dHEDGE-logo

dHEDGE

dHEDGE is a one-stop location for managing investment activities on the blockchain where you can put your capital to work in different strategies based on a transparent track record. Multi-chain, non-custodial, decentralized asset management integrated with multiple protocols; allowing for trades, providing liquidity and yield farming.

Polygon
Defi
Asset Management
Solidity
Maximum Bounty
$50,000
Live Since
09 November 2021
Last Updated
22 May 2024
  • PoC required

Select the category you'd like to explore

Assets in Scope

Target
Type
Smart Contract - Pool Factory Proxy
Added on
12 February 2022
Target
Type
Smart Contract - Governance
Added on
12 February 2022

Impacts in Scope

Severity
Critical
Title
Permanent loss or freezing of funds
Severity
High
Title
Permanent loss or freezing of funds $10m+ (Possible)
Severity
High
Title
Permanent loss or freezing of funds $100k+ (Very Likely)
Severity
Medium
Title
Permanent loss or freezing of funds $10m+ (Very Unlikely)
Severity
Medium
Title
Permanent loss or freezing of funds $1m+ (Unlikely)
Severity
Medium
Title
Permanent loss or freezing of funds $100k+ (Possible)
Severity
Medium
Title
Temporary freezing of funds (Very Likely)
Severity
Medium
Title
Loss of yield (Very Likely)
Severity
Medium
Title
Miner-extractable value (MEV)
Severity
Medium
Title
Unable to call smart contract
Severity
Low
Title
Permanent loss or freezing of funds $1m+ (Very Unlikely)
Severity
Low
Title
Permanent loss or freezing of funds $100k+ (Unlikely)

Out of scope

Program's Out of Scope information

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, DAO)
  • Attacks by privileged manager accounts which relate to poor trading practices or slippage.

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty