Today, Alpha Finance Lab is joining hands with Immunefi and Armor to create a thorough and active bug bounty program. Our official bug bounty program can be found on Immunefi’s platform here and verification of this program can be found in Alpha’s documentation.
Bug bounty programs in DeFi have typically been 'passive': they rely on external security researchers to hunt for bugs in their own time. That model has worked so far, but we believe the most secure programs are 'active', with established incentive structures and a process that consistently brings bounty hunters to the code so that bugs are identified continuously.
Our partnership with Immunefi and Armor puts this active management into practice: Immunefi's community of developers and security researchers will continuously review every existing and new line of code Alpha Finance Lab publishes, in exchange for the rewards we have set for each vulnerability severity.
Now, let's dive into the program specifics of our Immunefi and Armor partnership for all you bounty hunters out there.
Bug Bounty Program
Rewards for bounty hunters are distributed according to the impact of the vulnerability, as rated on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and for smart contracts/blockchains, that takes into account the consequences of exploitation, the privilege required and the likelihood of a successful exploit. Since our program currently covers only smart contracts and blockchain code, the tiered payouts are as follows:
Smart Contracts and Blockchain
- Critical*: up to USD 750,000
- High: USD 20,000
- Medium: USD 5,000
- Low: USD 1,000
*Critical payouts are capped at 10% of the economic damage the vulnerability could cause, and consist of up to $500,000 from the Alpha Finance team plus up to $250,000 from the Armor Alliance Bug Bounty program.
Payouts are handled directly by the Alpha Finance and Armor teams. They are denominated in USD but paid in ALPHA and ARMOR. For a critical smart contract vulnerability, up to $500,000 is paid in ALPHA: up to $100,000 upfront, with the remainder vesting at $50,000 per month. Any amount above $500,000 is paid in ARMOR under the Armor Alliance Bug Bounty Challenge provided by ArmorFi, with a vesting period of up to 24 months, for a maximum total payout of $750,000. All critical payouts remain capped at 10% of economic damage.
For bugs that do not put user funds at risk, the qualified bounty is paid to the whitehat from the Alpha Finance Lab treasury. For bugs that could lead to loss of user funds, it is paid from Alpha Staking, since staking exists so that community members help secure the protocol in exchange for the protocol fees Alpha Finance Lab collects across all Alpha products.
Assets in Scope
*Contract address for Alpha Homora v2 on Ethereum will be shared once relaunched.
Prioritized Smart Contract/Blockchain Vulnerabilities
While all identified bugs should be reported, we are especially interested in receiving and rewarding vulnerabilities of the following types:
- Logic errors
  - Including user authentication errors
- Solidity/EVM details not considered
  - Including integer over-/under-flow
  - Including unhandled exceptions
- Trusting trust/dependency vulnerabilities
  - Including composability vulnerabilities
- Oracle failure/manipulation
- Novel governance attacks
- Economic/financial attacks
  - Including flash loan attacks
- Congestion and scalability
  - Including running out of gas
  - Including block stuffing
  - Including susceptibility to frontrunning
- Consensus failures
- Cryptography problems
  - Signature malleability
  - Susceptibility to replay attacks
  - Weak randomness
  - Weak encryption
- Susceptibility to block timestamp manipulation
- Missing access controls / unprotected internal or debugging interfaces
Out of Scope Vulnerabilities and Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third party oracles
  - This does not exclude oracle manipulation or flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
The following activities are prohibited for this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
The explosive growth DeFi has undergone in the past 16 months, from $700M in total value locked (TVL) at the beginning of 2020 to over $54B TVL today (and this excludes DeFi beyond Ethereum), means security for DeFi protocols has never been more crucial. As bug bounty programs become an increasingly vital component of security in DeFi, the passive bounty model used back in 2020 may not be as effective in the current DeFi environment, which is why we have joined hands with Immunefi and Armor to create an active bug bounty program.
At Alpha Finance Lab, security (including an active bug bounty program) is the cornerstone of our ecosystem. We have thought through and implemented our own security model, as covered in our earlier blog post. To recap, the security model implemented for all Alpha products includes:
- Multiple audits by top audit firms
- Continuous external peer reviews
- Continuous internal reviews
- Internal monitoring tools
- Active bug bounty program
We hope this thorough security model, and our active bug bounty program with Immunefi and Armor, sets an example for other DeFi projects to follow, as we believe sustainable security for DeFi will require collaboration across the entire DeFi landscape.
About Alpha Finance Lab
Alpha Finance Lab is a DeFi lab on a mission to build an ecosystem of DeFi products (the Alpha ecosystem), consisting of innovative building blocks that capture unaddressed demand in key pillars of the financial system. These building blocks will interoperate, creating an Alpha ecosystem that offers an innovative and more capital-efficient way to bank in DeFi.
Alpha Homora is Alpha Finance Lab's first product and DeFi's first leveraged yield farming product, capturing the market gap in lending, one of the key pillars of the financial system.