Bug Bounty

Creek Testnet Bug Bounty Program

Description

Creek protocol has officially launched on SUI testnet and is initiating a comprehensive bug bounty program to ensure maximum security standards. As a next-generation DeFi protocol designed to handle real user funds, security represents a fundamental cornerstone of our development approach.

This program targets experienced security researchers to identify potential vulnerabilities within our smart contracts, web applications, and infrastructure components.

Bounty Rewards

The following reward structure applies to validated vulnerability reports:

Severity Level    Reward Amount
Critical          2,000 USDC
High              1,000 USDC
Medium            500 USDC

Scope

1. Swap Functionality

Endpoint: https://beta.creek.finance/swap
Priority Level: Medium
Reward: 500 USDC

Testing Objectives:

  • USDC to GUSD swap accuracy verification

  • GUSD to USDC swap accuracy verification

  • Price slippage calculation validation

  • Swap rate manipulation resistance testing

  • Edge case handling for minimal and maximum transaction amounts

2. Staking & Redemption Operations

Endpoint: https://beta.creek.finance/stake
Priority Level: Critical
Reward: Up to 2,000 USDC

Testing Objectives:

  • XAUm staking rate accuracy for GR&GY token distribution

  • GR&GY token redemption rate accuracy for XAUm conversion

  • Exchange rate manipulation vulnerability assessment

  • Staking and unstaking edge case scenarios

3. Lending System

Endpoint: https://beta.creek.finance/borrow
Priority Level: High
Reward: Up to 1,000 USDC

Testing Objectives:

  • Deposit mechanism collateral handling security

  • Borrowing function loan creation and limitation enforcement

  • Repayment function debt calculation accuracy

  • Collateral removal safety protocols and conditional requirements

  • Collateral ratio enforcement mechanisms

4. Liquidation Infrastructure

Endpoint: https://beta.creek.finance/borrow
Priority Level: High
Reward: Up to 1,000 USDC

Testing Objectives:

  • Liquidation trigger condition accuracy

  • Liquidation calculation precision for penalties and rewards

  • Liquidation bot fairness and MEV/front-running resistance

  • Partial liquidation logic validation

  • Bad debt scenario handling protocols

Excluded Components

  • Faucet functionality

Out of Scope Vulnerabilities

What We Don't Care About

The following vulnerability types are excluded from the bug bounty program and will not receive rewards:

  • UI Bugs Without Security Impact: User interface issues that do not affect security or financial operations

  • Gas Optimizations: Suggestions for improving gas efficiency without security implications

  • Third-Party Wallet Issues: Compatibility problems with external wallet providers

  • Social Engineering: Phishing attempts, user deception tactics, or human-targeted attacks

  • Theoretical Attacks Without Real Impact: Vulnerabilities that cannot be practically exploited or demonstrated

Additional Exclusions

  • Performance Optimizations: Code efficiency improvements without security relevance

  • Informational Findings: General security recommendations without specific vulnerability identification

  • Known Issues: Previously identified and acknowledged vulnerabilities

  • Environmental Dependencies: Browser compatibility or network connectivity issues

Important Note: UI bugs that have direct security implications (such as displaying incorrect transaction amounts, bypassing authentication, or enabling unauthorized actions) remain within scope and are eligible for rewards.

Primary Focus Areas

What We Care About Most

Exchange Rate Exploits (Top Priority)

  • Favorable Swap Rate Manipulation: Achieve better swap rates than intended parameters (USDC-GUSD)

  • Excessive Token Extraction: Extract more GR/GY tokens when staking XAUm than algorithmically determined

  • Surplus XAUm Acquisition: Obtain more XAUm when redeeming GR/GY tokens than expected calculations

  • Oracle Price Manipulation: Manipulate oracle prices to artificially affect exchange rates

Borrowing System Vulnerabilities

  • Collateral Bypass: Borrow more than collateral capacity allows

  • Unauthorized Collateral Removal: Remove collateral while maintaining active loan positions

