DO NOT CREATE A GITHUB ISSUE to report a security problem. Instead, please send an email to [email protected] with a detailed description of the attack vector and security risk you have identified.
marginfi offers bug bounties for marginfi's on-chain program code. UI-only bugs are omitted.
| Severity | Bounty |
|---|---|
| Critical | 10% of the value of the hack, up to $500,000 |
| High | $10,000 to $50,000 per bug, assessed on a case by case basis |
| Medium/Low | $1,000 to $5,000 per bug, assessed on a case by case basis |
| |
The severity scale is based on Immunefi's classification system. Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
Please email [email protected] with a detailed description of the attack vector. For critical- and high-severity bugs, we require a proof of concept reproducible on a privately deployed mainnet contract (NOT our official deployment). You should expect a reply within 1 business day with additional questions or next steps regarding the bug bounty.
Bug bounties will be paid in USDC or equivalent.
A number of attacks are out of scope for the bug bounty, including but not limited to:
- Attacks that the reporter has already exploited themselves, leading to damage.
- Attacks requiring access to leaked keys/credentials.
- Attacks requiring access to privileged addresses (governance, admin).
- Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).
- Lack of liquidity.
- Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).
- Best practice critiques.
- Sybil attacks.
- Attempted phishing or other social engineering attacks involving marginfi contributors or users
- Denial of service, or automated testing of services that generate significant traffic.