0-signed.pdf\n- QuantStamp: https://github.com/PufferFinance/pufETH/blob/main/audits/Quantstamp-pufETH-v1.pdf  \n\n### Asset In Scope Policies\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are valid, but are downgraded one severity level.\n\n**Known Issue Assurance**\n\nPuffer Finance commits to providing Known Issue Assurance to bug submissions through their program. This means that Puffer Finance will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n**Primacy of Impact vs Primacy of Rules**\n\nPuffer Finance adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. 
If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1eHt8kpkfqpnvefyngLXfflgS2F5G-vgp?usp=sharing).\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/Puffer%20Finance).","boostedIntroLive":"Puffer Finance has $1 Billion TVL in these contracts needing to be secured. There is no KYC.\n\nA $50,000 USD reward pool is available for finding bugs in Puffer Finance’s codebase of about 792 nSLOC. On top of this, $200,000 will be rewarded per unique Critical bug found, and $50,000 per High, $2000 per Medium, and $1000 per Low. Puffer Finance provides rewards in USDC.\n\nPuffer Finance will respond within 24 hours on weekdays to all bug reports. 
Any technical questions and support requests can be asked directly to Puffer or Immunefi in the [Puffer Boost Discord channel](http://discord.gg/immunefi).\n\nWhen the Boost has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.","boostedIntroStartingIn":"$50,000 USD in guaranteed rewards is available for finding bugs in Puffer Finance's codebase.\n\nOn top of that, $200,000 USD will be rewarded per unique Critical severity bug found, and $50,000 per High, with duplicates being rewarded also.\n\nPuffer Finance will respond within 24 hours on weekdays to all bug reports and any technical questions can be asked directly to Puffer in the dedicated channel on Immunefi's Discord.\n\nOn Thursday Feb 22nd to kick-off the Boost Puffer will be presenting a live technical walkthrough and AMA, hosted by Immunefi in the Immunefi Discord on launch day.\n\nWhen the Boost has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\n\n[Sign up for 
updates](https://docs.google.com/forms/d/e/1FAIpQLSdwz5be41W9IrbDq4EpCO4xOi6Ps3xrJJtK_sd6fJ0kRUHgKQ/viewform?usp=sf_link)","boostedLeaderboard":[{"high":0,"name":"codesentry","critical":0,"earnings":9277,"insights":0,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"OxSCSamurai","critical":0,"earnings":6693,"insights":3,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"OxDEADBEEF","critical":0,"earnings":6390,"insights":0,"mediumLow":3,"totalValidBugs":3},{"high":0,"name":"LokiThe5th","critical":0,"earnings":5143,"insights":1,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"shadowHunter","critical":0,"earnings":3249,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"cheatcode","critical":0,"earnings":2499,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"aman","critical":0,"earnings":1699,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"dontonka","critical":0,"earnings":1699,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"yixxas","critical":0,"earnings":1699,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"MahdiKarimi","critical":0,"earnings":1699,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"grobelr","critical":0,"earnings":1699,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"MrPotatoMagic","critical":0,"earnings":1596,"insights":3,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"SAAJ","critical":0,"earnings":1200,"insights":3,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Kodak","critical":0,"earnings":1196,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"kaysoft","critical":0,"earnings":956,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"Kenzo","critical":0,"earnings":956,"insights":1,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"djxploit","critical":0,"earnings":800,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Norah","critical":0,"earnings":716,"insights":0,"mediumLow":1,"total
ValidBugs":1},{"high":0,"name":"HX000","critical":0,"earnings":716,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"honeymewn","critical":0,"earnings":716,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"offside0011","critical":0,"earnings":560,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"oxumarkhatab","critical":0,"earnings":400,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"jaraxxus","critical":0,"earnings":400,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"chainSiren","critical":0,"earnings":400,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"ox7a69","critical":0,"earnings":400,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Shaheen","critical":0,"earnings":400,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"ihtishamsudo","critical":0,"earnings":320,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"OxJoyBoy03","critical":0,"earnings":240,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"SentientX","critical":0,"earnings":240,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Cryptor","critical":0,"earnings":240,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"ladboy233","critical":0,"earnings":240,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Haxatron","critical":0,"earnings":240,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"marqymarq10","critical":0,"earnings":160,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"crazy_squirrel","critical":0,"earnings":80,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"imaybeghost","critical":0,"earnings":80,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1HawWp2fFWAO6a2brQObDago45AOBCLkm/view?usp=sharing","ecosystem":["ETH"],"endDate":"2024-03-07T08:00:00.000Z","evaluationEndDate":"2024-04-15T08:00:00.000Z","
features":["Vault","Boost","Managed Triage: Expert Assessment","Subscription Plan: Pro"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2024-02-22T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/5x7QhsDhZ5qzZtxIpF5wGL/2bddd9c86ed9b5e7b63d62f4bb894285/Screenshot_2024-02-16_at_2.34.23___PM.png","maxBounty":200000,"outOfScopeAndRules":"Puffer Depositor swap functions are in scope, but due to them being paused bugs will only be considered if they can bypass the pause mechanism. They technically pause in 2 days from now (Feb 21 2024) but we will consider them to already be paused at the beginning of this program.\n\n\nThese impacts are out of scope for this bug bounty program. \n\n**All Categories:**\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n**Blockchain/DLT & Smart Contract Specific:**\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n**Prohibited Activities:**\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"tbd","productType":["Staking"],"programOverview":"Puffer is a decentralized [native liquid restaking](https://pufferfinance.github.io/docs-dev/protocol/restaking-modules/#native-restaking-) protocol (nLRP) built on [Eigenlayer](https://www.eigenlayer.xyz/). It makes native restaking on Eigenlayer more accessible, allowing anyone to run an Ethereum Proof of Stake (PoS) validator while supercharging their rewards.\n\n\nThe current scope is only to examine the set of smart contracts we have already deployed. These smart contracts allow the depositing of stETH and allow a multisig to sign off on a transaction to deposit the stETH assets to the EigenLayer stETH Strategy smart contract. 
\n\n\n\n\nFor more information about Puffer Finance, please visit [https://www.puffer.fi/](https://www.puffer.fi/)","programType":["Smart Contract"],"project":"Audit Comp | Puffer Finance","projectType":["Defi"],"rewardsBody":"The following reward terms are a summary, for the full details read our [Puffer Finance Audit Competition Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/22778454162321-Puffer-Audit-Competition-Reward-Terms).\n\nThere is a guaranteed reward pool of $50,000.\n\nOn top of this there are additional rewards per unique bug found. These rewards are only split among those who find them:\n\n- Additional Rewards per unique Critical bug: $200k\n- Additional Rewards per unique High bug: $50k\n- Additional Rewards per unique Medium bug: $2k \n- Additional Rewards per unique Low bug: $1k \n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n**Duplicate Reward Policy**\n\nRewards from the guaranteed rewards pool are distributed evenly among all finders\n\nWhile additional rewards per unique bug finding are split with 80% going to the chief-finder and 20% being shared equally among all duplicates.\nThe chief-finder is whoever proves the highest severity level of the bug first.\n\n**Reward Payment Terms**\n\nPayouts are handled by the Puffer Finance team directly and are denominated in USD. However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.","rewardsPool":50000,"primaryPool":50000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"pufferfinance-boost","updatedDate":"2024-10-15T13:39:31.714Z","impactsBody":"Only the following impacts are accepted within this bug bounty program. 
All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.\n\n**Proof of Concept (PoC) Requirements**\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Temporary Freezing of Funds**\n\nIf the minimum threshold of temporary freezing for at least 1 hour is not met, then the report will be downgraded to Medium severity.\n\n\n\n### Miscellaneous Policies\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n\n- On OFAC's SDN list \n- Security Auditors from the audit firms that did the audit reviews of the contract (they must go through the existing business partnership for the bug report)\n- Employees of Puffer Finance, both past and present\n\n\n\n**Responsible Publication**\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n\n\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n**Feasibility Limitations**\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n\n**Immunefi Standard Badge**\n\nBy adhering to Immunefi’s best practice recommendations, Puffer Finance has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209).","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Puffer is a decentralized [native liquid restaking](https://pufferfinance.github.io/docs-dev/protocol/restaking-modules/#native-restaking-) protocol (nLRP) built on [Eigenlayer](https://www.eigenlayer.xyz/). 
It makes native restaking on Eigenlayer more accessible, allowing anyone to run an Ethereum Proof of Stake (PoS) validator while supercharging their rewards.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":4750,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 1 hour"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"USD $200,000","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"USD $50,000","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"USD $2,000","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"USD $1,000","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"zUiQi0VbqoIuitRKEO8I4","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/ActivePool.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"ActivePool.sol - 224 nSLOC","isPrimacyOfImpact":null},{"id":"5AmZb7ybgsrkofdXqNevvC","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/BorrowerOperations.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"BorrowerOperations.sol - 754 nSLOC","isPrimacyOfImpact":null},{"id":"1qVNpllzziAbUHqKdWqjgU","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/CdpManager.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"CdpManager.sol - 588 
nSLOC","isPrimacyOfImpact":null},{"id":"4LWqW9zeTBQVxxz2vNzco2","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/LiquidationLibrary.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"LiquidationLibrary.sol - 710 nSLOC","isPrimacyOfImpact":null},{"id":"hiyOrXViVCFMyYOgc7wbg","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/CollSurplusPool.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"CollSurplusPool.sol - 95 nSLOC","isPrimacyOfImpact":null},{"id":"3DoJrEzmyOblRvish3tcpi","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/EBTCToken.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"EBTCToken.sol - 223 nSLOC","isPrimacyOfImpact":null},{"id":"hgjZVTYWdIaVq4BxROBk3","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/Governor.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"Governor.sol - 127 nSLOC","isPrimacyOfImpact":null},{"id":"3aIhJF99TOIJ0GbFuy1WFD","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/PriceFeed.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"PriceFeed.sol - 496 nSLOC","isPrimacyOfImpact":null},{"id":"12aKGRJZdiiDipIrgtcYfJ","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/SortedCdps.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"SortedCdps.sol - 399 nSLOC","isPrimacyOfImpact":null},{"id":"3G1q699Ukwa5m7PJGNqkUU","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/EbtcFeed.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"EbtcFeed.sol - 105 
nSLOC","isPrimacyOfImpact":null},{"id":"3IvPrJYV2pqTGJV6SdigkL","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/ChainlinkAdapter.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"ChainlinkAdapter.sol - 93 nSLOC","isPrimacyOfImpact":null},{"id":"3gYNRUGEUZlZH18hmvSDpr","url":"https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/FixedAdapter.sol","type":"smart_contract","addedAt":"2024-02-19T08:00:00.000Z","revision":1,"description":"FixedAdapter.sol - 48 nSLOC","isPrimacyOfImpact":null},{"id":"4Es1MkvSdiQlOLSqSVbSMP","url":"https://immunefi.com/","type":"smart_contract","addedAt":"2024-02-20T17:09:25.767Z","revision":1,"description":null,"isPrimacyOfImpact":true}],"assetsBodyV2":"All eBTC contracts will be deployed shortly and the assets in the ‘assets in scope’ table above will be updated with the live contracts. These will be fully identical with the code in the github links. 
\n\nBadgerDAO’s up to date codebase can be found at https://github.com/ebtc-protocol/ebtc/tree/release-0.7 \n\n**Whitehat Educational Resources & Technical Info**\n\n\n- [Read the changelog here](https://github.com/ebtc-protocol/ebtc/pull/766) to learn the differences between this release and the [previous Code4rena contest](https://code4rena.com/audits/2023-10-badger-ebtc-audit-certora-formal-verification-competition).\n- [Primary documentation](https://docs.ebtc.finance/ebtc/)\n- [Primary Readme](https://github.com/code-423n4/2023-10-badger/blob/main/README_EBTC.md)\n- [In-depth Introductory Video](https://www.youtube.com/watch?v=QWIB4avTkt4)\n- [eBTC Cheatsheet](https://gist.github.com/GalloDaSballo/7b060bb97de09c539ec64c533dd352c6) with additional videos and an up to date list of additional resources\n- Website: [ebtc.finance](https://www.ebtc.finance/)\n- Twitter: [eBTCProtocol](https://twitter.com/eBTCprotocol)\n- [JohnnyTime eBTC Overview](https://www.youtube.com/watch?v=f2numPMZFSI&t=1s)\n- [eBTC x Immunefi Technical Walkthrough](https://www.youtube.com/watch?v=0_Tb8GitY8w)\n\n\n\n\n**Is this an upgrade of an existing system? If so, which? And what are the main differences?**\n\nNo, this is a net new protocol with no relation to past BadgerDAO projects.\n\n\n\n**Where do you suspect there may be bugs?**\n\nWe are concerned around core accounting (yield split and debt redistribution), the ability to abuse or significantly DOS the liquidation or redemption mechanics, and significant rounding errors.\n\nHere is our [full list of invariants](https://github.com/ebtc-protocol/ebtc/blob/release-0.7/packages/contracts/contracts/TestContracts/invariants/PropertiesDescriptions.sol).\n\nCalling out accounting invariants:\n\n- Cdps have a pending accounting state that is only updated when that Cdp is interacted with. 
Cdps can stay out of sync for a long time; there is no way to force them to synchronize unless the owner or approved positionManager interacts with the Cdp. \n\n- For numerical exploits, the total stETH in existence or that could be in existence must be considered. \n \n- Loss of yield must be considered relative to other changes. For example, if a bunch of positive rebases happen and then there’s a slash, and the system is not updated until that point, those positive rebases will be lost.\n \n- Max 1 wei of unallocated debt per Cdp per debt redistribution event is a theoretical maximum that can happen. With real-world values this does not add up to a meaningful amount.\n \n- SortedCdps view functions are not for on-chain users.\n\n\n**What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?**\n\nstETH is supported as collateral, which is a rebasing token. The eBTC token is “standard” as far as these properties go.\n\n\n**What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?**\n\nEmergency actions could involve:\n\n- pausing flashloans\n- pausing redemptions\n- switching from the stETH 1:1 fixed oracle to the stETH/ETH market rate oracle\n\n\n\n**What Roles are there, and what capacities do they have?**\n\nThere are a number of roles maintained by the Governor contract.\n\nIt has role-based access control that gates function signatures by role, based on [solmate RolesAuthority](https://github.com/transmissions11/solmate/blob/main/src/auth/authorities/RolesAuthority.sol).\n\n\nThe following roles exist in the system:\n\nRole 0: // The Admin, manages the setting of roles and associated properties\n\n- governor.setRoleName()\n- governor.setUserRole()\n- governor.setRoleCapability()\n- governor.setPublicCapability()\n- governor.burnCapability()\n- governor.transferOwnership()\n- governor.setAuthority()\n\n\nRole 1: // Extensible minter, can mint eBTC tokens at-will. 
Unused at the start.\n\n- ebtcToken.mint(address,uint256)\n\nRole 2: // Extensible burner, can burn eBTC tokens at will. Unused at the start.\n\n- ebtcToken.burn(address,uint256)\n- ebtcToken.burn(uint256)\n\nRole 3: // Redemption and yield split parameter manager\n\n- cdpManager.setStakingRewardSplit(uint256)\n- cdpManager.setRedemptionFeeFloor(uint256)\n- cdpManager.setMinuteDecayFactor(uint256)\n- cdpManager.setBeta(uint256)\n- cdpManager.setGracePeriod(uint256)\n\nRole 4: // Emergency pauser\n\n- cdpManager.setRedemptionsPaused(bool)\n- activePool.setFlashLoansPaused(bool)\n- borrowerOperations.setFlashLoansPaused(bool)\n\nRole 5: // Flashloan fee parameter manager\n\n- borrowerOperations.setFeeBps(uint256)\n- activePool.setFeeBps(uint256)\n\n\nRole 6: // Token sweeper. Note that the sweeping recipient is pre-set and members of this role can’t claim the tokens to themselves.\n\n- activePool.sweepToken(address,uint256)\n- collSurplusPool.sweepToken(address,uint256)\n\nRole 7: // Fee recipient sweeper\n\n- activePool.claimFeeRecipientCollShares(uint256)\n\nRole 8: // Primary oracle manager\n\n- ebtcFeed.setPrimaryOracle(address)\n\nRole 9: // Secondary oracle manager\n\n- ebtcFeed.setSecondaryOracle(address)\n\nRole 10: // Price Feed fallback manager\n\n- priceFeed.setFallbackCaller(address)\n\nRole 11: // stETH 1:1 to market rate switcher, coupled with appropriate redemption rate change. Unused initially, but intended to be given to a bot with security guardrails around conditions where the stETH/ETH feed is appropriate.\n\n- priceFeed.setCollateralFeedSource(bool)\n- cdpManager.setRedemptionFeeFloor(uint256)\n\n\n**There are five permissioned contracts**\n\n1. High Security Timelock\n\nThe ultimate governance administrator also holds most permissions. The only permissions it doesn’t have are eBTC minting and burning (which no contract has in this configuration).\n\nRoles: [0, 3, 4, 5, 6, 7, 8, 9, 10]\n\n\n2. 
Low Security Timelock\n\nA faster timelock that can perform all but the most sensitive operations.\nIt notably doesn’t have admin capabilities on the Governor, or the ability to swap the primary oracle.\n\nRoles: [3, 4, 5, 6, 7, 9, 10]\n\n\n3. Security Multisig\n\nThe higher security multisig. It can propose transactions into the high security and low security timelocks and call pausing functions directly.\n\nRoles: [4]\n\n\n4. Tech Ops Multisig\n\nThe lower security multisig. It can propose transactions into the low security timelock and call pausing functions directly.\n\nRoles: [4]\n\n\n5. Fee Recipient Multisig\n\nManages the yield split fee collections, serving as a destination for sweeping tokens.\n\nRoles: [6, 7]\n\n\n\n**What external dependencies are there?**\n\nWe’ve got a short list for eBTC.\n\n- Chainlink oracles\n- stETH token\n\n**Where might whitehats confuse out-of-scope code to be in-scope?**\n\nFiles in the repo that are not specifically in scope are the most likely source of confusion, such as test files. This project has a low number of external dependencies and doesn’t interact with much.\n\nAssume that PriceFeed.sol will never have the fallback oracle assigned; it will remain at zero. 
This governance capability can be permanently burned to enable this spec.\n \nUnbounded gas is effectively possible via poor hint selection; this is known and does not constitute an unbounded gas finding.\n\n**Are there any unusual points about your protocol that may confuse whitehats?**\n\nThe rebasing nature of the stETH token and the conversion between balances and shares.\n\n\n**What is the test suite setup information?**\n\nWe have several test suites; they can be found here:\n\n- [Hardhat test directory](https://github.com/ebtc-protocol/ebtc/tree/release-0.7/packages/contracts/test) \n- [Foundry test directory](https://github.com/ebtc-protocol/ebtc/tree/release-0.7/packages/contracts/foundry_test)\n- Several Echidna/Medusa configs\n\n\n**Public Disclosure of Known Issues**\n\nBug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. \n\n- Account's stETH balance getting lower by 1 or 2 wei due to rounding down in integer math: https://github.com/lidofinance/lido-dao/issues/442 \n\n- Theft of shares using transferSharesFrom due to math rounding issues: https://github.com/lidofinance/lido-dao/issues/796\n\n- Redeem to change partial NICR in order to grief redemption, or open a cdp that front-runs the redemption to grief the redemption: https://github.com/code-423n4/2023-10-badger-findings/issues/226 \n\n- stETH upgrade risk is considered known\n\n- Unbounded gas via poor hint selection is considered known\n\n- Chainlink misbehaviour and single privilege are considered known\n\n- Known Rounding Behaviour: Debt Redistribution Precision Loss:\n\n  - Every time a Cdp updates with one or more pending debt redistribution events, it can possibly lose 1 wei of debt to rounding. 
