Bug Bounty Program

As a protocol developing a lending and borrowing platform on the Cardano network, the security and stability of our system are of the utmost importance. That's why we're inviting our community to help us find and fix any bugs or vulnerabilities in our platform.
Here are the details of the program:

Scope

The bug bounty program covers all MELD smart contracts and their associated APIs. The frontend platform is not covered in this program but can be used to interact with the products in scope.

Rewards

Rewards will be based on the severity of the bug and the quality of the report. We will be using the CVSS (Common Vulnerability Scoring System) to determine the severity of the bug.

Eligibility

Anyone with access to the protocol can participate in the bug bounty program as long as they follow the terms and conditions.

Submission

To submit a bug, please email us at [email protected] with a detailed description of the issue and the steps to reproduce it.

Responsible Disclosure

We request that all participants practice responsible disclosure. This means that you should give us a reasonable amount of time to fix the issue before disclosing it to the public.

Exclusions

The following issues are excluded from the bug bounty program:
  • Issues that have already been reported.
  • Issues that have been disclosed to the public.
  • Issues that are related to the Cardano network or any other third-party systems.
  • Social engineering attacks.
  • Physical attacks.
  • Denial of Service (DoS) attacks.
Some examples of bugs that will be considered for this bug bounty program are:
  • Smart contract vulnerabilities that allow for stealing funds.
  • Vulnerabilities that allow the attacker to mint new tokens or create new loans.
  • Vulnerabilities that allow the attacker to execute a double-spend attack.
  • Vulnerabilities that allow the attacker to take control of the oracle used by the smart contract.
  • Vulnerabilities that allow the attacker to prevent legitimate users from accessing the system.
  • Vulnerabilities that allow the attacker to bypass the system's access controls.
  • Vulnerabilities that allow the attacker to create loans with arbitrary amounts or interest rates.
  • Vulnerabilities that allow the attacker to liquidate loans without authorization.
  • Vulnerabilities that allow the attacker to change the collateral requirements for loans.
  • Vulnerabilities that allow the attacker to create fake collateral.
  • Vulnerabilities that allow the attacker to create fake loans and steal funds from the borrowers.
  • Vulnerabilities that allow the attacker to change the protocol's interest rate model.
  • Vulnerabilities that allow the attacker to change the protocol's lending and borrowing terms.
All feedback is welcome, but only bugs at the following criticality levels will be entitled to rewards:

Medium

These are issues that have a low impact on the security of the system, and only affect information flow or minor amounts of funds.
Reward: 10,000 $MELD tokens

High

These are issues that have a severe impact on the security of the system and could result in loss of funds in a single pool, or in blocking the liquidity of the whole protocol.
Reward: 150,000 $MELD tokens and some MELD swag of our choice

Critical

These are issues that could result in a complete compromise of the system, potentially leading to the loss of the majority (>90%) of funds in one or multiple pools, either losing them forever or withdrawing them to a malicious actor.
Reward: 500,000 $MELD tokens and MELD swag of your choice

Prohibited behaviour

  • Misrepresenting assets in scope: claiming that a bug report impacts/targets an asset in scope when it does not
  • Misrepresenting severity: claiming that a bug report is critical when it clearly is not
  • Automated testing of services that generates significant amounts of traffic
  • Advertising or promotion of services
  • Attacks based on personal characteristics
  • Extortion/blackmail or threats of extortion/blackmail
  • Underreporting vulnerabilities
  • Misrepresenting vulnerabilities
  • Publicly disclosing a bug report, or even the existence of a bug report for a specific project, before it has been fixed and paid
  • Publicly disclosing a bug report before 30 days have elapsed since the project closed the report as being out of scope or not requiring a fix
  • Publicly disclosing a bug report deemed to be a duplicate or well-known to the project
  • Placeholder bug submissions, i.e., bugs that have a vague title, very few details, and no reproducible steps
  • Submitting AI-generated/automated scanner bug reports
We are committed to providing a safe and secure platform for our users and we appreciate your help in making that a reality. If you find a bug or vulnerability, please don't hesitate to reach out to us and help make MELD a better platform for everyone.