

Payouts are handled by an independent financial outsourcing team appointed by DAO resolutions from the Bug Bounty budget. All other impacts that would be classified as Critical would be rewarded no more than USD 50 000. This is implemented in order to account for the increased relative impact based on the duration of the freezing of funds.

All calculations of the amount of funds at risk are done based on the time the bug report is submitted.

Critical website and application bug reports will be rewarded with USD 100 000 only if the impact leads to a direct loss in funds. In the event of temporary freezing, the reward doubles for every additional 5 blocks that the funds could be temporarily frozen, rounded down to the nearest multiple of 5, up to the hard cap of USD 100 000. High smart contract vulnerabilities will be further capped at up to 100% of the funds affected. However, there is a minimum reward of USD 150 000 for valid Critical smart contract bug reports. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused.

Explanations and statements are not accepted as PoC and code is required.

Critical smart contract vulnerabilities are further capped at 10% of economic damage, which primarily takes into consideration the funds at risk. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts, focusing on the impact of the vulnerability reported.

All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.1.
