Below we describe UXD's bug bounty program. Bounty amounts, criteria, and award denomination are subject to change.
UXD Protocol is proud to offer a generous bug bounty program in order to align the incentives of users and various security testers. UXD Protocol believes a generous bug bounty program is key to protocol security, as it makes the decisions of white and grey hat hackers more aligned with the users of UXD.
The program will initiate at UXD Protocol's launch, on January 18th at 14:00 UTC. Although UXD's smart contracts are not yet open sourced, we will still be awarding any critical issues that may be found.
2% of UXP is allocated to our bug bounty program, coming from the "Community Fund" token allocation. Eventually, these funds may be redirected towards protocol development if voted on by the forthcoming DAO.
Please direct all bug bounty inquiries to [email protected]. Please provide a detailed description of the attack vector. If it is possible, we require a demonstrated proof-of-concept on a privately deployed mainnet contract.
The following are out of scope for the bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage and/or loss of funds.
- Attacks that the reporter has deployed on a public mainnet which is consequently used by an attacker to exploit, even if the reporter was not the attacker
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to other privileged addresses (governance, admin)
- Incorrect data supplied by third party oracles (This does not exclude oracle manipulation/flash loan attacks)
- Issues arising solely from liquidity
- Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts)
- Best practice critiques
- Sybil attacks