MachFi

Reward Amounts

Critical

  • $250,000 maximum payout

  • Payout shall not exceed 10% of funds at risk at time of submission

Severity Criteria

Critical Definition

  • Definite and significant loss of funds without limitations of external conditions
  • Definite and significant freezing of funds for >1 year without limitations of external conditions

General Notes

  • Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc. but nothing in the guide should overrule the definitions above

  • A coded Proof of Concept (POC) with instructions to run the POC is required

  • If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

  • Only the first occurrence of a repeatable attack will be eligible for a payout. This rule applies regardless of the smart contract's upgradability, pausable state, or ability to be terminated.

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.

Previous Audits

N/A

Additional Context

Chains in scope

Sonic (https://www.soniclabs.com/) -> Cancun support

Expected tokens

Only whitelisted ERC20 tokens will be supported by Mach Finance for supplying and borrowing.
These whitelisted tokens are expected to follow one of these two behaviours:

  • Return true if the transfer succeeds
  • Return nothing if the transfer succeeds

Tokens are expected to have at most 36 decimals, for oracle price precision reasons.
We do not support ERC777 tokens.
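As an added example (not Mach Finance's or Compound's code), the following Solidity library shows how a cToken can accept both whitelisted return conventions while still rejecting a token that returns false, returns an unexpected number of bytes, reverts, or has no code at its address; it also shows the whitelist-time decimals check. The interface, library, function and error names are hypothetical, and the reason given in the comments for the 36-decimal limit (oracle prices scaled by 1e(36 - decimals), as in Compound v2) is an assumption about Mach Finance's oracle layout, not something the page states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Mach Finance code. All names are hypothetical.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
    function decimals() external view returns (uint8);
}

library WhitelistedTransfer {
    error NotAContract(address token);
    error TransferFailed(address token);
    error TooManyDecimals(address token, uint8 decimals);

    // Assumption: prices are scaled by 1e(36 - decimals) as in Compound v2, so a
    // token with more than 36 decimals has no representable price scaling.
    uint8 internal constant MAX_DECIMALS = 36;

    /// Accept the two whitelisted behaviours: empty returndata (token returns nothing)
    /// or a single ABI-encoded `true`. Anything else (a `false`, an odd returndata
    /// length, or a reverted call) is treated as failure.
    function _checkReturn(address token, bool ok, bytes memory data) private pure {
        if (!ok) revert TransferFailed(token);
        if (data.length == 0) return;                  // "returns nothing" convention
        if (data.length != 32) revert TransferFailed(token);
        if (!abi.decode(data, (bool))) revert TransferFailed(token);
    }

    /// Pull `amount` from `from` and return the amount actually credited, measured
    /// by balance difference. For the whitelisted tokens this equals `amount`; the
    /// difference check is what protects accounting if a token ever deviates.
    function transferIn(address token, address from, uint256 amount) internal returns (uint256) {
        // A low-level call to an address without code "succeeds" with empty returndata,
        // which would otherwise look exactly like a non-returning token.
        if (token.code.length == 0) revert NotAContract(token);
        uint256 before = IERC20Minimal(token).balanceOf(address(this));
        (bool ok, bytes memory data) = token.call(
            abi.encodeCall(IERC20Minimal.transferFrom, (from, address(this), amount))
        );
        _checkReturn(token, ok, data);
        uint256 after_ = IERC20Minimal(token).balanceOf(address(this));
        if (after_ < before) revert TransferFailed(token);
        return after_ - before;
    }

    /// Push `amount` to `to` with the same return-value handling.
    function transferOut(address token, address to, uint256 amount) internal {
        if (token.code.length == 0) revert NotAContract(token);
        (bool ok, bytes memory data) = token.call(
            abi.encodeCall(IERC20Minimal.transfer, (to, amount))
        );
        _checkReturn(token, ok, data);
    }

    /// Whitelist-time check for the decimals limit.
    function checkDecimals(address token) internal view returns (uint8 dec) {
        dec = IERC20Minimal(token).decimals();
        if (dec > MAX_DECIMALS) revert TooManyDecimals(token, dec);
    }
}
```

The balance-difference pattern is also why ERC777 tokens are excluded rather than merely discouraged: their tokensToSend and tokensReceived hooks hand control to the sender or recipient in the middle of the transfer, so the two balanceOf reads bracket a window in which the caller can re-enter the market, which a return-value check alone does nothing to prevent.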

ERC20 tokens we plan to integrate

  • USDC (6 decimals)
  • USDT
    • Returns nothing if the transfer succeeds
  • SolvBTC
  • Layer Zero wrapped tokens such as
    • lz.WBTC, lz.WETH
  • Wormhole wrapped tokens on Sonic such as
    • Wormhole WETH, Wormhole WBTC

In the future we are looking to support:

  • $S (SONIC) Liquid Staking Token

Trusted protocol roles

The Comptroller admin is trusted in this case. After the protocol has launched and the situation stabilizes, the Comptroller admin role will be relinquished to a Timelock contract. The Timelock contract will be controlled by a Safe multisig whose signers are Mach Finance contributors.

The CToken admin is trusted too in this case; as above, the admin role will be relinquished to a Timelock contract controlled by a Safe multisig.

There are 3 different guardian roles that help ensure the safety of the protocol. These guardians can call the Comptroller directly, without going through the Timelock, but only for these actions:

  1. Pause guardian (Compound implementation)
    • Pause mint
    • Pause borrow
    • Pause transfer
    • Pause seize
  2. Supply cap guardian: sets the supply cap for each cToken
    • The cap is the maximum amount that can be supplied to the market, measured as cash + borrows - reserves; the check is strict, so this total must stay below the cap
  3. Borrow cap guardian: sets the borrow cap for each cToken
    • The cap is the maximum amount that can be borrowed from the market, measured as total borrows; the check is strict, so total borrows must stay below the cap

Offchain mechanisms and procedures

Similar to Compound and other borrow/lending protocols, there are two off-chain components required:

  • Price feed oracles -> Pyth, API3
  • Liquidation bots

Price feed oracles submit prices at a fixed interval, or earlier when the price of the particular asset moves by more than a percentage threshold.

There is an implicit trust that these oracle providers honour their commitment to provide accurate feed prices; if they do not, the protocol may take on bad debt from arbitrage against stale or wrong prices.

Liquidation bots are needed to keep the protocol healthy (no bad debt), similar to Compound v2

  • Liquidation bots will monitor for any account whose shortfall is > 0

  • Shortfall is defined as

    \text{Shortfall} = \sum_{i} \left( \text{cTokenBorrowAmountInUsd}_i - \text{collateralAmountInUsd}_i \times \text{cTokenCollateralFactor}_i \right)

  • The liquidation bot repays part of the account's borrow on its behalf (up to the close factor, as in Compound v2)

  • The liquidation bot can then seize collateral worth the repaid amount in USD, plus an additional liquidation incentive
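As an added example (not Mach Finance's or Compound's code), the following Solidity library carries the shortfall definition above through in fixed-point arithmetic in the Compound v2 style (1e18 mantissas, oracle prices scaled by 1e(36 - decimals), cTokens with 8 decimals), and adds the two liquidation quantities the bots need: the largest repayment allowed under a close factor, and the collateral seized for a given repayment under a liquidation incentive. The struct, the function names and the assumption that Mach Finance keeps Compound v2's scaling conventions are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Mach Finance code. Names and scaling conventions are assumptions
// taken from Compound v2 (1e18-mantissa fixed point, prices scaled by 1e(36 - decimals)).
library AccountHealth {
    uint256 internal constant MANTISSA = 1e18;

    struct Position {
        uint256 cTokenBalance;    // cTokens held as collateral (8 decimals in Compound v2)
        uint256 borrowBalance;    // underlying owed, in the underlying's own decimals
        uint256 exchangeRate;     // underlying per cToken, scaled by 1e(18 + underlyingDecimals - 8)
        uint256 collateralFactor; // 1e18 mantissa, e.g. 0.8e18
        uint256 price;            // USD price scaled by 1e(36 - underlyingDecimals)
    }

    /// Convert an 18-decimal USD price into the 1e(36 - decimals) oracle scaling.
    /// Above 18 decimals the price loses digits, and above 36 it cannot be
    /// represented at all, which is the reason for capping whitelisted tokens at 36.
    function scaledPrice(uint256 usdPrice18, uint8 decimals) internal pure returns (uint256) {
        require(decimals <= 36, "decimals > 36");
        return decimals <= 18
            ? usdPrice18 * 10 ** (18 - decimals)
            : usdPrice18 / 10 ** (decimals - 18);
    }

    /// Shortfall = sum_i(borrowUsd_i - collateralUsd_i * collateralFactor_i), reported
    /// as (excess, shortfall) the way Compound's getAccountLiquidity does. Both values
    /// are 18-decimal USD; at most one of them is non-zero.
    function liquidity(Position[] memory positions)
        internal
        pure
        returns (uint256 excess, uint256 shortfall)
    {
        uint256 sumCollateral;
        uint256 sumBorrow;
        for (uint256 i = 0; i < positions.length; i++) {
            Position memory p = positions[i];
            // tokensToDenom = collateralFactor * exchangeRate * price, truncating
            // each mantissa product, so cTokenBalance * tokensToDenom is 18-decimal USD.
            uint256 tokensToDenom = (p.collateralFactor * p.exchangeRate / MANTISSA) * p.price / MANTISSA;
            sumCollateral += tokensToDenom * p.cTokenBalance / MANTISSA;
            sumBorrow += p.price * p.borrowBalance / MANTISSA;
        }
        if (sumCollateral >= sumBorrow) return (sumCollateral - sumBorrow, 0);
        return (0, sumBorrow - sumCollateral);
    }

    /// Largest repayment a single liquidation may make in one market.
    function maxClose(uint256 borrowBalance, uint256 closeFactor) internal pure returns (uint256) {
        return borrowBalance * closeFactor / MANTISSA;
    }

    /// cTokens seized for `repayAmount` of the borrowed underlying:
    /// repay * incentive * priceBorrowed / (priceCollateral * exchangeRateCollateral).
    /// The result has the cToken's 8 decimals under the scaling assumed above.
    function seizeTokens(
        uint256 repayAmount,
        uint256 liquidationIncentive,  // 1e18 mantissa, e.g. 1.08e18
        uint256 priceBorrowed,         // scaled as in Position.price
        uint256 priceCollateral,
        uint256 exchangeRateCollateral
    ) internal pure returns (uint256) {
        uint256 numerator = liquidationIncentive * priceBorrowed / MANTISSA;
        uint256 denominator = priceCollateral * exchangeRateCollateral / MANTISSA;
        uint256 ratio = numerator * MANTISSA / denominator;
        return ratio * repayAmount / MANTISSA;
    }
}
```

A bot computes the same quantities off-chain from the markets it indexes, but should treat the Comptroller's own liquidity view as the source of truth before sending a liquidation, since the on-chain exchange rate and oracle price can move between the bot's read and its transaction.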

Protocol Resources

Max Rewards: 250,000 USDC

Status: LIVE

Live since: Jan 29, 2025, 2:06 PM

Last updated: Jan 29, 2025, 2:06 PM
