RenVM
Program Overview
RenVM provides one of the few practical interoperability solutions that can scale, and it is the only solution that allows for secret computation over multiple inputs and multiple parties. RenVM is not a product or an application in and of itself; it is a network (and an accompanying SDK) that allows developers to bring cross-chain functionality to their DeFi applications.
RenVM is a network powered by a decentralized virtual machine. This virtual machine is replicated over thousands of machines that work together to power it, each contributing network bandwidth, computational power, and storage capacity. These machines are known as Darknodes, and they earn a share of the volume transacted through RenVM.
For more information about RenVM, please visit their website at https://renproject.io/.
The bug bounty program is focused on the following impacts on funds custodied within RenVM and on ancillary components of the protocol (e.g. darknode fees going to operators, CEF funds, etc.):
- The ability to steal, modify, access, or distort funds in these components.
- The ability to hack, steal, or modify smart contracts in a way that would break RenVM's 1:1 peg or jeopardize the contracts' ability to store funds securely.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
To qualify for a reward, all bug reports must:
- Not have been previously reported.
- Not have broken the law in any jurisdictions.
- Include disclosure on how the issue was found.
- Include a proof of concept (PoC) and demonstration of the exploit.
Bug reports that do not satisfy all four requirements will not be eligible for a reward.
PoCs must be written with Hardhat and run against a Ganache fork of Mainnet, with the attack actually executed on that fork.
Rewards for critical vulnerabilities are capped at 10% of the economic damage the vulnerability could cause, primarily taking into consideration the funds at risk. However, the team may factor in PR and branding considerations at its discretion.
Payouts are handled by the RenVM team directly and are denominated in USD. Payouts are done in REN, USDC, or USDT, at the choice of the bug bounty hunter.
Smart Contract
- Critical: up to USD $1,000,000
- High: USD $1,500 - USD $5,000
- Medium: USD $600 - USD $1,500
- Low: USD $200 - USD $600
Assets in scope
Blockchain/DLT
- Consensus engine
- P2P networking library
- Blockchain adapters
- MPC library
Smart Contract (ERC20 deployment)
- GatewayRegistry
- BasicAdapter
- renBTC ERC20
- renBTC Gateway
- renZEC ERC20
- renZEC Gateway
- renBCH ERC20
- renBCH Gateway
- renFIL ERC20
- renFIL Gateway
- renDOGE ERC20
- renDOGE Gateway
- renDGB ERC20
- renDGB Gateway
- renLUNA ERC20
- renLUNA Gateway
Smart Contract (protocol and Darknode contracts)
- Protocol
- DarknodeRegistry
- DarknodeRegistryStore
- DarknodePayment
- DarknodePaymentStore
Smart Contract (BEP20 deployment)
- GatewayRegistry
- BasicAdapter
- renBTC BEP20
- renBTC Gateway
- renZEC BEP20
- renZEC Gateway
- renBCH BEP20
- renBCH Gateway
- renFIL BEP20
- renFIL Gateway
- renDOGE BEP20
- renDOGE Gateway
- renDGB BEP20
- renDGB Gateway
- renLUNA BEP20
- renLUNA Gateway
The asset table lists the ERC20 contract set (GatewayRegistry, BasicAdapter, and the ren-asset ERC20 and Gateway contracts above) three further times.
For added reference, please take a look at their GitHub - https://github.com/renproject. However, only the contracts listed as in-scope here are considered as part of the bug bounty program.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Smart Contract
- Loss of user funds staked (principal) by freezing or theft (Critical)
- Loss of governance funds (Critical)
- Theft of unclaimed yield (High)
- Freezing of unclaimed yield (High)
- Temporary freezing of funds for any amount of time (High)
- Unable to call smart contract (Medium)
- Smart contract gas drainage (Medium)
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts
- Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks)
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
Blockchain (All)
- Bugs in third party dependencies
- Known limitations (e.g. failures when there are more than k malicious players)
- For Hyperdrive:
  - Problems in the implementation/general deviations from the spec (https://github.com/renproject/hyperdrive/wiki)
- Logic errors
- Errors in the serialisation/deserialisation of data
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty