Overview
The Bonfida Bug Bounty Program is set up to incentivize responsible bug disclosure by our users. The program prioritizes bugs found in the Bonfida smart contracts and is not focused on UI bugs.
Appropriate rewards will be distributed to users who detect medium- to critical-severity bugs in the core contracts of Bonfida.

Impacts in Scope

  1. Loss of user funds staked
  2. Loss/manipulation of governance funds
    • Including novel governance attacks
  3. Logic errors
  4. Theft of unclaimed funds
  5. Freezing unclaimed funds
  6. Trusting trust/dependency vulnerabilities
    • Including composability vulnerabilities
  7. Oracle failure and/or manipulation
  8. Congestion and scalability
  9. Consensus failures
  10. Cryptography problems
  11. Leak and/or deletion of user data
  12. Redirecting funds by address modification
  13. Accessing sensitive pages without authorization

Impacts out of Scope

  1. Report on third party bugs
    • Any third party contract or platform that interacts with Bonfida
    • Incorrect data supplied by third party oracles
  2. Lack of liquidity
  3. Critiques on best practices
  4. Reporting of sybil attacks
  5. Reports about outdated dependencies
  6. Theoretical vulnerabilities without any proof or demonstration
    • As well as vulnerabilities requiring unlikely user actions
  7. URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  8. Attacks requiring privileged access from within the organization
  9. Feature requests do not count as bugs
  10. Reporting phishing or other social engineering attacks against our employees and/or customers
    • This includes reports on spamming
  11. Front-end bugs