Rocket Pool
Rocket Pool is a decentralised, non-custodial, and community-owned staking protocol for Ethereum. Rocket Pool aligns the interests of two user groups: those who wish to participate in tokenised liquid staking, and those who wish to stake ETH and run a node.
PoC required
Assets in Scope
Impacts in Scope
Direct theft of any user funds (with value > $250,000), whether at-rest or in-motion, other than unclaimed yield
Permanent freezing of user funds (with value > $250,000)
Direct theft of DAO owned funds (with value > $250,000), whether at-rest or in-motion
Permanent freezing of DAO owned funds (with value > $250,000)
Manipulation of governance voting result deviating from voted outcome and resulting in a cost impact > $250,000
Direct theft of any user funds (with value > $5,000 and < $250,000), whether at-rest or in-motion
Permanent freezing of user funds (with value > $5,000 and < $250,000)
Direct theft of DAO owned funds (with value > $5,000 and < $250,000), whether at-rest or in-motion
Permanent freezing of DAO owned funds (with value > $5,000 and < $250,000)
Manipulation of governance voting result deviating from voted outcome and resulting in a cost impact > $5,000 and < $250,000
Theft of unclaimed yield
Theft of unclaimed royalties
Out of scope
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks requiring access to privileged actors (guardian, ODAO members)
- Mentions of secrets in Github will be considered out of scope without proof that they are in use in production
Smart Contract specific
- Incorrect data supplied by third-party oracles (this exclusion does not cover oracle manipulation or flash loan attacks, which are not excluded)
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against the project's employees and/or customers