Impossible Cloud Network

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. Reward Calculation for Critical Level Reports

For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 25 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.

Repeatable Attack Limitations

If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. The amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every 1h the attack needs for subsequent attacks from the first attack, rounded down Reward Calculation for High Level Reports

High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 3 000 to USD 5 000 with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward.

In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward.

Primacy of Impact vs Primacy of Rules

Impossible Cloud Network adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.

Proof of Concept (PoC) Requirements

A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.

Public Disclosure of Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

Intended functionality:

• Temporary freezing of funds: The ICN Protocol has implemented a pause feature which stops funds from being able to transit through the protocol. Meaning ICNT cannot be deposited or withdrawn until unpaused. This is used only in critical scenarios of catastrophic bugs that may jeopardize user funds or protocol economies to minimize damage and give time for the team to issue fixes.

• Smart contract unable to operate due to lack of token funds: Protocol rewards are funded by a smart contract that rewards activity via a reward fund. As the reward fund depletes, the ICN protocol will be topped up to maintain healthy operation. While there is no protocol rule to prevent the reward fund from depleting completely, ICN is regularly maintaining checks and periodically returns the fund to healthy levels.

• Scenarios that involve unsupported states or rely on assumptions (such as transferring an NFT while staked, etc) are not considered valid and will be rejected.

Known issues:

• ScalerNode can be removed before its utilized capacity is reset: Users can create bookings for resources on ScalerNodes. The BookingManager is responsible for updating the utilized capacity trackers for the region, cluster and hardware provider for the node that's being booked/re-booked. As a booking expires the updates to these trackers are not updated immediately, instead a call to expireCapacity() needs to be made which will perform the desired operations. Currently a node can be removed by a call to removeScalerNode() on ICNRegistry which does not check whether the capacity for the node is still marked as utilized. After removing the node it will be impossible to revert the utilized capacity updates that were made in creating the last booking for the removed node. As a result various computations around protocol rewards will be inaccurate since they'll operate with inaccurate utilized capacity numbers.

• Users are not guarded against price increase in the extendBooking path: Users are guarded against unexpected price increases in the bookCapacity function by specifying a maxBookingPrice. But this guard is not present in the extendBooking function where similar similar issue can occur.

• Link token ids must be smaller than the max uint32 value: The modules supporting link staking and reward claiming assume that link token ids have a value lower than the max uint32 value.Currently the ICN link contract supports minting tokens that do not satisfy this constraint, as a result governance might accidentally mint tokens that are incompatible with the modules.

Reward Payment Terms

Payouts are handled by the Impossible Cloud Network team directly and are denominated in USD. However, payments are done in USDC on Base.

The calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.