Bug bounty program for EFG



Blockchain and dApps are all about security, and we take the matter seriously. For this reason we are launching this bug bounty program. We encourage anyone, especially developers, to take part; they will be rewarded both financially and with increased recognition.


There are three fields that the participants can test:

  • The smart contracts: They are written in Solidity (0.4.21). This is the most crucial part. Most critical bugs (if any exist) can be found here.
    There are two smart contracts, one for lending and one for staking. They can be found here and here.
  • The UI: It is written in JavaScript using the Vue2 framework. Needless to say, it is completely decentralized; there is no backend. So the vulnerabilities (if any) will exist in the frontend only. It can be found here.
  • The infrastructure: The website of EFG and the place to download the client (UI) must be hosted somewhere. If someone finds a security issue he can report it. The website URL is this.

Rules and process

The participants are subject to the following restrictions:

  • They must not belong to ecochain or EFG team.
  • The participant must email us at support@efg.finance, and the email must be the first one that reports the specific bug.
  • The email must contain a detailed description of the bug. If it contains a solution, even better, but this is not obligatory for the reward.
  • The bug must be reported before the deadline. The deadline is set on December 6, 2020 for smart contracts. For the other fields there is no deadline yet; it will be announced later. But surely the deadline for them will be much longer.

Rewards

    Yi Capital is funding this program. They provide a maximum of $50,000. We have set a maximum ourselves of $20,000 per bug. That doesn’t mean, of course, that the reward for any bug will be that high. Only critical bugs will be highly rewarded. We categorize the reported bugs into four categories:

    • Critical: Any bug that can financially affect the participants of the EFG dApp belongs to this category. Stealing assets from users, from the pool or smart contract, or locking assets forever, accidentally or maliciously, also belongs in this category. Needless to say, for the reward to be high for a bug, it must belong to this category alone. The number one “suspect” for critical bugs is the first target described above (the smart contracts). The UI can also contain a critical bug (for example, leaking the private key somehow). It is highly unlikely but not impossible that such a bug exists.
    • Moderate risk: Bugs will be considered moderate risk when they can’t be proven to be a financial threat but have the potential to be a threat to the application. For example, a bug that endangers users' trust in the application by convincing them that there is a security threat, even if the bug does not pose an actual security threat.
    • Low risk: Low risk bugs do not pose a threat to the application but they may degrade the user experience, causing the dApp to lose some users or potential users in the future. For example, there is a serious flaw in responsiveness for a browser or for a specific device or screen size, etc.
    • Rejected: These submitted bugs are not bugs or, even if they are, they do not negatively affect the application.

    The range of reward for each category is the following:

    • For critical bugs, $1,000-$20,000
    • For moderate risk bugs, $150-$1,000
    • For low risk bugs, $50-$300
    • For rejected submitted bugs, no reward. In any case, the applicant will receive an answer explaining why his submission was rejected.

    For contributors who don’t want to stay anonymous, we are going to publish their names (or nicknames) on our website, along with the type of bug, its category and the amount of the reward. The payment will be carried out in USDT.

    For any questions, please email us or join our Discord channel here.