Enhancing Lido Bug Bounty Terms
As staked assets under Lido continue to grow, and as we expand the number of supported staking networks beyond Ethereum, we see fit to enhance the scope of our bug bounty to continuously incentivise protocol review.
For more information on the Lido Bug Bounty program, please visit the relevant links below:
With Lido TVL growing, we want to ensure the best possible security practices every step of the way as our protocol expands along with TVL.
Live since May 2021, the Lido Immunefi bug bounty has now been updated to cover up to $2m (up from a maximum of $100k) in payouts for threats. Furthermore, supported networks now include Solana as well. The vote to enhance the terms of the bug bounty is viewable here.
As a mission-critical project, we feel that these changes properly reflect our growing commitment to keeping the Lido staking protocol secure.
Rewards Classification & Distribution
Bug bounty rewards are distributed according to each vulnerability's classification under the Immunefi Vulnerability Severity Classification System, and all web and app bugs must come with a PoC in order to be accepted. Once a report is accepted, payouts are handled directly by Lido; they are denominated in USD and can be paid in a currency preferred by the bounty hunter (ETH, DAI, RAI, LDO, etc.).
The rewards by threat level are covered in greater detail below:
1. Smart Contracts and Blockchain
Critical (steal or freeze the contract’s holdings)
- Old: $100k
- New:
  - Loss of user funds: 1% of assets at risk, min $100k, max $2m
  - Loss of non-user funds (e.g. treasury): 1% of assets at risk, min $50k, max $1m
High (temporarily prevent transfer, theft of yield)
- Old: $20k
- New: 1% of assets at risk when attack persists for 1 month, min $20k, max $400k
Medium (griefing where attacker spends proportional to damage)
- Old: $5k
- New: 1% of assets at risk when attack persists for 1 month, min $5k, max $100k
Low (failing to deliver promised returns)
- Old: $1k
- New: $2k
2. Websites and Apps
Critical (RCE, injections, SSRF)
- Old: $20k
- New: $40k
High (privilege escalation, private key leaks, XSS)
- Old: $7.5k
- New:
  - If attack can modify the transaction users approve so it sends funds to the wrong address: $40k
  - Otherwise: $7.5k (unchanged)
Medium (Cloud bucket uploads, authenticated CSRF)
- Old: $3.25k
- New: $3.25k (unchanged)
Low (clickjacking, DoS)
- Old: $500
- New: $500 (unchanged)
Within the scope of the Lido bug bounty are both smart contracts and domains active on the mainnet.
Smart contracts and domains/subdomains labelled as testnet, and those not listed below, do not fall under the scope of the Lido bug bounty.
- Smart Contract - https://docs.lido.fi/deployed-contracts
- Smart Contract - https://github.com/lidofinance/dc4bc
- Smart Contract - https://github.com/lidofinance/steth-price-feed
- Smart Contract - https://github.com/lidofinance/curve-merkle-oracle
- Smart Contract - https://github.com/lidofinance/lido-dao
- Website/App - https://lido.fi
- Website/App - https://stake.lido.fi
- Website/App - https://solana.lido.fi
- Website/App - https://help.lido.fi
For a full overview of prioritised vulnerabilities as well as scope and rules, please visit immunefi.com/bounty/lido.
We are honoured by the work of Lido bounty hunters to date and are grateful for the energy and passion that has been put into reviewing the Lido protocol. We are hopeful that this increase in bug bounty terms reflects this and continues to motivate followers to scrutinise our work.
If you have any questions or would like to collaborate with us, please feel free to contact us via [email protected].