Alongside third-party auditors, we want help from the community in ensuring Voltz Protocol remains secure. As a result, we have a generous bug-bounty program on Immunefi. We look forward to your help in creating one of the most important Lego blocks of a new financial system!
Smart Contract Scope
The bug bounty program is limited to the issues and vulnerabilities that have an effect on Voltz Protocol.
Vulnerabilities that fall into the below categories are of particular interest to us:
Re-entrancy
Logic Errors
Integer Overflow/Underflow
Composability Vulnerabilities
Interest Rate Oracle manipulation
Susceptibility to block timestamp manipulation
Vulnerabilities that are excluded from the program are:
DDoS attacks
Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance)
Lack of liquidity
Best practice critiques
Reward Table
Severity Level | USD Amount | Impacts Covered
Critical       | $100,000   | Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield; Permanent freezing of funds
High           | $15,000    | Insolvency; Theft of unclaimed yield; Permanent freezing of unclaimed yield
Medium         | $5,000     | Smart contract unable to operate due to lack of funds; Block stuffing for profit; Theft of gas; Unbounded gas consumption (gas drainage)
Low            | $1,000     | Smart contract fails to deliver promised returns, but doesn't lose value
Reporting Guidelines
It is critical to proactively avoid causing any issues for the protocol's UX and/or interfering with Voltz Protocol contract deployments
It is critical not to disclose a vulnerability after discovery until the fix has been iterated on and resolved with the team
Bug reports should be submitted only via the Immunefi UI
A reporter cannot be one of our current or former team members, vendors, contractors or an employee of any of those contractors or vendors
Report a single vulnerability per submission, unless it is necessary to chain vulnerabilities to provide context regarding any of the issues
Disclosures
The following is not allowed within the scope of the program:
Any testing with mainnet or public testnet contracts; all testing should be done in private development environments
Attempting phishing or other social engineering attacks against our team
Any testing that involves third party applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Other terms
Decisions regarding reward payouts are made by our team. The terms of the program may change as the protocol and DAO evolve.