SparkLend

Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below.

Reward Calculation for Critical Level Reports

For critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 5 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.

Repeatable Attack Limitations

In cases of repeatable attacks for smart contract bugs, only the first attack is considered if the smart contracts where the vulnerability exists can be upgraded, paused, or killed. If the attack impacts a smart contract directly holding funds that cannot be upgraded or paused, the amount of funds at risk will be calculated with the impact of the first attack being at 100% and then for every 300 blocks the attack needs for subsequent attacks from the first attack the impact will be counted at a reduction of 25% from the impact of the first attack, rounded down. For avoidance of doubt, if a second attack would happen at 600 blocks and then a third at 900 blocks, the funds at risk would be counted at 50% and 25% of the reward from the first attack, respectively.

However, for smart contracts directly holding funds that cannot be paused, if a discovered vulnerability includes the temporary locking of funds that could otherwise be withdrawn and thus prevented from being stolen but still accessible to the exploiter to take the funds, the time is extended to the exact same time as temporary locking. Extensions of the temporary locking that introduce a gap where withdrawals can happen will not be considered.

We do not consider funds locked if:

• Funds are not used as collateral and can eventually be recovered by a governance action

Reward Calculation for High Level Reports

High smart contract impacts will be capped at up to 100% of the funds affected. In the event of temporary freezing, the reward doubles for every additional 300 blocks that the funds could be temporarily frozen, rounded down to the nearest multiple of 300, up to the hard cap of USD 100 000. However, if it is within the hard cap, there is a further hard cap of 1000% of the funds affected.

However, a temporary freezing impact with less than 150 blocks will be rewarded the flat amount of USD 10 000.

We do not consider funds frozen if:

• Funds are not used as collateral and can eventually be recovered by a governance action

Restrictions on Security Researcher Eligibility

Security researchers who fall under any of the following are ineligible for a reward

• Compensated contributors of Spark and/or MakerDAO who have written code for at least one of the assets in scope below

Previous Audits

SparkLend has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports are not eligible for a reward.

• https://devs.spark.fi/security/security-and-audits

Proof of Concept (PoC) Requirements

A PoC is required for the following severity levels:

• Smart Contract - Critical
• Smart Contract - High

All PoCs submitted must comply with the Immunefi-wide PoC Guidelines and Rules. Bug report submissions without a PoC when a PoC is required will not be provided with a reward.

Other Terms and Information

• In the calculation of the USD value of the total value locked metric in determining the funds at risk, it does not include outstanding borrows.
• Referenced libraries, proxy implementations and inherited contracts of all listed assets in scope are also considered in scope of the bug bounty program.
  • In selecting an asset in scope that is impacted, please select the most relevant asset.
• In order to be eligible for a reward, the vulnerability must exist in the deployed smart contract and not just the GitHub file. In the event that a vulnerability exists on the GitHub file but not on the most recently deployed contract, this may be due to a fix to address a vulnerability but done in a discreet manner until proper communication can be done.

Reward Payment Terms

Reward Denomination: Payments are denominated in USD. However, payouts are done in DAI assuming a full 1:1 ratio with the USD. However, if the price of DAI deviates from the USD value by more than 1%, the amount of DAI will be adjusted.

Payout Process: All bounty payouts are handled by MakerDAO governance. Upon confirmation, bug bounty payouts should be included in the next possible ‘executive spell’, which is a governance vote with an onchain payload attached to it. This would involve sending DAI directly from the protocol’s buffer to the whitehat hacker.

Immunefi will publicly contact one of the Governance Facilitators with the request, including a specification of the respective vulnerability report, the requested amount and the Ethereum mainnet addresses of the beneficiaries. This should also include the payment details of the Immunefi fee, if it applies. Immunefi and the Maker Governance Facilitators should make sure the payout occurs up to one full calendar month after the report was approved.

For bug bounty rewards over USD 1 000 000, after the first million is paid out, the remaining amount is paid out over time with up to USD 1 000 000 per consecutive month until the determined amount for payout is reached.