In the run-up to the launch of the necDAO, we are announcing a community bug bounty program offering ETH rewards (with the highest award being 10k USD equivalent for identifying a critical bug) to anyone reporting security vulnerabilities in the DAO contracts, locking mechanisms and governance processes. Read on to learn more.

On September 09, the team behind DeversiFi and Nectar announced the new Nectar 2.0 white-paper — an overhaul of the Nectar token which included deflationary tokenomics through an aggressive supply burn and buy-back & burn system, whitelist removal, fee discounts and perhaps most excitingly of all its role in the fast-approaching necDAO. More details can be found in the new Nectar whitepaper.

In preparation for the necDAO, this bug bounty program serves to incentivize the discovery of security vulnerabilities within the codebase of the DAO, as well as any potential issues related to locking NEC (required for earning reputation) which may see significant funds locked into these smart-contracts.

The Bug Bounty Program

The program will apply to the deployment of the necDAO contracts running on an Ethereum test network (Rinkeby) and as such there will be no real funds at stake. This codebase, however, is identical to the planned version to be deployed live.

Rewards will be granted to those who report legitimate bugs (more details below) to DeversiFi and DAOstack. The main areas of focus include, but are not limited to:

Reputation Process. In order to receive reputation in the necDAO users will be required to go through 1 of 3 options;

locking NEC tokens for selected periods; holding NEC for a reputation airdrop at a given blocktime; bidding GEN tokens in an auction.

For example, are you able to find vulnerabilities allowing an attacker to undermine/break these processes and gain access to ETH/NEC/GEN/TOKENS or additional reputation

Governance Process. Any unintended behaviour related to the actual governance mechanisms of the DAO. Can you undermine/break the DAO by passing a malevolent proposal? Draining funds against a majority vote? Or otherwise exploiting a major vulnerability in the code?

Useful technical information/resources for the above can be found at the following Github repository. An example DAO is deployed on rinkeby.

Rewards

We will be using the Ethereum Foundation’s Bug Bounty severity scale (using the OWASP principle) visible below. The value of each awarded bounty will be based on DeversiFi’s judgment of the severity of each reported bug:

Critical — USD 5000 to 10000

High — USD 2500

Medium — USD 1000

Low — USD 500

The judgement of the severity of the reported bug will be at the discretion of DeversiFi.

How long will the bounty run for?

There is currently no defined end date and the program as it stands will continue indefinitely or until the time the necDAO officially launches as detailed in the NEC 2.0 whitepaper.

General Rules

Most of the rules outlined in the Ethereum Foundation Bug Bounty Programme will also apply here. Mainly that:

Issues that have already been submitted by another user or are already known to the necDAO team are not eligible for bounty rewards. This includes the existing possibility for proposals to pass in Alchemy, despite there not being enough funds in the DAO contracts.

Public disclosure of a vulnerability before reporting makes it ineligible for a bounty.

Anyone who has been paid to work on the codebase or audit it is not eligible for rewards.

The necDAO bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the necDAO bug bounty panel.

Bounties will be awarded to the first submitter of a given issue and only security vulnerabilities where funds are at risk will be included in the scope of this program.

How to Submit?

Submissions should be made to security@deversifi.com following the structure outlined below:

Name and social link

Description of bug

Instructions on reproducing the attack vector

Any other important information

Your Ethereum address

When submitting a bug report, please be as thorough and detailed in these answers as possible as this will play a role in influencing its placing in the severity chart above and ultimately your bounty reward.

For any questions or to stay updated, connect with us on Telegram, Twitter and Reddit.