  • Liquidation Avoidance: Avoid liquidation when positions meet liquidation criteria

  • Interest Rate Manipulation: Pay less interest than required by protocol parameters

  • Flash Loan Attack Vectors: Execute flash loan attacks against any borrowing function

Smart Contract Security Fundamentals

  • Reentrancy Attacks: Execute reentrancy attacks on core protocol functions

  • Access Control Bypass: Gain administrative privileges or become protocol admin

  • Mathematical Vulnerabilities: Exploit integer overflow/underflow in financial calculations

  • Concurrency Issues: Exploit race conditions between multiple users

How to Submit Bug Reports

Submission Process

Email: [email protected]

All vulnerability reports must be submitted exclusively to the above email address within 24 hours of discovery.

Required Information

Your bug report must include the following components:

1. Vulnerability Summary

  • Clear, concise title describing the vulnerability

  • Severity assessment (Critical/High/Medium)

  • Affected component(s) and endpoint(s)

2. Technical Details

  • Vulnerability Type: Specify the category (e.g., reentrancy, access control, oracle manipulation)

  • Root Cause: Explain the underlying technical issue

  • Impact Assessment: Describe potential financial or security consequences

3. Proof of Concept

  • Step-by-step reproduction instructions

  • Transaction hashes (if applicable)

  • Screenshots or video recordings showing the exploit

  • Code snippets demonstrating the vulnerability

  • Network details (testnet addresses, block numbers)

4. Exploitation Details

  • Attack scenario: How would a malicious actor exploit this?

  • Prerequisites: What conditions must be met for exploitation?

  • Potential losses: Quantify the financial impact

  • Affected users: Who would be impacted?

Report Template

Subject: [SEVERITY] Vulnerability Report - [Brief Description]

=== VULNERABILITY SUMMARY ===
Title: 
Severity: Critical/High/Medium
Affected Components: 
Endpoint(s): 

=== TECHNICAL DETAILS ===
Vulnerability Type: 
Root Cause: 
Impact: 

=== PROOF OF CONCEPT ===
Reproduction Steps:
1. 
2. 
3. 

Transaction Hashes: 
Screenshots/Evidence: [Attached]
Code/Scripts: [Attached if applicable]

=== EXPLOITATION ANALYSIS ===
Attack Scenario: 
Prerequisites: 
Potential Financial Impact: 
Affected Users: 

=== RESEARCHER INFORMATION ===
Name/Handle: 
Contact Method: 
Wallet Address (for reward): 

Submission Guidelines

✅ Do Include

  • Detailed technical analysis

  • Clear reproduction steps

  • Visual evidence (screenshots/videos)

  • Transaction hashes on testnet

  • Potential remediation suggestions

  • Your contact information

❌ Don't Include

  • Attempts on mainnet

  • Exploitation for personal gain

  • Public disclosure before resolution

  • Spam or duplicate reports

  • Non-security related issues

Response Timeline

  • Initial Acknowledgment: Within 24 hours

  • Technical Review: 3-5 business days

  • Validation & Testing: 5-10 business days

  • Reward Decision: Within 2 weeks of validation

  • Payment Processing: Within 30 days of approval

Quality Standards

Reports will be evaluated based on:

  • Accuracy: Technical correctness of the vulnerability identification

  • Impact: Severity and potential consequences

  • Clarity: Clear communication and reproduction steps

  • Completeness: All required information provided

  • Originality: First-time discovery and reporting

Vulnerability Impact Classification

Severity   Impact Description                                           Specific Examples                                  Reward
Critical   Protocol fund drainage or unlimited borrowing capabilities   Drain protocol funds; infinite borrowing           2,000 USDC
High       Significant rate advantages or interest avoidance            Get 10x better rates; avoid all interest payments  1,000 USDC
Medium     Core function disruption or minor calculation discrepancies  DoS core functions; minor calculation errors       500 USDC

