TrueFi-Protocol / bug-bounty

TrustToken Bug Bounty Program

TrueFi Lending Marketplace V2 Smart Contract Bug Bounty #9

Open yuchenlintt opened 2 years ago

yuchenlintt commented 2 years ago

About

TrueFi is an uncollateralized lending platform with over $1B in loans originated.

This bug bounty covers new, pre-audit code with injected bugs.

During development, our eng team intentionally introduced vulnerabilities so we can benchmark our internal red team, external auditors, and this bug bounty. Thus we anticipate it will be easier to find bugs here than in a typical bug bounty. Think of this like a CTF, with extra bonuses for original findings.

Rewards

| Severity | Injected Bug Payout | Original Finding Payout |
|----------|---------------------|-------------------------|
| Medium   | $500                | $1,000                  |
| High     | $500                | $2,000                  |
| Critical | $500                | $5,000                  |

Our rewards are based on the severity of a vulnerability. TrustToken uses CVSS 3.0 (Common Vulnerability Scoring Standard) and the total percentage of potential capital loss to calculate severity. Please note, however, that reward decisions are up to the discretion of TrustToken and reward amounts may be adjusted during the program.

Program Rules

Scope

Repository: https://github.com/trusttoken/contracts-helium

Commit hash: 0fe54efa2f1198b63bba12c65bb1a63d097b7d9c

The audit scope consists of the following contracts:

Base Portfolio:

Flexible Portfolio + Fixed Interest Only Loans:

Automated Line of Credit:

Governance:

Others:

Note that BulletLoans (and related contracts) are not used and can be treated as Mocks.

Injected Bugs

The following are precommitment hashes of descriptions of our possible injected bugs:
After conclusion of the bounty and internal/external audits, we plan to reveal and fix these possible injected bugs.
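The precommitment scheme described in the comment above (publish a hash of each injected-bug description now, reveal the description later) can be checked by participants once the reveal happens. The following is an added Python example, not tooling from the TrustToken program or the contracts-helium repository; the bug ids, descriptions, `DOMAIN` separator and salts are all constructed here for illustration, and the salted, length-prefixed construction is the example's own choice, not a description of how the program computed its hashes.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Domain separator (assumed, not from the program) so these commitments cannot be
# confused with other SHA-256 uses of the same description text.
DOMAIN = b"injected-bug-precommit-v1"


def commit(description: str, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Commit to a bug description without revealing it.

    Returns (hex digest, salt). The random salt stops anyone from brute-forcing
    short or predictable descriptions against the published digest, and the
    length prefix keeps the salt/description boundary unambiguous.
    """
    if salt is None:
        salt = secrets.token_bytes(32)
    payload = DOMAIN + len(salt).to_bytes(2, "big") + salt + description.encode("utf-8")
    return hashlib.sha256(payload).hexdigest(), salt


def verify_reveal(commitment_hex: str, description: str, salt: bytes) -> bool:
    """Recompute the digest from the revealed (description, salt) and compare."""
    expected, _ = commit(description, salt)
    return secrets.compare_digest(expected, commitment_hex)


def check_reveals(
    published: Dict[str, str], reveals: Dict[str, Tuple[str, bytes]]
) -> Dict[str, str]:
    """Match a published commitment list against a later reveal list.

    published: bug id -> hex digest announced at program start
    reveals:   bug id -> (description, salt) disclosed afterwards
    Returns bug id -> "ok" | "mismatch" | "missing", so that altered or
    never-revealed entries are visible to participants.
    """
    status: Dict[str, str] = {}
    for bug_id, digest in published.items():
        if bug_id not in reveals:
            status[bug_id] = "missing"
            continue
        desc, salt = reveals[bug_id]
        status[bug_id] = "ok" if verify_reveal(digest, desc, salt) else "mismatch"
    return status


# Constructed sample: hypothetical descriptions, not the program's real injected bugs.
SAMPLE_DESCRIPTIONS = {
    "bug-1": "Hypothetical: missing access check on a portfolio fee setter.",
    "bug-2": "Hypothetical: rounding in interest accrual favours the borrower.",
}


def demo() -> Dict[str, str]:
    """Run the commit phase, then a reveal phase with one tampered entry."""
    # Program start: publish digests only, keep (description, salt) private.
    kept = {bid: commit(desc) for bid, desc in SAMPLE_DESCRIPTIONS.items()}
    published = {bid: digest for bid, (digest, _) in kept.items()}

    # Reveal phase: disclose descriptions and salts. bug-2's description is
    # swapped for a different one to show that the check catches it.
    reveals = {bid: (SAMPLE_DESCRIPTIONS[bid], salt) for bid, (_, salt) in kept.items()}
    reveals["bug-2"] = ("Hypothetical: a different, milder description.", reveals["bug-2"][1])
    return check_reveals(published, reveals)


if __name__ == "__main__":
    print(demo())
```

The verifier only needs the published digests and the revealed (description, salt) pairs; it never needs the committer's cooperation beyond the reveal itself, which is what makes the precommitment list useful as evidence that the "original finding" classification was not adjusted after submissions came in.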

gitcoinbot commented 2 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 5000.0 USDC (5000.0 USD @ $1.0/USDC) attached to it.

gitcoinbot commented 2 years ago

Work has been started.

These users each claimed they can complete the work by 264 years, 6 months from now. Please review their action plans below:

1) minhquanym has started work.
   Working on source code of lending marketplace v2 smart contract

2) lokithe5th has started work.
   I will review the code within the scope of the bounty for any vulnerabilities.

3) rubydusa has started work.
   I will review the code within the scope of the bounty for any vulnerabilities.

4) ferdiakhmadirawan44 has started work.
   A worthy project for future stability of Cryptocurrency users according to testing rules

Learn more on the Gitcoin Issue Details page.

gitcoinbot commented 2 years ago

Work for 5000.0 USDC (5000.0 USD @ $1.0/USDC) has been submitted by:

  1. @ferdiakhmadirawan44
  2. @minhquanym
  3. @aldenioburgos

@yuchenlintt please take a look at the submitted work: