Comment on page
Bug Bounty Program
Information about our bug bounty program
We are excited to announce the launch of our Testnet Bug Bounty Program, designed to strengthen the security of our smart contracts. As a part of our ongoing commitment to providing a safe and secure environment for our users, we are inviting security researchers, developers, and the wider community to participate in this program and help us identify potential vulnerabilities.
The main objectives of our Testnet Bug Bounty Program are:
- 1.Detect and address security vulnerabilities in our smart contracts before they are deployed on the mainnet.
- 2.Encourage collaboration and knowledge sharing between our team and the security community.
- 3.Promote transparency and build trust with our users.
To participate in the program, simply follow these steps:
- 1.Review our Testnet Bug Bounty Program guidelines and rules, which will be available below.
- 2.Explore our testnet smart contracts and identify potential security vulnerabilities.
We will carefully evaluate each submission and reward participants based on the severity and impact of the reported vulnerabilities. The more critical the vulnerability, the higher the reward.
We believe that the Testnet Bug Bounty Program is an essential step towards ensuring the security and reliability of our smart contracts. We are eager to collaborate with the community and together, build a more secure and resilient ecosystem.
Our budget for the Bug Bounty Program is $20,000, and we plan to allocate it as follows:
- 1.Critical vulnerabilities: $12,000 (60%) - Ranging from $2,000 to $12,000 depending on the complexity of the vulnerability. These vulnerabilities allow attackers to steal user funds.
- 2.High-risk vulnerabilities: $5,000 (25%) - These vulnerabilities disrupt the smart contract's functionality, preventing users from withdrawing funds, for example. Rewards range from $1,000 to $5,000.
- 3.Medium-risk vulnerabilities: $2,600 (13%) - Issues with calculations, incorrect percentages, etc. Rewards range from $400 to $2,500.
- 4.Low-risk vulnerabilities: $400 (2%) - Suboptimal script performance. Rewards range from $100 to $400.
Please note that we may exclude category 4 since we might not make significant changes to our smart contracts due to minor performance inefficiencies.
- 1.The reported vulnerability must be previously unknown to our team and not reported by other users.
- 2.Vulnerabilities must be reproducible. The report should include steps to reproduce the issue, and ideally, a proposed solution, which will be valued higher.
- 3.If a vulnerability arises due to discrepancies between our implementation and Scilla documentation, we will consider it for a reward, provided that it is serious.
Terms and Conditions:
- 1.Participants must not use their knowledge of vulnerabilities maliciously. Vulnerabilities should be reported privately, giving us time to address the issue. Disclosing vulnerability information or exploiting it in any way will be considered a violation and will not be eligible for a reward.
- 2.Rewards are available until the program's end date. After that, we will decide whether to continue the Bug Bounty Program without changes or make adjustments.
- 3.Vulnerabilities must be reported through the specified communication channels only. Public disclosure is not allowed.
- 4.We reserve the right to determine the eligibility of a vulnerability for a reward and the reward amount based on our assessment of the issue, the provided evidence, and the proposed solution.
In our project, we have conducted a total of 4 security audits of our smart contracts, out of which 2 were not completed and thus their reports are not published.
The first audit (https://drive.google.com/file/d/1WmYoqfFOmCBLSKbCAx1OEMW7uU4cQXeN/view?usp=sharing) took place on March 28th, 2022, and focused on the initial version of our liquid staking protocol. Following this audit, we introduced new functionality - support for multiple SSN nodes to enhance decentralization, and implemented Avely Swap. Due to these additions, another audit was necessary to cover the entire range of features.
The latest audit (https://drive.google.com/file/d/1O_22adQF7qn_BOwCYN74NbgT96c587aS/view?usp=sharing) was conducted on March 10th, 2023, incorporating all recent changes up to that point. No major issues were discovered during the audit; however, we still rectified some minor concerns, as detailed in the report.
We take the security of our project seriously and are committed to maintaining transparency and accountability. As part of our ongoing dedication to this, we invite security researchers and developers to participate in our Bug Bounty program, with the aim of discovering and addressing any potential vulnerabilities.
For a better understanding of our smart contracts, we highly recommend reviewing our technical documentation. This document will provide you with detailed information about the architecture, functionality of our liquid staking protocol: https://www.dropbox.com/scl/fi/fw9z37nebwdby5jnmnngj/stZIL-Protocol-Tech-Details.paper?dl=0&rlkey=vv8dhj5im6pisisgcv0uz655y
For the participants of our bug bounty program, we provide a link to the latest version of our smart contracts deployed on the Zilliqa testnet. We invite you to explore it and report any vulnerabilities you find.
To facilitate your exploration of our smart contracts and to help you identify potential vulnerabilities, we have made our GitHub repository publicly available. This repository contains the source code of our smart contracts, as well as any related scripts and tools.