Security Researcher (SR) Reward Pool

Rewards are denominated in USD and distributed in USDC on Ethereum.

Rewards are distributed all at once after the competition has ended. No rewards are distributed during the competition.

The reward pool is $30,000 USD if any bug is found.

If not a single bug is found (Insights do not count as bugs) the reward pool is $15% of 30k Rewards.

More information about severities can be found in Immunefi's Severity Classification System.

Reward Pool Distribution Formula

Audit Competition:

SR rewards are earned based on the severity of each bug found, in a Sybil-resistant manner.

The chief finder of each bug earns bonus points (worth 10% of that bug’s rewards). The chief finder is the first person to prove the greatest severity level of the bug.

LowBugPoints = 0.9 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders

ChiefFinder_LowBugBonus = 0.1 * (0.9 ^ (NumberOfFinders - 1))

MediumBugPoints = 2.7 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders

ChiefFinder_MediumBugBonus = 0.3 * (0.9 ^ (NumberOfFinders - 1))

HighBugPoints = 8.1 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders

ChiefFinder_HighBugBonus = 0.9 * (0.9 ^ (NumberOfFinders - 1))

CriticalBugPoints = 32.4 * (0.9 ^ (NumberOfFinders - 1)) / NumberOfFinders

ChiefFinder_CriticalBugBonus = 3.6 * (0.9 ^ (NumberOfFinders - 1))

A SR’s portion of the reward pool is equivalent to their percentage of all points earned.

Rewards for Insight Reports

Audit Competition:

If one or more Insights and at least one Critical, High, or Medium severity bug is found then the following percent of the reward pool is allocated to Insights:

• 1 - 3 unique bugs found = 7%
• 4 - 9 unique bugs found = 5%
• 10+ unique bugs found = 3%

If only Insights [no valid bugs] are found, then the reward that is unlocked is 15% of the reward pool and is fully distributed among those Insights.

It's not an option to select the Insight severity when submitting a report. The Immunefi or project team may designate the severity of ‘Insight’ when applicable.

Insights are not intended to earn more than valid bugs, so in such cases where this would occur the percent of the reward pool allocated to Insights may be reduced at Immunefi’s discretion. The remaining portion of the reward pool is distributed according to the reward pool distribution formula.

Duplicates of Insight reports are not eligible for a reward. 

Final Notes

• More information about severities and Insight reports can be found in Immunefi's Severity Classification System.
  
  
• SRs may provide more info to upgrade the severity of their bug reports until the Audit Competition ends.

• If a bug found during the event requires an immediate fix, it will be considered a publicly known issue as soon as the fix is deployed. Future submissions of the same bug will be considered invalid. 

• Rewards will be distributed all at once after the Audit Competition has ended. No rewards are distributed during the Audit Competition.

• Audit Competition reward distribution terms may change at Immunefi’s discretion to prevent unintended results and abuse by not-so-SRs.