Security Researcher (SR) Reward Pool
Rewards are denominated in USD and distributed in ETH.
Rewards are distributed all at once after the competition has ended. No rewards are distributed during the competition.
The reward pool size is determined by the greatest condition met. If multiple conditions are met only the largest reward pool applies.
- If one or more Critical severity bugs are found: $1,500,000 USD
- If one or more High severity bugs are found: $900,000 USD
- If one or more Medium severity bugs are found: $500,000 USD
- If one or more Low severity bugs are found: $250,000 USD
- If only Insights are found (no valid bugs): $0 to $50,000 USD*
*The Insight-only pool depends on how many Insights are found:
If only 1 Insight is found, the maximum reward amount is $1,500
If 2-9 Insights are found, the Insight reward pool increases to $25,000
If 10+ Insights are found, the Insight reward pool increases to $50,000
More information about severities and Insight reports can be found in Immunefi's Severity Classification System.
Private known issues are considered valid.
Duplicates are not valid for this Attackathon.
Private known issues will unlock higher reward pools as though they were one severity level lower. For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a High severity bug being found.
The severity level of private known issues remains unchanged and SRs earn their portion of the reward pool and position on the leaderboard according to this unchanged severity level.
Public known issues are invalid, as usual.
Judging Criteria:
Since this Attackathon is unique in its scope and the code is running on mainnet, unique judging criteria apply: the focus is on actual impact to the Ethereum network as a whole. The same bug in one client will be evaluated differently from that bug in another client, based on the share of the network that runs the affected client (client diversity), which determines impact.
For example, the High impact `Shutdown of greater than or equal to 33% of network processing nodes without brute force actions, but does not shut down the network` must actually account for at least 33% of the whole Ethereum network. This impact therefore applies only if the affected client alone runs on at least 33% of the network, or if the vulnerability affects a combination of clients whose combined share is at least 33%. A bug cannot be judged as if the affected client were the only one, as though 100% of the network ran on it; what counts is the impact on the whole Ethereum network. For current client diversity figures please check http://clientdiversity.org.
Smaller shares are covered by the Medium impact `Shutdown of greater than or equal to 10% or equal to but less than 33% of network processing nodes without brute force actions, but does not shut down the network`, which accounts for a lower effect on the overall network.
Reward Pool Distribution Formula
SR rewards are earned based on the severity of each bug found, in a Sybil-resistant manner: the 0.9 ^ (NumberOfFinders - 1) factor shrinks the total points a bug is worth as the number of finders grows, so splitting one finding across several accounts earns less than reporting it once. NumberOfFinders is the number of SRs who validly reported the same bug, and the ChiefFinder bonus is awarded to one finder per bug on top of their share.
LowBugPoints = 0.9 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders
ChiefFinder_LowBugBonus = 0.1 * (0.9 ^ (NumberOfFinders - 1))
MediumBugPoints = 2.7 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders
ChiefFinder_MediumBugBonus = 0.3 * (0.9 ^ (NumberOfFinders - 1))
HighBugPoints = 8.1 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders
ChiefFinder_HighBugBonus = 0.9 * (0.9 ^ (NumberOfFinders - 1))
CriticalBugPoints = 32.4 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders
ChiefFinder_CriticalBugBonus = 3.6 * (0.9 ^ (NumberOfFinders - 1))
An SR's portion of the reward pool is equivalent to their percentage of all points earned.
Rewards for Insight Reports
If one or more Insights and at least one Critical, High, Medium, or Low severity bug is found, then the following percent of the reward pool is allocated to Insights:
- 1 - 4 unique bugs found = 10%
- 5 - 9 unique bugs found = 5%
- 10+ unique bugs found = 3%
Insight is not a selectable severity when submitting a report; Immunefi or the project team may designate a report as an Insight when applicable.
Insights are not intended to earn more than valid bugs, so in such cases where this would occur the percent of the reward pool allocated to Insights may be reduced at Immunefi’s discretion. The remaining portion of the reward pool is distributed according to the reward pool distribution formula.
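A worked computation of the distribution rules above (pool unlock, the point formula with its chief-finder bonus, the Insight-only pool and the Insight allocation), added here as an illustration; it is not Immunefi's own tooling and nothing in it is binding. The bug set, the SR handles, the choice of finders[0] as the chief finder, and the equal split of the Insight allocation among Insight reports are assumptions, since the page does not specify them.

```python
# Added worked example of the Attackathon reward distribution described on this page.
# Illustration only, not Immunefi's implementation. The sample bugs, SR handles,
# chief-finder choice and equal Insight split are assumptions.
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
POOL_USD = {"low": 250_000, "medium": 500_000, "high": 900_000, "critical": 1_500_000}
BASE_POINTS = {"low": 0.9, "medium": 2.7, "high": 8.1, "critical": 32.4}
CHIEF_BONUS = {"low": 0.1, "medium": 0.3, "high": 0.9, "critical": 3.6}
# Insight-only pools: (maximum Insight count, USD); 10+ Insights unlock the $50k pool.
INSIGHT_ONLY_POOL = [(1, 1_500), (9, 25_000), (10**9, 50_000)]


@dataclass
class Bug:
    severity: str
    finders: list            # SR handles; finders[0] is assumed to be the chief finder
    private_known: bool = False


def bug_points(severity, n_finders):
    """Per-finder points and the chief-finder bonus for one bug (the page's formula)."""
    decay = 0.9 ** (n_finders - 1)
    per_finder = BASE_POINTS[severity] * decay / n_finders
    return per_finder, CHIEF_BONUS[severity] * decay


def total_bug_points(severity, n_finders):
    """Total points one bug contributes; it shrinks as finders grow, which is the Sybil resistance."""
    per_finder, bonus = bug_points(severity, n_finders)
    return per_finder * n_finders + bonus


def pool_size(bugs, n_insights):
    """Largest pool whose unlock condition is met; a private known issue unlocks one level lower."""
    if not bugs:
        if n_insights == 0:
            return 0
        return next(usd for limit, usd in INSIGHT_ONLY_POOL if n_insights <= limit)
    best = 0
    for b in bugs:
        rank = SEVERITY_RANK[b.severity] - (1 if b.private_known else 0)
        for sev, r in SEVERITY_RANK.items():   # rank 0 (private known Low) unlocks nothing
            if r == rank:
                best = max(best, POOL_USD[sev])
    return best


def insight_share(n_unique_bugs, n_insights):
    """Fraction of the pool allocated to Insights when at least one valid bug exists."""
    if n_insights == 0 or n_unique_bugs == 0:
        return 0.0
    if n_unique_bugs <= 4:
        return 0.10
    if n_unique_bugs <= 9:
        return 0.05
    return 0.03


def distribute(bugs, insight_authors):
    """Return (pool_usd, points_by_sr, payout_usd_by_sr)."""
    pool = pool_size(bugs, len(insight_authors))
    insight_usd = pool if not bugs else pool * insight_share(len(bugs), len(insight_authors))
    bug_usd = pool - insight_usd
    points = defaultdict(float)
    for b in bugs:
        per_finder, bonus = bug_points(b.severity, len(b.finders))
        for sr in b.finders:
            points[sr] += per_finder
        points[b.finders[0]] += bonus            # chief-finder bonus, assumed to go to finders[0]
    total = sum(points.values())
    payout = {sr: bug_usd * p / total for sr, p in points.items()} if total else {}
    for sr in insight_authors:                  # assumption: Insight allocation split equally per report
        payout[sr] = payout.get(sr, 0.0) + insight_usd / len(insight_authors)
    return pool, dict(points), payout


EXAMPLE_BUGS = [                                 # constructed sample, not real findings
    Bug("critical", ["alice"]),
    Bug("high", ["bob", "carol"]),               # bob is the chief finder
    Bug("low", ["alice"]),
]
EXAMPLE_INSIGHTS = ["dave", "erin"]              # one Insight report each

if __name__ == "__main__":
    pool, pts, pay = distribute(EXAMPLE_BUGS, EXAMPLE_INSIGHTS)
    print(f"pool ${pool:,}")
    for sr in sorted(pay):
        print(f"{sr:6} {pts.get(sr, 0.0):7.3f} pts  ${pay[sr]:>14,.2f}")
    # Sybil check: one Critical reported once vs. the same bug split across two accounts
    print(total_bug_points("critical", 1), total_bug_points("critical", 2))
```

Running it shows the three valid bugs unlocking the $1.5M pool, 10% of it going to the two Insight reports, and the rest split by points (alice 37.0, bob 4.455, carol 3.645). The Sybil comparison at the end shows a Critical worth 36 points when reported by one account but only 32.4 points in total when split across two, so colluding accounts lose points rather than gain them.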
Final Notes
- More information about severities and Insight reports can be found in Immunefi's Severity Classification System.
- SRs may provide more info to upgrade the severity of their bug reports until the Audit Competition ends.
- If a bug found during the event requires an immediate fix, it will be considered a publicly known issue as soon as the fix is deployed. Future submissions of the same bug will be considered invalid.
- Rewards will be distributed all at once after the Audit Competition has ended. No rewards are distributed during the Audit Competition.
- Audit Competition reward distribution terms may change at Immunefi’s discretion to prevent unintended results and abuse by not-so-SRs.