Euler launches $1M ImmuneFi Bug Bounty Programme!

The ImmuneFi Bug Bounty programme aims to strengthen Euler protocol’s security while boosting collaboration with the greater DeFi ecosystem as part of an insurance partnership with Sherlock Protocol.

Euler protocol is kicking off a $1 million bug bounty programme with ImmuneFi as part of a $10 million insurance partnership with Sherlock Protocol.

This initiative will center on covering Euler protocol’s smart contracts and incentivise ethical reporting of potential security vulnerabilities or exploits. The new bug bounty programme will go hand-in-hand with Sherlock’s $10 million smart contract coverage to advance the security of Euler.

The Euler community benefits greatly from Sherlock’s skilled security team (Watsons) and their experienced leadership as part of the first cohort of protocols during Sherlock’s guarded launch. Sherlock is a risk management platform built on Ethereum and designed to keep end users protected by providing affordable and scalable coverage to protocols.

ImmuneFi is the leading bug bounty platform that has already paid out over $10 million in bounties, having prevented over $20 billion in potential losses with around $78 million worth of bounties currently available. ImmuneFi is trusted by a number of DeFi protocols including The Graph, Nexus Mutual, Olympus and many others.

The bug bounty program will only cover the following exploits and focuses wholly on smart contract vulnerabilities:

  • Loss of user funds staked (principal) by freezing or theft
  • Loss of governance funds
  • Theft of unclaimed yield
  • Freezing of unclaimed yield
  • Temporary freezing of funds for more than 1 week
  • Unable to call smart contract
  • Smart contract gas drainage
  • Smart contract fails to deliver promised returns
  • Vote manipulation
  • Incorrect polling actions

Bug Bounty Reward Distribution

The breakdown of the rewards are in accordance with ImmuneFi’s distribution criteria for the impact of the vulnerability, see here for more details.

Threat Level and reward distribution:
Critical Up to USD 1,000,000 (sponsored by Sherlock)
High USD 25,000
Medium USD 5,000
Low USD 1,000

All Medium, High and Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. All Low Smart Contract bug reports require a suggestion for a fix to be eligible for a reward.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects. However, there is a minimum reward of USD 50,000.

Critical payouts by Sherlock will only be paid out for critical bugs that would result in a loss of funds and can be executed profitably, and this then excludes Sherlock critical bounty payout for temporary freezing bugs.

Eligibility & Out of Scope

Only certain exploits and ​​vulnerabilities related to Euler smart contracts are eligible for a reward. Additionally, only assets covered in the ‘Assets in Scope’ Table are considered as in-scope of the bug bounty program. The Assets in Scope Table can be found here.

The following vulnerabilities are not eligible for a reward:

  • Anything that involves a malicious or illiquid token being promoted from isolation tier (the default ‘safe’ tier on Euler) to cross or collateral tier (where there are many more potential attack vectors). We assume governance is responsible for blocking promotion up the tiers.
  • Tokens exhibiting non-standard ERC20 behaviour that only affects holders of that token and does not impact any other assets managed by Euler. (E.g., a transfer function that fails to update users balances)
  • Oracle failure/manipulation of the form described here https://github.com/euler-xyz/uni-v3-twap-manipulation: {E.g., manipulation of the Uniswap Pools from which we derive the time-weighted average price (TWAP)}.

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Attacks that require an illiquid/malicious token to be promoted from isolation tier to cross or collateral tier (governance is responsible for preventing this, see definitions here: https://docs.euler.finance/getting-started/white-paper#asset-tiers)
  • Uniswap v3 TWAP oracle manipulation attacks of the form described here: https://github.com/euler-xyz/uni-v3-twap-manipulation
  • Basic economic governance attacks (E.g. 51% attack)
  • Tokens exhibiting non-standard ERC20 behaviour that only affects holders of that token and does not impact any other assets managed by Euler. (E.g., malicious transfer functions, malicious transferFrom functions in the ERC-20 token contract.) Such attacks caused by malicious tokens are considered out of scope.
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

For more information and details about the programme, please visit ImmuneFi’s Euler page and check out their Twitter announcement.

About ImmuneFi

Immunefi is Web3’s leading bug bounty platform, protecting $100 billion in user funds. Focusing on Web3 and smart contract security, ImmuneFi provides bug bounty hosting, consultation, bug triaging, and program management services to blockchain and smart contract projects.

Check out their site, follow them on Twitter, Discord, Medium, and YouTube.

About Euler

Euler is a capital-efficient permissionless lending protocol that helps users to earn interest on their crypto assets or hedge against volatile markets without the need for a trusted third-party. Euler features a number of innovations not seen before in DeFi, including permissionless lending markets, reactive interest rates, protected collateral, MEV-resistant liquidations, multi-collateral stability pools, sub-accounts, risk-adjusted loans and much more. For more information, visit euler.finance.

Join the Community

Follow us on Twitter. Join our Discord. Keep in touch on Telegram (community, announcements). Check out our website.

This content is provided by Euler Labs, Ltd., for informational purposes only and should not be interpreted as investment, tax, legal, insurance, or business advice. Euler Labs, Ltd, is an independent software development company.

Neither Euler Labs, Ltd. nor any of its owners, members, directors, officers, employees, agents, independent contractors or affiliates are registered as an investment advisor, broker-dealer, futures commission merchant or commodity trading advisor or are members of any self-regulatory organization.

The information provided herein is not intended to be, and should not be construed in any manner whatsoever, as personalized advice or advice tailored to the needs of any specific person. Nothing on the Website should be construed as an offer to sell, a solicitation of an offer to buy, or a recommendation for any asset or transaction.

Euler Labs Ltd, does not represent or speak for on or behalf of Euler Finance or the users of Euler Finance. The commentary and opinions provided by Euler Labs Ltd., are for general informational purposes only, are provided “AS IS,” and without any warranty of any kind. To the best of our knowledge and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable at the time of publication.

All content provided is presented only as of the date published or indicated, and may be superseded by subsequent events or for other reasons. As events markets change continuously, previously published information and data may not be current and should not be relied upon.

2024 Euler © All Rights Reserved

Press enquiry:

[email protected]