Securing Pods: Bug Bounties

Let’s hunt some bugs 🔍

Guilherme Guimarães, published in Pods, Apr 28, 2021

Pods is hosting its Bug Bounty Program with Immunefi. This post describes the program and invites you to share it with your community. Our goal is to find bugs as quickly as possible.

Overview

Open source on-chain protocols work (and scale) only when they are built for and with the community. The participation of our community members in testing and debugging is of real importance to us.

With the launch of Pods, we want to make sure that users are correctly incentivized through a joint practice between the core team and security engineers. The goal is to create a safer space for everyone.

What is Pods

Pods is a decentralized non-custodial options protocol that allows users to create calls and/or puts and trade them in the Options AMM. Pods is implemented as a system of non-upgradable smart contracts on the Ethereum blockchain. Because the contracts cannot be upgraded, a bug cannot be patched in place after deployment, which is why we want issues found before they can be exploited.

Currently, users can participate:

  • as sellers or buyers of either puts or calls in the Options Instrument, and/or
  • as liquidity providers in the Options AMM.

If you want to learn more about Pods Protocol here are some resources:

Scope

The bug bounty program is focused on the Pods smart contracts and is primarily concerned with the loss of user funds.

This Program is limited to vulnerabilities affecting Pods Finance V1 in the following contracts:

The following are not within the scope of the Program:

https://github.com/pods-finance/contracts-v0

Vulnerabilities

Prioritized Smart Contract/Blockchain vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Vulnerability Classification

Critical

An issue that might cause immediate loss of more than 10% of the funds, or permanent impairment of the protocol state.

Very High / High

An issue that might cause immediate loss of less than 10% of the funds, or severely damage the protocol state.

Medium

An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.

Low / Very Low / Note

An issue that might cause user dissatisfaction or minimal failure.

Program Rewards

The final payout is based on the severity of the reported bug according to the table below; the likelihood that the bug is actually exploitable is also taken into account when determining the amount:

Bug bounty program rewards

Program Rules

The following activities are prohibited by the bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets.
  • Any testing with pricing oracles or third-party smart contracts.
  • Attempting phishing or other social engineering attacks against our employees and/or customers.
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks).
  • Any denial of service attacks.
  • Automated testing of services that generates significant amounts of traffic.
  • Public disclosure of an unpatched vulnerability in an embargoed bounty.
  • Best-practice critiques are not accepted under this program. The lowest severity level (Note) is reserved for bugs that might be considered “Low” but have an even lower impact.

Eligibility

  • Comply with all the eligibility requirements of the Program.
  • Submissions need to be related to the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.
  • It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward.
  • Public disclosure of a vulnerability would make it ineligible for a reward.
  • Technical knowledge is required for the process.
  • Duplicated issues are not eligible for the reward. The first submission would be the eligible one.
  • Report any vulnerability you’ve discovered promptly.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, or harming the user experience.
  • Keep the details of any discovered vulnerabilities confidential until they are fixed.
  • Do not engage in blackmail, extortion, or any other unlawful conduct.
  • Bugs must be reproducible in order for us to verify the vulnerability.
  • The bug must not have been publicly disclosed.

How long will this program be available?

There is no end date for this Bug Bounty program.

About Immunefi

Immunefi is the leading bug bounty and security services platform for DeFi, where projects secure their code and whitehats keep funds safe. Immunefi protects over $25 billion in user funds and has paid out millions of dollars in bug bounties.

Immunefi’s community of proven whitehat hackers, war room and crisis management expertise, and industry-leading secure disclosure platform make Immunefi a core part of the security stack for DeFi’s leading projects, such as Synthetix, SushiSwap, PancakeSwap, and BadgerDAO.

More questions?

Thank you for being interested in our Bug Bounty Program.

It is extremely important for us to hear from you and your findings. If you found something, or if you think there might be a problem but it doesn’t fit the current program, please contact us at your earliest convenience. You may find us in our personal Telegram accounts @rafaellabaraldo, @ggviana, @robsonsjre, @aerhy, and @razgraf or in our Discord.

We thank you for your collaboration and effort in advance. 🙏🏻

About Pods

Pods is a decentralized non-custodial options protocol. Users can create options and trade them through an Options AMM on the Ethereum Blockchain. Pods is the easiest way to hedge crypto in DeFi.

We invite you to take the first step in your new mission: start testing the app on app.pods.finance

Join the Pods community

app | website | documentation | blog | twitter | youtube | telegram | discord
