Bug Bounty
SaabFi's responsible-disclosure and bug bounty program for Small Loans, covering scope, severity tiers, reward sizing, and payout rules.
Small Loans is a Base-native way to borrow USDC against Bitcoin collateral. cbBTC holders lock collateral and draw 30-day USDC loans of 1 to 1,000 USDC. There are no margin calls and no liquidations. A borrower repays within the term to reclaim the cbBTC, or defaults and forfeits the collateral. Lending liquidity is seeded by the company's Safe wallet, not by public lenders, so the funds at risk are bounded and known at any moment.
This program rewards security researchers who privately report vulnerabilities that could lead to loss of those funds, and defines exactly how reports are triaged, scored, and paid, so that valid work is paid fairly and out-of-scope or unproven claims are not.
At a glance
| Property | Value |
|---|---|
| Program owner | SaabFi |
| Asset | Small Loans smart contracts (Base mainnet) |
| Languages and stack | Solidity 0.8.35, Foundry, OpenZeppelin AccessManager, Permit2, Chainlink |
| Reward range | See Rewards |
| Reward currency | USDC on Base |
| Severity model | Four-tier (Critical, High, Medium, Low) |
| Proof of concept required | Yes, for Critical and High |
| Response target | First response within 3 business days |
| KYC | Required before any payout (sanctions screening) |
Scope
In scope
The deployed Base mainnet smart contracts and the libraries they rely on:
- Contracts: Btc4Stable (orchestrator), LoanManager, Microloans, LendingPool, CollateralVault, Treasury, PriceOracle, TwapOracle, ProtocolAccessManager
- Supporting libraries: LoanMath, TwapPriceMath, PriceMath, Constants, TickMath
In-scope mainnet addresses are listed on the Small Loans contracts page.
Rewards follow Primacy of Impact: if a bug in an in-scope contract is exploitable through any path, including the frontend or keeper, the impact is what we score, even if the entry point is technically out of scope.
Out of scope
- Testnet and Base Sepolia deployments. Reproduce on a local mainnet fork; testnet exploitation is never rewarded.
- Off-chain components as standalone targets. The frontend, keeper API, and monitoring sentinel are convenience layers; the canonical state is on-chain. A bug here that provably drains in-scope funds is still eligible under Primacy of Impact.
- Trusted-role abuse. Actions available to the Safe, guardians, or keeper acting within their granted roles. The admin keys are a trusted boundary. Exception: a bug that lets a non-privileged actor gain a privileged action, or routes funds outside the Safe-only exit paths, is in scope.
- Third-party failures. Chainlink feed outages, Permit2, the Base sequencer, or USDC and cbBTC issuer actions, unless the smart contracts mishandle a documented failure mode they claim to defend against.
- Already-known issues. Anything documented in the security materials, prior audits, or already covered by the test, Certora, or fuzz suites.
- Best-practice and theoretical. Gas optimizations, style, missing events, centralization that is documented as intended, or claims without a concrete exploit path. See Non-qualifying reports.
What the program protects
Reports are ranked by realizable impact on funds, not by cleverness. These are the main ways value could leave Small Loans, and where each lives in the smart contracts:
| Risk (impact) | Where it lives |
|---|---|
| Lender capital drained. USDC leaves LendingPool without repayment | LendingPool (fund, repay, write-off, Safe-only emergency withdraw), Permit2 routing in Btc4Stable |
| Collateral stolen. cbBTC leaves CollateralVault to the wrong party | CollateralVault one-shot release invariant, Btc4Stable.claimCollateral, default fan-out |
| Undercollateralized or free loans. The pool funds a loan worth less than its collateral | Pricing (PriceOracle, TwapOracle, min(TWAP, spot)), LoanMath collateral and fee math, depeg circuit breakers |
| Insolvency or accounting drift. Ledgers disagree with real balances | Treasury deficit ledger, LendingPool bad-debt write-off and creditPrincipal, Microloans state machine |
| Unauthorized fund routing or privilege escalation | ProtocolAccessManager roles and delays, guardian powers, Safe-routed exits |
| Liveness loss or fund lock. Borrowers cannot repay or claim, or funds freeze | Pause gates, TWAP warm-up, repayment and claim paths |
The bounty is the residual layer on top of the controls already in place: Certora formal verification, Echidna and Medusa property fuzzing, Slither static analysis, mutation testing, and a non-upgradeable, narrowly scoped fund-routing design. It exists to catch what those controls miss.
Severity classification
Severity is set on a four-tier impact scale. Final severity is set by the SaabFi team based on demonstrated impact; the examples below are illustrative, not exhaustive.
Critical
Direct, unauthorized loss of company or user funds.
- Draining USDC from LendingPool outside the Safe-routed emergency path.
- Stealing cbBTC from CollateralVault (double-release, release without full repayment, or release to a non-borrower).
- Originating a loan that is free or materially undercollateralized (bypassing collateral validation, the commitment fee, or conservative min(TWAP, spot) pricing) for net loss to the lender.
- Oracle or TWAP manipulation that lets a borrower originate at a manipulated price for net loss to the lender.
- Privilege escalation that routes funds to an arbitrary, non-Safe recipient, or forges loan or collateral state to extract value.
High
Significant loss under conditions, or permanent fund freezing.
- Permanently freezing pool USDC or vault collateral (for example, a borrower who repaid can never claim the collateral back).
- Corrupting the bad-debt or default-deficit ledger so the pool can be over-credited or over-replenished, or principal is under-recorded.
- Forcing a default on a healthy, non-expired loan (bypassing the Microloans default conditions) to seize collateral early.
- Bypassing the USDC or cbBTC depeg circuit breaker to originate during a depeg, for loss to the lender.
