Skip to content

Security: yaxis-project/metavault

Security

SECURITY.md

yAxis Security Bug Bounty

In order to ensure longevity of the project and incentivize white hat hackers for finding vulnerabilities within the yAxis contracts, we are introducing a bounty program which rewards valid reports with YAX from the project treasury.

Payment Amounts

Critical: 5000 YAX

Critical reports require that a strategy or vault would suffer a complete loss of funds.

High: 1000 YAX

High reports would cause users to temporarily be unable to recover funds.

Medium: 500 YAX

Medium reports include unexpected behaviors of the contract which would cause harm to users.

Low: 100 YAX

Low reports include unexpected behaviors of the contract which do not cause harm to users.

Program Rules

Vulnerability reports on smart contracts must be accompanied by a POC demonstrating the attack.

The following behavior is forbidden and will cause the reporter to be ineligible:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Please send reports to: https://immunefi.com/bounty/yaxis/

Or email: [email protected]

Or reach out to the Team role on Discord: https://discord.gg/FxakjWT

In-Scope & Eligible for Bounty

The following assets are considered in-scope and eligible for bounty rewards.

Special note: flash-loan attacks and oracle manipulation reports are in-scope and eligible for bounty in this program.

Github repository: metavault

Located at: https://github.com/yaxis-project/metavault

The main branch contains the latest version of the contracts.

yAxisMetavault

Deployed at: https://etherscan.io/address/0xbfbec72f2450ef9ab742e4a27441fa06ca79ea6a#code

This contract is considered stable but is the highest valued asset of the bounty program. Critical issues found here would require redeployment and user migration to a new contract.

Deployed contracts

Deployed at their documented addresses: https://github.com/yaxis-project/metavault#mainnet

These are the currently-deployed contracts in-use by the protocol.

Ineligible Reports

  • Attacks that the reporter has already exploited himself, leading to damage
  • Attacks that rely on social engineering
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third party oracles
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Deployment/private keys/secrets in test data
  • Sybil attacks

In-Scope & Ineligible for Bounty

The following assets are considered in-scope, but will not be rewarded with any bounty for reports.

yAxisBar

Deployed at: https://etherscan.io/address/0xeF31Cb88048416E301Fee1eA13e7664b887BA7e8#code

This is the YAX staking contract that mints sYAX to stakers.

yAxisToken

Deployed at: https://etherscan.io/address/0xb1dc9124c395c1e97773ab855d66e879f053a289#code

This is the YAX token contract.

yAxisChef

Deployed at: https://etherscan.io/address/0xc330e7e73717cd13fb6ba068ee871584cf8a194f#code

This is the liquidity provider staking contract that mints YAX to LPs.

yAxis Domains & Sites

Located at: https://yaxis.io/

Includes all paths and sub-domains, DNS, and email configuration.

Excluding:

  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing / Text injection issues
  • Self-XSS
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Attacks requiring privileged access from within the organization

Out-of-Scope & Ineligible for Bounty

Ghost.org (Blog)

This is our blogging platform site, which is hosted by Ghost.org.

Discord & Telegram

These are messaging protocols hosted by their respective platforms.

Any asset not explicitly listed in this program

If you come across something that you think should be considered in scope, feel free to reach out and we can asses. However, we want the focus of this bounty to be on the smart contracts.

There aren’t any published security advisories