The security of Arkadiko’s systems is of the highest priority for our team and the Bug Bounty Program is a key component of our strategy to maximize security. We’ll reward you for helping us make the system as invulnerable as possible. Happy hunting!
The submitted issue needs to meet a minimum severity standard of Low as described below in order to qualify for a reward. A successfully-reviewed submission will receive a reward in DIKO tokens based on the classified severity of the issue.
Low:
- An issue that could theoretically cause a loss of less than 1% of the protocol funds, damage the protocol state, or cause severe user dissatisfaction or moderate technical failure.
- Up to 50.000 DIKO
Medium:
- An issue that could cause the immediate loss of protocol funds between 1% and 10%, or severely damage the protocol state.
- Up to 200.000 DIKO
High:
- An issue that could cause immediate loss of over 10% of the protocol funds or permanently impair the protocol state.
- Up to 500.000 DIKO
- The scope of the Bug Bounty program spans smart contracts utilized in the Arkadiko ecosystem – the Clarity smart contracts in the contracts folder of the master branch of the arkadiko repo, excluding any contracts used in a test-only capacity (including test-only deployments)
- You must be the first to report a non-public vulnerability
- You must provide sufficient information to enable our engineers to reproduce and fix the vulnerability
- You must not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics
- Do not exploit the vulnerability in any way, including through making it public or by obtaining a profit
- Do not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Bug Bounty Program
- Rewards will vary depending on the severity of the issue. Other variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix if included
- Rewards will be decided on a case by case basis and the Bug Bounty Program terms are at the sole discretion of Arkadiko
When you discover a vulnerability, please write a detailed report and send it to [email protected].
Do not reveal any information about the issue and do not take advantage of it in any way.
We will respond to your report within 5 business days and handle it with strict confidentiality. While we investigate the issue and implement a solution, we will keep you informed about the progress. Once the vulnerability is solved we will make sure you receive your reward.