Bug bounty
Triaged by Hackenproof

Scallop Protocol (Smart Contract): Program info

Company: Scallop
This program is active now

Scallop is the Next Generation Money Market which emphasizes institutional-grade quality, enhanced composability, and robust security.

In scope

Target: https://github.com/scallop-io/sui-lending-protocol
Description: Core Smart contract protocol.
Type: Smart Contract
Severity: Critical
Reward: Bounty

Focus Area

General

All rewards will be paid in SUI/USDC/SCA and sent to the wallet address provided by the reporter. Rewards cannot be converted to other cryptocurrencies or fiat.

Rewards for findings are capped based on their severity levels as follows:

  • Low severity: $30 - $300
  • Medium severity: $300 - $3,000
  • High severity: $3,000 - $30,000
  • Critical severity: $30,000 - $300,000
  • Exceptional critical cases: Over $300,000 (depending on the specifics of the case)

In-Scope Vulnerabilities (Smart Contract)

The list is not limited to the following submissions, but it gives an overview of the issues we care about:

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield (Critical).
  • Taking over a capability that allows manipulation of the protocol and causes major damage to it (Critical).
  • Theft of unclaimed yield (High).
  • Direct theft of any funds from the Scallop Treasury (High).
  • Fee payment bypass (Medium).
  • Block stuffing for profit (Medium).
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) (Medium).

Out-of-Scope Vulnerabilities (Smart Contract)

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
  • Impacts caused by attacks requiring access to leaked keys/credentials.
  • Attacks requiring access to privileged addresses (governance, strategist).
  • Theoretical vulnerabilities without any proof or demonstration.
  • Vulnerabilities in imported contracts.
  • Code style guide violations.
  • Redundant code.
  • Gas optimizations.
  • Best practice issues.
  • Vulnerabilities that can be exploited through front-run attacks only.
  • Impact involving centralization risk.
  • Impact from lack of liquidity.
  • Impact from Sybil attacks.

Known Issues

Check the following link for known issues. Please keep in mind that we will continue to update the known issues list, but we cannot guarantee that it covers every aspect. Please do your own research before submitting any reports.

https://github.com/scallop-io/sui-lending-protocol/wiki/Known-Issues

Program Rules

  • Do not test against mainnet or public testnet contracts; all testing should be done on private testnets
  • Do not test against pricing oracles or third-party smart contracts
  • Do not attempt phishing or other social engineering attacks against our employees and/or customers
  • Do not test third-party systems and applications (e.g. browser extensions) or websites (e.g. SSO providers, advertising networks)
  • Do not perform denial of service attacks
  • Do not run automated testing of services that generates significant amounts of traffic
  • Do not publicly disclose an unpatched vulnerability in an embargoed bounty
  • Avoid using web application scanners for automatic vulnerability searching, which generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, or interrupting or degrading any service
  • Don’t access or modify other users’ data; localize all tests to your own accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If you find a chain of vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law, and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team member or an authorized employee of this Company without appropriate permission

Dev environment and Documentations

Scallop also provides resources and documentation that can help you understand our program and how the protocol works.

Core Smart contract: https://github.com/scallop-io/sui-lending-protocol/blob/main/contract-integration.md
Docs: https://docs.scallop.io/

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports that help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of the Company or one of its contractors.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded).
  • Provide detailed but to-the-point reproduction steps.

Rewards

Range of bounty: $30 - $300,000

  • Critical: $30,000 - $300,000
  • High: $3,000 - $30,000
  • Medium: $300 - $3,000
  • Low: $30 - $300

Stats

  • Scope Review: 691
  • Submissions: 4
  • Total rewards: $0

Types: smart contract, blockchain
Languages: Move
Project types: Lending

SLA (Service Level Agreement)

Time within which the program's triage team must respond (business days):

  • First Response: 3d
  • Triage Time: 3d
  • Reward Time: 3d
  • Resolution Time: 14d