Introducing the PoolTogether Bug Bounty Program
Get rewarded for disclosing unknown vulnerabilities in the PoolTogether smart contracts.
PoolTogether is a prize savings protocol that promotes financial security by making saving fun. The protocol allows users to deposit tokens for a daily chance to win ETH. Since its inception in 2019, PoolTogether has helped tens of thousands of users save their crypto and has distributed more than $12M in prizes.
The recent launch of the new PoolTogether is a major leap forward. The system is now:
Fully autonomous. There are no admin controls; prize sizes and counts adapt automatically.
Automated. All external functions are incentivized so the protocol continues running perpetually.
Permissionless. Anyone can add new assets or yield sources to the protocol by adding new vaults.
This article outlines the Immunefi bug bounty program for PoolTogether which is live now. Report bugs and get rewards on the Immunefi platform: https://immunefi.com/bounty/pooltogether.
Bug Bounty Program
Security is paramount to PoolTogether. That's why Generation (G9) Software Inc. partnered with Immunefi to launch an open bug bounty program. Hackers in good faith should be rewarded, so the program is designed to encourage the responsible disclosure of vulnerabilities and bugs.
The bug bounty program covers the PoolTogether V5 core smart contracts and is focused on preventing the theft or freezing of user funds, prizes, or yield, as well as any potential griefing attacks. Whitehats can receive up to $22,727 in rewards for responsibly reporting a bug, depending upon its severity.
Other rules and details for the bug bounty program, including assets and impacts in scope, out-of-scope activities, and limitations, can be found in the full Bug Bounty Program Overview on Immunefi.
Rewards
Rewards are based on the severity of the bug detected and are distributed according to the impact the vulnerability could otherwise cause, as set out in the Impacts in Scope table below:
All smart contract vulnerabilities must be proven with a Proof of Concept (PoC) to be accepted. Bug reports without a PoC will be rejected with a request to include a PoC in the next submission.
Payouts are handled directly by the G9 Software Inc. team and are denominated in USD. All payments are carried out in $USDC.
Submitting a Finding
To responsibly report a potential vulnerability, please create an account and submit the bug via the Immunefi bugs platform.
Please adhere to the full Bug Bounty Program Overview on Immunefi for all information about assets and impacts in scope and the rules that apply.
Security Audits
The bug bounty program with Immunefi is one more step toward ensuring a true no-loss experience for PoolTogether's users. In addition to the bug bounty program, the protocol underwent security audits with Code4rena and Macro Security. You can browse all audit reports here.
Join us by the pool
GitHub: Generation Software
Developer Docs: dev.pooltogether.com
Builders Portal: builders.cabana.fi
Twitter: @PoolTogether_
Farcaster: @PoolTogether | /pool-together
Lens: pooltogether.lens
Mirror: pooltogether.mirror.xyz