Union Finance Bug Bounties

Program Overview

UNION is a technology platform that combines bundled protection and a liquid secondary market with a multi-token model. DeFi participants manage their multi-layer risks across smart contracts and protocols in one scalable system. UNION decreases the barriers to entry for retail users and lays the foundation for institutional investors.

For more information about Union Finance, please visit https://www.unn.finance/.

The bug bounty program covers its smart contracts and is focused on the prevention of loss of user funds, denial of service, and data breaches, data leaks, and flashloan-related vulnerabilities.

KYC is only required for payouts above USD 5 000.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Payouts are handled by the Union Finance team directly and are denominated in USD. However, payouts are competed in USDT.

Smart Contract

Critical
Level: USD $20,000
Payout

High
Level: USD $10,000
Payout

Medium
Level: USD $500
Payout

Low
Level: USD $250
Payout

Assets in scope

https://github.com/UNIONProtocolFoundation/OC-Protection/tree/main/contracts
Target
Smart Contract
Type
https://github.com/UNIONProtocolFoundation/SC-Protection
Target
Smart Contract
Type

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

Critical Smart Contract Impact
Critical
Impact
High Smart Contract Impact
High
Impact
Medium Smart Contract Impact
Medium
Impact
Low Smart Contract Impact
Low
Impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks

The following activities are prohibited by bug bounty program:

Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty