PerpetualEscapeVerifier (DavionLabs/APexPro contract)

StarkPerpetual (DavionLabs/APexPro contract)

AllVerifiers (DavionLabs/APexPro contract)

PerpetualTokensAndRamping (DavionLabs/APexPro contract)

PerpetualState (DavionLabs/APexPro contract)

PerpetualForcedActions (DavionLabs/APexPro contract)

FinalizableGpsFactAdapter (DavionLabs/APexPro contract)

PerpetualEscapeVerifier  (DavionLabs/APexPro contract)

Impacts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production. For those assets, the code is in scope only if it relates to the latest commit in the master branch. 

Any impact that applies to assets not in active use, like test or mock files, are out-of-scope of the bug bounty program unless explicitly mentioned as in-scope. 

__Blockchain/DLT__ 

- __Blockchain/DLT - PoC__, Blockchain/DLT bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.  
- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)

__Smart Contracts__ 

- __Smart Contracts - PoC__, Smart Contract bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.  
- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)


__Impacts in Scope__

(For Blockchain/DLTR and Smart Contracts Only) This program is considered to be governed by Primacy of Rule. For more information on what this means visit: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) 

Impacts are based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/)

At Immunefi, we classify bugs on a simplified 5-level scale:
- Critical
- High
- Medium
- Low
- None

StarkEx leverages STARK technology to power scalable, self-custodial trading and payment transactions for applications such as DeFi and gaming. StarkEx enables an application to scale significantly and improve transaction speed while also reducing transaction costs.StarkEx is a production-grade platform that has been deployed on Ethereum Mainnet since June 2020 and settled over $800B since then.

Temporary freezing of funds for at least 1 week

Temporary freezing of funds for at least a week

Temporary freezing of NFTs for at least a week

Direct loss of funds

Permanent freezing of funds (fix requires hardfork)

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties

Permanent freezing of funds

Permanent freezing of NFTs

Unauthorized minting of NFTs

StarkEx Documentation

__Reward Distribution__

Please review how rewards are distributed based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/) This is a simplified 5-level scale system with separate scales for Blockchain/DLTs and Smart Contracts.

__Payouts and Payout Requirements__

Payouts are handled by StarkWare directly and are denominated in USD. However, payouts are done in USDC. StarkWare commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures. 

Rewards for both critical Blockchain/DLT and critical Smart Contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 40 000 and a maximum reward of USD 500 000 for Blockchain/DLT vulnerabilities; minimum reward of USD 50 000 and a maximum reward of USD 1 000 000 for Smart Contracts vulnerabilities. 

For the purposes of determining report validity, this is a Primacy of Rule program. 

Learn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules.](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact) 

__Repeatable Attack Limitations__

In cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.

StarkWare does have a Know Your Customer (KYC) requirement for bug bounty payouts. 

StarkWare requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is a full legal name, residential address, date of birth and copy of national ID/passport. Bounty hunters must pass OFAC Screening. Rewards cannot be paid out if hunters are on the OFAC SDN list and/or do not complete the KYC.

KYC information is only required on confirmation of the validity of a bug report.   

__Audit Discoveries and Known Issues__

Bug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. 

Previous audits and known issues can be found at:
[https://github.com/starkware-libs/starkex-contracts/tree/master/audit ](https://github.com/starkware-libs/starkex-contracts/tree/master/audit)