Fira Bug Bounty
Introduction
Steady Labs is launching a bug bounty program for Fira deployed on Ethereum mainnet. Fira is a modular lending protocol that combines fixed-rate markets, floating-rate lending, curated vaults, tokenized market primitives (BT, CT, FW), rehypothecation, a multi-layer oracle infrastructure, and protocol-controlled liquidity seeding into a single system.
Fira is composed of the following independent layers:
- Router (FiraRouterV4): Diamond-style proxy that dispatches user calls to modular Action contracts (facets), combining multi-step operations into a single transaction.
- Fixed-Rate AMM (FiraMarket): Pendle-style AMM supporting BT/FW trading and fixed-rate price discovery.
- Lending Markets: Two separate lending contracts — FiraLendingMarket for fixed-rate markets with post-maturity settlement and liquidation logic, and VariableLendingMarket for variable-rate lending with collateral management, interest accrual, liquidation, and flash loans.
- Curation Vault (SisuVault): ERC-4626 vault that allocates pooled capital across variable-rate markets using curator, allocator, and guardian roles with timelocked configuration changes.
- Token Layer: BT (Bond Token), CT (Coupon Token), FW (FiraWrapped), and LP tokens — ERC-20 tokens implementing fixed-rate yield separation and AMM liquidity positions.
- Rehypothecation Module: Controls the ratio of idle vs. invested reserves within the FW contract, rebalancing between liquid USDC and variable-rate vault positions.
- Oracle Pipeline: Multi-layer oracle stack including ChainlinkOracleV2, AaveToChainlinkAdapters, FiraSolvencyOracles, and a BCLpOracle for LP pricing.
- Interest Rate Models: AdaptiveCurveIrm for variable-rate markets (utilization-based) and address(0) for fixed-rate markets (no IRM — rate is determined by AMM pricing).
- Liquidity Injector: Protocol-controlled contract that mints BT and supplies it to fixed-rate lending markets. Only the LiquidityInjector can supply BT to these markets (whitelist-gated).
This bug bounty covers vulnerabilities in the Fira smart contracts and associated protocol-owned components that could compromise funds, accounting integrity, solvency, liquidation safety, or protocol availability. Only contracts currently deployed on Ethereum mainnet and listed below are in scope. All deployed contracts are verified on Etherscan. Ownership is assigned to designated multisig addresses at three security tiers (9/15, 5/10, and 4/9 threshold schemes).
Reward Amounts
Critical: Up to 50,000.
High: Discretionary. Steady Labs determines High-severity payouts on a case-by-case basis considering impact and severity.
Medium: Discretionary. Steady Labs determines Medium-severity payouts on a case-by-case basis considering impact and severity.
General Notes
All reporters should consult Sherlock's Criteria for Issue Validity for general guidance on severity and out-of-scope issues.
A working Proof of Concept (PoC) exploit is highly recommended and may be required for complex issues. Include clear reproduction steps and any setup instructions necessary for validation.
All standard Sherlock Bug Bounty Platform Rules and safe harbor provisions apply to this program.
Scope
Chain
Ethereum mainnet only. Smart contracts deployed on any other network, testnet, sidechain, or staging environment are out of scope.
In-Scope Contracts (Ethereum Mainnet)
All currently deployed and verified Fira contracts listed below are in scope, including associated implementations and proxies where applicable.
Core Protocol
| Contract | Address |
|---|---|
| FiraLendingMarket (fixed-rate) | 0x280ddD897F39C33fEf1CbF863B386Cb9a8e53a0e |
| VariableLendingMarket (variable-rate) | 0xc8Db629192a96D6840e88a8451F17655880A2e4D |
| FiraMarket (AMM) | 0xde00b5edb255078dd42ee94fd97f473d1c9c055d |
| FiraRouterV4 | 0xFF615E63aAF2d1B1EE4AdFD34a5840747185d8A0 |
| LiquidityInjector | 0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5 |
Router Facets
FiraRouterV4 dispatches calls to modular Action contracts via selector-based routing:
| Facet | Address |
|---|---|
| ActionSwapBTV3 | 0xab2383692ed8e0836e25b71988c925dfd94ed2fe |
| ActionSwapCTV3 | 0xdb7a722ae7baf83d3d8b9e812952916326d6656b |
| ActionAddRemoveLiqV3 | 0x286bbc5519cd421011e7e1c092e1d6a72edb4d30 |
| ActionCallbackV3 | 0x2dead5b19935d7299d7077c52f2e2860370278a5 |
| ActionSimple | 0x4474886d003abcb53c307324894c074ce5176f75 |
| ActionMiscV3 | 0x967234d7a4416380107da653e5d3afc9c7bf8874 |
| ActionBorrow | 0x66f5853cf6c36b97e754f074397d00b78253ef03 |
| ActionStorageV4 | 0x0386685eA7d37c61dDb8F2e2E8c45f6a81d4A3C8 |
Vault
| Contract | Address | Description |
|---|---|---|
| SisuVault (Markov USDC Prime) | 0x50791a5cA041b9D6Dd03e64E3Fa0e34a376759AC | ERC-4626 vault curated by Markov Labs, allocating USDC across variable-rate lending markets |
Token Layer
| Token | Address | Decimals |
|---|---|---|
| FW-USDC (USDCFW) | 0x62F5366C9E21A95326C461a098a408e034e017b3 | 18 |
| BT (Bond Token) | 0x57FFbb88f0c69283531a751BE6FF0741348371bA | 6 |
| CT (Coupon Token) | 0x93635d34fAd5A9fA7065a645691100b2E23C93cd | 6 |
BT and CT share the same expiry (May 7, 2026 — unix 1778112000) and are minted/burned in pairs via the YieldContractFactory.
Modules
| Contract | Address |
|---|---|
| RehypothecationModule | 0xad332515d9c82438BBa0e9FAA9486B52A33a7Ac8 |
| YieldContractFactory | 0xcdB83Abb9121c04589567A4106C3cFaf65DB68Be |
Oracles
Fixed-rate markets use a 4-layer oracle pipeline:
Chainlink Price Feed → AaveToChainlinkAdapter → ChainlinkOracleV2 → FiraSolvencyOracle → FiraLendingMarket
| Layer | PT-USDe Market | PT-sUSDe Market |
|---|---|---|
| AaveToChainlinkAdapter | 0xc42F003F9eCD3DdDF704556E82Cdd9271818171F | 0x3d7346578be9B82E0227D027bd86F6De59BA3C91 |
| ChainlinkOracleV2 | 0x2ED527087B740530562754EFCd608290eCCdBe2e | 0xD6f5D9102007A737D9EDE6543262516d5c2fc8f8 |
| FiraSolvencyOracle | 0xeB30b33A1aC175e0305853636D0eF3898eb530f3 | 0xB9bAA3D58E1431776218F39919fd21AeD3e69aBb |
FiraSolvencyOracle contracts are immutable after deployment — no admin functions, no owner.
Variable-rate markets:
| Market | Oracle | Type |
|---|---|---|
| wstETH/USDC | 0x48F7E36EB6B826B2dF4B2E630B62Cd25e89E40e2 | Morpho oracle (pre-deployed) |
| cbBTC/USDC | 0x698253A24CC4926090f841B38D31d6342A00a82C | ChainlinkOracleV2 (BTC/USD + USDC/USD feeds) |
Other:
| Contract | Address |
|---|---|
| BCLpOracle | 0xfEAAEC9124FB007d7c44Ed704A08d24b264de921 |
Interest Rate Models
| Contract | Address | Used By |
|---|---|---|
| AdaptiveCurveIrm | 0x73C288826347af3718e6F09c2A24AaFDA77684cD | Variable-rate markets (utilization-based) |
Fixed-rate markets use address(0) as their IRM. The borrowing rate is determined at the time of BT issuance through AMM pricing, not through an interest rate model.
Live Fixed-Rate Markets
All live fixed-rate markets operate on the FiraLendingMarket at 0x280ddD897F39C33fEf1CbF863B386Cb9a8e53a0e. BT is the loan token. Only the LiquidityInjector can supply BT (whitelist-gated). Both markets expire May 7, 2026.
PT-USDe / BT Market
| Field | Value |
|---|---|
| Market ID | 0xC48C055110D1692EDA1D45975BD80C75EE5E4D0AB6A5B6FFB949F2252C1B7791 |
| Loan Token | BT — 0x57FFbb88f0c69283531a751BE6FF0741348371bA |
| Collateral | PT-USDe (May 7 2026) — 0xAeBf0Bb9f57E89260d57f31AF34eB58657d96Ce0 |
| Oracle | FiraSolvencyOracle — 0xeB30b33A1aC175e0305853636D0eF3898eb530f3 |
| IRM | 0x0000000000000000000000000000000000000000 (none — fixed rate) |
| LTV / LLTV | 89% / 90% |
| Liquidation Incentive | 3.1% |
| Whitelist | LiquidityInjector — 0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5 |
| Maturity Grace Period | 86400 (24h) |
PT-sUSDe / BT Market
| Field | Value |
|---|---|
| Market ID | 0xCA309C3ECE0FA3341779D8319F28BD9E08D3E08889E8AC58B4AC9001FBE458F3 |
| Loan Token | BT — 0x57FFbb88f0c69283531a751BE6FF0741348371bA |
| Collateral | PT-sUSDe (May 7 2026) — 0x3de0ff76E8b528C092d47b9DaC775931cef80F49 |
| Oracle | FiraSolvencyOracle — 0xB9bAA3D58E1431776218F39919fd21AeD3e69aBb |
| IRM | 0x0000000000000000000000000000000000000000 (none — fixed rate) |
| LTV / LLTV | 89% / 90% |
| Liquidation Incentive | 3.1% |
| Whitelist | LiquidityInjector — 0x2104f638a839Ca7260180d9Ee7f4865C92Df4cE5 |
| Maturity Grace Period | 86400 (24h) |
Live Variable-Rate Markets
All live variable-rate markets operate on the VariableLendingMarket at 0xc8Db629192a96D6840e88a8451F17655880A2e4D.
wstETH / USDC
| Field | Value |
|---|---|
| Market ID | 0xB3152AC00687CC9502B78AB452956F85CC89AC210DEEFDA5DBFF09F7F167B544 |
| Loan Token | USDC — 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 |
| Collateral | wstETH — 0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0 |
| Oracle | 0x48F7E36EB6B826B2dF4B2E630B62Cd25e89E40e2 (Morpho wstETH/USDC) |
| IRM | AdaptiveCurveIrm — 0x73C288826347af3718e6F09c2A24AaFDA77684cD |
| LTV / LLTV | 87% / 89% |
cbBTC / USDC
| Field | Value |
|---|---|
| Market ID | 0x39D3BDD30BF4BCF4A4D3547F2484ABE1E30A2DCD41ED83788B40E2720357AB76 |
| Loan Token | USDC — 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 |
| Collateral | cbBTC — 0xcbB7C0000aB88B473b1f5aFd9ef808440eed33Bf |
| Oracle | 0x698253A24CC4926090f841B38D31d6342A00a82C (ChainlinkOracleV2 cbBTC/USDC) |
| IRM | AdaptiveCurveIrm — 0x73C288826347af3718e6F09c2A24AaFDA77684cD |
| LTV / LLTV | 88% / 90% |
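As an added example (not code from Fira's repositories or from Steady Labs), the following Python model encodes the position-health rules implied by the four market tables above, so a researcher can sanity-check a PoC scenario before building it on a mainnet fork. It assumes Morpho-style semantics, which this page does not confirm: ratios scaled by WAD (1e18), a position becoming liquidatable once its debt exceeds LLTV of the oracle-priced collateral value, a liquidator receiving collateral worth the repaid amount plus the 3.1% incentive, forced liquidation of fixed-rate positions strictly after maturity plus the 24h grace period, and the 3.1% incentive also applying to the variable-rate markets (the page lists it only for the fixed-rate ones). The scenario amounts are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

# Added example, not Fira's code. Fixed-point scale: WAD = 1e18 means 100%
# (Morpho-style; an assumption about Fira's internal representation).
WAD = 10**18
MAY_7_2026 = 1778112000  # BT/CT expiry and fixed-rate market maturity, from this page


@dataclass(frozen=True)
class MarketParams:
    name: str
    ltv: int                        # max debt/collateral-value ratio at borrow time, WAD-scaled
    lltv: int                       # liquidation threshold, WAD-scaled
    liquidation_incentive: int      # bonus paid to the liquidator in collateral, WAD-scaled
    maturity: Optional[int] = None  # unix time; None for variable-rate markets
    grace_period: int = 0           # seconds after maturity before forced settlement


# Values copied from the market tables on this page. The 3.1% incentive is listed for the
# fixed-rate markets only; applying it to the variable-rate markets is an assumption.
PT_USDE_BT = MarketParams("PT-USDe / BT", 89 * 10**16, 90 * 10**16, 31 * 10**15, MAY_7_2026, 86400)
PT_SUSDE_BT = MarketParams("PT-sUSDe / BT", 89 * 10**16, 90 * 10**16, 31 * 10**15, MAY_7_2026, 86400)
WSTETH_USDC = MarketParams("wstETH / USDC", 87 * 10**16, 89 * 10**16, 31 * 10**15)
CBBTC_USDC = MarketParams("cbBTC / USDC", 88 * 10**16, 90 * 10**16, 31 * 10**15)


@dataclass
class Position:
    collateral: int  # collateral amount (any common unit; token decimals are ignored here)
    borrowed: int    # debt in loan-token units, including any interest already accrued


def collateral_value(pos: Position, price: int) -> int:
    """Collateral expressed in loan-token units. `price` is loan units per collateral unit,
    WAD-scaled (the number the oracle pipeline ultimately hands the lending market)."""
    return pos.collateral * price // WAD


def max_borrow(m: MarketParams, pos: Position, price: int) -> int:
    """Largest debt the LTV cap allows this position to open."""
    return collateral_value(pos, price) * m.ltv // WAD


def is_liquidatable(m: MarketParams, pos: Position, price: int, now: int) -> bool:
    """Liquidation trigger: debt above LLTV of collateral value, or (fixed-rate only) the
    maturity grace period has elapsed. Strict '>' on both comparisons is an assumption."""
    if pos.borrowed == 0:
        return False
    if m.maturity is not None and now > m.maturity + m.grace_period:
        return True
    return pos.borrowed * WAD > collateral_value(pos, price) * m.lltv


def seizable_collateral(m: MarketParams, repaid: int, price: int) -> int:
    """Collateral a liquidator receives for repaying `repaid` loan units:
    repaid * (1 + incentive) / price."""
    return repaid * (WAD + m.liquidation_incentive) // price


def price_drop_to_liquidation(m: MarketParams) -> Fraction:
    """Relative collateral-price drop that moves a position opened at max LTV across the LLTV
    line. The LTV/LLTV gap (1 point on the fixed-rate markets, 2 points on the variable-rate
    ones) makes this about 1.1% and 2.2% respectively."""
    return 1 - Fraction(m.ltv, m.lltv)


def bad_debt_threshold(m: MarketParams) -> Fraction:
    """Debt/collateral-value ratio above which a full liquidation cannot pay out the incentive,
    so the market is left holding unrecoverable debt."""
    return Fraction(WAD, WAD + m.liquidation_incentive)


def incentive_covered_at_lltv(m: MarketParams) -> bool:
    """True if a position liquidated exactly at LLTV still has enough collateral to pay the bonus."""
    return Fraction(m.lltv, WAD) < bad_debt_threshold(m)


if __name__ == "__main__":
    # Constructed scenario: 1000 PT-USDe priced at 0.97 BT each, borrowed to the LTV cap.
    price = 97 * 10**16
    pos = Position(collateral=1000, borrowed=0)
    pos.borrowed = max_borrow(PT_USDE_BT, pos, price)  # 863
    before = MAY_7_2026 - 86400
    print(pos.borrowed, is_liquidatable(PT_USDE_BT, pos, price, before))      # 863 False
    print(is_liquidatable(PT_USDE_BT, pos, 95 * 10**16, before))             # True, PT fell ~2%
    print(is_liquidatable(PT_USDE_BT, pos, price, MAY_7_2026 + 86400 + 1))   # True, grace elapsed
    print(seizable_collateral(PT_USDE_BT, 100, 95 * 10**16))                  # 108
    for m in (PT_USDE_BT, WSTETH_USDC, CBBTC_USDC):
        print(m.name, float(price_drop_to_liquidation(m)), incentive_covered_at_lltv(m))
```

The two numbers worth keeping in mind while hunting are `price_drop_to_liquidation` (a max-LTV PT position is one PT repricing of roughly 1.1% away from liquidation) and `bad_debt_threshold` (about 97% debt-to-collateral with a 3.1% incentive, so every listed LLTV leaves headroom for a fully paid incentive unless the oracle path lags the real price).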
Critical / High / Medium Eligibility
Critical findings typically affect the core, live, value-bearing layers of Fira:
- FiraLendingMarket and VariableLendingMarket
- FiraMarket (AMM)
- FiraRouterV4 and Action facets
- Token layer accounting and redemption logic (BT, CT, FW)
- RehypothecationModule
- Oracle pipeline (FiraSolvencyOracle, ChainlinkOracleV2, adapters)
- SisuVault with user funds
- LiquidityInjector, where a flaw could directly compromise live assets or protocol solvency
Only Eligible for High / Medium
The following are in scope but findings are generally capped at High or Medium unless they directly compromise live funds in a core deployed market:
| Contract | Address |
|---|---|
| YieldContractFactory | 0xcdB83Abb9121c04589567A4106C3cFaf65DB68Be |
| FiraMarketFactory | 0xBF1EfC2199ae9EE1B6f5060a45D4440157E49744 |
| SisuVaultFactory | 0xe77E0f97A864558e5513209323e4169FcEAC6981 |
| ChainlinkOracleV2Factory | 0x7783fF7bE856C7A82bC5497Fb3CC8F7E8802D8dC |
Deployment and configuration helper contracts, and non-custodial support contracts that do not themselves hold or control meaningful live value, are also capped at High or Medium.
Scope Note
This bounty covers Fira contracts and protocol-owned infrastructure only. Other products, protocols, or systems outside the Fira deployment are out of scope unless the vulnerability arises from Fira's own on-chain logic or integration handling.
Out of Scope
No rewards will be awarded for reports that fall solely into the following categories.
Undeployed or Non-Mainnet Code
Code, contracts, modules, or features not currently deployed on Ethereum mainnet are out of scope. This includes draft code, future upgrades, staging deployments, local testing contracts, and testnets.
Previously Known Issues
Issues already identified in prior audits (Sherlock, Spearbit/Cantina, Hexens, yAudit), internal reviews, documentation, or acknowledged by Steady Labs before submission are not eligible.
Frontend, Website, and UI
Issues limited to the web application, user interface, dashboards, websites, or other frontend layers are out of scope.
Third-Party Protocol or Token Risks
Vulnerabilities in third-party systems that Fira interacts with but does not control are out of scope. This includes bugs or failures in external protocols, vaults, bridges, or token implementations.
Examples of external dependencies not in scope:
- USDC (Circle)
- wstETH (Lido)
- cbBTC (Coinbase)
- USDe / sUSDe (Ethena)
- PT-USDe / PT-sUSDe (Pendle)
- Any third-party wrapped asset, oracle, or off-chain issuer
- Oracles not deployed and maintained by the Protocol Team itself, e.g. Chainlink Feeds.
If a report depends on these systems failing rather than on a flaw in Fira's own smart contract logic or validation, it is not in scope.
External Oracle Failures
Pure failures of third-party oracle infrastructure, feed operators, or data providers are out of scope unless the vulnerability is specifically in Fira's oracle integration, validation, or fallback logic — including the AaveToChainlinkAdapter, ChainlinkOracleV2, or FiraSolvencyOracle contracts.
Off-Chain, Legal, or Custodial Risks
Issues arising purely from off-chain custody, legal enforceability, issuer solvency, governance coordination outside the contracts, or real-world asset processes are out of scope.
Intended Admin or Multisig Powers
Behavior that requires proper use of intended administrative, governance, curator, allocator, or multisig permissions is out of scope.
Examples of authorized actions, when performed by properly authorized actors:
- Adjusting LTV, LLTV, or fee parameters
- Pausing or unpausing contracts (USDCFW pause flags: depositPaused, withdrawPaused, transferPaused)
- Updating supply caps on SisuVault markets
- Rebalancing vault allocations within configured permissions and timelocks
- Operating the LiquidityInjector (minting/burning BT, supplying/withdrawing from lending markets)
- Executing timelocked curator or allocator actions
- Triggering manual rehypothecation via forceRehypothecation
However, bypassing or impersonating those permissions (without compromising admins'/trusted roles' keys) is in scope.
Protocol-Intended Behaviors
The following behaviors are not vulnerabilities when they occur according to design:
- Liquidation of unhealthy positions according to configured LTV / LLTV and the 3.1% liquidation incentive
- Forced post-maturity settlement or liquidation of expired positions (after the 24-hour grace period)
- BT/FW convergence to par near maturity
- AMM pricing, slippage, or discount/premium behavior consistent with the FiraMarket pricing model
- Reserve rebalancing by the RehypothecationModule according to the configured phiMin, phiMax, and phiTarget ratios
- Yield accruing to CT holders as designed (via InterestManagerCT)
- Vault allocation and reallocation inside configured caps and timelocks
- Router execution that follows the documented action flow and Diamond-style facet dispatch
Pure Economic Attacks Without a Code Vulnerability
Pure market behavior or economic outcomes that do not rely on a contract bug are out of scope:
- Market manipulation within intended protocol rules
- Liquidity withdrawal by users
- Slippage or adverse execution under expected market conditions
- Rate movement, basis trading, or maturity-driven repricing
- Honest liquidations after genuine collateral price moves
- Losses caused solely by external market volatility
Minor Gas, Efficiency, or Documentation Issues
The following are out of scope unless they create a real and material security impact:
- Gas optimizations
- Minor inefficiencies
- Cosmetic or documentation issues
- NatSpec mismatches, comment or spelling errors
- Minor rounding or precision issues with no material effect on funds or solvency
Theoretical or Unrealistic Attacks
Attacks that require impractical brute force, extreme assumptions, or unrealistic coordination are out of scope. Reports must describe a credible and reproducible exploit path.
If you are unsure whether a finding is in scope, focus on technical, on-chain vulnerabilities in the deployed Fira contracts and live market infrastructure.
Protocol Resources
| Resource | Location |
|---|---|
| Fira Documentation | docs.fira.money |
| Contracts & Audits | docs.fira.money/resources-and-ecosystem/contracts-and-audits |
| Source Code (fira) | github.com/usual-dao/fira |
| Source Code (fira-lending-market) | github.com/usual-dao/fira-lending-market |
The ultimate scope of this bounty is defined by the deployed Ethereum mainnet contracts listed above.
Judging and Severity Assessment
Sherlock's security team triages and validates all submissions. Sherlock coordinates issue verification and determines validity and severity based on the criteria in this program and Sherlock's platform rules.
Steady Labs may be consulted during validation. Sherlock makes the final determination on issue validity, severity, and payout eligibility.
In case of dispute or ambiguity, Sherlock's assessment is the deciding factor.
Disclosure Policy
This bounty follows Sherlock's standard disclosure policy with additional requirements for serious vulnerabilities.
Critical and high-impact findings must not be disclosed publicly or to any third party until all of the following conditions are met:
- Steady Labs has been notified through the official submission process
- The issue has been acknowledged
- A fix or mitigation has been deployed, or explicit written permission to disclose has been granted
- Sherlock has completed or approved the disclosure process
Premature disclosure of an exploit path or a live unpatched vulnerability may disqualify the submission from any reward.
Report vulnerabilities promptly — ideally within 24 hours of discovery — through the official Sherlock submission flow.
Do not exploit vulnerabilities on the live network. Do not steal funds, manipulate users, destroy data, or disrupt service. Any exploit activity beyond what is strictly necessary to demonstrate a vulnerability in a controlled manner may lead to disqualification and possible legal consequences.
If you believe a vulnerability is already being exploited or may soon be exploited, notify Sherlock and Steady Labs immediately through the approved reporting process. Do not make it public.
Steady Labs may, at its discretion, offer additional bonuses for especially novel, impactful, or responsibly handled reports.
Eligibility
To be eligible for a reward, you must meet all of the following conditions:
- No sanctions: You are not located in a sanctioned jurisdiction and are not on any prohibited party list.
- No affiliation with Steady Labs: You are not a current or former employee, core contributor, or immediate family member of someone directly affiliated with Steady Labs or the Fira development effort.
- Legal capacity: You are legally able to participate in bug bounty programs and receive rewards in your jurisdiction.
- No prior paid audit conflict: You have not been paid to audit or review this exact codebase in an official capacity, and you did not materially contribute to the in-scope contracts. You may request an exception directly from Steady Labs.
- Follow program rules: You agree to follow all program rules, scope restrictions, disclosure requirements, and platform terms.
By submitting a report, you affirm that you meet these eligibility requirements. Steady Labs and Sherlock reserve the right to verify eligibility and disqualify participants who do not meet these conditions.
Testing Guidelines and Safe Harbor
Do Not Test Destructively on Mainnet
Do not perform destructive testing on Ethereum mainnet. Use a local environment, simulation, or mainnet fork to test exploit scenarios. All in-scope contracts are verified on Etherscan. Researchers can reproduce behavior using Foundry or Hardhat.
Use Accounts You Control
Use only wallets, keys, and accounts you control. Do not interfere with other users' positions, balances, or funds.
No Mainnet Denial of Service
Do not spam, grief, or attempt denial-of-service against live contracts, users, or infrastructure. Demonstrate any blocking or service-degradation vulnerability in a controlled environment.
Maintain Confidentiality
Do not share exploit details outside the official submission process before a fix is deployed and disclosure is authorized.
No Social Engineering or Off-Chain Intrusion
This bounty covers smart contract and technical security issues only. Social engineering, phishing, credential attacks, or attempts to gain access through non-technical means are strictly prohibited.
Responsible Testing
Avoid high-volume or risky testing on live systems. If a testing approach might affect real funds or real users, do not perform it on mainnet.
As long as you act in good faith, stay within these rules, and report vulnerabilities responsibly, Steady Labs intends for this program to operate under a safe-harbor framework for legitimate security research.
Closing
Steady Labs values the work of independent security researchers and the broader white-hat community. Your efforts strengthen the safety and resilience of Fira's fixed-rate, floating-rate, and curated lending infrastructure.
Thank you for participating in the Fira Bug Bounty.
Happy Hunting!
Max Rewards: 500,000 USDC
Status: LIVE
Live since: Apr 9, 2026, 1:17 PM
Last updated: Apr 9, 2026, 1:17 PM