This 1 wei of debt will still be accounted for in systemDebt. This is “rounding against the protocol” in the sense that the systemDebt will become 1 wei higher than the sum of all active Cdp debt for each instance of this occurring. It’s unbounded. This leads to a theoretical maximum differential of 1 wei per Cdp per debt redistribution event between the sum of all active Cdp debt and the systemDebt.\n\n- Known Rounding Behaviour: Collateral Rebase Precision Loss:\n\n  - The same rounding behavior also exists during collateral rebase events, but in this case it “rounds against the user”. Each time a Cdp is updated with any pending rebases to apply, it can lose 1 wei of collateral versus what it would have mathematically, due to precision loss in division. The systemCollShares becomes 1 wei higher than the sum of all active Cdp collShares in this instance. This leads to a theoretical maximum differential of 1 wei per Cdp per rebase event between the systemCollShares and the sum of all active Cdp collShares.\n\n- SortedCdps list can get out of order with debt redistribution. This is considered acceptable and does not affect liquidations, only redemption ordering.\n\n**Previous Audits**\n\nBadgerDAO has provided these completed audit review reports for reference. 
Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n- RiskDAO: https://github.com/Risk-DAO/Reports/blob/main/eBTC.pdf\n- Trust: https://badger.com/images/uploads/trust-ebtc-audit-report.pdf\n- Spearbit: https://badger.com/images/uploads/ebtc-security-review-spearbit.pdf\n- Cantina: https://badger.com/images/uploads/ebtc-security-review-cantina.pdf\n- Code4rena: https://code4rena.com/reports/2023-10-badger\n- Shung: https://gist.github.com/Shungy/ebeb9366e970ecbf4da1eda296581e47\n\n### Asset In Scope Policies\n\n**Asset Accuracy Assurance**\n\nBugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.\n\n**Private Known Issues Reward Policy**\n\nPrivate known issues, meaning known issues that were not publicly disclosed, are considered valid, but will be downgraded by one severity.\n\n**Known Issue Assurance**\n\nBadgerDAO commits to providing Known Issue Assurance to bug submissions through their program. This means that BadgerDAO will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission. \n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.\n\n**Primacy of Impact vs Primacy of Rules**\n\nBadgerDAO adheres to the Primacy of Impact for all impacts.\n\nPrimacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. 
For more information, please see [Best Practices: Primacy of Impact ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)\n\nWhen submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.\n\nIf the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.","boostedIntroEvaluating":"","boostedIntroFinished":"Audit Competition cards for security researchers with paid reports are available [here](https://drive.google.com/drive/folders/1iULI4qlQkE6VCJFGdcnjw9TlBid7z6lQ?usp=sharing).\n\nAll paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/BadgerDAO%20(eBTC).","boostedIntroLive":"$200,000 USD is available in rewards for finding bugs in eBTC’s codebase of about 5000 nSLOC. There is no KYC and anyone may participate, except for official contributors that are currently involved (past contributors may participate).\n\nBadgerDAO, the creators of eBTC, will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to BadgerDAO or Immunefi in the [BadgerDAO Boost Discord channel](https://discord.com/channels/787092485969150012/1207523219880280104).\n\nWhen the Boost has ended Immunefi will publish an event-specific leaderboard and bug reports from the event. \n\nThe Boost is primarily concerned with the loss of user funds.","boostedIntroStartingIn":"$200,000 USD is available in rewards for finding bugs in eBTC’s codebase of about 5000 nSLOC. 
There is no KYC and anyone may participate, except for official contributors that are currently involved (past contributors may participate).\n\nBadgerDAO, the creators of eBTC, will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to BadgerDAO or Immunefi in the [BadgerDAO Boost Discord channel](https://discord.com/channels/787092485969150012/1207523219880280104).\n\nWhen the Boost has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.\n\nTo kick-off the launch BadgerDAO will be presenting a [live technical walkthrough and AMA](https://discord.com/events/787092485969150012/1207964956167897098), hosted by Immunefi. It starts Monday at 4:30pm UTC+0.\n\n[Sign up for the Boost here](https://docs.google.com/forms/d/e/1FAIpQLSf0lo3wkUsWPUMutcV1xliBEU9-c8Dcwh0YjAkROGak8bZtUw/viewform).","boostedLeaderboard":[{"high":0,"name":"Stormy","critical":0,"earnings":20517,"insights":1,"mediumLow":2,"totalValidBugs":2},{"high":0,"name":"moonsimon","critical":0,"earnings":11034,"insights":2,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"holydevoti0n","critical":0,"earnings":10000,"insights":0,"mediumLow":1,"totalValidBugs":1},{"high":0,"name":"shanb1605","critical":0,"earnings":1724,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"savi0ur","critical":0,"earnings":1724,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"cheatcode","critical":0,"earnings":1552,"insights":3,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"cryptonoob2k","critical":0,"earnings":862,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"OxG0P1","critical":0,"earnings":862,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Hunterx2","critical":0,"earnings":517,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"thomastech","critical":0,"earnings":517,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Mirrors"
,"critical":0,"earnings":517,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Saediek","critical":0,"earnings":172,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":"https://drive.google.com/file/d/1CrK9PWe8BhGmoWNb5NIjXqN50dF2mwJx/view?usp=sharing","ecosystem":["ETH"],"endDate":"2024-03-04T08:00:00.000Z","evaluationEndDate":"2024-04-09T20:00:00.000Z","features":["Boost","Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity","JavaScript"],"launchDate":"2024-02-19T08:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4l9J9IrYDQDKEKDRro6liJ/8f307a05a51e20350ce7e82dc207c109/ebtc.png","maxBounty":200000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n**All Categories:**\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n\n**Blockchain/DLT & Smart Contract Specific:**\n\n- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n\n\n**Prohibited Activities:**\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"tbd","productType":["Lending","Synthetic Assets"],"programOverview":"eBTC is a collateralized crypto asset soft pegged to the price of Bitcoin and built on the Ethereum network. It is based on the Liquity protocol and backed exclusively by Staked Ether (stETH). The protocol is designed with an immutable core with minimized counterparty reliance and governance. \n\nIt’s designed to be the most decentralized synthetic BTC in DeFi and offers the ability for anyone in the world to borrow BTC at no cost.\n\n\nAfter locking up stETH as collateral and creating an individual position called a CDP, the user can get instant liquidity by minting eBTC. 
Each CDP is required to be collateralized at a fixed minimum ratio determined by the protocol.\n\nThe redemption and liquidation mechanisms help ensure that stability is maintained through economically-driven user interactions and arbitrage, rather than through active governance or monetary interventions.\n\neBTC is built by [BadgerDAO](https://badger.com/). For more information about eBTC, please visit [twitter](https://twitter.com/eBTCprotocol) and the [docs](https://docs.ebtc.finance/ebtc/).","programType":["Smart Contract"],"project":"Audit Comp | eBTC","projectType":["Defi"],"rewardsBody":"The reward pool will be fully distributed among participants. The size depends on the bugs found:\n\n- If no High or Critical severity bugs are found the reward pool will be $50,000 USD\n- If one or more High severity bugs are found the reward pool will be $100,000 USD\n- If one or more Critical severity bugs are found the reward pool will be $200,000 USD\n\n\nFor this audit competition, duplicates and private known issues are valid for a reward.\n\nThese reward terms are a summary, for the full details read our [eBTC Audit Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/22591362396689-eBTC-Audit-Competition-Reward-Terms).\n\nRewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). \n\n**Reward Payment Terms**\n\nPayouts are handled by the BadgerDAO team directly and are denominated in USD. 
However, payments are done in USDC.\n\nRewards will be distributed all at once based on Immunefi’s distribution terms after the event has concluded and the final bug reports have been resolved.","rewardsPool":200000,"primaryPool":200000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"ebtc-boost","updatedDate":"2024-10-15T13:38:06.461Z","impactsBody":"**Proof of Concept (PoC) Requirements**\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).\n\n**Impacts caused by exploiting external dependencies**\n\nCritical & High severity impacts caused by exploiting external dependencies (such as Chainlink oracles and OpenZeppelin libraries) are considered valid and in-scope; however, they will be downgraded to Medium severity from the assessed impact.\n\nMedium & Low severity impacts caused by exploiting external dependencies (such as Chainlink oracles and OpenZeppelin libraries) are considered invalid and out-of-scope from the assessed impact.\n\n**Feasibility Limitations**\n\nFor a Critical or High severity impact related to Loss of Yield, Precision Loss or insolvency the issue needs to demonstrate a loss higher than $500 with a 2 stETH Cdp (which would be the minimal threshold for insolvency for eBTC).\n\nMagnitude matters when evaluating the validity of Critical & High severity impacts. Notably when discussing theft of funds, protocol insolvency, and theft of unclaimed yield. With this protocol, assume:\n\n- System TVL is between $1m and $1b at $2500 ETH. 
Meaning 400 stETH to 400,000 stETH total collateral\n- Absolute value of loss must be greater than 10% to qualify as protocol insolvency because any damage below 10% will not cause protocol insolvency in the worst case scenario due to the minimum Collateral Ratio being 110%.\n- 100,000 maximum Cdps\n- No more than 36,500 rebases and 10,000 bad debt redistribution events\n\nPoCs that demonstrate impacts with conditions outside of this range will be considered valid but downgraded to Medium severity due to practical infeasibility.\n\n### Miscellaneous Policies\n\n**Eligibility Criteria**\n\nSecurity researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:\n- On OFAC's SDN list\n- Official contributors that are currently involved (past contributors may participate)\n\n**Responsible Publication**\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n\n- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.\n\nImmunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.\n\n**Feasibility Limitations**\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. 
Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/articles/16913132495377-Feasibility-Limitation-Standards) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"eBTC is a collateralized crypto asset soft pegged to the price of Bitcoin and built on the Ethereum network. It is based on the Liquity protocol and backed exclusively by Staked Ether (stETH). The protocol is designed with an immutable core with minimized counterparty reliance and governance. ","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":23,"type":"smart_contract","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":4748,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 15 minutes"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":30,"type":"smart_contract","severity":"medium","title":"Block stuffing"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":14,"type":"smart_contract","severity":"critical","title":"Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results"},{"id":4749,"type":"smart_contract","severity":"critical","title":"Direct theft of 2 stETH worth of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"}],"rewards":[{"level":"critical","payout":"USD $200,000","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"USD $100,000","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"USD $50,000","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"USD $50,000","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"4mvglDK3LEFLbNp3K5clPn","url":"https://etherscan.io/address/0xf2991507952d9594e71a44a54fb19f3109d213a5#code","type":"smart_contract","addedAt":"2023-11-20T16:00:00.000Z","revision":1,"description":"Timelock for DepositContractProxy","isPrimacyOfImpact":null},{"id":"05o5wmKiDXx1laZpssx8j","url":"https://etherscan.io/address/0x0d2ec0a5858730e7d49f5b4ae6f2c665e46c1d9d#code","type":"smart_contract","addedAt":"2023-11-20T16:00:00.000Z","revision":1,"description":"Timelock for 
ExchangeProxy","isPrimacyOfImpact":null},{"id":"3s5SW75jd5UG18nVoWvhJr","url":"https://etherscan.io/address/0x54D7aE423Edb07282645e740C046B9373970a168#code","type":"smart_contract","addedAt":"2023-11-20T16:00:00.000Z","revision":1,"description":"DepositContractProxy","isPrimacyOfImpact":null},{"id":"3t1bnnf9qptsJycPUjn4nk","url":"https://etherscan.io/address/0x9C07A72177c5A05410cA338823e790876E79D73B#code","type":"smart_contract","addedAt":"2023-11-20T16:00:00.000Z","revision":1,"description":"ExchangeProxy","isPrimacyOfImpact":null},{"id":"5FhS0NYHXiKWO1bmiH40An","url":"https://etherscan.io/address/0x2028834B2c0A36A918c10937EeA71BE4f932da52#code","type":"smart_contract","addedAt":"2023-11-20T16:00:00.000Z","revision":1,"description":"Gnosis Multisig","isPrimacyOfImpact":null}],"assetsBodyV2":"__Assets in Scope__\n\nAll impacts resulting from the introduction of the code listed in scope are in scope for this audit competition.\n\nAll impacts not resulting from the introduction of the code listed in scope should be submitted to [DeGate’s normal bug bounty program](https://immunefi.com/bounty/degate/) instead.\n\nImpacts on test files, mock files, and configuration files are out of scope, unless stated otherwise in the bug bounty program.\n\nTimelock contracts source code (a fork from Compound): [https://github.com/degatedev/protocols/blob/degate1.1.0/packages/loopring_v3/contracts/thirdparty/timelock](https://github.com/degatedev/protocols/blob/degate1.1.0/packages/loopring_v3/contracts/thirdparty/timelock)\n\nUpgradability contracts source code: [https://github.com/degatedev/protocols/blob/degate1.1.0/packages/loopring_v3/contracts/thirdparty/proxies](https://github.com/degatedev/protocols/blob/degate1.1.0/packages/loopring_v3/contracts/thirdparty/proxies)\n\nDocumentation directly pertaining to the in scope code can be found at: 
[https://github.com/degatedev/protocols/commit/180138015197c886ec3c87efa8bf0031b653359f#commitcomment-132582143](https://github.com/degatedev/protocols/commit/180138015197c886ec3c87efa8bf0031b653359f#commitcomment-132582143)\n\n__Further Resources__\n\nDeGate is especially interested in bugs in how this new code interacts with their older code.\n\nAll of DeGate’s smart contract code, including out of scope smart contract code, can be found at [https://github.com/degatedev/protocols/tree/degate1.1.0/packages/loopring_v3/contracts](https://github.com/degatedev/protocols/tree/degate1.1.0/packages/loopring_v3/contracts), along with the [Protocol Specification Docs](https://github.com/degatedev/protocols/blob/degate1.1.0/DeGate%20Protocol%20Specification%20Document.md?utm_source=immunefi), [Circuit Design Docs](https://github.com/degatedev/protocols/blob/degate1.1.0/Circuit%20Design.md?utm_source=immunefi) and [Smart Contract Design Docs.](https://github.com/degatedev/protocols/blob/degate1.1.0/Smart%20Contract%20Design.md?utm_source=immunefi)\n\nDeGate Testnet is currently live on [https://testnet.degate.com,](https://testnet.degate.com) and more details can be found in the product documentation ([https://docs.degate.com/v/product_en/readme](https://docs.degate.com/v/product_en/readme)).\n\nTo ask DeGate or Immunefi questions directly, join the [DeGate Audit Competition Discord channel.](https://discord.com/channels/787092485969150012/1173840561455775744)\n\n__Previous Audits & Known Issues__\n\nPrivate known issues, meaning known issues which were not publicly disclosed, are valid for a partial reward. 
If a bug found during the event requires an immediate fix then that bug will be considered a publicly known issue as soon as the fix is deployed.\nDeGate’s completed audit reports and known issues can be found at:\n\n- Previous Code: \nhttps://github.com/degatedev/protocols/blob/degate_mainnet/packages/loopring_v3/security_audit/Trailofbits%20-%20DeGate%20Final%20Audit%20Report.pdf \n- Previous Code: https://github.com/degatedev/protocols/blob/degate_mainnet/packages/loopring_v3/security_audit/Least%20Authority%20-%20DeGate%20DAO%20DeGate%20Smart%20Contracts%20Updated%20Final%20Audit%20Report.pdf \n- Previous Code:\nhttps://github.com/degatedev/protocols/blob/degate_mainnet/packages/loopring_v3/security_audit/Least%20Authority%20-%20DeGate%20Technology%20DeGate%20zk-SNARK%20Circuit%20Final%20Audit%20Report.pdf\n- Previous Code: https://github.com/degatedev/protocols/blob/degate_mainnet/packages/loopring_v3/security_audit/DeGate_Report_EN-final2023.pdf \n- Previous Code: https://github.com/degatedev/protocols/blob/degate_mainnet/packages/loopring_v3/security_audit/DeGate_Report_EN-final20230912.pdf  \n- Latest Code:\nhttps://github.com/degatedev/protocols/blob/degate1.1.0/packages/loopring_v3/security_audit/DeGate_Report_EN-20231115.pdf\n\nAny unfixed vulnerabilities mentioned in these reports are not eligible for a reward.\n\n__Known Issue Assurance__\n\nDeGate commits to providing Known Issue Assurance to bug submissions through their program. This means that DeGate will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission.\n\nIn a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. 
Otherwise, assuming the bug report is valid, it would result in the report being considered as in scope, and due a reward.\n\n__Primacy of Impact vs Primacy of Rules__\n\nThis timeboxed bug bounty adheres to the Primacy of Rules, which means that the whole timeboxed bug bounty program is run strictly under the terms stated on this page.\n\nIf your bug report demonstrates an impact which does not originate from or depend on the assets in scope of this timeboxed bug bounty program then it may be valid for a reward on [DeGate’s normal bug bounty program](https://immunefi.com/bounty/degate/), which utilizes Primacy of Impact.","boostedIntroEvaluating":"","boostedIntroFinished":"All paid bug reports are available in original format [here](https://github.com/immunefi-team/Bounty_Boosts/tree/main/DeGate).","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[{"high":0,"name":"infosec_us_team","critical":0,"earnings":7000,"insights":3,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"yttriumzz","critical":0,"earnings":3000,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"dontonka","critical":0,"earnings":3000,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"p4rsely","critical":0,"earnings":3000,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"ThreeHrSleep","critical":0,"earnings":2500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"neth","critical":0,"earnings":2500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Shogoki","critical":0,"earnings":2500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"JCN2023","critical":0,"earnings":2500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Merkle_Bonsai","critical":0,"earnings":2500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"lordagnew","critical":0,"earnings":2500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"savi0ur","critical":0,"earnings":1500,"insights"
:2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"ongrid","critical":0,"earnings":1500,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"CanYeRest298751","critical":0,"earnings":1000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"said","critical":0,"earnings":1000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"kank","critical":0,"earnings":1000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"piken","critical":0,"earnings":1000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Paludo0x","critical":0,"earnings":1000,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"SentientX","critical":0,"earnings":1000,"insights":2,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"cheatcode","critical":0,"earnings":1000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"OxSCSamurai","critical":0,"earnings":1000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"peterm","critical":0,"earnings":1000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Madalad","critical":0,"earnings":1000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"v0id","critical":0,"earnings":1000,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"EricTee","critical":0,"earnings":750,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"KaloMen","critical":0,"earnings":750,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"hoshiyari","critical":0,"earnings":500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Bauchibred","critical":0,"earnings":500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"xBentley","critical":0,"earnings":500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"conqueror","critical":0,"earnings":500,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"copperscrewer","critical":0,"earnings":250,"insights":2,"mediumLow":0,"totalValidBugs
":0},{"high":0,"name":"ZanyBonzy","critical":0,"earnings":250,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"naraion","critical":0,"earnings":250,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Kodak","critical":0,"earnings":250,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"Breeje","critical":0,"earnings":250,"insights":1,"mediumLow":0,"totalValidBugs":0},{"high":0,"name":"whunter","critical":0,"earnings":250,"insights":1,"mediumLow":0,"totalValidBugs":0}],"boostedSummaryReport":null,"ecosystem":["ETH"],"endDate":"2023-12-04T09:00:00.000Z","evaluationEndDate":"2023-12-21T09:00:00.000Z","features":["Managed Triage: Time Saver"],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["C/C++","Go","Solidity"],"launchDate":"2023-11-20T16:00:00.000Z","logo":"https://images.ctfassets.net/t3wqy70tc3bv/3IdBeRLWUgyzNlQMTxcsLk/e46540438fbcd3e556c45e1769418263/DeGate_logo.jpeg","maxBounty":400000,"outOfScopeAndRules":"These impacts are out of scope for this bug bounty program. \n\n__All Categories:__\n\n- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n\n__Blockchain/DLT & Smart Contract Specific:__\n\n- Incorrect data supplied by third party oracles\n   - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 
51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks\n- Impacts involving balance changes and authority freezes caused by the token contract itself, such as rebase tokens\n- Impacts involving the need to use more than 300 ETH in gas fees to force entry into Exodus Mode through block stuffing, storage occupation, or executing other potential economic attacks.\n\n__Prohibited Activities:__\n\n- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n\n__Responsible Publication__\n\nWhitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:\n- Out-of-scope bugs which are in-scope for DeGate’s normal bug bounty program may not be published. Such bug reports are to be submitted to [DeGate’s normal bug bounty program.](https://immunefi.com/bounty/degate/)\n- Bug reports in mediation may not be published until mediation has concluded.\n\nImmunefi may publish bug reports submitted to this audit competition.","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","smart_contract - low"],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"Only the following (custom) impacts are accepted within this bug bounty program. 
