Omni Network

For critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward [$500K]. However, a minimum reward of USD [$50,000] is to be rewarded in order to incentivize security researchers against withholding on a bug report.

For critical Blockchain/DLT bugs with a non-funds-at risk impact, the reward will be paid out as follows:

• Network not being able to confirm new transactions (total network shutdown) - [$50,000]
• Unintended permanent chain split requiring hard fork (network partition requiring hard fork) - [$50,000]
• Permanent freezing of funds (fix requires hardfork) - [10% of the funds at risk or $50,000, whichever is lower]

For high Blockchain/DLT non-funds-at risk impacts, the reward will be paid out as follows:

• Unintended chain split (network partition) - [$25,000]
• Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments - [$25,000]
• Causing network processing nodes to process transactions from the mempool beyond set parameters - [$15,000]
• RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer - [$15,000]

For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD [$500,000]. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD [$25,000] is to be rewarded in order to incentivize security researchers against withholding a critical bug report.

Repeatable Attack Limitations

If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.

For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.

Reward Calculation for High Level Reports

High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of [$5,000] to [$25,000] depending on the funds at risk, capped at the maximum high reward.

In the event of temporary freezing, the reward doubles from the full frozen value for every additional [24h] that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.

For critical web/apps bug reports will be rewarded with [$50,000], only if the impact leads to: A loss of funds involving an attack that does not require any user action Private key or private key generation leakage leading to unauthorized access to user funds

All other impacts that would be classified as Critical would be rewarded a flat amount of [$25,000]. The rest of the severity levels are paid out according to the Impact in Scope table.