/security-incident-reports

A repository documenting security incident reports at Curve Finance.

Curve Security Incident Reports

This repository documents security-related disclosures at Curve Finance. Vulnerability reports are mentioned in disclosures/ and audits are reported in audits/.

Curve Finance Bug Bounty Program

Scope:

Issues which can lead to substantial loss of money, critical bugs like a broken liveness condition or irreversible loss of funds.

Disclosure policy:

Let us know as soon as possible upon discovery of a potential security issue. Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.

Exclusions:

  • Already known vulnerabilities.
  • Vulnerabilities in front-end code not leading to smart contract vulnerabilities.

Eligibility:

  • You must be the first reporter of the vulnerability.
  • You must be able to verify a signature from the same address.
  • Provide enough information about the vulnerability.

Bounty

There are three tiers of Severity:

  • Low
  • Moderate
  • High

There are three tiers of likelihood:

  1. Almost Certain
    • High Severity: $250,000
    • Moderate Severity: $50,000
    • Low Severity: $10,000
  2. Possible
    • High Severity: $50,000
    • Moderate Severity: $10,000
    • Low Severity: $1,000
  3. Unlikely
    • High Severity: $10,000
    • Moderate Severity: $1,000
    • Low Severity: $1,000

Contact

security@curve.fi