Harvest Finance-logo

Harvest Finance

Harvest Finance automatically farms the highest yield available from the newest DeFi protocols and optimizes the yields that are received using the latest farming techniques.

Arbitrum
BSC
ETH
Polygon
Defi
L2
Yield Aggregator
JavaScript
Solidity
Maximum Bounty
$100,000
Live Since
02 December 2020
Last Updated
18 November 2024
  • PoC required

Rewards

Harvest Finance provides rewards in USDC on Ethereum, Arbitrum, denominated in USD.

Rewards by Threat Level

Smart Contract
Critical
Up to: $100,000
Primacy of Rules
High
Flat: $10,000
Primacy of Rules
Medium
Flat: $5,000
Primacy of Rules
Low
Flat: $2,500
Primacy of Rules
Critical Reward Calculation

Mainnet assets:

Reward amount is 10% of the funds directly affected up to a maximum of:

$100,000
Websites and Applications
Critical
Flat: $5,000
Primacy of Rules
High
Flat: $2,500
Primacy of Rules
Medium
Flat: $1,000
Primacy of Rules

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to the privilege required to the likelihood of a successful exploit.

The final reward amount for critical smart contract bugs is capped at 10% of economic damage based on the vulnerability reported with a minimum payout of USD 50 000.

Theft of yield/interest is considered as Medium for this bug bounty program.

All smart contract reports must include a PoC to be accepted. The PoC should provide clear proof of the vulnerability in a locally forked blockchain environment. All bug reports without a PoC will be rejected and require the submitter to resubmit with a PoC.

The following table is used for the classification of web and app bug reports. In the event of conflict with the Immunefi Vulnerability Severity Classification System, the classification on this table will be what is considered.

SeverityVulnerability
CriticalDeletion of site data, XSS/CSRF, ACE
HighDenial of Service, DoS ampliciation
MediumIncorrect modification of user data, leaking user data

All web and app bug reports must include a PoC to be accepted. All web and app bug reports without a PoC will be rejected and require the submitter to resubmit with a PoC.

Vulnerabilities that require moderator-approved access to be exploited will only receive a maximum of 20% of the advertised reward. For Critical Smart Contract and Blockchain vulnerability reports, this 20% is applied after the cap of 10% of economic damage.

Payouts are handled by the Harvest Finance team directly and are denominated in USD. Payouts up to USD 100 000 are paid in USDC.

Program Overview

Harvest Finance automatically farms the highest yield available from the newest DeFi protocols and optimizes the yields that are received using the latest farming techniques.

Harvest Finance is primarily interested in securing its smart contracts, which can be found in repositories of the following Github Organisation: https://github.com/harvestfi. Specific repositories that contain in-scope assets are listed in the table below. Primary areas of concern are anything that causes loss of user funds or frozen funds from a smart contract hack. Note that not all contracts in these repositories are deployed and in active use by the protocol. Only contracts in active use are within the scope of the bug bounty.

Harvest Finance is secondarily interested in securing its website, which can be found at https://harvest.finance/. Web vulnerability disclosures will be rewarded at a lower rate, relative to smart contract vulnerability disclosures.

KYC not required

No KYC information is required for payout processing.

Proof of Concept

Proof of concept is always required for all severities.

Prohibited Activities

Default prohibited activities
  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

Severity
Min. - Max.
Critical
$100k
High
$2.5k -$10k
Medium
$1k -$5k
Low
$2.5k
Total Assets in Scope
5