> For the complete documentation index, see [llms.txt](https://docs.creek.finance/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.creek.finance/beta-the-gold-rush/bug-bounty.md).

# Bug Bounty

### Description

Creek protocol has officially launched on SUI testnet and is initiating a comprehensive bug bounty program to ensure maximum security standards. As a next-generation DeFi protocol designed to handle real user funds, security represents a fundamental cornerstone of our development approach.

This program targets experienced security researchers to identify potential vulnerabilities within our smart contracts, web applications, and infrastructure components.

### Bounty Rewards

The following reward structure applies to validated vulnerability reports:

| Severity Level | Reward Amount  |
| -------------- | -------------- |
| **Critical**   | **2,000 USDC** |
| **High**       | **1,000 USDC** |
| **Medium**     | **500 USDC**   |

### Scope

#### 1. Swap Functionality

**Endpoint**: `https://beta.creek.finance/swap`\
**Priority Level**: Medium\
**Reward**: 500 USDC

**Testing Objectives**:

* USDC to GUSD swap accuracy verification
* GUSD to USDC swap accuracy verification
* Price slippage calculation validation
* Swap rate manipulation resistance testing
* Edge case handling for minimal and maximum transaction amounts

#### 2. Staking & Redemption Operations

**Endpoint**: `https://beta.creek.finance/stake`\
**Priority Level**: Critical\
**Reward**: Up to 2,000 USDC

**Testing Objectives**:

* XAUm staking rate accuracy for GR&GY token distribution
* GR&GY token redemption rate accuracy for XAUm conversion
* Exchange rate manipulation vulnerability assessment
* Staking and unstaking edge case scenarios

#### 3. Lending System

**Endpoint**: `https://beta.creek.finance/borrow`\
**Priority Level**: High\
**Reward**: Up to 1,000 USDC

**Testing Objectives**:

* Deposit mechanism collateral handling security
* Borrowing function loan creation and limitation enforcement
* Repayment function debt calculation accuracy
* Collateral removal safety protocols and conditional requirements
* Collateral ratio enforcement mechanisms

#### 4. Liquidation Infrastructure

**Endpoint**: `https://beta.creek.finance/borrow`\
**Priority Level**: High\
**Reward**: Up to 1,000 USDC

**Testing Objectives**:

* Liquidation trigger condition accuracy
* Liquidation calculation precision for penalties and rewards
* Liquidation bot fairness and MEV/front-running resistance
* Partial liquidation logic validation
* Bad debt scenario handling protocols

### Excluded Components

* Faucet functionality

### Out of Scope Vulnerabilities

#### What We Don't Care About

The following vulnerability types are excluded from the bug bounty program and will not receive rewards:

* **UI Bugs Without Security Impact**: User interface issues that do not affect security or financial operations
* **Gas Optimizations**: Suggestions for improving gas efficiency without security implications
* **Third-Party Wallet Issues**: Compatibility problems with external wallet providers
* **Social Engineering**: Phishing attempts, user deception tactics, or human-targeted attacks
* **Theoretical Attacks Without Real Impact**: Vulnerabilities that cannot be practically exploited or demonstrated

#### Additional Exclusions

* **Performance Optimizations**: Code efficiency improvements without security relevance
* **Informational Findings**: General security recommendations without specific vulnerability identification
* **Known Issues**: Previously identified and acknowledged vulnerabilities
* **Environmental Dependencies**: Browser compatibility or network connectivity issues

**Important Note**: UI bugs that have direct security implications (such as displaying incorrect transaction amounts, bypassing authentication, or enabling unauthorized actions) remain within scope and are eligible for rewards.

