Details

USDFC Bug Bounty by Secured Finance

Status: Active

Launched: 2 Apr 2025

Expires: Non-expiring

Max Payout: $20,000

GENERAL INFORMATION

Filecoin-backed Stablecoin USDFC

Assets Type: Smart Contracts

Chains: Other

Programming Language: Solidity

Product Types: DeFi

Project Categories: Stablecoin

PAYOUTS

Smart Contracts

Critical: $5,000 - $20,000

Permanent funds freeze
Protocol Insolvency
Direct theft of any user funds (at-rest, in-motion)
Unclaimed yield excluded

High: $2,500 - $5,000

Unclaimed yield permanent freeze
Unclaimed yield theft
Profit-oriented block stuffing

Medium: $1,000 - $2,500

Unbounded gas consumption
Gas Theft
Smart contract incapacitated due to insufficient token funds
Griefing

Low: $100 - $1,000

A smart contract does not meet the promised returns, yet retains its value

Informational: up to $100

PROGRAM RULES

Respect the scope of the program
Don't discuss or disclose vulnerability information without prior written consent

ELIGIBILITY CRITERIA

Current employees, vendors (auditors), partners and contractors are not eligible to participate in the bug bounty program

REWARDS AND RECOGNITION

Payouts are handled by the team directly and are denominated in USD. However, payouts are done in USDT/USDC/USDFC or SFC at the discretion of the team
The bug bounty program reserves the right to adjust award amounts based on the quality and accuracy of submissions within the specified range

SUBMISSION GUIDELINES

Reports should be submitted through the Remedy platform
High/Critical severity bug reports should include a runnable Proof of Concept (PoC) in order to prove impact

ASSETS IN SCOPE

Smart Contracts

USDFC Smart Contracts Repository https://github.com/Secured-Finance/stablecoin-contracts

Forked from: Liquity

OUT OF SCOPE

The contracts in the following directories are for testing and are not eligible for payout:

/contracts/TestContracts
/contracts/Proxy

The following vulnerabilities are considered out of scope and are not eligible for payout:

Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)
Incorrect data supplied by third-party oracles (not to exclude oracle manipulation/flash loan attacks)
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks
Centralization risks
Impacts requiring basic economic and governance attacks (e.g. 51% attack)
Impacts from Sybil attacks
Problems Caused by L1 Gas Pricing
Freezing of own funds due to mistaken operation
Impacts from malicious upgrades to third party contracts
Temporary impacts resulting from configuration adjustment race-conditions

PAYOUTS

Smart Contracts

Critical: $5,000 - $20,000

Permanent funds freeze

Protocol Insolvency

Direct theft of any user funds (at-rest, in-motion)

Unclaimed yield excluded

High: $2,500 - $5,000

Unclaimed yield permanent freeze

Unclaimed yield theft

Profit-oriented block stuffing

Medium: $1,000 - $2,500

Unbounded gas consumption

Gas Theft

Smart contract incapacitated due to insufficient token funds

Griefing

Low: $100 - $1,000

A smart contract does not meet the promised returns, yet retains its value

Informational: up to $100

OUT OF SCOPE

The contracts in the following directories are for testing and are not eligible for payout:

/contracts/TestContracts

/contracts/Proxy

The following vulnerabilities are considered out of scope and are not eligible for payout:

Attacks that the reporter has already exploited themselves, leading to damage

Attacks requiring access to leaked keys/credentials

Attacks requiring access to privileged addresses (governance, strategist)

Incorrect data supplied by third-party oracles (not to exclude oracle manipulation/flash loan attacks)

Basic economic governance attacks (e.g. 51% attack)

Lack of liquidity

Best practice critiques

Sybil attacks

Centralization risks

Impacts requiring basic economic and governance attacks (e.g. 51% attack)

Impacts from Sybil attacks

Problems Caused by L1 Gas Pricing

Freezing of own funds due to mistaken operation

Impacts from malicious upgrades to third party contracts

Temporary impacts resulting from configuration adjustment race-conditions