Bug

Bounty

Overview

Open source, on-chain protocols benefit from community member participation in testing, debugging and assisting to fortify the smart contracts.

While much of the foundational work is forked and repurposed from other stable, well-secured, highly tested smart contracts, at times, use case, regression and other changes can create issues.

HaloDeFi believes it is beneficial to have a formal incentive to those dedicated security engineers who can help make HaloDeFi safer.

Scope

The Bug Bounty Program is limited to the vulnerabilities affecting HaloDeFi HLD Token and peripheral contacts:

HaloDeFi Contracts

Bugs in Periphery Contracts will be considered less severe than those found in the HLD Token contract isself.

There will not be Bug Bounty for the following:

  • Example contracts
  • Test contracts
  • Depcreated contracts
  • Removed contracts
  • External (third party) contracts that harness HaloDeFi contracts
  • Vulnerabilities already discovered
  • Already-reported bugs.
  • DDOS attacks
  • Spamming
  • Phishing
  • Automated tools / scrapers / bots
  • Compromising or misusing third party systems or services.

Bug Bounty Rewards

The severity of bugs will be assessed under the CVSS Risk Rating scale, as follows:

  • Critical (9.0-10.0): Up to $30,000
  • High (7.0-8.9): Up to $10,000
  • Medium (4.0-6.9): Up to $1,000
  • Low (0.1-3.9): Up to $500

In addition to assessing severity, rewards will be considered based on the impact of the discovered vulnerability as well as the level of difficulty in discovering such vulnerability.

Disclosure

Any vulnerability or bug discovered must be reported only to the following email: masterbuilder@halodefi.org must not be disclosed publicly; must not be disclosed to any other person, entity or email address prior to disclosure to the masterbuilder@halodefi.org email; and must not be disclosed in any way other than to the masterbuilder@halodefi.org email. In addition, disclosure to masterbuilder@halodefi.org must be made promptly following the discovery of the vulnerability. Please include as much information about the vulnerability as possible, including:

  • The conditions on which reproducing the bug is contingent.
  • The steps needed to reproduce the bug or, preferably, a proof of concept.
  • The potential implications of the vulnerability being abused.

A detailed report of the vulnerability increases the likelihood of a reward and may increase the reward amount.

Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution if agreed.

Eligibility

To be eligible for a reward under this Bug Bounty, you must:

  • Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on HaloDeFi (but not on any third party platform interacting with HaloDeFi) and that is within the scope of this bug bounty program.
  • Be the first to disclose the unique vulnerability to masterbuilder@halodefi.org, in compliance with the disclosure requirements above.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • Not engage in any unlawful conduct when disclosing the bug to masterbuilder@halodefi.org including through threats, demands or any other coercive tactics.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under the Bug Bounty Program).
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of HaloDeFi.
  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
  • Be at least 18 years of age.
  • Not be subject to US sanctions or reside in a US-embargoed country.
  • Not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors.
  • Comply with all the eligibility requirements of the Bug Bounty Program.

Other Terms

All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.

The terms and conditions of the Bug Bounty Program may be altered at any time.