
Synthetix

Synthetix provides a building layer that allows other protocols to tap into its universal liquidity pool, offering derivative exposure on an EVM compatible chain.

Tags: Base, ETH, Optimism, DeFi, DAO, DEX, Perpetuals, Staking, Synthetic Assets, Solidity

Maximum Bounty: $100,000
Live Since: 05 March 2021
Last Updated: 08 April 2024
  • PoC required


Assets in Scope

Target / Type | Added on
Smart Contract - Governance Module | 25 July 2023
Websites and Applications - https://staking.synthetix.io/ and https://github.com/Synthetixio/js-monorepo/tree/master | 25 July 2023
Websites and Applications - https://governance.synthetix.io/ | 25 July 2023
Websites and Applications - https://synthetix.io/ | 25 July 2023
Smart Contract - V3 | 4 May 2022
Smart Contract - V2x | 4 May 2022

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something in the assets in scope table.

Critical: Direct theft of collateral from liquidity providers and borrowers (i.e. staked assets)
Critical: Direct theft of tokens and NFTs from token and NFT holders (i.e. v3 staking position / sUSD / snxUSD /…)
Critical: Permanent bricking of staking or trading contracts resulting in losses to owners, where the assets can’t be recovered by any means
Critical: Governance voting result manipulation that could result in a critical severity classification
Critical: Immediate manipulation of the debt of the protocol, not related to oracle price changes, nor related to debt fluctuations from interactions that are within the intended design
Critical: Immediate protocol insolvency of liquidity providers
Critical: Theft of unclaimed yield that can become claimable by the attacker immediately (i.e. swapped to external assets), or claimable after a period of time where the protocol is unable to safeguard the funds at risk via code updates
Critical: Execute arbitrary system commands
Critical: Subdomain takeover with already-connected wallet interaction
High: Theft of unclaimed yield that can become claimable by the attacker within 24 hours of the attack
High: Temporary freezing of funds
High: Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Out of scope

These impacts are out of scope for this bug bounty program.

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Web/App

  • Vulnerabilities that have already been exploited are considered to be out of scope
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Best practice critiques
  • Sybil attacks
  • Any DDOS attack
  • Attacks that require altering the configurations of the protocol from the time the vulnerability disclosure is submitted (i.e. listing new assets / changing parameters). However, changes in configuration that are staged to be implemented and have been voted on by governance are considered to be in scope.
  • Security researchers from restricted countries (see the program terms) are not eligible for bounties regardless of the scope of the vulnerability disclosure
  • Activities that violate the whitehat rules of engagement will result in revocation of the bounty regardless of the disclosure's merit.

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty