Announcing $100K Bug Bounty Program with Immunefi

In an endeavor to make Lido for Solana secure, we are partnering with Immunefi to deliver a $100,000 bug bounty program

Rishi Sidhu
Chorus One
Aug 30, 2021

We are taking another step in making Lido for Solana more secure by announcing a bug bounty in partnership with Immunefi. To date, we have had two audits done on our source code. The first was done by Bramah Systems and the second, which is ongoing at the moment, is being done by Neodyme. This bug bounty is a further step in fortifying the security of Lido for Solana ahead of its launch in September.

The bounty amount of $100,000 could soon be revised to $2,000,000 if the proposal to increase it is accepted. The $2m proposal is being voted on and so far has received 100% of votes in favour of increasing the bounty. The voting is still open, though, and ends on the 1st of September.

About Immunefi

Immunefi is a bug bounty platform for smart contracts and projects that protects them against catastrophic exploits by rewarding white hats who find bugs in the system. Rewards are distributed according to the level of the vulnerability exposed, with levels varying on a 5-point scale based on the Immunefi Vulnerability Severity Classification System.

Rewards and Program Scope

The bug bounty covers smart contracts as well as the Lido app website. The primary focus of the bug bounty program is the Lido Program’s smart contracts, but there are generous rewards for discovering bugs in the Lido web app as well.

All web app bug reports require an accompanying PoC in order to be considered for a reward. Payouts are handled by the Lido for Solana department of the Lido team directly and are denominated in USD. Payouts are done in either ETH, DAI, RAI, or LDO, as per the bug bounty hunter’s preference.

For a list of assets in scope, please refer to the bug bounty page at Immunefi.

Note: For researchers who want to start their research early, a development version is available at https://solana-dev.testnet.lido.fi/, but this devnet deployment is not in scope. Additionally, any web/app bugs not directly related to what is in the Assets in Scope table but relevant for lido.fi should be submitted to their main bug bounty program, assuming they fulfill all other requirements.

About Lido for Solana

Lido for Solana is a Lido DAO-governed liquid staking protocol for the Solana blockchain. Anyone who stakes their SOL tokens with Lido will be issued stSOL, an on-chain representation of their SOL staking position with Lido validators. Lido for Solana will integrate stSOL widely into the Solana DeFi ecosystem to enable stSOL users to make use of their staked assets in a variety of applications.

With a proposal to increase and expand Lido’s bug bounty program to $2m underway, it is clear the Lido DAO is very serious about maintaining the security of its projects.

Lido for Solana is going to be a mission-critical project and consequently a lucrative target for attacks. We take security seriously, and this bug bounty is an effort to battle-test our codebase. We encourage all white hats to participate in this program and be rewarded with handsome bounty amounts.

To apply to the bug bounty and for further information, please visit the Immunefi bug bounty page.

About Chorus One

Chorus One offers staking services and builds protocols and tools to advance the Proof-of-Stake ecosystem.

Website: https://chorus.one
Twitter: https://twitter.com/chorusone
Telegram: https://t.me/chorusone
Newsletter: https://substack.chorusone.com

Disclaimer

Our content is intended to be used and must be used for educational purposes only. It is not intended as legal, financial or investment advice and should not be construed or relied on as such. The information is general in nature and has not taken into account your personal financial position or objectives. Before making any commitment of financial nature you should seek advice from a qualified and registered financial or investment adviser. Chorus One does not recommend that any cryptocurrency should be bought, sold, or held by you. Any reference to past or potential performance is not, and should not be construed as, a recommendation or as a guarantee of any specific outcome or profit. Always remember to do your own research.
