[BIP-758] Update Bug Bounty Program scope for v3 assets

Introduction

Balancer Bug Bounty, hosted by Immunefi, has transitioned to the care of Balancer DAO after [BIP-687]. It’s imperative that we update the scope of the program to embrace v3 assets.

We are also introducing a change to KYC requirements: whereas there was no KYC in the past, Immunefi will now conduct light KYC onboarding of security researchers according to the platform's terms of use, which should have no impact on the number of relevant reports received.

After consulting with the Immunefi team and incorporating contributions from DAO members, here is the proposed overview of the program:

Rewards by threat level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.1. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

Smart Contracts

  • Critical: up to USD 1,000,000
  • High: up to USD 250,000
  • Medium: up to USD 25,000

All Critical/High severity bug reports must come with a PoC with an end-effect impacting an asset in scope in order to be considered for a reward. Explanations and statements are not accepted as a PoC; code is required.

Critical smart contract vulnerabilities are further capped at 10% of the economic damage, taking into account the funds at risk at the moment of the bug report submission. However, there is a minimum reward of USD 250,000. Additionally, the maximum reward is capped at USD 1,000,000, even if 10% of the damage in USD equivalent is greater than USD 1,000,000.

High severity smart contract vulnerabilities are also further capped at 10% of the economic damage, taking into account the funds at risk at the moment of the bug report submission. However, there is a minimum reward of USD 50,000. Additionally, the maximum reward is capped at USD 250,000, even if 10% of the damage is greater than USD 250,000.

Vulnerabilities involving non-standard ERC20 tokens are considered out of scope, as it would be trivial to insert an exploit into a token for the sake of applying to this bug bounty. A standard, Balancer-compatible ERC20 token is one that conforms to all EIP-20 interfaces and exhibits expected behavior in implementation; i.e., transfers move exactly N tokens from sender to recipient, and balances do not change by any means other than transfers. Notably, tokens with transfer fees, rebasing supplies, streaming mechanics, or multiple entrypoints are not compatible with Balancer, but that list is not exhaustive.

Known issues such as those previously highlighted in the following audit reports, past security contests and public disclosures are considered out of scope (list is not exhaustive):

Payouts are handled by the Balancer team directly and are denominated in USD. However, payouts are done in ETH or USDC, at the discretion of the team.

First-level KYC is required of security researchers to participate in the program, following Immunefi's terms of use.

Assets in Scope

Target | Address | Explorer | Type
Balancer: BAL Token | 0xba100000625a3754423978a60c9317c58a424e3d | Etherscan | Smart Contract - BalancerGovernanceToken
Balancer: Authorizer | 0xA331D84eC860Bf466b4CdCcFb4aC09a1B43F3aE6 | Etherscan | Smart Contract - Authorizer
Balancer: Vault | 0xBA12222222228d8Ba445958a75a0704d566BF2C8 | Etherscan | Smart Contract - Vault
WeightedPoolFactory | 0x897888115Ada5773E02aA29F775430BFB5F34c51 | Etherscan | Smart Contract - WeightedPoolFactory
Balancer: Weighted Pool 2 Tokens Factory | 0xA5bf2ddF098bb0Ef6d120C98217dD6B141c74EE0 | Etherscan | Smart Contract - WeightedPool2TokensFactory
ComposableStablePoolFactory | 0xDB8d758BCb971e482B2C45f7F8a7740283A1bd3A | Etherscan | Smart Contract - ComposableStablePoolFactory
Balancer: Metastable Pool Factory | 0x67d27634E44793fE63c467035E31ea8635117cd4 | Etherscan | Smart Contract - MetaStablePoolFactory
NoProtocolFeeLiquidityBootstrappingPoolFactory | 0x0F3e0c4218b7b0108a3643cFe9D3ec0d4F57c54e | Etherscan | Smart Contract - NoProtocolFeeLiquidityBootstrappingPoolFactory
BatchRelayerLibrary | 0xeA66501dF1A00261E3bB79D1E90444fc6A186B62 | Etherscan | Smart Contract - BatchRelayerLibrary (V6)
BalancerRelayer | 0x35Cea9e57A393ac66Aaa7E25C391D52C74B5648f | Etherscan | Smart Contract - BalancerRelayer (V6)
AuthorizerAdaptor | 0x8F42aDBbA1B16EaAE3BB5754915E0D06059aDd75 | Etherscan | Smart Contract - AuthorizerAdaptor
BALTokenHolderFactory | 0xB848f50141F3D4255b37aC288C25C109104F2158 | Etherscan | Smart Contract - BALTokenHolderFactory
BalancerTokenAdmin | 0xf302f9F50958c5593770FDf4d4812309fF77414f | Etherscan | Smart Contract - BalancerTokenAdmin
GaugeAdder | 0x5DbAd78818D4c8958EfF2d5b95b28385A22113Cd | Etherscan | Smart Contract - GaugeAdder (V4)
Vyper_contract | 0xC128a9954e6c874eA3d62ce62B468bA073093F25 | Etherscan | Smart Contract - VotingEscrow
Vyper_contract | 0xC128468b7Ce63eA702C1f104D55A2566b13D3ABD | Etherscan | Smart Contract - GaugeController
BalancerMinter | 0x239e55F427D44C3cc793f49bFB507ebe76638a2b | Etherscan | Smart Contract - BalancerMinter
Vyper_contract | 0xe5F96070CA00cd54795416B1a4b4c2403231c548 | Etherscan | Smart Contract - LiquidityGaugeV5 (V2)
LiquidityGaugeFactory | 0xf1665E19bc105BE4EDD3739F88315cC699cc5b65 | Etherscan | Smart Contract - LiquidityGaugeFactory (V2)
SingleRecipientGaugeFactory | 0x4fb47126Fa83A8734991E41B942Ac29A3266C968 | Etherscan | Smart Contract - SingleRecipientGaugeFactory (V2)
Vyper_contract | 0x67F8DF125B796B05895a6dc8Ecf944b9556ecb0B | Etherscan | Smart Contract - VotingEscrowDelegation (V2)
VotingEscrowDelegationProxy | 0x6f5a2eE11E7a772AeB5114A20d0D7c0ff61EB8A0 | Etherscan | Smart Contract - VotingEscrowDelegationProxy
ArbitrumRootGaugeFactory | 0x1c99324EDC771c82A0DCCB780CC7DDA0045E50e7 | Etherscan | Smart Contract - ArbitrumRootGaugeFactory (V2)
PolygonRootGaugeFactory | 0xa98Bce70c92aD2ef3288dbcd659bC0d6b62f8F13 | Etherscan | Smart Contract - PolygonRootGaugeFactory (V2)
FeeDistributor | 0xD3cf852898b21fc233251427c2DC93d3d604F3BB | Etherscan | Smart Contract - FeeDistributor (V2)
SmartWalletChecker | 0x7869296Efd0a76872fEE62A058C8fBca5c1c826C | Etherscan | Smart Contract - SmartWalletChecker
DistributionScheduler | 0xbfD9769b061E57e478690299011A028194D66e3C | Etherscan | Smart Contract - DistributionScheduler
Vyper_contract | 0x2E96068b3D5B5BAE3D7515da4A1D2E52d08A2647 | PolygonScan | Smart Contract - RewardsOnlyGauge
ChildChainGaugeFactory | 0x22625eEDd92c81a219A83e1dc48f88d54786B017 | PolygonScan | Smart Contract - ChildChainGaugeFactory V2
Vyper_contract | 0xc9b36096f5201ea332Db35d6D195774ea0D5988f | PolygonScan | Smart Contract - ChildChainGauge V2

V3 Assets in Scope

All Balancer V2 smart contracts can be found in the balancer/balancer-v2-monorepo repository on GitHub, and the Balancer V3 contracts in https://github.com/balancer-labs/balancer-v3-monorepo. However, only those in the Assets in Scope table are considered in scope for the bug bounty program.

If a Critical impact can be caused to any other asset managed by Balancer that isn't in this table, but whose impact is listed in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project.

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something in the Assets in Scope table.

Smart Contracts

Critical

  • Theft of >1% of total funds in the Vault
  • Permanent freezing of >1% of total funds in the Vault

High

  • Theft of deposited funds in excess of gas costs or swap fees
  • Permanent freezing of funds in excess of gas costs or swap fees

Medium

  • Temporary freezing of deposited funds in excess of gas costs or swap fees, potentially affecting multiple users
  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Individual losses of funds in excess of gas costs or swap fees, affecting a single user at a time (e.g. missing slippage checks)

Low

  • Individual DoS on a particular operation, affecting a single user at a time

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Known issues acknowledged in past audits and/or security contests

Smart Contracts and Blockchain

  • Incorrect data supplied by third-party oracles
    • This does not exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
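As an added example (this is illustrative code, not Balancer's or Immunefi's) of how a researcher can apply the "standard, Balancer-compatible ERC20" criterion from the proposal before spending time on a report: a Foundry test that asserts a transfer of N debits the sender by exactly N and credits the recipient by exactly N, and shows a fee-on-transfer token failing that check. It assumes forge-std and OpenZeppelin Contracts v5 are installed; the two token contracts, the 1% fee and the account labels are constructed for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Balancer code. Assumes forge-std and OpenZeppelin v5
// (which exposes the _update hook used by the fee token below).
import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// A plain EIP-20 token: the kind the bounty treats as in scope. Constructed for the example.
contract PlainToken is ERC20 {
    constructor() ERC20("Plain", "PLN") {
        _mint(msg.sender, 1_000_000e18);
    }
}

/// A constructed fee-on-transfer token (1% skimmed to a fee sink): one of the
/// non-standard behaviours the proposal lists as out of scope.
contract FeeOnTransferToken is ERC20 {
    address public immutable feeSink;

    constructor(address sink) ERC20("Fee", "FEE") {
        feeSink = sink;
        _mint(msg.sender, 1_000_000e18);
    }

    function _update(address from, address to, uint256 value) internal override {
        // Mints and burns are untouched; only real transfers pay the fee.
        if (from == address(0) || to == address(0)) {
            super._update(from, to, value);
            return;
        }
        uint256 fee = value / 100;
        super._update(from, to, value - fee);
        super._update(from, feeSink, fee);
    }
}

contract TokenCompatibilityTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");
    address sink = makeAddr("feeSink");

    /// Returns true only if transfer(amount) moves exactly `amount` out of `from`
    /// and exactly `amount` into `to`, which is the compatibility criterion quoted above.
    function movesExactly(IERC20 token, address from, address to, uint256 amount) internal returns (bool) {
        uint256 fromBefore = token.balanceOf(from);
        uint256 toBefore = token.balanceOf(to);
        vm.prank(from);
        bool ok = token.transfer(to, amount);
        if (!ok) return false;
        bool senderDebitedExactly = fromBefore - token.balanceOf(from) == amount;
        bool recipientCreditedExactly = token.balanceOf(to) - toBefore == amount;
        return senderDebitedExactly && recipientCreditedExactly;
    }

    function testPlainTokenIsCompatible() public {
        PlainToken token = new PlainToken();
        token.transfer(alice, 1_000e18);
        assertTrue(movesExactly(token, alice, bob, 400e18));
    }

    function testFeeOnTransferTokenIsNotCompatible() public {
        FeeOnTransferToken token = new FeeOnTransferToken(sink);
        token.transfer(alice, 1_000e18); // alice receives 990e18 after the fee
        // bob is credited 396e18 for a 400e18 transfer, so the check fails as intended
        assertFalse(movesExactly(token, alice, bob, 400e18));
    }
}
```

`forge test` runs this entirely on Foundry's local in-memory EVM, so nothing touches mainnet or a public testnet, which is also what the prohibited-activities list above requires. The same `movesExactly` helper can be pointed at a real token on a private fork by funding `alice` with forge-std's `deal(token, alice, amount)`; a token that fails it falls under the non-standard-ERC20 exclusion, whatever else the report shows.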

tl;dr:

  • Add V3 contracts to existing immunefi program
  • New program needs light KYC for payouts
  • Impact description was adjusted to better reflect potential issues and their severity for the V3 release
  • The rest of the terms and conditions remain mostly the same as before

Thanks for the clear specifications and update!

https://snapshot.org/#/s:balancer.eth/proposal/0x78e1e1243888b3c6f0bd6f4d4eeae66e8a753fb58db97502f3ddf6a6098bef6c
