Bug Bounty

Overview

Zeta.finance will run a continuous bug bounty program to help us identify bugs, vulnerabilities, and exploits for the first release of Zeta core. This bounty program will run on the testnet network until August 1st, 2020.

Security Disclosure Process

Rewards

The bounty program will pay out rewards according to the severity of a vulnerability. The final eligibility is at the sole discretion of Zeta Labs.

| Reward | Severity | Examples |
| --- | --- | --- |
| $10,000 - $2,000 | Critical | Stealing assets from a contract; permanently freezing funds |
| $2,000 - $1,000 | High | Severe rounding errors where an attacker can steal significant funds in excess of gas costs; manipulating an order's rate / amount |
| $1,000 - $200 | Medium | Low probability of exploit success / brute force methods with high computational cost |
| $0 - $200 | Low | Informational / code quality based disclosures |

Scope

The bug bounty covers any of the core smart contracts deployed on testnet. Duplicate vulnerabilities are ineligible; only the first reporter will be rewarded. The frontend is not in scope.

Additional second layer contracts such as the order router or individual exchange contracts may be added at a later date.

Disclosure Process

Please report any findings to [email protected] with full details about any vulnerability and steps / code to reproduce. Allow us time to review and remediate any findings before public disclosure.

Ineligible Findings

  • Duplicate vulnerabilities. Only the first reporter will be rewarded.

  • Findings already known as part of a formal audit.

  • Findings related to non-standard ERC20 tokens might be ineligible, as many vulnerabilities might be inserted into non-standard ERC20 tokens on purpose in order to apply for this bug bounty.
