# Bug Bounty

## Program Overview

The bug bounty program covers the Solend smart contracts (no UI bugs) and is focused on preventing thefts and freezing of funds.

The Solend smart contracts are fully [open source](https://github.com/solendprotocol/solana-program-library).

## Rewards

Rewards are distributed according to the following classifications:

| Severity | Max Prize                                  |
| -------- | ------------------------------------------ |
| Critical | 10% of value at risk, up to $1,000,000 USD |
| High     | $50,000 USD                                |
| Medium   | $5,000 USD                                 |

Severity is classified by the following:

| Severity | Description                                                                                                                                                                    |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Critical | <p>- Empty or freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, MEV, logic errors, integer over-/under-flow)<br>- Cryptographic flaws</p>        |
| High     | <p>- Token holders temporarily unable to transfer holdings<br>- Users spoof each other<br>- Theft of yield<br>- Transient consensus failures</p>                               |
| Medium   | <p>- Contract consumes unbounded gas<br>- Block stuffing<br>- Griefing denial of service (i.e. attacker spends as much in gas as damage to the contract)<br>- Gas griefing</p> |

The actual prize amount is determined by a combination of factors including but not limited to severity, value at risk, and likelihood of being exploited.

Payouts are done in vesting SLND on Solana. This is anon-friendly (no KYC required).

## Reporting

Email us a detailed description of the attack at [security@solend.fi](mailto:security@solend.fi). Critical and High bug reports must come with a proof of concept.

## Scope

#### Assets in Scope

[Smart contract code](https://github.com/solendprotocol/solana-program-library/tree/871935cafc590bf1985bebfbc7e6399b153a5b40/token-lending)

The main file of the lending program is [here](https://github.com/solendprotocol/solana-program-library/blob/871935cafc590bf1985bebfbc7e6399b153a5b40/token-lending/program/src/processor.rs).

#### Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are considered out of scope, even if they affect the assets listed above.

**Smart Contracts**

* Loss of user funds staked (principal) by freezing or theft
* Loss of governance funds
* Theft of unclaimed yield
* Freezing of unclaimed yield
* Temporary freezing of funds for at least 1 hour
* Unable to call smart contract

#### Known Issues (not qualified)

Bug reports involving the position limit, where a user can only open so many positions before actions fail due to the computation limit, are not accepted in this bug bounty program.

Bug reports involving the borrow limit, where a user can still borrow even when the limit is set, are not accepted in this bug bounty program.

#### Prioritized Vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

**Smart Contracts and Blockchain**

* Re-entrancy
* Logic errors
  * Including user authentication errors
* Trust/dependency vulnerabilities
  * Composability vulnerabilities
* Oracle failure/manipulation
* Novel governance attacks
* Economic/financial attacks
  * Flash loan attacks
* Congestion and scalability
  * Running out of gas
  * Block stuffing
  * Susceptibility to front-running
* Consensus failures
* Cryptography problems
  * Signature malleability
  * Susceptibility to replay attacks
  * Weak randomness
  * Weak encryption
* Susceptibility to block timestamp manipulation
* Missing access controls / unprotected internal or debugging interfaces

## Out of Scope Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

* Attacks that the reporter has already exploited themselves, leading to damage
* Attacks requiring access to leaked keys/credentials
* Attacks requiring access to privileged addresses (governance, strategist)

**Smart Contracts and Blockchain**

* Incorrect data supplied by third party oracles
  * This does not exclude oracle manipulation/flash loan attacks, which remain in scope
* Basic economic governance attacks (e.g. 51% attack)
* Lack of liquidity
* Best practice critiques
* Sybil attacks

The following activities are prohibited by this bug bounty program:

* Any testing with mainnet contracts; all testing should be done on devnet or private testnets
* Any testing with live pricing oracles or live third party smart contracts
* Attempting phishing or other social engineering attacks against our employees and/or customers
* Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
* Any denial of service attacks
* Automated testing of services that generates significant amounts of traffic
* Public disclosure of an unpatched vulnerability in an embargoed bounty
