Bug Bounty

Below we describe UXD's bug bounty program. Bounty amounts, criteria, and award denomination are subject to change.

UXD Protocol is proud to offer a generous bug bounty program in order to align the incentives of users and various security testers. UXD Protocol believes such a program is key to protocol security, as it aligns the decisions of white and grey hat hackers more closely with the users of UXD.

Program Details

The program will begin at UXD Protocol's launch, on January 18th at 14:00 UTC. Although UXD's smart contracts are not yet open sourced, we will still award bounties for any critical issues that are found.

2% of UXP is allocated to our bug bounty program, coming from the "Community Fund" token allocation. Eventually, these funds may be redirected towards protocol development if voted on by the forthcoming DAO.

We use the below severity guidelines (informed by Immunefi's classification system):

Please direct all bug bounty inquiries to uxdlegal@gmail.com. Please provide a detailed description of the attack vector. If it is possible, we require a demonstrated proof-of-concept on a privately deployed mainnet contract.

Other notable exceptions

The following are out of scope for the bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage and/or loss of funds.

  • Attacks that the reporter has deployed on a public mainnet and that are consequently used by an attacker as an exploit, even if the reporter was not the attacker

  • Attacks requiring access to leaked keys/credentials

  • Attacks requiring access to other privileged addresses (governance, admin)

  • Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation/flash loan attacks)

  • Issues arising solely from liquidity

  • Third-party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts)

  • Best practice critiques

  • Sybil attacks
