Solv Protocol
Published in

Solv Protocol

Solv’s $50,000 Bug Bounty Program! In Partnership With Immunefi

Solv is offering a $50,000 bug bounty to incentivize developers and white hats to help us secure our protocol by uncovering its vulnerabilities and shortcomings. And we are pleased to be able launch this undertaking with Immunefi, which is a leading bug bounty platform experienced in the testing and securing of DeFi protocols.

For those of you who may not be familiar, Immunefi is a bug bounty platform with a mission to secure the DeFi sector. Currently, they are protecting $50 billion in user funds and have worked with projects like Synthetix, Chainlink, SushiSwap, and The Graph. As we seek to provide a secure platform for projects and investors alike, working with Immunefi is the logical next step for us. This, along with the insurance fund we bought from Tidal Finance and Unslashed Finance last month, will give our platform security and give our users peace of mind.

Read on to learn the ins and outs of our bug bounty program.

The $50,000 Bug Bounty Overview

This bug bounty program is focused on Solv’s smart contracts and is focused on preventing:

  • Loss of user funds staked (principal) by freezing or theft
  • Theft of unclaimed yield
  • Freezing of unclaimed yield
  • Smart contract fails to deliver promised returns

The Bounty Program Rewards

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Smart Contracts and Blockchain

  • Critical, USD 50 000
  • High, USD 25 000
  • Medium, USD 10 000
  • Low, USD 3 000

All Critical/High severity bug reports must come with a PoC (Proof of Capacity) and a suggestion for a fix in order to be considered for a reward.

How to Register

No KYC!!!

Assets & Impacts in Scope

All smart contracts of Solv can be found at https://github.com/solv-finance. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contracts/Blockchain

  • Loss of user funds staked (principal) by freezing or theft
  • Theft of unclaimed yield
  • Freezing of unclaimed yield
  • Smart contract fails to deliver promised returns

Prioritized vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Smart Contracts and Blockchain

  • Re-entrancy
  • Logic errors

including user authentication errors

  • Solidity/EVM details not considered

including integer over-/under-flow
Including rounding errors
including unhandled exceptions

  • Trusting trust/dependency vulnerabilities

including composability vulnerabilities

  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks

including flash loan attacks

  • Congestion and scalability

including running out of gas
including block stuffing
including susceptibility to frontrunning

  • Consensus failures
  • Cryptography problems

Signature malleability
Susceptibility to replay attacks
Weak randomness
Weak encryption

  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles

Not to exclude oracle manipulation/flash loan attacks

  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

How To Report Bugs?

We request hackers submit their bug reports responsibly to prevent any attack on Solv. Thus, they must give the Solv Team enough time to fix the problems before making the vulnerabilities public.

Participants must note that only the first person to report the bug will be entitled to the relevant reward. They must submit the vulnerabilities with all the relevant links, documents, and codes. Only one form will be accepted for submission for any given vulnerability. However, bounty hunters are free to submit multiple forms for multiple vulnerabilities.

Any attempt to publicly disclose the vulnerability before resolving it will lead to the cancellation of the reward. Solv and Immunefi reserve the right to disqualify anyone who doesn’t adhere to the rules and regulations of the bounty program. Finally, under no circumstances will Solv negotiate for payments under any threat or coercion.

Learn more about how to participate in the bug bounty at bugs.immunefi.com.

Want more #Solv related news, updates and announcements? Then follow us on Twitter or join our Telegram group!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store