The Aurigami bug bounty program is focused on our smart contracts, websites, and apps with a primary interest in the prevention of loss of user funds, either by direct draining of locked funds or social engineering attacks by redirecting users or forcing them to sign a transaction.
Submit a bug or learn more about the program on Immuefi.
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
Up to USD 500,000
All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.
Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 50 000.
All vulnerabilities marked in https://github.com/Aurigami-Finance/aurigami-smart-contracts/tree/main/docs are not eligible for a reward.
Payouts are handled by the Aurigami team directly and are denominated in USD. However, payouts are done in USDC and PLY, and up to 80% of the rewards can be paid in PLY.