Bug Bounty Program

Aero Fed

• Base Network Fed -0x24a3C49e5Cd8786498e9051F5Be7D6e86B263c8B

• AeroFedMessenger (AeroFarmerMessenger)- 0xf090f285b6eaeb7e22487029b42a9ae59224056f

• Aero Fed Base (AeroFarmer) - 0x2457937668a345305FE08736F407Fba3F39cbF2f

• BaseFedCCTP - 0x783719ddf09d2ee0960bb365f7ef652bfe35f54d

• AeroFarmerMessengerV2 -0x09af9e0d4932604913f7cd77ad5e157f0bc700ea

• AeroFarmerV2 - 0xe96e99a5a3512468a4aafc317d77c6fa0289f5f3

Anchor Fed

• Anchor Fed - 0x5e075e40d01c82b6bf0b0ecdb4eb1d6984357ef7

Arbi Fed

• Arbi Fed - 0x0b5ec95257afd9534c953428ac833d19579843cb

• ArbiGovMessengerL1 - 0x5128559ccE352cD31f691CCD11310de34BDd89EA

• Arbitrum AuraFarmer - 0x1992af61fbf8ee38741bcc57d636caa22a1a7702

• AuraFarmerMessenger - 0x7275fd8a1b5f4874b10066236309d8901a848228

Aura Fed

• Aura Fed - 0x5C16aE212f8d721FAb74164d1039d4514b11DB54

Convex Fed

• Convex Fed v2 - 0x83FB6f6524eb8c85bDAB818981E918dB17e723CD

FiRM Fed

• FiRM Fed - 0x2b34548b865ad66a2b046cb82e59ee43f75b90fd

Velo Fed

• OptiFedCCTP - 0x52ffd313cc11882b75879c41d837b20f974ea88f

• VeloFarmerMessengerV3 - 0x19d9fd272962d5994d2bea719c54bce7bda44aa7

• VeloFarmerV3 - 0x9060a61994f700632d16d6d2938ca3c7a1d344cb

• OptiFed - 0xfEd533e0Ec584D6FF40281a7850c4621D258b43d

• VeloFarmerMessengerV2 -0x257d2836c8f5797581740543f853403b81c44b5a

• VeloFarmerV2 - 0x8bbd036d018657e454f679e7c4726f7a8ece2773

• Debt Repayer - 0x9eb6BF2E582279cfC1988d3F2043Ff4DF18fa6A0

• Debt Converter - 0x1ff9c712b011cbf05b67a6850281b13ca27ecb2a

• DBR Auction - 0x933cBE81313d9dD523dF6dC9B899A7AF8Ba073e3

• DOLA - 0x865377367054516e17014ccded1e7d814edc9ce4

• DOLA Savings Account (DSA) - 0xE5f24791E273Cb96A1f8E5B67Bc2397F0AD9B8B4

• sDOLA - 0xb45ad160634c528cc3d2926d9807104fa3157305

• sDOLA Helper - 0x3b3e4541975b9d754e27a8d68f259089d35fca61

• MainnetDolaFlashMinterV2 - 0x6C5Fdc0c53b122Ae0f15a863C349f3A481DE8f1F

Controller

• BorrowController - 0x44b7895989bc7886423f06deaa844d413384b0d6

Escrow

• Simple erc20 Escrow - 0xc06053fcad0a0df7cc32289a135bbea9030c010f

• Convex Curve Escrow - 0x2F32a5E5E000d1a7257090DF260fC08F0Bab2125

• INV Escrow - 0x502a7759809bD673cd39A0055beed44b40EAac98

• Convex Fraxshare Escrow - 0xCa78ee4544ec5a33Af86F1E786EfC7d3652bf005

• DAI Escrow - 0xCcABAD4923c14E48C9C27e6C4556C1CAf4E91eBB

• ERC-4626 Escrow - 0x1dfE66A6265D071E433675e97A53Ed4932aBD774

