Bug Bounty
Overview
The Lithium Finance bug bounty program is focused on our smart contracts, with a primary interest in preventing loss of user funds, whether by direct draining of locked funds or by social engineering attacks that redirect users or induce them to sign a malicious transaction.
Rewards will be allocated based on the severity of the bug disclosed, up to $1,000 USD equivalent, payable in LITH or USDT tokens.
Scope
The bug bounty program covers vulnerabilities and bugs in the Lithium smart contracts, which are located here: https://github.com/Lithium-Finance/lithium-smart-contracts
Classification
The bug bounty program uses the following four-level severity scale:
Critical: Issues that could impact numerous users and have serious reputational, legal or financial implications. Examples would be the ability to lock contracts permanently or to take funds from all users.
High: Issues that impact individual users, where exploitation would pose reputational, legal or moderate financial risk to the affected user.
Medium: Issues where the risk involved is relatively small and does not pose a threat to user funds.
Low/Informational: Issues that do not pose an immediate risk but are relevant to security best practices.
Rewards will be given based on the above severity as well as the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of Lithium Finance. You can find out more about this scale at the OWASP risk rating methodology page.
Rewards
Critical: $1,000 USD equivalent
High: $500 USD equivalent
Medium: $200 USD equivalent
Low/Informational: $0 USD equivalent
All bug reports must include a Proof of Concept demonstrating how the vulnerability can be exploited to be eligible for a reward.
The final reward amount for critical smart contract vulnerabilities is capped at 10% of the funds at risk based on the vulnerability reported.
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts
Incorrect data supplied by third party oracles (this exclusion does not cover oracle manipulation or flash loan attacks, which remain in scope)
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks
Prohibitions
Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty
Disclosure
Any vulnerability or bug discovered must be reported only to the following email: [email protected].
An acknowledgement of receipt will be given within 3 business days by Lithium Finance.
The vulnerability must not be disclosed publicly or to any other person, entity or email address before Lithium Finance has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, the report to Lithium Finance must be made within 24 hours of discovering the vulnerability.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
The conditions on which reproducing the bug is contingent.
The steps needed to reproduce the bug or, preferably, a proof of concept.
The potential implications of the vulnerability being abused.
Anyone who reports a unique, previously-unreported vulnerability that results in a code or configuration change, and who keeps the vulnerability confidential until it has been resolved by our engineers, will be recognized publicly for their contribution if they so choose.
Eligibility
To be eligible for a reward under this bug bounty program, you must:
Discover a previously-unreported, non-public vulnerability that is not already known to the team and that is within the scope of this bug bounty program.
Be the first to disclose the unique vulnerability to [email protected], in compliance with the disclosure requirements.
Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this bug bounty program).
Not publicize a vulnerability in any way, other than through private reporting to us.
Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any of the assets in scope.
Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this bug bounty program.
Not engage in any unlawful conduct when disclosing the bug to [email protected], including through threats, demands, or any other coercive tactics.
Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
Not be subject to US sanctions or reside in a US-embargoed country.
Not be one of our current or former employees, or a vendor or contractor who has been involved in the development of the code of the bug in question.
Comply with all the eligibility requirements of the bug bounty program.
By submitting your report, you grant Lithium Finance any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The terms and conditions of the bug bounty program may be altered at any time.