Euler & ImmuneFi Bug Bounty Program
Reward pool
$1,000,000
1,000,000 USDC
Expected profit
$1,000 - 1,000,000
1,000 - 1,000,000 USDC
Max participants
∞
No limit
DropsEarn score
Neutral
Normal, Low Risks
Details
Euler is kicking off a $1 million bug bounty program with ImmuneFi as part of a $10 million insurance partnership with Sherlock Protocol.
This initiative centres on Euler's smart contracts and incentivises ethical reporting of potential security vulnerabilities or exploits. The new bug bounty program goes hand-in-hand with Sherlock's $10 million smart contract coverage to advance the security of Euler.
The Euler team benefits greatly from Sherlock's skilled security team (Watsons) and their experienced leadership, having been part of the first cohort of protocols in Sherlock's guarded launch. Sherlock is a risk management platform built on Ethereum and designed to keep end users protected by providing affordable and scalable coverage to protocols.
ImmuneFi is the leading bug bounty platform that has already paid out over $10 million in bounties, having prevented over $20 billion in potential losses with around $78 million worth of bounties currently available. ImmuneFi is trusted by a number of DeFi protocols including The Graph, Nexus Mutual, Olympus and many others.
The bug bounty program will only cover the following exploits and focuses wholly on smart contract vulnerabilities:
- Loss of user funds staked (principal) by freezing or theft
- Loss of governance funds
- Theft of unclaimed yield
- Freezing of unclaimed yield
- Temporary freezing of funds for more than 1 week
- Unable to call smart contract
- Smart contract gas drainage
- Smart contract fails to deliver promised returns
- Vote manipulation
- Incorrect polling actions
Bug Bounty Reward Distribution
The breakdown of the rewards is in accordance with ImmuneFi's distribution criteria for the impact of the vulnerability; see here for more details.
Threat Level and reward distribution:
- Critical - Up to $1,000,000 (sponsored by Sherlock)
- High - $25,000
- Medium - $5,000
- Low - $1,000
All Medium, High and Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. All Low Smart Contract bug reports require a suggestion for a fix to be eligible for a reward.
Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of $50,000.
Sherlock will only pay the critical bounty for critical bugs that would result in a loss of funds and can be executed profitably; this excludes the Sherlock critical payout for temporary freezing bugs.
Payouts up to $50,000 are handled directly by the Euler team; rewards are denominated in USD and paid in USDC. For payouts above $50,000, the remainder is paid by Sherlock under its bug bounty matching program, also in USDC.
Eligibility & Out of Scope
Only certain exploits and vulnerabilities related to Euler smart contracts are eligible for a reward. Additionally, only assets covered in the ‘Assets in Scope’ Table are considered as in-scope of the bug bounty program. The Assets in Scope Table can be found here.
The following vulnerabilities are not eligible for a reward:
- Anything that involves a malicious or illiquid token being promoted from isolation tier (the default ‘safe’ tier on Euler) to cross or collateral tier (where there are many more potential attack vectors). We assume governance is responsible for blocking promotion up the tiers.
- Tokens exhibiting non-standard ERC20 behaviour that only affects holders of that token and does not impact any other assets managed by Euler. (E.g., a transfer function that fails to update users balances)
- Oracle failure/manipulation of the form described at https://github.com/euler-xyz/uni-v3-twap-manipulation (e.g., manipulation of the Uniswap pools from which the time-weighted average price (TWAP) is derived)
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Attacks that require an illiquid/malicious token to be promoted from isolation tier to cross or collateral tier (governance is responsible for preventing this, see definitions here: https://docs.euler.finance/getting-started/white-paper#asset-tiers)
- Uniswap v3 TWAP oracle manipulation attacks of the form described here: https://github.com/euler-xyz/uni-v3-twap-manipulation
- Basic economic governance attacks (E.g. 51% attack)
- Tokens exhibiting non-standard ERC20 behaviour that only affects holders of that token and does not impact any other assets managed by Euler (e.g., malicious transfer or transferFrom functions in the ERC-20 token contract). Such attacks caused by malicious tokens are considered out of scope.
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
For more information and details about the programme, please visit ImmuneFi’s Euler page and check out their Twitter announcement.
About ImmuneFi
Immunefi is Web3’s leading bug bounty platform, protecting $100 billion in user funds. Focusing on Web3 and smart contract security, ImmuneFi provides bug bounty hosting, consultation, bug triaging, and program management services to blockchain and smart contract projects.
About Euler
Euler is a capital-efficient permissionless lending protocol that helps users to earn interest on their crypto assets or hedge against volatile markets without the need for a trusted third-party. Euler features a number of innovations not seen before in DeFi, including permissionless lending markets, reactive interest rates, protected collateral, MEV-resistant liquidations, multi-collateral stability pools, sub-accounts, risk-adjusted loans and much more.
About
The ImmuneFi Bug Bounty program aims to strengthen Euler's security while boosting collaboration with the greater DeFi ecosystem, as part of an insurance partnership with Sherlock Protocol.
10 Jan 2022 03:00(UTC+3) - 10 Apr 2022 03:00(UTC+3)
Closed