Bug Bounty

ImmuneFi Vault

Inverse Finance Sec-Ops Team has set up a 50,000 DOLA Bug Bounty vault on the ImmuneFi Platform. Users can report bugs anonymously through ImmuneFi to be reviewed by our committee. Read more about the Bug Bounty Program here.

Assets in Scope

All smart contracts of Inverse Finance can be found at https://github.com/InverseFinance. However, only those items explicitly listed in the Assets list below are considered eligible for Inverse’s bug bounty program and, therefore, in-scope. We consider bug bounties to be a lasting complement to any external or in-house security audit capabilities that Inverse Finance develops. As such, smart contracts will only be eligible for the Bug Bounty Program once they have undergone our review process which may include rigorous testing by a third party auditor.

Assets

Base Network Fed - https://etherscan.io/address/0x24a3C49e5Cd8786498e9051F5Be7D6e86B263c8B

AeroFedMessenger - https://etherscan.io/address/0xf090f285b6eaeb7e22487029b42a9ae59224056f

Aero Fed Base - https://basescan.org/address/0x2457937668a345305FE08736F407Fba3F39cbF2f

Anchor Fed - https://etherscan.io/address/0x5e075e40d01c82b6bf0b0ecdb4eb1d6984357ef7

Arbi Fed - https://etherscan.io/address/0x0b5ec95257afd9534c953428ac833d19579843cb

ArbiGovMessengerL1 - https://etherscan.io/address/0x5128559ccE352cD31f691CCD11310de34BDd89EA

Arbitrum AuraFarmer - https://arbiscan.io/address/0x1992af61fbf8ee38741bcc57d636caa22a1a7702

AuraFarmerMessenger - https://etherscan.io/address/0x7275fd8a1b5f4874b10066236309d8901a848228

Aura Fed - https://etherscan.io/address/0x5C16aE212f8d721FAb74164d1039d4514b11DB54

Debt Converter - https://etherscan.io/address/0x1ff9c712b011cbf05b67a6850281b13ca27ecb2a

Debt Repayer - https://etherscan.io/address/0x9eb6bf2e582279cfc1988d3f2043ff4df18fa6a0

Convex Fed - https://etherscan.io/address/0xF382d062DF29CF5E400c131C1383c9E6Cd174305

DOLA - https://etherscan.io/address/0x865377367054516e17014ccded1e7d814edc9ce4

Simple erc20 Escrow - https://etherscan.io/address/0xc06053fcad0a0df7cc32289a135bbea9030c010f

GOhm Token Escrow - https://etherscan.io/address/0xb4c4cD74e7b99ad2cf2f7b3A4F7091efB8BCeb7A

DAI Escrow - https://etherscan.io/address/0xCcABAD4923c14E48C9C27e6C4556C1CAf4E91eBB

ERC4626 escrow - https://etherscan.io/address/0x1dfE66A6265D071E433675e97A53Ed4932aBD774

Convex Frax Share Price Feed - https://etherscan.io/address/0x7a1e123e41458aabaB8068BFed6010D8f9480898

Convex Curve Price Feed - https://etherscan.io/address/0x0266445Ea652F8467cbaA344Fcf531FF8f3d6462

CurveHelper - https://etherscan.io/address/0x0aBb47c564296D34B0F5B068361985f507fe123c

Convex Fraxshare Escrow - https://etherscan.io/address/0xCa78ee4544ec5a33Af86F1E786EfC7d3652bf005

DBR Distributor - https://etherscan.io/address/0xdcd2D918511Ba39F2872EB731BB88681AE184244

Convex Curve Escrow - https://etherscan.io/address/0x2F32a5E5E000d1a7257090DF260fC08F0Bab2125

FiRM Fed - https://etherscan.io/address/0x2b34548b865ad66a2b046cb82e59ee43f75b90fd

BorrowController - https://etherscan.io/address/0x44b7895989bc7886423f06deaa844d413384b0d6

INV Escrow - https://etherscan.io/address/0x502a7759809bD673cd39A0055beed44b40EAac98

Oracle - https://etherscan.io/address/0xabe146cf570fd27ddd985895ce9b138a7110cce8

DBR - https://etherscan.io/address/0xad038eb671c44b853887a7e32528fab35dc5d710

Market - https://etherscan.io/address/0x63df5e23db45a2066508318f172ba45b9cd37035

DAI Market - https://etherscan.io/address/0x0971B1690d101169BFca4715897aD3a9b3C39b26

cvxCRV Market - https://etherscan.io/address/0x3474ad0e3a9775c9F68B415A7a9880B0CAB9397a

cvxFXS Market - https://etherscan.io/address/0x93685185666c8D34ad4c574B3DBF41231bbfB31b

st-yCRV Market - https://etherscan.io/address/0x27b6c301Fd441f3345d61B7a4245E1F823c3F9c4

