Bug Bounty

Program Overview

This bug bounty applies to AggreLend’s on-chain smart contracts and directly linked on-chain programs. Client/UI bugs are out of scope unless they lead to a verifiable on-chain exploit path. AggreLend’s core program is open source.

  • Program ID (mainnet): AGGREbma2Gi9unS1mPptAcG4HmkMTLNmqcunYaSSf46b
| Severity | Description | Bounty |
|---|---|---|
| Critical | Bugs that freeze user funds, drain contract holdings, or allow theft/misuse of funds without user signatures. | 10% of prevented/exposed loss, capped at $500,000 |
| High | Bugs that could temporarily freeze funds or mis-account balances/value. | $10,000 – $50,000 (case-by-case) |
| Medium/Low | Bugs that do not threaten user funds but materially affect safety or correctness. | $1,000 – $5,000 (case-by-case) |

Severity follows the Immunefi severity classification. Final awards consider exploitability, impact, clarity of report, and quality of proof-of-concept.

⚠️ All submissions must be original, responsible disclosures. Do not exploit, move, or freeze real user funds. Use devnet/testnet or private forks for PoCs.

Submission

Email security@aggrelend.com with:

  • A descriptive title and affected component (program, instruction, account).
  • Step-by-step attack vector and impact.
  • Minimal PoC (prefer devnet/testnet). For critical/high, include a private mainnet-replay PoC that does not touch real user funds.
  • Any relevant traces, logs, tx IDs, and code diffs.

We acknowledge within 1 business day and keep you informed until triage is complete. If you prefer encrypted mail, include your PGP key in the initial email and we will reply with ours.

Bounty Payment

Default payment is in USDC. Alternative settlement (e.g., SOL, or USDC on Solana) can be arranged case-by-case. We aim to pay within 10 business days after the patch/mitigation has been deployed and validated.

Out of Scope

The following are not eligible for a bounty:

  • Attacks the reporter has already exploited or which caused damage.
  • Issues requiring leaked keys/credentials or access to privileged addresses (governance/admin).
  • Incorrect third-party oracle data (this does not exclude oracle manipulation vectors you can demonstrate).
  • Lack of liquidity, rate changes due to market conditions, or expected venue behavior.
  • Third-party off-chain bot errors (e.g., an external arb/keeper you run).
  • Pure best-practice critiques without concrete risk.
  • Sybil, phishing, or social engineering attacks against users or contributors.
  • Denial of service against frontends, rate-limit abuse, or automated testing that generates excessive traffic.
  • Any submission violating Immunefi’s rules or applicable laws.

Coordinated Disclosure

We practice coordinated disclosure. After triage, we will:

  1. Confirm severity and reproduce.
  2. Patch/mitigate and schedule deployment (may include prompt program upgrade and venue-side controls).
  3. Pay the bounty.
  4. Publish a short post-mortem with credit to the reporter (optional anonymity respected).

Scope Notes (Helpful Context)

  • AggreLend is lend-only and enforces transaction-context guards (CPI/foreign-instruction filtering). Findings that bypass or neutralize these defenses are in scope.
  • Exploits that rely on underlying venue insolvency without a contract flaw in AggreLend are out of scope; however, issues where AggreLend misinterprets venue responses, misroutes, double-counts, or mishandles reward conversions are in scope.
  • Any vulnerability that leads to incorrect accounting, unauthorized state transitions, PDA ownership mistakes, or fund misdirection is in scope.
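To make concrete what the CPI/foreign-instruction guard in the first bullet above is defending against, here is an added, stand-alone model of such a guard. It is illustrative code written for this page, not AggreLend's implementation; the program ids, instruction data and allowlist are constructed for the demo. On-chain, the same facts come from the Instructions sysvar (`solana_program::sysvar::instructions::load_current_index_checked` / `load_instruction_at_checked`) and from `solana_program::instruction::get_stack_height()`; they are modelled here with plain structs so the logic runs without the Solana crates.

```rust
// Illustrative transaction-context guard (not AggreLend's code): reject the
// instruction if it was reached through CPI, or if the enclosing transaction
// carries top-level instructions from programs outside an allowlist.
use std::collections::HashSet;

/// 32-byte program id, as it appears in a transaction message.
pub type Pubkey = [u8; 32];

/// One top-level instruction as exposed by the Instructions sysvar.
#[derive(Clone, Debug)]
pub struct IntrospectedInstruction {
    pub program_id: Pubkey,
    pub data: Vec<u8>,
}

/// The slice of transaction context the guard consults.
pub struct TxContext {
    pub instructions: Vec<IntrospectedInstruction>,
    /// Index of the top-level instruction currently executing.
    pub current_index: usize,
    /// 1 for a top-level instruction, 2 or more when invoked via CPI.
    pub stack_height: usize,
}

#[derive(Debug, PartialEq, Eq)]
pub enum GuardError {
    InvokedViaCpi { stack_height: usize },
    ForeignInstruction { index: usize, program_id: Pubkey },
    CurrentIndexOutOfRange,
}

pub struct ContextGuard {
    /// The program applying the guard; its own instructions are always allowed.
    pub self_program: Pubkey,
    /// Programs permitted to share a transaction (e.g. ComputeBudget, lending venues).
    pub allowed_programs: HashSet<Pubkey>,
}

impl ContextGuard {
    pub fn check(&self, ctx: &TxContext) -> Result<(), GuardError> {
        // (a) A wrapper program calling us via CPI would make the sysvar show only
        //     the wrapper, hiding whatever really runs around us. Refuse outright.
        if ctx.stack_height > 1 {
            return Err(GuardError::InvokedViaCpi { stack_height: ctx.stack_height });
        }
        if ctx.current_index >= ctx.instructions.len() {
            return Err(GuardError::CurrentIndexOutOfRange);
        }
        // (b) Every other top-level instruction, before or after us, must come
        //     from an allowed program; sandwiching is the usual bypass attempt.
        for (index, ix) in ctx.instructions.iter().enumerate() {
            if index == ctx.current_index || ix.program_id == self.self_program {
                continue;
            }
            if !self.allowed_programs.contains(&ix.program_id) {
                return Err(GuardError::ForeignInstruction { index, program_id: ix.program_id });
            }
        }
        Ok(())
    }
}

// Constructed, hypothetical program ids for the demonstration.
pub const SELF_PROGRAM: Pubkey = [0x11; 32];
pub const COMPUTE_BUDGET: Pubkey = [0x22; 32];
pub const FLASH_LOAN_PROGRAM: Pubkey = [0x33; 32];

fn ix(program_id: Pubkey, data: &[u8]) -> IntrospectedInstruction {
    IntrospectedInstruction { program_id, data: data.to_vec() }
}

pub fn demo_guard() -> ContextGuard {
    ContextGuard { self_program: SELF_PROGRAM, allowed_programs: HashSet::from([COMPUTE_BUDGET]) }
}

/// Clean transaction: set a compute budget, then call our (hypothetical) deposit instruction.
pub fn clean_tx() -> TxContext {
    let instructions = vec![ix(COMPUTE_BUDGET, &[2]), ix(SELF_PROGRAM, &[0x01])];
    TxContext { instructions, current_index: 1, stack_height: 1 }
}

/// Sandwiched transaction: a flash-loan borrow and repay wrapped around our instruction.
pub fn sandwiched_tx() -> TxContext {
    let instructions =
        vec![ix(FLASH_LOAN_PROGRAM, b"borrow"), ix(SELF_PROGRAM, &[0x01]), ix(FLASH_LOAN_PROGRAM, b"repay")];
    TxContext { instructions, current_index: 1, stack_height: 1 }
}

/// CPI attempt: a wrapper is the only top-level instruction; we run one level deeper.
pub fn cpi_tx() -> TxContext {
    TxContext { instructions: vec![ix(FLASH_LOAN_PROGRAM, b"wrapper")], current_index: 0, stack_height: 2 }
}

fn main() {
    let guard = demo_guard();
    for (name, tx) in [("clean", clean_tx()), ("sandwiched", sandwiched_tx()), ("cpi", cpi_tx())] {
        println!("{}: {:?}", name, guard.check(&tx));
    }
}
```

The two shapes a reporter would try against such a guard are the ones in the sample contexts: a foreign instruction placed before or after the guarded call (caught by the allowlist sweep) and a wrapper program reaching the call via CPI (caught by the stack-height check). A finding that makes either shape pass is the kind the scope note puts in scope. One design caveat worth knowing before reporting: the Instructions sysvar lists only top-level instructions, so an allowlisted program that itself CPIs into something unexpected is invisible to a check of this form; whether that matters depends on what the allowlisted programs can do.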
🛡️ If you are unsure whether an issue qualifies, email us anyway with as much detail as you can share safely. We will help scope it.