TrueFi-Protocol / bug-bounty

TrustToken Bug Bounty Program

TrueFi Lending Marketplace V1 Smart Contract Bug Bounty #6

Open yuchenlintt opened 2 years ago

yuchenlintt commented 2 years ago

About TrueFi Lending Marketplace

TrueFi is an uncollateralized lending platform on Ethereum with almost $1B TVL and over $1B loans originated. We are launching a completely new version of the protocol, completely disconnected from the currently deployed contracts.

The initial iteration of this new version will be called our Lending Marketplace. This project has not yet officially launched. However, we have already deployed contracts and seeded them with a small amount of real funds for testing. We have also injected bugs into the current deployment in order to benchmark our internal red team, external auditors, and this bug bounty program.

Program Rules

Rewards

Our rewards are based on the severity of a vulnerability. TrustToken uses CVSS 3.0 (Common Vulnerability Scoring System) together with the total percentage of potential capital loss to calculate severity. Please note, however, that reward decisions are at the discretion of TrustToken and reward amounts may be adjusted during the program.

Severity Payout
Low $1,250
Medium $2,500
High $5,000
Critical $10,000

Scope

The following contracts have been deployed to Ethereum mainnet and seeded with a small test amount of funds. They are in scope for this bug bounty.

Contract Address
BorrowerSignatureVerifier 0x285Fe8Cb345d2B05b497d9C8DbB9601A8243d759
Bounty ManagedPortfolio proxy 0x73663Ac72988138f97C7A3fde6AbC638BcAd1E55
BulletLoans 0x8ddf7021fEA12A277F75414a1BAC32F1586cB5E6
BulletLoans proxy 0xd886ba98DdA7D337cC5EE1fd060CfC8D0D2368f3
ManagedPortfolio 0xf98b1BE69ca26D5b571c7359074A635a140308C1
ManagedPortfolioFactory 0x8470a53e59Db7b1f00376a7B752009F02e92073B
ManagedPortfolioFactory proxy 0xd9919ddE053bcFd9e1A56d38C9704167999e3B54
ProtocolConfig 0x22651A862815E9240975ee5E0Ef8eDe577A7F335
ProtocolConfig proxy 0x12BD9b9a9Ec1a928202e2d78b125F9CCAA28E69b
SignatureOnlyLenderVerifier 0xd69cABbe6700F329261A6Aa901f9Ee88f045976a

Injected Bugs

In order to benchmark the relative effectiveness of our bug bounty program, internal security team, and external audits, our smart contracts engineering team has injected up to 10 possible bugs in our smart contract code. The following are precommitment hashes of descriptions for these possible bugs:

0xd53d78535e7aec1088b626017bd1d4bee173556af9d35934eaa61bb84b61d6e3 REPORTED
0x29719ac31658cec8c3b0ca909cf2bb86a8e0de712b3f1a31cfda2f42f30ed1ae REPORTED
0xb602c4cc8a2c5fa760e4e6b6bdd4db650745588d0b2869f994fc6763389559b2 REPORTED
0x9ad795b285d6c8041cc6cfa8039a2e920a5b282600f3743ea53df2b7f33a70b0
0x250b5cd71c784c13bda762272c9ab564ef4c782656d41f92d6c3fe9f4bc9491b
0xbc3be741c82c8bdbf18bccc387f5b17f7228cfcf5c5820243d3cacb6eae83665
0x74f98829afa7ad12977514761ace2227a66ed1e087baf6985b9c051401f7ce44
0x19883d22635f7115e785263cfddf0c3c89b00b19648137d28e1e0caa6e1ae8b6
0xe349f5441516f214f75fc743d02c95bcbb463e3a5b8221a9fd81a53e9620a6a0 REPORTED
0xc931bb243c38007be6410e1ce6dad9c837fd40ee6f59691f471fc126dd423246 REPORTED

After conclusion of the bounty and internal/external audits, we plan to reveal and fix these possible injected bugs.

UPDATE (2022-02-18): A report of our injected bugs can be found in our audits repo.
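The precommitment list above is a commit-reveal scheme: each 32-byte value is a hash of a bug description that is published before the reveal, so the reveal can be checked against it afterwards. The helper below is an added example of how a reader would verify a revealed description; it is not TrustToken's tooling. The page does not say which hash function or input encoding was used, so SHA-256 over the UTF-8 description with a prepended per-bug salt is an assumption, as are the sample salt and description.

```python
import hashlib
import hmac

# Constructed example of verifying a commit-reveal precommitment. ASSUMPTIONS
# (not stated on the page): the commitment is SHA-256 over salt || UTF-8
# description, and each bug has its own random salt. The salt matters because
# one-line bug descriptions have little entropy; without it, a published hash
# could be matched by guessing likely descriptions before the reveal.


def commit(description: str, salt: bytes) -> str:
    """Return the 0x-prefixed hex commitment for a salted description."""
    digest = hashlib.sha256(salt + description.encode("utf-8")).hexdigest()
    return "0x" + digest


def verify_reveal(description: str, salt: bytes, published: str) -> bool:
    """Recompute the commitment from the revealed data and compare it in
    constant time against the hash that was published in advance."""
    expected = commit(description, salt)
    return hmac.compare_digest(expected.lower(), published.lower())


# Constructed sample reveal (hypothetical; not one of the real injected bugs).
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_DESCRIPTION = "Loan duration of zero causes division by zero in interest accrual"
SAMPLE_COMMITMENT = commit(SAMPLE_DESCRIPTION, SAMPLE_SALT)

if __name__ == "__main__":
    print("published:", SAMPLE_COMMITMENT)
    print("exact reveal verifies:", verify_reveal(SAMPLE_DESCRIPTION, SAMPLE_SALT, SAMPLE_COMMITMENT))
    # Any change to the description, even trailing whitespace, must fail.
    print("altered reveal verifies:", verify_reveal(SAMPLE_DESCRIPTION + " ", SAMPLE_SALT, SAMPLE_COMMITMENT))
```

Because the comparison is byte-exact, the reveal has to publish the description in precisely the form that was hashed (encoding, whitespace, line endings); a practical reveal therefore ships the raw committed bytes and the salt rather than a reformatted summary.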

gitcoinbot commented 2 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 10000.0 USDC (10000.0 USD @ $1.0/USDC) attached to it as part of the trusttoken fund.

gitcoinbot commented 2 years ago

Work has been started.

These users each claimed they can complete the work by 264 years, 4 months from now. Please review their action plans below:

1) aparnajoshi007 has started work.

I have experience in solidity programming. I will look into your project requirements and test various edge cases to perform bug bash

2) amritkumarj has started work.

Started looking into the code, update you with the bug soon

3) fibrinlab has started work.

I got experience in Smart Contract Security.

4) gmspacex has started work.

I am very familiar with your protocol, will start debugging right now.

5) pmlambert has started work.

Will review source code to try and catch some bugs.

6) yummyweb has started work.

I will perform complete analysis of source code to determine possible bugs of various severities.

7) enckrish has started work.

Looking forward to an awesome bug hunting experience.

8) eurisko4242 has started work.

I will look through the contracts to find any bugs and report them

9) hrishikeshdkakkad has started work.

I am check full website and small to high vulnerability problem solve

11) bugb33 has started work.

I will perform a Complete Web Security Assessment of your site and provide a professional report including recommendations.

About The Test:

You get an in-depth penetration test of your website. The test is customized towards the underlying technology as well as its internal business logic. I will check for the most critical web application security risks according to the Open Web Application Security Project. Specifically, your application will be tested against: Access Control, File Upload Vulnerabilities, Injection flaws, Sensitive data exposure, Server-side security, API endpoint security.

Thanks, Bugb33

12) ericfromus has started work.

I'll evaluate the source code, connection points in and out of source code and transaction on chain to find vulnerabilities in the system.

13) reedlzw has started work.

my first in counties, lucky for me

14) johnexzy has started work.

I will analyze your test and learn about the contracts, then make a deep analysis on the contract

15) alecj1240 has started work.

Will dive into the contracts and try to find any bugs -- always up for a challenge :-)

16) ardi814 has started work.

oppoatujuh30@gmail.com and the contents of this book will also have some that

17) 7suyash7 has started work.

I have experience with the Truffle Test Suite and will use that to test the smart contract

18) hannahbashir has started work.

I will deep analyze the contract

19) kalzak has started work.

Will start looking through the code and search for any bugs/vulnerabilities.

20) rajabhargava has started work.

I will go through the code and will try to report any bug I find and also the possible solution if possible. I am a beginner and I see this as an opportunity to learn more. I am here for learning.

21) akshatgada has started work.

I have experience in bug fixes and testing in solidity and can help you out with this. I will find those bugs and get in contact with you immediately

22) d4mk0 has started work.

I will try :) Thank you for this ability!

23) minhquanym has started work.

Thank you for this opportunity. I will try it

24) noveltysa has started work.

Identify bugs and report the bugs using the required process

Learn more on the Gitcoin Issue Details page.

gitcoinbot commented 2 years ago

Work for 10000.0 USDC (10000.0 USD @ $1.0/USDC) has been submitted by:

  1. @dezmerritt75
  2. @surroundingart64
  3. @minhquanym

@yuchenlintt please take a look at the submitted work:


SurroundingArt64 commented 2 years ago

@yuchenlintt How do I submit the reports? I have a few now.

SurroundingArt64 commented 2 years ago

The reports are password protected. Drop me your email for the password @yuchenlintt

Bug Report Submission:

Number of bug reports: 5 (2 LOW, 1 HIGH, 2 CRITICAL)

IPFS LINK: ipfs://Qmd5zc1EfToRJ1XVyiyPpxbsqm6Lt7VrvVs1kMt3asSoCv

HTTPS LINK: https://gateway.pinata.cloud/ipfs/Qmd5zc1EfToRJ1XVyiyPpxbsqm6Lt7VrvVs1kMt3asSoCv

IPFS/pre-commitment hash: Qmd5zc1EfToRJ1XVyiyPpxbsqm6Lt7VrvVs1kMt3asSoCv

yuchenlintt commented 2 years ago

> @yuchenlintt How do I submit the reports? I have a few now.

Thanks for working on our bounty! You can email us at security@trusttoken.com and mention the Gitcoin bug bounty so this gets routed through our internal handling channels.

d4mk0 commented 2 years ago

@yuchenlintt Hi! Reported bugs can not be public, before contest ending?

yuchenlintt commented 2 years ago

@d4mk0 That's correct!

Our purpose in injecting bugs is to benchmark bounty hunters against our other methods of finding bugs. Revealing reported bugs would skew our statistics since bounty hunters who would otherwise have reported these bugs would no longer be able to. Indeed, receiving overlapping reports helps give us more confidence that other bugs at this level of difficulty don't exist.

yuchenlintt commented 2 years ago

Hi @SurroundingArt64!

Thank you for your submissions to our smart contract bug bounty! Here is our response to the five findings you reported:

  1. We did indeed forget to emit an event when BulletLoans are fully repaid. Thanks for catching this! However, we would classify the severity of this bug as Informational and hence ineligible for reward.
  2. Having no restrictions on who can issue BulletLoans is working as intended, at least for this version of our Lending Marketplace. This lack-of-restrictions came as a direct requirement from our product team, so it is ineligible for reward.
  3. A loan duration of zero causes divide-by-zeros. This was one of our injected bugs! We rate it as high severity because it can lead to denial of service but requires the collusion or mistake of a trusted manager role to trigger.
  4. A repayment amount less than the principal can cause integer underflow. This was another injected bug! We also rate this as high severity for the same reasons as (3).
  5. Centralization risk. While we recognize your concern, our contract manager roles are working exactly as our product team intended, and hence this finding is not eligible for reward.

Our internal red team reported findings (3) and (4) on Jan 11 and Jan 10, respectively, before you were able to submit them to us. Under the current terms of our bug bounty program, you would technically be ineligible for any reward.

However, since we made no public communications that several bugs had already been reported internally, we are willing to pay you half of the bounty reward as a gesture of good will. To be explicit, we will be rewarding you $5k / 2 + $5k / 2 == $5k total for findings (3) and (4), and we hope you find this to be reasonable compensation for your work.

This was our first time running a bug bounty program on Gitcoin, and we're still learning how to structure this program better. Please let us know if you have any feedback for us.

For injected bugs in the next iteration, we are considering dropping the requirement to be ahead of our internal red team and external audits. However, we would likely reward injected bugs at a lower bounty amount (while still paying the full schedule of rewards for original bugs).

Thank you so much for participating! We would love to have you continue bounty hunting in our next iteration.

Yuchen Lin
Lead Security Engineer
TrustToken
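Findings (3) and (4) above are both input-validation failures in loan terms: a zero duration ends up as a divisor, and a total repayment below the principal ends up as the larger operand of a subtraction. The model below is an added example written for this thread, not BulletLoans code, and the formulas it uses (interest = total debt minus principal, accrual = interest divided by duration) are assumptions chosen only to reproduce the two failure classes. Arithmetic is modelled on Solidity 0.8 checked semantics, where underflow and division by zero revert instead of wrapping, which is why the response classifies both as denial of service: once such a loan exists, every call that touches its accrual reverts. The point of the example is that the terms should be rejected at issuance, before the loan is stored.

```python
from dataclasses import dataclass

# Constructed model of two loan-term validation bugs (zero duration, repayment
# below principal). Not the project's code: the interest formulas are assumptions.
# Arithmetic mimics Solidity >= 0.8, where checked math reverts on underflow and
# division by zero, so a malformed loan makes later accrual calls revert (DoS).

UINT256_MAX = 2**256 - 1


class EvmRevert(Exception):
    """Stand-in for a Solidity revert raised by checked arithmetic."""


def checked_sub(a: int, b: int) -> int:
    if b > a:
        raise EvmRevert("arithmetic underflow")
    return a - b


def checked_div(a: int, b: int) -> int:
    if b == 0:
        raise EvmRevert("division by zero")
    return a // b


@dataclass(frozen=True)
class Loan:
    principal: int   # amount lent out
    total_debt: int  # principal plus interest owed at maturity
    duration: int    # seconds until maturity


def accrued_interest(loan: Loan, elapsed: int) -> int:
    """Interest owed after `elapsed` seconds, capped at the full term."""
    interest = checked_sub(loan.total_debt, loan.principal)  # reverts if total_debt < principal
    per_second = checked_div(interest, loan.duration)        # reverts if duration == 0
    return per_second * min(elapsed, loan.duration)


def validate_terms(principal: int, total_debt: int, duration: int) -> list[str]:
    """Invariants an issuer should check before accepting loan terms.
    Returns the violated ones; an empty list means the terms are acceptable."""
    problems = []
    if duration == 0:
        problems.append("duration must be positive")
    if total_debt < principal:
        problems.append("total_debt must be at least principal")
    for name, value in (("principal", principal), ("total_debt", total_debt), ("duration", duration)):
        if not 0 <= value <= UINT256_MAX:
            problems.append(f"{name} out of uint256 range")
    return problems


def terms_accepted(principal: int, total_debt: int, duration: int) -> bool:
    return not validate_terms(principal, total_debt, duration)


def create_loan(principal: int, total_debt: int, duration: int, validate: bool = True) -> Loan:
    """validate=False reproduces the unguarded behaviour; the loan is stored and
    only fails later, when accrual is computed."""
    if validate:
        problems = validate_terms(principal, total_debt, duration)
        if problems:
            raise ValueError("; ".join(problems))
    return Loan(principal, total_debt, duration)


def try_accrue(loan: Loan, elapsed: int) -> str:
    """Run accrual and report either the amount or the revert reason."""
    try:
        return str(accrued_interest(loan, elapsed))
    except EvmRevert as exc:
        return f"revert: {exc}"


if __name__ == "__main__":
    good = create_loan(1_000_000, 1_100_000, 100)
    print("healthy loan, half term:", try_accrue(good, 50))
    zero = create_loan(1_000_000, 1_100_000, 0, validate=False)
    print("zero duration, unguarded:", try_accrue(zero, 1))
    under = create_loan(1_000_000, 900_000, 100, validate=False)
    print("repayment below principal, unguarded:", try_accrue(under, 1))
    print("guard rejects both:", validate_terms(1_000_000, 900_000, 0))
```

The severity reasoning in the response maps onto the model directly: the bad terms can only enter through whoever is allowed to issue loans, so a trusted role must err or collude, but once stored the loan poisons every accrual path that reads it.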

yuchenlintt commented 2 years ago

@d4mk0 We're closing out this round of our bug bounty program and will be unblinding the injected bugs very shortly, as we already have contracts deployed on mainnet with the fixes.

Stay tuned! In about two months, we'll have another round of bug bounties with new injected bugs!

SurroundingArt64 commented 2 years ago

Hi @yuchenlintt

Thanks for reaching out. I believe the compensation is a bit lower than what I was expecting, but I completely understand your viewpoint. And the terms are agreeable to me.

It was great being part of this bug bounty, especially as you were so quick to respond to my queries. Generally it is a hassle to get a straight answer from GitCoin bounty program creators. Will be looking forward to the public disclosure of the injected bugs and/or otherwise.

Please leave a rating at GitCoin as it helps me get better bounties.

Let me know if you are hiring. lol.

Also, can you please tell me when the payout will be rolling. Thanks.

Regards,
SurroundingArt64
Primary Email: culturalsurround64@protonmail.com

SurroundingArt64 commented 2 years ago

Also, public submission if anyone is interested: https://github.com/SurroundingArt64/Truefi-Bug-Bounty

Dezmerritt75 commented 2 years ago

I am ok with that compensation. Where will this payment be sent, and when?

On Fri, Jan 14, 2022, 12:34 AM Gitcoin.co Bot @.***> wrote:

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

Work for 10000.0 USDC (10000.0 USD @ $1.0/USDC) has been submitted by:

  1. @dezmerritt75 https://gitcoin.co/dezmerritt75

@yuchenlintt https://github.com/yuchenlintt please take a look at the submitted work:


— Reply to this email directly or view it on GitHub: https://github.com/trusttoken/bug-bounty/issues/6#issuecomment-1012789978

yuchenlintt commented 2 years ago

> Please leave a rating at GitCoin as it helps me get better bounties.

I tried leaving a 5 star rating but couldn't figure out how to do so. I left a positive review on your wall though.

> Also, can you please tell me when the payout will be rolling. Thanks.

I just transferred 5000 USDC to your account. Should be ready for you to withdraw now!

yuchenlintt commented 2 years ago

> I am ok with that compensation. Where will this payment be sent and when.

Hi @Dezmerritt75. We have still yet to receive any work you might have submitted. Please confidentially email vuln disclosures to security@trusttoken.com, and if that's not working try CCing me at yuchen.lin@trusttoken.com.

minhquanym commented 2 years ago

Hi @yuchenlintt. I have just emailed you my findings. Please take a look, thank you.

yuchenlintt commented 2 years ago

> Hi @yuchenlintt. I have just emailed you my findings. Please take a look, thank you.

Hi @minhquanym! We've reviewed your submission and responded to your email. Let us know if you have any questions. Happy bug hunting!

yuchenlintt commented 2 years ago

Update: We've revealed our injected bugs and published all audit reports for this version of our TrueFi Lending Marketplace in our audit repo: https://github.com/trusttoken/audits/tree/master/TrueFiLendingMarketplaceV1

SurroundingArt64 commented 2 years ago

Hmm. I did think there was something buggy with repay but couldn't land my finger on it.