Flat Money

Reward Amounts

Critical

  • 50,000 USDC maximum payout

  • Payout shall not exceed 10% of funds at risk at time of submission

Severity Criteria

Critical Definition

  • Definite and significant loss of funds without limitations of external conditions

  • Definite and significant freezing of funds for >1 year without limitations of external conditions

General Notes

  • Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc. but nothing in the guide should overrule the definitions above

  • A coded Proof of Concept (POC) with instructions to run the POC is required

  • If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability. 

Known Issues and Acceptable Risks

  • UNIT can decrease in dollar value when funding rates are negative and protocol fees don't cover the losses. This is acceptable.

  • UNIT can be net short and ETH goes up 5x in a short period of time, potentially leading to UNIT going to 0.

  • The UNIT holders should be mostly delta neutral, but they may be up to 20% short in certain market conditions (skewFractionMax parameter).

  • The funding rate should balance this out, but theoretically, if ETH price increases by 5x in a short period of time whilst the UNIT holders are 20% short, it's possible for UNIT value to go to 0. This scenario is deemed to be extremely unlikely and the funding rate is able to move quickly enough to bring the UNIT holders back to delta neutral.

  • When long max skew (skewFractionMax) is reached, UNIT holders cannot withdraw, and no new leverage positions can be opened.

  • This is to prevent the UNIT holders being increasingly short. This is temporary because the funding rate will bring the skew back to 0 and create more room for UNIT holders to withdraw and leverage traders to open positions.

Previous Audits

Additional Context

Chains in scope

  • Base

Expected tokens

  • External ERC20: rETH on Base

Trusted integrations

  • rETH token

  • Pyth network oracle for rETH and onchain (Chainlink) oracle for rETH.

Trusted protocol roles

  • Trusted owner role. Owner is a Gnosis Safe multisig.

Permissioned function requirements

  • The only permissioned functions are related to owner-only setter functions. These are usually clearly defined as the last section of functions in all modules.

Offchain mechanisms and procedures

  • There are keepers for order execution and liquidations. As long as the Pyth price they are using is fresh enough (as defined in the OracleModule), we are ok with any arbitrage issues that might occur. Ultimately, we want the feasibility of these arbitrage attacks to be high and likely to occur often.

  • Pyth network oracles for rETH price updates.

Protocol Resources

rETH token on Base: [https://basescan.org/token/0xb6fe221fe9eef5aba221c348ba20a1bf5e73624c#code](https://basescan.org/token/0xb6fe221fe9eef5aba221c348ba20a1bf5e73624c#code)

Max Rewards

50,000 USDC

Status: LIVE

Live since: Aug 19, 2024, 11:51 AM

Last updated: Aug 19, 2024, 11:51 AM
