Bug Bounty

We have an active bug bounty on Immunefi that has been live since January 2021. Immunefi is a leading bug bounty platform for Web3 with the world's largest bug bounties.

The bug bounty covers Perpetual Protocol's smart contract code. You can find all the relevant details here: https://immunefi.com/bounty/perpetual/

Impacts in Scope

The assets in scope for each severity level are:

  • Critical:
    • Any governance voting result manipulation,
    • Direct theft of any user funds, whether in-rest or at-motion, other than unclaimed yield,
    • Permanent freezing of funds,
    • Miner-extractable Value (MEV),
    • Protocol insolvency.
  • High:
    • Theft of unclaimed yield,
    • Permanent freezing of unclaimed yield.
  • Medium:
    • Smart contract unable to operate due to lack of token funds,
    • Block stuffing for profit,
    • Griefing (e.g., no profit motive for an attacker, but damage to the users or the protocol).
  • Low:
    • Contract fails to deliver promised returns, but doesn't lose value.

The severity guidelines are based on Immunefi's vulnerability severity classification system.

Payouts

Rewards are distributed based on the severity of the vulnerability, as shown below:

Severity   Estimated Payout
Critical   10% of the TVL in the Clearinghouse contract (minimum: $10,000, maximum base payout: $820,000)
High       $5,000 to $9,999
Medium     $1,000 to $4,999
Low        Up to $999

You must create an account with Immunefi and submit any in-scope bugs you discover here: https://bugs.immunefi.com/. Each bug submission will be evaluated on a case-by-case basis.

More information about the submission process is available via Immunefi's blog: https://medium.com/immunefi/a-hackers-guide-to-submitting-bugs-on-immunefi-1e6b7ada71a9

Base payouts will be handled by the Perpetual Protocol team and will be denominated in USD, but paid in PERP tokens. All amounts are calculated using a 7-day TWAP price which ends on the day of submission.

Invalid Bug Bounties

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage,
  • Attacks requiring access to leaked keys/credentials,
  • Attacks requiring access to privileged addresses (governance, strategist),
  • Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks),
  • Basic economic governance attacks (e.g. 51% attack),
  • Lack of liquidity,
  • Best practice critiques,
  • Sybil attacks,
  • Centralization risks.