An ongoing bug bounty for the smart contracts of the mStable protocol is now live. We intend for hackers to look for smart contract vulnerabilities in our system that can lead to loss of collateral, unfair payouts or locked components. We want mStable to be as resilient as possible - submit a bug and earn a reward of up to US$25,000 (or more in extreme circumstances). Submissions must adhere to the bug bounty rules.
Rewards will be awarded at the sole discretion of the mStable team. Quality of the report and reproduction instructions can impact the reward. Rewards are denominated in USD and will be paid out in mUSD.
The bug bounty program is ongoing and has been running since June 05th, 2020.
NB: Payout amounts increased (max 25k) as of July 14th, 2020.
The reward will be based on the following severity scheme, based on the OWASP risk rating methodology:
The bug bounty is applicable to mStable's solidity contract suite, specifically any contracts residing in mstable/mStable-contracts/contracts on "master" branch (excluding the "z_mocks" sub-folder).
Any front-end applications or client-side code interacting with the contracts, as well as testing code
Mismatch of the functionality of the contracts and outdated spec documents
Loss of collateral or stealing of funds from the mAsset, resulting in it becoming under-collateralised (related:
Unfair payouts through SAVE, MINT, REDEEM or SWAP functionalities that results in under-collateralised or affected system (related:
Manipulating or circumvention of mStable governance mechanism (related:
Locking or freezing or any of the mStable contracts or inability to upgrade (related:
Ineffective or error prone forge validation mechanisms (related:
Public disclosure of the vulnerability, before explicit consent from mStable to do so, will make the vulnerability ineligible for a bounty
Attempting to exploit the vulnerability in any public Ethereum network will also make it ineligible for a bounty
Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first report will be awarded the bounty
If you want to add more information to a provided issue, create a new submission giving reference to the initial one
Rewards will be decided on a case by case basis and the bug bounty program, terms, and conditions are at the sole discretion of mStable
Submissions need to be related with the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward
Any interference with the protocol, client or platform services, on purpose or not during the process will make the submission invalid
Terms and conditions of the bug bounty process may vary over time
It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward
While researching, we’d like to ask you to refrain from:
Denial of service
Social engineering (including phishing) of mStable staff or contractors
In case you discover a vulnerability, we would like to know about it immediately so we can take steps to address it as quickly as possible.
If you discover a vulnerability, please do the following:
E-mail your findings to email@example.com with the subject "Bug bounty"
Do not take advantage of the vulnerability or problem you have discovered
Do not reveal the problem to others until it has been resolved
Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties;
Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Complex vulnerabilities may require further explanation so we might ask you for additional information
We promise the following:
We will respond to your report with a confirmation of receipt, followed by our evaluation of the report and an expected resolution date within 3 business days
If you have followed the instructions above, we will not take any legal action against you in regard to the report
We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission
If you so wish we will keep you informed of the progress towards resolving the problem;
In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise)
We offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak, the quality of the report and any additional assistance you provide