Bug Bounty

SaabFi's responsible-disclosure and bug bounty program for Small Loans, covering scope, severity tiers, reward sizing, and payout rules.

Small Loans is a Base-native way to borrow USDC against Bitcoin collateral. cbBTC holders lock collateral and draw 30-day USDC loans of 1 to 1,000 USDC. There are no margin calls and no liquidations. A borrower repays within the term to reclaim the cbBTC, or defaults and forfeits the collateral. Lending liquidity is seeded by the company's Safe wallet, not by public lenders, so the funds at risk are bounded and known at any moment.

This program rewards security researchers who privately report vulnerabilities that could lead to loss of those funds, and defines exactly how reports are triaged, scored, and paid, so that valid work is paid fairly and out-of-scope or unproven claims are not.

At a glance

Property                    Value
Program owner               SaabFi
Asset                       Small Loans smart contracts (Base mainnet)
Languages and stack         Solidity 0.8.35, Foundry, OpenZeppelin AccessManager, Permit2, Chainlink
Reward range                See Rewards
Reward currency             USDC on Base
Severity model              Four-tier (Critical, High, Medium, Low)
Proof of concept required   Yes, for Critical and High
Response target             First response within 3 business days
KYC                         Required before any payout (sanctions screening)

Scope

In scope

The deployed Base mainnet smart contracts and the libraries they rely on:

  • Btc4Stable (orchestrator)
  • LoanManager, Microloans
  • LendingPool
  • CollateralVault
  • Treasury
  • PriceOracle, TwapOracle
  • ProtocolAccessManager
  • Supporting libraries: LoanMath, TwapPriceMath, PriceMath, Constants, TickMath

In-scope mainnet addresses are listed on the Small Loans contracts page.

Rewards follow Primacy of Impact: if a bug in an in-scope contract is exploitable through any path, including the frontend or keeper, the impact is what we score, even if the entry point is technically out of scope.

Out of scope

  • Testnet and Base Sepolia deployments. Reproduce on a local mainnet fork; testnet exploitation is never rewarded.
  • Off-chain components as standalone targets. The frontend, keeper API, and monitoring sentinel are convenience layers; the canonical state is on-chain. A bug here that provably drains in-scope funds is still eligible under Primacy of Impact.
  • Trusted-role abuse. Actions available to the Safe, guardians, or keeper acting within their granted roles. The admin keys are a trusted boundary. Exception: a bug that lets a non-privileged actor gain a privileged action, or routes funds outside the Safe-only exit paths, is in scope.
  • Third-party failures. Chainlink feed outages, Permit2, the Base sequencer, or USDC and cbBTC issuer actions, unless the smart contracts mishandle a documented failure mode they claim to defend against.
  • Already-known issues. Anything documented in the security materials, prior audits, or already covered by the test, Certora, or fuzz suites.
  • Best-practice and theoretical. Gas optimizations, style, missing events, centralization that is documented as intended, or claims without a concrete exploit path. See Non-qualifying reports.

What the program protects

Reports are ranked by realizable impact on funds, not by cleverness. These are the main ways value could leave Small Loans, and where each lives in the smart contracts:

  • Lender capital drained: USDC leaves LendingPool without repayment. Where it lives: LendingPool (fund, repay, write-off, Safe-only emergency withdraw), Permit2 routing in Btc4Stable.
  • Collateral stolen: cbBTC leaves CollateralVault to the wrong party. Where it lives: CollateralVault one-shot release invariant, Btc4Stable.claimCollateral, default fan-out.
  • Undercollateralized or free loans: the pool funds a loan worth less than its collateral. Where it lives: pricing (PriceOracle, TwapOracle, min(TWAP, spot)), LoanMath collateral and fee math, depeg circuit breakers.
  • Insolvency or accounting drift: ledgers disagree with real balances. Where it lives: Treasury deficit ledger, LendingPool bad-debt write-off and creditPrincipal, Microloans state machine.
  • Unauthorized fund routing or privilege escalation. Where it lives: ProtocolAccessManager roles and delays, guardian powers, Safe-routed exits.
  • Liveness loss or fund lock: borrowers cannot repay or claim, or funds freeze. Where it lives: pause gates, TWAP warm-up, repayment and claim paths.

The bounty is the residual layer on top of the controls already in place: Certora formal verification, Echidna and Medusa property fuzzing, Slither static analysis, mutation testing, and a non-upgradeable, narrowly scoped fund-routing design. It exists to catch what those controls miss.

Severity classification

Severity uses a four-tier impact scale. Final severity is assigned by the SaabFi team based on demonstrated impact; the examples below are illustrative, not exhaustive.

Critical

Direct, unauthorized loss of company or user funds.

  • Draining USDC from LendingPool outside the Safe-routed emergency path.
  • Stealing cbBTC from CollateralVault (double-release, release without full repayment, or release to a non-borrower).
  • Originating a loan that is free or materially undercollateralized (bypassing collateral validation, the commitment fee, or conservative min(TWAP, spot) pricing) for net loss to the lender.
  • Oracle or TWAP manipulation that lets a borrower originate at a manipulated price for net loss to the lender.
  • Privilege escalation that routes funds to an arbitrary, non-Safe recipient, or forges loan or collateral state to extract value.

High

Significant loss under conditions, or permanent fund freezing.

  • Permanently freezing pool USDC or vault collateral (for example, a borrower who repaid can never claim the collateral back).
  • Corrupting the bad-debt or default-deficit ledger so the pool can be over-credited or over-replenished, or principal is under-recorded.
  • Forcing a default on a healthy, non-expired loan (bypassing the Microloans default conditions) to seize collateral early.
  • Bypassing the USDC or cbBTC depeg circuit breaker to originate during a depeg, for loss to the lender.