Staked CVX Market - https://etherscan.io/address/0xdc2265cBD15beD67b5F2c0B82e23FcE4a07ddF6b

gOHM Market - https://etherscan.io/address/0x7Cd3ab8354289BEF52c84c2BF0A54E3608e66b37

stETH Market - https://etherscan.io/address/0x743A502cf0e213F6FEE56cD9C6B03dE7Fa951dCf

CRV Market - https://etherscan.io/address/0x63fAd99705a255fE2D500e498dbb3A9aE5AA1Ee8

INV Market - https://etherscan.io/address/0xb516247596Ca36bf32876199FBdCaD6B3322330B

Treasury - https://etherscan.io/address/0x926df14a23be491164dcf93f4c468a50ef659d5b

Xinv Manager - https://etherscan.io/address/0x07eb8fd853c847d6e25f29e566d605cff474909d

Governor Mills - https://etherscan.io/address/0xbeccb6bb0aa4ab551966a7e4b97cec74bb359bf6

xINV - https://etherscan.io/address/0x1637e4e9941d55703a7a5e7807d6ada3f7dcd61b

INV - https://etherscan.io/address/0x41d5d79431a913c4ae7d69a668ecdfe5ff9dfb68

Payroll - https://etherscan.io/address/0x32edDd879B199503c6Fc37DF95b8920Cd415358F

MultiDelegator - https://etherscan.io/address/0x1ba87bE4C20Fa2d4cbD8e4Ae9998649226207F76

XinvVestorFactory - https://etherscan.io/address/0xe1C67007D1074bcAcC577DD946661F0CB9053A19

Opti Fed - https://etherscan.io/address/0xfEd533e0Ec584D6FF40281a7850c4621D258b43d

VeloFarmerV2 - https://optimistic.etherscan.io/address/0x8bbd036d018657e454f679e7c4726f7a8ece2773

VeloFarmerMessenger - https://etherscan.io/address/0x257d2836c8f5797581740543f853403b81c44b5a

ALE - https://etherscan.io/address/0x958979432a7c58fd3f30be8071bba79401bbae3e

Home page - https://www.inverse.finance:443

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Critical

  • Manipulation of a governance voting result so that it deviates from the voted outcome, directly changing the intended effect of the original result

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield.

  • Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties

  • Permanent freezing of funds

  • Permanent freezing of NFTs

  • Unauthorized minting of NFTs

  • Predictable or manipulable RNG that results in abuse of the principal or NFT

  • Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)

  • Protocol insolvency

  • Theft of unclaimed yield

  • Theft of unclaimed royalties

  • Permanent freezing of unclaimed yield

  • Permanent freezing of unclaimed royalties

Websites and Applications

  • Direct theft of user funds

  • Malicious interactions with an already-connected wallet, such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions

High

  • Temporary freezing of funds

  • Temporary freezing of NFTs

Medium

  • Smart contract unable to operate due to lack of token funds

  • Block stuffing

  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

  • Theft of gas

  • Unbounded gas consumption

Low

  • Contract fails to deliver promised returns, but doesn't lose value

Out of Scope

These impacts are out of scope for this bug bounty program.

All Categories:

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage

  • Impacts caused by attacks requiring access to leaked keys/credentials

  • Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible

  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code

  • Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production

  • Best practice recommendations

  • Feature requests

  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program

Blockchain/DLT & Smart Contract Specific:

  • Incorrect data supplied by third party oracles

    • Not to exclude oracle manipulation/flash loan attacks

  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)

  • Lack of liquidity impacts

  • Impacts from Sybil attacks

  • Impacts involving centralization risks

Websites and Apps

  • Theoretical impacts without any proof or demonstration

  • Impacts involving attacks requiring physical access to the victim device

  • Impacts involving attacks requiring access to the local network of the victim

  • Reflected plain text injection (e.g. url parameters, path, etc.)

    • This does not exclude reflected HTML injection with or without JavaScript

    • This does not exclude persistent plain text injection

  • Any impacts involving self-XSS

  • Captcha bypass using OCR without impact demonstration

  • CSRF with no state modifying security impact (e.g. logout CSRF)

  • Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact

  • Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces

  • Impacts causing only the enumeration or confirmation of the existence of users or tenants

  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows

  • Lack of SSL/TLS best practices

  • Impacts that only require DDoS

  • UX and UI impacts that do not materially disrupt use of the platform

  • Impacts primarily caused by browser/plugin defects

  • Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)

  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)

  • SPF/DMARC misconfigured records

  • Missing HTTP Headers without demonstrated impact

  • Automated scanner reports without demonstrated impact

  • UI/UX best practice recommendations

  • Non-future-proof NFT rendering

Rules

The following activities are prohibited by this bug bounty program:

  • Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet

  • Any testing with pricing oracles or third-party smart contracts

  • Attempting phishing or other social engineering attacks against our employees and/or customers

  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)

  • Any denial of service attacks that are executed against project assets

  • Automated testing of services that generates significant amounts of traffic

  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Please feel free to contact the Risk Working Group via our Discord Server with any questions about the rules or rewards for this program.