Voltz Bug Bounty
Alongside third-party auditors, we want help from the community in ensuring Voltz Protocol remains secure. As a result, we run a generous bug-bounty program on Immunefi. We look forward to your help in creating one of the most important lego-blocks of a new financial system!

Smart Contract Scope

The bug bounty program is limited to the issues and vulnerabilities that have an effect on Voltz Protocol.

Vulnerabilities that fall into the below categories are of particular interest to us:

  • Re-entrancy
  • Logic Errors
  • Integer Overflow/Underflow
  • Composability Vulnerabilities
  • Interest Rate Oracle manipulation
  • Susceptibility to block timestamp manipulation

Vulnerabilities that are excluded from the programme are:

  • DDoS attacks
  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance)
  • Lack of liquidity
  • Best practice critiques

Reward Table

Each severity level lists the USD reward amount and the impacts it covers.

Critical: $100,000
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds

High: $15,000
  • Insolvency
  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield

Medium: $5,000
  • Smart contract unable to operate due to lack of funds
  • Block stuffing for profit
  • Theft of gas
  • Unbounded gas consumption (gas drainage)

Low: $1,000
  • Smart contract fails to deliver promised returns, but doesn’t lose value

Reporting Guidelines

  • It is critical to proactively avoid causing issues to the UX of the protocol and/or interfering with Voltz Protocol contract deployments
  • It is critical not to disclose vulnerabilities after discovery until resolution has been finalized with the team
  • The bug reports should only be done via the Immunefi UI
  • A reporter cannot be one of our current or former team members, vendors, contractors or an employee of any of those contractors or vendors
  • Report a single vulnerability per submission, unless it is necessary to chain vulnerabilities to provide context regarding any of the issues

Disclosures

The following is not allowed in the scope of the programme:

  • Any testing with mainnet or public testnet contracts; all testing should be done in private development environments
  • Attempting phishing or other social engineering attacks against our team
  • Any testing that involves third party applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)

Other terms

Decisions regarding reward payouts are made by our team. The terms of the program may change as the protocol and DAO evolve.