### Primary Focus Areas

#### What We Care About Most

**Exchange Rate Exploits (Top Priority)**

* **Favorable Swap Rate Manipulation**: Achieve better swap rates than intended parameters (USDC-GUSD)
* **Excessive Token Extraction**: Extract more GR/GY tokens when staking XAUm than algorithmically determined
* **Surplus XAUm Acquisition**: Obtain more XAUm when redeeming GR/GY tokens than expected calculations
* **Oracle Price Manipulation**: Manipulate oracle prices to artificially affect exchange rates

**Borrowing System Vulnerabilities**

* **Collateral Bypass**: Borrow more than collateral capacity allows
* **Unauthorized Collateral Removal**: Remove collateral while maintaining active loan positions
* **Liquidation Avoidance**: Avoid liquidation when positions meet liquidation criteria
* **Interest Rate Manipulation**: Pay less interest than required by protocol parameters
* **Flash Loan Attack Vectors**: Execute flash loan attacks against any borrowing function

**Smart Contract Security Fundamentals**

* **Reentrancy Attacks**: Execute reentrancy attacks on core protocol functions
* **Access Control Bypass**: Gain administrative privileges or become protocol admin
* **Mathematical Vulnerabilities**: Exploit integer overflow/underflow in financial calculations
* **Concurrency Issues**: Exploit race conditions between multiple users

### How to Submit Bug Reports

#### Submission Process

**Email**: `dev@creek.finance`

All vulnerability reports must be submitted exclusively to the above email address within 24 hours of discovery.

#### Required Information

Your bug report must include the following components:

**1. Vulnerability Summary**

* Clear, concise title describing the vulnerability
* Severity assessment (Critical/High/Medium)
* Affected component(s) and endpoint(s)

**2. Technical Details**

* **Vulnerability Type**: Specify the category (e.g., reentrancy, access control, oracle manipulation)
* **Root Cause**: Explain the underlying technical issue
* **Impact Assessment**: Describe potential financial or security consequences

**3. Proof of Concept**

* **Step-by-step reproduction instructions**
* **Transaction hashes** (if applicable)
* **Screenshots or video recordings** showing the exploit
* **Code snippets** demonstrating the vulnerability
* **Network details** (testnet addresses, block numbers)

**4. Exploitation Details**

* **Attack scenario**: How would a malicious actor exploit this?
* **Prerequisites**: What conditions must be met for exploitation?
* **Potential losses**: Quantify the financial impact
* **Affected users**: Who would be impacted?

#### Report Template

```
Subject: [SEVERITY] Vulnerability Report - [Brief Description]

=== VULNERABILITY SUMMARY ===
Title: 
Severity: Critical/High/Medium
Affected Components: 
Endpoint(s): 

=== TECHNICAL DETAILS ===
Vulnerability Type: 
Root Cause: 
Impact: 

=== PROOF OF CONCEPT ===
Reproduction Steps:
1. 
2. 
3. 

Transaction Hashes: 
Screenshots/Evidence: [Attached]
Code/Scripts: [Attached if applicable]

=== EXPLOITATION ANALYSIS ===
Attack Scenario: 
Prerequisites: 
Potential Financial Impact: 
Affected Users: 

=== RESEARCHER INFORMATION ===
Name/Handle: 
Contact Method: 
Wallet Address (for reward): 
```

#### Submission Guidelines

**✅ Do Include**

* Detailed technical analysis
* Clear reproduction steps
* Visual evidence (screenshots/videos)
* Transaction hashes on testnet
* Potential remediation suggestions
* Your contact information

**❌ Don't Include**

* Attempts on mainnet
* Exploitation for personal gain
* Public disclosure before resolution
* Spam or duplicate reports
* Non-security related issues

#### Response Timeline

* **Initial Acknowledgment**: Within 24 hours
* **Technical Review**: 3-5 business days
* **Validation & Testing**: 5-10 business days
* **Reward Decision**: Within 2 weeks of validation
* **Payment Processing**: Within 30 days of approval

#### Quality Standards

Reports will be evaluated based on:

* **Accuracy**: Technical correctness of the vulnerability identification
* **Impact**: Severity and potential consequences
* **Clarity**: Clear communication and reproduction steps
* **Completeness**: All required information provided
* **Originality**: First-time discovery and reporting

### Vulnerability Impact Classification

| Severity     | Impact Description                                          | Specific Examples                                 | Reward         |
| ------------ | ----------------------------------------------------------- | ------------------------------------------------- | -------------- |
| **Critical** | Protocol fund drainage or unlimited borrowing capabilities  | Drain protocol funds, Infinite borrowing          | **2,000 USDC** |
| **High**     | Significant rate advantages or interest avoidance           | Get 10x better rates, Avoid all interest payments | **1,000 USDC** |
| **Medium**   | Core function disruption or minor calculation discrepancies | DoS core functions, Minor calculation errors      | **500 USDC**   |

#### Impact Examples in Detail

**Critical Vulnerabilities**:

* Complete protocol fund extraction
* Unlimited borrowing without collateral
* Infinite token minting or burning

**High Vulnerabilities**:

* Obtaining 10x better exchange rates than intended
* Complete interest payment avoidance
* Bypassing liquidation mechanisms entirely

**Medium Vulnerabilities**:

* Temporary denial-of-service on core functions
* Minor calculation errors in non-critical operations
* Edge case handling failures with limited impact

***

### Program Guidelines

#### Testing Constraints

* Do not use automated vulnerability scanning tools that generate excessive traffic
* Preserve the availability and integrity of the product, services, and infrastructure
* Avoid compromising personal data, interrupting service, or degrading performance
* Access and modify data only in accounts you own as the researcher
* Conduct all testing activities within the designated scope boundaries
* Do not exploit DoS/DDoS vulnerabilities, use social engineering, or employ spam tactics
* Do not use automated scanners for form submission or account creation processes

#### Vulnerability Chain Assessment

For identified vulnerability chains, compensation will be determined based on the highest severity component only.

#### Compliance Requirements

* Maintain strict adherence to applicable legal frameworks
* Operate exclusively within defined testing parameters
* Restrict vulnerability disclosure to authorized Creek security team members and designated company personnel

### Disclosure Protocols

#### Confidentiality Standards

* Do not discuss the program or any vulnerability outside authorized channels without explicit consent from Creek
* Keep all vulnerability information confidential, including partial details
* Do not publish or discuss identified security issues

### Eligibility Criteria and Coordinated Disclosure

#### Reward Qualification Standards

Valid reports meeting the following criteria may receive monetary compensation:

1. **First Reporter Status**: Must be the initial identifier and reporter of the vulnerability
2. **Qualification Compliance**: Vulnerability must meet established program parameters
3. **Timely Reporting**: Submit reports within 24 hours of discovery exclusively to <dev@creek.finance>
4. **Comprehensive Documentation**: Provide clear textual vulnerability description with complete reproduction steps
5. **Supporting Evidence**: Include relevant documentation such as screenshots or proof-of-concept code
6. **Independence Requirement**: Non-affiliation with Creek or contractor organizations (current or former employment)

#### Submission Requirements

* Detailed vulnerability analysis and technical description
* Complete step-by-step reproduction methodology
* Relevant supporting evidence (screenshots, code samples, transaction hashes)
* Exclusive submission through designated email address (<dev@creek.finance>)
* Clear impact assessment and potential exploitation scenarios

#### Quality Standards

Reports must demonstrate:

* **Technical Accuracy**: Precise vulnerability identification and impact assessment
* **Reproducibility**: Clear steps enabling consistent vulnerability reproduction
* **Business Impact**: Quantifiable risk assessment to protocol operations
* **Remediation Insight**: Constructive suggestions for vulnerability resolution

***

### Core Focus Statement

**Focus on these 4 core functions: Swap, Stake/Redeem, Borrow, and Liquidation. Break them, and we'll pay you for it.**

The Creek Bug Bounty Program prioritizes vulnerabilities that compromise the fundamental financial logic of our protocol. We reward researchers who can demonstrate real exploits that affect user funds, exchange rates, or protocol solvency.

### Program Objectives

The Creek Bug Bounty Program represents a collaborative effort between security researchers and protocol developers to establish robust security standards within the DeFi ecosystem. Through systematic vulnerability identification and responsible disclosure practices, participants contribute to the advancement of decentralized finance security while receiving appropriate recognition and compensation for their contributions.

#### Success Metrics

* Identification and resolution of critical security vulnerabilities
* Enhancement of protocol security posture
* Establishment of ongoing security research relationships
* Contribution to broader DeFi security knowledge base

***

**Total Reward Pool**: Up to 2,000 USDC per qualifying vulnerability

**Program Duration**: Ongoing during testnet phase

**Contact**: Submit all reports exclusively to <dev@creek.finance>

**Last Updated**: October 2025
