Bug Bounty
Community engagement incentives

Bug Bounties

This bug bounty program exists to engage the technically savvy community and incentivize its members when they contribute to hardening the security of the smart contract, preventing the potential loss of user funds and the disruption of the overall system.

To submit a bug, please follow the bug submission process on the SteakBank bug bounty page.

Smart Contracts and Blockchain
Critical USD 10,000
High USD 6,500
Medium USD 3,500
Low USD 1,000
Payouts are handled directly by the SteakBank team and are denominated in USD. However, they are paid out in BUSD or SBF.
Assets in Scope
Prioritized vulnerabilities
We are especially interested in receiving and rewarding vulnerabilities of the following types:
Smart Contracts and Blockchain
    Logic errors
      including user authentication errors
    Solidity/EVM details not considered
      including integer over-/under-flow
      including unhandled exceptions
    Trusting trust/dependency vulnerabilities
      including composability vulnerabilities
    Oracle failure/manipulation
    Novel governance attacks
    Economic/financial attacks
      including flash loan attacks
    Congestion and scalability
      including running out of gas
      including block stuffing
      including susceptibility to frontrunning
    Consensus failures
    Cryptography problems
      Signature malleability
      Susceptibility to replay attacks
      Weak randomness
      Weak encryption
    Susceptibility to block timestamp manipulation
    Missing access controls / unprotected internal or debugging interfaces
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
All Programs
    Attacks that the reporter has already exploited themselves, leading to damage
    Attacks requiring access to leaked keys/credentials
    Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
    Incorrect data supplied by third party oracles
      This does not exclude oracle manipulation/flash loan attacks
    Basic economic governance attacks (e.g. 51% attack)
    Lack of liquidity
    Best practice critiques
    Sybil attacks
The bug bounty program prohibits the following activities:
    Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
    Any testing with pricing oracles or third party smart contracts
    Attempting phishing or other social engineering attacks against our employees and/or customers
    Any testing with third-party systems and applications (e.g., browser extensions) as well as websites (e.g., SSO providers, advertising networks)
    Any denial of service attacks
    Automated testing of services that generates significant amounts of traffic
    Public disclosure of an unpatched vulnerability in an embargoed bounty