Rewards - Bug Bounties
Sovryn is an on-chain decentralized trading and lending protocol deployed on RSK, a side chain of the Bitcoin blockchain. As a lending platform, users can both lend to and borrow from a pool. Lending is how users earn interest on their BTC; that interest comes from the fees borrowers pay when they borrow BTC to engage in margin trading.
Whitehat Turbo (Discord: turbo#1177) submitted a “critical” and a “high” vulnerability in Sovryn’s smart contracts to Immunefi on March 11, 2021. The critical vulnerability was a missing check that the receiver of the proceeds of a collateralized loan was the same entity as the borrower: a malicious user could call borrow(), pass a valid loanId/borrower pair (each loanId maps to a borrower address), and then enter an arbitrary address for the receiver parameter. This let a malicious user request a loan against another user’s unused collateral and effectively steal an amount equal to that collateral. The high vulnerability applied to margin trades on Sovryn. While users could be pushed into undesirable positions, no funds could have been stolen, so this vulnerability was ranked as “high”.
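To make the bug class concrete, here is a hypothetical minimal lending pool in Solidity with the unchecked borrow() beside a hardened version. This is an added example written for this entry; it is not Sovryn’s code and not taken from the whitehat’s report. The contract name, the Loan struct, the openLoan() function and the borrowVulnerable()/borrowSafe() names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical minimal lending pool written to illustrate the missing
/// receiver/borrower check. Not Sovryn's code; all names are assumptions.
contract ToyLendingPool {
    struct Loan {
        address borrower;   // who posted the collateral for this loanId
        uint256 collateral; // collateral on deposit (wei)
        uint256 principal;  // amount already drawn against it (wei)
    }

    mapping(bytes32 => Loan) public loans;

    event Borrowed(bytes32 indexed loanId, address indexed receiver, uint256 amount);

    /// Anyone opens a position by posting collateral under a fresh loanId.
    function openLoan(bytes32 loanId) external payable {
        require(loans[loanId].borrower == address(0), "loan exists");
        loans[loanId] = Loan({borrower: msg.sender, collateral: msg.value, principal: 0});
    }

    /// VULNERABLE: checks that loanId/borrower is a valid pair, but never checks
    /// that msg.sender is that borrower, and pays out to an arbitrary receiver.
    /// An attacker supplies a victim's loanId/borrower and their own receiver
    /// and drains the victim's unused collateral.
    function borrowVulnerable(
        bytes32 loanId,
        address borrower,
        uint256 amount,
        address payable receiver
    ) external {
        Loan storage loan = loans[loanId];
        require(loan.borrower == borrower, "bad loanId/borrower pair");
        require(loan.principal + amount <= loan.collateral, "exceeds collateral");
        loan.principal += amount;
        (bool ok, ) = receiver.call{value: amount}("");
        require(ok, "transfer failed");
        emit Borrowed(loanId, receiver, amount);
    }

    /// HARDENED: the caller must own the position, and the proceeds must go to
    /// that owner. The borrower parameter is dropped because the caller's
    /// identity is taken from msg.sender, not from an attacker-controlled argument.
    function borrowSafe(bytes32 loanId, uint256 amount, address payable receiver) external {
        Loan storage loan = loans[loanId];
        require(loan.borrower == msg.sender, "caller is not the borrower");
        require(receiver == msg.sender, "receiver must be the borrower");
        require(loan.principal + amount <= loan.collateral, "exceeds collateral");
        loan.principal += amount;
        (bool ok, ) = receiver.call{value: amount}("");
        require(ok, "transfer failed");
        emit Borrowed(loanId, receiver, amount);
    }
}
```

The point of the hardened version is that authorization is derived from msg.sender rather than from a caller-supplied borrower argument: validating that a loanId matches some borrower proves only that the loan exists, not that the caller is entitled to draw on it. If a protocol legitimately needs to let a borrower direct proceeds elsewhere, the receiver should be restricted to an address the position owner has explicitly approved rather than accepted freely.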
With recommendations from Immunefi, the whitehat received a base payout of $50,000 for the critical vulnerability, raised to a total of $76,568 once the high-severity finding and the 15% bonus in place at the time of submission were added.
DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any usage of the data and information derived from this database.