Reward Amounts

Critical

• 150,000 USDC maximum payout

• 50,000 USDC minimum payout

• Payout shall not exceed 10% of funds at risk at time of submission

Severity Criteria

Critical Definition

• Definite and significant loss of funds without limitations of external conditions

• Definite and significant freezing of funds for >1 year without limitations of external conditions

General Notes

• Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc. but nothing in the guide should overrule the definitions above

• A coded Proof of Concept (POC) with instructions to run the POC is required

• If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability. 

KYC Requirement

To receive a reward from this Bug Bounty, the provision of KYC is required. The following information is only required on confirmation of the validity of a submission:

• Name

• Government ID

• Country of Residence

Known Issues and Acceptable Risks

• If there are no USDC rewards to be distributed then it doesnt count as a denial of service attack.

Previous Audits

Staking v2 Contracts

• Sherlock Contest

• 0xMacro

• Guhu

• Omniscia

Smart Margin v2 Contracts

• 0xMacro v1.0.0

• 0xMacro v2.0.0

• 0xMacro v2.0.2

• 0xMacro v2.1.0

• 0xMacro v2.1.1

Smart Margin v3 Contracts

• Omiscia

• 0xMacro A11

• 0xMacro A8

• Guhu

• Internal Audit

Additional Context

Chains in scope

• Optimism

Expected tokens

• Only whitelisted tokens (USDC & KWENTA) following the ERC-20 standard work with the codebase.

Trusted protocol roles

• Protocol owers: Users trust the contract owner to exercise their upgrade and permission capabilities responsibly and to avoid actions that could harm users or the system. 

• Operators: Similarly, users place their trust in the operators they designate to act in their best interests and to adhere to the permissions granted to them.

Protocol Resources

• https://kwenta.eth.limo/

• https://docs.kwenta.io/