Voltz Bug Bounty Program
We are extremely diligent and conscious of the security of Voltz Protocol and all the supporting infrastructure. As a result, the Smart Contracts that power Voltz Protocol v1 have been audited by leading third-party research firms.
Alongside third-party auditors we want help from the community in ensuring Voltz Protocol remains secure. As a result, we are launching a generous bug-bounty program on Immunefi. We look forward to your help in creating one of the most important lego-blocks of a new financial system!
Reward Table
The table below outlines the impacts in scope accepted by the bug bounty program.
Severity
USD Amount
Impacts Covered
Critical
$100,000
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
Low
High
- Insolvency
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
$15,000
Medium
- Smart contract unable to operate due to lack of funds
- Black stuffing for profit
- Theft of gas
- Unbounded gas consumption (gas drainage)
$5,000
$1,000
- Smart contract fails to deliver promised returns, but doesn’t lose value
Smart Contract Scope
The bug bounty program is limited to the issues and vulnerabilities that have an effect on Voltz Protocol.
Vulnerabilities that fall into the below categories are of particular interest to us:
- Re-entrancy Logic
- Errors Integer
- Overflow/Underflow
- Composability Vulnerabilities
- Interest Rate Oracle manipulation
- Susceptibility to block timestamp manipulation
Vulnerabilities that are excluded from the programme are:
- DDOS attacks
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance)
- Lack of liquidity
- Best practice critiques
Reporting Guidelines
- It is critical to proactively aim to cause no issues to the UX of the protocol and/or interfere with Voltz Protocol contract deployments
- The bug reports should only be done via the Immunefi UI
- A reporter cannot be one of our current or former team members, vendors, contractors or an employee of any of those contractors or vendors
- Report a single vulnerability per submission, unless it is necessary to chain vulnerabilities to provide context regarding any of the issues
Disclosures
Following is not allowed in the scope of the programme:
- Any testing with mainnet or public testnet contracts; all testing should be done in private development environments
- Attempting phishing or other social engineering attacks against our team
- Any testing that involves third party applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Other terms
The decisions regarding the reward payouts are made by our team. The terms of the program may change as the protocol and DAO evolves.
People Powered Protocol
We look forward to welcoming you to the Voltz Discord server. Our community would love to answer any outstanding questions or queries you may have!
About Immunefi
Immunefi is Web3’s leading bug bounty platform, protecting $100 billion in user funds. Immunefi is the premier bug bounty platform for smart contracts and DeFi projects, where security researchers review code, disclose vulnerabilities, get paid, and make crypto safer. Immunefi removes security risk through bug bounties and comprehensive security services.
About Voltz
Voltz is a noncustodial automated market maker for Interest Rate Swaps (IRS). The protocol uses a concentrated liquidity virtual AMM (vAMM) for price discovery only, with the management of the underlying assets performed by the Margin Engine. The combined impact of these modules means counterparties can create and trade fixed and variable rates through a mechanism that is up to 3,000x more capital efficient than alternative interest rate swap models.