Project
Welcome to Reflexer’s Bug Bounty Program. Reflexer is deeply focused on the security of the GEB framework, so we’re calling on our community to help us find any bugs or vulnerabilities. You can submit a bug by emailing [email protected] and earn a reward of up to USD 30,000. Please see our Scope, Disclosure and Eligibility sections for more details.
This Program is limited to the vulnerabilities affecting the GEB framework in the following contracts and repositories:
UniswapConsecutiveSlotsPriceFeedMedianizer
GebProxyActionsGlobalSettlement
The following contracts and repositories are not in the scope of this bounty program:
GebProxyActionsCoinSavingsAccount
geb-pause-schedule-proxy-actions
Vulnerabilities related to the following activities and infrastructure are also outside of the scope of the program:
Frontend bugs
Keeper code such as pyflex, auction-keeper, settlement-keeper and pyexchange
geb.js and geb-console
Gas APIs and clients
DDOS attacks
Spamming
Automated tools
Social engineering of Reflexer staff or contractors
The reward will be received in the USDC token based on the following severity scheme:
Critical
An issue that might cause immediate loss of >= 5% of the funds, or may permanently affect the state of a GEB instance.
Very High / High
An issue that might cause immediate loss of < 5% of the funds, or severely damage the state of a GEB instance.
Medium
An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.
Low / Very Low / Note
An issue that might cause user dissatisfaction or minimal failure.
Any vulnerability or bug must be reported by sending an email to [email protected]
The vulnerability must not be disclosed publicly
The vulnerability must not be disclosed to any person, entity or email address prior to disclosure to [email protected]
The vulnerability must not be disclosed in any way other than to the [email protected] email
Disclosure must be made promptly after identifying a vulnerability
When disclosing a vulnerability, please include the following information in your email, if possible:
The steps needed to reproduce the bug
Potential implications of the vulnerability being abused
A detailed report of the vulnerability increases the likelihood of a reward and may also increase the amount received.
Submissions need to be related to the Bounty Scope. Submissions outside the Bounty Scope won’t be eligible for a reward.
You must be the first to disclose the unique vulnerability to [email protected], in compliance with the disclosure requirements above.
You must provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
You must not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
You must submit only one vulnerability per submission, unless you need to provide more information related to the impact of the vulnerability.
You must be at least 18 years of age.
You must not be subject to US sanctions or reside in a US-embargoed country.
You must not be one of our current or former employees, vendors, or contractors or a current or former employee of any of those vendors or contractors.
Submissions not following the disclosure policy will not be eligible for a reward.
Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Reflexer.
The GEB documentation can be found here.