Bug Bounty
Last updated
As a rapidly evolving protocol, our suite of products encompasses numerous applications. This bug bounty explains the process for reporting bugs, how they are categorised, and the rewards for the different types of bugs reported.
For transparency and insight into our previous security evaluations, our audit reports can be accessed below.
The bug bounty program encompasses:
All smart contracts in the Fairside ecosystem, including the token, the membership management contracts, the various rewards distribution mechanisms, etc.
APIs that interact with the Fairside protocol.
Frontends of the dapps that interact with the Fairside protocol.
Static pages that serve as marketing material and point of contact.
Rewards will be gauged based on the severity of the bug and the quality of the report. Severity will be determined using the CVSS (Common Vulnerability Scoring System). You can learn more about CVSS at this link:
The bug bounty program is open to anyone with access to the protocol, contingent on adherence to our terms and conditions.
Spot a bug? Please reach out to us at security@fairside.io detailing the issue and the requisite steps to reproduce it.
Participants are urged to practice responsible disclosure, ensuring we are granted a reasonable window to address the issue before public announcement.
Potential vulnerabilities of interest for this program include, but are not limited to:
Unauthorised Access: Vulnerabilities that allow attackers to gain unauthorised access or control over any component of the system.
Fund Theft: Smart contract vulnerabilities enabling unauthorised withdrawal or redirection of funds.
Token Manipulation: Vulnerabilities allowing unauthorised minting, burning, or altering token balances in token contracts.
Governance Exploits: Vulnerabilities allowing tampering with DAO governance, vote manipulation, or changing of proposals without proper authorisation.
Rate Tampering: Vulnerabilities enabling the manipulation of rates in the protocols deployed by Fairside.
Double-Spend Attack: Vulnerabilities enabling the same assets to be spent more than once.
Reentrancy Attacks: Vulnerabilities where external contract calls can be hijacked to re-enter the calling contract at the same point.
DAO Proposal Creation: Vulnerabilities allowing unauthorised creation or modification of DAO proposals.
Frozen Funds: Vulnerabilities that allow funds or tokens to be unintentionally locked or frozen within contracts.
Underflow/Overflow Issues: Vulnerabilities where numeric operations in smart contracts result in underflow or overflow, leading to unintended consequences.
Access Control Bypass: Vulnerabilities allowing attackers to circumvent any permissioned operations or restrictions.
Delegate Attacks: Vulnerabilities related to wrongly delegated permissions, especially in token contracts and governance modules.
Gas Limit or State Growth Issues: Vulnerabilities leading to operations that consume an inordinate amount of gas or inflate the contract's state excessively.
Economic Attacks: Vulnerabilities where an attacker can drain funds or resources through economic manipulations or game theoretical weaknesses.
Improper Balance Checks: Vulnerabilities where smart contracts do not properly check or update balance states after operations.
The bug bounty program expressly excludes:
Previously reported issues.
Publicly disclosed issues.
Issues stemming from the blockchain network or any third-party systems.
Social engineering tactics.
Physical infractions.
Denial of Service (DoS) attacks.
The value we place on feedback is immense. However, rewards are reserved for bugs of the following criticality:
Low Severity:
Incidents that result in negligible or minor impacts, typically confined to issues such as small claims arising from traditional web-based transactions or disputes. These incidents do not provide unauthorised access to financial assets, and any potential harm is minimal and localised. There is no direct threat to user funds or sensitive information, and no significant operational or security risk is posed to the system as a whole.
Incidents in this category are not eligible for rewards.
Medium Severity:
Incidents that have a limited impact on security, operational functionality, or the dissemination of information. These incidents may involve unauthorised access to or disclosure of non-sensitive data, or could result in a financial impact that does not exceed $5,000. While the potential harm may affect a subset of users or limited protocol functionalities, the core system remains secure and operational.
Incidents in this category are rewarded with up to XXXXXXXXXXXX tokens
High Severity:
Incidents that present a substantial risk to the protocol's integrity or security. These issues may include the unauthorised loss or transfer of funds exceeding $5,000, significant operational failures, or disruptions to the protocol's liquidity, potentially affecting a wide range of users. The risk of further compromise is elevated, and the incident may significantly affect the stability of the protocol.
Incidents in this category are rewarded with up to XXXXXXXXXXXX tokens, and require immediate remediation to prevent further harm or escalation.
Critical Severity:
Incidents that threaten the overall integrity and security of the protocol, with the potential to cause a full-scale system breach. In such cases, a majority (greater than 90%) of the protocol's funds are at risk of loss or compromise. These incidents could lead to systemic failure, widespread financial losses, or the collapse of the protocol's liquidity. They may also involve severe unauthorised access to tokens, putting the majority of assets within the system in jeopardy. Immediate, comprehensive response measures are necessary to contain the damage and restore the system's security and operational integrity.
Incidents in this category are rewarded with up to XXXXXXXXXXXX tokens, and require immediate remediation to prevent further harm or escalation.
Prohibited behaviour:
Misrepresenting assets in scope: claiming that a bug report impacts or targets an asset in scope when it does not.
Misrepresenting severity: claiming that a bug report is critical when it clearly is not.
Automated testing of services that generate significant amounts of traffic
Advertising or promotion of services
Attacks based on personal characteristics
Extortion/blackmail or threats of extortion/blackmail
Underreporting vulnerabilities
Misrepresenting vulnerabilities
Publicly disclosing a bug report, or even the existence of a bug report for a specific project, before it has been fixed and paid.
Publicly disclosing a bug report before 30 days have elapsed since the project closed the report as being out of scope or not requiring a fix
Publicly disclosing a bug report deemed to be a duplicate or well-known to the project
Placeholder bug submissions, i.e., bugs that have a vague title, very few details, and no reproducible steps
Submitting AI-generated/automated scanner bug reports
Our commitment to user safety and platform integrity remains unwavering.
Thank you for helping us make Fairside a stronger and safer ecosystem.