All other impacts are not considered as in scope, even if they affect something in the assets in scope table.","productType":["Asset Management","DEX","L2"],"programOverview":"__Audit Competition Overview__\n\nA total of $400,000 USD in rewards is available in this audit competition. A baseline reward pool of $50,000 USD will be distributed among participants even if no valid bugs are found. For this audit competition, duplicates and private known issues are valid for a reward.\n\nDeGate will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to DeGate or Immunefi in the [DeGate Audit Competition Discord channel.](https://discord.com/channels/787092485969150012/1173840561455775744)\n\nWhen the audit competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event. \n\nDeGate deployed approximately 500 nSLOC designed to allow them to upgrade their contracts. This new code is the target of this audit competition. DeGate is most interested in bugs in how their new contracts were deployed and how they interact with their protocol.\n\nA high level overview of the code which is in scope for this audit competition can be found here: [https://github.com/degatedev/protocols/commit/180138015197c886ec3c87efa8bf0031b653359f#commitcomment-132582143](https://github.com/degatedev/protocols/commit/180138015197c886ec3c87efa8bf0031b653359f#commitcomment-132582143)\n\nOnly the proxies themselves are in scope for this audit competition. Bugs in the implementation contracts are out of scope, but are valid for a reward in [DeGate's normal bug bounty program,](https://immunefi.com/bounty/degate/) and should be submitted there instead.\n\n__Project Overview__\n\n[DeGate](https://degate.com/) is a decentralized orderbook exchange (DEX) built on the Ethereum blockchain that utilizes zero-knowledge technology. 
DeGate DEX offers spot market trading with limit orders and also offers a grid trading function.\n\nDeGate operates as a decentralized autonomous organization (DAO). The DEX platform is focused on being user-friendly and is built on the principle of Trustlessness. With DeGate’s unique Efficient Gas Saving technology, users can expect super-low gas fees while using a decentralized protocol. Another critical component of DeGate is the Permissionless Listing feature which enables any token to be listed in a permissionless manner on DeGate’s orderbook DEX.\n\nFor more information about DeGate, visit [https://docs.degate.com](https://docs.degate.com)","programType":["Smart Contract"],"project":"Audit Comp | DeGate","projectType":["Defi","Exchange"],"rewardsBody":"This audit competition has $400,000 USD in rewards split across 3 reward pools. $300,000 is allocated to the Criticals reward pool, $50,000 to the Highs reward pool, and $50,000 to the Baseline rewards pool.\n\n__Reward Payment Terms__\n\nPayouts are handled by the DeGate team directly and are denominated in USD. However, payouts are done in USDC.\n\nRewards will be distributed all at once after the event has concluded and the final bug reports have been resolved.\n\nThe following reward rules are a summary, for an in-depth explanation read our [Reward Distribution Rules article](https://immunefisupport.zendesk.com/hc/en-us/articles/20215594250385-DeGate-s-Boosted-Bug-Bounty-Reward-Distribution-Rules). The reward mechanisms are designed to reward all high quality whitehat work, with the greatest rewards for Critical issues and unique findings.\n\n__Duplicate & Private Known Issue Reward Policy__\n\nDuplicate bug reports which are in-scope for this event are considered valid and will be rewarded in a Sybil-resistant manner. 
Attempts to abuse the duplicate reward policy will result in a ban and forfeit of all rewards.\nPrivate known issues, meaning bugs known to the project but not publicly disclosed, which are in scope for this event are considered valid and will be rewarded at a reduced rate of 25%.\n\n__Baseline Reward Pool__\n\nThe $50,000 USD baseline reward pool is distributed among all participants. 80% is split among all valid report submissions based on the bug’s severity. 20% is distributed at Immunefi’s discretion to highly valuable reports, even if they’re technically invalid, and other significant contributions.\nThe entire baseline reward pool will be distributed even if no valid bugs are found.\n\n__Criticals Reward Pool__\n\nThe $300,000 USD Criticals reward pool is distributed among all valid Critical severity reports. This reward pool is split among all Critical bug submissions with 80% going to the primary finder and 20% going to all other finders in a Sybil-resistant way. The primary finder is the first whitehat to demonstrate how the bug is Critical severity.\nIf no Critical severity bugs are found then this reward pool is not distributed.\n\n__Highs Reward Pool__\n\nThe $50,000 USD Highs reward pool is distributed among all valid High severity reports. This reward pool is split among all High bug submissions with 80% going to the primary finder and 20% going to all other finders in a Sybil-resistant way. 
The primary finder is the first whitehat to demonstrate how the bug is High severity.\nIf no High severity bugs are found then this reward pool is not distributed.","rewardsPool":50000,"primaryPool":50000,"allStarsPool":0,"podiumPool":0,"rewardsToken":"USDC","slug":"boosteddegatebugbounty","updatedDate":"2024-10-15T13:36:17.735Z","impactsBody":"__Proof of Concept (PoC) Requirements__\n\nA PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)\n\n__List of ERC20, ERC721, and ERC777 that DeGate Can Interact With:__\n\n- DeGate is permissionless and can interact with all ERC20s. However, impacts involving balance changes and authority freezes caused by the token contract itself are out of scope, such as rebase tokens\n- ERC721 and ERC777 are incompatible with DeGate\n\n__Validity of bugs dependent on 100% trusted actors or privileged addresses:__\n\n- DeGate is built on the principle of Trustlessness, or ‘Can’t do evil’. Impacts due to the unintended functionality of an Operator are especially valuable and valid for a reward.\n- DeGate is interested in all impacts caused by the unintended functionality of multisig owners. Such bugs are in scope and valid for a reward, with the exception of impacts dependent on the multisig owners proposing new malicious code that will only take effect after a 45-day delay.\n\n__Repeatable Attack Limitations__\n\n- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk. 
\n- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.\n\n__Feasibility Limitations__\n\nThe project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of [feasibility limitation standards](https://immunefisupport.zendesk.com/hc/en-us/sections/18488140853905-Feasibility-Limitations) which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.","websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"DeGate deployed approximately 500 nSLOC designed to allow them to upgrade their contracts. 
This new code is the target of this audit competition","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":null,"defaultOutOfScopeWebAndApplications":null,"defaultOutOfScopeGeneral":null,"defaultFeasibilityLimitations":null,"defaultProhibitedActivities":null,"customOutOfScopeInformation":null,"customProhibitedActivities":[],"impacts":[{"id":4570,"type":"smart_contract","severity":"low","title":"Circuit fails to work correctly, but doesn’t lose value (Zero Knowledge Proof Circuit)"},{"id":34,"type":"smart_contract","severity":"low","title":"Contract fails to deliver promised returns, but doesn't lose value"},{"id":4571,"type":"smart_contract","severity":"high","title":"Theft of funds from the Default Deposit Contract that requires malicious actions from the DeGate Operator."},{"id":4572,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds from the Default Deposit Contract that requires malicious actions from the DeGate Operator."},{"id":4573,"type":"smart_contract","severity":"high","title":"Direct theft of user funds from the Default Deposit Contract that is less than 1,000,000 USD."},{"id":4574,"type":"smart_contract","severity":"high","title":"Permanent freezing of funds in the Default Deposit Contract that is less than 2,500,000 USD."},{"id":4575,"type":"smart_contract","severity":"high","title":"Force DeGate into Exodus Mode"},{"id":4576,"type":"smart_contract","severity":"high","title":"Impact of this malicious contract verification through zk-proof"},{"id":4577,"type":"smart_contract","severity":"high","title":"The amount of tokens in the L2 is inconsistent with that of the L1, except for Non-Standard tokens (Zero Knowledge Proof Circuit)"},{"id":4578,"type":"smart_contract","severity":"high","title":"Climbing blocks fails to recovery the asset tree (Zero Knowledge Proof Circuit)"},{"id":4579,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds: Minimum freezing of 15 days 
(Zero Knowledge Proof Circuit)"},{"id":4580,"type":"smart_contract","severity":"high","title":"Prevent new token from registering (Zero Knowledge Proof Circuit)"},{"id":4581,"type":"smart_contract","severity":"high","title":"Steal trading fee or gas fee (Zero Knowledge Proof Circuit)"},{"id":4582,"type":"smart_contract","severity":"high","title":"Prevent new users from registering (Zero Knowledge Proof Circuit)"},{"id":4583,"type":"smart_contract","severity":"high","title":"The account cannot be used (Zero Knowledge Proof Circuit)"},{"id":4584,"type":"smart_contract","severity":"high","title":"Theft of unclaimed rewards"},{"id":4585,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed rewards"},{"id":4586,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds: Minimum 24hrs"},{"id":4587,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. 
