Router Protocol Announces Bug Bounty In Cooperation with ImmuneFi

The Router Protocol team is proud to announce a major bug bounty in cooperation with Immunefi, one of the world's leading teams for testing and securing web3 protocols. The bounty, which is live as of today, rewards up to $200k for critical smart contract issues that fall within the defined scope of the bounty program.

The program can be accessed here: https://immunefi.com/bounty/router/

The program went live for the Router Protocol testnet and will be extended to the mainnet of Router Protocol once it goes live. This article will highlight the scope of vulnerabilities that this bug bounty is attempting to uncover.

What is Immunefi?

Motivation

As such, the reviews conducted throughout this bounty will be far more robust than those of an auditing company, and therefore far more valuable to the protocol.

Bounty Program Overview

  • Theft and freezing of principal of any amount
  • Theft and freezing of unclaimed yield of any amount
  • Theft of governance funds
  • Governance activity disruption
  • Product App goes down
  • Access to sensitive pages without authorization
  • Economic attacks of any kind

The rewards for detecting any issue within this scope will vary based on the severity of the bug. The severity will be determined by the Immunefi vulnerability severity classification system, a simplified 5-level scale. The rewards are as follows:

Smart Contracts and Blockchain

  • High: USD 25,000
  • Medium: USD 5,000
  • Low: USD 1,000

Website and Apps

  • High: USD 3,000
  • Medium: USD 1,500
  • Low: USD 500

To qualify for a reward, submissions must be made directly through Immunefi. The bug bounty program page and the submission form are at the following link:

Submit bugs: https://www.immunefi.com/bounty/router.

The rules of the bug bounty program are also listed at the above link. Among them: submissions must come with a PoC and (for medium severity or higher) must come with a suggested fix. All payments will be handled via Immunefi and paid by the Router team in ETH, USDT, or ROUTE at the team's discretion. Payments above $25,000 will be paid in $ROUTE only and will be limited to 10% of the potential economic damage.

Rules

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation/flash loan attacks)
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing / text injection issues
  • Self-XSS
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP security headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly")
  • Server-side information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Attacks requiring privileged access from within the organization
  • Feature requests
  • Best practices
  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Conclusion

As this is a competitive, public bounty, only the first person to report a given bug will be considered for a reward. However, hackers can submit multiple reports for different bugs. We do ask that any bugs found are kept confidential until the team has had adequate time to address the underlying vulnerabilities.

Additional information is available in the bug bounty program, located at https://www.immunefi.com/bounty/router.

About Router Protocol

Router Protocol is building a suite of cross-chain liquidity infra primitives that aims to seamlessly provide bridging infrastructure between current and emerging Layer 1 and Layer 2 blockchain solutions.

Website: https://routerprotocol.com/

Telegram: https://t.me/routerprotocol

Discord: https://discord.gg/yjM2fUUHvN

Twitter: https://twitter.com/routerprotocol

Litepaper: https://routerprotocol.com/assets/docs/Router-Litepaper.pdf

Telegram announcements: https://t.me/router_ann

LinkedIn: https://www.linkedin.com/company/router-protocol

The best crosschain liquidity aggregator