Inverse Finance Sec-Ops Team has set up a 20,000 DOLA Bug Bounty vault on Hats.Finance. Users can report bugs anonymously through Hats to be reviewed by our committee. Inverse Finance has previously settled one bug bounty payout of 20,000 privately. Read more about the Inverse Finance Hats.Finance Bug Bounty Program here.
All smart contracts of Inverse Finance can be found at https://github.com/InverseFinance. However, only those items explicitly listed in the Assets in Scope tables below are considered eligible for Inverse’s bug bounty program and, therefore, in-scope. We consider bug bounties to be a lasting complement to any external or in-house security audit capabilities that Inverse Finance develops. As such, smart contracts will only be eligible for the Bug Bounty Program once they have undergone our review process which may include rigorous testing by a third party auditor. Further information or risk prevention can be found in the RWG Gitbook.
The following vulnerabilities are excluded and ineligible from the bug bounty program rewards:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third party oracles
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
- Theoretical vulnerabilities without any proof or demonstration
- Attacks requiring physical access to the victim device
- Attacks requiring access to the local network of the victim
- Reflected plain text injection ex: url parameters, path, etc.
- This does not exclude persistent plain text injection
- Captcha bypass using OCR without impact demonstration
- CSRF with no state modifying security impact (ex: logout CSRF)
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
- Server-side non-confidential information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities used only to enumerate or confirm the existence of users or tenants
- Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
- Lack of SSL/TLS best practices
- DDoS vulnerabilities
- Feature requests
- Issues related to the frontend without concrete impact and PoC
- Best practices issues without concrete impact and PoC
- Vulnerabilities primarily caused by browser/plugin defects
- Leakage of non sensitive api keys ex: etherscan, Infura, Alchemy, etc.
- Any vulnerability exploit requiring browser bugs for exploitation. ex: CSP bypass
- Any vulnerability related software-as-a-service used by Inverse for collaboration or communications including but not limited to email, document sharing systems like Google Drive, Discord, forums, Twitter, or other social media.
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our DAO contributors and/or users
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Please feel free to contact our the Risk Working Group via our Discord Server with any questions about the rules or rewards for this program.