no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":4588,"type":"smart_contract","severity":"critical","title":"Direct theft of funds exceeding 1,000,000 USD from the Default Deposit Contract"},{"id":4589,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds exceeding 2,500,000 USD in the Default Deposit Contract."}],"rewards":[{"level":"critical","payout":"Pool of USD $300,000","assetType":"smart_contract","pocRequired":true},{"level":"high","payout":"Pool of USD $50,000","assetType":"smart_contract","pocRequired":true},{"level":"medium","payout":"Pool of USD $50,000 (baseline)","assetType":"smart_contract","pocRequired":true},{"level":"low","payout":"Pool of USD $50,000 (baseline)","assetType":"smart_contract","pocRequired":true}],"audits":[]},{"assets":[{"id":"7pbzFsckos6zUIMWFFMlyN","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Comptroller/ComptrollerCommonImpl.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Comptroller/ComptrollerCommonImpl","isPrimacyOfImpact":null},{"id":"qXcA6JAmPwiD6QPG83wKz","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Comptroller/ComptrollerInterface.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Comptroller/ComptrollerInterface","isPrimacyOfImpact":null},{"id":"7K7mO67qsgyOCv0XcbjzXd","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Comptroller/ComptrollerPart1.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Comptroller/ComptrollerPart1","isPrimacyOfImpact":null},{"id":"1WVtEYH58nRpZh93q0OVaw","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Comptrolle
r/ComptrollerPart2.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Comptroller/ComptrollerPart2","isPrimacyOfImpact":null},{"id":"7jM2tXPevNqlKPGoSR45GR","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Comptroller/ComptrollerStorage.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Comptroller/ComptrollerStorage","isPrimacyOfImpact":null},{"id":"4zrPMCuI1daYCZLkHlxFj1","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Comptroller/Unitroller.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Comptroller/Unitroller","isPrimacyOfImpact":null},{"id":"3vgiXOa2zmEYpfcME5yse8","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Governance/PBXToken.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Governance/PBXToken","isPrimacyOfImpact":null},{"id":"45ZOst0CDIzeQYjcflFmZ7","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/InterestRateModels/BaseJumpRateModelV2.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"InterestRateModels/BaseJumpRateModelV2","isPrimacyOfImpact":null},{"id":"6ffNozn9E9aYTSGkRfbVTw","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/InterestRateModels/DAIInterestRateModelV3.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"InterestRateModels/DAIInterestRateModelV3","isPrimacyOfImpact":null},{"id":"6qcsC97A5tgrkWr1SLw4C","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/InterestRateModels/InterestRateModelInterface.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"InterestRateModels/InterestRateModelInterface","isPrimacyOfImpact":null},{"id":"3UIgjXM3XER5ylbkVrGBC7","url":"https://
github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/InterestRateModels/JumpRateModel.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"InterestRateModels/JumpRateModel","isPrimacyOfImpact":null},{"id":"23Jak5psC4h1J31O4f3XQL","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/InterestRateModels/JumpRateModelV2.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"InterestRateModels/JumpRateModelV2","isPrimacyOfImpact":null},{"id":"7yzCtsZftLb7SdfkRV8s4L","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/InterestRateModels/LegacyInterestRateModel.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"InterestRateModels/LegacyInterestRateModel","isPrimacyOfImpact":null},{"id":"4sFwekCOUEZeM9shovwqmT","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/InterestRateModels/LegacyJumpRateModelV2.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"InterestRateModels/LegacyJumpRateModelV2","isPrimacyOfImpact":null},{"id":"1e6qS0EQHDTB3LVgcgkrp4","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/InterestRateModels/WhitePaperInterestRateModel.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"InterestRateModels/WhitePaperInterestRateModel","isPrimacyOfImpact":null},{"id":"2vc0FGeCbwxmkusaQFkcDM","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Interfaces/AaveInterfaces.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Interfaces/AaveInterfaces","isPrimacyOfImpact":null},{"id":"7BcAvNeHdTbK4grBeenBkr","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Interfaces/Api3Interfaces.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revisio
n":1,"description":"Interfaces/Api3Interfaces","isPrimacyOfImpact":null},{"id":"e7jzIeZ6Ex6kim02CQLHo","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Interfaces/EIP20Interface.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Interfaces/EIP20Interface","isPrimacyOfImpact":null},{"id":"1N5i9SlAV1CSI01yt9foXH","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Interfaces/EIP20NonStandardInterface.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Interfaces/EIP20NonStandardInterface","isPrimacyOfImpact":null},{"id":"7FlYJvipXg7KHRncACgPV1","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Interfaces/UniswapV2Interfaces.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Interfaces/UniswapV2Interfaces","isPrimacyOfImpact":null},{"id":"35yl92pOich3onj4xhZ3y0","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Interfaces/UniswapV3Interfaces.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Interfaces/UniswapV3Interfaces","isPrimacyOfImpact":null},{"id":"ILB3Zr9ed5hkvopEfrsf3","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PToken/PErc20.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PToken/PErc20","isPrimacyOfImpact":null},{"id":"4CALhqKFsNAJkRfYwV4ngC","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PToken/PErc20Delegate.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PToken/PErc20Delegate","isPrimacyOfImpact":null},{"id":"Y0g4rlJouNzboQBhXMTAq","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PToken/PErc20Delegator.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"descripti
on":"PToken/PErc20Delegator","isPrimacyOfImpact":null},{"id":"2vrktdx4wfCd1MASBxhiur","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PToken/PErc20Immutable.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PToken/PErc20Immutable","isPrimacyOfImpact":null},{"id":"3W0Mtx34h8UYpLSDoLTX3Z","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PToken/PEther.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PToken/PEther","isPrimacyOfImpact":null},{"id":"21V508dFCGdN7PG9XSZ2ga","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PToken/PToken.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PToken/PToken","isPrimacyOfImpact":null},{"id":"7udT29WnTa58DgcPd6PyKA","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PToken/PTokenInterfaces.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PToken/PTokenInterfaces","isPrimacyOfImpact":null},{"id":"5a7jCtVtwRC8qWgvqyVZIK","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/ArbitrumPriceOracle.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PriceOracle/ArbitrumPriceOracle","isPrimacyOfImpact":null},{"id":"474iIiPOBlR3OxyHjD09Wl","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/GoerliPriceOracle.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PriceOracle/GoerliPriceOracle","isPrimacyOfImpact":null},{"id":"4Y4678mjleX8l4NiTP9jQD","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/PolygonPriceOracle.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PriceOracle/PolygonPriceOracle","isPrimacyOfImpact
":null},{"id":"UljDjYDGKgWUVxljxdVj1","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/PriceOracleInterface.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PriceOracle/PriceOracleInterface","isPrimacyOfImpact":null},{"id":"5zY5J1MR1CqaDd6NJSXSMO","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/RinkebyPriceOracle.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PriceOracle/RinkebyPriceOracle","isPrimacyOfImpact":null},{"id":"5Zwwy6fwR32K4lHNUZ7rnm","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/SimplePriceOracle.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PriceOracle/SimplePriceOracle","isPrimacyOfImpact":null},{"id":"6HE9v51xiaqYCWEOGPzDKU","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/Impl/Api3PriceOracle.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PriceOracle/Impl/Api3PriceOracle","isPrimacyOfImpact":null},{"id":"4DHQqAUdMhStAn3pEHcyWy","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/Impl/ChainlinkPriceOracle.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PriceOracle/Impl/ChainlinkPriceOracle","isPrimacyOfImpact":null},{"id":"UNgvaaWW9nGXU0vsgVu9c","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/Impl/PriceOracleCommonImpl.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"PriceOracle/Impl/PriceOracleCommonImpl","isPrimacyOfImpact":null},{"id":"6BB3qsCHqgWsqlTrRrvPDz","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/PriceOracle/Impl/StablecoinsPriceOracle.sol","type":"smart_contract","addedAt":"2022-10-
13T13:00-06:00","revision":1,"description":"PriceOracle/Impl/StablecoinsPriceOracle","isPrimacyOfImpact":null},{"id":"6QKKCYmx9i2QMkPna0vi0i","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Utils/ExponentialNoError.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Utils/ExponentialNoError","isPrimacyOfImpact":null},{"id":"1AtztW3pGcEwXDNQIMIBU0","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Utils/Ownable.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Utils/Ownable","isPrimacyOfImpact":null},{"id":"5McAGquBJcwrQJ8fsELE5F","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Utils/SafeMath.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Utils/SafeMath","isPrimacyOfImpact":null},{"id":"7iBFNzVghCJ68SEYNCNC08","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Utils/Timelock.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Utils/Timelock","isPrimacyOfImpact":null},{"id":"6TihjUAsm4myxCD0S402vB","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/ErrorReporter.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"ErrorReporter","isPrimacyOfImpact":null},{"id":"5vyoM4rk7i1tcrQK9xu7Mj","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Liquidator.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Liquidator","isPrimacyOfImpact":null},{"id":"iurzmBwelFMogXI0SpozI","url":"https://github.com/Paribus/paribus-protocol-contracts/blob/main/contracts/Maximillion.sol","type":"smart_contract","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Maximillion","isPrimacyOfImpact":null},{"id":"7APynx1nZb0SivjdHE0LEl","url":"https://testnet.app.par
ibus.io/","type":"websites_and_applications","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Web/App","isPrimacyOfImpact":null},{"id":"3V06HzpM3AI38nGAr3hnip","url":"https://paribus.io","type":"websites_and_applications","addedAt":"2022-10-13T13:00-06:00","revision":1,"description":"Web/App","isPrimacyOfImpact":null}],"assetsBodyV2":"All smart contracts of Paribus can be found at [https://github.com/Paribus/paribus-protocol-contracts](https://github.com/Paribus/paribus-protocol-contracts). However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.\n\nIf a Critical/High severity impact can be caused to any other asset managed by Paribus that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project.","boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["Arbitrum","ETH"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":false,"language":["Solidity"],"launchDate":"2022-10-13T13:00-06:00","logo":"https://images.ctfassets.net/t3wqy70tc3bv/4Jbo3K6tOpiDYBvIexddcd/ccdd734170f3f739eb7efd8ca914da7f/Paribus_Logo__1_.png","maxBounty":20000,"outOfScopeAndRules":"The following vulnerabilities are excluded from the rewards for this bug bounty program:\n\n  - Attacks that the reporter has already exploited themselves, leading to damage\n  - Attacks requiring access to leaked keys/credentials\n  - Attacks requiring access to privileged addresses (governance, strategist)\n\n__Smart Contracts and Blockchain__\n  - Incorrect data supplied by third party oracles\n    - Not to exclude oracle manipulation/flash loan attacks\n  - Basic economic governance attacks (e.g. 
