Immunefi Implements Bug Bounty Program for the Stacks Blockchain

Mitchell Cuevas

Head of Growth, Stacks Open Internet Foundation
March 31, 2022

Today, Immunefi, the leading bug bounty and security services platform for DeFi projects and decentralized networks, has opened its bug bounty program on Stacks. This means that a specific set of core smart contracts, including PoX and BNS, and of course the Stacks blockchain code itself, are eligible for code review by Immunefi’s roster of security researchers or by other developers who would like to participate in the bounty program.

Immunefi, which recently raised $5.5M, has quickly proven itself as the go-to service for bounty programs in crypto, protecting more than $100B in assets. With clients like Polygon, MakerDAO, Synthetix, Chainlink, SushiSwap, PancakeSwap, and Compound under its belt, Immunefi’s bug bounty for Stacks will be the first campaign to fortify DeFi services for Bitcoin.

This program will provide an extra layer of protection alongside a growing number of developer resources including recently introduced smart contract audits from top audit agencies. By incentivizing both audit agencies and individual security researchers to closely inspect financially sensitive code, we hope to reduce the risk of bugs and vulnerabilities for all builders leveraging the Stacks network to build applications secured by Bitcoin.

Bug Bounty Scope

Once an in-scope bug is identified, security researchers can submit it through the Immunefi bug platform. For this program, the assets in scope are broken into two categories: Smart Contracts and Blockchain.

Smart Contracts:

  • BNS contract
  • PoX contract
  • Lockup contract
  • Costs contract
  • Cost voting contract

Blockchain:

  • Main Repo
  • Node implementation

Bug Bounty Rewards

After confirming the validity of the report, researchers are rewarded for their hard work. The rewards are priced as detailed below.

Smart Contracts & Blockchain

  • Critical Up to $1,000,000
  • High $50,000
  • Medium $10,000
  • Low $1,000

All critical bug reports must come with a Proof of Concept (PoC) whose end effect impacts an asset in scope in order to be considered for a reward. Explanations and statements are not accepted as a PoC; code is required.

This bug bounty program is only open to individuals outside the OFAC restricted countries. Bug bounty hunters will be required to provide evidence that they are not a resident or citizen of these countries. If the individual is a US person, tax information will be required, such as a W-9, in order to properly issue a 1099.

To learn more about the Stacks blockchain, visit: stacks.co/learn/introduction
To learn more about Clarity, visit: clarity-lang.org
To get involved with the bug bounty, visit: immunefi.com/bounty/stacks

Mitchell Cuevas, previously Blockstack PBC's Head of Growth, currently leads growth efforts at the Stacks Foundation. Before joining Hiro/Stacks, he led Marketing at UP Global (Startup Weekend, Startup Digest, Startup Week) and was an integral part of the product team at Techstars.