Security is our highest priority. Our team has created a protocol that we believe is safe and dependable, and is audited by OpenZeppelin, Peckshield, and Certora. All smart contract code is publicly verifiable and we have a bug bounty for undiscovered vulnerabilities.
We encourage our users to be mindful of risk and only use funds they can afford to lose. Options are complex instruments that when understood correctly can be powerful hedges. Smart contracts are still new and experimental technology. We want to remind our users to be optimistic about innovation while remaining cautious about where they put their money.
Opyn's smart contracts have been audited by OpenZeppelin and Peckshield, and formally verified by Certora.
****Certora Formal Verification Report
Security is one of our highest priorities, and while Opyn's smart contracts have been rigorously tested and audited, there may still be undiscovered vulnerabilities with this new technology. We encourage and value the community's input in helping us discover vulnerabilities and responsibly disclosing them.
This program is limited to the vulnerabilities affecting the Gamma Protocol. Submissions should be based off this commit hash (752c5c336f28459a9d5ae14cae123e8e47b7b02f).
The following ineligible findings are not in the scope of the program:
- Bugs in Callee Contracts in the Gamma Protocol repo
- Bugs in any third party contract or platform that interacts with Gamma
- Vulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:
- Front end bugs
- DDOS attack
- Spamming
- Findings related to non-standard ERC20 tokens might be ineligible as many vulnerabilities might be inserted in non-standard ERC20 tokens on purpose for applying for this bug bounty.
- Exploiting the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
- Duplicate vulnerabilities: Only the first reporter will be rewarded (in compliance with the disclosure requirements)
- Findings already known as part of a formal audit or are marked on the repo as issues.
Severity of bugs will be assessed under the CVSS Risk Rating scale, as follows:
- Critical (9.0-10.0): Up to $100,000
- High (7.0-8.9): Up to $40,000
- Medium (4.0-6.9): Up to $5,000
- Low (0.1-3.9): Up to $1,000
In addition to assessing severity, rewards will be considered based on the impact of the discovered vulnerability as well as the level of difficulty in discovering such vulnerability.
Prior to the deployment of Gamma to the Ethereum mainnet, successful bug reporters will receive a 20% bonus on their bounty pay out. This is to help drive security efforts in the lead up to launch.
Any vulnerability or bug discovered must be reported only to the following email: security@opyn.co, must not be disclosed publicly, must not be disclosed to any other person, entity or email address prior to disclosure to the security@opyn.co email, and must not be disclosed in any way other than to the security@opyn.co email. In addition, disclosure to security@opyn.co must be made promptly following discovery of the vulnerability. Please include as much information about the vulnerability as possible, including:
- The conditions on which reproducing the bug is contingent.
- The steps needed to reproduce the bug or, preferably, a proof of concept.
- The potential implications of the vulnerability being abused.
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution, if agreed.
All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The terms and conditions of this program may be altered at any time.