Spool Unveils Comprehensive Bug Bounty Programme to Fortify DeFi Security

Spool, published Dec 6, 2023

In a move to strengthen our foothold as a secure and trustworthy DeFi infrastructure, Spool has rolled out an extensive Bug Bounty Programme. This follows extensive testing in-house, as well as audits by multiple leading specialist security companies.

As is standard with bug bounties, the programme seeks to uncover previously unidentified vulnerabilities that could potentially affect user and treasury funds, among other critical aspects. By leveraging community expertise, Spool aims to create a resilient ecosystem, particularly focusing on its smart contracts.

Objectives and In-Scope Impacts

Investor security, safety, and risk management are key tenets of Spool, and this programme is aimed at preventing:

  • Loss of user funds
  • Loss of treasury funds
  • Permanent freezing of funds
  • Theft of principal funds
  • Theft of unclaimed yield funds

Rewards are allocated according to the severity of the vulnerability, utilising the Immunefi Vulnerability Severity Classification System V2.1.

Reward Tiers by Threat Level

  • Critical: Up to USD 1,500,000
  • High: Up to USD 50,000
  • Medium: USD 5,000
  • Low: USD 1,000

For Critical and High-severity reports, a Proof of Concept (PoC) must be provided alongside a proposed fix. For these categories, rewards are capped at 10% of the economic damage incurred, with a minimum reward set at USD 50,000 for Critical and USD 20,000 for High-severity reports.

In-Scope Impacts

Only the following impacts are accepted within this bug bounty programme. All other impacts are not considered in scope, even if they affect something in the Assets in Scope table (https://github.com/SpoolFi/).

Critical

  • Direct theft of any user funds, whether at rest or in motion, other than unclaimed yield
  • Permanent freezing of funds
  • Protocol Insolvency

High

  • Theft of unclaimed yield
  • Miner-extractable value (MEV)
  • Permanent freezing of unclaimed yield (unless emergency withdrawal of a strategy was performed, in which case we do not claim the protocol rewards)
  • Temporary freezing of funds for at least 90 days

Medium

  • Smart contracts are unable to operate due to a lack of token funds (except the RewardDistributor contract where the rewards have to be transferred manually)
  • Block stuffing for profit
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Theft of gas
  • Unbounded gas consumption

Low

  • Smart contract fails to deliver promised returns but doesn’t lose value

Rules and Limitations

Some of the activities and vulnerabilities deemed out of scope include:

  • Attacks previously exploited by the reporter, leading to damage
  • Attacks requiring access to leaked keys or privileged addresses
  • Lack of liquidity and best practice critiques
  • Sybil attacks and centralisation risks

The following activities are prohibited by this bug bounty programme:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generate significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

KYC and Payment Procedures

All bug bounty hunters wishing to submit a report and receive a reward must undergo a Know Your Customer (KYC) process, requiring a national ID or passport photo and a recent bank statement or utility bill. Payments will be conducted in DAI/USDC by the Spool team, but the rewards are denominated in USD.

A Call to Community Vigilance

This bug bounty programme stands as a testament to Spool’s commitment to security and transparency, offering robust financial incentives for identifying vulnerabilities that could compromise the platform’s integrity.

For those keen to contribute, all smart contracts related to Spool can be found at their [GitHub repository](https://github.com/SpoolFi/). However, please note that only those listed in the Assets in Scope table are considered within the scope of the bug bounty programme.

By actively engaging with the wider community, Spool aims to further solidify its position as a leader in providing secure, institutional-grade DeFi solutions. Through this initiative, Spool continues to show that the safety of its users and the secure handling of their assets remain a top priority.

For full details, please visit https://immunefi.com/bounty/spool/.

______________________

Spool is a permissionless DeFi platform that connects Capital Aggregators with DeFi Yield Generators. Funds are dynamically and efficiently allocated to ensure optimized yields, for custom strategies, managed by DAO-curated Risk Models.

Spool was established as a DAO, with a selection of founding contributors representing a diverse cross-section of the blockchain community.