• Convex crvUSD-DOLA Escrow - 0xCB21Dc82C4346cE448808A8B9C51719F13cE00c3

• Convex Escrow for FRAXpyUSD/DOLA - 0x5a78852fc9246272e893c0189db0214ebdcab372

• Convex Escrow for FRAX/FRAXBP - 0x5527f27510f4ad9d5bbf23f9dd55334fc25a8877

Feed

• Convex Curve Price Feed - 0x0266445Ea652F8467cbaA344Fcf531FF8f3d6462

• st-yCRV Price Feed - 0xfc63C9c8Ba44AE89C01265453Ed4F427C80cBd4E

• Convex Frax Share Price Feed - 0x7a1e123e41458aabaB8068BFed6010D8f9480898

• wstETH Price Feed - 0x894B896cDc772656Cbb1eE28e6Bd4a704caA7b61

• INV Price Feed - 0x7cd14096CD6f81E31e945afB7De41a5D7D970589

• wBTC Price Feed - 0x857E5ABDeCeAd6BCC1aC21e69B4E98Ff42cE10a0

• st-yETH Price Feed - 0xbBE5FaBbB55c2c79ae1efE6b5bd52048A199e166

• sFRAX Price Feed - 0x90787a14B3D30E4865C9cF7b61B6FC04533A5F48

• CrvUSD-DOLA LP Feed - 0x4ef6ba5ef7ddb259ad98cd86e1a282884cbe0c0f

• Primary crvUSD Feed - 0xD78527F9853da96FEbc4aF423527309810b83Ec1

• Fallback crvUSD - 0x92B57f41e90F8320EADdfCF22BB8AF45b0E5ed4E

• USDC-USD Chainlink Wrapper - 0xc193409C9437C96146018dec6c650a9ab32C9117

• Yearn LP Feed V2 (DOLA/crvUSD Market) - 0x11d3e00f3df84a7bb805b9fcef44dd479e071975

• DolaFraxpyUSD LP Feed - 0x85A390F189C0642D0CbB88E150057e3065F3c698

• FraxpyUSD LP Feed - 0xFDc4a4ABcd45518CfBc3F8d43a48f5513FFAb891

• DolaFixedPriceFeed - 0x5CB542EB054f81b8Fa1760c077f44AA80271c75D

• Main Frax Feed - 0x4f424B135739cc8F2fD538d1F58c23b07546b4a2

• Main pyUSD Feed - 0xAbFC2814690D0b54bAb4E329d636d2a2E576dF81

• pyUSD Fallback - 0x1979BDeCF2E6C2FAfd838AE5842AD5A87D367b81

• Base USDC/USD Wrapper for Chainlink - 0x5B4e043d614809A4b240Ed4Be7D1589f7871a749

• Yearn LP Feed (DOLA/FRAXpyUSD Market) - 0xCe11740bD83cA366e76Ee5ff775134288D9f891e

• DOLAFraxBP LP Feed - 0x3a50fca6d732facdbb06d57f0d46d0fc52daa2f8

• FRAXBP Pessimistic LP Feed - 0x4e7a947f1852540ec7c6e1d900b3c3c3b66111e5

• Main USDC Feed - 0xd35606446b9c63ad502c09e1d53e12464a79c687

• USDC Fallback - 0xab56a0ce51028ac286022bc8917bf326ef5f1701

• Base ETH/USD Wrapper for Chainlink ETH/USD - 0x5cbe8f3d9ff92d66c0cd1863352388515c35eb51

• Yearn LP Feed (DOLA/FRAXBP Market) - 0x11de7caa229d3c808756f84883c73075a530fb5f

• PT-sUSDe-MAR272025 Feed Switch - 0xddb5653fac7a215139141863b2fad021d44d7ee4

• sUSDe/USD Chainlink Wrapper - 0xd723a0910e261de49a90779d38a94afaaa028f15

• sUSDe Chainlink USD feed divided USDe:sUSDe exchange rate - 0x6277cb27232f35c75d3d908b26f3670e7d167400

