Bug Bounty Program
Here at Teahouse Finance, ensuring the security of our smart contracts is our top priority. However, despite exerting the maximum effort into keeping our platform and users safe, it's crucial to acknowledge that the existence of vulnerabilities is still a possibility.
To help mitigate potential risks, we have launched our bug bounty program with Immunefi.
Join !
All bug bounty submissions must be submitted via Immunefi and undergo Immunefi's submission process.
To be eligible for a reward, all submitted bug reports must include a PoC. Critical Smart Contract bug reports also require a suggested fix.
⚠️ Teahouse Finance retains exclusive authority and discretion over eligibility, scores, and all terms related to the rewards. The goal of this program is to ensure and enhance the safety of Teahouse's ecosystem, and to make sure that bug bounty contributions are rewarded fairly and appropriately.
Rewards for identified vulnerabilities are based on the impact of the vulnerability, and the specific payout amount will be determined at the discretion of Teahouse Finance.
Severity    Reward
High        Up to USD $5,000
Critical    Up to USD $15,000
Payouts are directly handled by the Teahouse Finance team and are denominated in USD. However, payments will be made in USDC.
The scope of the bug bounty includes all smart contracts within this folder:
Teahouse's bug bounty program only accepts the following impacts. All other impacts are not considered in-scope, even if they affect an asset in the scope table.
Impact: Severity
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield: Critical
Permanent freezing of funds: Critical
Protocol insolvency: Critical
Theft of unclaimed yield: High
Permanent freezing of unclaimed yield: High
These impacts listed below are NOT included in the scope of this bug bounty program.
All Categories:
Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
Impacts caused by attacks requiring access to leaked keys/credentials
Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
Feature requests
Impacts on test files and configuration files unless stated otherwise in the bug bounty program
Blockchain/DLT & Smart Contract Specific:
Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation or flash loan attacks, which remain in scope)
Lack of liquidity impacts
Impacts involving centralization risks
Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
Any testing with pricing oracles or third-party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks that are executed against project assets
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty
If you find a non-security related issue or bug (e.g., a typo), please create a ticket in the "support-ticket" channel on our Discord server to let us know.
In the dynamic realm of decentralized finance, we fully understand our security must evolve alongside our growth. We invite our community to join hands with us in this ongoing journey, contributing to a safer and more robust decentralized financial landscape.
The detailed list of the smart contracts in scope can be found on Teahouse Finance's bug bounty page on .
In case you find a bug regarding Teahouse's app, interface, or ecosystem with serious security concerns that falls outside the defined scope, please report it by creating a ticket in the "support-ticket" channel on our server. We will evaluate the situation, and a bounty may be determined ad hoc.