Wrapped Products Bounty Program

This bug bounty program currently supports wXTZ and wALGO.

Each of our Wrapped Products has undergone security audits through Trail of Bits. However, additional undiscovered vulnerabilities may still exist. The following is a bug bounty program to encourage the discovery and disclosure of said vulnerabilities in good faith.

Smart Contracts

Critical $10,000 USD:

  • Stealing funds from vaults or minting wrapped tokens

  • Freezing/burning wrapped tokens

  • Update of critical security components (e.g. changing multisig address)

  • General critical issues that severely impact the system or user’s funds

High/Moderate $2,500 - $5,000 USD:

  • Update of key components (e.g. changing values on fee points)

  • Stopping/severely slowing functionality to mint or redeem

  • General high/moderate issues impacting the normal usage of the system

Low $100 - $1,000 USD:

  • Informational disclosures

  • General issues posing no risk to the functionality of the product

Please submit all potential vulnerabilities to [email protected] and we will follow up with you promptly. Any issue submitted should be clear and reproducible by our engineering team.

Payouts are subject to StakerDAO’s discretion.

Terms and Conditions

To be eligible for bug bounty reward consideration, you must:

  • Identify an original, previously unreported, non-public vulnerability within the scope of the StakerDAO bug bounty program as described above.

  • Include sufficient detail in your disclosure to enable our engineers to quickly reproduce, understand, and fix the vulnerability.

  • Be at least 18 years of age.

  • Be reporting in an individual capacity, or if employed by a company, reporting with the company’s written approval to submit a disclosure to StakerDAO.

  • Not be subject to US sanctions or reside in a US-embargoed country.

  • Not be a current or former StakerDAO employee, vendor, contractor, or employee of a StakerDAO vendor or contractor.

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we require that you:

  • Play by the rules, including following the terms and conditions of this program and any other relevant agreements. If there is any inconsistency between this program and any other relevant agreements, the terms of this program will prevail.

  • Report any vulnerability you’ve discovered promptly.

  • Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience.

  • Use only [email protected] to discuss vulnerabilities with us.

  • Keep the details of any discovered vulnerabilities confidential until they are fixed.

  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.

  • Only interact with accounts you own or with explicit permission from the account holder.

  • Not engage in blackmail, extortion, or any other unlawful conduct.

When working with us according to this program, you can expect us to:

  • Pay rewards for eligible discoveries based on the severity and exploitability of the discovery, at StakerDAO’s sole discretion.

  • Extend safe harbor for your vulnerability research that is related to this program.

  • Work with you to understand and validate your report.

  • Work to remediate discovered vulnerabilities.

  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

All reward determinations, including eligibility and payment amount, are made at StakerDAO’s sole discretion. StakerDAO reserves the right to reject submissions as a whole and/or in part and alter the terms and conditions of this program at any time.