# Bug Bounty

## Introduction

Steady Labs is launching a bug bounty program for **Fira** deployed on **Ethereum mainnet**. Fira is a modular lending protocol that combines fixed-rate markets, floating-rate lending, curated vaults, tokenized market primitives (BT, CT, FW), rehypothecation, a multi-layer oracle infrastructure, and protocol-controlled liquidity seeding into a single system.

Fira is composed of the following independent layers:

* **Router (FiraRouterV4):** Diamond-style proxy that dispatches user calls to modular Action contracts (facets), combining multi-step operations into a single transaction.
* **Fixed-Rate AMM (FiraMarket):** Pendle-style AMM supporting BT/FW trading and fixed-rate price discovery.
* **Lending Markets:** Two separate lending contracts — **FiraLendingMarket** for fixed-rate markets with post-maturity settlement and liquidation logic, and **VariableLendingMarket** for variable-rate lending with collateral management, interest accrual, liquidation, and flash loans.
* **Curation Vault (SisuVault):** ERC-4626 vault that allocates pooled capital across variable-rate markets using curator, allocator, and guardian roles with timelocked configuration changes.
* **Token Layer:** BT (Bond Token), CT (Coupon Token), FW (FiraWrapped), and LP tokens — ERC-20 tokens implementing fixed-rate yield separation and AMM liquidity positions.
* **Rehypothecation Module:** Controls the ratio of idle vs. invested reserves within the FW contract, rebalancing between liquid USDC and variable-rate vault positions.
* **Oracle Pipeline:** Multi-layer oracle stack including ChainlinkOracleV2, AaveToChainlinkAdapters, FiraSolvencyOracles, and a BCLpOracle for LP pricing.
* **Interest Rate Models:** AdaptiveCurveIrm for variable-rate markets (utilization-based) and `address(0)` for fixed-rate markets (no IRM — rate is determined by AMM pricing).
* **Liquidity Injector:** Protocol-controlled contract that mints BT and supplies it to fixed-rate lending markets. Only the LiquidityInjector can supply BT to these markets (whitelist-gated).

This bug bounty covers vulnerabilities in the **Fira smart contracts and associated protocol-owned components** that could compromise funds, accounting integrity, solvency, liquidation safety, or protocol availability. Only contracts currently deployed on Ethereum mainnet and listed below are in scope. All deployed contracts are verified on Etherscan. Ownership is assigned to designated multisig addresses at three security tiers (9/15, 5/10, and 4/9 threshold schemes).

## Reward Amounts

**Critical:** Up to **$500,000** maximum payout, not to exceed **10% of the funds at risk at the time of submission**. Critical findings result in a definite and significant loss of funds or an irreversible locking of funds on a systemic level. Minimum payout for a valid Critical issue: **$50,000**.

**High:** Discretionary. Steady Labs determines High-severity payouts on a case-by-case basis considering impact and severity.

**Medium:** Discretionary. Steady Labs determines Medium-severity payouts on a case-by-case basis considering impact and severity.

### General Notes

All reporters should consult **Sherlock's Criteria for Issue Validity** for general guidance on severity and out-of-scope issues.

A working **Proof of Concept (PoC)** exploit is highly recommended and may be required for complex issues. Include clear reproduction steps and any setup instructions necessary for validation.

All standard **Sherlock Bug Bounty Platform Rules** and safe harbor provisions apply to this program.

## Scope

### Chain

**Ethereum mainnet only.** Smart contracts deployed on any other network, testnet, sidechain, or staging environment are out of scope.

### In-Scope Contracts (Ethereum Mainnet)

All currently deployed and verified Fira contracts listed below are in scope, including associated implementations and proxies where applicable. The same list is maintained at [Contracts & Addresses | Fira Docs](https://docs.fira.money/resources/contracts-addresses).

### Core Protocol

| Contract                              | Address                                      |
| ------------------------------------- | -------------------------------------------- |
| FiraLendingMarket (fixed-rate)        | `0x280ddD897F39C33fEf1CbF863B386Cb9a8e53a0e` |
| VariableLendingMarket (variable-rate) | `0xc8Db629192a96D6840e88a8451F17655880A2e4D` |
| FiraMarket (AMM)                      | `0xde00b5edb255078dd42ee94fd97f473d1c9c055d` |
| FiraRouterV4                          | `0xFF615E63aAF2d1B1EE4AdFD34a5840747185d8A0` |
| LiquidityInjector                     | `0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5` |

### Router Facets

FiraRouterV4 dispatches calls to modular Action contracts via selector-based routing:

| Facet                | Address                                      |
| -------------------- | -------------------------------------------- |
| ActionSwapBTV3       | `0xab2383692ed8e0836e25b71988c925dfd94ed2fe` |
| ActionSwapCTV3       | `0xdb7a722ae7baf83d3d8b9e812952916326d6656b` |
| ActionAddRemoveLiqV3 | `0x286bbc5519cd421011e7e1c092e1d6a72edb4d30` |
| ActionCallbackV3     | `0x2dead5b19935d7299d7077c52f2e2860370278a5` |
| ActionSimple         | `0x4474886d003abcb53c307324894c074ce5176f75` |
| ActionMiscV3         | `0x967234d7a4416380107da653e5d3afc9c7bf8874` |
| ActionBorrow         | `0x66f5853cf6c36b97e754f074397d00b78253ef03` |
| ActionStorageV4      | `0x0386685eA7d37c61dDb8F2e2E8c45f6a81d4A3C8` |

### Vault

| Contract                      | Address                                      | Description                                                                                 |
| ----------------------------- | -------------------------------------------- | ------------------------------------------------------------------------------------------- |
| SisuVault (Markov USDC Prime) | `0x50791a5cA041b9D6Dd03e64E3Fa0e34a376759AC` | ERC-4626 vault curated by Markov Labs, allocating USDC across variable-rate lending markets |

### Token Layer

| Token             | Address                                      | Decimals |
| ----------------- | -------------------------------------------- | -------- |
| FW-USDC (USDCFW)  | `0x62F5366C9E21A95326C461a098a408e034e017b3` | 18       |
| BT (Bond Token)   | `0x57FFbb88f0c69283531a751BE6FF0741348371bA` | 6        |
| CT (Coupon Token) | `0x93635d34fAd5A9fA7065a645691100b2E23C93cd` | 6        |

BT and CT share the same expiry (May 7, 2026 — unix `1778112000`) and are minted/burned in pairs via the YieldContractFactory.

### Modules

| Contract              | Address                                      |
| --------------------- | -------------------------------------------- |
| RehypothecationModule | `0xad332515d9c82438BBa0e9FAA9486B52A33a7Ac8` |
| YieldContractFactory  | `0xcdB83Abb9121c04589567A4106C3cFaf65DB68Be` |

### Oracles

**Fixed-rate markets** use a 4-layer oracle pipeline:

```
Chainlink Price Feed → AaveToChainlinkAdapter → ChainlinkOracleV2 → FiraSolvencyOracle → FiraLendingMarket
```

| Layer                  | PT-USDe Market                               | PT-sUSDe Market                              |
| ---------------------- | -------------------------------------------- | -------------------------------------------- |
| AaveToChainlinkAdapter | `0xc42F003F9eCD3DdDF704556E82Cdd9271818171F` | `0x3d7346578be9B82E0227D027bd86F6De59BA3C91` |
| ChainlinkOracleV2      | `0x2ED527087B740530562754EFCd608290eCCdBe2e` | `0xD6f5D9102007A737D9EDE6543262516d5c2fc8f8` |
| FiraSolvencyOracle     | `0xeB30b33A1aC175e0305853636D0eF3898eb530f3` | `0xB9bAA3D58E1431776218F39919fd21AeD3e69aBb` |

FiraSolvencyOracle contracts are immutable after deployment — no admin functions, no owner.

**Variable-rate markets:**

| Market      | Oracle                                       | Type                                         |
| ----------- | -------------------------------------------- | -------------------------------------------- |
| wstETH/USDC | `0x48F7E36EB6B826B2dF4B2E630B62Cd25e89E40e2` | Morpho oracle (pre-deployed)                 |
| cbBTC/USDC  | `0x698253A24CC4926090f841B38D31d6342A00a82C` | ChainlinkOracleV2 (BTC/USD + USDC/USD feeds) |

**Other:**

| Contract   | Address                                      |
| ---------- | -------------------------------------------- |
| BCLpOracle | `0xfEAAEC9124FB007d7c44Ed704A08d24b264de921` |

### Interest Rate Models

| Contract         | Address                                      | Used By                                   |
| ---------------- | -------------------------------------------- | ----------------------------------------- |
| AdaptiveCurveIrm | `0x73C288826347af3718e6F09c2A24AaFDA77684cD` | Variable-rate markets (utilization-based) |

Fixed-rate markets use `address(0)` as their IRM. The borrowing rate is determined at the time of BT issuance through AMM pricing, not through an interest rate model.

### Live Fixed-Rate Markets

All live fixed-rate markets operate on the **FiraLendingMarket** at `0x280ddD897F39C33fEf1CbF863B386Cb9a8e53a0e`. BT is the loan token. Only the LiquidityInjector can supply BT (whitelist-gated). Both markets expire **May 7, 2026**.

**PT-USDe / BT Market**

| Field                 | Value                                                                |
| --------------------- | -------------------------------------------------------------------- |
| Market ID             | `0xC48C055110D1692EDA1D45975BD80C75EE5E4D0AB6A5B6FFB949F2252C1B7791` |
| Loan Token            | BT — `0x57FFbb88f0c69283531a751BE6FF0741348371bA`                    |
| Collateral            | PT-USDe (May 7 2026) — `0xAeBf0Bb9f57E89260d57f31AF34eB58657d96Ce0`  |
| Oracle                | FiraSolvencyOracle — `0xeB30b33A1aC175e0305853636D0eF3898eb530f3`    |
| IRM                   | `0x0000000000000000000000000000000000000000` (none — fixed rate)     |
| LTV / LLTV            | 89% / 90%                                                            |
| Liquidation Incentive | 3.1%                                                                 |
| Whitelist             | LiquidityInjector — `0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5`     |
| Maturity Grace Period | 86400 (24h)                                                          |

**PT-sUSDe / BT Market**

| Field                 | Value                                                                |
| --------------------- | -------------------------------------------------------------------- |
| Market ID             | `0xCA309C3ECE0FA3341779D8319F28BD9E08D3E08889E8AC58B4AC9001FBE458F3` |
| Loan Token            | BT — `0x57FFbb88f0c69283531a751BE6FF0741348371bA`                    |
| Collateral            | PT-sUSDe (May 7 2026) — `0x3de0ff76E8b528C092d47b9DaC775931cef80F49` |
| Oracle                | FiraSolvencyOracle — `0xB9bAA3D58E1431776218F39919fd21AeD3e69aBb`    |
| IRM                   | `0x0000000000000000000000000000000000000000` (none — fixed rate)     |
| LTV / LLTV            | 89% / 90%                                                            |
| Liquidation Incentive | 3.1%                                                                 |
| Whitelist             | LiquidityInjector — `0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5`     |
| Maturity Grace Period | 86400 (24h)                                                          |

### Live Variable-Rate Markets

All live variable-rate markets operate on the **VariableLendingMarket** at `0xc8Db629192a96D6840e88a8451F17655880A2e4D`.

**wstETH / USDC**

| Field      | Value                                                                |
| ---------- | -------------------------------------------------------------------- |
| Market ID  | `0xB3152AC00687CC9502B78AB452956F85CC89AC210DEEFDA5DBFF09F7F167B544` |
| Loan Token | USDC — `0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48`                  |
| Collateral | wstETH — `0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0`                |
| Oracle     | `0x48F7E36EB6B826B2dF4B2E630B62Cd25e89E40e2` (Morpho wstETH/USDC)    |
| IRM        | AdaptiveCurveIrm — `0x73C288826347af3718e6F09c2A24AaFDA77684cD`      |
| LTV / LLTV | 87% / 89%                                                            |

**cbBTC / USDC**

| Field      | Value                                                                       |
| ---------- | --------------------------------------------------------------------------- |
| Market ID  | `0x39D3BDD30BF4BCF4A4D3547F2484ABE1E30A2DCD41ED83788B40E2720357AB76`        |
| Loan Token | USDC — `0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48`                         |
| Collateral | cbBTC — `0xcbB7C0000aB88B473b1f5aFd9ef808440eed33Bf`                        |
| Oracle     | `0x698253A24CC4926090f841B38D31d6342A00a82C` (ChainlinkOracleV2 cbBTC/USDC) |
| IRM        | AdaptiveCurveIrm — `0x73C288826347af3718e6F09c2A24AaFDA77684cD`             |
| LTV / LLTV | 88% / 90%                                                                   |

### Critical / High / Medium Eligibility

Critical findings typically affect the **core, live, value-bearing layers** of Fira:

* FiraLendingMarket and VariableLendingMarket
* FiraMarket (AMM)
* FiraRouterV4 and Action facets
* Token layer accounting and redemption logic (BT, CT, FW)
* RehypothecationModule
* Oracle pipeline (FiraSolvencyOracle, ChainlinkOracleV2, adapters)
* SisuVault with user funds
* LiquidityInjector, where a flaw could directly compromise live assets or protocol solvency

### Only Eligible for High / Medium

The following are in scope but findings are generally capped at **High** or **Medium** unless they directly compromise live funds in a core deployed market:

| Contract                 | Address                                      |
| ------------------------ | -------------------------------------------- |
| YieldContractFactory     | `0xcdB83Abb9121c04589567A4106C3cFaf65DB68Be` |
| FiraMarketFactory        | `0xBF1EfC2199ae9EE1B6f5060a45D4440157E49744` |
| SisuVaultFactory         | `0xe77E0f97A864558e5513209323e4169FcEAC6981` |
| ChainlinkOracleV2Factory | `0x7783fF7bE856C7A82bC5497Fb3CC8F7E8802D8dC` |

Deployment and configuration helper contracts, and non-custodial support contracts that do not themselves hold or control meaningful live value, are also capped at High or Medium.

### Scope Note

This bounty covers **Fira contracts and protocol-owned infrastructure only**. Other products, protocols, or systems outside the Fira deployment are out of scope unless the vulnerability arises from Fira's own on-chain logic or integration handling.

## Out of Scope

No rewards will be awarded for reports that fall solely into the following categories.

### Undeployed or Non-Mainnet Code

Code, contracts, modules, or features **not currently deployed on Ethereum mainnet** are out of scope. This includes draft code, future upgrades, staging deployments, local testing contracts, and testnets.

### Previously Known Issues

Issues already identified in prior audits (Sherlock, Spearbit/Cantina, Hexens, yAudit), internal reviews, documentation, or acknowledged by Steady Labs before submission are not eligible.

### Frontend, Website, and UI

Issues limited to the web application, user interface, dashboards, websites, or other frontend layers are out of scope.

### Third-Party Protocol or Token Risks

Vulnerabilities in third-party systems that Fira interacts with but does not control are out of scope. This includes bugs or failures in external protocols, vaults, bridges, or token implementations.

Examples of external dependencies not in scope:

* **USDC** (Circle)
* **wstETH** (Lido)
* **cbBTC** (Coinbase)
* **USDe / sUSDe** (Ethena)
* **USDG** (Paxos)
* **PT-USDe / PT-sUSDe / PT-USDG** (Pendle)
* Any third-party wrapped asset, oracle, or off-chain issuer
* **Oracles** not deployed and maintained by the Protocol Team itself, e.g. Chainlink Feeds.

If a report depends on these systems failing rather than on a flaw in Fira's own smart contract logic or validation, it is not in scope.

### External Oracle Failures

Pure failures of third-party oracle infrastructure, feed operators, or data providers are out of scope unless the vulnerability is specifically in **Fira's oracle integration, validation, or fallback logic** — including the AaveToChainlinkAdapter, ChainlinkOracleV2, or FiraSolvencyOracle contracts.

### Off-Chain, Legal, or Custodial Risks

Issues arising purely from off-chain custody, legal enforceability, issuer solvency, governance coordination outside the contracts, or real-world asset processes are out of scope.

### Intended Admin or Multisig Powers

Behavior that requires proper use of intended administrative, governance, curator, allocator, or multisig permissions is out of scope.

Examples of authorized actions, when performed by properly authorized actors:

* Adjusting LTV, LLTV, or fee parameters
* Pausing or unpausing contracts (USDCFW pause flags: `depositPaused`, `withdrawPaused`, `transferPaused`)
* Updating supply caps on SisuVault markets
* Rebalancing vault allocations within configured permissions and timelocks
* Operating the LiquidityInjector (minting/burning BT, supplying/withdrawing from lending markets)
* Executing timelocked curator or allocator actions
* Triggering manual rehypothecation via `forceRehypothecation`

However, **bypassing or impersonating those permissions** is in scope.

### Protocol-Intended Behaviors

The following behaviors are not vulnerabilities when they occur according to design:

* Liquidation of unhealthy positions according to configured **LTV / LLTV** and the 3.1% liquidation incentive
* Forced post-maturity settlement or liquidation of expired positions (after the 24-hour grace period)
* BT/FW convergence to par near maturity
* AMM pricing, slippage, or discount/premium behavior consistent with the FiraMarket pricing model
* Reserve rebalancing by the RehypothecationModule according to configured `phiMin`, `phiMax`, and `phiTarget` ratios
* Yield accruing to CT holders as designed (via InterestManagerCT)
* Vault allocation and reallocation inside configured caps and timelocks
* Router execution that follows the documented action flow and Diamond-style facet dispatch

### Pure Economic Attacks Without a Code Vulnerability

Pure market behavior or economic outcomes that do not rely on a contract bug are out of scope:

* Market manipulation within intended protocol rules
* Liquidity withdrawal by users
* Slippage or adverse execution under expected market conditions
* Rate movement, basis trading, or maturity-driven repricing
* Honest liquidations after genuine collateral price moves
* Losses caused solely by external market volatility

### Minor Gas, Efficiency, or Documentation Issues

The following are out of scope unless they create a real and material security impact:

* Gas optimizations
* Minor inefficiencies
* Cosmetic or documentation issues
* NatSpec mismatches, comment or spelling errors
* Minor rounding or precision issues with no material effect on funds or solvency

### Theoretical or Unrealistic Attacks

Attacks that require impractical brute force, extreme assumptions, or unrealistic coordination are out of scope. Reports must describe a credible and reproducible exploit path.

If you are unsure whether a finding is in scope, focus on **technical, on-chain vulnerabilities in the deployed Fira contracts and live market infrastructure**.

## Protocol Resources

| Resource                          | Location                                                                                     |
| --------------------------------- | -------------------------------------------------------------------------------------------- |
| Fira Documentation                | [docs.fira.money](https://docs.fira.money)                                                   |
| Contracts & Audits                | [docs.fira.money/security-and-risk/audits](https://docs.fira.money/security-and-risk/audits) |
| Source Code (fira)                | [github.com/usual-dao/fira](https://github.com/usual-dao/fira)                               |
| Source Code (fira-lending-market) | [github.com/usual-dao/fira-lending-market](https://github.com/usual-dao/fira-lending-market) |

The ultimate scope of this bounty is defined by the **deployed Ethereum mainnet contracts** listed above.

## Judging and Severity Assessment

Sherlock's security team triages and validates all submissions. Sherlock coordinates issue verification and determines validity and severity based on the criteria in this program and Sherlock's platform rules.

Steady Labs may be consulted during validation. **Sherlock makes the final determination** on issue validity, severity, and payout eligibility.

In case of dispute or ambiguity, Sherlock's assessment is the deciding factor.

## Disclosure Policy

This bounty follows Sherlock's standard disclosure policy with additional requirements for serious vulnerabilities.

Critical and high-impact findings must **not** be disclosed publicly or to any third party until all of the following conditions are met:

1. Steady Labs has been notified through the official submission process
2. The issue has been acknowledged
3. A fix or mitigation has been deployed, or explicit written permission to disclose has been granted
4. Sherlock has completed or approved the disclosure process

Premature disclosure of an exploit path or a live unpatched vulnerability may disqualify the submission from any reward.

Report vulnerabilities **promptly** — ideally within **24 hours of discovery** — through the official Sherlock submission flow.

Do not exploit vulnerabilities on the live network. Do not steal funds, manipulate users, destroy data, or disrupt service. Any exploit activity beyond what is strictly necessary to demonstrate a vulnerability in a controlled manner may lead to disqualification and possible legal consequences.

If you believe a vulnerability is already being exploited or may soon be exploited, notify Sherlock and Steady Labs immediately through the approved reporting process. Do not make it public.

Steady Labs may, at its discretion, offer additional bonuses for especially novel, impactful, or responsibly handled reports.

## Eligibility

To be eligible for a reward, you must meet all of the following conditions:

* **No sanctions:** You are not located in a sanctioned jurisdiction and are not on any prohibited party list.
* **No affiliation with Steady Labs:** You are not a current or former employee, core contributor, or immediate family member of someone directly affiliated with Steady Labs or the Fira development effort.
* **Legal capacity:** You are legally able to participate in bug bounty programs and receive rewards in your jurisdiction.
* **No prior paid audit conflict:** You have not been paid to audit or review this exact codebase in an official capacity, and you did not materially contribute to the in-scope contracts. You may request an exception directly from Steady Labs.
* **Follow program rules:** You agree to follow all program rules, scope restrictions, disclosure requirements, and platform terms.

By submitting a report, you affirm that you meet these eligibility requirements. Steady Labs and Sherlock reserve the right to verify eligibility and disqualify participants who do not meet these conditions.

## Testing Guidelines and Safe Harbor

### Do Not Test Destructively on Mainnet

Do not perform destructive testing on Ethereum mainnet. Use a **local environment, simulation, or mainnet fork** to test exploit scenarios. All in-scope contracts are verified on Etherscan. Researchers can reproduce behavior using **Foundry** or **Hardhat**.
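An added example of the recommended fork-based workflow, not code from the Fira project: a Foundry test that forks mainnet from an `ETH_RPC_URL` environment variable (assumed), labels the in-scope addresses from the tables above, and sanity-checks them before any exploit scenario is scripted. It assumes forge-std is installed; the only external interface it relies on is the standard ERC-20 `decimals()` view, and it parses addresses from strings so the lowercase entries in the tables compile without checksum errors.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Standard ERC-20 metadata view; used only to compare on-chain decimals
// against the values published in the bounty's Token Layer table.
interface IERC20Metadata {
    function decimals() external view returns (uint8);
}

/// Scope sanity test for the Fira bounty. Nothing here sends a mainnet
/// transaction: every call runs inside a local fork created in setUp().
/// Run with: ETH_RPC_URL=<archive rpc> forge test --match-contract FiraScopeForkTest
contract FiraScopeForkTest is Test {
    // Addresses copied from the bounty tables, kept as strings so that both
    // checksummed and lowercase entries can be parsed with vm.parseAddress.
    string[] internal scopeNames;
    string[] internal scopeAddrs;

    address internal bt;
    address internal ct;
    address internal fwUsdc;

    // Shared BT/CT expiry from the Token Layer section (May 7, 2026).
    uint256 internal constant BT_CT_EXPIRY = 1778112000;
    uint256 internal constant MATURITY_GRACE = 86400; // 24h, per market tables

    function setUp() public {
        // Fork mainnet at the latest block of the configured RPC endpoint.
        vm.createSelectFork(vm.envString("ETH_RPC_URL"));

        _add("FiraLendingMarket",     "0x280ddD897F39C33fEf1CbF863B386Cb9a8e53a0e");
        _add("VariableLendingMarket", "0xc8Db629192a96D6840e88a8451F17655880A2e4D");
        _add("FiraMarket",            "0xde00b5edb255078dd42ee94fd97f473d1c9c055d");
        _add("FiraRouterV4",          "0xFF615E63aAF2d1B1EE4AdFD34a5840747185d8A0");
        _add("LiquidityInjector",     "0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5");
        _add("RehypothecationModule", "0xad332515d9c82438BBa0e9FAA9486B52A33a7Ac8");
        _add("SisuVault",             "0x50791a5cA041b9D6Dd03e64E3Fa0e34a376759AC");

        bt     = vm.parseAddress("0x57FFbb88f0c69283531a751BE6FF0741348371bA");
        ct     = vm.parseAddress("0x93635d34fAd5A9fA7065a645691100b2E23C93cd");
        fwUsdc = vm.parseAddress("0x62F5366C9E21A95326C461a098a408e034e017b3");
        vm.label(bt, "BT");
        vm.label(ct, "CT");
        vm.label(fwUsdc, "FW-USDC");
    }

    // Records a scope entry and labels it so traces name the contract.
    function _add(string memory name, string memory addr) internal {
        scopeNames.push(name);
        scopeAddrs.push(addr);
        vm.label(vm.parseAddress(addr), name);
    }

    /// Every in-scope address must hold bytecode on the fork; a typo in a
    /// copied address would otherwise silently turn calls into no-ops.
    function test_inScopeContractsHaveCode() public view {
        for (uint256 i = 0; i < scopeAddrs.length; i++) {
            address a = vm.parseAddress(scopeAddrs[i]);
            assertGt(a.code.length, 0, scopeNames[i]);
        }
    }

    /// Decimals on chain must match the Token Layer table (BT/CT 6, FW 18);
    /// a mismatch here would invalidate any PoC arithmetic built on the table.
    function test_tokenDecimalsMatchBountyTable() public view {
        assertEq(IERC20Metadata(bt).decimals(), 6, "BT decimals");
        assertEq(IERC20Metadata(ct).decimals(), 6, "CT decimals");
        assertEq(IERC20Metadata(fwUsdc).decimals(), 18, "FW-USDC decimals");
    }

    /// Post-maturity settlement paths only open after expiry plus the 24h
    /// grace period; a fork taken before expiry must be warped to reach them.
    function test_forkIsBeforeMaturityUnlessWarped() public {
        if (block.timestamp < BT_CT_EXPIRY) {
            vm.warp(BT_CT_EXPIRY + MATURITY_GRACE + 1);
        }
        assertGe(block.timestamp, BT_CT_EXPIRY + MATURITY_GRACE, "past grace period");
    }
}
```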

### Use Accounts You Control

Use only wallets, keys, and accounts you control. Do not interfere with other users' positions, balances, or funds.

### No Mainnet Denial of Service

Do not spam, grief, or attempt denial-of-service against live contracts, users, or infrastructure. Demonstrate any blocking or service-degradation vulnerability in a controlled environment.

### Maintain Confidentiality

Do not share exploit details outside the official submission process before a fix is deployed and disclosure is authorized.

### No Social Engineering or Off-Chain Intrusion

This bounty covers smart contract and technical security issues only. Social engineering, phishing, credential attacks, or attempts to gain access through non-technical means are strictly prohibited.

### Responsible Testing

Avoid high-volume or risky testing on live systems. If a testing approach might affect real funds or real users, do not perform it on mainnet.

As long as you act in good faith, stay within these rules, and report vulnerabilities responsibly, Steady Labs intends for this program to operate under a safe-harbor framework for legitimate security research.

## Closing

Steady Labs values the work of independent security researchers and the broader white-hat community. Your efforts strengthen the safety and resilience of Fira's fixed-rate, floating-rate, and curated lending infrastructure.

Thank you for participating in the **Fira Bug Bounty**.

Happy Hunting!

