AutoLayer Bug Bounty Program: Full Information Release
To enhance the security of our protocol, we are looking for your keen eye in identifying any existing vulnerabilities. For this bug bounty program, we are especially interested in incorrect behavior of the smart contracts that could cause unintended functionality. Examples can be found below, under “Focus Areas”.
Rewards:
By helping us identify (critical) vulnerabilities, you are able to earn rewards. The reward amounts vary based on the severity and impact of the reported vulnerabilities.
- Critical Severity: $50,000 — $100,000 in $LAY3R
- High Severity: $50,000 — $100,000 in $LAY3R
- Medium Severity: $5,000 in $LAY3R
- Low Severity: $2,000 in $LAY3R
Preliminary List (with more contracts to follow shortly)
AutoLayer Forwarders:
https://arbiscan.io/address/0x450713aef72f41b4d1f2c5f9d87ce1748c518079
Focus Areas:
In-Scope:
- Stealing or loss of funds
- Unauthorized transactions
- Transaction manipulation
- Attacks on logic (behavior of the code is different from the business description)
- Reentrancy
- Reordering
- Over and underflows
Out of Scope:
- Theoretical vulnerabilities without proof
- Old compiler versions
- The compiler version is not locked
- Vulnerabilities in imported contracts
- Code style guide violations
- Redundant code
- Gas optimizations
- Best practice issues
Guidelines:
- Refrain from utilizing web application scanners for automated vulnerability searches, as they generate excessive traffic.
- Make diligent efforts to avoid causing damage or limiting the availability of products, services, or infrastructure.
- Do not compromise any personal data, cause interruptions, or degrade any services.
- Refrain from accessing or altering other users’ data; confine all testing activities to your own accounts.
- Conduct testing strictly within the predefined scope.
- Do not exploit any Denial of Service (DoS)/Distributed Denial of Service (DDoS) vulnerabilities, engage in social engineering attacks, or engage in spamming.
- Avoid spamming forms or account creation processes using automated scanners.
- If multiple vulnerabilities are discovered in a chain, compensation will be provided only for the one with the highest severity.
- Adhere to all legal regulations and remain within the defined scope of the program.
- Any details regarding discovered vulnerabilities must not be shared with individuals outside of the AutoLayer Team or authorized employees without proper permission.
Disclosure Guidelines:
- Do not discuss the program or any vulnerabilities outside of it without explicit consent from the organization.
- No disclosure of vulnerabilities, even partial, is permitted at this time.
- Refrain from publishing or discussing bugs.
Eligibility and Coordinated Disclosure:
1. We appreciate all valid reports that aid in enhancing security, but only those meeting the following criteria are eligible for monetary rewards:
   a. You must be the first to report a vulnerability.
   b. The vulnerability must qualify according to the predefined criteria.
   c. Reports of vulnerabilities must be submitted within 24 hours of discovery, exclusively through the AutoLayer Discord ticket service.
   d. Provide a clear textual description of the report along with reproducibility steps, including any necessary attachments such as screenshots or proof-of-concept code.
   e. You must not be a current or former employee or contractor of our organization.
   f. Only use your AutoLayer address; violation of this may result in the forfeiture of any bounty.
2. Furnish detailed yet concise reproduction steps.
This bug bounty program is subject to potential updates or modifications to improve its effectiveness and align with evolving security needs.
Additional info:
The Bug Bounty Program is available to everyone, offering rewards in the form of our token, $LAY3R. AutoLayer will assess each bounty submission and pay users based on severity. Successful bounties will be rewarded in $LAY3R on the Arbitrum network.
To participate, submit bug reports to support@autolayer.io or by opening a ticket on our Discord server. Ensure your report includes detailed information and steps to reproduce findings. Reports that cannot be reproduced will not be eligible for payout.
Join the hunt for vulnerabilities and help us enhance security today!
About AutoLayer (Formerly Tortle Ninja)
AutoLayer is the premier Liquid Restaking Tokens (LRT) Finance app on Arbitrum. Harness the potential of EigenLayer by restaking into various LRT/LST options with just one click while conserving and compounding your yields effortlessly. All LRTfi. One interface.