Security

Security is our highest priority. Our team has created a protocol that we believe is safe and dependable, and is audited by OpenZeppelin, Peckshield, and Certora. All smart contract code is publicly verifiable and we have a bug bounty for undiscovered vulnerabilities.

We encourage our users to be mindful of risk and only use funds they can afford to lose. Options are complex instruments that when understood correctly can be powerful hedges. Smart contracts are still new and experimental technology. We want to remind our users to be optimistic about innovation while remaining cautious about where they put their money.

Audits

Opyn's smart contracts have been audited by Trail of Bits, OpenZeppelin and Peckshield, and formally verified by Certora.

Monoceros Alpha Audit Report - Aug 2021

Trail of Bits Audit Report - May 2021

Peckshield Audit Report - Feb 2021

Certora Formal Verification Report - Dec 2020

OpenZeppelin Audit Report - Nov 2020

Bug Bounty Program

Security is one of our highest priorities, and while Opyn's smart contracts have been rigorously tested and audited, there may still be undiscovered vulnerabilities with this new technology. We encourage and value the community's input in helping us discover vulnerabilities and responsibly disclosing them.

Scope

This program is limited to the vulnerabilities affecting the Gamma Protocol. Submissions should be based off this commit hash (67a2bff57ec49c4bb7c9c454c8ad945fd5bdcf51).

The following ineligible findings are not in the scope of the program:

  • Bugs in any third party contract or platform that interacts with Gamma

  • Vulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:

    • Front end bugs

    • DDOS attack

    • Spamming

  • Findings related to non-standard ERC20 tokens might be ineligible as many vulnerabilities might be inserted in non-standard ERC20 tokens on purpose for applying for this bug bounty.

  • Exploiting the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).

  • Duplicate vulnerabilities: Only the first reporter will be rewarded (in compliance with the disclosure requirements)

  • Findings already known as part of a formal audit or are marked on the repo as issues.

Rewards

Severity of bugs will be assessed under the CVSS Risk Rating scale, as follows:‌

  • Critical (9.0-10.0): Up to $100,000

  • High (7.0-8.9): Up to $40,000

  • Medium (4.0-6.9): Up to $5,000

  • Low (0.1-3.9): Up to $1,000

In addition to assessing severity, rewards will be considered based on the impact of the discovered vulnerability as well as the level of difficulty in discovering such vulnerability.

Prior to the deployment of Gamma to the Ethereum mainnet, successful bug reporters will receive a 20% bonus on their bounty pay out. This is to help drive security efforts in the lead up to launch.

Disclosures

Any vulnerability or bug discovered must be reported only to the following email: [email protected], must not be disclosed publicly, must not be disclosed to any other person, entity or email address prior to disclosure to the [email protected] email, and must not be disclosed in any way other than to the [email protected] email. In addition, disclosure to [email protected] must be made promptly following discovery of the vulnerability. Please include as much information about the vulnerability as possible, including:

  • The conditions on which reproducing the bug is contingent.

  • The steps needed to reproduce the bug or, preferably, a proof of concept.

  • The potential implications of the vulnerability being abused.‌

Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution, if agreed.

Other Terms

All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.

The terms and conditions of this program may be altered at any time.