Medium
Limited or conditional loss, or recoverable disruption.
- Systematically underpaying the dynamic commitment fee through fee-model manipulation.
- Temporary denial of origination, repayment, or TWAP availability (for example, griefing the observation warm-up) without fund loss.
- Rounding or precision edge cases that leak small, bounded value.
Low and Informational
Recoverable, low-impact griefing; minor rounding within documented tolerances; defensive-hardening suggestions; specification or documentation mismatches with no exploit path.
Rewards
Rewards are sized against the funds a given bug puts at risk. Because liquidity is seeded by the company's Safe wallet (no public lenders) and loans are capped at 1,000 USDC, the funds at risk are bounded and knowable at any moment:
funds at risk ≈ USDC available in LendingPool
              + cbBTC collateral held in CollateralVault
              + any USDC or cbBTC balance sitting in Treasury

A Critical reward is capped at roughly 5 to 10 percent of the funds at risk, with a fixed floor so a Critical report is worth a researcher's time regardless of how small the seed is. The High, Medium, and Low tiers scale down from the Critical cap. Because the seed is bounded, the tiers are published as fixed amounts and re-anchored if the seed changes materially.
Reward table
| Severity | Reward | Notes |
|---|---|---|
| Critical | $XX,XXX | Capped at roughly 5 to 10 percent of funds at risk; a floor keeps it worthwhile |
| High | $XX,XXX | Roughly 25 to 40 percent of the Critical amount |
| Medium | $X,XXX | Fixed amount |
| Low and Informational | Swag or credit | Discretionary |
Reward determinants:
- Rewards are paid for the single highest-impact valid issue per root cause; multiple reports sharing one root cause are treated as duplicates.
- The team sets final severity from demonstrated impact, with the dispute path available.
- Rewards are paid in USDC on Base after the fix is verified and KYC is complete.
Submission requirements
A report is only eligible if it lets us reproduce the issue. Please include:
- Title and severity you believe applies.
- Affected contracts and functions, and a clear description of the root cause.
- Impact: what funds move or freeze, and who bears the loss.
- Proof of concept, required for Critical and High: a Foundry test or script that reproduces the issue against a local Base mainnet fork, plus exact steps.
- Suggested fix, if you have one.
Reports without a reproducible impact are triaged as informational. See Non-qualifying reports.
Rules of engagement
Permitted:
- Testing against your own local fork, local devnet, or the testnet deployment.
- Static and dynamic analysis of the public code.
Prohibited (voids eligibility):
- Any testing against mainnet that moves real funds, or against funds or accounts you do not own.
- Denial-of-service against live infrastructure, spam, or social engineering of staff, users, or the Safe signers.
- Phishing, physical attacks, or attacks on third-party services (Chainlink, Permit2, RPC providers, the sequencer).
- Public disclosure before a fix is shipped and a disclosure date is agreed.
- Exploiting a live bug for profit instead of reporting it. This forfeits any reward.
Disclosure and remediation
- Report privately to the disclosure contact below.
- Acknowledge. First response within 3 business days.
- Triage. We reproduce and assign severity (target: within 7 business days for Critical and High).
- Fix and validate. We patch, add a regression test or property to the Certora, Foundry, and fuzz suites, and verify.
- Reward, released after the fix is verified and KYC is complete.
- Coordinated disclosure. We agree on a public disclosure date with the reporter, typically after the fix is deployed. Credit is given unless you prefer to remain anonymous.
Payouts, KYC, and anti-fraud
These rules protect both sides. They ensure valid researchers are paid and prevent fraudulent or sanctioned claims:
- KYC and sanctions screening are required before any payout. We cannot pay individuals or entities on sanctions lists (for example, OFAC) or in prohibited jurisdictions.
- One reward per root cause. The earliest, highest-quality report of a given root cause is the eligible one; later or duplicate submissions are not separately rewarded.
- No self-dealing. Current and former SaabFi contributors, contractors, auditors engaged on this codebase, and their immediate associates are not eligible.
- No reward for issues we can show were already known (documented here, in prior audits, or covered by existing tests, Certora, or fuzz properties) before your report.
- Fix-then-pay. Rewards are released after remediation is verified, so a payout always corresponds to a real, fixed issue.
- Payment is made to a wallet you control, in the stated currency, after the above checks.
Disputes and decisions
The SaabFi team makes the final call on validity, severity, and reward, applying this policy in good faith. If you disagree:
- Reply to the report thread with your reasoning and any additional proof of concept.
We commit to explaining the reasoning behind any rejection or severity decision.
Non-qualifying reports
The following are generally not rewarded:
- Theoretical issues without a concrete, demonstrated exploit path.
- Gas optimizations, code style, missing or incorrect events, or naming.
- Centralization or admin-power concerns that are documented as intended (the trusted Safe, guardian, and keeper model).
- Third-party failures (Chainlink, Permit2, sequencer, token issuers) the smart contracts do not claim to defend against.
- Issues requiring a trusted role (Safe, guardian, or keeper) to act maliciously within its granted powers.
- Already-known or duplicate issues, or anything already covered by the test, Certora, or fuzz suites.
- Findings only reproducible on testnet, or that rely on unrealistic assumptions (for example, the attacker controls a Chainlink feed).
- Automated-scanner output without analysis or a working proof of concept.
Contact
- Disclosure contact: email security@saabfi.com.
- Encrypt sensitive reports with our PGP public key (download), fingerprint 7DD4 3A99 D6D0 B486 C7BB 32E2 1AF9 92B9 93D1 D485.
- Do not open public GitHub issues or pull requests for security vulnerabilities.
This page is the source of truth for the Small Loans bug bounty and is versioned on each material change.