Bug Bounty Program
Stake DAO maintains a bug bounty program to encourage responsible disclosure of security vulnerabilities in our smart contracts.
Scope
The following defines which assets are in and out of scope:
In Scope
- Smart contracts deployed on Ethereum mainnet listed in Contract Addresses
- Smart contracts in the stake-dao GitHub organization tagged for production
Out of Scope
- Frontend applications and web interfaces
- Third-party contracts and integrations
- Contracts on testnets
- Known issues documented in audit reports
- Theoretical vulnerabilities without proof of concept
- Vulnerabilities requiring compromised private keys
- Social engineering attacks
Severity Classification
| Severity | Description |
|---|---|
| Critical | Direct loss of user funds, unauthorized withdrawal from Lockers or strategies, permanent freezing of funds |
| High | Theft of unclaimed yield, manipulation of gauge votes or reward distribution, access control bypass on privileged functions |
| Medium | Griefing attacks requiring significant capital, incorrect reward calculations |
| Low | Issues with no direct fund risk but worth fixing |
Requirements
Valid submissions must include:
- Detailed description of the vulnerability
- Step-by-step reproduction instructions
- Working proof of concept (Foundry test or transaction simulation)
- Impact assessment with specific affected contracts and functions
- Suggested fix (optional but appreciated)
Submission Process
- Do not disclose the vulnerability publicly
- Email security findings to [email protected]
- Include "Bug Bounty" in the subject line
- Allow up to 72 hours for initial response
- Work with the team on remediation timeline
Rewards
Bounty amounts are determined based on severity and impact:
| Severity | Range |
|---|---|
| Critical | Up to $100,000 |
| High | Up to $25,000 |
| Medium | Up to $5,000 |
| Low | At team's discretion |
Final amounts are at Stake DAO's discretion based on:
- Quality and clarity of the report
- Severity of actual (not theoretical) impact
- Novelty of the vulnerability
Rules
- First valid report of a vulnerability receives the bounty
- Stake DAO service providers and recent contributors are ineligible
- No exploitation of vulnerabilities on mainnet
- Responsible disclosure required; public disclosure forfeits the bounty
- One bounty per root cause
Previously Audited Code
All production contracts have undergone third-party security audits. Review our audit reports before submitting. Known issues from audits are out of scope.