We have an active bug bounty on Immunefi that has been live since January 2021. Immunefi is a leading bug bounty platform for Web3 with the world's largest bug bounties.
Impacts in Scope
The impacts in scope for each severity level are:
Critical:
- Any governance voting result manipulation,
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield,
- Permanent freezing of funds,
- Miner-extractable value (MEV),
- Protocol insolvency.
High:
- Theft of unclaimed yield,
- Permanent freezing of unclaimed yield.
Medium:
- Smart contract unable to operate due to lack of token funds,
- Block stuffing for profit,
- Griefing (e.g., no profit motive for an attacker, but damage to the users or the protocol).
Low:
- Contract fails to deliver promised returns, but doesn't lose value.
The severity guidelines are based on Immunefi's vulnerability severity classification system.
Rewards are distributed based on the severity of the vulnerability, as shown below:
| Severity | Reward |
|---|---|
| Critical | 10% of the TVL in the Clearinghouse contract (minimum: $10,000, maximum base payout: $820,000) |
| High | $5,000 to $9,999 |
| Medium | $1,000 to $4,999 |
| Low | Up to $999 |
You must create an account with Immunefi and submit any in-scope bugs you discover here: https://bugs.immunefi.com/. Each bug submission will be evaluated on a case-by-case basis.
More information about the submission process is available via Immunefi's blog: https://medium.com/immunefi/a-hackers-guide-to-submitting-bugs-on-immunefi-1e6b7ada71a9
Base payouts will be handled by the Perpetual Protocol team and will be denominated in USD, but paid in PERP tokens. All amounts are calculated using a 7-day TWAP price which ends on the day of submission.
Invalid Bug Bounties
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage,
- Attacks requiring access to leaked keys/credentials,
- Attacks requiring access to privileged addresses (governance, strategist),
- Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation or flash loan attacks),
- Basic economic governance attacks (e.g. 51% attack),
- Lack of liquidity,
- Best practice critiques,
- Sybil attacks,
- Centralization risks.