R Bounty

Program Overview

Robert Forster, CTO of ArmorFi, a smart insurance aggregator for DeFi which provides Pay as You Go and Only Pay What You Owe ᴰᵀᴹ coverage for user funds across various protocols, is interested in securing the wider Ethereum ecosystem by encouraging responsible disclosures to prevent catastrophic hacks on any project on Ethereum. In light of the success from ArmorFi’s bug bounty program where Alexander Schlindwein (@bobface16) from IdeaMarkets disclosed a critical bug via Immunefi, Robert Forster is launching the R Bounty program with a reward of 250 000 ARMOR.

The bug bounty program covers critical smart contract bugs across the Ethereum ecosystem according to the Immunefi Vulnerability Severity Classification System that could result in the immediate loss of the equivalent of at least USD 1 million.

Bug Disclosure Process

• After you find a serious smart contract bug that causes over at least USD 1m of user funds to be at risk, submit your smart contract bug report here according to our bug report process
• Immunefi will assess the reproducibility of the smart contract bug to validate it as well as the threat level
• Immunefi will then contact the project on your behalf and facilitate the disclosure communications according to the requirements of the project. Immunefi will keep you updated throughout the process

The fine print: Robert Forster, CTO of ArmorFi, provides R Bounty as a service to the Ethereum community. Robert Forster and the ArmorFi team receive no compensation for any of its activities under the R Bounty program. Robert Forster, ArmorFi, and Immunefi cannot guarantee a response from the affected project for bugs submitted through the R Bounty program.

Bugs in Scope

The scope of the R Bounty program is only around smart contract bugs of projects on Ethereum that could result in the loss of a total of at least USD 1 million worth of user funds, either by loss of access or by theft.

Reward

Robert Forster will reward successful disclosures with 250 000 ARMOR, with 25 000 ARMOR upfront and the remaining 225 000 ARMOR vested over 6 months.

If a project has an existing bug bounty program, or if the project decides to reward you as well, you’ll get the full payout reward they have for the critical bug in addition to the reward in ARMOR.

Accepted Vulnerability Types

Here’s a list of the vulnerability types that the program accepts to give you a better idea on what R Bounty is able to support. However, this is by no means an exhaustive list of all vulnerabilities that are accepted in the program. Note that only the vulnerability types under “Smart Contracts and Blockchain” are accepted.

Accepted Vulnerabilities

Unaccepted Vulnerability Types and Rules

The following vulnerabilities are not accepted by our Disclosure Assistance program, as well as all web and app vulnerabilities.

Unaccepted Vulnerabilities

We also generally do not work with bug reports that have violated any of our standard rules:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode