Reflexer Labs Bug Bounty

Updated October 11th 2021

Overview

Welcome to Reflexer’s Bug Bounty Program. Reflexer is deeply focused on the security of the GEB framework, so we’re calling on our community to help us find any bugs or vulnerabilities. You can submit a bug by emailing [email protected] and earn a reward of up to USD 250,000. Please see our Scope, Disclosure and Eligibility sections for more details.

Scope

This Program is limited to the vulnerabilities affecting the GEB framework in the following contracts and repositories:

  • Core GEB Contracts - Addresses, Parameters

  • Chainlink oracle

  • UniswapConsecutiveSlotsPriceFeedMedianizer

  • GebProxyActions

  • GebProxyActionsGlobalSettlement

  • GebProxyLeverageActions

  • GEB Safe Manager

  • ds-pause

  • Proxy Registry

  • FSM Governance Interface

  • geb-fsm

  • ds-proxy

  • ESM

  • geb-debt-auction-param-setter

  • geb-surplus-distributor

  • geb-treasury-reimbursement

  • geb-protocol-token-authority

  • geb-keeper-flash-proxy

  • ds-roles

  • DSDelegateToken

  • SAFESaviourRegistry

  • geb-collateral-auction-throttler

  • CompoundSystemCoinSafeSaviour

  • NativeUnderlyingUniswapSafeSaviour

  • SystemCoinUniswapSafeSaviour

  • Lender of First Resort

The following contracts and repositories are not in the scope of this bounty program:

  • GebProxyActionsCoinSavingsAccount

  • GebProxyIncentivesActions

  • geb-testchain-medians

  • geb-governance-led-median

  • geb-deploy

  • geb-basic-multisig

  • ds-spell

  • ds-exec

  • ds-vote-quorum

  • ds-value

  • ds-thing

  • ds-guard

  • ds-weth

  • DSTokenBase

  • ds-token/factory

  • DSToken

  • ds-stop

  • ds-auth

  • geb-pause-schedule-proxy-actions

  • geb-token-faucet

  • vote-proxy

  • geb-interfaces

  • geb-tx-manager

  • geb-pit

  • ds-list

  • multicall

  • geb-printing-permissions

  • geb-polling-emitter

  • geb-darkfix

  • ds-sort

  • geb-safe-saviours/saviours

Vulnerabilities related to the following activities and infrastructure are also outside of the scope of the program:

Program Rewards

Rewards are paid in USDC. The amount is determined by the severity of the issue (rows) and the likelihood that it can be triggered (columns), according to the following scheme:

Severity \ Likelihood   Almost certain   Likely      Possible    Unlikely    Almost impossible
very low                $ 1,000          $ 500       $ 100       $ 100       $ 100
low                     $ 10,000         $ 1,000     $ 500       $ 100       $ 100
moderate                $ 50,000         $ 10,000    $ 1,000     $ 500       $ 100
high                    $ 80,000         $ 50,000    $ 10,000    $ 1,000     $ 500
severe                  $ 250,000        $ 80,000    $ 50,000    $ 10,000    $ 1,000

Classification of Vulnerabilities

Critical

An issue that might cause immediate loss of >= 5% of the funds, or may permanently affect the state of a GEB instance.

Very High / High

An issue that might cause immediate loss of < 5% of the funds, or severely damage the state of a GEB instance.

Medium

An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.

Low / Very Low / Note

An issue that might cause user dissatisfaction or minimal failure.

Disclosure

  • Any vulnerability or bug must be reported by sending an email to [email protected]

  • The vulnerability must not be disclosed publicly

  • The vulnerability must not be disclosed to any person, entity or email address prior to disclosure to [email protected]xer.finance

  • The vulnerability must not be disclosed in any other way other than to the [email protected] email

  • Disclosure must be made promptly after identifying a vulnerability

  • When disclosing a vulnerability, please include the following information in your email, if possible:

    • The steps needed to reproduce the bug

    • Potential implications of the vulnerability being abused

A detailed report of the vulnerability increases the likelihood of a reward and may also increase the amount received.

Eligibility

  • Submissions need to relate to the Bounty Scope. Submissions outside the Bounty Scope won’t be eligible for a reward.

  • You must be the first to disclose the unique vulnerability to [email protected], in compliance with the disclosure requirements above.

  • You must provide sufficient information to enable our engineers to reproduce and fix the vulnerability.

  • You must not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).

  • You must submit only one vulnerability per submission, unless you need to provide more information related to the impact of the vulnerability.

  • You must be at least 18 years of age.

  • You must not be subject to US sanctions or reside in a US-embargoed country.

  • You must not be one of our current or former employees, vendors, or contractors or a current or former employee of any of those vendors or contractors.

  • Submissions not following the disclosure policy will not be eligible for a reward.

Other Terms

Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Reflexer.

Resources

The GEB documentation can be found here.