Pendle Bounty
Bounty Range: $2,000,000 - $2,000,000
@pendle-finance Live
https://x.com/pendle_fi
https://github.com/pendle-finance
https://www.pendle.finance
Total reward: $2,000,000
Deposit required: $100
Findings submitted: 72
Start date: 14 Jun 2024
Pendle is the first protocol that enables the trading of tokenized future yield on an AMM system. The project aims to give holders of yield-generating assets the opportunity to generate additional yield and to lock in future yield upfront, while offering traders direct exposure to future yield streams, without the need for an underlying collateral.
Further resources about Pendle can be found at https://pendle.finance/
The bug bounty program is focused on Pendle's smart contracts and is mostly concerned with the loss of user funds.
We aim for reports with a clear, actionable outcome. A report is eligible for a reward under this program only if all of the following are true:
Pendle has adopted the SEAL (Security Alliance) Whitehat Safe Harbor framework. Safe Harbor is intended for active exploits (i.e., hacks-in-progress), where whitehats may need to intervene to rescue funds and return them with clear pre-authorization and rules of engagement.
Authoritative references (please read these first):
If you intend to perform any rescue actions, you must follow the Safe Harbor requirements and parameters defined in the links above (including where rescued assets must be returned). In particular:
The following table contains the addresses of Pendle V2 system contracts across chains where Pendle V2 has been deployed.
Type | Ethereum | Optimism | Sonic | Arbitrum | BSC | Mantle | Base | Bera | HyperEVM
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
pyYtLpOracle | https://etherscan.io//address/0x9a9fa8338dd5e5b2188006f1cd2ef26d921650c2 | https://optimistic.etherscan.io//address/0x9a9fa8338dd5e5b2188006f1cd2ef26d921650c2 | https://sonicscan.org//address/0x9a9fa8338dd5e5b2188006f1cd2ef26d921650c2 | https://arbiscan.io//address/0x9a9fa8338dd5e5b2188006f1cd2ef26d921650c2 | https://bscscan.com//address/0x9a9fa8338dd5e5b2188006f1cd2ef26d921650c2 | https://manyscan.io//address/0x9a9fa8338dd5e5b2188006f1cd2ef26d921650c2 | https://basescan.org//address/0x9a9fa8338dd5e5b2188006f1cd2ef26d921650c2 | https://berascan.com//address/0x9a9fa8338dd5e5b2188006f1cd2ef26d921650c2 | https://hyperevmscan.io//address/0x9a9fa8338dd5e5b2188006f1cd2ef26d921650c2
router | https://etherscan.io//address/0x888888888889758F76e7103c6CbF23ABbF58F946 | https://optimistic.etherscan.io//address/0x888888888889758F76e7103c6CbF23ABbF58F946 | https://sonicscan.org//address/0x888888888889758F76e7103c6CbF23ABbF58F946 | https://arbiscan.io//address/0x888888888889758F76e7103c6CbF23ABbF58F946 | https://bscscan.com//address/0x888888888889758F76e7103c6CbF23ABbF58F946 | https://manyscan.io//address/0x888888888889758F76e7103c6CbF23ABbF58F946 | https://basescan.org//address/0x888888888889758F76e7103c6CbF23ABbF58F946 | https://berascan.com//address/0x888888888889758F76e7103c6CbF23ABbF58F946 | https://hyperevmscan.io//address/0x888888888889758F76e7103c6CbF23ABbF58F946
routerFacets.ActionAddRemoveLiqV3 | https://etherscan.io//address/0x663C21103915B68e9dA797CfdF3cAb01a037D5Ff | https://optimistic.etherscan.io//address/0x663C21103915B68e9dA797CfdF3cAb01a037D5Ff | https://sonicscan.org//address/0x663C21103915B68e9dA797CfdF3cAb01a037D5Ff | https://arbiscan.io//address/0x663C21103915B68e9dA797CfdF3cAb01a037D5Ff | https://bscscan.com//address/0x663C21103915B68e9dA797CfdF3cAb01a037D5Ff | https://manyscan.io//address/0x663C21103915B68e9dA797CfdF3cAb01a037D5Ff | https://basescan.org//address/0x663C21103915B68e9dA797CfdF3cAb01a037D5Ff | https://berascan.com//address/0x663C21103915B68e9dA797CfdF3cAb01a037D5Ff | https://hyperevmscan.io//address/0x663C21103915B68e9dA797CfdF3cAb01a037D5Ff
routerFacets.ActionCallbackV3 | https://etherscan.io//address/0x997FBC511a8Ad11F84a400feACD66E2A3fa805d2 | https://optimistic.etherscan.io//address/0x997FBC511a8Ad11F84a400feACD66E2A3fa805d2 | https://sonicscan.org//address/0x7b78F36aBf6cF3C6C0dd54716dFeF0607ae17846 | https://arbiscan.io//address/0x997FBC511a8Ad11F84a400feACD66E2A3fa805d2 | https://bscscan.com//address/0x997FBC511a8Ad11F84a400feACD66E2A3fa805d2 | https://manyscan.io//address/0x997FBC511a8Ad11F84a400feACD66E2A3fa805d2 | https://basescan.org//address/0x997FBC511a8Ad11F84a400feACD66E2A3fa805d2 | https://berascan.com//address/0x7b78F36aBf6cF3C6C0dd54716dFeF0607ae17846 | https://hyperevmscan.io//address/0x7b78F36aBf6cF3C6C0dd54716dFeF0607ae17846
routerFacets.ActionMiscV3 | https://etherscan.io//address/0x373Dba2055Ad40cb4815148bC47cd1DC16e92E44 | https://optimistic.etherscan.io//address/0x373Dba2055Ad40cb4815148bC47cd1DC16e92E44 | https://sonicscan.org//address/0x373Dba2055Ad40cb4815148bC47cd1DC16e92E44 | https://arbiscan.io//address/0x373Dba2055Ad40cb4815148bC47cd1DC16e92E44 | https://bscscan.com//address/0x373Dba2055Ad40cb4815148bC47cd1DC16e92E44 | https://manyscan.io//address/0x373Dba2055Ad40cb4815148bC47cd1DC16e92E44 | https://basescan.org//address/0x373Dba2055Ad40cb4815148bC47cd1DC16e92E44 | https://berascan.com//address/0x373Dba2055Ad40cb4815148bC47cd1DC16e92E44 | https://hyperevmscan.io//address/0x373Dba2055Ad40cb4815148bC47cd1DC16e92E44
routerFacets.ActionSimple | https://etherscan.io//address/0x852e59252c94716F0df19B52b36512f6C9297a96 | https://optimistic.etherscan.io//address/0x852e59252c94716F0df19B52b36512f6C9297a96 | https://sonicscan.org//address/0x852e59252c94716F0df19B52b36512f6C9297a96 | https://arbiscan.io//address/0x852e59252c94716F0df19B52b36512f6C9297a96 | https://bscscan.com//address/0x852e59252c94716F0df19B52b36512f6C9297a96 | https://manyscan.io//address/0x852e59252c94716F0df19B52b36512f6C9297a96 | https://basescan.org//address/0x852e59252c94716F0df19B52b36512f6C9297a96 | https://berascan.com//address/0x852e59252c94716F0df19B52b36512f6C9297a96 | https://hyperevmscan.io//address/0x852e59252c94716F0df19B52b36512f6C9297a96
routerFacets.ActionStorageV4 | https://etherscan.io//address/0x6a0Ed0A9193FCBe7ae9B0F3D90F88e365Cca64fC | https://optimistic.etherscan.io//address/0x6a0Ed0A9193FCBe7ae9B0F3D90F88e365Cca64fC | https://sonicscan.org//address/0xdED51dca2ECED7a0BAab3D9711A87f214769Da0f | https://arbiscan.io//address/0x6a0Ed0A9193FCBe7ae9B0F3D90F88e365Cca64fC | https://bscscan.com//address/0x6a0Ed0A9193FCBe7ae9B0F3D90F88e365Cca64fC | https://manyscan.io//address/0x6a0Ed0A9193FCBe7ae9B0F3D90F88e365Cca64fC | https://basescan.org//address/0x6a0Ed0A9193FCBe7ae9B0F3D90F88e365Cca64fC | https://berascan.com//address/0xdED51dca2ECED7a0BAab3D9711A87f214769Da0f | https://hyperevmscan.io//address/0xdED51dca2ECED7a0BAab3D9711A87f214769Da0f
routerFacets.ActionSwapPTV3 | https://etherscan.io//address/0xd8D200d9A713A1c71cF1e7F694B14E5F1D948b15 | https://optimistic.etherscan.io//address/0xd8D200d9A713A1c71cF1e7F694B14E5F1D948b15 | https://sonicscan.org//address/0xd8D200d9A713A1c71cF1e7F694B14E5F1D948b15 | https://arbiscan.io//address/0xd8D200d9A713A1c71cF1e7F694B14E5F1D948b15 | https://bscscan.com//address/0xd8D200d9A713A1c71cF1e7F694B14E5F1D948b15 | https://manyscan.io//address/0xd8D200d9A713A1c71cF1e7F694B14E5F1D948b15 | https://basescan.org//address/0xd8D200d9A713A1c71cF1e7F694B14E5F1D948b15 | https://berascan.com//address/0xd8D200d9A713A1c71cF1e7F694B14E5F1D948b15 | https://hyperevmscan.io//address/0xd8D200d9A713A1c71cF1e7F694B14E5F1D948b15
routerFacets.ActionSwapYTV3 | https://etherscan.io//address/0x4a03Ce0a268951d04E187B1CF48075eE69266e27 | https://optimistic.etherscan.io//address/0x4a03Ce0a268951d04E187B1CF48075eE69266e27 | https://sonicscan.org//address/0x4a03Ce0a268951d04E187B1CF48075eE69266e27 | https://arbiscan.io//address/0x4a03Ce0a268951d04E187B1CF48075eE69266e27 | https://bscscan.com//address/0x4a03Ce0a268951d04E187B1CF48075eE69266e27 | https://manyscan.io//address/0x4a03Ce0a268951d04E187B1CF48075eE69266e27 | https://basescan.org//address/0x4a03Ce0a268951d04E187B1CF48075eE69266e27 | https://berascan.com//address/0x4a03Ce0a268951d04E187B1CF48075eE69266e27 | https://hyperevmscan.io//address/0x4a03Ce0a268951d04E187B1CF48075eE69266e27
limitRouter | https://etherscan.io//address/0x000000000000c9B3E2C3Ec88B1B4c0cD853f4321 | https://optimistic.etherscan.io//address/0x000000000000c9B3E2C3Ec88B1B4c0cD853f4321 | https://sonicscan.org//address/0x000000000000c9B3E2C3Ec88B1B4c0cD853f4321 | https://arbiscan.io//address/0x000000000000c9B3E2C3Ec88B1B4c0cD853f4321 | https://bscscan.com//address/0x000000000000c9B3E2C3Ec88B1B4c0cD853f4321 | https://manyscan.io//address/0x000000000000c9B3E2C3Ec88B1B4c0cD853f4321 | https://basescan.org//address/0x000000000000c9B3E2C3Ec88B1B4c0cD853f4321 | https://berascan.com//address/0x000000000000c9B3E2C3Ec88B1B4c0cD853f4321 | https://hyperevmscan.io//address/0x000000000000c9B3E2C3Ec88B1B4c0cD853f4321
reflector | https://etherscan.io//address/0x73d5DBF81A4f3bFa7b335e6a2d4638D6017a4fA8 | https://optimistic.etherscan.io//address/0x73d5DBF81A4f3bFa7b335e6a2d4638D6017a4fA8 | https://sonicscan.org//address/0x73d5DBF81A4f3bFa7b335e6a2d4638D6017a4fA8 | https://arbiscan.io//address/0x73d5DBF81A4f3bFa7b335e6a2d4638D6017a4fA8 | https://bscscan.com//address/0x73d5DBF81A4f3bFa7b335e6a2d4638D6017a4fA8 | https://manyscan.io//address/0x73d5DBF81A4f3bFa7b335e6a2d4638D6017a4fA8 | https://basescan.org//address/0x73d5DBF81A4f3bFa7b335e6a2d4638D6017a4fA8 | https://berascan.com//address/0x73d5DBF81A4f3bFa7b335e6a2d4638D6017a4fA8 | https://hyperevmscan.io//address/0x73d5DBF81A4f3bFa7b335e6a2d4638D6017a4fA8
pendleSwap | https://etherscan.io//address/0xd4F480965D2347d421F1bEC7F545682E5Ec2151D | https://optimistic.etherscan.io//address/0xd4e9B0d466789d7F6201442eecCBA6a75A552db0 | https://sonicscan.org//address/0xd4F480965D2347d421F1bEC7F545682E5Ec2151D | https://arbiscan.io//address/0xd4F480965D2347d421F1bEC7F545682E5Ec2151D | https://bscscan.com//address/0xd4F480965D2347d421F1bEC7F545682E5Ec2151D | https://manyscan.io//address/0xd4F480965D2347d421F1bEC7F545682E5Ec2151D | https://basescan.org//address/0xd4F480965D2347d421F1bEC7F545682E5Ec2151D | https://berascan.com//address/0xd4F480965D2347d421F1bEC7F545682E5Ec2151D | https://hyperevmscan.io//address/0xd4F480965D2347d421F1bEC7F545682E5Ec2151D
receiverEndpoint | N/A | https://optimistic.etherscan.io//address/0xED18de5442297a4Ec1ce59C7c7d9427Adc2A012b | https://sonicscan.org//address/0x3209E9412cca80B18338f2a56ADA59c484c39644 | https://arbiscan.io//address/0xC9215ae9EC67385F38C755D862C8eE3702B5793A | https://bscscan.com//address/0x998CF52b2585e05494BF9F2bF502351a9C7FdA8f | https://manyscan.io//address/0xf799E4c029d14f41Dc1918C9A4C67242F565710e | https://basescan.org//address/0xeE708FC793a02F1eDd5BB9DBD7fD13010D1F7136 | https://berascan.com//address/0xd5C47D2383Fddc19596489280C0A33AC42b2bB18 | https://hyperevmscan.io//address/0xaD511b12F73c145Cf158EB92E4fa256937d952A4
senderEndpoint | https://etherscan.io//address/0x07b1014c88f14C9E910092526db57A20052E989F | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A
vePendle | https://etherscan.io//address/0x4f30A9D41B80ecC5B94306AB4364951AE3170210 | https://optimistic.etherscan.io//address/0xd5C47D2383Fddc19596489280C0A33AC42b2bB18 | https://sonicscan.org//address/0xE017CCC08505Ac8fbb5a364680e459d9fBaEE74d | https://arbiscan.io//address/0x3209E9412cca80B18338f2a56ADA59c484c39644 | https://bscscan.com//address/0x8A09574b0401A856d89d1b583eE22E8cb0C5530B | https://manyscan.io//address/0x30c6d4e892871220B5Ab66c10db577da96Fb974b | https://basescan.org//address/0x051dcd6a80f11fE68F77Fb0EBdE03853FA96B1fD | https://berascan.com//address/0x6875e4A945E498FE1B90BbB13CFbAF0b68658C9C | https://hyperevmscan.io//address/0x1fBaCedf510dAA79dfD9B41227A7ba192d5D548D
votingController | https://etherscan.io//address/0x44087E105137a5095c008AaB6a6530182821F2F0 | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A
marketFactoryV5 | https://etherscan.io//address/0x6fcf753f2C67b83f7B09746Bbc4FA0047b35D050 | https://optimistic.etherscan.io//address/0x02Adf72d5D06a9C92136562Eb237C07696833a84 | https://sonicscan.org//address/0xFeE31A6eC6eBefa0b5A594Bf5b1139e3c6fAA0fB | https://arbiscan.io//address/0xd29e76c6F15ada0150D10A1D3f45aCCD2098283B | https://bscscan.com//address/0x7C7f73f7a320364DBB3C9aAa9bCcd402040EE0f9 | https://manyscan.io//address/0xcb02435716b0143D4Ac1BDf370302D619E714126 | https://basescan.org//address/0x59968008a703dC13E6beaECed644bdCe4ee45d13 | https://berascan.com//address/0x8A09574b0401A856d89d1b583eE22E8cb0C5530B | https://hyperevmscan.io//address/0x44A2DdF5339FfdE8c23AF4099a64Def59b11b128
yieldContractFactoryV5 | https://etherscan.io//address/0x35A338522a435D46f77Be32C70E215B813D0e3aC | https://optimistic.etherscan.io//address/0xCcA0977eA3809C8fB785737Eb9fAcD5B19626e81 | https://sonicscan.org//address/0x0582D93FD9c9d42f26bE5D86a5f75291F92102C2 | https://arbiscan.io//address/0xFF29e023910FB9bfc86729c1050AF193A45a0C0c | https://bscscan.com//address/0xE006760020384A20774Dea977C313EF5F51FE17D | https://manyscan.io//address/0x5dFBEAEa9e41f85c334075482A20afb7031207aE | https://basescan.org//address/0x963ddBB35c1AE44e2a159E3b5fb5177E0B32660d | https://berascan.com//address/0x2bEa6BfD8fbFF45aA2a893EB3B6d85D10EFcC70E | https://hyperevmscan.io//address/0x523eCB8501C14507bCa56d4752dA1991c6176758
gaugeController | https://etherscan.io//address/0x47D74516B33eD5D70ddE7119A40839f6Fcc24e57 | https://optimistic.etherscan.io//address/0x6875e4A945E498FE1B90BbB13CFbAF0b68658C9C | https://sonicscan.org//address/0xeE708FC793a02F1eDd5BB9DBD7fD13010D1F7136 | https://arbiscan.io//address/0x1e56299ebc8a1010cec26005d12e3e5c5cc2db00 | https://bscscan.com//address/0x704478Dd72FD7F9B83d1F1e0fc18C14B54F034d0 | https://manyscan.io//address/0x428f2f93afAc3F96B0DE59854038c585e06165C8 | https://basescan.org//address/0x17F100fB4bE2707675c6439468d38249DD993d58 | https://berascan.com//address/0x704478Dd72FD7F9B83d1F1e0fc18C14B54F034d0 | https://hyperevmscan.io//address/0x7e500c6efbb00fd3227888256e477171a1304721
feeDistributorV2 | https://etherscan.io//address/0x8C237520a8E14D658170A633D96F8e80764433b9 | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A
vePendleAirdropDistributor | https://etherscan.io//address/0x3942F7B55094250644cFfDa7160226Caa349A38E | https://optimistic.etherscan.io//address/0x3942F7B55094250644cFfDa7160226Caa349A38E | https://sonicscan.org//address/0x3942F7B55094250644cFfDa7160226Caa349A38E | https://arbiscan.io//address/0x3942F7B55094250644cFfDa7160226Caa349A38E | https://bscscan.com//address/0x3942F7B55094250644cFfDa7160226Caa349A38E | https://manyscan.io//address/0x3942F7B55094250644cFfDa7160226Caa349A38E | https://basescan.org//address/0x3942F7B55094250644cFfDa7160226Caa349A38E | https://berascan.com//address/0x7f6Ca6aA1F2291992E252Fb8E25348c4861C5C25 | https://hyperevmscan.io//address/0x42c706eab26aA8FAcFa4B3f32902bA872AaA10aC
externalRewardsDistributor | https://etherscan.io//address/0x33305665f69B4642D1275f4Ce81c23651674D21C | https://optimistic.etherscan.io//address/0xae898a7d07f8e27f25e13d0f351a7401f9a5bf9d | https://sonicscan.org//address/0xae898a7d07f8e27f25e13d0f351a7401f9a5bf9d | https://arbiscan.io//address/0x33305665f69B4642D1275f4Ce81c23651674D21C | https://bscscan.com//address/0x33305665f69B4642D1275f4Ce81c23651674D21C | https://manyscan.io//address/0x33305665f69B4642D1275f4Ce81c23651674D21C | https://basescan.org//address/0x33305665f69B4642D1275f4Ce81c23651674D21C | https://berascan.com//address/0x33305665f69B4642D1275f4Ce81c23651674D21C | https://hyperevmscan.io//address/0x1Cb446fAE25Ae19878f9f71189902e2a6A6A749c
decimalsFactory | https://etherscan.io//address/0x992ec6a490a4b7f256bd59e63746951d98b29be9 | https://optimistic.etherscan.io//address/0x992ec6a490a4b7f256bd59e63746951d98b29be9 | https://sonicscan.org//address/0x992ec6a490a4b7f256bd59e63746951d98b29be9 | https://arbiscan.io//address/0x992ec6a490a4b7f256bd59e63746951d98b29be9 | https://bscscan.com//address/0x992ec6a490a4b7f256bd59e63746951d98b29be9 | https://manyscan.io//address/0x992ec6a490a4b7f256bd59e63746951d98b29be9 | https://basescan.org//address/0x992ec6a490a4b7f256bd59e63746951d98b29be9 | https://berascan.com//address/0x992ec6a490a4b7f256bd59e63746951d98b29be9 | https://hyperevmscan.io//address/0xF2a26C2eb3c4098e03807442196FbA7f78b125a2
lpWrapperFactory | https://etherscan.io//address/0x12930Bd944bb34B0A21CCc2E7d32a6834Bd58e19 | https://optimistic.etherscan.io//address/0xeCfEB97D7F070DA5b93c5DC274183F1D7f68532F | https://sonicscan.org//address/0xeCfEB97D7F070DA5b93c5DC274183F1D7f68532F | https://arbiscan.io//address/0xdb5dB14819a16642e6736aB0cDFe0156f8E01ddF | https://bscscan.com//address/0x6f14d3cD37a0647a3eE60eb2214486f8A1CDdccc | https://manyscan.io//address/0x6D653C8DAAc8D81c9CE98E038fbF94D7E652e147 | https://basescan.org//address/0xCa274A44a52241c1a8EFb9f84Bf492D8363929FC | https://berascan.com//address/0x7c0fa6ad8c14aFc85706E28B6ed2d9cbACc47161 | https://hyperevmscan.io//address/0xcb645C93820B92E5F21781C5c3c18C29BCb6126B
Additionally, markets that are whitelisted on the Pendle V2 platform are considered in scope.
This includes StandardizedYieldToken (SY), PendlePrincipalToken (PT), PendleYieldToken (YT), PendleYieldTokenV2 (YTv2) and PendleMarket (Market).
Please note that each asset has a different SY, while the PT, YT (or YTv2) and Market contracts are the same.
The list of currently active and inactive markets can be obtained using the following endpoints from our Backend:
https://api-v2.pendle.finance/core/docs#/Markets/MarketsSimplifiedController_getActiveMarkets
https://api-v2.pendle.finance/core/docs#/Markets/MarketsSimplifiedController_getInactiveMarkets
Markets that are not obtainable by the above endpoints are not whitelisted by us.
Markets that are inactive or not whitelisted by us will NOT be considered if the vulnerability is isolated in that market only and does not affect the Pendle V2 system or the other markets.
Markets that are inactive or not whitelisted by us will be considered if the vulnerability has system-wide impact or impacts active markets.
SY contracts that are not deployed and audited by Pendle Team will NOT be considered.
To see if a SY contract is deployed and audited by Pendle Team, go to https://app.pendle.finance/trade/markets/0x976fb34e06c933bdd97cb1e8b868e04442edaa8d/swap?view=pt and see the market info:
The underlying contracts that SY and Market are based on are considered out of scope.
Level | Critical | High
--- | --- | ---
Max | 1,000,000 USD | 100,000 USD
Min | 100,000 USD | 10,000 USD
Rewards are capped at 10% of economic impact.
For critical/high smart contract bugs, the reward amount is 10% of the funds directly affected, up to a maximum of 1,000,000 USD/100,000 USD respectively.
The calculation of the amount of funds at risk is based on the time and date the bug report is submitted.
However, a minimum reward of 100,000 USD/10,000 USD is paid in order to incentivize security researchers against withholding a bug report.
Cross-Market Limitations
If multiple markets whitelisted on Pendle can be exploited with the same vulnerability, the funds at risk are the combined sum of the funds that can be stolen across those markets.
Repeatable Attack Limitations
If the smart contract in which the vulnerability exists can be upgraded or paused, only the funds stolen in the first attack are considered the funds at risk.
If the smart contract in which the vulnerability exists can NOT be upgraded or paused, the funds at risk of each attack are calculated as follows:
100% of the funds that could be stolen in the first attack.
max(0, 100% - 25% * ⌈t⌉) of the funds that could be stolen in each subsequent attack, where t is the time since the first attack, in hours (a 25% reduction per hour).
If the attack has cross-chain impact:
Among all of the transactions sent across all chains supported by Pendle, the transaction with the lowest block time is considered the first attack.
Claimable yields (interests and rewards) that can be stolen by the attacks are also considered funds at risk.
Feasibility Limitations
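The reward table and the Repeatable Attack Limitations above are easiest to check with a small calculator. The following is an added worked example, not Pendle's or Cantina's own code: it orders constructed sample transactions by block time across chains to find the first attack, applies the max(0, 100% - 25% * ⌈t⌉) discount to later ones (integer ceiling division so that boundary cases such as exactly 2 hours or 1 second past 3 hours are handled exactly), adds claimable yields to the stolen principal, and then applies the 10% / minimum / maximum rule. Amounts are whole USD; block times are Unix seconds and are assumed to be comparable across chains.

```python
"""Funds-at-risk and reward calculator for the Repeatable Attack Limitations
rule and the reward table of this program (added example, not Pendle's or
Cantina's code; sample transactions below are constructed, not real incidents)."""
from __future__ import annotations

from dataclasses import dataclass

# Reward table from the program: (maximum, minimum) in USD, keyed by severity.
REWARD_TABLE = {
    "critical": (1_000_000, 100_000),
    "high": (100_000, 10_000),
}
REWARD_PCT = 10  # rewards are 10% of the funds directly affected


@dataclass(frozen=True)
class Attack:
    """One exploiting transaction (constructed sample data)."""
    chain: str
    block_time: int  # Unix timestamp of the block containing the transaction
    stolen: int  # principal that could be stolen, in USD
    claimable_yield: int = 0  # interests/rewards that could be stolen, also counted


def discount_pct(seconds_since_first: int) -> int:
    """max(0, 100% - 25% * ceil(t)), with t in hours since the first attack.

    Integer ceiling division keeps the boundary cases exact:
    0 s -> 100%, 1 s..3600 s -> 75%, 3601 s..7200 s -> 50%, past 4 h -> 0%.
    """
    if seconds_since_first < 0:
        raise ValueError("attack precedes the first attack")
    hours_ceil = -(-seconds_since_first // 3600)
    return max(0, 100 - 25 * hours_ceil)


def funds_at_risk(attacks: list[Attack], upgradeable_or_pausable: bool) -> int:
    """Total funds at risk under the Repeatable Attack Limitations.

    The first attack is the transaction with the lowest block time across all
    chains. For upgradeable/pausable contracts only that attack counts;
    otherwise every later attack counts at its hourly-discounted percentage.
    """
    if not attacks:
        return 0
    ordered = sorted(attacks, key=lambda a: a.block_time)
    first = ordered[0]
    if upgradeable_or_pausable:
        return first.stolen + first.claimable_yield
    total = 0
    for attack in ordered:
        pct = discount_pct(attack.block_time - first.block_time)
        total += (attack.stolen + attack.claimable_yield) * pct // 100
    return total


def reward(funds: int, severity: str) -> int:
    """10% of funds at risk, floored at the minimum and capped at the maximum."""
    maximum, minimum = REWARD_TABLE[severity]
    return min(maximum, max(minimum, funds * REWARD_PCT // 100))


# Constructed scenario: four transactions on three chains, listed out of order.
T0 = 1_700_000_000
SAMPLE_ATTACKS = [
    Attack("Base", T0 + 3 * 3600 + 1, stolen=200_000),  # ceil(3.0003 h) = 4 -> 0%
    Attack("Ethereum", T0, stolen=1_000_000, claimable_yield=50_000),  # first, 100%
    Attack("Ethereum", T0 + 7200, stolen=100_000),  # exactly 2 h -> ceil = 2 -> 50%
    Attack("Arbitrum", T0 + 1800, stolen=400_000),  # 0.5 h -> ceil = 1 -> 75%
]

if __name__ == "__main__":
    for upgradeable in (False, True):
        far = funds_at_risk(SAMPLE_ATTACKS, upgradeable_or_pausable=upgradeable)
        print(f"upgradeable/pausable={upgradeable}: funds at risk {far:,} USD, "
              f"critical reward {reward(far, 'critical'):,} USD, "
              f"high reward {reward(far, 'high'):,} USD")
```

With the sample data the non-upgradeable case totals 1,400,000 USD (1,050,000 + 300,000 + 0 + 50,000), giving a 140,000 USD critical reward but only the 100,000 USD cap for high; the upgradeable case counts only the first attack's 1,050,000 USD.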
Bug reports about an attack that targets only the underlying protocol of one of the markets whitelisted on Pendle V2, without any exploit of Pendle V2's contracts, will NOT be considered for this bug bounty program.
Even if Pendle V2 users lose funds while interacting with Pendle V2, the cause in such cases is the exploitation of the underlying protocol, which makes it incompatible with the Pendle V2 system.
Bug reports that require an attack involving one or more other protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX), either to make the attack more severe than it would be in isolation or to achieve an attack that would otherwise be impossible or infeasible, will be downgraded by one severity level.
However, they will be considered in scope and categorized according to the program rules as long as all of the following are true:
Losses or other negative effects of the attack are inflicted upon Pendle V2 users.
The additional protocols used must have enough liquidity in various assets to allow the attack to succeed at the time of bug report submission. For example: if an attack requires an ETH flash loan, but the amount is larger than all the ETH available for loan across the ecosystem
Likelihood/Impact | >1% TVL | <1% TVL
--- | --- | ---
High | Critical | High or Critical
Medium | High or Critical | High
The Pendle team will exercise its discretion, together with the Cantina team, to judge the severity with the aim of awarding fairly to security researchers.
Likelihood/Impact | Significant | Moderate
--- | --- | ---
High | High or Critical | High
Medium | High | Medium
The source files that are not listed in the "In Scope" section are considered out of scope.
Known issues from previous security reviews are considered out of scope.
An issue is considered out of scope if it is already known to the Pendle team, has already been reported, or we have already taken prior steps to mitigate it (including mitigations that are deployed, in progress, or scheduled).
Along with a clear description and reproduction steps, reports must include an actionable remediation. A remediation can be either:
A concrete code-level change (patch, pseudo-code, or precise guidance on what to change), or
A concrete operational/design mitigation that we can realistically adopt (e.g., configuration constraints, process controls, monitoring + response, feature removal/disablement).
A report may be considered out of scope if:
It does not include a credible remediation or mitigation path, or
The reported impact relies on a condition that we can reasonably avoid through configuration, operational controls, or design choices (i.e., the protocol is not exposed under intended and reasonably expected operation), or
The proposed remediation is not feasible to implement or does not meaningfully reduce the reported risk.
We reserve the right to determine whether a mitigation is feasible and "reasonably avoidable" based on intended protocol usage and realistic operational constraints.
Issues that do not have strong impact according to the severity criteria are considered out of scope.
We still encourage researchers to report such issues in good faith, as they can help us improve resilience and user safety. Please see the Goodwill Policy section below.
We still encourage researchers to report issues even if they appear out of scope under this program. Security is our priority, and we’d rather hear about a potential weakness than miss it. Pendle frequently offers goodwill awards for high-quality, well-evidenced reports that identify unusual or previously unknown behaviors affecting the protocol. To date, Pendle has awarded over $20,000 in goodwill to researchers for such reports.
That said, out-of-scope reports are eligible for goodwill awards only at Pendle’s discretion. To keep this channel useful for everyone, we will prioritize submissions that are: