The Bug Bounty Program aims to improve the security of dForce network by inviting talented bug bounty hunters to uncover exploits and vulnerabilities pertaining to dForce native protocols, including dForce Lending, USX, EUX, dForce Trade, and Farming.
Bugs can be classified into three categories: Smart Contract Bugs, Infrastructure Bugs, and Other Bugs.
Smart Contract Bugs
Please visit our GitHub repository for the respective smart contract addresses:
IMPORTANT: The list may be updated from time to time to include the newly deployed contracts and remove those that have been abandoned. Please note this Bug Bounty Program does not cover vulnerabilities pertaining to 1) protocols built by third-party developers (i.e., smart contract wallet); 2) ownership of an admin key.
dForce Bug Bounty Program also covers vulnerabilities affecting domains that may produce exploitation of user accounts. We have deployed multiple DApps for users to interact with dForce protocols, including:
IMPORTANT: Only critical bugs are eligible for bounty rewards
Finally, dForce Bug Bounty Program does not cover test contracts on Rinkeby and staging servers, unless the discovered vulnerability also poses a threat to our protocols and interfaces on the Mainnet, or challenge the safety of users’ funds.
Bugs capable of affecting system stability or even triggering network crash, including those that:
- Allow attacker(s) to take away collateral tokens for at least 10% in dollar value of collateral tokens from the system.
- Are applied to a real situation and triggered through an attack vector rather than theory or hypothesis.
- Occur in operation mode or emergency shutdown mode, excluding those occuring during or shortly after the deployment when the system is yet to become fully activated.
Smart Contract Bugs
Type of severity of bug/defect can be categorized into four levels with different rewards:
- Critical $100,000
- High $20,000
- Medium $5,000
- Low $1,000
We have partnered with Immunefi to launch a bug bounty program. You can submit your findings through Immunefi as well. But please note 1 finding can only claim once from either Immunefi or email: [email protected].