Badger DAO

Live since: 08 January 2021
KYC required: No
Maximum bounty: $500,000

Program Overview

Badger DAO builds applications to help bring Bitcoin to DeFi.

Verification

Verification of Badger DAO's bug bounty program on Immunefi is available at

See verification

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability, based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to the privilege required to the likelihood of a successful exploit.

  • Critical - Empty or freeze the contract's holdings
  • High - Token holders temporarily unable to transfer holdings
  • Medium - Denial of Service (e.g. unbounded gas, block stuffing)
  • Low - Contract fails to deliver promised returns (e.g. high-level economic errors)

Payouts are handled by Badger directly. Payouts are denominated in USD and are paid out in the reporter's choice of:

  • Badger
  • Ethereum
  • Bitcoin
  • a stablecoin
    • USDC
    • DAI
    • USDT

Smart Contracts and Blockchain

Level      Payout
Critical   up to USD $500,000
High       up to USD $5,000
Medium     up to USD $500
Low        up to USD $250
None       USD $0

Assets in Scope

Prioritized Vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

  • Re-entrancy
  • Logic errors
    • including user authentication errors
  • Solidity/EVM details not considered
    • including integer over-/under-flow
    • including unhandled exceptions
  • Trusting trust/dependency vulnerabilities
    • including composability vulnerabilities
  • Oracle failure/manipulation
  • Economic/financial attacks
    • including flash loan attacks
  • Congestion and scalability
    • including running out of gas

Out of Scope & Rules

The following vulnerabilities are not eligible for bounties under this program:

  • Theoretical vulnerabilities without any proof or demonstration
  • Incorrect data supplied by third party oracles
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques

Additionally, Badger's website hosted at https://badger.finance and the infrastructure that hosts that site are excluded from this bug bounty program. Reports of web vulnerabilities that do not impact Badger's Web3 smart contract interface will not receive a payout under this program. Web vulnerabilities that are claimed to impact Badger's Web3 smart contract interface must be accompanied by a proof-of-concept exploit. Web vulnerabilities may be included in future versions of this program; watch this page for updates.

Rules

The following actions and behaviors are prohibited. Engaging in any of them will prevent collection of a bounty and may result in prosecution:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against employees and/or customers
  • Testing any denial of service attacks
  • Automated testing of services that generates significant amounts of spam transactions
  • Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode
  • Public disclosure of an unpatched vulnerability