Bug Bounty

Introduction

Steady Labs is launching a bug bounty program for Fira deployed on Ethereum mainnet. Fira is a modular lending protocol that combines fixed-rate markets, floating-rate lending, curated vaults, tokenized market primitives (BT, CT, FW), rehypothecation, a multi-layer oracle infrastructure, and protocol-controlled liquidity seeding into a single system.

Fira is composed of the following independent layers:

  • Router (FiraRouterV4): Diamond-style proxy that dispatches user calls to modular Action contracts (facets), combining multi-step operations into a single transaction.

  • Fixed-Rate AMM (FiraMarket): Pendle-style AMM supporting BT/FW trading and fixed-rate price discovery.

  • Lending Markets: Two separate lending contracts — FiraLendingMarket for fixed-rate markets with post-maturity settlement and liquidation logic, and VariableLendingMarket for variable-rate lending with collateral management, interest accrual, liquidation, and flash loans.

  • Curation Vault (SisuVault): ERC-4626 vault that allocates pooled capital across variable-rate markets using curator, allocator, and guardian roles with timelocked configuration changes.

  • Token Layer: BT (Bond Token), CT (Coupon Token), FW (FiraWrapped), and LP tokens — ERC-20 tokens implementing fixed-rate yield separation and AMM liquidity positions.

  • Rehypothecation Module: Controls the ratio of idle vs. invested reserves within the FW contract, rebalancing between liquid USDC and variable-rate vault positions.

  • Oracle Pipeline: Multi-layer oracle stack including ChainlinkOracleV2, AaveToChainlinkAdapters, FiraSolvencyOracles, and a BCLpOracle for LP pricing.

  • Interest Rate Models: AdaptiveCurveIrm for variable-rate markets (utilization-based) and address(0) for fixed-rate markets (no IRM — rate is determined by AMM pricing).

  • Liquidity Injector: Protocol-controlled contract that mints BT and supplies it to fixed-rate lending markets. Only the LiquidityInjector can supply BT to these markets (whitelist-gated).

This bug bounty covers vulnerabilities in the Fira smart contracts and associated protocol-owned components that could compromise funds, accounting integrity, solvency, liquidation safety, or protocol availability. Only contracts currently deployed on Ethereum mainnet and listed below are in scope. All deployed contracts are verified on Etherscan. Ownership is assigned to designated multisig addresses at three security tiers (9/15, 5/10, and 4/9 threshold schemes).

Reward Amounts

Critical: Up to $500,000 maximum payout, not to exceed 10% of the funds at risk at the time of submission. Critical findings result in a definite and significant loss of funds or an irreversible locking of funds on a systemic level. Minimum payout for a valid Critical issue: $50,000.

High: Discretionary. Steady Labs determines High-severity payouts on a case-by-case basis considering impact and severity.

Medium: Discretionary. Steady Labs determines Medium-severity payouts on a case-by-case basis considering impact and severity.

General Notes

All reporters should consult Sherlock's Criteria for Issue Validity for general guidance on severity and out-of-scope issues.

A working Proof of Concept (PoC) exploit is highly recommended and may be required for complex issues. Include clear reproduction steps and any setup instructions necessary for validation.

All standard Sherlock Bug Bounty Platform Rules and safe harbor provisions apply to this program.

Scope

Chain

Ethereum mainnet only. Smart contracts deployed on any other network, testnet, sidechain, or staging environment are out of scope.

In-Scope Contracts (Ethereum Mainnet)

All currently deployed and verified Fira contracts listed below are in scope, including associated implementations and proxies where applicable. They can also be found in the Fira Docs under Contracts & Addresses.

Core Protocol

Contract                               Address
FiraLendingMarket (fixed-rate)         0x280ddD897F39C33fEf1CbF863B386Cb9a8e53a0e
VariableLendingMarket (variable-rate)  0xc8Db629192a96D6840e88a8451F17655880A2e4D
FiraMarket (AMM)                       0xde00b5edb255078dd42ee94fd97f473d1c9c055d
FiraRouterV4                           0xFF615E63aAF2d1B1EE4AdFD34a5840747185d8A0
LiquidityInjector                      0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5

Router Facets

FiraRouterV4 dispatches calls to modular Action contracts via selector-based routing:

Facet                 Address
ActionSwapBTV3        0xab2383692ed8e0836e25b71988c925dfd94ed2fe
ActionSwapCTV3        0xdb7a722ae7baf83d3d8b9e812952916326d6656b
ActionAddRemoveLiqV3  0x286bbc5519cd421011e7e1c092e1d6a72edb4d30
ActionCallbackV3      0x2dead5b19935d7299d7077c52f2e2860370278a5
ActionSimple          0x4474886d003abcb53c307324894c074ce5176f75
ActionMiscV3          0x967234d7a4416380107da653e5d3afc9c7bf8874
ActionBorrow          0x66f5853cf6c36b97e754f074397d00b78253ef03
ActionStorageV4       0x0386685eA7d37c61dDb8F2e2E8c45f6a81d4A3C8

Vault

Contract                       Address                                     Description
SisuVault (Markov USDC Prime)  0x50791a5cA041b9D6Dd03e64E3Fa0e34a376759AC  ERC-4626 vault curated by Markov Labs, allocating USDC across variable-rate lending markets

Token Layer

Token              Address                                     Decimals
FW-USDC (USDCFW)   0x62F5366C9E21A95326C461a098a408e034e017b3  18
BT (Bond Token)    0x57FFbb88f0c69283531a751BE6FF0741348371bA  6
CT (Coupon Token)  0x93635d34fAd5A9fA7065a645691100b2E23C93cd  6

BT and CT share the same expiry (May 7, 2026 — unix 1778112000) and are minted/burned in pairs via the YieldContractFactory.

Modules

Contract               Address
RehypothecationModule  0xad332515d9c82438BBa0e9FAA9486B52A33a7Ac8
YieldContractFactory   0xcdB83Abb9121c04589567A4106C3cFaf65DB68Be

Oracles

Fixed-rate markets use a 4-layer oracle pipeline:

Layer                   PT-USDe Market                              PT-sUSDe Market
AaveToChainlinkAdapter  0xc42F003F9eCD3DdDF704556E82Cdd9271818171F  0x3d7346578be9B82E0227D027bd86F6De59BA3C91
ChainlinkOracleV2       0x2ED527087B740530562754EFCd608290eCCdBe2e  0xD6f5D9102007A737D9EDE6543262516d5c2fc8f8
FiraSolvencyOracle      0xeB30b33A1aC175e0305853636D0eF3898eb530f3  0xB9bAA3D58E1431776218F39919fd21AeD3e69aBb

FiraSolvencyOracle contracts are immutable after deployment — no admin functions, no owner.

Variable-rate markets:

Market       Oracle                                      Type
wstETH/USDC  0x48F7E36EB6B826B2dF4B2E630B62Cd25e89E40e2  Morpho oracle (pre-deployed)
cbBTC/USDC   0x698253A24CC4926090f841B38D31d6342A00a82C  ChainlinkOracleV2 (BTC/USD + USDC/USD feeds)

Other:

Contract    Address
BCLpOracle  0xfEAAEC9124FB007d7c44Ed704A08d24b264de921

Interest Rate Models

Contract          Address                                     Used By
AdaptiveCurveIrm  0x73C288826347af3718e6F09c2A24AaFDA77684cD  Variable-rate markets (utilization-based)

Fixed-rate markets use address(0) as their IRM. The borrowing rate is determined at the time of BT issuance through AMM pricing, not through an interest rate model.

Live Fixed-Rate Markets

All live fixed-rate markets operate on the FiraLendingMarket at 0x280ddD897F39C33fEf1CbF863B386Cb9a8e53a0e. BT is the loan token. Only the LiquidityInjector can supply BT (whitelist-gated). Both markets expire May 7, 2026.