51% attack)\n  - Lack of liquidity\n  - Best practice critiques\n  - Sybil attacks\n  - Centralization risks\n\n__Websites and Apps__\n  - Theoretical vulnerabilities without any proof or demonstration\n  - Attacks requiring physical access to the victim device\n  - Attacks requiring access to the local network of the victim\n  - Reflected plain text injection ex: url parameters, path, etc.\n    - This does not exclude reflected HTML injection with or without javascript\n    - This does not exclude persistent plain text injection\n  - Self-XSS\n  - Captcha bypass using OCR without impact demonstration\n  - CSRF with no state modifying security impact (ex: logout CSRF)\n  - Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n  - Server-side non-confidential information disclosure such as IPs, server names, and most stack traces\n  - Vulnerabilities used only to enumerate or confirm the existence of users or tenants\n  - Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n  - Lack of SSL/TLS best practices\n  - DDoS vulnerabilities\n  - Feature requests\n  - Issues related to the frontend without concrete impact and PoC\n  - Best practices issues without concrete impact and PoC\n  - Vulnerabilities primarily caused by browser/plugin defects\n  - Leakage of non sensitive api keys ex: etherscan, Infura, Alchemy, etc.\n  - Any vulnerability exploit requiring browser bugs for exploitation. ex: CSP bypass\n\nThe following activities are prohibited by this bug bounty program:\n\n  - Any testing with mainnet or public testnet contracts; all testing should be done on private testnets\n  - Any testing with pricing oracles or third party smart contracts\n  - Attempting phishing or other social engineering attacks against our employees and/or customers\n  - Any testing with third party systems and applications (e.g. 
browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n  - Any denial of service attacks\n  - Automated testing of services that generates significant amounts of traffic\n  - Public disclosure of an unpatched vulnerability in an embargoed bounty","pocPerTypeAndSeverity":["smart_contract - critical","smart_contract - high","smart_contract - medium","websites_and_applications - critical","websites_and_applications - high"],"primaryPaymentWallet":"OtherNonEVML1","prioritizedVulnerabilities":"Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.","productType":["Lending","Synthetic Assets"],"programOverview":"Paribus is a cross-chain borrowing and lending protocol for NFTs, liquidity positions, and synthetic assets, building for the Cardano blockchain.\n\nAs DeFi moves forward, innovators are uncovering transformational ways to store and represent value on-chain.\n\nParibus’ mission is to unlock the true potential of these assets, evolving them into interoperable financial instruments, capable of being used within DeFi protocols, on any chain.\n\nFor more information about Paribus, please visit [https://paribus.io/](https://paribus.io/).","programType":["Smart Contract","Websites and Applications"],"project":"Paribus","projectType":["Defi","NFT"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.\n\nAll bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. 
Explanations and statements are not accepted as PoC and code is required. \n\nIn addition, all bug reports must come with a suggestion for a fix in order to be considered for a reward.\n\nAll previously known issues highlighted in the following audit report are considered as out of scope: \n  - [https://hacken.io/audits/#paribus](https://hacken.io/audits/#paribus)\n\nPayouts are handled by the __Paribus__ team directly and are denominated in USD. However, payouts are done in __PBX__.","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"PBX","slug":"paribus","updatedDate":"2024-04-08T19:00:06.380Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Paribus is a cross-chain borrowing and lending protocol for NFTs, liquidity positions, and synthetic assets, building for the Cardano blockchain.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"  - Best practice critiques","customProhibitedActivities":[],"impacts":[{"id":3435,"type":"blockchain_dlt","severity":"high","title":"Theft of unclaimed yield"},{"id":25,"type":"smart_contract","severity":"high","title":"Permanent freezing of unclaimed yield"},{"id":3436,"type":"smart_contract","severity":"high","title":"Temporary freezing of funds for at least 5 minutes"},{"id":3437,"type":"websites_and_applications","severity":"high","title":"Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc."},{"id":3438,"type":"websites_and_applications","severity":"high","title":"Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc."},{"id":3439,"type":"websites_and_applications","severity":"high","title":"Improperly disclosing confidential user information such as email address, phone number, physical address, etc."},{"id":49,"type":"websites_and_applications","severity":"high","title":"Subdomain takeover without already-connected wallet 
interaction"},{"id":29,"type":"smart_contract","severity":"medium","title":"Smart contract unable to operate due to lack of token funds"},{"id":3440,"type":"smart_contract","severity":"medium","title":"Block stuffing for profit"},{"id":31,"type":"smart_contract","severity":"medium","title":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"},{"id":32,"type":"smart_contract","severity":"medium","title":"Theft of gas"},{"id":33,"type":"smart_contract","severity":"medium","title":"Unbounded gas consumption"},{"id":15,"type":"smart_contract","severity":"critical","title":"Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield"},{"id":17,"type":"smart_contract","severity":"critical","title":"Permanent freezing of funds"},{"id":3441,"type":"smart_contract","severity":"critical","title":"Miner-extractable value (MEV)"},{"id":22,"type":"smart_contract","severity":"critical","title":"Protocol insolvency"},{"id":35,"type":"websites_and_applications","severity":"critical","title":"Execute arbitrary system commands"},{"id":3442,"type":"websites_and_applications","severity":"critical","title":"Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)"},{"id":37,"type":"websites_and_applications","severity":"critical","title":"Taking down the application/website"},{"id":3443,"type":"websites_and_applications","severity":"critical","title":"Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc."},{"id":42,"type":"websites_and_applications","severity":"critical","title":"Direct theft of user 
funds"},{"id":3444,"type":"websites_and_applications","severity":"critical","title":"Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions"}],"rewards":[{"id":5664,"severity":"high","assetType":"smart_contract","fixedReward":10000,"rewardModel":"fixed"},{"id":5665,"severity":"medium","assetType":"smart_contract","fixedReward":1000,"rewardModel":"fixed"},{"id":5666,"severity":"critical","assetType":"websites_and_applications","fixedReward":10000,"rewardModel":"fixed"},{"id":5667,"severity":"high","assetType":"websites_and_applications","fixedReward":5000,"rewardModel":"fixed"},{"id":8260,"severity":"critical","assetType":"smart_contract","fixedReward":20000,"rewardModel":"fixed"}],"audits":[]},{"assets":[{"id":"1X73flgDkn8WX1OQnVykO0","url":"https://github.com/money-on-chain/main-RBTC-contract","type":"smart_contract","addedAt":"2022-02-19T08:16:44.036Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"5xHZ8A0KUKySUOkd6yzaMQ","url":"https://github.com/money-on-chain/price-feeder","type":"websites_and_applications","addedAt":"2022-02-19T08:16:46.633Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"NpxYCdVLzzh7l1Sj1fThZ","url":"https://github.com/money-on-chain/py_Moneyonchain","type":"smart_contract","addedAt":"2022-05-04T04:31:28.617Z","revision":1,"description":"py_Moneyonchain","isPrimacyOfImpact":null},{"id":"3qhvW1aJGq4gwFTOhvcw3E","url":"https://github.com/money-on-chain/RDOC-Contract","type":"smart_contract","addedAt":"2022-02-19T08:16:53.871Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"6vy0yKaLcmqyT5mI3155tL","url":"https://github.com/money-on-chain/Areopagus-Governance","type":"smart_contract","addedAt":"2022-02-19T08:16:56.776Z","revision":1,"description":null,"isPrimacyOfImpact":null},{"id":"4HX2jk7IEdGQieLhG74Jr2","url":"https://github.com/money-on-chain/Amphiraos-Oracle","type":
"smart_contract","addedAt":"2022-05-04T04:31:08.803Z","revision":1,"description":"Amphiraos-Oracle","isPrimacyOfImpact":null}],"assetsBodyV2":null,"boostedIntroEvaluating":"","boostedIntroFinished":"","boostedIntroLive":"","boostedIntroStartingIn":"","boostedLeaderboard":[],"boostedSummaryReport":null,"ecosystem":["RSK"],"endDate":null,"evaluationEndDate":null,"features":[],"hideAssetsInScope":null,"immunefiStandard":true,"inviteOnly":false,"kyc":true,"language":["Solidity"],"launchDate":"2021-01-14T00:00-07:00","logo":"https://images.ctfassets.net/t3wqy70tc3bv/1OsrVnYDfPNy8a3qWntuk4/9d26ef24ff56bf9ff6c71a6c1e90c84d/MoneyonChain-logo.png","maxBounty":10000,"outOfScopeAndRules":"The following vulnerabilities are excluded from the rewards for this bug bounty\nprogram:\n\n- Attacks that the reporter has already exploited themselves, leading to damage\n- Attacks that rely on social engineering\n- Attacks requiring access to leaked keys/credentials\n\n**Smart Contracts/Blockchain**\n\n- Incorrect data supplied by third party oracles\n- Not to exclude oracle manipulation/flash loan attacks\n- Basic economic governance attacks (e.g. 
