# Bug Bounty

### Program Overview

The bug bounty program covers the Lumen smart contracts and is focused on preventing theft and freezing of funds. The Lumen smart contracts are fully [open source](https://github.com/Lumen-Money).

### Rewards

| Severity | Max Prize                                |
| -------- | ---------------------------------------- |
| Critical | 10% of value at risk, up to $100,000 USD |
| High     | $20,000 USD                              |
| Medium   | $2,000 USD                               |

Severity is classified by the following:

| Severity | Description                                                                                                                                                  |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Critical | Empty or freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, MEV, logic errors, integer overflow/underflow); cryptographic flaws |
| High     | Token holders temporarily unable to transfer holdings; users able to spoof each other; theft of yield; transient consensus failures                          |
| Medium   | Contract consumes unbounded gas; block stuffing; griefing denial of service (i.e. the attacker spends as much in gas as the damage done to the contract); gas griefing |

The actual prize amount is determined by a combination of factors including but not limited to severity, value at risk, and likelihood of being exploited.

Payouts will be done in USDC on Neon EVM.

### Reporting

Email us a detailed description of the attack at <security@lumen.money>. Critical and High bug reports must come with a proof of concept.

### Scope

**Assets in Scope**

[Smart contract code](https://github.com/Lumen-Money/lumen-protocol)

**Impacts in Scope**

Only the following impacts are accepted within this bug bounty program. All other impacts are considered out of scope, even if they affect the assets in the scope table.

**Smart Contracts**

* Loss of user funds staked (principal) by freezing or theft
* Loss of governance funds
* Theft of unclaimed yield
* Freezing of unclaimed yield
* Temporary freezing of funds for at least 1 hour
* Unable to call smart contract

**Known Issues (not qualified)**

Bug reports involving the position limit, where a user can only hold a certain number of positions before actions fail due to the computation limit, are not accepted in this bug bounty program.

Bug reports involving the borrow limit, where a user can still borrow even when the limit is set, are not accepted in this bug bounty program.

**Prioritized Vulnerabilities**

We are especially interested in receiving and rewarding vulnerabilities of the following types:

**Smart Contracts and Blockchain**

* Re-entrancy
* Logic errors, including user authentication errors
* Trust/dependency vulnerabilities / composability vulnerabilities
* Oracle failure/manipulation
* Economic/financial attacks / flash loan attacks
* Congestion and scalability
* Consensus failures
* Cryptography problems
* Susceptibility to block timestamp manipulation
* Missing access controls / unprotected internal or debugging interfaces

### Out of Scope Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

* Attacks that the reporter has already exploited themselves, leading to damage
* Attacks requiring access to leaked keys/credentials
* Attacks requiring access to privileged addresses (governance, strategist)

**Smart Contracts and Blockchain**

* Incorrect data supplied by third party oracles
* Lack of liquidity
* Best practice critiques
* Sybil attacks

The following activities are prohibited by this bug bounty program:

* Any testing with mainnet contracts; all testing should be done on devnet or private testnets
* Any testing with live pricing oracles or live third party smart contracts
* Attempting phishing or other social engineering attacks against our employees and/or customers
* Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
* Any denial of service attacks
* Automated testing of services that generates significant amounts of traffic
* Public disclosure of an unpatched vulnerability in an embargoed bounty
