Axis Finance


Reward Amounts

Critical

  • 100,000 USDC maximum payout

  • 50,000 USDC minimum payout

  • Payout shall not exceed 10% of funds at risk at time of submission

Severity Criteria

Critical Definition

  • Definite and significant loss of funds without limitations of external conditions

  • Definite and significant freezing of funds for >1 year without limitations of external conditions

General Notes

  • Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues and similar questions, but nothing in the guide should overrule the definitions above

  • A coded Proof of Concept (POC) with instructions to run the POC is required

  • If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability. 

Known Issues and Acceptable Risks

  • There are known issues with the ECIES encryption library around the security of the alt_bn_128 curve and the use of hash-based key derivation functions. More info is provided in src/lib/ECIES.sol.

  • Rebasing tokens can be accounted for incorrectly and aren't generally supported. In the case of Blast's USDB and WETH (which rebase), the contract owner accrues the rebases for tokens sitting in the contract.

Additional Context

Chains in scope

  • Ethereum

  • OP Stack based Rollups

      • Optimism

      • Blast

      • Mode

      • Base

  • Arbitrum Stack based Rollups

      • Arbitrum One

      • Kinto

Expected tokens

  • Any that implement ERC20 Metadata, have between 6 and 18 decimals, and do not have fee-on-transfer functionality.

  • Rebasing tokens with strictly increasing token balances should work with the codebase, but extra balances will be accrued by the contract. 

  • Rebasing tokens with decreasing token balances are not supported.

Trusted protocol roles

  • Protocol admins are trusted.

Max Rewards

50,000 USDC

Status

LIVE

Live since

Aug 15, 2024, 7:04 AM

Last updated

Aug 15, 2024, 7:04 AM
