The DeFiedge-Repository-link repository is subject to the DefiEdge Bug Bounty (the “Program”) to incentivize responsible bug disclosure.
We are limiting the scope of the Program to critical and high severity bugs, and are offering a reward of up to $5000. Happy hunting!
The scope of the Program is limited to bugs that result in the loss of user funds.
The following are not within the scope of the Program:
- Any contract located under contract/test
- Bugs in any third party contract or platform that interacts with DefiEdge.
- Vulnerabilities already reported and/or discovered in contracts built by third parties on DefiEdge.
- Any already-reported bugs.
Vulnerabilities contingent upon the occurrence of any of the following also are outside the scope of this Program:
- Frontend bugs
- DDOS attacks
- Automated tools (Github Actions, AWS, etc.)
- Compromise or misuse of third party systems or services
DefiEdge was developed with the following assumptions, and thus any bug must also adhere to the following assumptions to be eligible for the bug bounty:
DefiEdge has following major components
- Share Tokens
Everytime the user deposits funds into a specific strategy, the strategy will mint the shares proportional to the liquidity added by the user. The starting price of the share token would be $100.
DefiEdge uses Uniswap TWAP for calculating the share price
- Swap between tokens in the pool using 1inch.
- The liquidity can be rebalanced to new ticks using one click
- If the market is volatile and the manager is not able to make the decision, DefiEdge lets the manager hold the funds into the contract.
- Performance Fees
- Managers on DefiEdge can charge performance fees. The performance fees are debited from the fees earned in the Uniswap V3 pool of the users assets. A small portion of performance fees go to the protocol if the protocol fee is enabled.
- Management Fees
- The smart contracts also allow the managers to take upfront fees. A portion of it will also go to the protocol if the protocol fees are enabled.
DE-shares are standard ERC20 tokens which issued based on proportion of liquidity that liquidity provider (LP) has deposited into a strategy
For the first LP, the share price is fixed to $100 (this is arbitrary, it could have been any number).
So, for example if a user deposits 1 WETH and $1000, when the price of 1WETH is $2500 they are issued 35 DE-shares : (1000+2500)/100 = 35
Assuming the management and protocol fees are 0%. If it is some non-zero p%, the LP receives 35(1-p/100) shares and 35p/100 shares go to the strategy manager.
The share price then changes based on the value of the underlying assets. So if the price of WETH goes up to $3000; the DE-shares in the strategy mentioned above would be worth $114.2857 (4000/35)
Rewards will be allocated based on the severity of the bug disclosed and will be evaluated and rewarded at the discretion of the DefiEdge security team. For critical bugs that lead to loss of user funds (more than 1% or user specified slippage tolerance), rewards of up to $50,000 will be granted. Lower severity bugs will be rewarded at the discretion of the team. In addition, all vulnerabilities disclosed prior to the mainnet launch date will be subject to receive higher rewards.
Any vulnerability or bug discovered must be reported only to the following email: email@example.com
The vulnerability must not be disclosed publicly or to any other person, entity or email address before DefiEdge has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
- The conditions on which reproducing the bug is contingent.
- The steps needed to reproduce the bug or, preferably, a proof of concept.
- The potential implications of the vulnerability being abused.
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution if they so choose.
To be eligible for a reward under this Program, you must:
- Discover a previously unreported, non-public vulnerability that would result in a loss of and/or lock on any ERC-20 token on Defiedge (but not on any third party platform interacting with DefiEdge) and that is within the scope of this Program. Vulnerabilities must be distinct from the issues covered in the WatchPug or ABDK audits.
- Be the first to disclose the unique vulnerability to firstname.lastname@example.org, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24 hour period, rewards will be split at the discretion of DefiEdge.
- Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
- Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of DeFiedge.
- Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
- Not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors.
- Not be subject to US sanctions or reside in a US-embargoed country.
- Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
By submitting your report, you grant DefiEdge any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The terms and conditions of this Program may be altered at any time.