INIT Capital is the money market that aims to democratize access to liquidity, catering not only to DeFi users but also to protocols through 'Liquidity Hooks'
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
https://dev.init.capital/contract-addresses/blastFull list of in-scope Blast SC |
Smart Contract | Critical | Bounty |
https://dev.init.capital/contract-addresses/mantleFull list of in-scope Mantle SC |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0xf8B8552D52986F06Ffaf14Bc88bfCF6DCBDbA05D?tab=contractInitCore |Mantle (for address of proxy SC — look into full list) |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x995b3D3CF83d5A0040b56b0201d3d2Db6E369DBF?tab=contractPosManager |Mantle (for address of proxy SC — look into full list) |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x1dBD1e94373b3163F4376d6ae1A39DB9fdA334cB?tab=contractConfig |Mantle (for address of proxy SC — look into full list) |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x423bB7577BCf594df986D9646B44D3144b3329FD?tab=contractLendingPool |Mantle |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0xf3416748553EA93643aa8B5A7879F2C40018002b?tab=contractRiskManager |Mantle (for address of proxy SC — look into full list) |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x7928419135cE5427858F0F5c0cbA3151b9b14f81?tab=contractInitOracle |Mantle (for address of proxy SC — look into full list) |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0xDDC99aeef7D5F87118A3A2636F7D0FB6c60daCF3?tab=contractLiqIncentiveCalculator |Mantle (for address of proxy SC — look into full list) |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0xCE3292cA5AbbdFA1Db02142A67CFFc708530675a?tab=contractAccessControlManager |Mantle |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x7d2b278b8ef87bEb83AeC01243ff2Fed57456042?tab=contractInitLens |Mantle |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x06cAb8cbD9bb02dB40eBa963A8C38d4C5924dA84?tab=contractMoneyMarketHook |Mantle (for address of proxy SC — look into full list) |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x917A9fA5606e7Bb6a9Bf7eb0AbB00FE152D3DC14?tab=contractLooping Hook (swap via Universal router) |Mantle (for address of proxy SC — look into full list) |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x497949e7a3cD1352980a1b2c27dA27b5A71C94bD?tab=contractLoopingHook (swap via MerchantMoe && swap via Agni && swap via FusionX) |Mantle (for address of proxy SC — look into full list) |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x51AB74f8B03F0305d8dcE936B473AB587911AEC4?tab=contractMantle Lending Pool | WETH |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x9c9F28672C4A8Ad5fb2c9Aca6d8D68B02EAfd552?tab=contractMantle Lending Pool | WBTC |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x44949636f778fAD2b139E665aee11a2dc84A2976?tab=contractMantle Lending Pool | WMN |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x00A55649E597d463fD212fBE48a3B40f0E227d06?tab=contractMantle Lending Pool| USDC |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0xadA66a8722B5cdfe3bC504007A5d793e7100ad09?tab=contractMantle Lending Pool | USDT |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x5071c003bB45e49110a905c1915EbdD2383A89dF?tab=contractMantle Lending Pool | METH |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0xf084813F1be067d980a0171F067f084f27B3F63A?tab=contractMantle Lending Pool | USDY |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x3282437C436eE6AA9861a6A46ab0822d82581b1c?tab=contractMantle Lending Pool| USDe |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x59448551523A4d244f26759e48d83e432Ed1FDBF?tab=contractMantle Interest Rate Model | WETH |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x71e0B2E5DDcDd509D1dA7029b09D310c108B2cF6?tab=contractMantle Interest Rate Model | WBTC |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0xF25E438eFad5a865A72f9FE39Ffd9aeC1F18398e?tab=contractMantle Interest Rate Model | WMNT |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x0959a65AB35cbF335AbAdC7793e2E8CAC81aE7e4?tab=contractMantle Interest Rate Model | USDC |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x00fA41248F6c3A26863ec56634Fe78Ad4E4748EC?tab=contractMantle Interest Rate Model | USDT |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0x32f533EAbD0B128e7EbE391DcC3F012701618B62?tab=contractMantle Interest Rate Model | METH |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0xEEd8A04876ceeE12DDaf4Fd1eb59663A62D9BE34?tab=contractMantle Interest Rate Model | USDY |