51% attack)\n- Lack of liquidity\n- Best practice critiques\n- Sybil attacks\n\n**Websites and Apps**\n\n- Theoretical vulnerabilities without any proof or demonstration\n- Content spoofing / Text injection issues\n- Self-XSS\n- Captcha bypass using OCR\n- CSRF with no security impact (logout CSRF, change language, etc.)\n- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security\n  flags (such as “httponly”)\n- Server-side information disclosure such as IPs, server names, and most stack\n  traces\n- Vulnerabilities used to enumerate or confirm the existence of users or\n  tenants\n- Vulnerabilities requiring unlikely user actions\n- URL Redirects (unless combined with another vulnerability to produce a more\n  severe vulnerability)\n- Lack of SSL/TLS best practices\n- DDoS vulnerabilities\n- Attacks requiring privileged access from within the organization\n\n**The following vulnerabilities are not sought after for website bug reports:**\n\n- Theoretical vulnerabilities without any proof or demonstration\n- Content spoofing / Text injection issues\n- Self-XSS\n- Captcha bypass using OCR\n- CSRF with no security impact (logout CSRF, change language, etc.)\n- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security\n  flags (such as “httponly”)\n- Server-side information disclosure such as IPs, server names, and most stack\n  traces\n- Vulnerabilities used to enumerate or confirm the existence of users or\n  tenants\n- Vulnerabilities requiring unlikely user actions\n- URL Redirects (unless combined with another vulnerability to produce a more\n  severe vulnerability)\n- Lack of SSL/TLS best practices\n- DDoS vulnerabilities\n- Attacks requiring privileged access from within the organization\n\n**The following activities are prohibited by bug bounty program:**\n\n- Any testing with mainnet or public testnet contracts; all testing should be\n  done on private testnets\n- Any testing with pricing oracles or third party smart 
contracts\n- Attempting phishing or other social engineering attacks against our employees\n  and/or customers\n- Any testing with third party systems and applications (e.g. browser\n  extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks\n- Automated testing of services that generates significant amounts of traffic\n- Disassembly or reverse engineering of binaries for which source code is not\n  published, not including smart contract bytecode\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n","pocPerTypeAndSeverity":[],"primaryPaymentWallet":"EVM","prioritizedVulnerabilities":"We are especially interested in receiving and rewarding vulnerabilities of the\nfollowing types:\n\n**Smart Contracts/Blockchain:**\n\n- Re-entrancy\n- Logic errors\n  - Including user authentication errors\n- Solidity/EVM details not considered\n  - Including integer over-/under-flow\n  - Including unhandled exceptions\n- Trusting trust/dependency vulnerabilities\n  - Including composability vulnerabilities\n- Oracle failure/manipulation\n- Novel governance attacks\n- Economic/financial attacks\n  - Including flash loan attacks\n- Congestion and scalability\n  - Including running out of gas\n  - Including block stuffing\n  - Including susceptibility to frontrunning\n- Consensus failures\n- Cryptography problems\n  - Signature malleability\n  - Susceptibility to replay attacks\n  - Weak randomness\n  - Weak encryption\n- Susceptibility to block timestamp manipulation\n- Missing access controls / unprotected internal or debugging interfaces\n\n**Websites and Apps:**\n\n- Remote Code Execution\n- Trusting trust/dependency vulnerabilities\n- Vertical Privilege Escalation\n- XML External Entities Injection\n- SQL Injection\n- LFI/RFI\n- Horizontal Privilege Escalation\n- Stored XSS\n- Reflective XSS with impact\n- CSRF\n- CSRF with impact\n- Direct object reference\n- Internal SSRF\n- Session fixation\n- Insecure 
Deserialization\n- Direct object reference\n- Path Traversal\n- DOM XSS\n- SSL misconfigurations\n- SSL/TLS issues (weak crypto, improper setup)\n- URL redirect\n- Clickjacking\n- Misleading Unicode text (e.g. using right to left override characters)\n- Coercing the application to display/return specific text to other users","productType":["Stablecoin","Staking"],"programOverview":"Money On Chain brings Bitcoin to mass adoption. To that end, it offers\nsolutions to meet the needs of different types of users: a fully\nBitcoin-collateralized stablecoin (DoC), a Bitcoin on steroids conceived for\nthe long term bitcoin holder (BPro), and a dizzying bitcoiner option for lovers\nof leveraged trading (BTCx). All this, without requiring the delivery of\nprivate keys. To make this possible, we developed a unique\nmathematical-financial model with proven robustness, even in extreme market\nsituations. Money On Chain - Bringing Bitcoin into the mainstream.\n\nMoney on Chain is interested in securing its smart contracts, oracle, and price\nfeeder app and is primarily interested in preventing the loss of user funds.","programType":["Smart Contract","Websites and Applications"],"project":"Money on Chain","projectType":["Defi"],"rewardsBody":"Rewards are distributed according to the impact of the vulnerability based on\nthe [Immunefi Vulnerability Severity Classification System](/severity-system/). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.\n\nThe final payout amount may be affected by the exploitability of the\nvulnerability. Payouts are handled by **Money on Chain** directly and are\ndenominated in **USD**. 
However, payouts are done in **DOC**\n(Bitcoin-collateralized stablecoin).","rewardsPool":0,"primaryPool":0,"allStarsPool":0,"podiumPool":0,"rewardsToken":"DOC","slug":"moneyonchain","tenPercentEconomicRule":false,"updatedDate":"2024-04-08T18:56:41.638Z","impactsBody":null,"websiteUrl":null,"githubUrl":null,"eligibilityCriteria":[],"responsiblePublicationCategory":null,"description":"Money On Chain brings Bitcoin to mass adoption. To that end, it offers solutions to meet the needs of different types of users: a fully Bitcoin-collateralized stablecoin (DoC), a Bitcoin on steroids conceived for the long term bitcoin holder (BPro), and a dizzying bitcoiner option for lovers of leveraged trading (BTCx). All this, without requiring the delivery of private keys.","knownIssues":[],"defaultOutOfScopeBlockchain":null,"defaultOutOfScopeSmartContract":"- Incorrect data supplied by third party oracles\n  - Not to exclude oracle manipulation/flash loan attacks\n- Impacts requiring basic economic and governance attacks (e.g. 51% attack)\n- Lack of liquidity impacts\n- Impacts from Sybil attacks\n- Impacts involving centralization risks","defaultOutOfScopeWebAndApplications":"- Theoretical impacts without any proof or demonstration\n- Impacts involving attacks requiring physical access to the victim device\n- Impacts involving attacks requiring access to the local network of the victim\n- Reflected plain text injection (e.g. url parameters, path, etc.)\n  - This does not exclude reflected HTML injection with or without JavaScript\n  - This does not exclude persistent plain text injection\n- Any impacts involving self-XSS\n- Captcha bypass using OCR without impact demonstration\n- CSRF with no state modifying security impact (e.g. 
logout CSRF)\n- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact\n- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces\n- Impacts causing only the enumeration or confirmation of the existence of users or tenants\n- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows\n- Lack of SSL/TLS best practices\n- Impacts that only require DDoS\n- UX and UI impacts that do not materially disrupt use of the platform\n- Impacts primarily caused by browser/plugin defects\n- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)\n- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)\n- SPF/DMARC misconfigured records)\n- Missing HTTP Headers without demonstrated impact\n- Automated scanner reports without demonstrated impact\n- UI/UX best practice recommendations\n- Non-future-proof NFT rendering","defaultOutOfScopeGeneral":"- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage\n- Impacts caused by attacks requiring access to leaked keys/credentials\n- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed\n- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code\n- Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github will be considered out of scope without proof that they are in-use in production\n- Best practice recommendations\n- Feature requests\n- Impacts on test files and configuration files unless stated otherwise in the bug bounty program\n- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers","defaultFeasibilityLimitations":"The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.\n\nTherefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.\n- [Chain Rollbacks](https://immunefisupport.zendesk.com/hc/en-us/articles/16913153448721-Chain-Rollbacks)\n- [Pre-Impact Bug Monitoring](https://immunefisupport.zendesk.com/hc/en-us/articles/19430444320401-Pre-Impact-Bug-Monitoring)\n- [Attack Investment Amount](https://immunefisupport.zendesk.com/hc/en-us/articles/17243068885265-Attack-Investment-Amount)\n- [Attacks With A Financial Risk To The Attacker](https://immunefisupport.zendesk.com/hc/en-us/articles/17454897136401-Attacks-With-A-Financial-Risk-To-The-Attacker)\n- [When Is An Impactful Attack Downgraded To Griefing?](https://immunefisupport.zendesk.com/hc/en-us/articles/17455102268305-When-Is-An-Impactful-Attack-Downgraded-To-Griefing)","defaultProhibitedActivities":"- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or 
mainnet\n- Any testing with pricing oracles or third-party smart contracts\n- Attempting phishing or other social engineering attacks against our employees and/or customers\n- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)\n- Any denial of service attacks that are executed against project assets\n- Automated testing of services that generates significant amounts of traffic\n- Public disclosure of an unpatched vulnerability in an embargoed bounty\n- [Any other actions prohibited by the Immunefi Rules](https://immunefi.com/rules/)","customOutOfScopeInformation":"- Best practice critiques\n- Vulnerabilities requiring unlikely user actions\n- URL Redirects (unless combined with another vulnerability to produce a more\n- Attacks requiring privileged access from within the organization","customProhibitedActivities":["- Disassembly or reverse engineering of binaries for which source code is not   published, not including smart contract bytecode"],"impacts":[{"id":198,"type":"smart_contract","severity":"low","title":"Low Smart Contract Impact"},{"id":199,"type":"smart_contract","severity":"high","title":"High Smart Contract Impact"},{"id":200,"type":"smart_contract","severity":"medium","title":"Medium Smart Contract Impact"},{"id":201,"type":"smart_contract","severity":"critical","title":"Critical Smart Contract Impact"}],"rewards":[{"id":26934,"severity":"critical","assetType":"smart_contract","maxReward":10000,"rewardModel":"up_to","rewardCalculationPercentage":10},{"id":26935,"severity":"high","assetType":"smart_contract","maxReward":5000,"rewardModel":"up_to"},{"id":26936,"severity":"medium","assetType":"smart_contract","maxReward":3000,"rewardModel":"up_to"},{"id":26937,"severity":"low","assetType":"smart_contract","maxReward":1000,"rewardModel":"up_to"}],"audits":[]}]