Immunefi Vaults System Overview
The new Vaults System feature has been designed to increase transparency between projects and whitehats, as well as to guarantee the security and swift delivery of payments.
Now, projects can deposit and withdraw funds using a secure vault on the Immunefi platform. This vault is visible to whitehats via the Immunefi UI, which means they are able to see how much money your project has specifically deposited for potential bug bounty reward payments.
Projects that have a vault with significant funds are much more likely to receive bug reports because whitehats will be confident that the project has enough money to pay for bugs.
How to Set Up a Vault
To set up a vault, have your project admin select the ‘Vaults’ tab located in the navbar of the Immunefi Dashboard. There you will see a ‘Create vault’ button for each program you manage.
Once you click the ‘Create vault’ button, a popup window will appear asking you to accept the terms and conditions. After doing so, you will need to click ‘Connect wallet’ so that you can select the wallet that will be used to pay the transaction fees for deploying the vault.
You will also need to add an owner wallet address. It can be the same wallet that you are using to pay the transaction fees, but it does not have to be. We strongly recommend that you connect a multisig wallet because it is much more secure than a personal wallet.
The owner address denotes the address that will be used to interact with the vault. It is the only one that can withdraw funds, reward whitehats, and pay the Immunefi fee. Only one owner address can be connected to a vault, and it cannot be changed afterwards.
*Note: The program admin should OWN the address, as it is critical for later flows.
Multisig Wallet Option
If you choose a multisig wallet, then you will need to select WalletConnect as your provider.
After selecting your provider, you will be given a QR code that you can use to connect your wallet to your new Immunefi vault. Click the ‘Copy to clipboard’ button in the upper-right corner to copy the connection code, then open your multisig wallet. There, you will see an option to connect your wallet using WalletConnect. After clicking ‘Use WalletConnect’, a popup window will appear allowing you to paste the connection code, thereby connecting your wallet to your new Immunefi vault.
Personal Wallet Option
We do not recommend using a personal wallet because it is much less secure than a multisig wallet. However, if you choose to connect a personal wallet, you can connect it using either WalletConnect or MetaMask.
Deploying Your Vault
Once you have connected your wallet and selected an owner address, you will be given the chance to review your selections. When you are satisfied with your choices, click the ‘Create vault’ button. This will create a transaction that you will need to confirm in your wallet application.
After confirming the transaction, your vault will be deployed on-chain. Please note that this may take a few moments.
When the process is finished, you will be taken to a success page on the Immunefi Dashboard. Congratulations on setting up your vault!
Now all you need to do is activate the vault, and it will be visible on the Explore Bounties page. This will result in more interest from whitehats because they will see that you have set aside funds to pay bug bounty rewards.
*Note: If you encounter any issues while setting up your vault, you can always click the ‘Ask for help’ button on the bottom right side of the vault setup wizard.
How to Activate a Vault
Vaults are not activated until you have deposited assets into them. A vault that has not been activated is not visible on the Explore Bounties page, so it is important to activate it if you want to draw whitehats to your bug bounty program.
To deposit assets, your project admin should go to the ‘Vaults’ tab in the dashboard and click the ‘Deposit’ button to open the deposit window.
In the left panel of the deposit window, you will be able to see all of the assets contained in the connected wallet that are supported by our Vaults System.
If you are using a multisig wallet, you can only deposit one type of token to your vault at a time. Therefore, if you would like to deposit more than one type of asset, you will need to do it in multiple transactions.
If you are using a personal wallet, you can select how much of each asset you want to deposit.
Your selected funds along with the USD value of those funds will appear on the right panel of the window.
Values are updated every minute, and they are based on CoinGecko estimates. If you mouse over an underlined value, it will show you the last time it was updated.
Once you have selected the funds that you would like to deposit into the vault, click the ‘Deposit assets’ button. You (and the other multisig wallet owners if applicable) will then need to confirm the deposit in your selected wallet application before the funds appear in the vault.
Regarding assets currently supported, we recommend stablecoins and ETH because they are what whitehats prefer.
When you connect a wallet to deposit, supported tokens will show up. If a token is not supported, it will not show up in the deposit form.
*Note: Anyone with the vault address can deposit assets in the vault, but assets can only be withdrawn from the vault to the owner address.
Once the owner wallet is connected to the vault, you can withdraw assets to it by going to the ‘Vaults’ tab in the dashboard and clicking the ‘Withdraw’ button to open the withdrawal window.
In the left panel of the window, you can select funds from the vault that you would like to move to the owner wallet. Once you have selected the funds, you will see the calculated total in the right panel of the window.
Be sure to review the calculated total funds in the right panel, and when you are satisfied with your selection, check the acknowledgement box and click the ‘Withdraw assets’ button.
Once you (and the other multisig wallet owners) confirm the transaction with your wallet provider, the funds will appear in the owner wallet address, and you will see a confirmation pop-up window in the dashboard.
If you would like to see the transaction history of the vault, you can click ‘Options’ in the top right corner of the vault window and click the ‘See transactions’ option. This will open a new window allowing you to see the history of deposits to and withdrawals from the vault.
Paying Out a Valid Bug Report Using a Vault
To pay out a valid report using a vault, you should advance the report as you would normally. Once you have determined that the bug is valid and in scope, you and the whitehat have agreed on the severity, and the whitehat has verified their wallet address, you can proceed to payment. To do so, click the ‘Select assets’ button to open the vault window.
In the left panel of the vault window, you can select the funds that you would like to pay the whitehat with. In the right panel of the vault window, you will see the funds that you have selected for payment as well as the total USD vault balance.
You will also see the calculated 10% Immunefi fee that will be sent from the vault along with the funds you have selected to pay the whitehat with (this is done automatically, so you do not need to manually select the funds for the Immunefi fee). The calculated total funds to be paid to the whitehat and Immunefi, as well as the future vault balance, are also provided in this panel.
Once you have selected the assets that you would like to pay with, click the ‘Add assets to reward’ button. This will create an offer in the report page, which you can edit by clicking the ‘Edit reward’ button.
Once you have reviewed the offer and you are ready to pay, click the ‘Send reward’ button and confirm the payment with your chosen client (MetaMask or WalletConnect). When the transaction is completed, the report will automatically be changed to the ‘Paid’ status.
If, after the initial payment, you decide to submit another payment, you can do so using the same process listed above. You can also see the payout history for the report at the bottom of the ‘Payout’ tab on the report page.
Process for Removing Your Vault
If you would like to remove your vault, you should first withdraw all of the assets contained within. Once you have done so, reach out to one of our customer coordinators to let them know that you no longer wish to have a vault. We will then remove all mentions of your vault from Immunefi*.
*Note: Because vaults are smart contract entities, they can never be fully removed from the blockchain. We can only remove mentions of the vault from the Immunefi platform.