deri-protocol

@Deri

Live

The Deri Protocol is the DeFi way to trade derivatives: to hedge, to speculate, to arbitrage, all on-chain. With Deri Protocol, trades are executed under the AMM paradigm, and positions are tokenized as NFTs, making them highly composable with other DeFi projects. By providing an on-chain mechanism to exchange risk exposures precisely and capital-efficiently, Deri Protocol has become a critical component of the DeFi infrastructure. For more information, visit Deri Protocol.

The goal of this Bug Bounty Program is to encourage responsible security research by providing incentives for finding and reporting vulnerabilities in the Deri Protocol codebase and related systems. By participating in this Program, you help us maintain a safe, secure, and reliable environment for our users.

Scope

In-Scope Targets:

  • Core Contracts:
    • Deri V4 Smart Contracts
      • Only smart contracts whose deployed bytecode is verified as an Exact Match with the published source are considered in scope of the bug bounty program; unverified or partially verified deployments are not.

If an impact can be caused to any other asset managed by Deri Protocol that is not in the in-scope list above, but the impact matches one of the Critical impacts defined under Severity Definitions, you are encouraged to submit it for the project's consideration. This applies only to Critical impacts (for example, a critical risk to user funds, data, or the system's integrity); such submissions are reviewed on a case-by-case basis.

Out-of-Scope Targets:

  • Contracts and code not listed in the in-scope table
  • Third-party code and dependencies
  • Development branches not yet deployed
  • Known non-issues like rounding errors, gas optimizations, or best practices critiques
  • Websites, APIs, or test environments not under Deri Protocol’s control

Prohibited Actions

  • No Unauthorized Testing on Production Environments:
    Do not test vulnerabilities on mainnet or public testnet deployments. Use local or private test setups.

  • No Public Disclosure Without Consent:
    Do not publicly disclose vulnerability details before addressing the issue and receiving written consent.

  • No Exploitation or Data Exfiltration:
    Do not exploit vulnerabilities beyond the minimum necessary to demonstrate the issue. Avoid accessing private data, engaging in social engineering, or disrupting services.

  • No Conflict of Interest:
    Individuals currently or formerly employed by Deri Protocol or its affiliates, or contributors to affected code, are ineligible to participate.

Disclosure Requirements

Reports must be submitted to Cantina Bug Bounty Platform. Include:

  • A clear description of the vulnerability and its impact
  • Steps to reproduce, ideally with a proof of concept (PoC)
  • Conditions under which the issue occurs
  • Potential implications if exploited

Submissions should be made as soon as possible—preferably within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within the defined scope
  • Provide sufficient information to reproduce and fix the issue
  • Not exploit the vulnerability maliciously
  • Not disclose the vulnerability to third parties before receiving consent
  • Comply with all Program rules and applicable laws

You must also be of legal age in your jurisdiction and not be a resident of a country under sanctions or restrictions.

Severity and Rewards

Severity Classification Matrix

Severity Level      Impact: High   Impact: Medium   Impact: Low
Likelihood: High    Critical       High             Medium
Likelihood: Medium  High           Medium           -
Likelihood: Low     Medium         -                -

Severity Definitions

Smart Contracts

Impact Definitions:

  • Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
  • High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
  • Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
  • Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

  • High: Very easy to exploit or highly incentivized.
  • Medium: Exploitation is possible under certain conditions.
  • Low: Difficult to exploit or requires highly specific conditions.

Rewards

Severity   Payout Range
Critical   Up to $10,000
High       Up to $5,000
Medium     Up to $1,000

Websites and Applications

  • Critical:
    • Execution of unauthorized system commands
    • Disruption or takedown of an application or website
    • Circumvention of authentication mechanisms
    • Unauthorized signing of transactions
    • Redirection of user deposits or withdrawals
    • Subdomain takeovers leading to financial losses
    • Manipulation of wallet interactions resulting in financial loss
    • Direct theft or misappropriation of user funds

Rewards

Severity   Payout Range
Critical   Up to $1,000

Out of Scope & Rules

  • Missing or insufficient stale-price checks and sequencer uptime checks are known issues and are considered out of scope

Excluded Vulnerabilities:

  • Vulnerabilities that have already been exploited
  • Vulnerabilities that require leaked private keys or other privileged access
  • Third-party data issues (e.g., incorrect oracle data)
  • Centralization risks
  • Theoretical vulnerabilities without PoC
  • Feature requests or best practices critiques

Prohibited Activities:

  • Testing on mainnet/public testnet
  • Testing third-party systems/applications
  • Phishing or social engineering attacks
  • Denial of service attacks
  • Public disclosure of unpatched vulnerabilities

Other Terms

By submitting a report, you grant Deri Protocol the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions are at Deri Protocol’s sole discretion. Program terms and scope are subject to change. Participants are responsible for reviewing the latest version before submitting a report.

Total reward

$10,000

Findings submitted

19

Start date

Dec 19, 2024

