TruFin launches new Bug Bounty Program with Immunefi

TruFin Protocol
Sep 27, 2023

Discover unknown bugs, get rewarded, and help keep TruFin secure.

TruFin is launching a new program to ensure our ecosystem is as safe as it can be. The Bug Bounty Program will launch on 27th September, 2023. Read on to learn how you can submit a bug detected on one of our smart contracts.

TL;DR

  • The TruFin Bug Bounty Program is launching on 27th September, 2023.
  • You can report bugs and be rewarded on the Immunefi platform: https://immunefi.com/bounty/trufin/.
  • Rewards are based on the severity of the bug detected.

Background

When building out our institutional-grade Web3 primitives, such as the TruStake liquid staking solution for MATIC, having safe and secure smart contracts is always of the utmost importance.

The TruFin Protocol has been investing significant time and money to audit and secure our smart contracts. As of early 2023, the TruFin protocol has undergone multiple independent audits from some of the most distinguished names in the industry, such as OpenZeppelin, Nethermind, and Zokyo.

On top of that, we now want to involve our community in the process and reward them for their participation. The bounty program rewards community members for reporting bugs in our smart contracts that are already in production.

How do I submit a bug?

If you’ve found a bug, you can submit it on the Immunefi platform: https://immunefi.com/bounty/trufin/. Upon submission, the team will investigate the bug and try to replicate it. If it is confirmed to be an unknown bug, the team will issue you your rewards. The amount awarded will be distributed according to the severity level, based on the Immunefi Vulnerability Severity Classification System V2.2.

How do I know if my bug is eligible for rewards?

When you submit a bug report, it is time-stamped on the blockchain, and only the first valid submission will be rewarded.

Bug reports covering previously discovered bugs (found in audits or specified on the Immunefi bounty page) are not eligible for the program. This means that if two or more people submit the same bug, only the first person to report it will be eligible to claim its rewards. Any bug already specified on the bounty page will also not be eligible for rewards.

All bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward.

All the detailed rules are available on the Immunefi page: https://immunefi.com/bounty/trufin/

What are the rewards?

The rewards are offered depending on the severity of the bug reported. There are four levels of bugs that can be reported: medium, high and critical.

  • Critical: Up to 25,000 USD (paid in USDC)
  • High: Up to 15,000 USD (paid in USDC)
  • Medium: 2,500 USD (paid in USDC)

Let’s continue to strive for a safer and more secure ecosystem for our community.