Drift Protocol v2

โŒ˜K
๐Ÿ‘พWelcome to Drift Protocol
๐ŸงฎDrift DEX
๐Ÿ‘‹Getting Started
๐Ÿ“ˆPerpetual Futures
๐Ÿ“ŠSpot Margin Trading
๐ŸฆBorrow & Lend
๐Ÿ›๏ธStaking
๐ŸชMarket Makers
๐Ÿ”ฌTechnical Explanations
๐Ÿ“Accounting and Settlement
โž—Borrow Interest Rate
๐Ÿ“œDelisting Process
โ›ฒDrift AMM
๐ŸƒJust-In-Time (JIT) Auctions
๐Ÿ“šKeepers & Decentralised Orderbook
โ˜ ๏ธLiquidators
๐Ÿ’งLiquidity Providers (LPs)
๐Ÿ“‹Protocol Guard Rails
๐Ÿ“Risks
๐Ÿ–ฅ๏ธDeveloper Resources
๐Ÿ“”Program/Vault Addresses
โŒจ๏ธSDK Documentation
โŒจ๏ธTutorial: Bots
โš ๏ธTroubleshooting
๐Ÿ› ๏ธKeeper Bots
๐Ÿ› ๏ธTrading Bots
โŒจ๏ธHistorical Data (v1)
โŒจ๏ธAPI
๐Ÿ›ก๏ธSecurity
๐Ÿ›ก๏ธAudits
๐Ÿ›ก๏ธBug Bounty
โš–๏ธLegal and Regulations
๐Ÿ“Terms of Use
๐Ÿ“Disclaimer
๐Ÿ“Privacy Policy
๐Ÿ“Competition Terms and Conditions
๐Ÿ“šGlossary
Docs powered byย archbeeย 

Bug Bounty

5min

Program Overview

This bug bounty is specifically for Drift's smart contract code; UI only bugs are omitted.

Drift's smart contract is open-source.

Severity

Description

Bug Bounty

Critical

Bugs that freeze user funds or drain the contract's holdings or involve the theft of funds without user signatures.

10% of the value of the hack up to $500,000.

High

Bugs that could temporarily freeze user funds or incorrectly assign value to user funds.

$10,000 to $50,000 per bug, assessed on a case-by-case basis

Medium/Low

Bugs that don't threaten user funds

$1,000 to $5,000 per bug, assessed on a case-by-case basis

The severity guidelines are based on Immunefi's classification system.๏ปฟ

Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.

Submission

Please email hello@drift.trade with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach back out in 1 business day with additional questions or the next steps on the bug bounty.

Bug Bounty Payment

Bug bounties will be paid in USDC. Alternative payment methods can be used on a case-by-case basis.

Invalid Bug Bounties

The following are out of scope for the bug bounty:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, admin)
  • Incorrect data supplied by third-party oracles (This does not exclude oracle manipulation/flash loan attacks)
  • Lack of liquidity
  • Third-party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts)
  • Best practice critiques
  • Sybil attacks
  • Attempted phishing or other social engineering attacks involving Drift contributors or users
  • Denial of service, or automated testing of services that generate significant traffic.
  • Any submission violating Immunefi's rules

Updated 01 May 2023
Did this page help you?
Yes
No
PREVIOUS
Audits
NEXT
Terms of Use
Docs powered byย archbeeย 
TABLE OF CONTENTS
Program Overview
Submission
Bug Bounty Payment
Invalid Bug Bounties