This document outlines the Security procedures for Mushrooms Finance, including vulnerability reporting and our Security Bounty program.
To submit a reporting, please check the details at Submit Reporting.
There is an incredible community-driven effort on security disclosure standard for responsible reporting in cryptocurrency and blockchain-related engineering.
TL;DR
- Initial Contact: How to establish initial contact with Mushrooms core dev team.
- Giving Details: What details to include with your vulnerability reporting after having received a reply from Mushrooms core dev to your initial contact.
- Setting Dates: How to agree on timelines for releasing updates and making details of the issue public available.
Mushrooms Finance is fully committed to co-working with white-hat developers who find and submit security vulnerability notifications to us, to resolve those issues on an appropriate timeline, and to perform a coordinated release, giving credit/reward to the reporter they deserve.
Please submit issues to ALL of the following main points of contact for security related issues according to the initial contact & giving details guidelines.
Also please ensure all related email communication being PGP encrypted or reach out over keybase encrypted chat
| Main Security Contact | Public key | Keybase | |
|---|---|---|---|
| Mushrooms core dev | PGP | earningpool at protonmail.com | @Mushrooms_Fin |
In the case where we become aware of security issues affecting other projects which howerver has never affected Mushrooms Finance, we might inform those projects of security issues on a best effort basis.
In the case where we fix a security issue in Mushrooms Finance that also affects other partner/well-known projects, our intention is to engage in responsible reporting with them as described in above mentioned security standard.
Mushrooms Finance has a Bug Bounty program to encourage security white-hat hacker/developer to spend time studying our code in order to uncover vulnerabilities. We believe they should get fairly awarded for their time and effort and acknowledged for the remarkable contributions to entire community.
- Bug has NOT been publicly disclosed.
- Vulnerabilities that have been previously submitted by other contributors or already known by the Mushrooms Finance team are not eligible for rewards.
- The size of the bounty payout depends on the assessment of the severity of the exploit. Please refer to the rewards section below for additional details.
- Bugs must be reproducible in order to verify the vulnerability locally in testnet or in some rare case on Ethereum mainnet.
- Rewards and the validity of bugs are determined by Mushrooms Finance team and any payouts are made at their sole discretion.
- Terms and conditions of the Bug Bounty program can be changed at any time at the discretion of Mushrooms Finance team.
- Details of any valid bugs may be shared with complementary protocols utilized in the Mushrooms Finance for the overal benefits of broader community.
- Severe: Highly likely to have a substantial impact on availability/integrity and loss of funds.
- High: Likely to have impact on availability/integrity and loss of funds.
- Medium: Possible to have an impact on availability/integrity.
- Low: Unlikely to have a meaningful impact on availability/integrity.
- Severe: 4000-50000 USDC($25000 in $USDC & $25000 in $MM)
- High: 800-4000 USDC
- Medium: 200-800 USDC
- Low: 50-200 USDC
Actual reward payouts are determined by classifying the vulnerability based on its impact and likelihood to be exploited successfully, as well as the process working with the reporting security developer. The rewards represent the maximum that will be paid out for a security bug reporting.
The scope of the Bug Bounty program spans 1) smart contracts and 2) frontend code utilized in the Mushrooms Finance ecosystem deployed in Ethereum mainnet and the website
For other artifacts outside of those mentioned above, please do reach out to the Mushrooms Finance core dev team for clarification on a case by case base.
Inspired by security practice and guideline from Yearn. Really appreciate