Lido on Polygon | Bug Bounty Terms
In collaboration with Shard Labs and Immunefi, we’re pleased to unveil our comprehensive bug bounty program for Lido on Polygon. Earn up to $2 million in bounties - with no KYC requirements - for helping us ensure the security of a cutting-edge liquid staking solution for Polygon.
Get started on immunefi.com/bounty/lidoonpolygon.
Lido On Polygon
Working in conjunction with Shard Labs, Lido launched liquid staking for Polygon in March 2022.
Built around stMATIC, Lido now lets users earn staking rewards on their MATIC without the need for complex infrastructure or locked/illiquid tokens. With Lido, MATIC ecosystem participants can generate staking rewards and contribute to the security and stability of the Polygon chain through 1-click staking.
Lido on Polygon launched with an initial $1m cap on staked assets. This cap was raised to $10M and staked assets have since grown to approximately $7.4m at the time of writing.
Bug Bounty Scope
For a full overview of the scope of the bug bounty, please visit immunefi.com/bounty/lidoonpolygon.
Only the impacts listed below are accepted within this bug bounty program:
Smart Contracts
1. Critical
- Any governance voting result manipulation
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Miner-extractable value (MEV)
- Insolvency
- Theft of unclaimed yield
2. High
- Permanent freezing of unclaimed yield
- Temporary freezing of funds for a minimum period of 24 hours
3. Medium
- Smart contract unable to operate due to lack of funds
- Block stuffing for profit
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
4. Low
- Smart contract fails to deliver promised returns, but doesn’t lose value
Websites and Applications
1. Critical
- Ability to execute system commands
- Extract Sensitive data/files from the server such as /etc/passwd
- Stealing User Cookies
- Taking Down the application/website
- Signing transactions for other users
- Redirection of user deposits and withdrawals
- Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)
- Wallet interaction modification resulting in financial loss
- Direct theft of user funds
- Tampering with transactions submitted to the user’s wallet
- Submitting malicious transactions to an already-connected wallet
2. High
- Spoofing content on the target application (Persistent)
- Users Confidential information disclosure such as Email
- Subdomain Takeover without financial loss (applicable for subdomains with no addresses published)
- Privilege escalation to access unauthorized functionalities
3. Medium
- Changing details of other users without direct financial impact (CSRF)
- Third-Party API keys leakage that demonstrates loss of funds or modification on the website.
- Redirecting users to malicious websites (Open Redirect)
4. Low
- Framing sensitive pages leading to financial loss (ClickJacking)
- Any impact involving a publicly released CVE without a working PoC
- Broken Link Hijacking
Payouts are handled by the Lido on Polygon team directly and are denominated in USD. Payouts can be done in ETH, DAI, RAI or LDO, at the decision of the bug bounty hunter.
Moving Forwards
At Lido, our priority is the security of our staking solutions and ensuring the long-term well being of both our users and the surrounding staking communities. It is for this reason that we’re offering a bug bounty, inviting third-party developers to test out the robustness of our systems.
If you have any questions or desire to collaborate with us, please feel free to contact us via info@lido.fi.
Happy hunting!