The Carbon Defi Bug Bounty aims to incentivize responsible disclosures of any bugs in the Carbon Defi smart contracts. Starting with the official Beta launch, the carbon-contracts repository are subject to the bounty program.
Rewards are allocated based on the severity of the bug disclosed and awarded up to $900,000 USD. The scope, terms and rewards are at the sole discretion of the Bprotocol Foundation.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
Critical smart contract vulnerabilities are further capped at 10% of economic damage, which primarily takes into consideration the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused.
High smart contract vulnerabilities are further capped at 10% of economic damage, which primarily takes into consideration the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused.
To be eligible for a reward, an invoice must be provided to the Bprotocol Foundation, together with a proper invoice that indicates that it is for the reward of a valid bug report (e.g Carbon Defi bug bounty). The invoice must include the full name and address of the bug bounty hunter as well as an invoice number and date.
Payouts are handled by Bancor directly and are denominated in USD. However, payouts are done in BNT. All reward amounts are decided by the Bprotocol Foundation and all severity levels have no minimum reward amount.
- up to USD $900,000
- USD $4,500
- USD $900
Assets in scope
- Smart Contract - Carbon DefiType
To be eligible for a reward under this Program, you must:
- Discover a previously unreported, non-public vulnerability in Carbon Defi (but not on any third party platform interacting with Carbon Defi) that is within the scope of this Program. Vulnerabilities must be distinct from issues covered in any of the official security audits.
- Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24 hour period, rewards will be split at the discretion of Bprotocol Foundation.
- Provide sufficient information to enable contributors to reproduce and fix the vulnerability.
- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
- Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of Carbon Defi.
- Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this program.
- Not be a current or former vendor, contractor or subcontractor to the Bprotocol Foundation
- Not be subject to Swiss sanctions or reside in a Swiss-embargoed country.
- Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
- Direct theft of user or protocol funds other than unclaimed yieldCriticalImpact
- Protocol InsolvencyCriticalImpact
- Permanent freezing of fundsCriticalImpact
- Smart contract unable to operate due to lack of token fundsMediumImpact
- Block stuffing for profitMediumImpact
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)MediumImpact
- Unbounded gas consumptionMediumImpact
- Theft of gasMediumImpact
- Contract fails to deliver promised returns, but doesn't lose valueLowImpact
Out of Scope & Rules
The following are not within the scope of the Program:
- Bugs in any third party contract or platform that interacts with Carbon Defi.
- Vulnerabilities already reported and/or discovered in contracts built by third parties on Carbon Defi. We reserve the right to keep private previous bug disclosures.
- Any previously reported bugs.
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage.
- Attacks requiring access to leaked keys/credentials.
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third party oracles (Note that oracle manipulation and flash loan attacks are included in the bounty)
- Basic economic governance attacks (e.g. 51% attack)
- Best practice critiques
- Sybil attacks
- Bugs in any third party contract or platform that interacts with the Carbon Defi protocol (Note that oracle manipulation and flash loan attacks are included in the bounty)
The following activities are prohibited by bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets or private mainnet forks
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against contributors and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
By submitting your report, you grant the Bprotocol Foundation any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at the sole discretion of the Bprotocol Foundation. The terms and conditions of the Carbon Defi Bug Bounty Program may be altered at any time. The above scope, terms and rewards of the program are at the sole discretion of the Bprotocol Foundation.