Program Overview

The classification of severity levels is determined by Immunefi Vulnerability Severity Classification System. It is important to note that these levels are merely suggestions and each bug bounty submission will be individually assessed.

Invalid Bug Bounties

The following are not covered by the bug bounty program:

• Incidents where the reporter has caused harm by exploiting the vulnerability themselves.

• Vulnerabilities that can only be exploited by utilizing leaked keys or credentials.

• Vulnerabilities that require access to privileged addresses such as governance or admin addresses.

• Issues caused by incorrect data supplied by external oracles (however, oracle manipulation or flash loan attacks are still in scope)

• Situations where there is a lack of liquidity.

• Errors made by third-party off-chain bots (e.g. bugs in an arbitrage bot running on the smart contracts)

• Suggestions for best practice or critiques.

• Sybil attacks.