Security

If you found any potential issue in any of our smart contracts or in any piece of code you consider critical for the safety of the protocol, please contact us through [email protected].

Audits

Different formal verification processes and manual security audits have been performed along the way during Mimic's development process. The audit process involves a comprehensive analysis of the smart contracts, system architecture, and overall implementations to identify any potential vulnerabilities or weaknesses. The audit results provide valuable insights and recommendations to further enhance the protocol’s security measures and strengthen its resilience against potential attacks or vulnerabilities.

Bug Bounty

A bug bounty for the smart contracts of Mimic Finance will be live once the external audit has finished. We intend for hackers to look for smart contract vulnerabilities in our system that can lead to loss of funds or locked components.

Rewards

Vulnerability reports will be scored using the CVSS v3 standard. The reward amounts for different types of vulnerabilities are:

  • Critical – $5,000 - $25,000 (CVSS 9.0 - 10.0)

  • Major – $2,500 - $5,000 (CVSS 7.0 - 8.9)

  • Medium – $1,000 - $2,500 (CVSS 4.0 - 6.9)

  • Low – $500 - $1,000 (CVSS 1.0 - 3.9)

Rewards will be awarded at the sole discretion of Mimic Finance. The quality of the report and reproduction instructions can affect the reward amount. Rewards are denominated in USD and can be paid out in USDC, USDT, DAI, or ETH. For this initial bug bounty program, there will be a maximum bounty pool of $200,000.

Reporting

Please responsibly disclose any findings to the security team. If you found any potential issue in any of our smart contracts or in any piece of code you consider critical for the safety of the protocol, please contact us through [email protected].

Failure to do so will result in a finding being ineligible for any bounties.

Scope

In scope for the bug bounty are all the smart contract components of Mimic Finance. These can be found in the following repositories:

  • v3 core

    • Any Solidity smart contract, excluding test components or mocks

    • Excluding test files

  • v3 deployments

    • Any deployment task or configuration

    • Excluding test files

We consider out of scope for this bug bounty any frontend applications or client-side code interacting with the contracts, as well as testing code. Mismatched or outdated spec documents are also not considered part of the scope.

Areas of interest

These are some examples of vulnerabilities that would be of interest:

  • Locking or freezing any core component or smart vault

  • Being able to manipulate permissions to perform undesired actions

  • Stealing or locking funds from a smart vault

Eligibility

Terms for eligible bounties:

  • Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first report will be awarded the bounty.

  • Public disclosure of the vulnerability, before explicit consent from Mimic to do so, will make the vulnerability ineligible for a bounty.

  • Attempting to exploit the vulnerability in a public blockchain will also make it ineligible for a bounty.
