Rewards are distributed according to the impact of the vulnerability based on the Vulnerability Classification System. Rewards for critical vulnerabilities are capped at 10% of economic damage, primarily focusing on the possible loss of funds controlled by FIO System contracts.
Payouts are handled by the Foundation and are denominated in USD. All payouts are done in FIO.
|Critical||Up to USD $100,000|
|High||Up to USD $20,000|
|Medium||Up to USD $5,000|
|Low||Up to USD $1,000|
FIO classifies vulnerabilities on a 5-level scale:
This scale encompasses all the aspects of a vulnerability, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.
- A bug that results in loss of funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.
- A bug that can be triggered by any token holder is more severe than a bug that requires a block producer to go rogue.
- A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.
The table below provides examples of the the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.
|5. Critical||Empty or freeze protocol tokens (e.g. economic attacks, logic errors, integer over-/under-flow)|
|4. High||Token holders temporarily unable to transfer tokens|
|3. Medium||Users are temporarily unable to create transactions or use FIO features|
|2. Low||Protocol returns inaccurate information, but on-chain data is not affected|
|1. None||Best practices|
Updated 4 months ago