ForceDAO Bug Bounties

Program Overview

Force DAO is a collective of investment strategists working to identify and productize alpha across DeFi. ForceDAO started with building out strategies on Ethereum and have now expanded strategies to Polygon.

Force DAO’s governance token is $FORCE. The token is designed to be used as the basis for the token governed organization, aligning incentives while keeping it 100% decentralized.

Further resources regarding the ForceDAO can be found on their website, https://www.forcedao.com/.

The bug bounty program is focused around its smart contracts and is mostly concerned with the loss of user funds.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Critical payouts are further capped at 10% of economic damage, primarily taking into account the user funds at risk.

Payouts are handled by the ForceDAO team directly and are denominated in USD. However, payouts are done in FORCE.

Smart Contract

Critical
Level: Up to USD $100,000
Payout

High
Level: USD $10,000
Payout

Medium
Level: USD $5,000
Payout

Assets in scope

https://polygonscan.com/address/0x7E428A383D0F3A3B8e2D4a0cA2cDde8792878e2c
Target
Smart Contract - Storage Contract
Type
https://polygonscan.com/address/0x8D7f8722B796526B7DBe94055cb405148cc47719
Target
Smart Contract - Vault Contract
Type
https://polygonscan.com/address/0x274Fd47DE106dB114Bd87f7c52e28996B5F066f9
Target
Smart Contract - SushiHodlStrategyFactory Contract
Type
https://polygonscan.com/address/0x5e6dccb2df12d78c13fb1e3195f05f1afefce5d1
Target
Smart Contract - MasterChefHodlStrategy Contract
Type
https://polygonscan.com/address/0xC1f99f723C7bDF1313140BFA29390138F1b325bf
Target
Smart Contract - StaticsHelper Contract
Type

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

Critical Smart Contract Impact
Critical
Impact
High Smart Contract Impact
High
Impact
Medium Smart Contract Impact
Medium
Impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)
Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
Purely informational or optimizational findings of low severity
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks

The following activities are prohibited by bug bounty program:

Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty