Boba Network Bug Bounty Program

About the program

Boba is partnering with Immunefi to create a bug bounty program to reward individuals for finding and reporting security vulnerabilities in the Boba code. If you discover a bug or vulnerability, we encourage you to report it to us. We are committed to working with the community to identify and fix any security issues as quickly as possible.

Rewards

Rewards for eligible bug reports will be based on the severity of the issue and distributed through the Immunefi vulnerability system. Rewards may range from $1,000 to $1,000,000 depending on the impact and complexity of the issue.

Payouts are denominated in USD by the Boba Foundation. However, payouts are done in USDC.

In scope:

• Blockchain/DLT
• Smart Contracts
• Websites and Applications

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All High and Critical Blockchain/DLT/Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.

Critical blockchain/DLT vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 50 000.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 50 000.

The following vulnerabilities are not eligible for a reward:

• Contracts are upgradable.
•    The fact that fraud proofs are not yet running.
•    A bug in Lib_MerkleTrie.sol which will prevent withdrawals from succeeding in some cases. There is a workaround for this, by modifying the proof to add an extra element.
•    A bug in Lib_ResolvedDelegateProxy.sol which could result in a storage slot key collision overwriting the address of the implementation. This bug is dependent on the layout of the implementation contract, and Boba is not affected.
•    The user cannot commit to a L1 gas price, the OVM_GasPriceOracle is owned by a key controlled by Boba and is responsible for setting the L1 gas price.
•    There appears to be an obvious bug which would allow an attacker to withdraw a fake ERC20 token from L2 in exchange for a real ERC20 (such as WBTC) token on L1. There is no check in the L2StandardBridge, however the withdrawal is prevented from finalizing by a check in the L1StandardBridge. Naturally if you do find a way to circumvent Boba Network’s protections, then you would be rewarded.
•    All vulnerabilities mentioned in https://github.com/bobanetwork/boba/tree/develop/boba_audits

Boba Network requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward for critical and high threat levels. The information needed is proof of your identity. The collection of this information will be done by the Boba Foundation.

Payouts are handled by the Boba Foundation and are denominated in USD. However, payouts are done in USDC.