PT-USDe / BT Market

Field                  Value
Market ID              0xC48C055110D1692EDA1D45975BD80C75EE5E4D0AB6A5B6FFB949F2252C1B7791
Loan Token             BT — 0x57FFbb88f0c69283531a751BE6FF0741348371bA
Collateral             PT-USDe (May 7 2026) — 0xAeBf0Bb9f57E89260d57f31AF34eB58657d96Ce0
Oracle                 FiraSolvencyOracle — 0xeB30b33A1aC175e0305853636D0eF3898eb530f3
IRM                    0x0000000000000000000000000000000000000000 (none — fixed rate)
LTV / LLTV             89% / 90%
Liquidation Incentive  3.1%
Whitelist              LiquidityInjector — 0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5
Maturity Grace Period  86400 (24h)

PT-sUSDe / BT Market

Field                  Value
Market ID              0xCA309C3ECE0FA3341779D8319F28BD9E08D3E08889E8AC58B4AC9001FBE458F3
Loan Token             BT — 0x57FFbb88f0c69283531a751BE6FF0741348371bA
Collateral             PT-sUSDe (May 7 2026) — 0x3de0ff76E8b528C092d47b9DaC775931cef80F49
Oracle                 FiraSolvencyOracle — 0xB9bAA3D58E1431776218F39919fd21AeD3e69aBb
IRM                    0x0000000000000000000000000000000000000000 (none — fixed rate)
LTV / LLTV             89% / 90%
Liquidation Incentive  3.1%
Whitelist              LiquidityInjector — 0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5
Maturity Grace Period  86400 (24h)

Live Variable-Rate Markets

All live variable-rate markets operate on the VariableLendingMarket at 0xc8Db629192a96D6840e88a8451F17655880A2e4D.

wstETH / USDC

Field       Value
Market ID   0xB3152AC00687CC9502B78AB452956F85CC89AC210DEEFDA5DBFF09F7F167B544
Loan Token  USDC — 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48
Collateral  wstETH — 0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0
Oracle      0x48F7E36EB6B826B2dF4B2E630B62Cd25e89E40e2 (Morpho wstETH/USDC)
IRM         AdaptiveCurveIrm — 0x73C288826347af3718e6F09c2A24AaFDA77684cD
LTV / LLTV  87% / 89%

cbBTC / USDC

Field       Value
Market ID   0x39D3BDD30BF4BCF4A4D3547F2484ABE1E30A2DCD41ED83788B40E2720357AB76
Loan Token  USDC — 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48
Collateral  cbBTC — 0xcbB7C0000aB88B473b1f5aFd9ef808440eed33Bf
Oracle      0x698253A24CC4926090f841B38D31d6342A00a82C (ChainlinkOracleV2 cbBTC/USDC)
IRM         AdaptiveCurveIrm — 0x73C288826347af3718e6F09c2A24AaFDA77684cD
LTV / LLTV  88% / 90%

Critical / High / Medium Eligibility

Critical findings typically affect the core, live, value-bearing layers of Fira:

  • FiraLendingMarket and VariableLendingMarket

  • FiraMarket (AMM)

  • FiraRouterV4 and Action facets

  • Token layer accounting and redemption logic (BT, CT, FW)

  • RehypothecationModule

  • Oracle pipeline (FiraSolvencyOracle, ChainlinkOracleV2, adapters)

  • SisuVault with user funds

  • LiquidityInjector, where a flaw could directly compromise live assets or protocol solvency

Only Eligible for High / Medium

The following are in scope but findings are generally capped at High or Medium unless they directly compromise live funds in a core deployed market:

Contract                  Address
YieldContractFactory      0xcdB83Abb9121c04589567A4106C3cFaf65DB68Be
FiraMarketFactory         0xBF1EfC2199ae9EE1B6f5060a45D4440157E49744
SisuVaultFactory          0xe77E0f97A864558e5513209323e4169FcEAC6981
ChainlinkOracleV2Factory  0x7783fF7bE856C7A82bC5497Fb3CC8F7E8802D8dC

Deployment and configuration helper contracts, and non-custodial support contracts that do not themselves hold or control meaningful live value, are also capped at High or Medium.

Scope Note

This bounty covers Fira contracts and protocol-owned infrastructure only. Other products, protocols, or systems outside the Fira deployment are out of scope unless the vulnerability arises from Fira's own on-chain logic or integration handling.

Out of Scope

No rewards will be awarded for reports that fall solely into the following categories.

Undeployed or Non-Mainnet Code

Code, contracts, modules, or features not currently deployed on Ethereum mainnet are out of scope. This includes draft code, future upgrades, staging deployments, local testing contracts, and testnets.

Previously Known Issues

Issues already identified in prior audits (Sherlock, Spearbit/Cantina, Hexens, yAudit), internal reviews, documentation, or acknowledged by Steady Labs before submission are not eligible.

Frontend, Website, and UI

Issues limited to the web application, user interface, dashboards, websites, or other frontend layers are out of scope.

Third-Party Protocol or Token Risks

Vulnerabilities in third-party systems that Fira interacts with but does not control are out of scope. This includes bugs or failures in external protocols, vaults, bridges, or token implementations.

Examples of external dependencies not in scope:

  • USDC (Circle)

  • wstETH (Lido)

  • cbBTC (Coinbase)

  • USDe / sUSDe (Ethena)

  • USDG (Paxos)

  • PT-USDe / PT-sUSDe / PT-USDG (Pendle)

  • Any third-party wrapped asset, oracle, or off-chain issuer

  • Oracles not deployed and maintained by the Protocol Team itself, e.g. Chainlink Feeds

If a report depends on these systems failing rather than on a flaw in Fira's own smart contract logic or validation, it is not in scope.

External Oracle Failures

Pure failures of third-party oracle infrastructure, feed operators, or data providers are out of scope unless the vulnerability is specifically in Fira's oracle integration, validation, or fallback logic — including the AaveToChainlinkAdapter, ChainlinkOracleV2, or FiraSolvencyOracle contracts.

Issues arising purely from off-chain custody, legal enforceability, issuer solvency, governance coordination outside the contracts, or real-world asset processes are out of scope.

Intended Admin or Multisig Powers

Behavior that requires proper use of intended administrative, governance, curator, allocator, or multisig permissions is out of scope.

Examples of authorized actions, when performed by properly authorized actors:

  • Adjusting LTV, LLTV, or fee parameters

  • Pausing or unpausing contracts (USDCFW pause flags: depositPaused, withdrawPaused, transferPaused)

  • Updating supply caps on SisuVault markets

  • Rebalancing vault allocations within configured permissions and timelocks

  • Operating the LiquidityInjector (minting/burning BT, supplying/withdrawing from lending markets)

  • Executing timelocked curator or allocator actions

  • Triggering manual rehypothecation via forceRehypothecation

However, bypassing or impersonating those permissions is in scope.

Protocol-Intended Behaviors

The following behaviors are not vulnerabilities when they occur according to design:

  • Liquidation of unhealthy positions according to configured LTV / LLTV and the 3.1% liquidation incentive

  • Forced post-maturity settlement or liquidation of expired positions (after the 24-hour grace period)

  • BT/FW convergence to par near maturity

  • AMM pricing, slippage, or discount/premium behavior consistent with the FiraMarket pricing model

  • Reserve rebalancing by the RehypothecationModule according to configured phiMin, phiMax, and phiTarget ratios

  • Yield accruing to CT holders as designed (via InterestManagerCT)

  • Vault allocation and reallocation inside configured caps and timelocks

  • Router execution that follows the documented action flow and Diamond-style facet dispatch

Pure Economic Attacks Without a Code Vulnerability

Pure market behavior or economic outcomes that do not rely on a contract bug are out of scope:

  • Market manipulation within intended protocol rules

  • Liquidity withdrawal by users

  • Slippage or adverse execution under expected market conditions

  • Rate movement, basis trading, or maturity-driven repricing

  • Honest liquidations after genuine collateral price moves

  • Losses caused solely by external market volatility

Minor Gas, Efficiency, or Documentation Issues

The following are out of scope unless they create a real and material security impact:

  • Gas optimizations

  • Minor inefficiencies

  • Cosmetic or documentation issues

  • NatSpec mismatches, comment or spelling errors

  • Minor rounding or precision issues with no material effect on funds or solvency

Theoretical or Unrealistic Attacks

Attacks that require impractical brute force, extreme assumptions, or unrealistic coordination are out of scope. Reports must describe a credible and reproducible exploit path.

If you are unsure whether a finding is in scope, focus on technical, on-chain vulnerabilities in the deployed Fira contracts and live market infrastructure.

Protocol Resources

The ultimate scope of this bounty is defined by the deployed Ethereum mainnet contracts listed above.

Judging and Severity Assessment

Sherlock's security team triages and validates all submissions. Sherlock coordinates issue verification and determines validity and severity based on the criteria in this program and Sherlock's platform rules.

Steady Labs may be consulted during validation. Sherlock makes the final determination on issue validity, severity, and payout eligibility.

In case of dispute or ambiguity, Sherlock's assessment is the deciding factor.

Disclosure Policy

This bounty follows Sherlock's standard disclosure policy with additional requirements for serious vulnerabilities.

Critical and high-impact findings must not be disclosed publicly or to any third party until all of the following conditions are met:

  1. Steady Labs has been notified through the official submission process

  2. The issue has been acknowledged

  3. A fix or mitigation has been deployed, or explicit written permission to disclose has been granted

  4. Sherlock has completed or approved the disclosure process

Premature disclosure of an exploit path or a live unpatched vulnerability may disqualify the submission from any reward.

Report vulnerabilities promptly — ideally within 24 hours of discovery — through the official Sherlock submission flow.

Do not exploit vulnerabilities on the live network. Do not steal funds, manipulate users, destroy data, or disrupt service. Any exploit activity beyond what is strictly necessary to demonstrate a vulnerability in a controlled manner may lead to disqualification and possible legal consequences.

If you believe a vulnerability is already being exploited or may soon be exploited, notify Sherlock and Steady Labs immediately through the approved reporting process. Do not make it public.

Steady Labs may, at its discretion, offer additional bonuses for especially novel, impactful, or responsibly handled reports.

Eligibility

To be eligible for a reward, you must meet all of the following conditions:

  • No sanctions: You are not located in a sanctioned jurisdiction and are not on any prohibited party list.

  • No affiliation with Steady Labs: You are not a current or former employee, core contributor, or immediate family member of someone directly affiliated with Steady Labs or the Fira development effort.

  • Legal capacity: You are legally able to participate in bug bounty programs and receive rewards in your jurisdiction.

  • No prior paid audit conflict: You have not been paid to audit or review this exact codebase in an official capacity, and you did not materially contribute to the in-scope contracts. You may request an exception directly from Steady Labs.

  • Follow program rules: You agree to follow all program rules, scope restrictions, disclosure requirements, and platform terms.

By submitting a report, you affirm that you meet these eligibility requirements. Steady Labs and Sherlock reserve the right to verify eligibility and disqualify participants who do not meet these conditions.

Testing Guidelines and Safe Harbor

Do Not Test Destructively on Mainnet

Do not perform destructive testing on Ethereum mainnet. Use a local environment, simulation, or mainnet fork to test exploit scenarios. All in-scope contracts are verified on Etherscan. Researchers can reproduce behavior using Foundry or Hardhat.

Use Accounts You Control

Use only wallets, keys, and accounts you control. Do not interfere with other users' positions, balances, or funds.

No Mainnet Denial of Service

Do not spam, grief, or attempt denial-of-service against live contracts, users, or infrastructure. Demonstrate any blocking or service-degradation vulnerability in a controlled environment.

Maintain Confidentiality

Do not share exploit details outside the official submission process before a fix is deployed and disclosure is authorized.

No Social Engineering or Off-Chain Intrusion

This bounty covers smart contract and technical security issues only. Social engineering, phishing, credential attacks, or attempts to gain access through non-technical means are strictly prohibited.

Responsible Testing

Avoid high-volume or risky testing on live systems. If a testing approach might affect real funds or real users, do not perform it on mainnet.

As long as you act in good faith, stay within these rules, and report vulnerabilities responsibly, Steady Labs intends for this program to operate under a safe-harbor framework for legitimate security research.

Closing

Steady Labs values the work of independent security researchers and the broader white-hat community. Your efforts strengthen the safety and resilience of Fira's fixed-rate, floating-rate, and curated lending infrastructure.

Thank you for participating in the Fira Bug Bounty.

Happy Hunting!
