We take the security of Set Protocol very seriously and have completed smart contract audits with ABDK Consulting and OpenZeppelin.
Set Protocol Bug Bounty Program will run continuously and pay up to $50,000 for critical exploits and is open to anyone interested in helping to improve the security of Set Protocol.
The bug bounty program will cover exploits found in Set Protocol. The codebases in scope can be found our smart contract repository here.
A user authorized a transaction or trade but spends more assets than expected
A user’s assets are moved out of their account that they did not authorize
A Rebalancing SetToken or SetToken becomes undercollateralized by its underlying components.
A user is able to update the state of a contract such that it is no longer usable
Any assets get unexpectedly “stuck” in a contract with regular use of the contract’s public methods.
A user is able to freeze the assets in the Vault smart contract
A non-permissioned user is able to make an unauthorized transaction
Exploits will be evaluated on the extent to which they materially pose a risk to user funds and the liveness of the protocol.
Payout eligibility will be evaluated under the sole discretion of Set Labs.
We will only consider submissions outlining issues outside of those already documented in previous audit reports.
When duplicates occur, we may only award the first report that was received.
Before discussing your findings publicly, please inform us and allow us a reasonable timeframe to fix the vulnerability.
Please send any questions & submit any findings to [email protected] and include [Bug Bounty] in the subject line. Anonymous submissions are accepted.
Compensation will primarily be based on the severity of the bug found. To determine a bug’s severity, we will use the OWASP risk assessment methodology.
In calculating the payout, we will also consider the quality of the submission. This includes a clear description, a test case, and a provided fix. The payouts are guided by the below estimates, but are determined at the sole discretion of Set Labs.
All bounties are payable in Sets of your selection at the equivalent value at the time of payment.