Found a significant smart contract bug in a DeFi project with over USD 10 million in Total Locked Value (TVL) without a bug bounty program? We’re here to help.
The Immunefi Disclosure Assistance program helps you responsibly disclose significant smart contract bugs in DeFi projects to make crypto a safer place. We’ll work with you to structure your smart contract bug report, leverage our reputation to get it reviewed, and help you stay safe in case your good work is not appreciated the way it should be.
Disclosure Assistance Process
- After you find a serious bug, make a good faith effort to find the affected project's bug bounty program or responsible disclosure process
- If no disclosure method is found, submit your smart contract bug report here to Immunefi according to our bug report process
- Immunefi will assess the threat level and reproducibility of the smart contract bug to validate it
- Immunefi will then contact the project on your behalf and facilitate the disclosure communications
- If the project determines a bug bounty is appropriate, Immunefi will provide recommendations for payout. Immunefi will keep you updated throughout the process
Bug bounty payouts are entirely at the discretion of the project affected, although Immunefi encourages bug bounty payouts for valid bug reports.
The fine print: Immunefi provides Disclosure Assistance on a best effort basis. Immunefi provides Disclosure Assistance as a service to the community. Immunefi receives no compensation for any of its activities under the Disclosure Assistance program. Immunefi cannot guarantee a response from the affected project for bugs submitted through Disclosure Assistance. Immunefi cannot make any guarantees regarding timelines to bug fix and/or bounty pay-out; delays may be significant for bugs reported in projects that do not have established programs and procedures. Immunefi does not make the final decision regarding whether a bug reported through the Disclosure Assistance program will be paid out; that decision is made by the affected project. Although Immunefi advocates that valid bugs be paid out, Immunefi is not able to guarantee a payout for bugs submitted through the Disclosure Assistance program.
Threat Level Classification
We assess the impact of all bug reports submitted through the Disclosure Assistance program using the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and for smart contracts/blockchains, that covers the consequence of exploitation, the privilege required, and the likelihood of a successful exploit. However, for the Disclosure Assistance program, only smart contract bugs are considered.
Bugs in Scope
The scope of our Disclosure Assistance program is limited to DeFi smart contract bugs that result in the loss of user funds, either by loss of access or by theft. Due to the resources needed to run this program, we are only able to provide this assistance to projects with a TVL of at least USD 10 million.
Accepted Vulnerability Types
Here’s a list of the vulnerability types that we accept, to give you a better idea of what we are able to support. However, this is by no means an exhaustive list of all vulnerabilities that are accepted in the program.
- Logic errors
  - including user authentication errors
- Solidity/EVM details not considered
  - including integer over-/under-flow
  - including unhandled exceptions
- Trusting trust/dependency vulnerabilities
  - including composability vulnerabilities
- Oracle failure/manipulation
- Novel governance attacks
- Economic/financial attacks
  - including flash loan attacks
- Congestion and scalability
  - including running out of gas
  - including block stuffing
  - including susceptibility to frontrunning
- Consensus failures
- Cryptography problems
  - Signature malleability
  - Susceptibility to replay attacks
  - Weak randomness
  - Weak encryption
- Susceptibility to block timestamp manipulation
- Missing access controls / unprotected internal or debugging interfaces
Unaccepted Vulnerability Types and Rules
The following vulnerabilities are not accepted by our Disclosure Assistance program.
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks that rely on social engineering
- Attacks requiring access to leaked keys/credentials
- Incorrect data supplied by third party oracles
  - Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Website and App vulnerabilities
We also generally do not work with bug reports that have violated any of our standard rules:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks against servers you do not own
- Automated testing of services that generates significant amounts of traffic
- Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode