necDAO Bug Bounty Goes Live!

necDAO
Nov 6, 2019

In the run-up to the launch of the necDAO, we are announcing a community bug bounty program offering ETH rewards (with the highest award being 10k USD equivalent for identifying a critical bug) to anyone reporting security vulnerabilities in the DAO contracts, locking mechanisms and governance processes. Read on to learn more.

On September 9, the team behind DeversiFi and Nectar announced the new Nectar 2.0 whitepaper, an overhaul of the Nectar token that includes deflationary tokenomics through an aggressive supply burn and a buy-back-and-burn system, whitelist removal, fee discounts and, perhaps most excitingly of all, its role in the fast-approaching necDAO. More details can be found in the new Nectar whitepaper.

In preparation for the necDAO, this bug bounty program incentivises the discovery of security vulnerabilities in the DAO codebase, as well as any issues in the NEC locking mechanism (locking is required for earning reputation), since significant funds may end up locked in these smart contracts.

The Bug Bounty Program

The program applies to the deployment of the necDAO contracts running on an Ethereum test network (Rinkeby), so there are no real funds at stake. The codebase, however, is identical to the version planned for the live deployment.

Rewards will be granted to those who report legitimate bugs (more details below) to DeversiFi and DAOstack. The main areas of focus include, but are not limited to:

Reputation Process. In order to receive reputation in the necDAO, users will be required to go through one of three options:

  1. locking NEC tokens for selected periods;
  2. holding NEC for a reputation airdrop at a given blocktime;
  3. bidding GEN tokens in an auction.

For example, can you find vulnerabilities that allow an attacker to undermine or break these processes and gain access to ETH, NEC, GEN or other tokens, or to obtain additional reputation?

Governance Process. Any unintended behaviour in the actual governance mechanisms of the DAO. Can you undermine or break the DAO by passing a malicious proposal? Drain funds against a majority vote? Or otherwise exploit a major vulnerability in the code?

Useful technical information and resources for the above can be found in the GitHub repository. An example DAO is deployed on Rinkeby.

Rewards

We will be using the Ethereum Foundation's Bug Bounty severity scale (based on the OWASP risk rating methodology), shown below. The value of each awarded bounty will be based on DeversiFi's judgement of the severity of each reported bug:

  • Critical — USD 5000 to 10000
  • High — USD 2500
  • Medium — USD 1000
  • Low — USD 500

The judgement of the severity of the reported bug will be at the discretion of DeversiFi.

How long will the bounty run for?

There is currently no defined end date: the program as it stands will run until the necDAO officially launches, as detailed in the NEC 2.0 whitepaper.

General Rules

Most of the rules outlined in the Ethereum Foundation Bug Bounty Programme will also apply here. Mainly that:

  • Issues that have already been submitted by another user or are already known to the necDAO team are not eligible for bounty rewards. This includes the known possibility of proposals passing in Alchemy even though the DAO contracts do not hold enough funds to execute them.
  • Public disclosure of a vulnerability before reporting makes it ineligible for a bounty.
  • Anyone who has been paid to work on the codebase or audit it is not eligible for rewards.
  • The necDAO bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the necDAO bug bounty panel.

Bounties will be awarded to the first submitter of a given issue and only security vulnerabilities where funds are at risk will be included in the scope of this program.

How to Submit?

Submissions should be made to security@deversifi.com following the structure outlined below:

  • Name and social link
  • Description of bug
  • Instructions on reproducing the attack vector
  • Any other important information
  • Your Ethereum address

When submitting a bug report, please be as thorough and detailed as possible in each of these sections, as this will influence where the report is placed on the severity scale above and ultimately your bounty reward.

For any questions or to stay updated, connect with us on Telegram, Twitter and Reddit.

We work around the ⏰ on the development of DeversiFi as the home of decentralised token trading, offering the most innovative solutions and putting our users in control of their trading experience without sacrificing speed, liquidity, choice or trust.

Get involved, play your role and join us as we fan the flames of the financial evolution.

necDAO: The Decentralised Autonomous Organisation of Nectar.Community and DeversiFi