Introducing The Set Protocol Bug Bounty Program

Be rewarded for helping us to secure our protocol

Anthony Sassano
Set Labs
3 min read · Aug 15, 2019


We take the security of our protocol very seriously and, starting today, we’re launching the Set Protocol Bug Bounty Program to seek help from the global community to publicly audit our codebase on an ongoing basis. The program will pay up to $50,000 for critical exploits and is open to anyone interested in helping to improve the security of Set Protocol.

The bug bounty program covers exploits found in Set Protocol. The codebases in scope are our smart contract repositories, linked here and here.

Main areas of interest

Loss of assets

  • A user authorizes a transaction or trade but spends more assets than expected
  • A user’s assets are moved out of their account without their authorization

Undercollateralization

  • A Rebalancing SetToken or SetToken becomes undercollateralized by its underlying components.

Unintended contract state

  • A user is able to update the state of a contract such that it is no longer usable
  • Any assets get unexpectedly “stuck” in a contract with regular use of the contract’s public methods.
  • A user is able to freeze the assets in the Vault smart contract
  • A non-permissioned user is able to make an unauthorized transaction

Rules

  • Exploits will be evaluated on the extent to which they materially pose a risk to user funds and the liveness of the protocol.
  • Payout eligibility will be evaluated under the sole discretion of Set Labs.
  • We will only consider submissions outlining issues outside of those already documented in the whitepaper or previous audit reports — Trail of Bits or ChainSecurity.
  • When duplicates occur, we may only award the first report that was received.
  • Before discussing your findings publicly, please inform us and allow us a reasonable timeframe to fix the vulnerability.

Please send any questions & submit any findings to security@setprotocol.com and include [Bug Bounty] in the subject line. Anonymous submissions are accepted.

Compensation

Compensation will primarily be based on the severity of the bug found. To determine a bug’s severity, we will use the OWASP risk assessment methodology.
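As an added illustration of how that methodology turns a report into a severity (this is not Set Labs' own scoring sheet, and the factor values below are constructed for two hypothetical reports), the OWASP Risk Rating Methodology scores each likelihood and impact factor from 0 to 9, averages them, buckets the averages into LOW / MEDIUM / HIGH, and reads the final severity off a 3×3 matrix:

```python
"""Severity triage following the OWASP Risk Rating Methodology.

Added example: the factor names and thresholds are OWASP's; the two sample
reports and their factor values are constructed, not real findings.
"""

from statistics import mean

# Likelihood factors: four threat-agent factors, four vulnerability factors.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Technical impact factors (OWASP also defines business impact factors;
# this example scores technical impact only).
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)

# OWASP severity matrix, indexed as [impact_level][likelihood_level].
SEVERITY_MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def level(score: float) -> str:
    """Bucket a 0-9 average: 0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0..9 range")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def overall_score(factors: dict, expected: tuple) -> float:
    """Average the named factors, refusing incomplete or out-of-range input."""
    missing = set(expected) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in expected:
        if not 0 <= factors[name] <= 9:
            raise ValueError(f"factor {name}={factors[name]} is outside 0..9")
    return mean(factors[name] for name in expected)


def rate(likelihood: dict, impact: dict) -> dict:
    """Return the overall likelihood, impact and matrix severity for a report."""
    l_score = overall_score(likelihood, LIKELIHOOD_FACTORS)
    i_score = overall_score(impact, TECHNICAL_IMPACT_FACTORS)
    l_level, i_level = level(l_score), level(i_score)
    return {
        "likelihood": l_score, "likelihood_level": l_level,
        "impact": i_score, "impact_level": i_level,
        "severity": SEVERITY_MATRIX[i_level][l_level],
    }


# Constructed scoring for a hypothetical "loss of assets" report: easy for
# any on-chain actor to reach, and it breaks integrity of user balances.
UNAUTHORIZED_TRANSFER = rate(
    likelihood={"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
                "ease_of_discovery": 3, "ease_of_exploit": 5,
                "awareness": 1, "intrusion_detection": 9},
    impact={"loss_of_confidentiality": 2, "loss_of_integrity": 9,
            "loss_of_availability": 7, "loss_of_accountability": 7},
)

# Constructed scoring for a hypothetical "assets stuck" report that only
# triggers under an unusual call sequence and affects a single caller.
STUCK_ON_EDGE_CASE = rate(
    likelihood={"skill_level": 3, "motive": 4, "opportunity": 4, "size": 2,
                "ease_of_discovery": 1, "ease_of_exploit": 1,
                "awareness": 1, "intrusion_detection": 4},
    impact={"loss_of_confidentiality": 0, "loss_of_integrity": 5,
            "loss_of_availability": 7, "loss_of_accountability": 4},
)

if __name__ == "__main__":
    for name, result in (("unauthorized transfer", UNAUTHORIZED_TRANSFER),
                         ("stuck on edge case", STUCK_ON_EDGE_CASE)):
        print(f"{name}: {result}")
```

The first constructed report averages to a HIGH likelihood (6.375) and a HIGH impact (6.25), which the matrix rates Critical; the second averages to LOW likelihood (2.5) and MEDIUM impact (4.0), which rates Low. Scoring a report this way before submission also makes the "clear description" part of a submission concrete: each factor value is a claim the triager can check against the test case.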

In calculating the payout, we will also consider the quality of the submission. This includes a clear description, a test case, and a provided fix. The payouts are guided by the below estimates, but are determined at the sole discretion of Set Labs.

All bounties are payable in Sets of your selection at the equivalent value at the time of payment.

Thank you in advance for your participation in helping to secure our protocol.

Learn more about Set and join our community

TokenSets | Website | Medium | Twitter | Telegram | Slack
