This bug bounty is specifically for Drift's smart contract code; UI-only bugs are omitted.
Drift's smart contract is open-source.
Bugs that freeze user funds, drain the contract's holdings, or involve theft of funds without user signatures.
10% of the value of the hack up to $500,000.
Bugs that could temporarily freeze user funds or incorrectly assign value to user funds.
$10,000 to $50,000 per bug, assessed on a case-by-case basis.
Bugs that don't threaten user funds.
$1,000 to $5,000 per bug, assessed on a case-by-case basis.
The severity guidelines are based on Immunefi's classification system.
Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
Please email firstname.lastname@example.org with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach back out in 1 business day with additional questions or next steps on the bug bounty.
Bug bounties will be paid in USDC. Alternative payment methods can be used on a case-by-case basis.
The following are out of scope for the bug bounty: