The Router Protocol team is proud to announce a massive bug bounty in cooperation with Immunefi — one of the leading teams of testing and securing web3 protocols in the world. The bounty, which is live as of today, rewards up to $200k for critical smart contract issues that fall within the defined scope of the bounty program.
The program can be accessed here : https://immunefi.com/bounty/router/
The program went live for the Router Protocol testnet and will be extended to the mainnet of Router Protocol once it goes live. This article will highlight the scope of vulnerabilities that this bug bounty is attempting to uncover.
What is Immunefi?
Before delving into the details of this specific bounty, we want to take a moment to underscore the great work that Immunefi is doing in the DeFi space. Immunefi is the leading bug bounty platform in all of web3 and is comprised of white hat hackers that review all vulnerabilities a project has. The process of ethical hacking is meant to detect these bugs safely, with the “white hat” actors revealing all possible bugs and vulnerabilities to developers to fix before the apps go live on the mainnet. Immunefi has saved over $1B of users’ funds from various exploits, and as a result — their team has earned over $3M in bounties. Massive protocols and blockchain-based companies such as Binance, Chainlink, The Graph, Yearn Finance, Compound, and Synthetix have utilized Immunefi’s services.
Audits alone are not sufficient for DeFi protocols. As the countless exploits and hacks have made obvious, even audited projects can suffer from attacks and lose funds. By engaging in a bug bounty with the leading platform globally, we are not only engaging a single auditing firm but rather an entire community of whitehat hackers all competing for the top prize of $200k. To be on the safer side, we have already engaged multiple audit firms to audit the protocol.
As such, the reviews conducted throughout this bounty will be far more robust than that of an auditing company, and therefore far more valuable to the protocol.
Bounty Program Overview
The bug bounty program covers the smart contracts and application of the router protocol, and is focused on preventing the following:
- Thefts and freezing of principle of any amount
- Thefts and freezing of unclaimed yield of any amount
- Theft of governance funds
- Governance activity disruption
- Product App goes down
- Access to sensitive pages without authorization
- Economic attacks of any kind
The rewards for detecting any issue within this scope will vary based on the severity of the bug. The severity will be determined by the Immunefi vulnerability severity classification system — a simplified level 5 scale. The rewards are as follows:
Smart Contracts and Blockchain
Critical Up to USD 200,000
High USD 25,000
Medium USD 5,000
Low USD 1,000
Website and Apps
Critical USD 5,000
High USD 3,000
Medium USD 1,500
Low USD 500
To qualify for a reward, submissions must be submitted directly to Immunefi, and go to this link to see the bug bounty program and submit bugs:
Submit bugs: https://www.immunefi.com/bounty/router.
Also, rules of the bug bounty program are at the above link, such as submissions must come with PoC and (for medium severity or higher) must come with a suggested fix. All payments will be handled via Immunefi, and then paid by the Router team and will be paid in ETH, USDT, or ROUTE at the team’s discretion. Payments above $25000 will be paid in $ROUTE only and will be limited to 10% of the potential economic damage.
As is a part of every bounty program, some rules apply. Certain vulnerabilities are excluded from the rewards program:
Attacks that the reporter has already exploited themselves, leading to damage
● Attacks requiring access to leaked keys/credentials
● Attacks requiring access to privileged addresses (governance, strategist)
● Incorrect data supplied by third party oracles
● Not to exclude oracle manipulation/flash loan attacks
● Basic economic governance attacks (e.g. 51% attack)
● Lack of liquidity
● Best practice critiques
● Sybil attacks
● Theoretical vulnerabilities without any proof or demonstration
● Content spoofing / Text injection issues
● Captcha bypass using OCR
● CSRF with no security impact (logout CSRF, change language, etc.)
● Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as
● Server-side information disclosure such as IPs, server names, and most stack traces
● Vulnerabilities used to enumerate or confirm the existence of users or tenants
● Vulnerabilities requiring unlikely user actions
● URL Redirects (unless combined with another vulnerability to produce a more severe
● Lack of SSL/TLS best practices
● DDoS vulnerabilities
● Attacks requiring privileged access from within the organization
● Feature requests
● Best practices
● Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
● Any testing with pricing oracles or third party smart contracts
● Attempting phishing or other social engineering attacks against our employees and/or customers
● Any testing with third-party systems and applications (e.g. browser extensions) as well as
websites (e.g. SSO providers, advertising networks)
● Any denial of service attacks
● Automated testing of services that generates significant amounts of traffic
● Public disclosure of an unpatched vulnerability in an embargoed bounty
As a competitive, public bounty — only the first person to report a bug will be considered for a reward. However, hackers can submit multiple reports for different bugs. We do ask that any bugs found are kept confidential until the team has had adequate time to address any underlying vulnerabilities.
Additional information is available in the bug bounty program, located at https://www.immunefi.com/bounty/router.
About Router Protocol
Router Protocol is building a suite of cross-chain liquidity infra primitives that aims to seamlessly provide bridging infrastructure between current and emerging Layer 1 and Layer 2 blockchain solutions.
Telegram announcements: https://t.me/router_ann