Filliquid Testnet Bug Bounty Program — Earn 500,000 $FIG

FILLiquid
Feb 20, 2024

The FILLiquid testnet is officially live! We’re extremely proud to show our product to the Filecoin ecosystem, allowing us to test our protocol in a live environment.

The testnet gives us the opportunity to identify any problems that might be in the protocol. Although we’re confident after months of coding, more eyes on our product might help to identify problems that we have missed.

This is where our bug bounty program comes into play.

We are excited to invite security researchers and users to participate in the bug bounty program for the Filliquid testnet launch. This is an opportunity to test out the platform, identify any vulnerabilities, and earn additional FIG token rewards.

Rewards

We have a range of rewards lined up for the bug bounty program, with higher rewards for those identifying the most critical bugs.

Rewards will be granted based on vulnerability severity, according to the following schedule:

- Critical: 500,000 FIG per verified bug identified
- High: 50,000 FIG per verified bug identified
- Medium: 10,000 FIG per verified bug identified
- Low: 1,000 FIG per verified bug identified

Vulnerability Categories

The following are examples of the vulnerabilities we are looking for in each severity category.

Any bugs found outside of these examples will be individually assessed by the team to determine which category they belong in.

Critical

- Staking/farming contract exploits resulting in FIG token theft or loss of staked assets

- Borrowing exploits that drain reserve funds or cause unaccounted FIG rewards

- Liquidation mechanism failures that prevent bad debt repayment

- FIT exchange rate manipulation

High

- Wallet integration issues that compromise user private keys or funds

- Bypassing authorization controls to access other user accounts

- Manipulating on-chain data to falsely trigger liquidations

- Achieving unintended high FIG rewards from farming

Medium

- UI/UX issues that result in unintended operations or confusion

- Incorrect data presentations about staking yields, loan terms, etc.

- Spamming the network to degrade performance

Low

- Typos, broken links, inconsistencies in docs or UI

- Missing input validations in forms

- Minor calculation errors in yields or exchange rates

Scope

The scope of the bug bounty includes:

- Filliquid web application

- Staking, farming and borrowing smart contracts

- Wallet integrations

- Supporting infrastructure like faucets

Out of Scope

- Denial of service attacks on production infrastructure

- Spamming mailing lists or communications

- Any testing without an agreed-upon scope

Participation

Those looking to participate in the bug bounty program can make their submissions here:

https://docs.google.com/forms/d/1GR2eGaU11S11EJ0_XD4ZudanWbcwsOT8grmhZA7cvhI/edit

We look forward to your participation and feedback, which will help strengthen the security and experience of our products before mainnet launch.

Rules

To be eligible for a reward:

  • You must be the first to report the unique vulnerability, and it must be previously unreported.
  • A detailed explanation of the vulnerability and steps to reproduce must be provided.
  • An explanation of potential impact must be included.
  • Reports with attached working exploits are rewarded higher.

Restricted activity that makes you ineligible:

  • Attempting phishing attacks or social engineering of our employees/community
  • Any physical attacks against our property or employees
  • Spamming our services
  • Any illegal activity

We determine eligibility and reward decisions solely at our own discretion.

By participating in this program, you agree to use only test accounts and test funds on the Filliquid testnet. Attacking or accessing mainnet components is strictly prohibited.

Terms:

  • Rewards for issues submitted first by another user will go to that user
  • Determination of reward amounts is at the sole discretion of the Filliquid team, based on severity, reproducibility and quality of reports
  • We reserve the right to amend terms during the program
  • Rewards are delivered at the end of the testnet period


FILLiquid

FILLiquid is designed as a liquidity pool that will be implemented on FVM as a fully open-sourced, decentralized, algorithm-based lending platform.