__KYC Requirement__

Fluid Protocol will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:
- Full name 
- Date of birth
- Proof of address (either a redacted bank statement with address or a recent utility bill)
- Copy of Passport or other Government issued ID

Security researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.

__Asset Accuracy Assurance__

Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.

__Private Known Issues Reward Policy__

Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward equal to that of a bug one severity lower.

__Primacy of Impact vs Primacy of Rules__

Fluid protocol adheres to the Primacy of Impact for all severities listed.

Primacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact 
When submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.

If the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.

All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.

__Responsible Publication__

Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:
- Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.

Immunefi may publish bug reports submitted to this audit competition and a leaderboard of the participants and their earnings.

__Immunefi Standard Badge__

By adhering to Immunefi’s best practice recommendations, Fluid Protocol has satisfied the requirements for the [Immunefi Standard Badge](https://immunefisupport.zendesk.com/hc/en-us/articles/15006865432209-The-Immunefi-Standard-Badge).

**Fluid Protocol's Invite-Only Program is a form of Audit Competition which is exclusively accessible to a select group of security researchers who have submitted at least 1 valid report during Fuel Attackathon event. These researchers will share a flat reward pool for every valid bug found.**

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Permanent freezing of funds

Protocol insolvency

Theft of unclaimed yield

Theft of unclaimed royalties

Permanent freezing of unclaimed yield

Smart contract unable to operate due to lack of token funds

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Theft of gas

Unbounded gas consumption

Contract fails to deliver promised returns, but doesn't lose value

Temporary freezing of funds for more than one week

__Proof of Concept (PoC) Requirements__

A PoC, demonstrating the bug's impact, is required for this program and has to comply with the [Immunefi PoC Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules).

__Whitehat Educational Resources & Technical Info__

- [https://docs.hydrogenlabs.xyz/fluid-protocol-community/](https://docs.hydrogenlabs.xyz/fluid-protocol-community/)
- Ottersec audit: [https://drive.google.com/file/d/1qhiI26aB9MTXfo-hLW8Qy9ki2ueCudKN/view?usp=sharing](https://drive.google.com/file/d/1qhiI26aB9MTXfo-hLW8Qy9ki2ueCudKN/view?usp=sharing)


__Is this an upgrade of an existing system? If so, which? And what are the main differences?__

This is a rewrite of Liquity (v1) from Solidity into Sway, with numerous design changes. The main differences are the lack of recovery, multi-collateral system with single stability pool, and partial liquidations.

__Where do you suspect there may be bugs? Useful aspects of this question are:__

Yes, please see required functions across all the contracts. Specifically in FPT staking, there are the same assumed invariants as in this report for Liquity: [https://github.com/trailofbits/publications/blob/master/reviews/LiquityProtocolandStabilityPoolFinalReport.pdf](https://github.com/trailofbits/publications/blob/master/reviews/LiquityProtocolandStabilityPoolFinalReport.pdf)
Additionally, math rounding throughout the contracts, since we are using 9 decimals of precision whereas liquity is using 18. 

__What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?__

SRC-20 Token Standard

__What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?__

An Owner is out of scope. 


__What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?__

Owner Address.

__What external dependencies are there?__

Fuel standard library primarily. Sway libs. Pyth, Redstone. 


__Are there any unusual points about your protocol that may confuse whitehats?__

The Fluid Proocol docs overview covers the main design changes from Liquity. There are some other minor changes that are not documented. 

__What is the test suite setup information?__

The tests for the smart contracts are included in the GitHub repo: [https://github.com/Hydrogen-Labs/fluid-protocol](https://github.com/Hydrogen-Labs/fluid-protocol)

**Test Structure:**
Unit tests for some smart contracts are located in ./contracts/[contract-name]/src/utils.sw
Integration tests are located in 
The interfaces and setup for integration tests are in 

**Running the Tests:**
Make sure you have fuelup, fuel-core, cargo, and rust installed
Use command: make build-and-test

__Public Disclosure of Known Issues__

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 

__Previous Audits__

Fluid Proocol’s completed audit reports can be found here [https://drive.google.com/file/d/1qhiI26aB9MTXfo-hLW8Qy9ki2ueCudKN/view?usp=sharing](https://drive.google.com/file/d/1qhiI26aB9MTXfo-hLW8Qy9ki2ueCudKN/view?usp=sharing). Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.

The following reward terms are a summary, for the full details read our [Fluid Protocol Invite-only program Reward Distribution Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/29970475885457-Fluid-Protocol-Invite-Only-Program-Reward-Terms). 

A reward pool of $80,000 USD will be distributed among participants, even if no valid bugs are found. 

Duplicates and private known issues are valid for a reward.

Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).

Rewards will be distributed all at once based on Immunefi’s distribution formula after the event has concluded and the final bug reports have been resolved.

__Insight Rewards Payment Terms__

Insight Rewards: Portion of the Rewards Pool

* The "Insight" severity was introduced on Audit Competition & Attackathon programs to recognize contributions that extend beyond identifying immediate vulnerabilities. Currently, it's not an option to select the Insight severity when submitting a report. However, our team or program will designate it accordingly if applicable. "Insights" underscores our commitment to valuing all types of contributions that contribute to a more secure environment and will always be rewarded. [View more information about Insights](https://immunefisupport.zendesk.com/hc/en-us/articles/13333032674961-Severity-Classification-System?utm_source=immunefi)


Private known issues will unlock higher reward pools as though they were one severity level lower. For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a High severity bug being found.

The severity level of private known issues remains unchanged and whitehats earn their portion of the reward pool and position on the leaderboard according to this unchanged severity level.
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3.

IOP | Fluid Protocol

Live

Live