Pinto
Details:
Pinto is low volatility money built on Base. This bug bounty program is focused on securing both Pinto and Pinto Exchange, the Pinto-native exchange. For more information about Pinto, see the whitepaper and docs. For more information about Pinto Exchange, see the docs and whitepaper.
Rewards are determined based on Severity Tier, Funds at Risk, and the feasibility of the given attack or bug. Speculation about potential reputation damage as a result of a vulnerability may be considered by the PCM at its discretion when sizing an award, but it neither determines, nor is determined by, Severity Tier or Funds at Risk.
Severity Tiers (Impacts in Scope):
Critical (USD 100 000 - USD 10 000):
- Direct theft of any User Funds, whether at-rest or in-motion.
- User Funds refers to assets Deposited in the Silo (including both Pinto and LP), Farm (internal) balances, Wallet balances, liquidity underlying LP tokens not deposited in the Silo, Deposits underlying sPinto, Earned Pinto, Pinto inside of Pod Orders, Harvestable Pods, Pinto and sPinto.
- Unharvestable Pods, Stalk and Seeds are not considered User Funds. But, Unharvestable Pods may factor into Funds at Risk calculations (see below).
- Permanent freezing of irreplaceable funds (i.e., funds that cannot be minted by the Pinto protocol).
- Illegitimate minting of Pinto resulting in extracted exogenous value.
High (USD 25 000 - USD 5 000):
Note: If no funds are at risk, the maximum High Severity reward is USD 15 000.
- Temporary freezing of irreplaceable funds for at least 1 hour.
- Permanent freezing of replaceable funds or assets (i.e., funds or assets that can be minted by the Pinto Protocol) or unclaimed yield (i.e., making yield unclaimable).
- Theft of Stalk, Seeds or Unharvestable Pods.
- Illegitimate minting/burning/transferring of protocol native assets.
Medium (USD 5 000 - USD 500):
- Temporary freezing of replaceable funds for under 1 hour.
- Smart contract unable to operate due to lack of token funds.
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol).
- Illegitimate maintaining of protocol-native assets.
- Contract fails to deliver promised returns but doesn't lose value.
- Exploit is possible but is exclusively prevented by an invariant.
- Invariant check is missing on a function where it should be implemented (at PCM’s discretion).
Websites and Application (USD 15 000 - USD 1 000)
- Data integrity & content manipulation: Unauthorized control, modification, or manipulation of website or application data, content, or behavior.
- Reproducible execution of an action significantly different from what the user reasonably intended.
- Note: non-execution (tried to Sow but it didn’t go through) is unlikely to qualify unless users actually cannot do the intended action.
- Manipulating Discord bot messages to display arbitrary data not relating to what has occurred onchain.
- Manipulating any subgraph query response that results in incorrect data presented to users on the UI or Discord.
- Unauthorized website or service takedown, or redirection of users to malicious websites impersonating the Pinto site.
Rewards Determination
For bugs that are deemed to belong in anything other than the Critical Severity Tier by the Pinto Contract Multisig (PCM), in order to be considered for the maximum potential reward within their Severity Tier, bug reports must come with a valid Proof of Concept (PoC). Explanations and statements are not accepted as a PoC. High and lower severity bug reports that do not come with a PoC may qualify for a maximum of up to 30% of the potential reward outlined below, as determined by the PCM or the committee it selects to operate the bug bounty program. Valid critical bugs that are reported without a PoC are still eligible for the full USD 100 000 reward.
Funds at Risk for a given bug report are defined as the USD value of exogenous assets that, within the first hour after the report is made, can be (a) stolen and liquidated, (b) destroyed, or (c) frozen. Funds at Risk calculations assume the minimum of (i) time-weighted average of system data (e.g., liquidity, supply, price) over the prior seven days and (ii) system data at the time the report was submitted. Pinto and other protocol-native tokens are only counted as Funds at Risk insofar as they can reasonably be redeemed for exogenous value within that same timeframe and under the same assumptions.
- For non-Pinto in Wallet Balances, the Funds at Risk are determined to be 50% of the USD value of exogenous assets that within the first hour after the report is made, can be (a) stolen and liquidated, (b) destroyed or (c) frozen.
- If an exploit is not currently executable, but would become executable upon reasonable and realistic changes in system conditions (e.g., liquidity, supply or price changes), Funds at Risk will be calculated as if the system incurs the minimum reasonable change that would reach valid conditions, and the Funds at Risk will be deducted by 50%.
An attack or bug's feasibility is determined by:
- Triggerability: how easily an attacker (or normal operation) can create the conditions for the bug to manifest.
- The cost-benefit tradeoff of performing the attack.
Note: a valid bug may be infeasible (e.g., the attacker would need to sacrifice more money to perform the attack than could be extracted) and thus will likely be rewarded at or near the lower bound of its appropriate Severity Tier. By contrast, a highly feasible vulnerability may be, but need not be, considered for a higher reward within the relevant tier.
Reward Calculation for Critical Smart Contract Reports
Rewards for Critical smart contract vulnerabilities are capped at the lower of (a) 10% of Funds at Risk, or (b) USD 100 000, primarily taking into consideration the Funds at Risk and feasibility of the given attack or bug. However, there is a minimum reward of USD 10 000 for Critical Severity smart contract bug reports.
Reward Calculation for High Smart Contract Reports
Rewards for High smart contract vulnerabilities are capped at the lower of (a) 10% of Funds at Risk, or (b) USD 25 000, primarily taking into consideration the Funds at Risk, and feasibility of the given attack. However, there is a minimum reward of USD 5 000 for High Severity smart contract bug reports.
Reward Calculation for Medium Smart Contract and All Website and Applications Reports
Rewards for Medium Severity smart contract vulnerabilities and all website and application vulnerabilities are scaled based on a set of internal criteria established by the PCM. However, there is a minimum reward of USD 500 for Medium smart contract bug reports (the bottom of the Medium tier range above) and USD 1 000 for website and application bug reports. The PCM will primarily take into account the attack's impact and feasibility.
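The Funds at Risk and reward rules above combine several steps (seven-day time-weighted average vs. current value, the 50% haircut on non-Pinto wallet balances, the 50% deduction for exploits that only become executable after a change in conditions, the 10% share, and the per-tier cap, floor and no-PoC limit). The following is an added example, not code from the Pinto program or Sherlock, that works those rules through in Python so a reporter can estimate a payout before submitting. All figures and helper names are constructed for illustration; the PCM's discretionary feasibility adjustment within a tier, and the Medium/website tiers (internal criteria), are deliberately not modelled.

```python
"""Worked estimate of Funds at Risk and maximum reward under the Pinto program rules.

Added example, not program code. Assumptions (mine): all values are USD; the
seven-day history is supplied as (duration_seconds, usd_value) samples; the
no-PoC 30% limit is applied to the tier's potential reward after cap and floor.
"""

CRITICAL_CAP, CRITICAL_FLOOR = 100_000, 10_000
HIGH_CAP, HIGH_FLOOR = 25_000, 5_000
HIGH_CAP_NO_FUNDS = 15_000        # "if no funds are at risk" note on the High tier
NO_POC_SHARE = 0.30               # High and lower without a PoC: up to 30% of potential reward


def time_weighted_average(samples):
    """samples: iterable of (duration_seconds, usd_value) covering the 7-day window."""
    samples = list(samples)
    total_time = sum(d for d, _ in samples)
    if total_time <= 0:
        raise ValueError("window must have positive duration")
    return sum(d * v for d, v in samples) / total_time


def funds_at_risk(twap_7d, current, *, non_pinto_wallet_twap=0.0,
                  non_pinto_wallet_current=0.0, executable_now=True):
    """Exogenous USD value that can be stolen/destroyed/frozen in the first hour.

    The program takes the minimum of the 7-day TWAP and the value at report time.
    Non-Pinto wallet balances count at 50%. If the exploit only becomes executable
    after a minimal realistic change in conditions, the caller passes the figures
    at those adjusted conditions and the total is cut by 50%.
    """
    base = min(twap_7d, current)
    wallet = 0.5 * min(non_pinto_wallet_twap, non_pinto_wallet_current)
    total = base + wallet
    if not executable_now:
        total *= 0.5
    return total


def max_reward(tier, far, has_poc=True):
    """Maximum reward the PCM can issue for a Critical or High smart contract report."""
    share = far / 10                               # 10% of Funds at Risk
    if tier == "critical":
        # Critical reports need no PoC to be eligible for the full amount.
        return max(min(share, CRITICAL_CAP), CRITICAL_FLOOR)
    if tier == "high":
        cap = min(share, HIGH_CAP) if far > 0 else HIGH_CAP_NO_FUNDS
        potential = max(cap, HIGH_FLOOR)
        return potential * NO_POC_SHARE if not has_poc else potential
    raise ValueError("Medium and website tiers are sized on PCM internal criteria")


def estimate(tier, history, current, **far_kwargs):
    """Convenience wrapper: history -> TWAP -> Funds at Risk -> reward ceiling."""
    twap = time_weighted_average(history)
    far = funds_at_risk(twap, current, **far_kwargs)
    return {"twap_7d": twap, "funds_at_risk": far, "max_reward": max_reward(tier, far)}


if __name__ == "__main__":
    # Constructed sample: 4 days at 1.0M and 3 days at 650k of exploitable liquidity,
    # 900k at report time; an extra non-Pinto wallet balance that counts at 50%.
    day = 86_400
    history = [(4 * day, 1_000_000), (3 * day, 650_000)]
    print(estimate("critical", history, 900_000,
                   non_pinto_wallet_twap=200_000, non_pinto_wallet_current=100_000))
```

The `estimate` call in the sample yields a TWAP of USD 850 000 (below the USD 900 000 at report time, so the TWAP is used), plus 50% of the USD 100 000 wallet minimum, for USD 900 000 Funds at Risk and a USD 90 000 ceiling. The same numbers with `executable_now=False` halve Funds at Risk to USD 450 000 and the ceiling to USD 45 000.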
Reward Payment Terms
Payouts are handled by the PCM directly (or via a committee it selects) and are done in PINTO. They will account for the price of Pinto and slippage, so that the bounty hunter can withdraw the full USDC value of their reward at the time of payout.
PCM Determination
The PCM shall determine whether a submitting party is entitled to a bug bounty/reward, and if so, the amount of such bounty/reward (and specifically, whether such submission qualifies for a Critical, High or Medium Impact bounty/reward, what if any are the Funds at Risk, and what the appropriate bounty/reward should be within each Severity Tier). The PCM’s determination of (i) whether such submission qualifies for a Critical, High or Medium Impact bounty/reward, (ii) what are the Funds at Risk, and (iii) whether such submission came with a PoC, thereby enabling it to be considered for the maximum potential applicable reward in the case of non-Critical tier bugs (vs. a submission that did not come with a PoC, thereby limiting such submission to a maximum of up to 30% of the applicable reward unless deemed critical by the PCM), shall be made in the PCM’s sole and absolute discretion and shall be final, and not be subject to any appeal or challenge.
A submitting party may only dispute the PCM’s determination (a) that the submitting party is not entitled to any bug bounty/reward, or (b) what the appropriate bounty/reward should be within a given Severity Tier. In such disputes, Sherlock will conduct a binding mediation. If the submitting party disputes the PCM’s decision that the submitting party is not entitled to any bug bounty/reward, Sherlock will mediate, and shall determine, in its sole and absolute discretion, though subject to its stated appeals process, whether the submitting party is entitled to any bug bounty/reward, and if so, the amount of such bug bounty/reward, up to USD 10 000 in the case of a smart contract bug report, and up to USD 1 000 in the case of a website and applications bug report. If the submitting party disputes the PCM’s determination of what the appropriate bounty/reward should be within a specific Severity Tier, Sherlock will mediate, and shall determine, in its sole and absolute discretion, subject to its stated appeals process and the terms specified in the Reward Calculations above, the amount of such bug bounty/reward within the Severity Tier determined by the PCM; however, Sherlock may not modify or change (a) the Funds at Risk determination made by the PCM, or (b) the PCM's determination of whether such submission came with a valid PoC, thereby enabling it to be considered for the maximum potential applicable reward (vs. a submission that did not come with a PoC, thereby limiting such submission to a maximum of up to 30% of the applicable reward). For example, if the PCM determines a critical bug to have a total Funds at Risk of USD 700 000, and issues a reward of USD 55 000, the bounty hunter can appeal the reward up to the maximum of USD 70 000 (10% of Funds at Risk).
Program Basics
Pinto is low volatility money built on Base. This bug bounty program is focused on securing both Pinto and Pinto Exchange. For more information about Pinto, see the whitepaper and docs.
As the Pinto and Beanstalk Bug Bounty Programs are operated by the same team, any valid submission that affects both programs, whether reported under Pinto or Beanstalk, will be considered a known issue in the other.
Eligibility Criteria
Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:
- A contributor (past or present) to the project; or
- A private auditor that has been paid by Pinto or a related party to review the code that is reported to be vulnerable.
Previous Audits
Audit reports of the various in-scope assets can be found here. Any unfixed vulnerabilities mentioned in these reports (or otherwise known by the PCM) are not eligible for a reward.
No KYC information is required for payout processing.
Resources:
All Pinto smart contracts can be found at https://github.com/pinto-org/protocol. All Pinto Exchange smart contracts can be found at https://github.com/pinto-org/exchange. However, only those in the Assets in Scope section are considered as in-scope of the bug bounty program. The following links may also be helpful:
Max Rewards: 100,000 USDC
Status: LIVE
Live since: Jan 28, 2026, 1:00 PM
Last updated: Jan 28, 2026, 1:00 PM