Bagels Finance Bug Bounty Program

Program Overview

Bagels Finance is a Decentralized Finance (DeFi) platform that provides products for yield farming and lending aggregation on the BSC, Polygon and Ethereum blockchains. The bug bounty program is focused on the main goal of preventing the loss of user funds due to smart contract vulnerabilities, and faults in our code that affect usability or security. Security is our most important concern. Although we have completed professional smart contract code audits and security verifications, we recognize the importance of our community in uncovering vulnerabilities and maintaining the safety of the Bagels ecosystem. Bagels recognizes the hard work of independent developers and rewards community participants who audit our contracts and disclose any vulnerabilities. Below we have set out the rules and rewards of the program.

References

Website: https://app.bagels.finance/

White paper: View here.

Test Environment: https://pre.bagels.finance

Github: https://github.com/bagels-dev/protocol-v1/

Scope

The bug bounty is eligible for the following repositories:Please add the GitHub repositories or testnets where people should go here

Priority Vulnerabilities

Please check/add to list of vulnerabilities that our team would like to see/ are possible or eligible. You can remove some as well

• User authentication errors

• Weak encryption

• Unique governance attacks

• Financial attacks, such as flash loan attacks

• Solidity/EVM errors

• Dependency vulnerabilities (written in Vyper language)

• Oracle Manipulation

• Scalability issues: frontrunning, gas, etc.

• Consensus failures

• Cryptography issues

• Signature malleability

• Susceptibility to replay attacks

• Weak randomness

• Block timestamp manipulation

• Missing access controls

• Internal interfaces showing

Terms and Conditions

• To be eligible, you must identify a previously unreported, original, non-public vulnerability within the scope;

• To participate in this program, you must be at least 18 years old;

• Must report as an individual or company. If reporting as employee of a company, you need the company's written consent to submit the disclosure;

• Must not be a current or former Bagels Finance employee, vendor, or contractor, or work for a current or former Bagels Finance vendor or contractor;

• There is no time limit for the bug bounty program at the moment;

• You can choose to disclose anonymously;

• You must read the disclosure policy;

• Some level of technical knowledge is required.

Rewards

Bagels Finance offers rewards for discoveries that may prevent harm to users, loss of information, the shutdown of the platform, loss or freezing of assets, and/or other material impacts. Rewards are determined by both the likelihood of the vulnerability occurring and having a meaningful impact on loss of funds or system availability; and the severity of the potential exploit.The decision of the reward amount will be at the discretion of the Bagels Finance team. Rewards are paid by the Bagels Finance, are denominated in USD and can be made in USDC, DAI, USDT or CAKE. Payouts can be made in USDC, DAI, ETH, YFI, or their Yearn Vault counterparts.

Threat Level	Payout (USD)
Critical	$50,000 - $200,000
Severe	$10,000- $50,000
High	$5000- $10,000
Medium	$1000- $5000
Low	$100-$1000

Threat Level	Definition
Critical	Permanent damage of the protocol and/or loss of funds greater than 10%
Severe	Severely damages the protocol and/or loss of funds less than 10%
High	Damages the protocol and/or causes loss of funds
Medium	May cause minimal loss of funds, damage the protocol state for short period of time, or cause high user dissatisfaction.
Low	Issue may cause minimal failure and/or user dissatisfaction

Disclosure Policy

If you discover a vulnerability, Bagels would like to know as soon as possible so that we are able to address it quickly.

Submission Requirements

All submissions are to be sent to security@bagels.finance. Bug submissions must include the below:

• Description of the bug or vulnerability;

• Sufficient information and steps to reproduce the vulnerability or issue;

• Any suggestions you may have on how to correct or fix the bug, or a patch;

• Instructions on how we can contact you if we have additional questions about the vulnerability or need additional information.

Excluded from rewards:

• Duplicate submissions

• Attacks that you have exploited that may have lead to damage

• Bugs or vulnerabilities that required access to leaked or stolen confidential logins or privileged addresses

• Third party oracles supplying wrong information

• Basic economic governance attacks such as 51% attacks or sybil attacks

• Suggestions about best practices

Ethical Policy

Please follow these ethical guidelines while you are in the search for bugs and for your submissions:

• Please follow the terms and conditions.

• Perform testing on in-scope systems only.

• Use security@bagels.finance for all correspondence with us.

• Be aware of the privacy of others - do not access accounts or information without consent from the account holders.

• Avoid disrupting our systems, destroying data, or harming user experience.

• Do not use social engineering, DDoS (Distributed Denial of Service), attacks on physical security, phishing or spam to gain access or uncover vulnerabilities.

• Do not attempt to use bugs or vulnerabilities as part of a trading strategy or for financial gain within the Bagels platform,

• Do not exploit any vulnerabilities that you have discovered.

• Do not attempt to sell information about bugs to a third party.

• Do not communicate any vulnerabilities to another party until it has been resolved by the Bagels Finance team.

• Do not publicly disclose information about a bug to public forums, social media sites or message boards until you have disclosed it with the Bagels Finance team and it has been resolved.

• Do not engage in illegal conduct, including blackmail or extortion.

Rewards may be withheld and/or legal action may be taken if it is determined that the above policies were knowingly breached.

Our Responsibilities

When you submit a bug bounty report to Bagels Finance, you can be sure that we will:

• Respond to your report within 7 business days with our evaluation and expected resolution time.

• We handle your report with complete confidentiality and will not pass your personal information to a third party without your written consent.

• We will keep you updated with our progress on solving the bug or vulnerability if you request

• We will work to remediate vulnerabilities quickly.

• As a sign of our appreciation for your assistance, we offer a reward based on the terms laid out in the rewards section, at our discretion.

• We offer you Safe Harbour: We will not bring legal action against anyone who makes a good faith effort to comply with our bug bounty program rules. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

• Publicly recognize your contribution to our security if you discover a vulnerability and your report leads to a configuration or code change. You can choose to not be named publicly.

All reward judgements are made at Bagels Finance’s sole discretion, including eligibility and reward amount. Bagels Finance reserves the right to reject submissions and alter the terms and conditions of the bug bounty program.