🐞Bug Bounty

TxPipe’s V2 audit has marked the end of a successful round of safety checks before launching Lenfi V2 on mainnet. Now, we’re inviting everyone to a bug hunting event with our V2 Bug Bounty Program. All the details about this program are provided below.

When it comes to crypto lending and borrowing, safety is of crucial importance for us. In this regard, engaging the community in the V2 Bug Bounty Program embraces the multi-faceted security standard of major protocols. At the same time, it aims to encourage active participation from developers by incentivizing them to uncover any potential vulnerabilities in our smart contract code.

This proactive approach ensures that we can promptly mitigate risks associated with the following scenarios:

  • Thefts and freezing of principal of any amount.

  • System shutdowns that could jeopardize users’ funds.

Eligibility Requirements and Guidelines

All rewards will be disbursed by the Lenfi team, with a fixed amount of $20,000 USD for identifying critical smart contract vulnerabilities. Although the reward size is denominated in USD, the actual payouts will be made in ADA.

To qualify for a reward, you must:

  • Report a previously unreported vulnerability that is not already known to the team and is within the scope of the Program.

  • Be the first to disclose the unique vulnerability in compliance with the disclosure requirements.

  • Provide sufficient information to enable our engineers to reproduce the bug.

  • Avoid privacy violations, destruction of data, interruption or degradation of any of the assets in scope.

  • Provide recommendations on how to rectify the identified vulnerability.

Assets in Scope

Participants can review all Lenfi smart contracts on our GitHub repository. However, only the assets listed below are eligible for bug bounty program rewards:

Disclaimer: If you uncover any critical vulnerabilities related to other Lenfi assets that are not on the provided list, please report them to be considered for a reward.

Prohibited Practices

Our bug bounty program adheres to principles of fairness and transparency. Consequently, we will not reward vulnerabilities falling under the following categories:

  • Self-exploited attacks resulting in harm.

  • Breaches related to leaked keys or credentials.

  • Attacks targeting privileged addresses, such as governance accounts.

  • Reporting a vulnerability after exploiting it in a way that made it public or earned you a profit (other than a reward under this Program).

Additionally, the following activities are strictly prohibited within the Lenfi V2 bug bounty program:

  • Any form of phishing or social engineering attacks against our protocol’s employees or users.

  • Testing conducted through third-party applications (e.g., browser extensions) or external websites (e.g., SSO, advertising platforms, etc.).

  • Distributed Denial of Service (DDoS) attacks.

  • Automated testing that generates excessive traffic.

  • Public disclosure of unpatched vulnerabilities after receiving a reward.

  • Other unlawful conduct when disclosing the bug, including threats, demands, or any other coercive tactics.

How to Submit a Bug Report

To report a bug, please contact us via email at info@aada.finance, join our Telegram group, or participate in our Discord community. When filing a bug report, include a short description of the discovered vulnerability along with a step-by-step reproduction guide. Don’t forget to attach your Discord or Telegram username so we can reach out to you if needed.

Disclosure Agreement

This Program adheres to strict non-disclosure standards. Any reported issue must not be shared publicly or with any other entity before the Lenfi team. The Lenfi team can grant Program participants permission for public disclosure only after finding a proper solution to the reported issue. After effective resolution of the reported vulnerabilities, the Lenfi team reserves the right to recognize the contributor if allowed.
