Inverse Finance

About Inverse Finance

Inverse Finance is a decentralized autonomous organization that develops and manages the FiRM fixed-rate lending protocol and DOLA, a debt-backed decentralized stablecoin. Originally founded by Nour Haridy in late 2020, the protocol is now governed by Inverse Finance DAO, a collective of crypto enthusiasts.

Main Products:

  • FiRM — A fixed-rate lending market
  • DOLA — A stablecoin pegged to the US Dollar
  • DBR — A DeFi primitive that enables holders to service DOLA loans on FiRM
  • INV — Governance token for on-chain DAO voting
  • sDOLA — Yield-bearing DOLA savings vault
  • jrDOLA — Junior tranche providing bad debt protection for FiRM

Reward Amounts

Severity   Reward
Critical   $15,000 – $100,000 (10% of funds at risk, min $15k, max $100k)
High       $5,000
Medium     $2,000
Low        $1,000

Rewards are paid in DOLA on Ethereum, denominated in USD. The calculation of funds at risk is based on the time and date the bug report is submitted.

Severity Criteria

Critical

  • Definite and significant loss of funds without limitations of external conditions
  • Definite and significant freezing of funds for >1 year without limitations of external conditions
  • Unauthorized minting of INV, DOLA, or DBR tokens on-chain
  • Private key or private key generation leakage leading to unauthorized access to user funds

High

  • Theft or permanent freezing of unclaimed yield/royalties
  • Temporary freezing of funds (reward doubles for every additional 24h frozen, up to max high reward)

Medium

  • Issues requiring extensive constraints (e.g., extreme slashing scenarios as precondition)

Low

  • Minor issues with limited impact

General Notes

  • Sherlock's Criteria for Issue Validity guide can be a helpful resource but nothing in the guide should overrule the definitions above
  • A coded Proof of Concept (PoC) with instructions to run is required for all severities
  • If the protocol team can take measures (upgrade, pause, etc.) against an exploit, potential damage is limited to a 1-hour exploit period before mitigation is assumed

Known Issues & Out of Scope

The following are known issues and will not be rewarded:

  1. Delegator griefing — Potential for griefing through manipulation of the delegator parameter in delegateBySig function (MultiDelegator, XINV, etc.)

  2. Escrow initialization — Submissions related to missing initialization on Escrow implementation contracts are invalid. Contracts are cloned and correctly initialized per user at first deposit; proxies are properly initialized on creation.

  3. Legacy contract interactions — Some active contracts interact with older Inverse Finance contracts (Anchor, Frontier). While active contracts are in scope, deprecated components are no longer maintained and do not represent real security risks. Verify all components in an exploit path are active and in-scope.

  4. Vault share inflation — The vault share inflation attack is known. The protocol team will deposit on deployment; if an attacker front-runs, a new vault will be deployed.

  5. Bad debt exceeding slashable amount — It is known that if bad debt exceeds the total amount slashable from the junior tranche, depositors will be unable to withdraw, except from whatever new deposits or accrued rewards bring back into the tranche.

  6. Extreme slashing scenarios — Repeated slashing and deposits causing share deflation are known. These are considered a failure of risk parameterization. Slashing is "extreme" if:

    • All available funds are slashed, OR
    • Several slashing actions compound to create share deflation exceeding 1,000,000x (≥1_million_e18 shares for 1e18 of underlying)

    Issues requiring extreme slashing as a precondition are Medium at most.

  7. Deposit bricking from extreme slashing — It is known that extreme slashing will brick deposits, because share deflation drives total shares up to the total share limit. Issues requiring extreme slashing but unconnected to the max total shares limit may be viewed as Medium at most.
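The share-accounting behaviour behind known issues 4, 6 and 7 is easier to see in a small simulation. The following Python model is an added example, not Inverse Finance's or Sherlock's code. It assumes ERC-4626-style floor rounding (shares = assets * totalShares / totalAssets), a 90% slash per round, a 1e18 deposit per round and a hypothetical MAX_TOTAL_SHARES cap of 1e27; the real jrDOLA limit is not stated on this page. Only the 1,000,000x threshold and the "all funds slashed" condition come from the page.

```python
"""Simplified share accounting for a jrDOLA-style vault.

Added example, not Inverse Finance code. Floor rounding follows ERC-4626;
depositor names, the 90% slash fraction and MAX_TOTAL_SHARES are assumptions
chosen to keep the arithmetic exact. The 1,000,000x threshold is the page's.
"""

WAD = 10**18
EXTREME_DEFLATION = 1_000_000 * WAD   # page: >= 1e6 * 1e18 shares for 1e18 of underlying
MAX_TOTAL_SHARES = 10**27             # hypothetical cap; the real limit is not on the page


class Vault:
    def __init__(self):
        self.total_assets = 0
        self.total_shares = 0
        self.balances = {}

    def deposit(self, who, assets):
        """Mint shares at the current price, rounding down like ERC-4626."""
        if self.total_shares == 0:
            shares = assets                              # first depositor sets 1:1
        else:
            shares = assets * self.total_shares // self.total_assets
        if self.total_shares + shares > MAX_TOTAL_SHARES:
            raise OverflowError("deposit bricked: total share cap would be exceeded")
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets):
        """Direct transfer of underlying into the vault: raises price per share, mints nothing."""
        self.total_assets += assets

    def slash(self, assets):
        """Bad-debt slashing burns underlying while every share stays outstanding."""
        self.total_assets -= min(assets, self.total_assets)

    def shares_per_underlying(self):
        """Shares that 1e18 of underlying buys now; None once everything is slashed."""
        if self.total_assets == 0:
            return None
        return self.total_shares * WAD // self.total_assets

    def is_extreme(self):
        """The page's two 'extreme slashing' arms: all funds gone, or >= 1,000,000x deflation."""
        spu = self.shares_per_underlying()
        return spu is None or spu >= EXTREME_DEFLATION


def inflation_attack(seeded):
    """Known issue 4: attacker front-runs the first deposit, then donates to inflate
    the share price. Returns the shares the next honest depositor gets for 1e18."""
    v = Vault()
    if seeded:
        v.deposit("team", WAD)        # protocol team deposits on deployment (stated mitigation)
    v.deposit("attacker", 1)          # 1 wei -> 1 share if the vault is empty
    v.donate(WAD)                     # one share now 'costs' ~1e18 of underlying
    return v.deposit("victim", WAD)   # unseeded: floor(1e18 * 1 / (1e18 + 1)) == 0


def compound_slashing(rounds):
    """Known issue 6: alternate a 90% slash with a fresh 1e18 deposit. Each slash
    multiplies shares-per-underlying by 10; deposits minted at the deflated price
    never undo it, so the ratio compounds. Returns the vault for inspection."""
    v = Vault()
    v.deposit("team", WAD)
    for _ in range(rounds):
        v.slash(v.total_assets * 9 // 10)
        v.deposit("lp", WAD)
    return v


def rounds_until_bricked(max_rounds=64):
    """Known issue 7: slash/deposit rounds until the share cap rejects a deposit."""
    v = Vault()
    v.deposit("team", WAD)
    for n in range(1, max_rounds + 1):
        v.slash(v.total_assets * 9 // 10)
        try:
            v.deposit("lp", WAD)
        except OverflowError:
            return n
    return None


if __name__ == "__main__":
    print("unseeded victim shares:", inflation_attack(False))
    print("seeded victim shares:  ", inflation_attack(True))
    for k in (5, 6):
        v = compound_slashing(k)
        print(f"{k} rounds: {v.shares_per_underlying() // WAD}x deflation, extreme={v.is_extreme()}")
    print("deposits bricked after round", rounds_until_bricked())
```

With these assumptions the unseeded victim receives 0 shares while the seeded run mints a proportional 5e17; five slash rounds give 100,000x deflation (still below the page's threshold), the sixth crosses 1,000,000x, and the hypothetical 1e27 cap rejects the ninth round's deposit. Changing the slash fraction or the cap moves those round counts, which is the "risk parameterization" the page refers to.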

Previous Audits

All completed audits: https://www.inverse.finance/audits

Auditor     Report                   Date
Code4rena   Contest Report           Dec 2022
Nomoi       FiRM Audit               May 2023
yAudits     DOLA Audit               Jan 2024
Sherlock    Junior Tranche Private   Oct 2025
Sherlock    Junior Tranche Contest   Nov 2025

Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

Additional Context

Chains in Scope

  • Ethereum Mainnet

Expected Tokens

  • DOLA — Standard ERC-20
  • DBR — ERC-20 with special behavior for FiRM borrowing

Trusted Roles

  • Gov — Trusted
  • Operator — Trusted to set reward budget within Gov constraints

Offchain Mechanisms

A slasher observes the chain for bad debt and slashes jrDOLA depositors. DOLA holders and the Inverse Finance DAO are incentivized to do this to protect DOLA backing/peg. Assume slashing will always happen in a timely manner.

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.

Protocol Resources

https://docs.inverse.finance/inverse-finance/
https://docs.inverse.finance/risk-working-group-digest/
https://www.inverse.finance/

Max Rewards

100,000 USDC

Status

LIVE

Live since: Mar 5, 2026, 8:57 PM
Last updated: Mar 5, 2026, 8:57 PM