Arcade.xyz
Arcade.xyz is the first-of-its-kind Web3 platform to enable liquid lending markets for NFTs. At Arcade.xyz, we think all assets will eventually become digitized and that NFTs represent a 0 to 1 innovation in storing value and ownership attribution for unique digital assets.
PoC required
Assets in Scope
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something in the assets in scope table.
Out of scope
Within the defined scope above, the general rules are as follows.
The bug bounty is based on the following assumptions about token behavior:
- External token contracts (for collateral and principal currency) are assumed to follow relevant token standards (ERC20, ERC721, ERC1155).
- Any attack related to token upgradeability is out of scope.
- Lost principal or fees related to fee-on-transfer tokens are out of scope.
- Attacks related to special admin permission of tokens (e.g. an ERC721 or ERC20 where admins can transfer any user’s tokens) are out of scope.
- Attacks related to explicitly malicious implementations of standard token functions (e.g. ERC20 tokens that consume the block gas limit on transfer) are out of scope.
The bug bounty assumes the following operational and trust models:
- For any contract which is Ownable or contains privileged operations for certain addresses (e.g. upgradeable contracts), the owner addresses are assumed to behave rationally and honestly.
- All contracts should be assumed to be deployed and configured correctly.
- Each counterparty in the loan process is assumed to act in their own financial self-interest.
- Users in the staking process are assumed to act in their own financial self-interest.
- Any finding or impact which is derived from one of the above assumptions being broken (e.g., an ERC721 that does not revert on a failed transfer, or an upgradeable ERC20 that can be made to fail on transfer via upgrade) is out of scope for this program.
Any finding based on one counterparty misleading the other as to the nature of the loan principal or collateral is out of scope. For instance, a borrower using a fake BAYC contract as collateral to trick a lender into giving favorable terms is an attack that is out of scope for this program.
Any attack related to convincing lenders to lend against assets flagged as stolen on other platforms (e.g. OpenSea) is out of scope.
Any phishing attack that requires social engineering in order to convince one counterparty to enter a loan under false pretenses (e.g. forcing them to sign loan terms differing from the ones shown on a phishing UI) is considered out of scope for this program.
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Any attack that has been previously reported, whether or not it has been publicly disclosed
Smart Contracts
- Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks, which remain in scope)
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
- Non-protocol related attacks around signatures (e.g. phishing sites that entice users to sign signatures with unfavorable terms)
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty