Harvest Finance
Harvest Finance automatically farms the highest yield available from the newest DeFi protocols and optimizes the yields that are received using the latest farming techniques.
PoC required
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to the privilege required to the likelihood of a successful exploit.
The final reward amount for critical smart contract bugs is capped at 10% of economic damage based on the vulnerability reported with a minimum payout of USD 50 000.
Theft of yield/interest is considered as Medium for this bug bounty program.
All smart contract reports must include a PoC to be accepted. The PoC should provide clear proof of the vulnerability in a locally forked blockchain environment. All bug reports without a PoC will be rejected and require the submitter to resubmit with a PoC.
The following table is used for the classification of web and app bug reports. In the event of conflict with the Immunefi Vulnerability Severity Classification System, the classification on this table will be what is considered.
| Severity | Vulnerability |
|---|---|
| Critical | Deletion of site data, XSS/CSRF, ACE |
| High | Denial of Service, DoS ampliciation |
| Medium | Incorrect modification of user data, leaking user data |
All web and app bug reports must include a PoC to be accepted. All web and app bug reports without a PoC will be rejected and require the submitter to resubmit with a PoC.
Vulnerabilities that require moderator-approved access to be exploited will only receive a maximum of 20% of the advertised reward. For Critical Smart Contract and Blockchain vulnerability reports, this 20% is applied after the cap of 10% of economic damage.
Payouts are handled by the Harvest Finance team directly and are denominated in USD. Payouts up to USD 100 000 are paid in USDC.
Program Overview
Harvest Finance automatically farms the highest yield available from the newest DeFi protocols and optimizes the yields that are received using the latest farming techniques.
Harvest Finance is primarily interested in securing its smart contracts, which can be found in repositories of the following Github Organisation: https://github.com/harvestfi. Specific repositories that contain in-scope assets are listed in the table below. Primary areas of concern are anything that causes loss of user funds or frozen funds from a smart contract hack. Note that not all contracts in these repositories are deployed and in active use by the protocol. Only contracts in active use are within the scope of the bug bounty.
Harvest Finance is secondarily interested in securing its website, which can be found at https://harvest.finance/. Web vulnerability disclosures will be rewarded at a lower rate, relative to smart contract vulnerability disclosures.
KYC not required
No KYC information is required for payout processing.
Prohibited Activities
- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Any other actions prohibited by the Immunefi Rules
Feasibility Limitations
The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity. Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.