Bug Bounty Program

Introduction

The security of Sperax’s USDs and Demeter users is paramount. The engineering team and our auditors have invested significant time and resources to ensure that USDs and Demeter are secure and dependable. The USDs and Demeter smart contracts are publicly verifiable, and the details and statistics of circulating supply, underlying collateral, collateral strategies, farms, etc. are publicly available.

On 1st March 2024 we are launching our bug bounty program. Security researchers who fulfil the eligibility criteria set out in this document are eligible for a bounty for reporting previously undiscovered vulnerabilities. The Program aims to incentivize responsible disclosure and enhance the security of the USDs protocol and Demeter.

Bug Bounty Program

Security is one of our core values. We value the input of hackers acting in good faith to help us maintain the highest standard for the security and safety of the Sperax ecosystem. The USDs protocol and Demeter, while they have been professionally audited, depend on new technology that may contain undiscovered vulnerabilities.

The Sperax team encourages the community to audit our contracts and security. We also encourage the responsible disclosure of any issues. This program is intended to recognize the value of working with the community of independent security researchers. It sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

Scope

The Program covers vulnerabilities and bugs in the USDs protocol and Demeter core contracts, located in the GitHub repositories at https://github.com/Sperax/USDs-v2/tree/main/contracts and https://github.com/Sperax/Demeter-Protocol-Contracts. This list may change as new contracts are deployed or existing contracts are removed from usage.

The following are not within the scope of the Program:

  1. Bugs in any third-party contract or platform that interacts with the USDs protocol;

  2. Vulnerabilities related to domains, DNS, or servers of websites;

  3. Vulnerabilities already reported or discovered in contracts built by third parties on USDs;

  4. Any already-reported bugs or other vulnerabilities;

  5. Test contracts and staging servers, unless the discovered vulnerability also affects the USDs protocol or could otherwise be exploited in a way that risks user funds.

Disclosure

Researchers must submit all bug bounty disclosures through the Google form linked here. The disclosure must include clear and concise steps to reproduce the discovered vulnerability, in written or video format. The Sperax team will follow up promptly with an acknowledgment of the disclosure.

Terms and Conditions

To be eligible for a reward under this Program, you must:

  • Discover a previously unreported, non-public vulnerability within the scope of this Program. Vulnerabilities must be distinct from the issues covered in the previously conducted publicly available audits.

  • Include sufficient detail in your disclosure to enable our engineers to quickly reproduce, understand, and fix the vulnerability.

  • Be the first to disclose the unique vulnerability to the Team, in accordance with the disclosure requirements in this document. If similar vulnerabilities are reported, only the first submission will be rewarded (if determined valid and otherwise within the scope of this Program).

  • Be reporting in an individual capacity or, if employed by a company, with the company’s written approval to submit a disclosure to Sperax.

  • Not be a current or former Sperax team member, vendor, contractor, or employee of a SperaxDAO vendor or contractor.

  • Not be subject to any international, national, or state-level sanctions.

  • Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.

  • Not exploit the vulnerability in any way, including by making it public or obtaining a profit (other than a reward under this Program). Any publicity in any way, whether direct or indirect, relating to any bug or vulnerability will automatically disqualify it and you from the Program.

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attacks, we require that you:

  • Play by the rules, including following the terms and conditions of this program and any other relevant agreements. If there is any inconsistency between this program and any other relevant agreements, the terms of this program will prevail.

  • Report any vulnerability you’ve discovered promptly.

  • Make a good faith effort to avoid privacy violations, data destruction, harming user experience, interruption, or degradation of the Sperax ecosystem and services.

  • Use only the Google form to submit vulnerabilities to us.

  • Keep the details of any discovered vulnerabilities confidential until they are fixed.

  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.

  • Not submit a separate vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.

  • Only interact with accounts you own or with explicit permission from the account holder.

  • Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.

When working with us according to this program, you can expect us to:

  • Pay generous rewards for eligible discoveries, based on the severity and exploitability of the discovery, at the Sperax team's sole discretion.

  • Extend Safe Harbor for your vulnerability research related to this program, meaning we will not threaten or bring any legal action against anyone who makes a good faith effort to comply with our bug bounty program.

  • Work with you to understand and validate your report, including a timely initial response to the submission.

  • Work to remediate discovered vulnerabilities promptly.

  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

All reward determinations, including eligibility and payment amount, are made at Sperax’s sole discretion. The Sperax team reserves the right to reject submissions and to alter the terms and conditions of this program.

Rewards

Sperax Treasury offers rewards for discoveries that can prevent the loss of assets, the freezing of assets, or harm to a user, commensurate with the severity and exploitability of the vulnerability. Sperax Treasury will pay rewards of $500 to $15,000 for eligible discoveries according to the terms and conditions set out in this document.

The Team evaluates all submissions on a case-by-case basis. Rewards are allocated based on the severity of the issue, and other variables, including, but not limited to a) the quality of the issue description, b) the instructions for reproducibility, and c) the quality of the fix (if included). A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Therefore, please provide as much information about the vulnerability as possible.

The Program follows an approach similar to the Ethereum Bug Bounty: the severity of each issue is rated according to the OWASP Risk Rating model, which combines the “Impact” and “Likelihood” of the issue. The scoring, however, remains at the sole discretion of the Sperax team.

All rewards are paid in SPA and xSPA tokens with a 50-50 split (15-day TWAP) via a transfer to the wallet address provided by the participant to the Team. As a condition of participating in this Program, the participants give the Sperax Team permission to share their wallet addresses and other information provided by them to third parties to administer this Program and comply with applicable laws, regulations, and rules.

The reward amount, paid in SPA and xSPA as described above, is determined by the severity of the issue according to the following scheme:

  • Note = Up to 100 US dollars

  • Very low = Up to 500 US dollars

  • Low = Up to 1,000 US dollars

  • Medium = Up to 2,500 US dollars

  • High = Up to 5,000 US dollars

  • Very High = Up to 10,000 US dollars

  • Critical = Up to 15,000 US dollars

Other terms

The decisions made regarding rewards are final and binding.

By submitting your report, you grant the Company all rights, including without limitation intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and how such rewards will be paid, are made at the Company's sole discretion.

Terms and conditions of the Program may be altered at any time. The Company may change or cancel this Program at any time, for any reason.

Last updated