Nimbus is a DAO-governed platform providing users with 16 earning strategies based on lending and borrowing, classic IPO participation, start-up financing, staking, and more.
In Scope
Target | Type | Severity | Reward |
---|---|---|---|
P2P functionality (contracts in scope: NimbusP2P_V2.sol) | Web | Critical | Bounty |
NFTs (contracts in scope: SmartLP.sol, SmartLender.sol, SmartStaker/) | Code | Critical | Bounty |
Lending and Borrowing (contracts in scope: not specified) | Code | Critical | Bounty |
In-Scope Vulnerabilities
We are interested in the following vulnerabilities:
- Reentrancy
- Logic errors
  - Including user authentication errors
- Solidity/EVM details not considered
  - Including integer over-/under-flow
  - Including rounding errors
  - Including unhandled exceptions
- Trusting trust/dependency vulnerabilities
  - Including composability vulnerabilities
- Oracle failure/manipulation
- Novel governance attacks
- Economic/financial attacks
  - Including flash loan attacks
- Congestion and scalability
  - Including running out of gas
  - Including block stuffing
  - Including susceptibility to frontrunning
- Consensus failures
- Cryptography problems
  - Signature malleability
  - Susceptibility to replay attacks
  - Weak randomness
  - Weak encryption
- Susceptibility to block timestamp manipulation
- Missing access controls / unprotected internal or debugging interfaces
Out-of-Scope Vulnerabilities
Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following do not meet the severity threshold:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation or flash loan attacks, which remain in scope)
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
Program Rules
- Only original findings are rewarded: if two researchers report the same bug, the bounty goes to the report that was submitted first.
- Publicly disclosing a vulnerability before the Nimbus team has resolved it, without the team's explicit consent, makes the researcher ineligible for further participation.
- If you find a chain of vulnerabilities, only the vulnerability with the highest severity is paid.
- Do not break any law, and stay within the defined scope.
- Details of any vulnerability found must not be communicated to anyone other than the HackenProof Team or an authorized employee of this Company without appropriate permission.