Bounty program


Last updated 3 years ago


The Opium bug bounty program supports a community-led effort to improve the on-chain security of the OPIUM Protocol. Contributors who make valuable security discoveries – such as detecting a previously unknown smart contract bug – will be awarded a bounty according to the rules outlined below.

Rules

The rules are adopted from the Ethereum Foundation’s bug bounty program rules and apply to the Opium Protocol bug bounty program:

  • Issues that have already been submitted by another user or are already known to the Opium team are not eligible for bounty rewards

  • Public disclosure of a vulnerability makes the reported bug ineligible for a bounty

  • The Opium core development team, core units, contributors, and all other people paid by Opium Ecosystem, directly or indirectly (including the external auditors), are not eligible for rewards

  • Submissions should be within the Bounty scope, outlined below.

Scope

Attack vectors that affect the off-chain components of an architecture are outside the scope of the bounty program, but their submission is still welcome. Examples of such threats are:

  • Vulnerabilities in the supported third-party wallets

  • XSS attacks

  • DDoS

Furthermore, smart contract bugs that do not lead to a loss of funds might be classified as not bearing any threats and thus not be eligible for the bounty.

The scope of the present bounty is focused solely on smart contracts developed by the Opium core contributors for the Opium Protocol. The list of codebases eligible for the bounty program includes but is not limited to:

  • https://github.com/OpiumProtocol/opium-protocol-v2

  • https://github.com/OpiumProtocol/opium-contracts

  • https://github.com/OpiumProtocol/erc721o

If a vulnerability satisfies the previously highlighted criteria but is not included in the list of repositories above, its eligibility will be at the discretion of the OPIUM DAO.

Compensation

  • High threat - up to 100,000 DAI

  • Medium threat - up to 20,000 DAI

  • Low threat - up to 2,000 DAI

The reward will be delivered only after ascertaining the severity of the reported issue and the successful implementation of a patch to the reported exploit.

Submission process

The vulnerability must not be disclosed publicly or to any other person, entity or email address before the Opium Team has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.

A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:

  • The conditions on which reproducing the bug is contingent

  • The steps needed to reproduce the bug or, preferably, a proof of concept

  • The potential implications of the vulnerability being abused

Anyone who reports a unique, previously unreported vulnerability that results in a change to the code or a configuration change, and who keeps such vulnerability confidential until it has been resolved by our engineers, will be recognized publicly for their contribution if they so choose.

Send your bug findings to the or contact core contributors in Discord or Telegram.