Alpha Venture DAO Bug Bounties

Program Overview

Alpha Venture DAO is building an ecosystem of DeFi products (the Alpha ecosystem), consisting of innovative building blocks that capture unaddressed demand in key pillars of the financial system. These building blocks will interoperate, creating the Alpha ecosystem that will be an innovative and more capital efficient way to banking in DeFi.

We explore and innovate at the fringes of Web3 and drive significant value to Web3 users, and ultimately, alpha returns to the Alpha community.

Homora V2 is Alpha Venture DAO’s first product and DeFi’s first leveraged yield farming product that captures the market gap in lending, one of the key pillars of the financial system.

Further information about Alpha Venture DAO can be found here https://docs.alphaventuredao.io/.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. For Smart Contract bug reports, PoCs and suggestions for a fix are not required but good to have and encouraged. Explanations and statements are not accepted as PoC and code is required.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. This includes a bounty of up to USD 500,000 from the Alpha Venture DAO team.

Payouts are handled by the Alpha Venture DAO team directly and are denominated in USD. However, payouts are done in ALPHA for payouts up to USD 500,000. For critical level smart contract vulnerabilities, payouts of up to USD 500,000 will take place with an upfront payout of up to USD 100,000 and USD 50,000 monthly vesting thereafter. .

Smart Contract

Critical
Level: Up to USD $500,000
Payout

High
Level: USD $20,000
Payout

Medium
Level: USD $5,000
Payout

Low
Level: USD $1,000
Payout

Websites and Applications

Critical
Level: USD $20,000
Payout

High
Level: USD $10,000
Payout

Medium
Level: USD $1,000
Payout

Assets in scope

https://gist.github.com/n1punp/e9d2961de5af69fbd9a39d0efbb77766
Target
Smart Contract - Alpha Homora v1 (ETH)
Type
https://gist.github.com/n1punp/afc21382eabf68a2a16a8f2947697338
Target
Smart Contract - Alpha Homora v1 (BSC)
Type
https://gist.github.com/n1punp/3345d1bf6d159c7d4457b41656cd11f7
Target
Smart Contract - Alpha Staking
Type
https://gist.github.com/n1punp/707f1fa2632ae9e3651b3686ac68d197
Target
Smart Contract - Homora v2
Type
https://gist.github.com/n1punp/66e994be78d5e303829f148feb96b0e8
Target
Smart Contract - Homora v2 (AVAX)
Type
https://homora-v2.alphafinance.io/
Target
Websites and Applications - Homora V2 (ETH & AVAX)
Type
https://tokenomics.alphafinance.io/
Target
Websites and Applications - Alpha Tokenomics
Type

In the Github link in the Assets in Scope table, only Exact Match Verified smart contracts are considered as in-scope of the bug bounty program.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

Any governance voting result manipulation
Critical
Impact
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Critical
Impact
Permanent freezing of funds
Critical
Impact
Miner-extractable value (MEV)
Critical
Impact
Protocol Insolvency
Critical
Impact
Theft of unclaimed yield
High
Impact
Permanent freezing of unclaimed yield
High
Impact
Temporary freezing of funds
High
Impact
Smart contract unable to operate due to lack of token funds
Medium
Impact
Block stuffing for profit
Medium
Impact
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Medium
Impact
Theft of gas
Medium
Impact
Unbounded gas consumption
Medium
Impact
Contract fails to deliver promised returns, but doesn't lose value
Low
Impact

Websites and Applications

Execute arbitrary system commands
Critical
Impact
Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)
Critical
Impact
Completely taking down the application/website e.g. remove all stored data in the database, self-destruct the server or the running vm
Critical
Impact
Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc
Critical
Impact
Subdomain takeover with already-connected wallet interaction
Critical
Impact
Direct theft of user funds
Critical
Impact
Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions
Critical
Impact
Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc
High
Impact
Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc
High
Impact
Improperly disclosing confidential user information such as email address, phone number, physical address, etc
High
Impact
Subdomain takeover without already-connected wallet interaction
High
Impact
Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the user name, or enabling/disabling notifications
Medium
Impact
Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data
Medium
Impact
Redirecting users to malicious websites (Open Redirect)
Medium
Impact

These accepted impacts are then based on the severity classification system of this bug bounty program. When submitting a bug report, please select the severity level you feel best corresponds to the severity classification system as long as the impact itself is one of the listed items.

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks
Centralization risks

Websites and Apps

Theoretical vulnerabilities without any proof or demonstration
Content spoofing / Text injection issues
Self-XSS
Captcha bypass using OCR
CSRF with no security impact (logout CSRF, change language, etc.)
Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
Server-side information disclosure such as IPs, server names, and most stack traces
Vulnerabilities used to enumerate or confirm the existence of users or tenants
Vulnerabilities requiring unlikely user actions
URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
Lack of SSL/TLS best practices
DDoS vulnerabilities
Attacks requiring privileged access from within the organization
Feature requests
Best practices

The following activities are prohibited by this bug bounty program:

Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty