Bug bounty / Coverage
- 1. Critical Level:
  - Up to $100,000 or 10% of the (potential) economic damage, for contracts with more than 1 million USD in funds locked.
  - The 10% rule also applies to funds already removed without authorization from the affected contracts. In such cases, 90% of the funds must be returned immediately, and 10% may be kept as a whitehat bounty reward.
  - The 10% rule can also be claimed as a general bug bounty on contracts above $1M TVL, by providing a PoC or by assisting the team in creating one.
  - The 10% rule applies only to contracts that are live and have a TVL above $1M.
- 2. High Level:
  - Up to $50,000 or 10% of the (potential) economic damage.
  - The 10% rule, as outlined in the Critical Level section, also applies.
- 3. Medium Level:
  - USD $5,000 payout.
  - Runnable PoC required.
- 4. Low Level:
  - USD $1,000 payout.
  - Runnable PoC required.
| Level | Impact |
|---|---|
| 5. Critical | Any governance voting result manipulation; direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield; direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties; permanent freezing of funds; permanent freezing of NFTs; miner-extractable value (MEV); unauthorized minting of NFTs; predictable or manipulable RNG that results in abuse of the principal or NFT; unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content); protocol insolvency |
| 4. High | Theft of unclaimed yield; theft of unclaimed royalties; permanent freezing of unclaimed yield; permanent freezing of unclaimed royalties; temporary freezing of funds; temporary freezing of NFTs |
| 3. Medium | Smart contract unable to operate due to lack of token funds; block stuffing for profit; griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol); theft of gas; unbounded gas consumption |
| 2. Low | Contract fails to deliver promised returns, but doesn't lose value |
| 1. None | Best practices |
Payouts are handled directly by the SYMMIO team or DAO and are denominated in USDC or SYMM.