Congratulations, your report was confirmed and payment is being processed!
Often, projects pay out rewards in USDC, or a highly liquid asset such as ETH. But what happens when the project specifies in its bug bounty program (BBP) that payouts are done in their own project token? Here are some considerations and scenarios that you may face when being paid in a project token.
Do I get to decide what type of token I am paid with?
No, projects get to determine their own payout terms which are stated in their BBP. With that being said, you are still responsible for determining if the payout value meets the requirements BEFORE accepting payment.
When paid with a project token, will my payout amount (in USD) be different from the amount shown on the BBP?
No, it should not differ. If the calculated reward value proposed by the project deviates at all from the stated value of the rewards table in the bug bounty program, you should insist that the reward value is an accurate reflection of what is stated in the BBP.
To assess the reward value, an average price is determined across two different known data points, CoinGecko and CoinMarketCap. The final amount of tokens, when multiplied by the average price, should match the bounty’s reward value in USD.
For example: if the reward value stated on the BBP is $10,000, and the token average price is $1.21 USD, then the final amount of tokens sent should be 8,264.46280992 units or as close to that as possible.
If you notice a difference between what the project is sending you and the stated $ value of the bounty, you should contact Immunefi immediately for help on your bug report, and also report the discrepancy in the BBP using this form.
Can projects pay me in a token with low or no liquidity? What should I do if they do?
No, projects can’t pay you in a token that has no liquidity, or liquidity so low that it cannot be exchanged for equivalent cash value. Immunefi has liquidity requirements that must be met for projects wanting to do payouts in their own token.
If you see ANY project listing payouts in a token that has low or no liquidity, you should report it using this form. If this is happening in an open bug report, contact Immunefi immediately to help mediate the situation. You can require the project to pay in stablecoin or another more liquid asset.
Remember, you are responsible for ensuring that the project token meets the liquidity requirement BEFORE accepting payment.
How is low liquidity for a token determined? What are the requirements?
Immunefi has the following liquidity requirements for projects that want to do payouts in their native token:
- The maximum bounty reward on the project's bug bounty program must not exceed 5 times the 30-day average of 24-hr trading volumes of the token on CoinGecko.
  - For example, if the maximum bounty reward is $5M, the token's 24-hr trading volume, averaged over the last 30 days, must be at least $1M.
- If the token meets this requirement, then the token has sufficient liquidity and can be used to pay the reward.
- If the token does not meet this requirement, then the token has insufficient liquidity and you should ask for the project to pay in a stablecoin or a more liquid asset. Request assistance on your bug report if you need to.
The project paid me in a token which does not have enough liquidity, but I’ve already accepted payment. What can I do?
Unfortunately, you must bring the matter to attention via mediation before accepting the payment.
To accept payment, the project must confirm with you:
1. that your wallet address is correct.
2. that the severity & reward amount are agreed upon.
If you have not yet confirmed both of those things, and you encounter an issue with liquidity, you can ask the project to adjust payment as necessary, or pay with a more liquid token or stablecoin. If negotiations are not moving forward productively, request Immunefi’s help in the bug report.
The project paid me in their token, but privately asked me not to swap more than X amount per day/week/month. Should I follow their recommendation?
Once you’ve received the payment, it is yours to do with as you wish. You are not required to follow any recommendations on what to do with the payment.
I was paid with a project token with a mandatory swap fee/tax that reduces my payout amount. What should I do?
You should request help in the bug report before accepting payment in this case.