Immunefi Bug Bounty
Bounties are an important tool for testing and enhancing application and contract security. We appreciate the skilled hackers and programmers within the community and believe in rewarding those working to protect and strengthen the ecosystem. Working in partnership with Immunefi, we will be releasing additional bounties in the near future, and invite the community to help identify any possible exploits we may have missed.
Security is the #1 priority of the Gnosis team. This bounty program is not being enacted in response to any known exploit; we are implementing it proactively to ensure the safety and soundness of our applications and to protect users and their funds.
There is one ongoing bug bounty program: the Bridges bug bounty.
Each bug bounty program defines its own assets in scope, and rewards are determined by threat level.
Bridge (Omnibridge, xDAI Bridge) Bounty
Assets in scope
All smart contract bugs in the Gnosis Chain bridges, including the ETH-xDAI Omnibridge, the xDAI Bridge and the BSC-xDAI Omnibridge.
| Type | Target |
| --- | --- |
| Smart Contract | DAI-xDAI TokenBridge contract on the Ethereum Mainnet |
| Smart Contract | DAI-xDAI OmniBridge contract on the Gnosis chain |
| Smart Contract | ETH-xDAI OmniBridge contract on the Ethereum Mainnet |
| Smart Contract | ETH-xDAI OmniBridge contract on the Gnosis chain |
| Smart Contract | BSC-xDAI OmniBridge contract on the Binance Smart Chain |
| Smart Contract | BSC-xDAI OmniBridge contract on the Gnosis chain |
Rewards by threat level
Rewards are based on the Immunefi Vulnerability Severity Classification System V2.2.
All smart contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward.
Only the following smart contract impacts are accepted within this bug bounty program:
| Smart Contract Impact | Reward |
| --- | --- |
| Critical* | Up to USD 2,000,000 |
*All Critical smart contract vulnerabilities are further capped at 10% of economic damage, primarily taking into consideration the funds at risk. However, there is a minimum reward of USD 50,000.
Payouts are handled by the Gnosis Chain team directly and are denominated in USD. However, payouts are done in USDT for payments up to USD 100,000. All remaining rewards are paid in STAKE.
Out of scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation/flash loan attacks)
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Please visit the Immunefi bounty page for more details.
- Is the bug bounty program time limited?
- How do I submit a bug on Immunefi?