Bug Bounty Program

Here at Teahouse Finance, the security of our smart contracts is our top priority. Even with every effort put into keeping our platform and users safe, we acknowledge that vulnerabilities may still exist.

To help mitigate potential risks, we have launched our bug bounty program with Immunefi.

Join Teahouse's Bug Bounty Program on Immunefi!

Bug Bounty Overview

All bug bounty submissions must be submitted via Immunefi and undergo Immunefi’s submission process.

To be eligible for a reward, every submitted bug report must include a proof of concept (PoC). Critical smart contract bug reports must also include a suggested fix.

⚠️ Teahouse Finance retains exclusive authority and discretion over eligibility, severity ratings, and all terms related to rewards. The goal of this program is to ensure and enhance the safety of Teahouse's ecosystem and to reward bug bounty contributions fairly.

Rewards by Threat Level

Rewards for identified vulnerabilities are based on the impact of the vulnerability; the specific payout amount is determined at the discretion of Teahouse Finance.

Severity    Payment in USDC

High        Up to USD $5,000

Critical    Up to USD $15,000

Payouts are handled directly by the Teahouse Finance team. Reward amounts are denominated in USD, but payments are made in USDC.

Assets in Scope

The scope of the bug bounty covers all smart contracts in this repository:

https://github.com/TeahouseFinance/TeaVaultV3Pair

The detailed list of the smart contracts in scope can be found on Teahouse Finance's bug bounty page on Immunefi.

Impacts in Scope

Teahouse's bug bounty program only accepts the following impacts. All other impacts are considered out of scope, even if they affect an asset listed in the assets-in-scope table.

Smart Contract Impact                                                                          Severity

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield       Critical

Permanent freezing of funds                                                                    Critical

Protocol insolvency                                                                            Critical

Theft of unclaimed yield                                                                       High

Permanent freezing of unclaimed yield                                                          High

Out-of-Scope Issues

The impacts listed below are NOT included in the scope of this bug bounty program.

All Categories:

  • Impacts requiring attacks that the reporter has already exploited themselves, causing damage

  • Impacts caused by attacks requiring access to leaked keys/credentials

  • Impacts relying on the depegging of an external stablecoin, where the attacker does not directly cause the depegging through a bug in code

  • Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub are considered out of scope without proof that they are in use in production

  • Feature requests

  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program

Blockchain/DLT & Smart Contract Specific:

  • Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation or flash loan attacks)

  • Lack of liquidity impacts

  • Impacts involving centralization risks

Prohibited Activities

  • Any testing against code deployed on mainnet or a public testnet; all testing must be done on local forks of a public testnet or mainnet

  • Any testing against live pricing oracles or third-party smart contracts

  • Attempting phishing or other social engineering attacks against our employees and/or customers

  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)

  • Any denial of service attacks that are executed against project assets

  • Automated testing of services that generates significant amounts of traffic

  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Other issues

If you find a bug in Teahouse's app, interface, or ecosystem that raises serious security concerns but falls outside the defined scope, please report it by creating a ticket in the "support-ticket" channel on our Discord server. We will evaluate the report, and a bounty may be determined ad hoc.

If you find a non-security issue or bug (e.g., a typo), please create a ticket in the "support-ticket" channel on our Discord server to let us know.

In the fast-moving world of decentralized finance, we understand that our security must evolve alongside our growth. We invite our community to join us in this ongoing effort and contribute to a safer and more robust decentralized financial landscape.
