Yearn Finance
Yearn Finance is a suite of Decentralized Finance (DeFi) products that provide lending aggregation and yield generation on the Ethereum blockchain. The protocol is maintained by various independent developers and is governed by YFI holders. Their products include:
PoC required
Assets in Scope
Impacts in Scope
Out of scope
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist). This includes roles that could potentially be opened up in the future.
- Incorrect data supplied by third-party oracles. This item does not exclude oracle manipulation or flash loan attacks.
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Any report on contracts not actively or directly supported by Yearn Finance (e.g. Ironbank).
- Reports on the following helper contracts, which are not in scope and not eligible for bounties:
- https://etherscan.io/address/0x5b4F3BE554a88Bd0f8d8769B9260be865ba03B4a
- https://etherscan.io/address/0x437758D475F70249e03EDa6bE23684aD1FC375F0
- https://etherscan.io/address/0xa0B57619A980DFEfD50f24F310EE1b55A40A9D46
- https://ftmscan.com/address/0x97D0bE2a72fc4Db90eD9Dbc2Ea7F03B4968f6938
- https://ftmscan.com/address/0x8ca27a3ab8917a033f278D20135d2467faA099bA
- https://ftmscan.com/address/0x5ABdfDfa0cF2d83c4755E0a2a782eF57FEd5c23B
- https://arbiscan.io/address/0x3a8efa2d87d60c0289f19b44a0928f4269c0f094
- https://arbiscan.io/address/0x66a1a27f4b22dcaa24e427dcffbf0cddd9d35e0f
- https://optimistic.etherscan.io/address/0xD63aB09ac2048a7eCac92f0fFad5F104edD0E032
- https://optimistic.etherscan.io/address/0xD3A93C794ee2798D8f7906493Cd3c2A835aa0074
Rules
The rules of this bug bounty are as follows:
- Bug has not been publicly disclosed.
- Vulnerabilities that have been previously submitted by another contributor or already known by the Yearn development team are not eligible for rewards.
- The size of the bounty payout depends on the assessment of the severity of the exploit. Please refer to the rewards section below for additional details.
- Bugs must be reproducible in order for us to verify the vulnerability.
- Rewards and the validity of bugs are determined by the Yearn security team and any payouts are made at their sole discretion.
- Terms and conditions of the Bug Bounty program can be changed at any time at the discretion of Yearn.
- Details of any valid bugs may be shared with complementary protocols utilized in the Yearn ecosystem in order to promote ecosystem cohesion and safety.
Bug Bounty FAQ
Q: Is there a time limit for the Bug Bounty program? A: No. The Bug Bounty program currently has no end date, but this can be changed at any time at the discretion of Yearn.
Q: Can I submit bugs anonymously and still receive payment? A: Yes. If you wish to remain anonymous you can do so and still be eligible for rewards as long as they are for valid bugs. Rewards will be sent to the valid Ethereum address that you provide.
Q: Can I donate my reward to charity? A: Yes. You may donate your reward to a charity of your choosing, or to a gitcoin grant.