Bounty program

The Opium bug bounty program supports a community-led effort to improve the on-chain security of the OPIUM Protocol. Contributors who make valuable security discoveries – such as detecting a previously unknown smart contract bug – will be awarded a bounty according to the rules outlined below.

Rules

The rules are adopted from the Ethereum Foundation’s bug bounty program rules and apply to the Opium Protocol bug bounty program:

  • Issues that have already been submitted by another user or are already known to the Opium team are not eligible for bounty rewards.

  • Public disclosure of a vulnerability makes the reported bug ineligible for a bounty.

  • The Opium core development team, core units, contributors, and all other people paid by the Opium Ecosystem, directly or indirectly (including the external auditors), are not eligible for rewards.

  • Submissions should be within the bounty scope outlined below.

Scope

Attack vectors that affect the off-chain components of the architecture are outside the scope of the bounty program, but their submission is still welcome. Examples of such threats are:

  • Vulnerabilities in the supported third-party wallets

  • XSS attacks

  • DDoS

Furthermore, smart contract bugs that do not lead to a loss of funds may be classified as posing no threat and therefore not be eligible for the bounty.

The scope of the present bounty is focused solely on smart contracts developed by the Opium core contributors for the Opium Protocol. The list of codebases eligible for the bounty program includes but is not limited to:

https://github.com/OpiumProtocol/opium-protocol-v2

https://github.com/OpiumProtocol/opium-contracts

https://github.com/OpiumProtocol/erc721o

If a vulnerability satisfies the previously highlighted criteria but is not included in the list of repositories above, its eligibility will be at the discretion of the OPIUM DAO.

Compensation

  • High threat - up to 100,000 DAI

  • Medium threat - up to 20,000 DAI

  • Low threat - up to 2,000 DAI

The reward will be delivered only after the severity of the reported issue has been ascertained and a patch for the reported issue has been successfully deployed.

Submission process

Send your bug findings to the Discord or contact the core contributors on Telegram.

The vulnerability must not be disclosed publicly or to any other person, entity or email address before the Opium team has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, the vulnerability must be reported to the Opium team within 24 hours of its discovery.

A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:

  • The conditions on which reproducing the bug is contingent

  • The steps needed to reproduce the bug or, preferably, a proof of concept

  • The potential implications of the vulnerability being abused

Anyone who reports a unique, previously unreported vulnerability that results in a code change or a configuration change, and who keeps that vulnerability confidential until it has been resolved by our engineers, will be recognized publicly for their contribution if they so choose.
