Reward Levels

Rewards are distributed according to the impact of the vulnerability based on the Vulnerability Classification System. Rewards for critical vulnerabilities are capped at 10% of economic damage, primarily focusing on the possible loss of funds controlled by FIO System contracts.

Payouts are handled by the Foundation and are denominated in USD. All payouts are done in FIO.

CriticalUp to USD $100,000
HighUp to USD $20,000
MediumUp to USD $5,000
LowUp to USD $1,000

Vulnerability Classification System

FIO classifies vulnerabilities on a 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

This scale encompasses all the aspects of a vulnerability, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

For example:

  • A bug that results in loss of funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.
  • A bug that can be triggered by any token holder is more severe than a bug that requires a block producer to go rogue.
  • A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.

The table below provides examples of the the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.

Sample Consequences to Smart Contracts/Blockchain

5. CriticalEmpty or freeze protocol tokens (e.g. economic attacks, logic errors, integer over-/under-flow)
4. HighToken holders temporarily unable to transfer tokens
Cryptographic flaws
3. MediumUsers are temporarily unable to create transactions or use FIO features
2. LowProtocol returns inaccurate information, but on-chain data is not affected
1. NoneBest practices