Volt Protocol
Program Overview
VOLT Protocol is the world’s first currency that offers true purchasing power stability over time. Instead of losing your hard-earned savings to inflation, VOLT offers a chance to keep what’s yours and save with confidence regardless of market conditions. The protocol directs value to outperform inflation, and provides a backstop in case of volatility or loss to maintain VOLT stability.
For more information about Volt Protocol, please visit https://www.voltprotocol.io/.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.1. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
All bug reports must come with a PoC with an end-effect impacting an asset in scope in order to be considered for a reward. Explanations and statements are not accepted as a PoC; code is required.
Rewards for Critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected, in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 50,000 for Critical smart contract bug reports.
Previous issues highlighted in the following audit reports are considered to be out of scope:
- https://github.com/code-423n4/2022-03-volt/blob/main/audits/Volt%20Protocol%20-%20Zellic%20Audit%20Report.pdf
- https://github.com/code-423n4/2022-03-volt/blob/main/audits/Volt_MythX_analysis.pdf
- https://docs.google.com/document/d/18OmBsKDtTxgMyuMr9-GpLCiMu-kkOqj69Es1g9-GJ1E/edit?usp=sharing
Payouts are handled by Volt Protocol directly and are denominated in USD. However, payouts are done in USDC or VOLT, at the discretion of the team.
Smart Contract
- Critical: Up to USD 250,000
- High: USD 30,000
- Medium: USD 5,000
- Low: USD 1,000
Assets in scope
- Smart Contract - GlobalRateLimitedMinter
- Smart Contract - Volt Fuse PCV Deposit
- Smart Contract - Non Custodial PSM
- Smart Contract - Oracle Pass Through
- Smart Contract - Scaling Price Oracle
- Smart Contract - Core
- Smart Contract - Volt
All smart contracts of Volt Protocol can be found at https://github.com/volt-protocol/volt-protocol-core/tree/master. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something in the Assets in Scope table.
Smart Contract
- Critical: Any governance voting result manipulation
- Critical: Direct theft of any user or protocol funds, whether at-rest or in-motion, other than unclaimed yield, without privileged role
- Critical: Permanent freezing of funds without privileged role
- Critical: Protocol insolvency
- Critical: Logic errors in the oracle contracts that would cause loss of PCV
- High: Theft of unclaimed yield
- High: Permanent freezing of unclaimed yield
- High: Miner-extractable value (MEV) from PCV
- High: Temporary freezing of funds for at least 2 days without permissioned role
- High: Unauthorized privilege escalation by a user without a role in the system
- Medium: Smart contract unable to operate due to lack of token funds
- Medium: Block stuffing for profit
- Medium: Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Medium: Unbounded gas consumption
- Medium: Theft of gas
- Low: Smart contract fails to deliver promised returns, but doesn’t lose value
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks)
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty