In order to ensure longevity of the project and incentivize white hat hackers for finding vulnerabilities within the yAxis contracts, we are introducing a bounty program which rewards valid reports with YAX from the project treasury.
- Critical: the report shows that a strategy or vault would suffer a complete loss of funds.
- High: the report shows that users would temporarily be unable to recover funds.
- Medium: the report shows unexpected contract behavior that would cause harm to users.
- Low: the report shows unexpected contract behavior that does not cause harm to users.
Vulnerability reports on smart contracts must be accompanied by a PoC demonstrating the attack.
The following behavior is forbidden and will cause the reporter to be ineligible:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Please send reports to: https://immunefi.com/bounty/yaxis/
Or email: [email protected]
Or reach out to the Team role on Discord: https://discord.gg/FxakjWT
The following assets are considered in-scope and eligible for bounty rewards.
Special note: flash-loan attacks and oracle manipulation reports are in-scope and eligible for bounty in this program.
Located at: https://github.com/yaxis-project/metavault
The main branch contains the latest version of the contracts.
Deployed at: https://etherscan.io/address/0xbfbec72f2450ef9ab742e4a27441fa06ca79ea6a#code
This contract is considered stable but is the highest valued asset of the bounty program. Critical issues found here would require redeployment and user migration to a new contract.
Deployed at their documented addresses: https://github.com/yaxis-project/metavault#mainnet
These are the currently-deployed contracts in-use by the protocol.
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks that rely on social engineering
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third party oracles
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Deployment/private keys/secrets in test data
- Sybil attacks
The following assets are considered in-scope, but will not be rewarded with any bounty for reports.
Deployed at: https://etherscan.io/address/0xeF31Cb88048416E301Fee1eA13e7664b887BA7e8#code
This is the YAX staking contract that mints sYAX to stakers.
Deployed at: https://etherscan.io/address/0xb1dc9124c395c1e97773ab855d66e879f053a289#code
This is the YAX token contract.
Deployed at: https://etherscan.io/address/0xc330e7e73717cd13fb6ba068ee871584cf8a194f#code
This is the liquidity provider staking contract that mints YAX to LPs.
Located at: https://yaxis.io/
Includes all paths and sub-domains, DNS, and email configuration.
- Theoretical vulnerabilities without any proof or demonstration
- Content spoofing / Text injection issues
- Self-XSS
- Captcha bypass using OCR
- CSRF with no security impact (logout CSRF, change language, etc.)
- Missing HTTP security headers (such as X-Frame-Options) or cookie security flags (such as HttpOnly)
- Server-side information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities requiring unlikely user actions
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Lack of SSL/TLS best practices
- DDoS vulnerabilities
- Attacks requiring privileged access from within the organization
This is our blogging platform site, which is hosted by Ghost.org.
These are messaging protocols hosted by their respective platforms.
If you come across something that you think should be considered in scope, feel free to reach out and we can assess it. However, we want the focus of this bounty to be on the smart contracts.