Bug Bounty
Firm Money Bug Bounty
If you discover a vulnerability specific to Firm Money's changes from base Liquity V2 (new collaterals, debt limits, price feeds, SuperToken proxy, etc.), please report it responsibly to the Firm Money team.
Liquity's Bug Bounty
A bug bounty program is also live for the underlying Liquity smart contracts that Firm Money uses. We intend for hackers to look for smart contract vulnerabilities in the system that can lead to loss of funds or locked components.
Check out Liquity's bug bounty program for the most up-to-date information.
The preferred way to submit a vulnerability is through Liquity's Vault on Hats Finance. If, for any reason, Hats can't be used, vulnerabilities can also be sent using the method described below.
Rewards will be awarded at the sole discretion of Liquity AG. The quality of the report and reproduction instructions can impact the reward. Rewards are denominated and paid out in USD. If both parties agree, rewards can also be paid out in crypto assets.
Reporting a Vulnerability
Please responsibly disclose any findings to the development team, following these instructions:
In order to report a vulnerability, please write an email to security@liquity.org with [SECURITY DISCLOSURE] in the subject of the email.
For sensitive vulnerabilities, please encrypt the email using this PGP key (Fingerprint: D4BA B0E7 3B99 4FC5 79DC 9E0A C640 0C72 C5B8 CA28).
We will make our best effort to reply in a timely manner and provide a timeline for resolution.
Please include a detailed report on the vulnerability with clear reproduction steps. The quality of the report can impact the reward amount.
Scope
In scope for the bug bounty are all the smart contract components of the Liquity V2 protocol. They can be found in the following repository: https://github.com/liquity/bold
Additionally, Firm Money's changes are in scope: https://github.com/firm-money/firm
Out of scope
Known issues will not be rewarded.
Eligibility
Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first report will be awarded the bounty.
Public disclosure of the vulnerability, before explicit consent from Liquity AG to do so, will make the vulnerability ineligible for a bounty.
Attempting to exploit the vulnerability in a public network will also make it ineligible for a bounty.