pSTAKE is on the path to creating a comprehensive and robust multi-chain liquid staking ecosystem. As we aim to have millions of user funds liquid staked via the protocol, security is of the utmost importance for us.
The following post outlines the Immunefi bug bounty program for stkBNB which will be live within the first week of the mainnet launch (8 August 2022) to incentivise white-hat hackers to report any bugs they may find.
Immunefi is Web3’s leading bug bounty platform (protecting USD100 billion in user funds) through which security researchers, developers, and more can review code and disclose vulnerabilities in smart contract based applications for compensation.
The bug bounty program covers stkBNB’s smart contracts and apps and is focused on the prevention of loss of user funds, denial of service, governance hijacks, data breaches, and data leaks.
The details of the bug bounty program are as follows:
Rewards by Threat Level
Based on the Immunefi Vulnerability Severity Classification System 2 (IVSCS), rewards are distributed according to the impact of the vulnerability.
This is a simplified 5-level scale (separate for websites/apps and smart contracts/blockchains) encompassing all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.
Smart Contracts and Blockchain*
- Critical - USD 25,000 to USD 300,000
- Loss of user funds:
- 10% of assets at risk, minimum USD 50,000 and maximum USD 300,000
- Loss of non-user funds (e.g. treasury):
- 10% of assets at risk, minimum USD 25,000 and maximum USD 200,000
- Loss of user funds:
- High - USD 20,000 to USD 100,000
- 10% of assets at risk, minimum USD 20,000 and maximum USD 100,000
- Medium - USD 20,000
- Low - USD 1,000
Website and Apps*
- Critical - USD 20,000
- High - USD 5,000
- Medium - USD 2,000
- Low - USD 1,000
*The numbers mentioned above are tentative and will be finalized before launching the bug bounty program. The impacts covered by the bug bounty program & their severities will be updated on the stkBNB Immunefi Bug Bounty Program page.
All smart contracts, and web and app bugs must come with a Proof of Concept (PoC) to be accepted. All such bug reports without a PoC will be rejected with a request to include the PoC.
Payouts are handled by the pSTAKE team directly and are denominated in USD. Payouts can be done in PSTAKE, USDC, and BUSD, at the discretion of the pSTAKE protocol.
Assets in Scope
| Target | Type |
|---|---|
| GitHub - stkBNB deployed smart contracts | Smart Contract |
| pSTAKE Website | Website/App |
| pSTAKE stkBNB Web App | Website/App |
Links to above Smart Contracts & Web App will be added once they are deployed on the mainnet. Other rules and details for the bug bounty program including bifurcation of bugs based on impact, out of scope activities, etc will be listed during launch of the bug bounty program on Immunefi.
While we are confident in the security of the protocol after audits by Peckshield, Halborn, and Certora, we remain vigilant and have put a heavy price on security: the allocation being up to USD 300,000 for each discovered critical bug
Please note that this amount is not a guaranteed spend, but a reserve in case exploits are found. This amount might have to be topped up in case of severe and critical bugs, or when the TVL of the protocol grows significantly.