Bug Bounty Comp | Lido: Dual Governance

Lido is a liquid staking solution for Ethereum backed by industry-leading staking providers. Lido lets users stake their ETH - without locking assets or maintaining infrastructure - whilst participating in on-chain activities, e.g. lending.

ETH

Maximum Bounty: $2,000,000
Bonus Rewards Pool: $100,000
Rewards Token: USDC
Start Date: 29 July 2025
End Date: 12 August 2025
Lines of Code: 3,262

  • Triaged by Immunefi
  • PoC Required
Assets in Scope

All targets are smart contracts, added on 29 July 2025:

  • DualGovernance
  • EmergencyProtectedTimelock
  • Escrow
  • Executor
  • ImmutableDualGovernanceConfigProvider
  • ResealManager
  • TimelockedGovernance
  • HashConsensus
  • ProposalsList
  • TiebreakerCoreCommittee
  • TiebreakerSubCommittee
  • AssetsAccounting

Impacts in Scope

Build Commands, Test Commands, and How to Run Them

Is this an upgrade of an existing system? If so, which? And what are the main differences?

Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?

  • Attacks that result in indefinite blocking of governance decision execution.
  • Attacks that prevent the successful completion of the RageQuit process, potentially leading to permanent or temporary locking of users’ stETH/wstETH/unstETH/ETH in Escrow contracts.
  • Execution of proposals that bypass the enforced delays established by DualGovernance and EmergencyProtectedTimelock.

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?

  • Only stETH and wstETH (ERC20), and unstETH (ERC721) tokens are supported.

What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?

Which chains and/or networks will the code in scope be deployed to?

  • hoodi/mainnet

What external dependencies are there?

Critical

  • Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Protocol insolvency
  • Incorrect calculation of multisig signers required for transaction processing

High

  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Temporary freezing of funds
  • Prevention of governance participation despite design parameters providing participation rights
  • Acquiring owner/admin rights or roles without contract’s owner/admin action
  • Impact caused by missing access controls allowing execution of privileged actions (e.g., changing protocol parameters or upgrading contracts) without the required privileged roles

Medium

  • Impacts caused by griefing with no economic damage other than transaction fees, where the fix requires a change or a pause of a smart contract

Out of scope

Default Out of Scope and rules

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers