DELV

The bug bounty program is focused on DELV’s the Element Protocol's Council Governance smart contracts and is mostly concerned with the loss of user funds and access to those funds without user permission.

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

In addition to assessing severity, the rewards will be considered based on the impact of the discovered vulnerability as well as the level of difficulty in discovering such vulnerability.

Payouts are handled by the DELV team directly and are denominated in USD. However, payouts are done in DAI or USDC.

KYC Requirement

DELV will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:

• Verified full name
• Address
• SSN (or equivalent)
• Country of residence.

Eligibility

To be eligible for a reward under the DELV Bug Bounty Program, you must:

• Discover a previously unreported and non-public vulnerability that would result in a loss of or a lock on any ERC-20 token in Council.. Each bug will only be considered for a reward once. This does not include third-party platforms interacting with Council..

• Be the first to disclose the unique vulnerability through Immunefi, in compliance with the disclosure requirements with Immunefi and the section below.

• Provide sufficient information to enable our team to reproduce and fix the vulnerability. This includes providing a PoC.

• Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.

• Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than the reward subject under this Program).

• Submit only one vulnerability per submission, unless you need to bundle vulnerabilities together in order to provide an accurate assessment of impact regarding any of the vulnerabilities.

• Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.

• Not be one of our current or former employees or contractors.

Disclosure and Reporting Guidelines

We ask that all bug bounty hunters, security engineers, and researchers:

• Make it a priority to avoid privacy violations, degradation of user experience, and disruption to production systems during security testing.
• Report vulnerabilities as soon as they have been discovered and keep them confidential between yourself and the DELV team until the issue(s) has been resolved.
• Only use the Immunefi bug reporting interface to report vulnerability information to us.
• Provide the team with at least 5 working days to investigate the issue and get back to you before taking any further action.

These accepted impacts are then based on the severity classification system of this bug bounty program. When submitting a bug report, please select the severity level you feel best corresponds to the severity classification system as long as the impact itself is one of the listed items.

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)
• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks

The following activities are prohibited by this bug bounty program:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty

Terms

By submitting your report through Immunefi, you grant DELV the rights to validate, mitigate, and disclose the vulnerability. All bug bounty reward decisions, including eligibility, amounts for rewards, and how such rewards will be paid, are made at DELV’s sole discretion. The terms and conditions of this Bug Bounty Program may be altered at any time.