/opportunities /leaderboard[/welcome](Discover Cantina)

[/login](Log in)[/signup](Sign up)

Kiln OmniVault Bounty

@kilnfi Live

https://x.com/Kiln_finance https://github.com/kilnfi https://www.kiln.fi/

Total reward

$500,000

No deposit required

Findings submitted

Start date

9 Sep 2024

Please sign in as a researcher to join the bounty.

[/login](Log in)

?overviewTab=0&assetGroup=0

Kiln OmniVault enables non-custodial platforms to propose DeFi yield products (like lending supply or rwa distributor) where users can deposit any amount of ERC20 on a vault while remaining the only one able to access their staked assets.

The goal of these EVM Smart Contracts is to enable:

Users to deposit to supported protocols with a common 4626 interface
Enable Integrators, and any third parties enabled by the integrator to have a fee on the rewards generated or on the deposit, dispatched on-chain This Bug Bounty is focused on Kiln OmniVault Smart Contracts only, all items regarding dApps or indexing / reporting stacks are out of scope but can be submitted at mailto:[email protected].

For more information about Kiln OmniVault, please visit https://www.kiln.fi/omnivault

Smart Contracts in Scope

Core Contracts

Connectors

Active vaults:

An active vault is any vault listed below that is not paused. Even if not explicitly listed here, the Kiln core and connector contracts used by the active vaults listed below are also in scope. See the two tables above for mainnet Kiln core and connector contracts as a reference.

Documentation for the assets provided in the table can be found at https://docs.kiln.fi/v1/kiln-products/defi.

Severity Definitions

Smart Contracts severity levels

Critical:

Complete loss of funds or permanent freezing of funds

High:

Theft of unclaimed yield, or Permanent freezing of unclaimed yield
Temporary freezing of funds > 2 days (excluding potential delay due to an oracle).

Medium:

Smart contracts inoperable due to lack of funds
Griefing or unbounded gas consumption
Theft of any commission/fees

A PoC is required for the following severity levels:

Smart Contract:
Critical
High
Medium

Rewards

Rewards for Smart Contract Bugs

Reward Levels

Critical: Upto 500,000, Minimum payout 100,000 Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.

High: Upto 50,000, Minimum payout 20,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided. In case of a temporary freeze of funds, reward is proportional to the amount of funds locked and increases as the freeze duration increases up until the maximum cap of the High severity levels.

Medium: Upto 20,000, Minimum payout $5,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided.

The bug bounty will have a hard cap of $1,000,000. In the case of multiple bug findings are submitted that exceed this amount, the rewards will be distributed on a first come first served basis.

Out of Scope

These impacts are out of scope for this bug bounty program. General:

Consequences resulting from exploits the reporter has already carried out, which lead to damage.
Issues caused by attacks that require access to leaked keys or credentials.
Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
References to secrets, access tokens, API keys, private keys, etc., that are not being used in production. Smart Contracts:
Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
Problems related to insufficient liquidity.
Issues stemming from Sybil attacks.
Concerns involving risks of centralization.
Suggestions for best practices. Roles:
Admin, proxy admin, hatcher admin, treasury, oracles and other admin roles are trusted to behave properly and in the best interest of the users. They should not be considered as malicious. Submission citing malicious behaviour of these roles will be considered invalid.

Known Issues

Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.

https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b

Specific Types of Issues

Informational findings.
Design choices related to protocol.
Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
Rounding errors.
Relatively high gas consumption.
Extreme market turmoil vulnerability.

Disclosure

Researchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:

Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.
Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.
During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.
After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.
The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.
If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.

Eligibility

Security researchers who fall under any of the following are ineligible for a reward

Any person included on the List of Specially Designated Nationals and Blocked Persons maintained by the US Treasury Department’s Office of Foreign Assets Control (OFAC) or on any list pursuant to European Union (EU) and/or United Kingdom (UK) regulations.

KYC

The following information is required for payments:

If the claim comes from an individual:
The first names, surnames, date and place of birth of the person concerned
A Valid ID
If the claim comes from a business:
Legal form, name, registration number and address of the registered office
Valid certificate of incorporation
List of shareholders/directors

Prohibited Actions

Live testing on public chains, including public mainnet deployments and public testnet deployments.
We recommend testing on local forks, for example using foundry.
Public disclosure of bugs without the consent of the protocol team.
Any denial of service attacks that are executed against project assets
Automated testing of services that results in a denial of service
Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
Attempting phishing or other social engineering attacks against our employees and/or customers

Other Terms

By submitting a report, you grant Kiln the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Kiln. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.