At Exactly Protocol, we prioritize security above all else. That is why we have had our smart contracts audited by top audit firms at various stages of development, and we have also conducted a mathematical audit. To continue our efforts in this regard, we are excited to announce our partnership with Immunefi and the launch of our Bug Bounty Program.
Bounty programs are open invitations to security researchers to discover and responsibly disclose vulnerabilities in projects' smart contracts and applications, which can save web3 projects hundreds of millions -and even billions- of dollars. These programs provide incentives for community members to find and report bugs or security vulnerabilities in the protocol’s code, which can help to improve its overall security.
Bounty programs are essential for ensuring the security of Defi protocols for several reasons. Firstly, they help ensure the protocol's quality and safety, which is crucial for building trust among users. Secondly, bounty programs can foster collaboration within a protocol's user base, which is necessary for driving adoption and growth.
Immunefi is a leading bug bounty platform for web3 that was launched in 2020. It has the world's most significant bounties and payouts, and its platform allows security researchers to review code, disclose vulnerabilities, get paid, and make crypto safer for everyone.
Security researchers who find vulnerabilities in a project's code are rewarded based on the severity of the vulnerability. Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2; this is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
Within our Bug Bounty Program, critical smart contract vulnerabilities are capped at 10% of economic damages, mainly considering funds at risk and PR and branding aspects at the team's discretion. For critical vulnerabilities, there is a minimum reward of USD 50 000 and a maximum reward of USD 100 000.
Please see this link for more information about the program, including the distribution of rewards and in-scope and out-of-scope vulnerabilities.