Aada Finance Bug Bounty Program

Lenfi
Sep 8, 2022

As a pioneer in Cardano DeFi, Aada Finance aims to deliver core lending and borrowing primitives to the ecosystem. Moreover, the V1 protocol will showcase an entirely new set of use cases with its NFT bond feature. Users will benefit from peer-to-peer lending and borrowing in an order book style while fully controlling their loan requests and loans. Still, ensuring seamless services requires complete confidence in the code’s robustness.

A Community-Driven Smart Contract Audit Program

As we’re getting closer to mainnet launch, our V1 dApp aims to deliver efficient lending and borrowing primitives to Cardano. In this regard, we’re fully embracing decentralization and transparency by inviting the community to participate in our bug bounty competition.

The audit program will convince our non-technical community members to lend and borrow safely. Meanwhile, it will incentivize developers to participate actively and contribute by finding any existing vulnerabilities in our smart contract code. That way, we will promptly manage the risks related to the following events:

  • Theft or freezing of principal of any amount;
  • A shutdown of the entire system that may put users’ funds in danger.

Rewards and payout rules:

All rewards are paid out by the Aada Finance team. The reward size is 25,000 USD for a critical smart contract vulnerability. The reward size is denominated in USD, but payouts will be made in AADA tokens. To be eligible for a reward, you must provide:

  • PoC (Proof of Concept);
  • Suggestions of how to fix the vulnerability.

Assets in Scope:

Participants can find all Aada Finance smart contracts on GitHub. However, only the assets in the list below are considered for bug bounty program rewards.

Disclaimer: If you find any critical vulnerabilities related to other Aada Finance assets that are not on the list, submit them as a report for a reward.

Out of Scope Cases & Bug Bounty Rules

Participation in the bug bounty competition adheres to all fairness and transparency principles. In this regard, the team will not reward vulnerabilities in the following scope:

  • Self-exploited attacks that have led to damage;
  • Breaches related to leaked keys or credentials;
  • Attacks threatening privileged addresses, e.g., governance.

List of prohibited activities for the Aada Finance bug bounty program:

  • Any phishing or social engineering attacks against the protocol’s employees or users;
  • Testing through third-party applications (e.g., browser extensions) or websites (e.g., SSO, advertising, etc.);
  • DDoS attacks;
  • Automated testing that generates high amounts of traffic;
  • Public disclosure of unpatched vulnerabilities after receiving a reward.

How to submit a bug report

To report a bug, please contact us by email at info@aada.finance, or through our Telegram or Discord group. Remember to provide a PoC (Proof of Concept) with your bug report.

Follow the links to join the Aada Finance community and stay updated with our progress:

Twitter | Telegram | Discord | Gitbook

Lenfi

Lenfi is a crypto asset lending platform. Its smart contracts allow users to deposit assets and collect interest, or to borrow assets and perform financial actions.