Live since: 02 April 2021
KYC required
Maximum bounty

Program Overview

CompliFi is a derivatives issuance protocol combined with an Automated Market Maker (AMM). Deployed on Ethereum, it features minimal governance, no counterparty risk, no margin calls or liquidations, and limited sensitivity to blockchain congestion. Holding a derivative carries two major risks – loss of value if the market moves against you, and inability to collect your full payoff if the market moves in your favour. CompliFi takes away the latter risk.

CompliFi creates a derivative by taking a fixed pool of collateral and issuing equal quantities of two derivative assets that together always have a claim on the entire pool. The first (“primary”) asset is the chosen derivative and the second (“complement”) asset represents the opposite side of the trade. In other words, if you combine one unit of the primary asset with one unit of its complement, their respective risks cancel each other out - they can be exchanged back for a predetermined amount of collateral at any time.

For further information about CompliFi, please check

The bug bounty program covers CompliFi's smart contracts and app and is focused on preventing the loss of user funds.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All app bug reports must come with instructions on how to reproduce the bug in order to be considered for a reward.

For high and critical web and app bugs to be accepted, a PoC with demonstrated must be submitted, otherwise, this would qualify as Medium or get categorized as a best practices recommendation, which will not come with a reward.

Payouts are handled by the CompliFi team directly and are denominated in USD. Payouts are done in USDC or USDT, with the option for CompliFi to pay up to 50% in their governance token for critical vulnerabilities.

Smart Contracts and Blockchain

USD $50,000
USD $20,000
USD $5,000
USD $1,000
USD $0

Web and Apps

up to USD $20,000
USD $7,500
USD $3,250
USD $0
USD $0

Assets in Scope

Only web vulnerabilities that directly affect the web/app assets in this table are accepted within the bug bounty program. All others are out-of-scope.

Prioritized Vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Smart Contracts/Blockchain:

  • Re-entrancy
  • Logic errors
    • including user authentication errors
  • Solidity/EVM details not considered
    • including integer over-/under-flow
    • including unhandled exceptions
  • Trusting trust/dependency vulnerabilities
    • including composability vulnerabilities
  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks
    • including flash loan attacks
  • Congestion and scalability
    • including running out of gas
    • including block stuffing
    • including susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems
    • Signature malleability
    • Susceptibility to replay attacks
    • Weak randomness
    • Weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces

Web/App Vulnerabilities:

  • Remote Code Execution
  • Trusting trust/dependency vulnerabilities
  • Vertical Privilege Escalation
  • XML External Entities Injection
  • SQL Injection
  • Horizontal Privilege Escalation
  • Stored XSS
  • Reflective XSS with impact
  • CSRF with impact
  • Direct object reference
  • Internal SSRF
  • Session fixation
  • Insecure Deserialization
  • SSL misconfigurations
  • SSL/TLS issues (weak crypto, improper setup)
  • URL redirect
  • Clickjacking (must be accompanied with PoC)
  • Misleading Unicode text (e.g. using right to left override characters)

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing / Text injection issues
  • Self-XSS
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Attacks requiring privileged access from within the organization
  • Feature requests
  • Best practices

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty