Bug Bounty Program
Security is core to our values, and we value the input of hackers to help us maintain the highest standard for security and safety. Though the DeFiner protocol has gone through professional audits and formal verification, there is a new technology that may contain undiscovered vulnerabilities.
We encourage the community to audit our contracts and security and encourage the responsible disclosure of any issues. This program is intended to recognize the value of working with the community of independent security researchers.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to privilege required to the likelihood of a successful exploit.
Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into account the funds at risk. Other considerations such as PR and branding concerns may also be considered by the team at its discretion.
Paid auditor(s) of this code is(are) not eligible for rewards in this table. Determinations of eligibility and final reward amount (for critical vulnerabilities) and all terms related to an award are at the sole and final discretion of the DeFiner Protocol team.
Payouts are handled by the DeFiner directly and are denominated in USD. Payouts are done in USDT, DAI ,or USDC for payouts up to USD 10,000 and FIN/stablecoin mix (90%/10%) for all other critical payouts.
Smart Contract Rewards:
Level
Payouts
Critical
Up to USD $100,000
High
USD $10,000
Medium
USD $5,000
Low
USD $1,000
Scope
The primary scope of the bug bounty program is for vulnerabilities affecting the on-chain deployed contracts on the Ethereum Mainnet, for contract addresses listed in this developer documentation This list may change as new contracts are deployed, or as existing contracts are removed from usage.
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in the scope table.
Smart Contracts Impacts:
Loss of user funds staked (principal) by freezing or theft
Loss of governance funds
Theft of unclaimed yield
Freezing of unclaimed yield
Temporary freezing of funds for 1 day.
Unable to call smart contract
Smart contract gas drainage
Smart contract fails to deliver promised returns
Disclosure
Submit all bug bounty disclosures to contact@definer.org. The disclosure must include clear and concise steps to reproduce the discovered vulnerability in either written or video format. DeFiner will follow up promptly with acknowledgment of the disclosure.
DeFiner reserves the right to reject submissions and alter the terms and conditions of this program.
Last updated