Bug Bounty

Program Overview

Zearn provides a cutting-edge liquid staking solution on the ZetaChain, designed to offer users a seamless experience in staking their ZETA. This platform allows for uninterrupted participation in various on-chain activities such as lending, while eliminating the need to lock assets or manage any complex infrastructure.

The primary objective of Zearn is to address the core challenges associated with traditional staking on the ZetaChain, namely illiquidity, immovability, and accessibility. By making staked ZETA liquid, Zearn empowers users to contribute to the ZetaChain network's security with any amount of ZETA.

For detailed information regarding Zearn, we invite you to visit zearn.xyz.

Bug Bounty Program

The Zearn bug bounty program is an initiative to fortify its smart contracts and applications by incentivizing the discovery and reporting of potential vulnerabilities. The focus is on preventing incidents that could result in the loss of user funds, denial of service, governance compromise, and breaches of data integrity and privacy.

Reward Tiers by Threat Level

We have established a five-tier threat level system to classify potential vulnerabilities, with separate scales for websites/apps and smart contracts/blockchains. The system evaluates the severity of threats based on various factors, including the potential consequences of exploitation, the level of access required, and the likelihood of a successful exploit.

All submissions concerning web and app vulnerabilities must include a Proof of Concept (PoC). Submissions lacking a PoC will be returned with a request for such evidence.

Smart Contracts Rewards Breakdown

  • Critical:

    • User fund loss: Rewards range from a minimum of 1,000 USD to a maximum of 20,000 USD, at 1% of the assets at risk.

    • Non-user fund loss (e.g., treasury): Rewards range from a minimum of 5,000 USD to a maximum of 20,000 USD, at 1% of the assets at risk.

  • High:

    • Rewards range from a minimum of 2,000 USD to a maximum of 20,000 USD, at 1% of the assets at risk, if the issue persists for 1 month.

  • Medium:

    • Rewards range from a minimum of 500 USD to a maximum of 10,000 USD, at 1% of the assets at risk, if the issue persists for 1 month.

  • Low:

    • A standard reward of 500 USD.

Payouts are conducted directly by the Zearn team and are denominated in USD. Bug bounty hunters may choose to receive payouts in ZETA, DAI, or USDC.

Out of Scope & Rules

Certain vulnerabilities are deemed out of scope for rewards within this bug bounty program, including:

  • Previously exploited attacks causing damage

  • Attacks requiring leaked keys/credentials or privileged addresses

  • Third-party oracle incorrect data (excluding oracle manipulation/flash loan attacks)

  • Basic economic governance attacks, such as 51% attacks

  • Liquidity issues, critiques on best practices, and Sybil attacks

For websites and applications, vulnerabilities such as theoretical risks without PoC, content spoofing, self-XSS, and similar low-impact findings are excluded from rewards. Additionally, vulnerabilities requiring privileged organizational access or those categorized as feature requests or best practices critiques are out of scope.

The bug bounty program strictly prohibits certain activities, including:

  • Testing on mainnet or public testnets; all testing should occur on private testnets.

  • Engaging with pricing oracles or third-party smart contracts.

  • Conducting phishing or social engineering attacks.

  • Testing with third-party systems and applications.

  • Initiating any denial of service attacks.

  • Automated testing that results in significant traffic.

  • Public disclosure of unpatched vulnerabilities under an embargoed bounty.

Zearn remains committed to the continuous improvement of its security posture and encourages responsible disclosure of potential vulnerabilities through its bug bounty program.