Delv / DELV Bounty
The bug bounty program is focused on DELV's Hyperdrive smart contracts and is mostly concerned with the loss of user funds and access to those funds without user permission.
To be eligible for a reward under the DELV Bug Bounty Program, you must:
- Discover a previously unreported and non-public vulnerability that would result in a loss of or a lock on any ERC-20 token in Hyperdrive. Each bug will only be considered for a reward once. This does not include third-party platforms interacting with the system.
- Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements and the section below.
- Provide sufficient information to enable our team to reproduce and fix the vulnerability. This includes providing a PoC.
- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than the reward subject under this Program).
- Submit only one vulnerability per submission, unless you need to bundle vulnerabilities together in order to provide an accurate assessment of impact regarding any of the vulnerabilities.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
- Not be one of our current or former employees or contractors.
- Comply with all applicable laws.
- Not be listed on any sanctions list of the United States, the United Kingdom, the European Union, or the United Nations, or be directly or indirectly owned by or associated with such a sanctioned person, or be operating from or ordinarily resident in any jurisdiction subject to such sanctions.
Smart Contracts in Scope
delvtech/hyperdrive
Disclosure and Reporting Guidelines
To be eligible for a bounty, we require that bug bounty hunters, security engineers, and researchers:
- Make it a priority to avoid privacy violations, degradation of user experience, and disruption to production systems during security testing.
- Report vulnerabilities as soon as they have been discovered and keep them confidential between yourself and the DELV team. You may not use (other than as necessary to participate in this bug bounty program) and may not disclose to a third party any DELV confidential information, including identified vulnerabilities.
- Only use the Cantina.xyz bug reporting interface to report vulnerability information to us.
- Provide the team with at least 5 working days to investigate the issue and get back to you before taking any further action.
- DELV reserves the right to verify that the bounty hunter/researcher/security engineer meets these requirements and is eligible for payment.
- By reporting a vulnerability, you assign to Cantina (who assigns it to DELV) any intellectual property developed from your participation in this bug bounty program.
Severity Definitions
Smart Contracts
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood: high | $100,000.00 (Critical) | $20,000.00 (High) |
| Likelihood: medium | $20,000.00 (High) | $5,000.00 (Medium) |
Critical
- Direct theft of any user funds
High
- Any governance voting result manipulation
- Temporary freezing of funds
Medium
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
Low
- At the discretion of DELV
Not all bugs will be material or warrant a bounty.
Out of Scope (all repositories)
Known Issues
- All acknowledged issues in the delvtech/hyperdrive repo are considered out of scope.
- All known issues in previous security reviews are considered out of scope.
- Any attempted fix that does not remediate the issue remains in scope if the vulnerability still exists after the fix.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Sybil attack
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using Foundry.
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of bugs or unpatched vulnerabilities. See "Disclosure and Reporting Guidelines" above for additional protections of DELV's confidential information.
Summary
Status
Live
Total reward:
$100,000 USDC
Start date:
10 Jul 2024 8:00pm (local time)