The ImmuneFi Bug Bounty programme aims to strengthen Euler’s security while boosting collaboration with the greater DeFi ecosystem as part of our insurance partnership with Sherlock Protocol.
Euler is kicking off a $1 million bug bounty programme with ImmuneFi as part of our $10 million insurance partnership with Sherlock Protocol.
This initiative will center on covering our smart contracts and incentivise ethical reporting of potential security vulnerabilities or exploits. The new bug bounty programme will go hand-in-hand with Sherlock’s $10 million smart contract coverage to advance the security of Euler.
The Euler team benefits greatly from Sherlock’s skilled security team (Watsons) and their experienced leadership as part of the first cohort of protocols during Sherlock’s guarded launch. Sherlock is a risk management platform built on Ethereum and designed to keep end users protected by providing affordable and scalable coverage to protocols.
ImmuneFi is the leading bug bounty platform that has already paid out over $10 million in bounties, having prevented over $20 billion in potential losses with around $78 million worth of bounties currently available. ImmuneFi is trusted by a number of DeFi protocols including The Graph, Nexus Mutual, Olympus and many others.
The bug bounty program will only cover the following exploits and focuses wholly on smart contract vulnerabilities:
- Loss of user funds staked (principal) by freezing or theft
- Loss of governance funds
- Theft of unclaimed yield
- Freezing of unclaimed yield
- Temporary freezing of funds for more than 1 week
- Unable to call smart contract
- Smart contract gas drainage
- Smart contract fails to deliver promised returns
- Vote manipulation
- Incorrect polling actions
Bug Bounty Reward Distribution
The breakdown of the rewards is in accordance with ImmuneFi’s distribution criteria for the impact of the vulnerability; see here for more details.
Threat Level and reward distribution:
Critical: Up to USD 1,000,000 (sponsored by Sherlock)
High: USD 25,000
Medium: USD 5,000
Low: USD 1,000
All Medium, High and Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. All Low Smart Contract bug reports require a suggestion for a fix to be eligible for a reward.
Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 50,000.
Sherlock will only pay critical bounties for critical bugs that would result in a loss of funds and can be executed profitably; this excludes Sherlock critical bounty payouts for temporary-freezing bugs.
Payouts up to USD 50,000 are handled directly by the Euler team; they are denominated in USD but paid in USDC. For payments above that amount, the remainder is paid out by Sherlock through their bug bounty matching programme, also in USDC.
Eligibility & Out of Scope
Only certain exploits and vulnerabilities related to Euler smart contracts are eligible for a reward. Additionally, only assets covered in the ‘Assets in Scope’ Table are considered as in-scope of the bug bounty program. The Assets in Scope Table can be found here.
The following vulnerabilities are not eligible for a reward:
- Anything that involves a malicious or illiquid token being promoted from isolation tier (the default ‘safe’ tier on Euler) to cross or collateral tier (where there are many more potential attack vectors). We assume governance is responsible for blocking promotion up the tiers.
- Tokens exhibiting non-standard ERC20 behaviour that only affects holders of that token and does not impact any other assets managed by Euler (e.g., a transfer function that fails to update users’ balances).
- Oracle failure/manipulation of the form described here: https://github.com/euler-xyz/uni-v3-twap-manipulation (e.g., manipulation of the Uniswap pools from which we derive the time-weighted average price (TWAP)).
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Attacks that require an illiquid/malicious token to be promoted from isolation tier to cross or collateral tier (governance is responsible for preventing this; see definitions here: https://docs.euler.finance/getting-started/white-paper#asset-tiers)
- Uniswap v3 TWAP oracle manipulation attacks of the form described here: https://github.com/euler-xyz/uni-v3-twap-manipulation
- Basic economic governance attacks (e.g. 51% attack)
- Tokens exhibiting non-standard ERC20 behaviour that only affects holders of that token and does not impact any other assets managed by Euler (e.g., malicious transfer functions or malicious transferFrom functions in the ERC-20 token contract). Such attacks caused by malicious tokens are considered out of scope.
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
For more information and details about the programme, please visit ImmuneFi’s Euler page and check out their Twitter announcement.
About ImmuneFi
Immunefi is Web3’s leading bug bounty platform, protecting $100 billion in user funds. Focusing on Web3 and smart contract security, ImmuneFi provides bug bounty hosting, consultation, bug triaging, and program management services to blockchain and smart contract projects.
Check out their site, follow them on Twitter, Discord, Medium, and YouTube.
About Euler
Euler is a capital-efficient permissionless lending protocol that helps users to earn interest on their crypto assets or hedge against volatile markets without the need for a trusted third-party. Euler features a number of innovations not seen before in DeFi, including permissionless lending markets, reactive interest rates, protected collateral, MEV-resistant liquidations, multi-collateral stability pools, sub-accounts, risk-adjusted loans and much more. For more information, visit euler.finance.
Join the Community
Follow us on Twitter. Join our Discord. Keep in touch on Telegram (community, announcements). Check out our website. Connect with us on LinkedIn.