Medium

Limited or conditional loss, or recoverable disruption.

  • Systematically underpaying the dynamic commitment fee through fee-model manipulation.
  • Temporary denial of origination, repayment, or TWAP availability (for example, griefing the observation warm-up) without fund loss.
  • Rounding or precision edge cases that leak small, bounded value.

Low and Informational

Recoverable, low-impact griefing; minor rounding within documented tolerances; defensive-hardening suggestions; specification or documentation mismatches with no exploit path.

Rewards

Rewards are sized against the funds a given bug puts at risk. Because liquidity is seeded by the company's Safe wallet (no public lenders) and loans are capped at 1,000 USDC, the funds at risk are bounded and knowable at any moment:

funds at risk  ≈  USDC available in LendingPool
               +  cbBTC collateral held in CollateralVault
               +  any USDC or cbBTC balance sitting in Treasury

A Critical reward is capped at roughly 5 to 10 percent of the funds at risk, with a fixed floor so a Critical report is worth a researcher's time regardless of how small the seed is. The High, Medium, and Low tiers scale down from the Critical cap. Because the seed is bounded, the tiers are published as fixed amounts and re-anchored if the seed changes materially.

Reward table

Severity                 Reward            Notes
Critical                 $XX,XXX           Capped at roughly 5 to 10 percent of funds at risk; a floor keeps it worthwhile
High                     $XX,XXX           Roughly 25 to 40 percent of the Critical amount
Medium                   $X,XXX            Fixed amount
Low and Informational    Swag or credit    Discretionary

Reward determinants:

  • Rewards are paid for the single highest-impact valid issue per root cause; multiple reports sharing one root cause are treated as duplicates.
  • The team sets final severity from demonstrated impact, with the dispute path available.
  • Rewards are paid in USDC on Base after the fix is verified and KYC is complete.

Submission requirements

A report is only eligible if it lets us reproduce the issue. Please include:

  1. Title and severity you believe applies.
  2. Affected contracts and functions, and a clear description of the root cause.
  3. Impact: what funds move or freeze, and who bears the loss.
  4. Proof of concept, required for Critical and High: a Foundry test or script that reproduces the issue against a local Base mainnet fork, plus exact steps.
  5. Suggested fix, if you have one.

Reports without a reproducible impact are triaged as informational. See Non-qualifying reports.

Rules of engagement

Permitted:

  • Testing against your own local fork, local devnet, or the testnet deployment.
  • Static and dynamic analysis of the public code.

Prohibited (voids eligibility):

  • Any testing against mainnet that moves real funds, or against funds or accounts you do not own.
  • Denial-of-service against live infrastructure, spam, or social engineering of staff, users, or the Safe signers.
  • Phishing, physical attacks, or attacks on third-party services (Chainlink, Permit2, RPC providers, the sequencer).
  • Public disclosure before a fix is shipped and a disclosure date is agreed.
  • Exploiting a live bug for profit instead of reporting it. This forfeits any reward.

Disclosure and remediation

  1. Report privately to the disclosure contact below.
  2. Acknowledge. First response within 3 business days.
  3. Triage. We reproduce and assign severity (target: within 7 business days for Critical and High).
  4. Fix and validate. We patch, add a regression test or property to the Certora, Foundry, and fuzz suites, and verify.
  5. Reward, released after the fix is verified and KYC is complete.
  6. Coordinated disclosure. We agree a public disclosure date with the reporter, typically after the fix is deployed. Credit is given unless you prefer to remain anonymous.

Payouts, KYC, and anti-fraud

These rules protect both sides. They ensure valid researchers are paid and prevent fraudulent or sanctioned claims:

  • KYC and sanctions screening is required before any payout. We cannot pay individuals or entities on sanctions lists (for example, OFAC) or in prohibited jurisdictions.
  • One reward per root cause. The earliest, highest-quality report of a given root cause is the eligible one; later or duplicate submissions are not separately rewarded.
  • No self-dealing. Current and former SaabFi contributors, contractors, auditors engaged on this codebase, and their immediate associates are not eligible.
  • No reward for issues we can show were already known (documented here, in prior audits, or covered by existing tests, Certora, or fuzz properties) before your report.
  • Fix-then-pay. Rewards are released after remediation is verified, so a payout always corresponds to a real, fixed issue.
  • Payment is made to a wallet you control, in the stated currency, after the above checks.

Disputes and decisions

The SaabFi team makes the final call on validity, severity, and reward, applying this policy in good faith. If you disagree:

  • Reply to the report thread with your reasoning and any additional proof of concept.

We commit to explaining the reasoning behind any rejection or severity decision.

Non-qualifying reports

The following are generally not rewarded:

  • Theoretical issues without a concrete, demonstrated exploit path.
  • Gas optimizations, code style, missing or incorrect events, or naming.
  • Centralization or admin-power concerns that are documented as intended (the trusted Safe, guardian, and keeper model).
  • Third-party failures (Chainlink, Permit2, sequencer, token issuers) the smart contracts do not claim to defend against.
  • Issues requiring a trusted role (Safe, guardian, or keeper) to act maliciously within its granted powers.
  • Already-known or duplicate issues, or anything already covered by the test, Certora, or fuzz suites.
  • Findings only reproducible on testnet, or that rely on unrealistic assumptions (for example, the attacker controls a Chainlink feed).
  • Automated-scanner output without analysis or a working proof of concept.

Contact

  • Disclosure contact: email security@saabfi.com.
  • Encrypt sensitive reports with our PGP public key, fingerprint 7DD4 3A99 D6D0 B486 C7BB 32E2 1AF9 92B9 93D1 D485.
  • Do not open public GitHub issues or pull requests for security vulnerabilities.

This page is the source of truth for the Small Loans bug bounty and is versioned on each material change.