Solv’s $50,000 Bug Bounty Program! In Partnership With Immunefi
Solv is offering a $50,000 bug bounty to incentivize developers and white hats to help us secure our protocol by uncovering its vulnerabilities and shortcomings. And we are pleased to be able launch this undertaking with Immunefi, which is a leading bug bounty platform experienced in the testing and securing of DeFi protocols.
For those of you who may not be familiar, Immunefi is a bug bounty platform with a mission to secure the DeFi sector. Currently, they are protecting $50 billion in user funds and have worked with projects like Synthetix, Chainlink, SushiSwap, and The Graph. As we seek to provide a secure platform for projects and investors alike, working with Immunefi is the logical next step for us. This, along with the insurance fund we bought from Tidal Finance and Unslashed Finance last month, will give our platform security and give our users peace of mind.
Read on to learn the ins and outs of our bug bounty program.
The $50,000 Bug Bounty Overview
This bug bounty program is focused on Solv’s smart contracts and is focused on preventing:
- Loss of user funds staked (principal) by freezing or theft
- Theft of unclaimed yield
- Freezing of unclaimed yield
- Smart contract fails to deliver promised returns
The Bounty Program Rewards
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
Smart Contracts and Blockchain
- Critical, USD 50 000
- High, USD 25 000
- Medium, USD 10 000
- Low, USD 3 000
All Critical/High severity bug reports must come with a PoC (Proof of Capacity) and a suggestion for a fix in order to be considered for a reward.
How to Register
No KYC!!!
Assets & Impacts in Scope
All smart contracts of Solv can be found at https://github.com/solv-finance. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Smart Contracts/Blockchain
- Loss of user funds staked (principal) by freezing or theft
- Theft of unclaimed yield
- Freezing of unclaimed yield
- Smart contract fails to deliver promised returns
Prioritized vulnerabilities
We are especially interested in receiving and rewarding vulnerabilities of the following types:
Smart Contracts and Blockchain
- Re-entrancy
- Logic errors
including user authentication errors
- Solidity/EVM details not considered
including integer over-/under-flow
Including rounding errors
including unhandled exceptions
- Trusting trust/dependency vulnerabilities
including composability vulnerabilities
- Oracle failure/manipulation
- Novel governance attacks
- Economic/financial attacks
including flash loan attacks
- Congestion and scalability
including running out of gas
including block stuffing
including susceptibility to frontrunning
- Consensus failures
- Cryptography problems
Signature malleability
Susceptibility to replay attacks
Weak randomness
Weak encryption
- Susceptibility to block timestamp manipulation
- Missing access controls / unprotected internal or debugging interfaces
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Incorrect data supplied by third party oracles
Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
How To Report Bugs?
We request hackers submit their bug reports responsibly to prevent any attack on Solv. Thus, they must give the Solv Team enough time to fix the problems before making the vulnerabilities public.
Participants must note that only the first person to report the bug will be entitled to the relevant reward. They must submit the vulnerabilities with all the relevant links, documents, and codes. Only one form will be accepted for submission for any given vulnerability. However, bounty hunters are free to submit multiple forms for multiple vulnerabilities.
Any attempt to publicly disclose the vulnerability before resolving it will lead to the cancellation of the reward. Solv and Immunefi reserve the right to disqualify anyone who doesn’t adhere to the rules and regulations of the bounty program. Finally, under no circumstances will Solv negotiate for payments under any threat or coercion.
Learn more about how to participate in the bug bounty at bugs.immunefi.com.
