This document specifies the Bug Bounty program for Yearn Finance, including the rules of the program, descriptions of eligible bugs, and the reward amount for each bug. Follow the steps in the “Submission” section at the bottom of this page and our technical developer team will contact you shortly to discuss your submission.
- Bug has not been publicly disclosed.
- Vulnerabilities that have been previously submitted by another contributor or already known by the Yearn developer team are not eligible for rewards.
- The value of rewards are paid out depending on Impact and Likelihood of an exploit, using the OWSAP risk-rating model. Please refer to the reward chart below for additional details.
- Bugs must be reproducible in order for us to verify the vulnerability. A secret Gist or git patch of a test case is a good way to provide this to us.
- Rewards and the validity of bugs are determined by the Yearn developer team and any payouts are made at the sole discretion of Yearn.
- Terms and conditions of the Bug Bounty program can be changed at any time at the discretion of Yearn.
- The Yearn Bug Bounty program adheres to the Responsible Disclosure Standard. Please refer to that document for additional details on how to handle your disclosure.
- Details of any valid bugs may be shared with complementary protocols utilized in the Yearn ecosystem in order to promote ecosystem cohesion and safety.
Severe - an issue that may result in a loss of greater than $10m of funds locked in Yearn, or may result in permanent impairment of the ecosystem.
High - an issue that may result in a loss of greater than $1m but less than $10m of funds locked in Yearn, or may result in severe damage to the ecosystem.
Medium - an issue that may result in a loss of greater than $10k but less than $1m of funds locked in Yearn, or cause either extreme user dissatisfaction or damage to the ecosystem.
Low - an issue that may result in user dissatisfaction but less than $10k loss of funds locked in Yearn.
Note - an issue that may result in minimal user dissatisfaction and no financial loss, but could be rectified to improve the Yearn ecosystem.
Certain - exploitable by anyone, with no preconditions required for success.
Likely - exploitable by anyone, under certain conditions (e.g., user with x amount of funds locked, or exploitable only over a longer period of time).
Possible - exploitable with 1 external fault required to access vulnerability, or direct access by single privileged key (e.g., Yearn strategist, bot, etc).
Unlikely - exploitable with 2 or more external faults required to access, or direct access by a compromised Yearn multi-sig or Governance system).
Maximum payouts per vulnerability:
- Severe - 40000 yUSD
- High - 10000 yUSD
- Medium - 4000 yUSD
- Low - 1600 yUSD
- Note - 100 yUSD
Reward payouts are determined by a combination of the vulnerability and likelihood classifications identified above. The rewards represent the maximum that will be paid out for a disclosure.
| Low | Medium | High | Severe | |
|---|---|---|---|---|
| Certain | 1600 | 4000 | 10000 | 40000 |
| Likely | 800 | 2000 | 5000 | 20000 |
| Possible | 400 | 1000 | 2500 | 10000 |
| Unlikely | 200 | 500 | 1250 | 5000 |
Rewards are paid out in yUSD.
The scope of the Bug Bounty program spans smart contracts utilized in the Yearn ecosystem – the Solidity and/or Vyper smart contracts in the contracts folder of the master branch of the yearn-protocol repo, including historical deployments that still see active use on Ethereum Mainnet associated with YFI, and excluding any contracts used in a test-only capacity (including test-only deployments).
Note: Other contracts, outside of the ones mentioned above, might be considered on a case by case basis, please, reach out to the technical developer team for clarification.
Please, send a detailed description of vulnerability to [email protected] and [email protected], PGP keys can be found in yearn-security repo.
In your letter include:
- Title: "Yearn Vulnerability".
- A clear, concise description.
- Steps to reproduce vulnerability.
- Areas/smart contracts affected.
- Code to reproduce the vulnerability, if available.
- Potential solutions, if available.
For faster communication reach out to @milkyklim.
Q: Is there a time limit for the Bug Bounty program?
A: No. The Bug Bounty program currently has no end date, but this can be changed at any time at the discretion of Yearn.
Q: How big is the Bug Bounty program?
A: There is currently a rolling $500,000 bounty for bugs. This amount may be changed by a Yearn governance vote.
Q: How are bounties paid out?
A: Rewards are paid out in yUSD.
Q: Can I submit bugs anonymously and still receive payment?
A: Yes. If you wish to remain anonymous you can do so and still be eligible for rewards as long as they are for valid bugs. Rewards will be sent to the valid Ethereum address that you provide.
Q: Can I donate my reward to charity?
A: Yes. You may donate your reward to a charity of your choosing, or to a gitcoin grant.