Bug Bounty Program

TokensFarm offers financial rewards to any security professional for identifying and reporting valid vulnerabilities and exploits on our app and domains.


One of the foundations of decentralized security is community-driven auditing. We encourage you to identify bugs, penetration vectors, front-end vulnerabilities, financial attack vectors, and other issues that may risk or destabilize the network and its operations.

How it Works

To report a potential bug, please fill out the form below with detailed and comprehensive information.

Our team reviews and prioritizes reported bugs and implements fixes accordingly.
Please allow us time to correct an issue before making it public.

Rewards

Rewards are proportional to the severity of the reported issue. Upon receipt of the completed form, our development team assigns a severity score to the problem and prioritizes it accordingly.

The assessment of the reported bug will follow the OWASP risk rating model based on the impact and likelihood of the reported issue.

The following factors determine the reward amount per report:

  • Demonstration of how the issue may be exploited to maximum effect.
  • The severity of the issue.
  • Issue complexity.
  • Reproducibility of the issue.
  • Existence of a pull request with a valid fix for the issue.

Below is a list of the approximate maximum amounts distributed, listed by order of bug severity:

  • Low
    up to $100
  • Medium
    up to $500
  • High
    up to $2,000
  • Critical
    up to $5,000

We pay rewards in stablecoins or other tokens in an equivalent amount. We might even pay higher amounts if we find the bug supercritical.

We encourage you to uncover issues with the following characteristics:

Contracts
  • Logic flaws / security issues / financial breaches.
  • Possible exploits and vulnerabilities - both architecture and implementation.
  • Upgradability and versions of schema attack vectors.
TokensFarm protocol
  • Bugs, vulnerabilities, exploits, security breaches, cryptography errors.
API
  • Exploits, data breaches, leakages, permissions breaches, wrong behavior.
Front-end
  • Possible exploit by inserting malicious code, XSS attacks, clickjacking attacks, and any vulnerabilities during Web3 interactions.
Please report issues for the related mainnet environment.
  • As future specs are continuously developed and deployed, we will review issues in the context of the current expected behavior on the mainnet. This excludes issues already undergoing fixes to be launched in the next version.
    *We reserve the right to enlarge this pool or modify the reward amount without prior notice.

Eligibility

The first reporter who brings attention to a valid issue will be rewarded. TokensFarm’s team might also choose to reward the first few people signaling the same problem within 7-14 days of the initial report.

The following issues are not eligible for a reward:

  • Issues on a test environment that has just been deployed and is a work in progress by the TokensFarm devs.
  • Any issues on 3rd party sites/apps unless they are directly linked to an exploit or bug specific to TokensFarm.
  • Issues depending on or arising from physical attacks.
  • Game-theoretic issues.
  • Known issues.
  • Issues affecting outdated or unpatched browsers.
  • Issues that have not been thoroughly investigated and comprehensively reported.
  • Issues that cannot be reproduced.

We ask and encourage the community to report any bugs, even if they are not eligible for a reward. A better TokensFarm is a win for all of us :)

Scope for

* Including subdomains and related mainnet environment.

Process

  • Fill out the form

    Complete a bug report via this form

  • Get rewarded

    Earn up to $25,000 per bug report

* For security reasons, we might fix the bug even before contacting the reporter.

Frequently Asked Questions

What is TokensFarm?

TokensFarm is the leading platform to create or participate in crypto token farming programs easily. Currently, TokensFarm is a leading yield service provider, according to DefiLlama. These farms engage their communities, have been audited by top blockchain security firms, and can be deployed in minutes. We currently offer two types of farms: staking farms and liquidity pool farms, commonly referred to as LP farms.

Which blockchains are supported?

Currently, we support all the Ethereum virtual machine-compatible blockchains such as BNB Chain, Polygon, Avalanche, Moonriver, Fantom, OKEx chain, and more.

What is the security protocol of TokensFarm?

TokensFarm uses the highest security standards in the crypto space. All of TokensFarm’s smart contracts have been independently audited multiple times by top cyber security firms. The audit reports can be seen below in our website’s footer.

What is a bug bounty program?

A bug bounty program is offered by companies or organizations that reward individuals who report vulnerabilities or bugs in their systems or products.

What type of vulnerabilities are eligible for rewards in the bug bounty program?

Contracts:
  • Logic flaws / security issues / financial breaches.
  • Possible exploits and vulnerabilities - both architecture and implementation.
  • Upgradability and versions of schema attack vectors.

Front-end:
  • Possible exploit by inserting malicious code, XSS attacks, clickjacking attacks, and any vulnerabilities during Web3 interactions.

TokensFarm protocol:
  • Bugs, vulnerabilities, exploits, security breaches, cryptography errors.

API:
  • Exploits, data breaches, leakages, permissions breaches, wrong behavior.

How do I submit a bug report?

It’s easy! Just fill out this form

How long does receiving a reward after submitting a bug report take?

When a bug report is submitted, we will investigate it, and if it is valid, we will reward the reporter. Depending on how critical the bug is, we will handle it in order of priority and pay rewards up to 14 days after the bug is fixed.

What are the criteria for determining the amount of the reward?

Rewards are proportional to the severity of the reported issue. Upon receipt of the completed form, our development team assigns a severity score based on the OWASP model to the problem and prioritizes it accordingly.