Announcing Liquity’s Bug Bounty Program

Kolten
Feb 19 · 3 min read

A bug bounty program for Liquity’s smart contracts is now live. We invite hackers to look for smart contract vulnerabilities in our system that can lead to loss of funds or to components becoming locked.

Rewards

Vulnerability reports will be scored using the CVSS v3 standard. The reward amounts for different types of vulnerabilities are:

  • 🚨 Critical (CVSS 9.0–10.0) → $5,000 - $50,000
  • ⚠️ Major (CVSS 7.0–8.9) → $2,500 - $5,000
  • ⚡ Medium (CVSS 4.0–6.9) → $1,000 - $2,500
  • 🐛 Low (CVSS 1.0–3.9) → $500 - $1,000

Rewards will be awarded at the sole discretion of Liquity AG. Quality of the report and reproduction instructions can impact the reward. Rewards are denominated and paid out in USD. If both parties agree, rewards can also be paid out in crypto.

For this initial bug bounty program, there is a .

The bug bounty program is ongoing and has been running since February 19th, 2021.

Reporting a Vulnerability

Please responsibly disclose any findings to the development team, following these instructions:

  • In order to report a vulnerability, please write an email to with [SECURITY DISCLOSURE] in the subject of the email.
  • For sensitive vulnerabilities, please encrypt the email using this PGP key (Fingerprint: 3F21 FFCD AD2A 7D5B 8E11 3198 FCE7 91AE 1A6F 4793).
  • We will make our best effort to reply in a timely manner and provide a timeline for resolution.
  • Please include a detailed report on the vulnerability with clear reproduction steps. The quality of the report can impact the reward amount.

Failure to do so will result in a finding being ineligible for any bounties.

Scope

In scope for the bug bounty are all the smart contract components of the Liquity protocol. They can be found in the following repositories:

Solidity code under the contracts directory:

  • Excluding contracts/Dependencies
  • Excluding contracts/LPRewards/Dependencies

The contract StabilityPool.sol is not yet released and is therefore out of scope. Nevertheless, we have published its interface, Interfaces/IStabilityPool.sol, which includes descriptions of the contract's purpose and of each function. A high-level description can also be found in the README file.

Out of scope

  • Any frontend applications or client-side code interacting with the contracts, as well as testing code.
  • Mismatch of the functionality of the contracts and outdated spec documents.

Areas of interest

These are some examples of vulnerabilities that would be interesting:

  • Stealing tokens or manipulating the token generation process.
  • Locking or freezing any of the Liquity contracts.
  • Griefing attacks: is it possible to block liquidations, redemptions, borrower operations, rewards distributions, etc.?
  • Do the desired constraints on borrower operations hold?
  • Flash loan exploits.
  • LQTY token exploits involving the LockupContracts.

Resources

Eligibility

Terms for eligible bounties:

  • Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first report will be awarded the bounty.
  • Public disclosure of the vulnerability, before explicit consent from Liquity AG to do so, will make the vulnerability ineligible for a bounty.
  • Attempting to exploit the vulnerability in a public Ethereum network will also make it ineligible for a bounty.

Liquity

Decentralized Borrowing Protocol
