Bug Bounty
Protocol security is a top priority for Bonzo Finance Labs. To encourage responsible disclosure of vulnerabilities, a Bug Bounty Program exists with financial rewards based on the severity of the identified issues.
Within Scope
Bonzo Lend testnet & mainnet contracts and GitHub repository
Bonzo Lend testnet & mainnet interface
Bonzo Vaults mainnet contracts and GitHub repository
Single-Sided Staking contracts and GitHub repository
Out of Scope
Third-party contracts not directly associated with Bonzo Finance
Known issues from audits, bug bounty reports, or in-development fixes
Third-party applications which utilize Bonzo Finance contracts
Any findings that rely on Denial of Service (DoS) or Distributed Denial of Service (DDoS)
Rewards
The Bug Bounty program includes the following four-level severity scale, based on the OWASP risk rating methodology:
⚠️ Critical: Issues that could impact numerous users and have serious reputational, legal, or financial implications. An example would be being able to lock contracts permanently or take funds from all users.
🟥 High: Issues that impact individual users where exploitation would pose reputational, legal, or moderate financial risk to the user.
🟨 Medium: The risk is relatively small and does not pose a threat to user funds.
🟩 Informational: The issue does not pose an immediate risk but is relevant to security best practices.
Bonzo Finance Labs will determine rewards based on the bug's severity and its potential for exploitation. Rewards may be disbursed in USDC, various cryptocurrency assets, or a mix of both. Receipt of reward requires identity
Disclosure
Please report vulnerabilities to [email protected]. An acknowledgment will be sent within two to three business days if the issue identified qualifies. Do not disclose the bug publicly until it has been resolved and official notice has been provided by Bonzo Finance Labs, acting as an independent protocol development and operations steward for the Bonzo Finance Foundation.
A detailed report of a vulnerability increases the likelihood of a reward and may also increase the reward amount. Please provide as much information about the discovered vulnerability as possible, including:
A detailed description of the conditions required for reproducing the bug
Step-by-step guide or proof of concept for reproduction
Detailed explanation / reasoning of the potential consequences if exploited
Suggestions on how best to remediate the vulnerability (optional)
Anyone who reports a unique, previously unreported bug or vulnerability that results in a change to the codebase or configuration, AND who keeps such discovery confidential until it has been resolved, will be financially rewarded.
Eligibility
To be eligible for a reward under this program, you must meet the following conditions:
Uniqueness: Discover a previously unreported, non-public vulnerability that is not already known to the Bonzo Finance Labs or Bonzo Finance Foundation team(s) and is within the scope of the program.
First Disclosure: Be first to disclose the unique vulnerability to [email protected] and adhere to the program's disclosure requirements.
Detailed Reporting: Provide comprehensive information that enables core engineers to reproduce and remedy the vulnerability.
Non-Exploitation: Do not exploit the vulnerability in any form, including publicizing it or seeking other forms of profit, except under this program.
Non-Publication: Do not disclose the vulnerability to the public or any third party without our explicit approval.
Ethical Conduct: Provide best faith efforts to prevent privacy violations, data destruction, service interruption, and any degradation of in-scope assets.
Lawful Behavior: Do not engage in any unlawful conduct during the disclosure process, such as making threats, demands, or extortion of any kind.
Age Requirement: Must be at least 18 years of age; if younger, you may participate with the consent of a parent or guardian.
Legal Compliance: Cannot be subject to U.S. sanctions or reside in a U.S.-embargoed or sanctioned country.
Non-Affiliation: Cannot be a current or former employee, vendor, or contractor who contributed to the development of the affected code.
Complete Compliance: Must be in compliance with all other eligibility requirements specified in this program.
By meeting these criteria, you become eligible for a reward under the Bonzo Finance Bug Bounty Program ✨
Other Terms
By submitting a report, you grant Bonzo Finance Foundation the rights necessary to validate and resolve the vulnerability, either itself or through independent service providers. All reward decisions are made at Bonzo Finance Foundation's sole discretion. The program's terms may be changed at any time.
For questions about the bug bounty program, please contact [email protected].
Last updated