Bug Bounty Program

Security is core to our values, and we value the input of hackers to help us maintain the highest standard for security and safety. Though the DeFiner protocol has gone through professional audits and formal verification, there is a new technology that may contain undiscovered vulnerabilities.

We encourage the community to audit our contracts and security and encourage the responsible disclosure of any issues. This program is intended to recognize the value of working with the community of independent security researchers.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to privilege required to the likelihood of a successful exploit.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into account the funds at risk. Other considerations such as PR and branding concerns may also be considered by the team at its discretion.

Paid auditor(s) of this code is(are) not eligible for rewards in this table. Determinations of eligibility and final reward amount (for critical vulnerabilities) and all terms related to an award are at the sole and final discretion of the DeFiner Protocol team.

Payouts are handled by the DeFiner directly and are denominated in USD. Payouts are done in USDT, DAI ,or USDC for payouts up to USD 10,000 and FIN/stablecoin mix (90%/10%) for all other critical payouts.

Smart Contract Rewards:

Level

Payouts

Critical

Up to USD $100,000

High

USD $10,000

Medium

USD $5,000

Low

USD $1,000

Scope

The primary scope of the bug bounty program is for vulnerabilities affecting the on-chain deployed contracts on the Ethereum Mainnet, for contract addresses listed in this developer documentation This list may change as new contracts are deployed, or as existing contracts are removed from usage.

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in the scope table.

Smart Contracts Impacts:

  • Loss of user funds staked (principal) by freezing or theft

  • Loss of governance funds

  • Theft of unclaimed yield

  • Freezing of unclaimed yield

  • Temporary freezing of funds for 1 day.

  • Unable to call smart contract

  • Smart contract gas drainage

  • Smart contract fails to deliver promised returns

Disclosure

Submit all bug bounty disclosures to contact@definer.org. The disclosure must include clear and concise steps to reproduce the discovered vulnerability in either written or video format. DeFiner will follow up promptly with acknowledgment of the disclosure.

DeFiner reserves the right to reject submissions and alter the terms and conditions of this program.

Last updated