Bug Bounty
Open reward pool for discovering and reporting vulnerabilities in the mStable protocol.
Our awesome friends over at Immunefi.com are the best place to see a quick breakdown of mStable's bug bounty. Check it out here.
An ongoing bug bounty for the smart contracts of the mStable protocol is now live. mStable intends for hackers to look for smart contract vulnerabilities in our system that can lead to loss of collateral, unfair payouts or locked components. mStable must be as resilient as possible. Please submit a bug and earn a reward of up to US$25,000 **(or more in extreme circumstances).**
Rewards
Rewards will be awarded at the sole discretion of the mStableDAO. The quality of the report and reproduction instructions can impact the reward. Rewards are denominated mUSD and will be paid out in mUSD.
The bug bounty program is ongoing and has been running since June 05th, 2020.
NB: Payout amounts increased (max 25k) as of July 14th, 2020.
The reward will be based on the following severity scheme, based on the OWASP risk rating methodology:
Reporting
Found a bug? Follow the responsible disclosure guidelines to submit to the team at Immunefi or directly to the mStable team.
Failure to following the guidelines will result in a finding being ineligible for any bounties
Scope
The bug bounty is applicable to mStable's solidity contract suite, specifically any contracts residing in mstable/mStable-contracts/contracts **on "master" branch (excluding the "z_mocks" sub-folder).
GitHub - mstable/mStable-contracts: 📃 Smart Contracts that make up the core of the mStable protocol
GitHub
Out of scope
- Any front-end applications or client-side code interacting with the contracts, as well as testing code
- Mismatch of the functionality of the contracts and outdated spec documents
Areas of interest
- Loss of collateral or stealing of funds from the mAsset, resulting in it becoming under-collateralised (related:
contracts/masset/*/*) - Unfair payouts through SAVE, MINT, REDEEM or SWAP functionalities that results in under-collateralised or affected system (related:
contracts/masset/**/*,contracts/savings/*) - Manipulating or circumvention of mStable governance mechanism (related:
contracts/nexus/Nexus.sol,contracts/governance/*) - Locking or freezing or any of the mStable contracts or inability to upgrade (related:
contracts/upgradability/*) - Ineffective or error prone forge validation mechanisms (related:
contracts/masset/forge-validator/*)
Resources
Rules
- Public disclosure of the vulnerability, before explicit consent from mStable to do so, will make the vulnerability ineligible for a bounty
- Attempting to exploit the vulnerability in any public Ethereum network will also make it ineligible for a bounty
- Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first report will be awarded the bounty
- If you want to add more information to a provided issue, create a new submission giving reference to the initial one
- Rewards will be decided on a case by case basis and the bug bounty program, terms, and conditions are at the sole discretion of mStable
- Submissions need to be related with the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward
- Any interference with the protocol, client or platform services, on purpose or not during the process will make the submission invalid
- Terms and conditions of the bug bounty process may vary over time
- It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward
Exclusions
While researching, we’d like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) of mStable staff or contractors
Responsible disclosure
In case you discover a vulnerability, we would like to know about it immediately so we can take steps to address it as quickly as possible.
If you discover a vulnerability, please do the following:
- Do not take advantage of the vulnerability or problem you have discovered
- Do not reveal the problem to others until it has been resolved
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties;
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Complex vulnerabilities may require further explanation so we might ask you for additional information
We promise the following:
- We will respond to your report with a confirmation of receipt, followed by our evaluation of the report and an expected resolution date within 3 business days
- If you have followed the instructions above, we will not take any legal action against you in regard to the report
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission
- If you so wish we will keep you informed of the progress towards resolving the problem;
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise)
- We offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak, the quality of the report and any additional assistance you provide
Last modified 7mo ago