Bounty program
The Opium bug bounty program supports a community-led effort to improve the on-chain security of the OPIUM Protocol. Contributors who make valuable security discoveries – such as detecting a previously unknown smart contract bug – will be rewarded a bounty according to the rules outlined below.

Rules

The rules are adopted from the Ethereum Foundation’s bug bounty program rules and applicable for the Opium Protocol bug bounty program:
  • Issues that have already been submitted by another user or are already known to the Opium team are not eligible for bounty rewards
  • Public disclosure of a vulnerability makes the reported bug ineligible for a bounty
  • The Opium core development team, core units, contributors, and all other people paid by Opium Ecosystem, directly or indirectly (including the external auditors), are not eligible for rewards
  • Submissions should be within the Bounty scope, outlined below.

Scope

Attack vectors that affect the off-chain components of an architecture are outside of the scope of the bounty programme but their submission is still welcome. Examples of such threats are:
  • Vulnerabilities in the supported third-party wallets
  • XSS attacks
  • DDoS
Furthermore, smart contract bugs that do not lead to a loss of funds might be classified as not bearing any threats and thus not be eligible for the bounty.
The scope of the present bounty is focused solely on smart contracts developed by the Opium core contributors for the Opium Protocol. The list of codebases eligible for the bounty program includes but is not limited to:
If a vulnerability satisfies the previously highlighted criteria but is not included in the list of repositories above, its eligibility will be at the discretion of the OPIUM DAO.

Compensation

  • High threat - up to 100,000 DAI
  • Medium threat - up to 10,000 DAI
  • Low threat - up to 2,000 DAI
The reward will be delivered only after ascertaining the severity of the reported issue and the successful implementation of a patch to the reported exploit.
Last modified 30d ago
Copy link