Security of our system is of the utmost importance to us. We recognize the complexity of the protocol, the difficulties in deploying issue-free software, and the responsibility of maintaining a value-bearing protocol. Therefore, we’ve made a considerable effort to ensure the system has been reviewed by top security firms and heavily scrutinized line by line internally.
Set Protocol is audited by OpenZeppelin and ABDK consulting. You can find the reports from those audits below.
Our Set Protocol contracts repo has 100% line and branch coverage over the span of over 840+ unit, integration and simulation tests. Every line of smart contract code for Set Protocol is open source, and we encourage technical community members to review and verify our code (Link to Set Protocol V2 Github). For more information on our system, view the Litepaper.
Set Protocol V2 has completed 2 external audits with OpenZeppelin and ABDK Consulting for its Core Protocol contracts (SetToken, Controller). These contracts have been secure since the beginning of Set Protocol V2.
Link to the Core Protocol reports can be found below:
Set Protocol Bug Bounty Program will run continuously and pay up to $50,000 for critical exploits and is open to anyone interested in helping to improve the security of Set Protocol.
The bug bounty program will cover exploits found in Set Protocol. The codebases in scope can be found our smart contract repository here.
Main areas of Interest
Loss of assets
A user authorized a transaction or trade but spends more assets than expected
A user’s assets are moved out of their account that they did not authorize
A Rebalancing SetToken or SetToken becomes undercollateralized by its underlying components.
Unintended contract state
A user is able to update the state of a contract such that it is no longer usable
Any assets get unexpectedly “stuck” in a contract with regular use of the contract’s public methods.
A user is able to freeze the assets in the Vault smart contract
A non-permissioned user is able to make an unauthorized transaction
Exploits will be evaluated on the extent to which they materially pose a risk to user funds and the liveness of the protocol.
Payout eligibility will be evaluated under the sole discretion of Set Labs.
We will only consider submissions outlining issues outside of those already documented in previous audit reports.
When duplicates occur, we may only award the first report that was received.
Before discussing your findings publicly, please inform us and allow us a reasonable timeframe to fix the vulnerability.
Please send any questions & submit any findings to [email protected] and include [Bug Bounty] in the subject line. Anonymous submissions are accepted.
Compensation will primarily be based on the severity of the bug found. To determine a bug’s severity, we will use the OWASP risk assessment methodology.
Image for post
In calculating the payout, we will also consider the quality of the submission. This includes a clear description, a test case, and a provided fix. The payouts are guided by the below estimates, but are determined at the sole discretion of Set Labs.
Image for post
All bounties are payable in Sets of your selection at the equivalent value at the time of payment.