• USDe/USD Chainlink Wrapper - 0xb3c1d801a02d88adc96a294123c2daa382345058

Helper

• CurveHelper - 0x0aBb47c564296D34B0F5B068361985f507fe123c

• ERC4626Helper - 0xfBd90607CC42f8AE0E8b0Ac94e7aB1631e494aBd

• ALEv2 - 0x5233f4C2515ae21B540c438862Abb5603506dEBC

• CurveDolaLPHelper - 0x6c592Fe4deA245B296476fd72863E8b2B739f911

• yvyCRV Helper - 0xe61d1c71a2311100670932c79b7316e9a568e401

Market

• WETH Market - 0x63df5e23db45a2066508318f172ba45b9cd37035

• CRV Market - 0x63fAd99705a255fE2D500e498dbb3A9aE5AA1Ee8

• cvxCRV Market - 0x3474ad0e3a9775c9F68B415A7a9880B0CAB9397a

• INV Market - 0xb516247596Ca36bf32876199FBdCaD6B3322330B

• yvyCRV Market - 0x27b6c301Fd441f3345d61B7a4245E1F823c3F9c4

• DAI Market - 0x0971B1690d101169BFca4715897aD3a9b3C39b26

• Staked CVX Market - 0xdc2265cBD15beD67b5F2c0B82e23FcE4a07ddF6b

• wstETH Market - 0x3FD3daBB9F9480621C8A111603D3Ba70F17550BC

• wBTC Market - 0x48BA574Edf0bc4E2E40B529863aaA6a67c264E7C

• st-yETH Market - 0x0c0bb843FAbda441edeFB93331cFff8EC92bD168

• sFRAX Market - 0xFEA3A862eE4b3F9b6015581d6d2D25AF816C54f1

• COMP Market - 0x29fe42F4F71Ba5b9a7aaE794468e7ca4128a93b8

• sUSDe Market - 0x79eF6d28C41e47A588E2F2ffB4140Eb6d952AEc4

• Convex crvUSD-DOLA Market - 0x6A522f3BD3fDA15e74180953f203cf55aA6C631E

• Yearn crvUSD-DOLA Market - 0xe85943e280776254ee6C9801553B93F10Ef4C99C

• cbBTC Market - 0x2A256306D8ba899E33B01e495982656884Ac77FF

• Convex DOLA-FraxPyUSD Market - 0x4797A68c8feB383c3372c0e098533aCf8eD95B26

• Yearn DOLA-FraxpyUSD Market - 0xf013D998D4cf7f45547958094F1EEE75Ca43c4f5

• Convex DOLA-FRAXBP Market - 0x87df9a00f0e4908e61756d2fcb348adf95ce72ea

• Yearn DOLA-FRAXBP Market - 0x8205be13cc245740f9ea23dc88a9b56206bec0e3

• PT-sUSDe-MAR272025 Market - 0x0dfe3d04536a74dd532dd0cef5005ba14c5f4112

Oracle

• Oracle - 0xabe146cf570fd27ddd985895ce9b138a7110cce8

Payments

• DBR Distributor - 0xdcd2D918511Ba39F2872EB731BB88681AE184244

Token

• DBR - 0xad038eb671c44b853887a7e32528fab35dc5d710

• INV - 0x41d5d79431a913c4ae7d69a668ecdfe5ff9dfb68

• xINV - 0x1637e4e9941d55703a7a5e7807d6ada3f7dcd61b

• Xinv Manager - 0x07eb8fd853c847d6e25f29e566d605cff474909d

• XinvVestorFactory - 0xe1C67007D1074bcAcC577DD946661F0CB9053A19

• sINV v2 - 0x08d23468A467d2bb86FaE0e32F247A26C7E2e994

• sInvHelper - 0x43A766DB039617fDfAdDDc1863cAE2F690cFA7bc

• Treasury - 0x926df14a23be491164dcf93f4c468a50ef659d5b

• Governor Mills - 0xbeccb6bb0aa4ab551966a7e4b97cec74bb359bf6

• MultiDelegator - 0x1ba87bE4C20Fa2d4cbD8e4Ae9998649226207F76

• Payroll - 0x32edDd879B199503c6Fc37DF95b8920Cd415358F

Critical

• Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results

• Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield.

• Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties

• Permanent freezing of funds

• Permanent freezing of NFTs

• Unauthorized minting of NFTs

• Predictable or manipulable RNG that results in abuse of the principal or NFT

• Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)

• Protocol insolvency

• Theft of unclaimed yield

• Theft of unclaimed royalties

• Permanent freezing of unclaimed yield

• Permanent freezing of unclaimed royalties

Websites and Applications

• Direct theft of user funds

• Malicious interactions with an already-connected wallet, such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions

High

• Temporary freezing of funds

• Temporary freezing of NFTs

Medium

• Smart contract unable to operate due to lack of token funds

• Block stuffing

• Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

• Theft of gas

• Unbounded gas consumption

Low

• Contract fails to deliver promised returns, but doesn't lose value

These impacts are out of scope for this bug bounty program.

All Categories:

• Impacts requiring attacks that the reporter has already exploited themselves, leading to damage

• Impacts caused by attacks requiring access to leaked keys/credentials

• Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible

• Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code

• Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production

• Best practice recommendations

• Feature requests

• Impacts on test files and configuration files unless stated otherwise in the bug bounty program

Blockchain/DLT & Smart Contract Specific:

• Incorrect data supplied by third party oracles

  • Not to exclude oracle manipulation/flash loan attacks

• Impacts requiring basic economic and governance attacks (e.g. 51% attack)

• Lack of liquidity impacts

• Impacts from Sybil attacks

• Impacts involving centralization risks

Websites and Apps

• Theoretical impacts without any proof or demonstration

• Impacts involving attacks requiring physical access to the victim device

• Impacts involving attacks requiring access to the local network of the victim

• Reflected plain text injection (e.g. url parameters, path, etc.)

  • This does not exclude reflected HTML injection with or without JavaScript

  • This does not exclude persistent plain text injection

• Any impacts involving self-XSS

• Captcha bypass using OCR without impact demonstration

• CSRF with no state modifying security impact (e.g. logout CSRF)

• Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact

• Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces

• Impacts causing only the enumeration or confirmation of the existence of users or tenants

• Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows

• Lack of SSL/TLS best practices

• Impacts that only require DDoS

• UX and UI impacts that do not materially disrupt use of the platform

• Impacts primarily caused by browser/plugin defects

• Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)

• Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)

• SPF/DMARC misconfigured records)

• Missing HTTP Headers without demonstrated impact

• Automated scanner reports without demonstrated impact

• UI/UX best practice recommendations

• Non-future-proof NFT rendering