Bug Bounties
MELD Smart Contract Bug Bounty Program
Last updated
As a rapidly evolving protocol, our suite of products encompasses numerous applications spanning the MELD DAO, MELD STAKING, L&B EVM, Token Contracts, and other on-chain solutions. The security and stability of our entire ecosystem are paramount. That's why we're inviting our community to assist in identifying and rectifying any vulnerabilities across our platform.
For transparency and insight into our previous security evaluations, our audit reports can be accessed below.
Here are the details of the bug bounty program:
The bug bounty program encompasses all MELD smart contracts, from our DAO structures to L&B EVMs and Token Contracts, as well as their associated APIs. While the frontend platform is not within the program's purview, it serves as an interface to interact with the products under scrutiny.
Rewards will be determined by the severity of the bug and the quality of the report. Severity will be assessed using the CVSS (Common Vulnerability Scoring System).
The bug bounty program is open to anyone with access to the protocol, contingent on adherence to our terms and conditions.
Spot a bug? Please reach out to us at security@meld.com, detailing the issue and the requisite steps to reproduce it.
Participants are urged to practice responsible disclosure, ensuring we are granted a reasonable window to address the issue before public announcement.
Potential vulnerabilities of interest for this program include, but are not limited to:
Unauthorized Access: Vulnerabilities that allow attackers to gain unauthorized access or control over any component of the system.
Fund Theft: Smart contract vulnerabilities enabling unauthorized withdrawal or redirection of funds.
Token Manipulation: Vulnerabilities allowing unauthorized minting, burning, or altering token balances in token contracts.
Governance Exploits: Vulnerabilities allowing tampering with DAO governance, vote manipulation, or changing of proposals without proper authorization.
Interest Rate Tampering: Vulnerabilities enabling the manipulation of interest rates in lending and borrowing contracts outside of defined parameters.
Oracle Manipulation: Vulnerabilities allowing attackers to feed false data or take control of the oracles used by smart contracts.
Unauthorized Loan Creation: Vulnerabilities enabling the creation of loans with arbitrary amounts, interest rates, or without proper collateral.
Loan Liquidation: Vulnerabilities allowing unauthorized or premature liquidation of loans.
Collateral Issues: Vulnerabilities allowing the alteration of collateral requirements, creating fake collateral, or bypassing collateral checks.
Double-Spend Attack: Vulnerabilities enabling the same assets to be spent more than once.
Reentrancy Attacks: Vulnerabilities where external contract calls can be hijacked to re-enter the calling contract at the same point.
DAO Proposal Creation: Vulnerabilities allowing unauthorized creation or modification of DAO proposals.
Frozen Funds: Vulnerabilities that allow funds or tokens to be unintentionally locked or frozen within contracts.
Underflow/Overflow Issues: Vulnerabilities where numeric operations in smart contracts result in underflow or overflow, leading to unintended behavior.
Access Control Bypass: Vulnerabilities allowing attackers to circumvent any permissioned operations or restrictions.
Flash Loan Attacks: Vulnerabilities susceptible to uncollateralized loan attacks which can manipulate market prices or other critical parameters.
Delegate Attacks: Vulnerabilities related to wrongly delegated permissions, especially in token contracts and governance modules.
Gas Limit or State Growth Issues: Vulnerabilities leading to operations that consume an inordinate amount of gas or inflate the contract's state excessively.
Economic Attacks: Vulnerabilities where an attacker can drain funds or resources through economic manipulations or game theoretical weaknesses.
Improper Balance Checks: Vulnerabilities where smart contracts do not properly check or update balance states after operations.
The bug bounty program expressly excludes:
Previously reported issues.
Publicly disclosed issues.
Issues stemming from the blockchain network or any third-party systems.
Social engineering tactics.
Physical attacks.
Denial of Service (DoS) attacks.
The value we place on feedback is immense. However, rewards are reserved for bugs of the following criticality:
Issues with limited security impact, potentially affecting information dissemination or minimal funds. Reward: 10,000 $MELD tokens.
Issues threatening severe security compromises, such as fund losses in a single pool or blockage of overall protocol liquidity. Reward: 150,000 $MELD tokens plus select MELD merchandise.
Issues potentially culminating in an overarching system breach, risking a majority (>90%) of funds across one or more pools. Reward: 500,000 $MELD tokens along with MELD merchandise of your choice.
Misrepresenting assets in scope: claiming that a bug report impacts/targets an asset in scope when it does not
Misrepresenting severity: claiming that a bug report is critical when it clearly is not
Automated testing of services that generate significant amounts of traffic
Advertising or promotion of services
Attacks based on personal characteristics
Extortion/blackmail or threats of extortion/blackmail
Underreporting vulnerabilities
Misrepresenting vulnerabilities
Publicly disclosing a bug report (or even the existence of a bug report for a specific project) before it has been fixed and paid
Publicly disclosing a bug report before 30 days have elapsed since the project closed the report as being out of scope or not requiring a fix
Publicly disclosing a bug report deemed to be a duplicate or well-known to the project
Placeholder bug submissions, i.e., bugs that have a vague title, very few details, and no reproducible steps
Submitting AI-generated/automated scanner bug reports
Our commitment to user safety and platform integrity remains unwavering.
Thank you for helping us make MELD a stronger and safer ecosystem.