Security Researcher (SR) Reward Pool
This Audit Competition is running on mainnet. The following conditions apply:
- The Lombard team will freeze the codebase for the duration of the Audit Competition.
- Duplicates are rewarded.
Rewards are denominated in USD and distributed in USDC on ETH.
Rewards are distributed all at once after the competition has ended. No rewards are distributed during the competition.
The reward pool size is determined by the greatest condition met. If multiple conditions are met, only the largest reward pool applies.
- If one or more Critical severity bugs are found, the reward pool will be $100,000 USD
- If one or more High severity bugs are found, the reward pool will be $75,000 USD
- If one or more Medium severity bugs are found, the reward pool will be $35,000 USD
- Otherwise, the reward pool will be $20,000 USD
More information about severities and Insight reports can be found in Immunefi's Severity Classification System.
Private known issues and duplicates are considered valid.
Private known issues will unlock higher reward pools as though they were one severity level lower. For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a High severity bug being found.
The severity level of private known issues remains unchanged and SRs earn their portion of the reward pool and position on the leaderboard according to this unchanged severity level.
Public known issues are invalid as normal.
- If a bug found during the event requires an immediate fix, then that bug will be considered a publicly known issue as soon as the fix is deployed. Future submissions of the same bug will be considered invalid.
Private known issues and duplicates are considered valid.
Private known issues will unlock higher reward pools according to their severity level without any downgrade. For example, a Critical severity bug which was a private known issue would unlock the reward pool conditional on a Critical severity bug being found.
Public known issues are invalid as normal.
Reward Pool Distribution Formula
SR rewards are earned based on the severity of each bug found, in a Sybil-resistant manner.
The chief finder of each bug earns bonus points (worth 10% of that bug’s rewards). The chief finder is the first person to prove the greatest severity level of the bug.
LowBugPoints = 0.9 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders
ChiefFinder_LowBugBonus = 0.1 * (0.9 ^ (NumberOfFinders - 1))
MediumBugPoints = 2.7 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders
ChiefFinder_MediumBugBonus = 0.3 * (0.9 ^ (NumberOfFinders - 1))
HighBugPoints = 8.1 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders
ChiefFinder_HighBugBonus = 0.9 * (0.9 ^ (NumberOfFinders - 1))
CriticalBugPoints = 32.4 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders
ChiefFinder_CriticalBugBonus = 3.6 * (0.9 ^ (NumberOfFinders - 1))
An SR’s portion of the reward pool is equivalent to their percentage of all points earned.
Rewards for Insight Reports
If one or more Insights and at least one Critical, High, or Medium severity bug are found, then the following percent of the reward pool is allocated to Insights:
- 1 - 3 unique bugs found = 10%
- 4 - 9 unique bugs found = 5%
- 10+ unique bugs found = 3%
If only Insights [no valid bugs] are found, then the reward pool is distributed at Immunefi’s discretion.
It's not an option to select the Insight severity when submitting a report. The Immunefi or project team may designate the severity of ‘Insight’ when applicable.
Insights are not intended to earn more than valid bugs, so where this would occur, the percent of the reward pool allocated to Insights may be reduced at Immunefi’s discretion. The remaining portion of the reward pool is distributed according to the reward pool distribution formula.
Duplicates of Insight reports are not eligible for a reward.
KYC Terms
Lombard will be requesting KYC information in order to pay for valid bug submissions. The following information will be required:
- Full name
- Date of birth
- Proof of address (either a redacted bank statement with address or a recent utility bill)
- Copy of Passport or other Government issued ID
Final Notes
- More information about severities and Insight reports can be found in Immunefi's Severity Classification System.
- SRs may provide more info to upgrade the severity of their bug reports until the Audit Competition ends.
- If a bug found during the event requires an immediate fix, it will be considered a publicly known issue as soon as the fix is deployed. Future submissions of the same bug will be considered invalid.
- Rewards will be distributed all at once after the Audit Competition has ended. No rewards are distributed during the Audit Competition.
- Audit Competition reward distribution terms may change at Immunefi’s discretion to prevent unintended results and abuse by not-so-SRs.