Dear yelders,
We want to give you the opportunity to collaborate with us and make our project more approachable to the community. We have decided to create a Bug Bounty Program; this will give you an opportunity to make our product better, more secure & free of bugs. 🔐
The whole community is welcome to participate. Compensation ranges from $100 for a minor bug to $30,000 for a critical one.
Bug Bounty Program
You can participate in the bug bounty program for the YELD smart contracts in the following repository. The 5 contracts that we want secured are these ones:
- https://github.com/merlox/yeld-contracts/blob/master/contracts/RetirementYeldTreasury.sol
- https://github.com/merlox/yeld-contracts/blob/master/contracts/yDAI.sol
- https://github.com/merlox/yeld-contracts/blob/master/contracts/yTUSD.sol
- https://github.com/merlox/yeld-contracts/blob/master/contracts/yUSDC.sol
- https://github.com/merlox/yeld-contracts/blob/master/contracts/yUSDT.sol

The main functions in the yContracts are withdraw(), deposit(), buyNBurn(), usdtToETH(), extractYELDEarningsWhileKeepingDeposit(), getGeneratedYelds() and changeYeldToRewardPerDay(). You can ignore the other functions since they are the same as in the well-audited yearn protocol.
The entire RetirementYeldTreasury.sol is new, so all of its functions are included in the bug bounty.
We are following the OWASP risk assessment methodology to determine the bug’s level of threat to the protocol.

- Note: Up to $100 USD in YELD
- Low: Up to $1,000 USD in YELD
- Medium: Up to $2,500 USD in YELD
- High: Up to $15,000 USD in YELD
- Critical: Up to $30,000 USD in YELD
Example:
An identified attack that could steal user funds by operating the protocol would be considered a critical threat. If there were a way for someone to spend more tokens than they own, the bug would also be considered critical.
Please note that the submission’s quality will factor into the level of compensation. A high quality submission includes an explanation of how the bug can be reproduced, a failing test case, and a fix that makes the test case pass. High quality submissions may be awarded amounts higher than the values provided above.
Note that bounties will be paid in YELD (currently worth about $100 USD per token) and that team members and paid auditors are not eligible for bounty compensation.
How to submit
Submit every bug or vulnerability as an answer to this thread. More information about the project available on the announcements channel here: https://discord.gg/MmD6xsM
Soon, after the Bug Bounty Program, we are going to relaunch our dApp. Any doubts and suggestions will be answered through our channels; you can find us at:
🗣Discord: https://discord.gg/TcjXnMU
💬Telegram: https://t.me/yeldDiscussion
🐣Twitter: https://twitter.com/yeldf
Lastly, thank you for reading. We hope you will help us make our product better 💪
Sincerely,
YELD Team