$0 USD

JUNE 2021




"Crypto volatility keeps you from having a good night's sleep. Hedge crypto and protect your portfolio with Pods. Unlock a new level of safety for your assets."


"Pods' design leverages DeFi's composability and makes it easy for other projects to integrate with the Pods Protocol." "Tailor made to DeFi options, it unlocks a different experience of earning while using the liquidity provision feature in an options pool." "Sell, buy, provide liquidity for both puts and calls. It will result in many different ways to interact with the protocol. Find the one that suits you best." "We’re in beta and currently hold admin keys to make the funds of our users safe. We expect to let go of the admin keys by the end of the year. More here."


"Sell options and earn more. Generate additional yield on your aTokens and get exposure to assets of your choice." "Buy options to protect your portfolio. Investing in crypto does not have to mean suffering from volatility fever. Reduce your exposure to price downside by placing hedges in your portfolio."


"Whitehat Csanuragjain submitted a vulnerability to Immunefi regarding Pods Finance on June 25. The vulnerability was given a severity rating of “high”, as it is a logic error that allows for theft of yield or abuse of the rewards system on the protocol. The contract was not deployed on mainnet, so there were no funds at risk."


"Pods Finance has a rewards system that mints rewards for users who issue options, but the reward calculation logic itself, present in both AavePodPut.sol and AavePodCall.sol, allows a malicious attacker to claim rewards owed to other users and drain the entire contract. This vulnerability was rated as “high” because it is tantamount to a theft of yield. Although the vulnerable contracts also hold original user funds, this bug does not allow an attacker to steal them. The way it works is that, if a malicious attacker had minted at least one option in the past, they could repeatedly call unmintWithRewards() with a single share forever — as long as the attacker has the required gas."


"The logic above distributes rewards based only on the user shares, instead of also considering the amountOfOptions. As opposed to the withdraw function, where the caller always withdraws 100% of their shares, the unmint function allows the caller to do a partial unmint. The error was that the rewards function was paying as if the user was always unminting 100% of their shares. This led to a vulnerability where the user could remove more rewards than what was due."


"Pods Finance received the report, evaluated it, and paid out $4,000 USDC to the whitehat in just 13 minutes, winning the award by far for the fastest ever bug bounty response and pay-out on Immunefi. We congratulate Pods Finance for their excellent work and response."


"Pods Finance fixed a logic error which could result in the theft of yield after it was responsibly disclosed by Csanuragjain." "The reward calculation should be based on options unminted, rather than only the shares a user possesses."

Pods Finance is a tool which allows you to hedge your portfolio to reduce the risk of vulnerability. This tool uses a smart contract to manage the reward distribution.


The proposed smart contract (which was not yet deployed) had a vulnerability which would have allowed a hacker to claim additional rewards. A bounty of $4,000 was paid out to for responsible disclosure.


There were no losses in this case. The bounty was paid prior to the smart contract even being deployed.


In general, smart contract hot wallets may contain bugs or vulnerabilities, and nothing is ever certain. Simple offline multi-signature storage should be used for the majority of funds. Smart contract hot wallets can be insured through an offline multi-sig treasury fund, industry fund, or accepted smart contract insurance protocol.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.