Impact Examples in Detail

Critical Vulnerabilities:

  • Complete protocol fund extraction

  • Unlimited borrowing without collateral

  • Infinite token minting or burning

High Vulnerabilities:

  • Obtaining 10x better exchange rates than intended

  • Complete interest payment avoidance

  • Bypassing liquidation mechanisms entirely

Medium Vulnerabilities:

  • Temporary denial-of-service on core functions

  • Minor calculation errors in non-critical operations

  • Edge case handling failures with limited impact


Program Guidelines

Testing Constraints

  • Do not use automated vulnerability scanning tools that generate excessive traffic

  • Preserve the availability and integrity of products, services, and infrastructure

  • Do not compromise personal data, interrupt service, or degrade performance

  • Access and modify data only in accounts you own as the researcher

  • Conduct all testing within the designated scope boundaries

  • Do not exploit DoS/DDoS vulnerabilities or use social engineering or spam tactics

  • Do not use automated scanners for form submission or account creation

Vulnerability Chain Assessment

For identified vulnerability chains, compensation will be determined based on the highest severity component only.

Compliance Requirements

  • Maintain strict adherence to applicable legal frameworks

  • Operate exclusively within defined testing parameters

  • Restrict vulnerability disclosure to authorized Creek security team members and designated company personnel

Disclosure Protocols

Confidentiality Standards

  • Do not discuss the program or any vulnerability outside authorized channels without Creek's explicit consent

  • Do not disclose any vulnerability information, including partial details

  • Do not publish or discuss identified security issues

Eligibility Criteria and Coordinated Disclosure

Reward Qualification Standards

Valid reports meeting the following criteria may receive monetary compensation:

  1. First Reporter Status: Must be the initial identifier and reporter of the vulnerability

  2. Qualification Compliance: Vulnerability must meet established program parameters

  3. Timely Reporting: Submit reports within 24 hours of discovery exclusively to [email protected]

  4. Comprehensive Documentation: Provide clear textual vulnerability description with complete reproduction steps

  5. Supporting Evidence: Include relevant documentation such as screenshots or proof-of-concept code

  6. Independence Requirement: Non-affiliation with Creek or contractor organizations (current or former employment)

Submission Requirements

  • Detailed vulnerability analysis and technical description

  • Complete step-by-step reproduction methodology

  • Relevant supporting evidence (screenshots, code samples, transaction hashes)

  • Exclusive submission through designated email address ([email protected])

  • Clear impact assessment and potential exploitation scenarios

Quality Standards

Reports must demonstrate:

  • Technical Accuracy: Precise vulnerability identification and impact assessment

  • Reproducibility: Clear steps enabling consistent vulnerability reproduction

  • Business Impact: Quantifiable risk assessment to protocol operations

  • Remediation Insight: Constructive suggestions for vulnerability resolution


Core Focus Statement

Focus on these 4 core functions: Swap, Stake/Redeem, Borrow, and Liquidation. Break them, and we'll pay you for it.

The Creek Bug Bounty Program prioritizes vulnerabilities that compromise the fundamental financial logic of our protocol. We reward researchers who can demonstrate real exploits that affect user funds, exchange rates, or protocol solvency.

Program Objectives

The Creek Bug Bounty Program represents a collaborative effort between security researchers and protocol developers to establish robust security standards within the DeFi ecosystem. Through systematic vulnerability identification and responsible disclosure practices, participants contribute to the advancement of decentralized finance security while receiving appropriate recognition and compensation for their contributions.

Success Metrics

  • Identification and resolution of critical security vulnerabilities

  • Enhancement of protocol security posture

  • Establishment of ongoing security research relationships

  • Contribution to broader DeFi security knowledge base


Total Reward Pool: Up to 2,000 USDC per qualifying vulnerability

Program Duration: Ongoing during testnet phase

Contact: Submit all reports exclusively to [email protected]

Last Updated: October 2025
