Aura Finance · proposed by 0x021C5536bd60bCe9f15FB0E32746e332E3fbFAF4 · Aura Finance BIPs

[BIP-758] Update Bug Bounty Program scope for v3 assets

Voting ended about 1 year ago. Outcome: Succeeded

This proposal's description has been partially trimmed to fit.

The full proposal text can be found on the Balancer proposal: https://snapshot.box/#/s:balancer.eth/proposal/0x78e1e1243888b3c6f0bd6f4d4eeae66e8a753fb58db97502f3ddf6a6098bef6c

Introduction

The Balancer Bug Bounty, hosted on Immunefi, transitioned to the care of the Balancer DAO after [BIP-687]. The program's scope must now be updated to include v3 assets.

We are also changing the KYC requirements: whereas there was no KYC in the past, Immunefi will now conduct light KYC onboarding of security researchers according to the platform's terms of use. This is not expected to affect the number of relevant reports received.

After consulting with the Immunefi team and incorporating contributions from DAO members, the proposed overview of the program is as follows:

Rewards by threat level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.1. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

Smart Contracts

  • Critical Up to USD 1 000 000
  • High Up to USD 250 000
  • Medium Up to USD 25 000

All Critical/High severity bug reports must come with a PoC whose end effect impacts an asset in scope in order to be considered for a reward. Explanations and statements are not accepted as a PoC; code is required.

Critical smart contract vulnerabilities are further capped at 10% of economic damage, taking into account the funds at risk at the moment of the bug report submission. However, there is a minimum reward of USD 250 000. Additionally, the maximum reward is capped at USD 1 000 000, even if 10% of the damage in USD equivalent is greater than USD 1 000 000.

High severity smart contract vulnerabilities are also further capped at 10% of economic damage, taking into account the funds at risk at the moment of the bug report submission. However, there is a minimum reward of USD 50 000. Additionally, the maximum reward is capped at USD 250 000, even if 10% of the damage in USD equivalent is greater than USD 250 000.

Vulnerabilities involving non-standard ERC20 tokens are considered out of scope, as it would be trivial to insert an exploit into a token for the sake of applying to this bug bounty. A standard, Balancer-compatible ERC20 token is one that conforms to all EIP-20 interfaces and exhibits expected behavior in implementation; i.e., transfers move exactly N tokens from sender to recipient, and balances do not change by any means other than transfers. Notably, tokens with transfer fees, rebasing supplies, streaming mechanics, or multiple entrypoints are not compatible with Balancer, but that list is not exhaustive.
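As an added illustration (not part of the proposal and not Balancer or Immunefi code), the Python below applies the two conditions in the definition above to three constructed token models: a conforming token, a fee-on-transfer token and a rebasing token. The token classes, the account names and the tick() hook, which stands in for time passing between two balance reads, are assumptions made for this offline simulation.

```python
"""Offline check of the Balancer-compatible ERC20 definition against constructed
token models. Added example, not Balancer or Immunefi code; the three token
classes and the tick() hook (standing in for time passing between balance reads)
are assumptions made for this simulation."""

ONE = 10**18  # fixed-point scale for the rebasing model's index


class StandardToken:
    """Conforming EIP-20 behaviour: transfer moves exactly `amount`, nothing else moves balances."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True

    def tick(self):
        """Time passes; a conforming token has no balance-changing side effects."""


class FeeOnTransferToken(StandardToken):
    """Deducts a fee (basis points) on transfer: the recipient receives less than `amount`."""

    def __init__(self, balances, fee_bps):
        super().__init__(balances)
        self.fee_bps = fee_bps

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - fee
        return True


class RebasingToken:
    """Holds shares; balanceOf scales by a global index that a rebase changes without any transfer."""

    def __init__(self, balances):
        self.shares = dict(balances)  # index starts at ONE, so shares equal balances
        self.index = ONE

    def balance_of(self, who):
        return self.shares.get(who, 0) * self.index // ONE

    def transfer(self, sender, recipient, amount):
        share_amount = amount * ONE // self.index
        if self.shares.get(sender, 0) < share_amount:
            raise ValueError("insufficient balance")
        self.shares[sender] -= share_amount
        self.shares[recipient] = self.shares.get(recipient, 0) + share_amount
        return True

    def tick(self):
        self.index = self.index * 105 // 100  # +5% rebase: every holder's balance grows


def check_balancer_compatible(token, sender, recipient, amount):
    """Apply the proposal's two conditions; return a list of findings (empty = passed)."""
    findings = []
    before_s, before_r = token.balance_of(sender), token.balance_of(recipient)
    token.transfer(sender, recipient, amount)
    after_s, after_r = token.balance_of(sender), token.balance_of(recipient)
    # Condition 1: a transfer of N moves exactly N from sender to recipient.
    if before_s - after_s != amount:
        findings.append(f"sender balance fell by {before_s - after_s}, expected {amount}")
    if after_r - before_r != amount:
        findings.append(f"recipient balance rose by {after_r - before_r}, expected {amount}")
    # Condition 2: balances do not change by any means other than transfers.
    token.tick()
    if (token.balance_of(sender), token.balance_of(recipient)) != (after_s, after_r):
        findings.append("balances changed with no transfer (rebasing or streaming behaviour)")
    return findings


def run_screen():
    """Screen the three constructed models; returns {model name: findings}."""
    alice, bob = "alice", "bob"  # constructed accounts
    models = {
        "standard": StandardToken({alice: 1_000}),
        "fee_on_transfer": FeeOnTransferToken({alice: 1_000}, fee_bps=100),
        "rebasing": RebasingToken({alice: 1_000}),
    }
    return {name: check_balancer_compatible(t, alice, bob, 500) for name, t in models.items()}


if __name__ == "__main__":
    for name, findings in run_screen().items():
        print(f"{name}: {'compatible' if not findings else findings}")
```

Two caveats for anyone using a delta check like this to pre-screen a token before spending time on a report: the multiple-entrypoint case named in the paragraph (two contract addresses controlling one balance) is not detected by reading balances through a single address, and a real screen should be run against the live token on a forked chain rather than a model, since the non-conforming behaviour is whatever the deployed bytecode does, not what its documentation claims.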

Known issues such as those previously highlighted in the following audit reports, past security contests and public disclosures are considered out of scope (list is not exhaustive):

  • https://github.com/balancer/balancer-v2-monorepo/tree/master/audits
  • https://github.com/balancer/balancer-v3-monorepo/tree/main/audits

Payouts are handled directly by the Balancer team. Rewards are denominated in USD but paid in ETH or USDC, at the team's discretion.

First-level KYC is required of security researchers to participate in the program, following Immunefi's terms of use.

Assets in Scope

Target / Type
https://etherscan.io/address/0xba100000625a3754423978a60c9317c58a424e3d#code Smart Contract - BalancerGovernanceToken
https://etherscan.io/address/0xA331D84eC860Bf466b4CdCcFb4aC09a1B43F3aE6#code Smart Contract - Authorizer
https://etherscan.io/address/0xBA12222222228d8Ba445958a75a0704d566BF2C8#code Smart Contract - Vault
https://etherscan.io/address/0x897888115Ada5773E02aA29F775430BFB5F34c51 Smart Contract - WeightedPoolFactory
https://etherscan.io/address/0xA5bf2ddF098bb0Ef6d120C98217dD6B141c74EE0#code Smart Contract - WeightedPool2TokensFactory
https://etherscan.io/address/0xDB8d758BCb971e482B2C45f7F8a7740283A1bd3A Smart Contract - ComposableStablePoolFactory
https://etherscan.io/address/0x67d27634E44793fE63c467035E31ea8635117cd4#code Smart Contract - MetaStablePoolFactory
https://etherscan.io/address/0x0F3e0c4218b7b0108a3643cFe9D3ec0d4F57c54e#code Smart Contract - NoProtocolFeeLiquidityBootstrappingPoolFactory
https://etherscan.io/address/0xeA66501dF1A00261E3bB79D1E90444fc6A186B62 Smart Contract - BatchRelayerLibrary (V6)
https://etherscan.io/address/0x35Cea9e57A393ac66Aaa7E25C391D52C74B5648f Smart Contract - BalancerRelayer (V6)
https://etherscan.io/address/0x8F42aDBbA1B16EaAE3BB5754915E0D06059aDd75#code Smart Contract - AuthorizerAdaptor
https://etherscan.io/address/0xB848f50141F3D4255b37aC288C25C109104F2158#code Smart Contract - BALTokenHolderFactory
https://etherscan.io/address/0xf302f9F50958c5593770FDf4d4812309fF77414f#code Smart Contract - BalancerTokenAdmin
https://etherscan.io/address/0x5DbAd78818D4c8958EfF2d5b95b28385A22113Cd Smart Contract - GaugeAdder (V4)
https://etherscan.io/address/0xC128a9954e6c874eA3d62ce62B468bA073093F25#code Smart Contract - VotingEscrow
https://etherscan.io/address/0xC128468b7Ce63eA702C1f104D55A2566b13D3ABD#code Smart Contract - GaugeController
https://etherscan.io/address/0x239e55F427D44C3cc793f49bFB507ebe76638a2b#code Smart Contract - BalancerMinter
https://etherscan.io/address/0xe5F96070CA00cd54795416B1a4b4c2403231c548 Smart Contract - LiquidityGaugeV5 (V2)
https://etherscan.io/address/0xf1665E19bc105BE4EDD3739F88315cC699cc5b65 Smart Contract - LiquidityGaugeFactory (V2)
https://etherscan.io/address/0x4fb47126Fa83A8734991E41B942Ac29A3266C968 Smart Contract - SingleRecipientGaugeFactory (V2)
https://etherscan.io/address/0x67F8DF125B796B05895a6dc8Ecf944b9556ecb0B Smart Contract - VotingEscrowDelegation (V2)
https://etherscan.io/address/0x6f5a2eE11E7a772AeB5114A20d0D7c0ff61EB8A0#code Smart Contract - VotingEscrowDelegationProxy
https://etherscan.io/address/0x1c99324EDC771c82A0DCCB780CC7DDA0045E50e7 Smart Contract - ArbitrumRootGaugeFactory (V2)
https://etherscan.io/address/0xa98Bce70c92aD2ef3288dbcd659bC0d6b62f8F13 Smart Contract - PolygonRootGaugeFactory (V2)
https://etherscan.io/address/0xD3cf852898b21fc233251427c2DC93d3d604F3BB Smart Contract - FeeDistributor (V2)
https://etherscan.io/address/0x7869296Efd0a76872fEE62A058C8fBca5c1c826C#code Smart Contract - SmartWalletChecker
https://etherscan.io/address/0xbfD9769b061E57e478690299011A028194D66e3C#code Smart Contract - DistributionScheduler
https://polygonscan.com/address/0x2E96068b3D5B5BAE3D7515da4A1D2E52d08A2647#code Smart Contract - RewardsOnlyGauge
https://polygonscan.com/address/0x22625eEDd92c81a219A83e1dc48f88d54786B017#code Smart Contract - ChildChainGaugeFactory V2
https://polygonscan.com/address/0xc9b36096f5201ea332Db35d6D195774ea0D5988f#code Smart Contract - ChildChainGauge V2

V3 Assets in scope

Target / Type
https://etherscan.io/address/0xbA1333333333a1BA1108E8412f11850A5C319bA9 Smart Contract - Vault
https://etherscan.io/address/0x0E8B07657D719B86e06bF0806D6729e3D528C9A9 Smart Contract - VaultExtension
https://etherscan.io/address/0x35fFB749B273bEb20F40f35EdeB805012C539864 Smart Contract - VaultAdmin
https://etherscan.io/address/0xa731C23D7c95436Baaae9D52782f966E1ed07cc8 Smart Contract - ProtocolFeeController
https://etherscan.io/address/0x136f1EFcC3f8f88516B9E94110D56FDBfB1778d1 Smart Contract - BatchRouter
https://etherscan.io/address/0x9179C06629ef7f17Cb5759F501D89997FE0E7b45 Smart Contract - BufferRouter
https://etherscan.io/address/0x1CD776897ef4f647bf8241Ec69549e4A9cb1D608 Smart Contract - CompositeLiquidityRouter
https://etherscan.io/address/0x5C6fb490BDFD3246EB0bB062c168DeCAF4bD9FDd Smart Contract - Router
https://etherscan.io/address/0xB9d01CA61b9C181dA1051bFDd28e1097e920AB14 Smart Contract - StablePoolFactory
https://etherscan.io/address/0x201efd508c8DfE9DE1a13c2452863A78CB2a86Cc Smart Contract - WeightedPoolFactory

All Balancer V2 smart contracts can be found at https://github.com/balancer-labs/balancer-v2-monorepo, and the Balancer V3 contracts at https://github.com/balancer-labs/balancer-v3-monorepo. However, only those listed in the Assets in Scope tables are considered in scope for the bug bounty program.

If a Critical impact can be caused to any other asset managed by Balancer that is not in these tables, but the impact is listed in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project.

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contracts

Critical

  • Theft of >1% of total funds in the Vault
  • Permanent freezing of >1% of total funds in the Vault

High

  • Theft of deposited funds in excess of gas costs or swap fees
  • Permanent freezing of funds in excess of gas costs or swap fees

Medium

  • Temporary freezing of deposited funds in excess of gas costs or swap fees, potentially affecting multiple users
  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Individual losses of funds in excess of gas costs or swap fees, affecting a single user at the time (e.g. missing slippage checks)

Low

  • Individual DoS on a particular operation, affecting a single user at the time

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requi...

Off-Chain Vote

Yes, let's do it: 16.4M vlAURA (100%)
No, this is not the way: 0 vlAURA (0%)
Abstain: 0 vlAURA (0%)

Timeline

Jan 16, 2025: Proposal created
Jan 16, 2025: Proposal vote started
Jan 20, 2025: Proposal vote ended
Jan 20, 2025: Proposal updated