Bug Bounty

Program Overview

This bug bounty is specifically for Drift's smart contract code; client / UI only bugs are omitted.

Drift's smart contract is open-source (opens in a new tab).

The severity guidelines are based on Immunefi's classification system (opens in a new tab).

Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.

Submission

Please email hello@drift.trade with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach back out in 1 business day with additional questions or the next steps on the bug bounty.

Bug Bounty Payment

Bug bounties will be paid in USDC. Alternative payment methods can be used on a case-by-case basis.

Invalid Bug Bounties

The following are out of scope for the bug bounty:

• Attacks that the reporter has already exploited themselves, leading to damage

• Attacks requiring access to leaked keys/credentials

• Attacks requiring access to privileged addresses (governance, admin)

• Incorrect data supplied by third-party oracles (This does not exclude oracle manipulation/flash loan attacks)

• Lack of liquidity

• Third-party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts)

• Best practice critiques

• Sybil attacks

• Attempted phishing or other social engineering attacks involving Drift contributors or users

• Denial of service, or automated testing of services that generate significant traffic.

• Any submission violating Immunefi's rules