Audit & Bug Bounty Programs

Last updated 1 year ago

Security of the platform is our highest priority. All contract code and balances are publicly verifiable, and security researchers are eligible for a bug bounty for reporting undiscovered vulnerabilities.

Audits

OpenZeppelin has performed the following audits on UMA contracts:

  • Common and oracle directory contracts: April 28, 2020

  • Financial-templates directory contracts: May 12, 2020

  • Updates to the Expiring Multiparty contracts and flash loan mitigations for the voting contracts: September 9, 2020

  • Perpetual Multiparty template contracts: February 2, 2021

  • Insured Bridge contracts: December 1, 2021

  • Governance, cross-chain oracle, and optimistic rewarder contracts: January 7, 2022

  • UMA Optimistic Governor Audit: July 21, 2022

  • Across Token and Token Distributor Audit: July 21, 2022

Additionally, OpenZeppelin audits incremental upgrades to UMA's contracts on a continuous basis and publishes a continuous audit report covering those upgrades.

Bug Bounty Rewards

UMA encourages the community to audit our contracts and security; we also encourage the responsible disclosure of any issues. The bug bounty program is intended to recognize the value of working with the community of independent security researchers and sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

UMA offers substantial rewards for discoveries that can prevent the loss of assets, the freezing of assets, or harm to users.

All rewards will be paid in $UMA, and the amount of compensation will vary depending on bug severity. Reward amounts typically correspond to severity in the following manner.

Severity    Reward amount in USD
Low         $250
Medium      $3,000
High        $10,000
Critical    up to $1,000,000

Scope

The scope of our bug bounty program includes any and all of UMA's production smart contracts. It does not include known issues with the intended behavior.

In scope

  • All UMA, Oval, or Across smart contracts that are deployed to mainnet or are otherwise noted as being applicable.

  • Bot or other offchain code to support deployed smart contracts.

Examples of what’s in scope:

  • Being able to steal funds

  • Being able to freeze funds or render them inaccessible by their owners

Out of scope:

  • Issues that have already been submitted by another user or are already known to the UMA team

    • Note: this includes bugs known to the UMA team that have not been disclosed because mitigation is still in progress.

  • Vulnerabilities in contracts built on top of the protocol by third-party developers (such as smart contract wallets)

  • Vulnerabilities that require ownership of an admin key

  • Any files, modules or libraries other than the ones mentioned above

  • More efficient gas solutions (although these suggestions are appreciated)

  • Any points listed as already known weaknesses

  • Any points listed in an audit report

Submissions

The submission must include clear and concise steps to reproduce the discovered vulnerability.

Terms & Conditions

If you comply with the policies below when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.

We ask that you:

  • Report any vulnerability you’ve discovered promptly.

  • Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience.

  • Keep the details of any discovered vulnerabilities confidential until they are publicly announced by Risk Labs.

  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.

  • Not engage in blackmail, extortion, or any other unlawful conduct.

  • Not be a current or former UMA Foundation employee, vendor, contractor, or the employee of a UMA vendor or contractor.

All reward determinations, including eligibility and payment amount, are made at UMA’s sole discretion. UMA reserves the right to reject submissions and alter the terms and conditions of this program without notice.

Severity is calculated according to the OWASP risk rating model, which is based on Impact and Likelihood.

Please email your submissions to bugs@umaproject.org.

Use only bugs@umaproject.org to discuss vulnerabilities with us.

Public disclosure of the bug, or any indication of an intention to exploit it on Mainnet, will make the report ineligible for a bounty. If in doubt about other aspects of the bounty, most of the Ethereum Foundation bug bounty program rules will apply.

Any questions? Reach us via email (bugs@umaproject.org). For more information on the UMA platform, check out our website and Github.
