Sector Finance Bug Bounties

Only those listed in the Assets in Scope table are considered to be in-scope of the bug bounty program.

Vulnerabilities found in code used by multiple contracts (ex: proxy contracts or multi-chain deployments) will count as a single submission. In other words, if one vulnerability can be executed on the same identical code over multiple contracts, this would count as a single report. When submitting such a report select one of the affected contracts and add links to others in the body of the report.

Smart Contracts

Smart Contracts - PoC, Smart Contract bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.
For more information on PoCs please visit: Proof of Concept (PoC) Guidelines and Rules
Smart contracts of Sector Finance strategies and vaults can be found at: https://github.com/sector-fi/sector-contracts/tree/main
All smart contracts of Sector Finance tokens can be found at: https://github.com/sector-fi/sector-token/tree/main/src
Only the main branch is in-scope for all repositories.

Whitehats are highly encouraged to review any potential subdomains and what specific port(s) are in scope. Even though the domain may be the same, different ports may point to different assets.

Dev Environment and Documentation

Sector Finance has included dev documentation and/or instructions to help in reviewing code and exploring for bugs:

https://github.com/sector-fi/sector-contracts (see README)

Impacts in Scope

(For Blockchain/DLT and Smart Contracts Only) This program is considered to be governed by Primacy of Rules. For more information on what this means visit: Best Practice - Primacy of Impact vs Primacy of Rules.

Impacts are based on the Immunefi Vulnerability Severity Classification System V2.2.

At Immunefi, we classify bugs on a simplified 5-level scale:

Critical
High
Medium
Low
None