AUTOfinance Bug Bounty Program
GENERAL INFORMATION
AUTOfinance Autopools were developed to address the many challenges liquidity providers (LPs) face when optimizing for best performance. No protocol currently offers a fully autonomous, transparent and sophisticated rebalancing solution focused solely on liquidity provision.
This dedicated approach offers great value not only to LPs, but also to a wide range of other ecosystem participants, making liquidity provision accessible.
For more information about AUTOfinance, please visit:
Assets type: Smart Contracts, Websites and Applications
Chains: ETH
Programming language: Solidity
Product types: DeFi, Web app
Project categories: Asset Management, Other
PAYOUTS
Smart Contracts and Websites and Applications
Critical: $50,000 - $250,000
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
High: $40,000
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
Medium: $4,000
- Unbounded gas consumption (unless otherwise noted)
- Block stuffing for profit
Low: $1,000
- Smart contract fails to deliver promised returns, but doesn't lose value
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
Informational: Not eligible
PROGRAM DETAILS
To determine the final reward amount, the likelihood of a meaningful impact on availability, integrity, and/or loss of funds is considered. The final decision on the payout amount will be determined by the AUTOfinance team at its discretion.
This bug bounty program covers the AUTOfinance smart contracts and app and is focused on preventing the following impacts:
- Loss of funds
- Any function that is outside the intended behavior of the smart contracts
- Redirection of funds
- Injection of text
PoC Requirements
All bug reports are required to come with a PoC. A suggestion for a fix is also required for all severity levels.
Critical smart contract vulnerabilities are further capped at 10% of economic damage, primarily taking into consideration funds at risk, at the discretion of the team. However, there is a minimum reward of USD 50,000. Rewards for critical smart contract bugs have the potential to be paid out over time at $50k USD value per month.
All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. Smart contracts bug reports are required to include a runnable PoC in order to prove impact. Exceptions may be made in cases where the vulnerability is objectively evident from simply mentioning the vulnerability and where it exists. However, the bug reporter may be required to provide a PoC at any point in time.
Upgrade/Pause Considerations
If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.
For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.
Payouts
Payouts are handled by the AUTOfinance team directly and are denominated in USD. However, payouts are done in ETH, TOKE, or stablecoins, at the discretion of the team.
All contracts of AUTOfinance can be found at https://docs.auto.finance/developer-docs/contracts-overview/contract-addresses. However, only those listed in-scope below, and not referenced in the out-of-scope section are considered for the program.
If the whitehat discovers an impact to any other asset managed by AUTOfinance that is not listed in the table but falls under the Impacts in Scope section below, they are encouraged to submit it for consideration by the project.
PROHIBITED ACTIVITIES
- Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
ASSETS IN SCOPE
Smart Contracts and Websites and Applications
In Scope:
- Contracts under /src with the exceptions noted below: https://github.com/Tokemak/v2-core-pub
- Deployed contracts: https://docs.auto.finance/developer-docs/contracts-overview/contract-addresses
Out of Scope - Contracts:
- Contracts related to Maverick
- /external/*
- /interfaces/*
- /lens/*
- /liquidation/LiquidationExecutor.sol
- /stats/Chainlink*.sol
- /staking/*
OUT OF SCOPE IMPACTS
All Categories (Contracts and Web App)
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses
- Impacts relying on attacks involving the depegging of an external Liquid Staking Token (LST) or Liquid Restaking Token (LRT) where the attacker does not directly cause the depegging due to a bug in our code
- Impacts that involve frontrunning transactions, i.e., impacts that require users to send transactions through the public mempool
- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub
- Best practice recommendations
- Feature requests
- Impacts on test, scripts, or configuration files unless stated otherwise
- Incorrect data supplied by third party oracles
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Issues already reported
- Any items listed in previous audits: https://docs.auto.finance/developer-docs/security-and-audits
Smart Contracts
- Parameter safety checks on admin functions, i.e. zero-address checks or missing "matching System Registry" checks
- Issues around the base asset of an Autopool not being ETH/WETH
- ERC4626 spec adherence
- ERC20 Permit DOS
- Autopool profit unlock being lowered or disabled by an admin
- Assets being left in the AutopilotRouter
- Out-of-gas via large withdraw()/redeem() calls on the Autopool
- Extra / leftover auto-compounding rewards due to timing when rebalancing in or out of a Destination
- Extra fees being taken due to an increased frequency of Autopool debt reporting due to price or reserve manipulation
- Unrealized value loss that would normally go to the Autopool during withdraw that is inside the credit or bounds of the Autopool's last valuation of the tokens, taking into account oracle price deviations
- Autopool valuation movement due to price or reserve manipulation
- Valuation differences in accumulated rewards during liquidations resulting in higher or lower distributions back to the DestinationVaults
- Stale or uncovered swap paths in the SwapRouter
- Impacts due to stale debt reporting
- Slippage checks during entry or exit of the Autopool (covered in the router)
- Autopool shares minted over limit due to fees
- Destinations/Strategy relying on a calculator before its warm-up period is complete
- Snapshotting functions protected via roles being accessible through Keepers
- Calculator values that do not exactly reflect current values or what their name strictly implies; they are filtered metrics
- Lack of liquidity impacts
- Gas optimizations
- Impacts involving centralization risks
- Impacts affecting only the state of implementation contracts
- Out of date documentation
- "Missed opportunity" yield due to calculator misconfigurations/calculations are capped at a Medium
- "Missed opportunity" yield due to rebalances being performed