Reward Amounts

Critical

$100,000 maximum payout
Payout shall not exceed 10% of funds at risk at time of submission

Severity Criteria

Critical Definition

Definite a significant loss of funds without limitations of external conditions
Definite a significant freezing of funds for >1 year without limitations of external conditions

Key Notes:

Discovery of vulnerabilities in underlying protocols and third party dependencies (e.g. AAVE, Morpho, Euler, USDC CCTP, USDC and RLUSD token contracts) will not warrant a reward. Only vulnerabilities tied to the MetaLend contracts are eligible.
Malicious admin updates are also not a valid submission for this bug bounty competition.
There is a 20 minute rebalance cooldown in place preventing infinite rebalancing.

Known case:
Smart wallet not supported on a network does not apply towards the bounty. User signs only configuration that represents their supported chains.

General Notes

Sherlock's Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc. but nothing in the guide should overrule the definitions above
A coded Proof of Concept (POC) with instructions to run the POC is required
If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.

Previous Audits

Sherlock May 19 - May 22, 2025
Sherlock June 23 - June 27, 2025
Sherlock July 31 - August 2, 2025
Sherlock September 29 - October 1, 2025

Additional Context

This represents a system of smart contracts designed to optimize yield through
cross-chain rebalancing. A central Manager contract deploys individual Rebalancer
contracts for users, which are user-owned and handle fund deposits into the Yield
Protocol. An Operator can then bridge these funds to other chains and rebalance them
across pools, driven by APY comparisons to maximize returns. Currently 2 tokens are supported - USDC and RLUSD. Only USDC supports cross-chain rebalancing, while RLUSD supports rebalancing within Ethereum. Additionally, user has an option to opt-in for "funding MetaMask card" which enables withdrawal of AAVE receipt token to owner's wallet.

Chains in scope and their USDC CCTP domain

Ethereum - 0
Base - 6
Arbitrum - 3
Avalanche - 1
Optimism - 2
Linea - 11
Polygon - 7

All chains share the same contract addresses defined in the scope.

Expected tokens

USDC, RLUSD

USDC address per chain
- Ethereum - 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48
- Base - 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
- Arbitrum - 0xaf88d065e77c8cC2239327C5EDb3A432268e5831
- Avalanche - 0xB97EF9Ef8734C71904D8002F8b6Bc66Dd9c48a6E
- Optimism - 0x0b2C639c533813f4Aa9D7837CAf62653d097Ff85
- Linea - 0x176211869cA2b568f2A7D4EE941E073a821EE1ff
- Polygon - 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359
RLUSD address per chain
- Ethereum - 0x8292Bb45bf1Ee4d140127049757C2E0fF06317eD

Expected protocols

AAVE
MORPHO
EULER

Expected list of supported pools

USDC
- Ethereum
  - 0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2 - AAVE
  - 0xdd0f28e19c1780eb6396170735d45153d261490d - MORPHO
  - 0xd63070114470f685b75b74d60eec7c1113d33a3d - MORPHO
  - 0xd41830d88dfd08678b0b886e0122193d54b02acc - MORPHO
  - 0xc582f04d8a82795aa2ff9c8bb4c1c889fe7b754e - MORPHO
  - 0xbeefff209270748ddd194831b3fa287a5386f5bc - MORPHO
  - 0xbeefb9f61cc44895d8aec381373555a64191a9c4 - MORPHO
  - 0xbeef11c63d7173bdcc2037e7220ee9bd0ccda862 - MORPHO
  - 0xbeef01735c132ada46aa9aa4c54623caa92a64cb - MORPHO
  - 0x7204b7dbf9412567835633b6f00c3edc3a8d6330 - MORPHO
  - 0x4ff4186188f8406917293a9e01a1ca16d3cf9e59 - MORPHO
  - 0x2f21c6499fa53a680120e654a27640fc8aa40bed - MORPHO
  - 0x214b47c50057efaa7adc1b1c2608c3751cd77d78 - MORPHO
  - 0x132e6c9c33a62d7727cd359b1f51e5b566e485eb - MORPHO
  - 0x0f359fd18bda75e9c49bc027e7da59a4b01bf32a - MORPHO
  - 0x974c8fbf4fd795f66b85b73ebc988a51f1a040a9 - MORPHO
  - 0x8eb67a509616cd6a7c1b3c8c21d48ff57df3d458 - MORPHO
  - 0x777791c4d6dc2ce140d00d2828a7c93503c67777 - MORPHO
- Avalanche
  - 0x794a61358D6845594F94dc1DB02A252b5b4814aD - AAVE
  - 0x39dE0f00189306062D79eDEC6DcA5bb6bFd108f9 - EULER
- Optimism
  - 0x794a61358D6845594F94dc1DB02A252b5b4814aD - AAVE
- Arbitrum
  - 0x794a61358D6845594F94dc1DB02A252b5b4814aD - AAVE
  - 0xa60643c90A542A95026C0F1dbdB0615fF42019Cf - MORPHO
  - 0x7e97fa6893871A2751B5fE961978DCCb2c201E65 - MORPHO
  - 0x7c574174DA4b2be3f705c6244B4BfA0815a8B3Ed - MORPHO
  - 0x4B6F1C9E5d470b97181786b26da0d0945A7cf027 - MORPHO
  - 0x6aFB8d3F6D4A34e9cB2f217317f4dc8e05Aa673b - EULER
- Base
  - 0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 - AAVE
  - 0xee8f4ec5672f09119b96ab6fb59c27e1b7e44b61 - MORPHO
  - 0xc1256ae5ff1cf2719d4937adb3bbccab2e00a2ca - MORPHO
  - 0xc0c5689e6f4d256e861f65465b691aeecc0deb12 - MORPHO
  - 0xbeef010f9cb27031ad51e3333f9af9c6b1228183 - MORPHO
  - 0x616a4e1db48e22028f6bbf20444cd3b8e3273738 - MORPHO
  - 0x23479229e52ab6aad312d0b03df9f33b46753b5e - MORPHO
  - 0x1d3b1cd0a0f242d598834b3f2d126dc6bd774657 - MORPHO
  - 0x12afdefb2237a5963e7bab3e2d46ad0eee70406e - MORPHO
  - 0x7bfa7c4f149e7415b73bdedfe609237e29cbf34a - MORPHO
- Polygon
  - 0x794a61358D6845594F94dc1DB02A252b5b4814aD - AAVE
- Linea
  - 0xc47b8C00b0f69a36fa203Ffeac0334874574a8Ac - AAVE
  - 0xfB6448B96637d90FcF2E4Ad2c622A487d0496e6f - EULER
RLUSD
- Ethereum
  - 0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2 - AAVE
  - 0xe1Ce9AF672f8854845E5474400B6ddC7AE458a10 - EULER

USDC CCTP Support

Token Messenger - 0x28b5a0e9C621a5BadaA536219b3a228C8168cf5d
Message Transmitter - 0x81D40F21F12A8F0E3252Bccb954D722d4c464B64

Protocol Resources

General description available - https://metalend-inc.gitbook.io/litepaper
USDC CCTP - https://developers.circle.com/cctp
AAVE - https://aave.com/docs
MORPHO - https://docs.morpho.org/get-started/developers/quick-start/
EULER - https://docs.euler.finance/

Max Rewards

100,000 USDC

Status

Live since

Last updated

LIVE

Oct 27, 2025, 10:56 PM

Report a bug