Skip to content
Submit a form
Submit issue
  • There are no suggestions because the search field is empty.

Marinade's bug bounty program

Participating in Marinade’s Bug Bounty Program is straightforward. Follow these steps to report a vulnerability and earn a reward:

    1. Identify a Vulnerability:

      • Conduct a thorough review of the Marinade protocol to identify potential security issues.

    2. Report the Bug:

      • Submit a detailed report of the vulnerability to our dedicated bug bounty team. Ensure your report includes all necessary information for replication and resolution.

    3. Await Assessment:

      • Our team will evaluate the severity and impact of the reported vulnerability using the Immunefi Vulnerability Severity Classification System.

    4. Receive Your Reward:

      • Upon successful validation and resolution of the bug, you will receive the appropriate bounty as per the reward structure.

Rewards by Threat Level

Bounties are distributed based on the impact and severity of the identified vulnerabilities. We utilize the Immunefi Vulnerability Severity Classification System, which is a simplified 5-level scale tailored for websites/apps and smart contracts/blockchains. The classification considers factors such as the consequence of exploitation, required privileges, and the likelihood of a successful exploit.

Reward Structure for Smart Contracts and Blockchain Vulnerabilities:

Threat Level Reward Amount
Critical Up to USD 250,000*
High Up to USD 15,000

Important Notes:

  • Critical Vulnerabilities:

    • Cap: Rewards for critical vulnerabilities are capped at 10% of the economic damage caused by the vulnerability.
    • Minimum Payout: There is a minimum payout of USD 50,000 for critical bug reports.
    • Considerations: The final reward amount also takes into account the funds affected, public relations (PR) impact, and brand considerations, at the discretion of the Marinade team.

  • Payout Details:

    • Currency: Rewards are primarily denominated in USD.
    • Distribution: Payouts are made in mSOL and MNDE tokens.
    • Administration: The Marinade Finance team handles all payouts directly.

Scope of the Bug Bounty Program

Understanding the scope of the Bug Bounty Program is crucial for participants to know what is eligible for rewards and what is not. The scope is divided into Assets in Scope, Impacts in Scope, Prioritized Vulnerabilities, Out of Scope Vulnerabilities, and Prohibited Activities.

A. Assets in Scope

The following assets are within the scope of this bug bounty program:

  • Smart Contracts: All smart contracts of Marinade Finance available on our GitHub repository.

B. Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are considered out of scope, even if they affect assets listed above.

  1. Loss of User Funds:

    • Freezing or theft of staked principal funds.

  2. Loss of Governance Funds:

    • Unauthorized access or manipulation leading to the loss of governance-related funds.

  3. Theft of Unclaimed Yield:

    • Unauthorized extraction of unclaimed yields.

  4. Freezing of Unclaimed Yield:

    • Preventing access to unclaimed yields through freezing mechanisms.

  5. Temporary Freezing of Funds:

    • Freezing funds for at least 6 days (2 epochs).

  6. Inaccessibility of Smart Contracts:

    • Situations where smart contracts become uncallable or non-functional.

C. Prioritized Vulnerabilities

We are particularly interested in receiving and rewarding vulnerabilities of the following types:

  1. Re-entrancy:

    • Exploits that allow multiple entries into a function before the previous execution completes.

  2. Logic Errors:

    • Including authentication errors that disrupt the intended logic of the smart contracts.

  3. Trusting Trust/Dependency Vulnerabilities:

    • Including composability vulnerabilities that arise from dependencies on other contracts or services.

  4. Oracle Failures/Manipulation:

    • Issues related to the failure or manipulation of oracles that provide external data.

  5. Novel Governance Attacks:

    • New and innovative methods to attack the governance mechanisms.

  6. Economic/Financial Attacks:

    • Including flash loan attacks that exploit economic vulnerabilities.

  7. Congestion and Scalability Issues:

    • Such as running out of gas, block stuffing, and susceptibility to frontrunning.

  8. Consensus Failures:

    • Problems that disrupt the consensus mechanism of the blockchain.

  9. Cryptography Problems:

    • Including signature malleability, susceptibility to replay attacks, weak randomness, and weak encryption.

  10. Susceptibility to Block Timestamp Manipulation:

    • Vulnerabilities that allow manipulation of block timestamps.

  11. Missing Access Controls:

    • Unprotected internal or debugging interfaces that can be exploited.

D. Out of Scope Vulnerabilities

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  1. Exploited Attacks:

    • Attacks that the reporter has already exploited themselves, leading to damage.

  2. Leaked Keys/Credentials:

    • Attacks requiring access to leaked keys or credentials.

  3. Privileged Addresses:

    • Attacks requiring access to privileged addresses (e.g., governance, strategist).

  4. Incorrect Data from Oracles:

    • Attacks based on incorrect data supplied by third-party oracles (excluding oracle manipulation/flash loan attacks).

  5. Basic Economic Governance Attacks:

    • Such as 51% attacks.

  6. Lack of Liquidity:

    • Issues arising from insufficient liquidity.

  7. Best Practice Critiques:

    • Suggestions or critiques that do not involve security vulnerabilities.

  8. Sybil Attacks:

    • Attacks involving the creation of multiple fake identities.

E. Prohibited Activities

The following activities are strictly prohibited under this bug bounty program:

  1. Testing on Mainnet/Public Testnets:

    • Any testing with mainnet or public testnet contracts. All testing should be conducted on private testnets.

  2. Testing with Pricing Oracles/Third-Party Contracts:

    • Any testing involving pricing oracles or third-party smart contracts.

  3. Phishing or Social Engineering:

    • Attempting phishing or other social engineering attacks against our employees and/or customers.

  4. Testing with Third-Party Systems:

    • Any testing with third-party systems and applications (e.g., browser extensions) as well as websites (e.g., SSO providers, advertising networks).

  5. Denial of Service (DoS) Attacks:

    • Any form of DoS attacks.

  6. Automated High-Traffic Testing:

    • Automated testing of services that generate significant amounts of traffic.

  7. Public Disclosure Before Patch:

    • Public disclosure of an unpatched vulnerability during an embargoed bounty period.