SLURP-41 | Immunefi bug bounty program

Summary:

Immunefi proposes to the stake.link DAO that it host a bug bounty program on the Immunefi platform, giving the currently live contracts a crowd-sourced review. Doing so gives stake.link and its community access to the largest, industry-leading community of security researchers (SRs).

Web3 security is never guaranteed, even after thorough internal and external audits. A bug bounty program is essential in the Web3 space for identifying and fixing vulnerabilities: it invites the entire SR community to review your code and report vulnerabilities in exchange for a reward, before a blackhat can exploit them. Immunefi also gives would-be blackhats the option of earning an attractive reward instead of dealing with stolen funds. Unlike a traditional audit, a reward is paid to an SR only after a valid bug report has been submitted and validated by the bug bounty administrators; if no bugs are found, nothing is paid to the SRs.

Background to Immunefi

Immunefi is the largest onchain security platform for Web3 projects. Immunefi runs bug bounty programs that deliver results: 8x more vulnerabilities are found on Immunefi than on alternative platforms. Immunefi has prevented over $25B of funds from being lost to hacks and currently helps protect over $190B in user funds.

We specialize in surfacing the most mission-critical smart contract and blockchain vulnerabilities before they can be exploited, and our entire product is built around that need. Today we work with leading projects including Sky (fka MakerDAO), Optimism, Polygon, GMX, Chainlink, The Graph, Lido, LayerZero, Arbitrum, Starknet, EigenLayer, and many more. We have one mission: to protect Web3’s most important projects from getting hacked.

Cost

Immunefi proposes a maximum reward of 100 000 USD for the stake.link bug bounty program, payable for the most critical impacts. Reward amounts are adjusted according to the impact and, where relevant, the volume of funds at risk. The validity of each bug report is determined not by Immunefi but by the bug bounty program administrators; Immunefi’s mediation team is available whenever a submission is disputed. The stake.link and Immunefi teams arrived at the maximum critical reward by analyzing similar projects on our platform.

stake.link’s subscription plan will include hosting and design of the bounty program, a co-marketing plan, the Managed Triage Service, and access to Safe Harbor.

Through the Time-Saver Managed Triage Service, Immunefi will filter out all spam and low-quality reports and handle the other initial engagements with each SR, minimizing the time the administrators spend triaging reports. The plan provides 24/7 coverage for every bug report submitted to the program, so the administrators are never bothered by spam or low-quality reports.

Safe Harbor, offered through Immunefi, is a legal framework developed by the Security Alliance (SEAL). It authorizes whitehat SRs to rescue stake.link’s funds during an active blackhat attack and redirect them to a protocol-controlled vault on Immunefi, in exchange for a reward of up to 60% of the maximum critical reward.

The total cost of this service for the first year is $27,450, payable in USDC. The plan is all-inclusive: no matter how many bugs are found, no additional fee is owed to Immunefi. This price includes a discount from our standard rate owing to our relationship with Sigma Prime.

Stake.link Bug Bounty Program on Immunefi

Assets: the smart contracts in scope are those listed on stake.link’s Deployed Contracts documentation page; the web/app asset in scope is the stake.link website.

Impacts: the impacts in scope are based on Immunefi’s severity classification system.

Reward: The following is the breakdown of the reward payout for Smart Contract vulnerabilities:

  • Critical: $10 000 - $100 000
  • High: $5 000 - $10 000
  • Medium: $2 000
  • Low: $1 000

Critical and High smart contract rewards are given as a range because payouts for these impacts scale with the funds at risk. Immunefi recommends capping the Critical and High rewards so that payouts never exceed the client’s security budget.

The following is the breakdown of the reward payout for Web/App vulnerabilities:

  • Critical: $5 000 - $10 000
  • High: $4 000
  • Medium: $2 000
  • Low: $1 000

The Critical web/app reward is also a range. The maximum payout applies only to reports demonstrating “loss of funds” or “private key or private key generation leakage leading to unauthorized access to user funds”.

Thank you to the stake.link DAO for taking the time to read through our proposal for stake.link’s bug bounty program. We look forward to providing this security enhancement for the community’s peace of mind.


Thanks to everyone involved in bringing this SLURP forward. I believe it aligns perfectly with SDL DAO’s security-first approach, especially as the protocol continues to grow in TVL, smart contract complexity, and integrations across the ecosystem. As it expands into new verticals and becomes more composable with other DeFi dApps, it’s essential to demonstrate strong security practices to both users and partners. Immunefi has a proven track record for helping protocols proactively identify and fix vulnerabilities, and this partnership would reinforce our long-term resilience.

One question for clarity: will the scope of this bounty program automatically extend to future verticals (e.g. stPOL) once contracts are deployed?


Hey Ari, thanks for your feedback!

Regarding your question about extending the program’s scope to include future live contracts: we will be able to add new assets to the program at any time after the program goes live. We have a full support team that services all the bounty programs on our platform and helps update them, whether that means adding new contracts, increasing rewards, etc. The program administrators can ping our team and we will help update it at any time.


I am all for this. Great to see a bug bounty bolster the strength of SDL security with the reputation of Immunefi.


I’m in favor of this proposal as well. I think we should work with the top audit firms and bug bounties to make sure the protocol is as safe as possible, with many eyes on it.

Definitely in favor. Better safe than sorry!
