EVC Bug Bounty Program

1. Introduction:

Background:

The Ethereum Vault Connector (EVC) represents a pivotal innovation in the world of decentralized finance. As a foundational layer, it is engineered to underpin the essential functions of a lending market, offering a stable and adaptable platform for development. The EVC stands out by its unique ability to facilitate interactions between various vaults. These vaults, conforming to the ERC-4626 interface, incorporate logic for seamless interfacing with other vaults, thus enhancing interoperability within the ecosystem.

Purpose and Importance:

At its core, the EVC simplifies and streamlines operations for core lending and borrowing contracts. By shouldering the complexity, it allows these contracts to concentrate on their unique features and capabilities. This not only fosters innovation but also ensures a higher degree of stability and security in financial operations. As the EVC prepares for its public release, our priority is to ensure its robustness and reliability.

Objective of the Bug Bounty Program:

The Euler EVC Bug Bounty Program is initiated with a clear objective: to harness the collective expertise of the community in identifying and addressing potential security vulnerabilities within the EVC. By engaging with skilled security researchers, ethical hackers, and the wider community, we aim to scrutinise the EVC for any weaknesses that could be exploited maliciously. This program serves as a proactive step towards fortifying the EVC’s security posture, ensuring it operates with the highest level of integrity and reliability in the decentralised finance landscape.

2. Scope of the Program:

The bug bounty program focuses on the following components within the Ethereum Vault Connector (EVC) ecosystem:

In Scope:

├── interfaces
│ ├── IERC1271.sol
│ ├── IEthereumVaultConnector.sol
│ └── IVault.sol
├── utils
│ └── EVCUtil.sol
├── Errors.sol
├── EthereumVaultConnector.sol
├── Events.sol
├── ExecutionContext.sol
├── Set.sol
└── TransientStorage.sol

Key Areas for Testing:

  • Security vulnerabilities in any of the listed contracts.
  • Functional flaws that could affect the integrity and reliability of the EVC.
  • Interactions between the contracts, especially concerning data handling and execution flow.

Out of Scope and Non-qualifying bugs:

  • Vulnerabilities in third-party libraries not directly related to the EVC’s core contracts.
  • Issues related to the underlying blockchain protocol.
  • Any issues/vulnerabilities discussed in the White Paper.
  • Any security issues/vulnerabilities already reported in the security audits.
  • Any security issue pertaining to the Lockdown and Permit Only Modes, considering they have not been audited yet.

3. Submission Guidelines:

For the Euler EVC Bug Bounty Program, all bug reports should be submitted publicly through GitHub issues in a designated repository. This approach promotes transparency and collaborative problem-solving within the community. To maintain consistency and thoroughness in reporting, participants are required to use the following template for the report to be eligible for reward:

Bug Report Template for Public Submission:

Title: [Concise and Descriptive Title Reflecting the Bug]

  1. Bug Description:

Summary: [A brief overview of the bug]

Details: [In-depth explanation of the bug, including how it impacts the system and possible consequences]

  2. Criticality Assessment:

Severity: [Critical/High/Medium/Low/Informational]

Justification: [Reasoning behind the severity rating, considering potential impact on security, functionality, and user experience]

  3. Proof of Concept (PoC):

Step-by-Step Reproduction: [Clear instructions on how to reproduce the bug]

Code/Screenshots: [Relevant code snippets or screenshots; GitHub gists can be used for longer code samples]

Environment Details: [Information about the environment where the bug was found, such as contract versions, tools used, etc.]

  4. Impact Analysis:

Affected Components: [Specify the parts of the system that are impacted by the bug]

Potential Exploits: [Discuss how the bug could be potentially exploited and the implications]

  5. Additional Information:

Consistency of Reproduction: [Indicate the frequency with which the bug can be reproduced]

Mitigation Suggestions: [Any recommendations for resolving or mitigating the bug]

  6. Reporter's Contact:

GitHub Username: [Your GitHub username]

Email: [Your email for follow-up discussions]

4. Proof of Concept (PoC) Requirements:

  • Runnable Code: PoCs must be executable, demonstrating the bug in a controlled environment.
  • Documentation: Clear documentation of each step in the PoC, including setup, exploitation process, and impact demonstration.
  • Code Standards: The submitted PoC should follow best coding practices, be well-commented, and include any necessary configuration files or dependencies.

5. Rewards and Classification:

Level      Payout
Critical   $20,000 to $200,000
High       $10,000 to $20,000
Medium     $2,000 to $10,000
Low        $100 to $2,000

Participants must comply with all legal requirements and must not engage in any activity that could harm Euler, its users, or the EVC. Failure to comply can result in disqualification or legal action.

7. Timeline:

Bug Bounty starts on 11.01.2024

8. Contact Information:

[email protected]

9. Disclaimer and Report Management:

To ensure the effectiveness and efficiency of the Euler EVC Bug Bounty Program, we include the following disclaimers and management guidelines:

Duplicate Reports:

  • First Report Priority: Only the first report of a specific vulnerability will be considered eligible for a reward. Subsequent reports of the same issue will be regarded as duplicates.
  • Documentation Check: Before submitting a report, participants are required to check the documentation to ensure the bug is not a feature.
  • Pending Pull Requests (PRs): Reports of vulnerabilities that are already addressed in PRs pending merge will not qualify as valid submissions. This is to acknowledge efforts already in progress to enhance the system's security.
  • Public Repository Check: Before submitting a report, participants are required to check the GitHub repository to ensure the bug has not already been reported. This also includes previous security audits.
  • Duplicate Notification: If a report is determined to be a duplicate, the reporter will be notified accordingly.

Severity and Reward Discretion:

  • Severity Assessment: Euler reserves the right to determine the severity of each reported bug. This assessment will be based on the potential impact, exploitability, and other relevant factors.
  • Reward Allocation: Rewards for valid bug reports will be determined at the discretion of Euler, based on the assessed severity and in accordance with the reward structure outlined in the program.
  • Final Decision: The decisions made by Euler regarding severity classification and reward allocation are final and binding.

Responsible Reporting:

We encourage reporters to collaborate with the Euler team in resolving the identified issue, maintaining a constructive and cooperative approach.

These guidelines are established to manage the bug bounty process effectively, ensuring fair and orderly reporting and reward distribution. Participants are urged to adhere to these principles to contribute positively to the security and integrity of the Ethereum Vault Connector.

10. Additional Information:

For additional documentation please refer to:

Github: link

Docs: link

Specs: link

Diagrams: link

Security Audits: link