Reward Amounts

Critical

• $30,000 maximum payout

• Payout shall not exceed 10% of funds at risk at time of submission

Severity Criteria

Critical Definition

• Definite and significant loss of funds without limitations of external conditions

• Definite and significant freezing of funds for >1 year without limitations of external conditions

General Notes

• Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc. but nothing in the guide should overrule the definitions above

• A coded Proof of Concept (POC) with instructions to run the POC is required

• If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability. 

Known Issues and Acceptable Risks

• If someone doesn't repay the person that underwrote them will not be able to get money back. This is not a bug this is credit.

Previous Audits

• Sherlock-  Union Finance Update #2

• Sherlock - Union Finance Update

• Sherlock - Union Finance

Additional Context

Chains in scope

• Any EVM-compatible chain

Expected tokens

• USDC

• USDT

• DAI

Trusted protocol roles

• Protocol admins.

Offchain mechanisms and procedures

• There are keeper bots that do two things. Firstly, they mark any borrows that overdue. Secondly, they write-off debts that pass the overdue grace period.

• The script can be found here: https://github.com/unioncredit/union-gov-actions/blob/main/src/updateOverdue.js.

• It basically loops through all the borrowers and marks those overdue by calling userManager.batchUpdateFrozenInfo(stakers)

Protocol Resources

• Union Finance Docs