Smart Contract | Critical | Bounty |
https://explorer.mantle.xyz/address/0xF525F9a23DB5Fa9BeA0f64E5427A103752977A0C?tab=contractMantle Interest Rate Model | USDe |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xf62e7c831fc41c93b61c04c24152c433d6553236PointOperator (Multisig Point Operator Contract) | Blast (EOA) |
Web3 | Critical | Bounty |
https://blastscan.io/address/0xf683Ce59521AA464066783d78e40CD9412f33D21#codeWWETH (Blast Gold Receiver Contract) | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x4B246c4C41c4e5eC1d4A8453c313cbc57Bf0993A#codeWUSDB | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xa7d36f2106b5a5D528a7e2e7a3f436d703113A10#codeInitCore (Blast Gold Receiver Contract) | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xA0e172f8BdC18854903959b8f7f73F0D332633fe#codePosManager | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x57200D2B0C36244B3c8EBf99e5724c7536cea2F7#codeConfig | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xD97Bb363b5B925cF95acD7c463045750514C68C1#codeRiskManager | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xe31686E5590E4FD5D5418Fe3c4e9368EfD75e2eF#codeInitOracle | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xed9d7E89309B060e876098F4695aB9fd3011904b#codeLiqIncentiveCalculator | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x265DAA697489968AEbd650c665F4Fb241b560785#codeAccessControlManager | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x56Fba2cC045C02d7adAE5A9dfDce795900b2860E#codeInitLens | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xC02819a157320Ba2859951A1dfc1a5E76c424dD4#codeMoneyMarketHook | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x85babafa73c3499247d937f7abb877e0e6250f68#codeLoopingHook | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x5313428df205273dcd4100b2fbc0803aba13ff28#codeMarginTradingHook | Blast |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xD20989EB39348994AA99F686bb4554090d0C09F3#codeBlast Lending Pool |ETH |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xc5EaC92633aF47c0023Afa0116500ab86FAB430F#codeBlast Lending Pool | USDB |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x027296054f8181fbc0df26174e7640652bb28b40#codeBlast Lending Pool | ezETH |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x17f18794ecE38EE3F17Ab7Bcc41CF99486A3B85c#codeBlast Lending Pool |wrsETH |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xD20989EB39348994AA99F686bb4554090d0C09F3#codeBlast Lending Pool |weETH |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x72ee68fc1d6650b32314188321e92a8b4f3b552a#codeBlast Interest Rate Model |ETH |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0x95b8640e5a9a496427D089b14F6736de212852D0#codeBlast Interest Rate Model |USDB |
Smart Contract | Critical | Bounty |
https://blastscan.io/address/0xD501a57d404a4beDB2c911512D79b9087Ad6bf39#codeBlast Interest Rate Models |ezETH && wrsETH && weETH |
Smart Contract | Critical | Bounty |
IN-SCOPE VULNERABILITIES
The list is not limited to the following submissions but it gives an overview of what issues we care about:
- Stealing or loss of funds
- Unauthorized transaction
- Transaction manipulation
- Price manipulation
- Fee payment bypass
- Balance manipulation
- Contracts execution flows
- Cryptographic flaws
OUT-OF-SCOPE VULNERABILITIES
- Network-level DoS
- Vulnerabilities in the protocol that are unrelated to smart contract execution
- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- Don’t spam forms or account creation flows using automated scanners
- In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
- For more information, check: https://init-capital.gitbook.io/init-capital/protocol-overview/introduction
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial is allowed for the moment.
- Please do NOT publish/discuss bugs
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must not be a former or current employee of us or one of its contractor.
- ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
- Provide detailed but to-the point reproduction steps