TrueFi Lending Marketplace V2 Smart Contract Bug Bounty

yuchenlintt commented 2 years ago

About

TrueFi is an uncollateralized lending platform with over $1B+ loans originated.

This bug bounty covers new, pre-audit code with injected bugs.

During development, our eng team intentionally introduced vulnerabilities so we can benchmark our internal red team, external auditors, and this bug bounty. Thus we anticipate it will be easier to find bugs here than in a typical bug bounty. Think of this as like a CTF, with extra bonuses for original findings.

Rewards

Severity	Injected Bug Payout	Original Finding Payout
Medium	$500	$1,000
High	$500	$2,000
Critical	$500	$5,000

Our rewards are based on the severity of a vulnerability. TrustToken uses CVSS 3.0 (Common Vulnerability Scoring Standard) and the total percentage of potential capital loss to calculate severity. Please note, however, that reward decisions are up to the discretion of TrustToken and reward amounts may be adjusted during the program.

Program Rules

Please report vulnerabilities confidentially to security@trusttoken.com.
- Public disclosure of a vulnerability would make it ineligible for reward.
Only Solidity smart contract code is eligible.
- If you disclose a web vulnerability, we may decide to reward you at our discretion.
- Social engineering attacks (e.g. phishing) are ineligible.
All disclosed vulnerabilities must include a POC implementation with reproducible steps.
- This can be Solidity code, a Typescript test, or a list of actions that clearly shows how the bug occurs.
- If the report is not detailed enough to reproduce the issue, then the vulnerability is ineligible.
Our employees and contractors are ineligible for this program.
Submit one vulnerability per report, unless you need to chain vulnerabilities to prove impact.
When duplicates occur, we only reward the first report that was received.
- Injected bugs: we will reward the first report from this bug bounty even if our internal red team or an external auditor reports it first.
- Original findings: we will not reward findings if our internal red team or an external auditor is the first to report it.
Multiple vulnerabilities caused by one underlying issue will be rewarded one bounty.
Terms and conditions of the bug bounty program may vary over time.

Scope

Repository: https://github.com/trusttoken/contracts-helium

Commit hash: 0fe54efa2f1198b63bba12c65bb1a63d097b7d9c

The audit scope consists of the following contracts:

Base Portfolio:

BasePortfolio.sol
BasePortfolioFactory.sol

Flexible Portfolio + Fixed Interest Only Loans:

FlexiblePortfolio.sol
FlexiblePortfolioFactory.sol
FixedInterestOnlyLoans.sol

Automated Line of Credit:

AutomatedLineOfCredit.sol
AutomatedLineOfCreditFactory.sol

Governance:

governance/DaoGovernor.sol
governance/DaoToken.sol
governance/StkTruToken.sol
governance/VoteToken.sol

Others:

access/Manageable.sol
access/InitializableManageable.sol
ProtocolConfig.sol
strategies/DepositStrategy.sol
strategies/FIOLValuationStrategy.sol
strategies/LiquidValuationStrategy.sol
strategies/MultiInstrumentValuationStrategy.sol
strategies/NonUsOnlyDeposit.sol
strategies/TransferStrategy.sol
strategies/WhitelistDeposit.sol
strategies/WithdrawStrategy.sol
governance/common/ERC20.sol
governance/common/ProxyStorage.sol
governance/common/StkClaimableContract.sol

Note that BulletLoans (and related contracts) are not used and can be treated as Mocks.

Injected Bugs

The following are precommitment hashes of descriptions of our possible injected bugs:

0xab640ebc40127d19c49a4cf2b6f093727198c498c31d91bcb4ac4f4df4aae93f
0x7a104aa2d8ca0cbaaac9774c52714e179542efe09ed8b767533e196106c013ac
0x58b37cd12a912a6a83085c874b69db4356575fabfbe3e688558cf494fbc94eb9
0x9a16920a303ab4180e46a0b535236c0fc444f3aacf74366a944a667cc01467f1
0xd7e0da24e6a6650349c5d07f3e239d16b3e33f9cb7e8662a832d4b17f1f5927c
0xe0f264835e97282242a85f8541e1601bb626479415fd6b94d8380568a9dc67a3
0xc8783240dcb8384c5a90606aaa96d60556f9638843645fda9ada25d67fa337d4
0xd77900445b0183d38343f535a907536454e1b31bf63bcef7b612c01aec68341a
0xddfe2a030532a8f574731d9542202815346b956b1fc79cc0b84b9b6d630d879a
0xaf19306ad173b6ae2774d4acc7d7cbba0cf6528f34a0de25c142fd21e6f8def6
0x4dbdf685a2a6fa0d2e9a593606bfec65c89d82052fc9b8e16706ec1bcb1fa8db
0x35610a4f837bb8e7f1115fdd1b60dad1f4cea6eaf0af93ebf47192bd86bc8b02

After conclusion of the bounty and internal/external audits, we plan to reveal and fix these possible injected bugs.

gitcoinbot commented 2 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

This issue now has a funding of 5000.0 USDC (5000.0 USD @ $1.0/USDC) attached to it.

If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
- Want to chip in? Add your own contribution here.
- Questions? Checkout Gitcoin Help or the Gitcoin's Discord
- $5,551,254.47 more funded OSS Work available on the Gitcoin Issue Explorer

gitcoinbot commented 2 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

Work has been started.

These users each claimed they can complete the work by 264 years, 6 months from now. Please review their action plans below:

1) minhquanym has started work.

Working on source code of lending marketplace v2 smart contract 2) lokithe5th has started work.

I will review the code within the scope of the bounty for any vulnerabilities. 3) rubydusa has started work.

I will review the code within the scope of the bounty for any vulnerabilities 4) ferdiakhmadirawan44 has started work.

A worthy project for future stability of Cryptocurreny users According to Testing rules

Learn more on the Gitcoin Issue Details page.

gitcoinbot commented 2 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

Work for 5000.0 USDC (5000.0 USD @ $1.0/USDC) has been submitted by:

@yuchenlintt please take a look at the submitted work:

PR by @aldenioburgos
PR by @minhquanym
PR by @ferdiakhmadirawan44

Learn more on the Gitcoin Issue Details page
Want to chip in? Add your own contribution here.
Questions? Checkout Gitcoin Help or the Gitcoin's Discord
$4,781,932.19 more funded OSS Work available on the Gitcoin Issue Explorer

TrueFi-Protocol / bug-bounty