Program overview

Atlendis is a capital-efficient DeFi protocol enabling uncollateralized crypto lending for institutional borrowers. For authorized business entities, the Atlendis protocol permits the opening of a unique pool per borrower and per asset that functions like a revolving line of credit, giving granularity and flexibility over recurrent and short term liquidity needs. Loan terms such as the maturity, asset type, maximum borrowable amount and more are negotiated and fixed in the pool parameters upon opening.

For lenders, the Atlendis protocol offers a high-return financial vehicle and allows them to individually select their borrowers and set their lending rate, hence enabling lenders to choose the amount of risk they are willing to take depending on their risk profile. Liquidity providers earn liquidity rewards while funds are unused and increased interest as funds are lent out. Not only is there no idle capital on Atlendis, it also opens a wide range of use cases for Web3 actors and Web2 entities looking for crypto exposure.

The Atlendis protocol was successfully audited by Runtime Verification and PeckShield and the audit reports can be found at the following address: Runtime Verification audit and PeckShield audit.

Atlendis Labs is working with Immunefi to offer a bug bounty program focused on the Atlendis protocol’s smart contracts with the objective of preventing the use of the Atlendis protocol in an unintended manner, and more specifically:

• Preventing the loss of user funds
• Preventing the exploit of borrower pools parameters in any way
• Preventing governance interference

For more information about Atlendis, please visit http://atlendis.io.

Program Scope

The bug bounty is focused on the Atlendis protocol’s smart contracts, and on the following items in particular:

• BorrowerPools.sol: the main smart contract pooling lenders’ funds and handling loans on the borrowers’ side
• PoolLogic.sol: a library handling all logic related to internal accounting and loans in the pools
• PositionManager.sol: an ERC721 compatible contract representing the positions of individual lenders on pools

Rewards by Threat Level

Specifics for each threat level are available here: https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2/. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

Please note that:

• None of the vulnerabilities marked in the PeckShield security review are eligible for a reward.
• None of the vulnerabilities marked in the audit by Runtime Verification are eligible for a reward.
• None of the vulnerabilities marked in the Out of Scope section are eligible for a reward.
• Payouts are handled by the Atlendis Labs team directly and are denominated in USD. However, payouts are made in USDC.

Assets in Scope

All smart contracts of Atlendis can be found at https://github.com/Atlendis/protocol-v1. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

If an impact can be caused to any other asset managed by Atlendis that isn’t on this table but for which the impact is in the Impacts in Scope section, you are encouraged to submit it for the consideration of the project. 

Repositories address: link

Impacts in Scope

Atlendis’ bug bounty program will closely follow Immunefi’s vulnerability severity classification system for smart contracts: https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2/. The only exception being that we do not include any issue relative to governance, as decentralization of the Atlendis protocol and on-chain governance will be part of a future version of the protocol.

Critical

• Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
• Permanent freezing of funds
• Protocol insolvency

High

• Theft of unclaimed yield
• Permanent freezing of unclaimed yield
• Temporary freezing of funds for any amount of time

Medium

• Smart contract unable to operate due to lack of token funds 
• Block stuffing for profit
• Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
• Theft of gas
• Unbounded gas consumption 

Low

• Smart contract fails to deliver promised returns, but doesn’t lose value

Out of Scope & Rules

Only the smart contracts fall within the scope of the Atlendis protocol’s bug bounty program, henceforth the following are excluded from the program:

• The contract tests in Atlendis’ repositories
• The Atlendis website
• The Atlendis dApp 
• Backend services
• Anything already highlighted in Runtime Verification’s audit of the Atlendis Protocol
• Any bug found by the development and audit team itself after the program started

More specifically:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked private keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain:

• Incorrect data supplied by third-party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Centralization risks

Websites and Apps:

• Theoretical vulnerabilities without any proof or demonstration
• Content spoofing/text injection issues
• Self-XSS
• Captcha bypass using OCR
• CSRF with no security impact (logout CSRF, change language, etc.)
• Missing HTTP security headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
• Server-side information disclosure such as IPs, server names, and most stack traces
• Vulnerabilities used to enumerate or confirm the existence of users or tenants
• Vulnerabilities requiring unlikely user actions
• URL redirects (unless combined with another vulnerability to produce a more severe vulnerability)
• Lack of SSL/TLS best practices
• DDoS vulnerabilities
• Attacks requiring privileged access from within the organization
• Feature requests
• Best practices
• Vulnerabilities primarily caused by browser/plugin defects
• Any vulnerability exploit requiring CSP bypass resulting from a browser bug

The following activities are prohibited by this bug bounty program:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty

About Immunefi

Immunefi is the leading bug bounty platform for Web3. Launched in 2020, the platform focuses on Web3 and smart contract security. The Immunefi team provides bug bounty hosting, consultation, bug triaging and more to blockchain and smart contract projects.

Additional Resources

App.atlendis.io | Atlendis.io | Whitepaper | LinkedIn | Twitter | Discord | Newsletter | Audit reports 1 and 2 | Bug Bounty