Olympus Bug Bounties

Select the category you'd like to explore

Assets in Scope

Target	Type	Added on
	Smart Contract - Staking v2	7 February 2022
	Smart Contract - Authority	7 February 2022
	Smart Contract - Olympus Treasury	27 February 2023
	Smart Contract - Bond Depo v2	7 February 2022
	Smart Contract - gOHM	7 February 2022
	Smart Contract - Treasury v2	7 February 2022
	Smart Contract - OHM v2	7 February 2022
	Smart Contract - Boosted Liquidity Vault Manager	19 April 2023
	Smart Contract - Olympus Treasury	7 February 2022
	Smart Contract - Flex Loans (Incur Debt)	27 February 2023
	Smart Contract - sOHM v2	7 February 2022
	Smart Contract - Olympus Heart	27 February 2023

Target

Type

Smart Contract - Staking v2

Added on

7 February 2022

Target

Type

Smart Contract - Authority

Added on

7 February 2022

Target

Type

Smart Contract - Olympus Treasury

Added on

27 February 2023

Target

Type

Smart Contract - Bond Depo v2

Added on

7 February 2022

Target

Type

Smart Contract - gOHM

Added on

7 February 2022

Target

Type

Smart Contract - Treasury v2

Added on

7 February 2022

Target

Type

Smart Contract - OHM v2

Added on

7 February 2022

Target

Type

Smart Contract - Boosted Liquidity Vault Manager

Added on

19 April 2023

Target

Type

Smart Contract - Olympus Treasury

Added on

7 February 2022

Target

Type

Smart Contract - Flex Loans (Incur Debt)

Added on

27 February 2023

Target

Type

Smart Contract - sOHM v2

Added on

7 February 2022

Target

Type

Smart Contract - Olympus Heart

Added on

27 February 2023

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Critical	Loss of treasury funds
Critical	Loss of treasury funds
Critical	Loss of user funds
Critical	Loss of user funds
Critical	Loss of bond funds
Critical	Loss of bond funds

Severity

Critical

Title

Loss of treasury funds

Severity

Critical

Title

Loss of treasury funds

Severity

Critical

Title

Loss of user funds

Severity

Critical

Title

Loss of user funds

Severity

Critical

Title

Loss of bond funds

Severity

Critical

Title

Loss of bond funds

View rewards

Out of scope

Default Out of Scope and rules

Smart Contract specific

Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
Impacts requiring basic economic and governance attacks (e.g. 51% attack)
Lack of liquidity impacts
Impacts from Sybil attacks
Impacts involving centralization risks

All categories

Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
Impacts caused by attacks requiring access to leaked keys/credentials
Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
Best practice recommendations
Feature requests
Impacts on test files and configuration files unless stated otherwise in the bug bounty program
Impacts requiring phishing or other social engineering attacks against project's employees and/or customers