Links
🐞

Bug Bounty

Bug Bounty Program for Premia Finance

Introduction

Premia Finance is a decentralized finance (Defi) protocol built on the EVM. As part of our commitment to ensuring the security of our platform, we have established a bug bounty program to encourage the community to report any potential vulnerabilities or issues they may find in our code, white mad hatters also encouraged to apply. The Premian Republic has deposited 100k USDC into the Hat's Finance Platform under the Premia Bug Bounty Vault. Community Members looking to add to the bounty amount can find out more info here and here.

Scope

The bug bounty program covers all smart contracts and code deployed on the Ethereum mainnet, Arbitrum, Optimism, and Fantom. The scope of the program includes any potential vulnerabilities that could lead to the loss of user funds or the compromise of the integrity of the Premia Finance platform.

Rewards

Rewards for valid bug reports will be distributed in accordance with the following guidelines:
  • Critical: Up to 72% of the Bug Bounty Vault
  • High: Up to 27% of the Bug Bounty Vault
  • Medium: Up to 18% of the Bug Bounty Vault
  • Low: Up to 3.6% of the Bug Bounty Vault
The determination of the severity of a bug report will be left to the discretion of the Premia Finance team as outlined by the Hat's Finance Terms of Use. 100k USDC has been deposited into the vault at inception, however their are future plans to direct a portion of protocol fees to the vault, as well as community members are encouraged to contribute to the bounty as well (deposits can be withdrawn at any time under 7d time delay as long as there is no active vulnerability report)

Eligibility

Anyone is eligible to participate in the bug bounty program, except for the Premia Finance team and their immediate family members. By participating in the program, you agree to abide by the rules and guidelines outlined in this document.

Rules and Guidelines

  • Only previously undisclosed vulnerabilities will be eligible for rewards.
  • The first reporter of a valid vulnerability will receive the reward.
  • The determination of the validity of a vulnerability and the severity of the report will be left to the discretion of the Premia Finance team.
  • Duplicate reports of the same vulnerability will not be eligible for rewards.
  • Vulnerabilities that have already been reported by the Premia Finance team or another third-party security researcher will not be eligible for rewards.
  • Any attempt to exploit a vulnerability for personal gain will result in disqualification from the program and possible legal action.
  • The Premia Finance team reserves the right to modify or terminate the bug bounty program at any time without notice.
Known Areas where the concern is acknowledged, however, no action will be taken:
  • V2 Contracts utilize the ChainLink function: latestAnswer(), which is no longer the recommended (latestRoundData) method to retrieve Oracle price.
  • V2 Contracts do not utilize the ChainLink variable: latestTimestamp to validate that a stale price is not being utilized.

Reporting a Vulnerability

To report a vulnerability, please submit via the Hat's Anon Friendly Portal: https://app.hats.finance/vulnerability If you would like you can send an email to [email protected] with the subject line "Bug Bounty Program Report". The email should include a detailed description of the vulnerability and steps to reproduce it. Please also include your Arbitrum wallet address for reward distribution. If submitting only via the Hat's vulnerability ticketing system an email is not needed.
Once the report is received, the Premia Finance team will review the vulnerability and respond with a determination of its validity and severity. If the report is valid, the team will work to fix the vulnerability and distribute the reward to the reporter.

Conclusion

The Premia Finance bug bounty program is an important part of our commitment to security and the protection of user funds. We encourage anyone with knowledge of potential vulnerabilities to participate in the program and help us ensure the integrity of our platform.
About Hats Finance Hats Finance is the first of its kind, community-owned and decentralized bug bounty protocol. Because security exploits affect all parties involved, Hats Finance facilitates community involvement by allowing users to provide liquidity to their favorite bounties and earn $HAT tokens once they become available. We hope that by allowing community involvement we can raise awareness on the importance of security in crypto while encouraging white-hat hacker involvement. Learn more about the Hats mechanism here and deposit in the Premia’s bug bounty through the Hats dApp.​