High smart contract vulnerabilities will be further capped at up to 100% of the funds affected. Reward Calculation for High Level Reports For avoidance of doubt, if a second attack would happen at 600 blocks and then a third at 900 blocks, the funds at risk would be counted at 50% and 25% of the reward from the first attack, respectively. If the attack impacts a smart contract directly holding funds that cannot be upgraded or paused, the amount of funds at risk will be calculated with the first attack being at 100% of the funds that could be stolen and then a reduction of 25% from the amount of the first attack for every 300 blocks the attack needs for subsequent attacks from the first attack, rounded down. In cases of repeatable attacks for smart contract bugs, only the first attack is considered if the smart contracts where the vulnerability exists can be upgraded, paused, or killed. All other impacts that would be classified as Critical, or an impact resulting in a theft of funds that does not fall under this definition, would be rewarded USD 50 000. An impact of minting tokens on-chain beyond intended activity without requiring any user action would also be rewarded this amount due to the undesired dilution of existing circulating tokens. However, a minimum reward of USD 150 000 is to be rewarded in order to incentivize security researchers against withholding a bug report. Critical website and application bug reports will be rewarded with USD 100 000, only if the impact leads to a direct loss in funds involving an attack that does not require any user action at all. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. Reward Calculation for Critical Level Reports For critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 10 000 000.
Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below. The identity of the bug reporter may be included, either with their real name or pseudonymously, if they choose to, or they can choose to remain anonymous. All Critical and High bug reports will have a postmortem written by the Immunefi Security core unit to be published on the Immunefi Medium blog and distributed on its social media channels after the payout is made and the fixes finalized. To view the governance proposal poll, visit. This bug bounty program is governed by a governance proposal. MakerDAO adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page. For more information about the category selected, please refer to our Responsible Publication page. This Policy determines what information whitehats are allowed to make public from their submitted bug reports. One mandate of this core unit is to launch a bug bounty program to protect the critical infrastructure of the ecosystem. For more information about MakerDAO, please visit. One of these core units is the Immunefi Security (IS-001) core unit, a result of two decentralized organizations collaborating together. Since 2021, the project has become more decentralized, with the MakerDAO Foundation being shut down in order to move operations to decentralized business units known as core units. It is governed by those who hold and/or are delegated MKR, the governance token of the protocol. MakerDAO is one of the first DeFi protocols in the crypto space that introduced the first crypto-backed stablecoin called Dai (DAI), which is set at a value of 1:1 with the United States Dollar.