Immunefi Implements Bug Bounty Program for the Stacks Blockchain
by Mitchell Cuevas on March 31, 2022
Today, Immunefi, the leading bug bounty and security services platform for DeFi projects and decentralized networks, has opened its bug bounty program on Stacks. This means that a specific set of core smart contracts including PoX, BNS, and of course, the Stacks blockchain code itself are eligible for code review by Immunefi’s roster of security researchers or other developers who would like to participate in the bounty program.

Immunefi, which recently raised $5.5M, has quickly proven itself as the go-to service for bounty programs in crypto, protecting more than $100B in assets. With clients like Polygon, MakerDAO, Synthetix, Chainlink, SushiSwap, PancakeSwap, and Compound under its belt, Immunefi’s bug bounty for Stacks will be the first campaign to fortify DeFi services for Bitcoin.

This program will provide an extra layer of protection alongside a growing number of developer resources including recently introduced smart contract audits from top audit agencies. By incentivizing both audit agencies and individual security researchers to closely inspect financially sensitive code, we hope to reduce the risk of bugs and vulnerabilities for all builders leveraging the Stacks network to build applications secured by Bitcoin.
Bug Bounty Scope
Once a bug is identified within scope, security researchers will be able to submit the bug via the Immunefi bugs platform. For this program, the assets in scope are broken into two categories: Smart Contracts and Blockchain.

Smart Contracts:
  • BNS contract
  • PoX contract
  • Lockup contract
  • Costs contract
  • Cost voting contract

Blockchain:
  • Main Repo
  • Node implementation

Bug Bounty Rewards
After confirming the validity of the report, researchers are rewarded for their hard work. The rewards are priced as detailed below.

Smart Contracts & Blockchain
  • Critical Up to $1,000,000
  • High $50,000
  • Medium $10,000
  • Low $1,000

All critical bug reports must come with a Proof of Concept (PoC) with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

This bug bounty program is only open to individuals outside the OFAC restricted countries. Bug bounty hunters will be required to provide evidence that they are not a resident or citizen of these countries. If the individual is a US person, tax information will be required, such as a W-9, in order to properly issue a 1099.

To learn more about the Stacks blockchain visit: stacks.co/learn/introduction
To learn more Clarity visit: clarity-lang.org
To get involved with the bug bounty, visit: immunefi.com/bounty/stacks


Mitchell Cuevas leads partnership efforts and works to create scalable programming for builders, artists, and entrepreneurs in the Stacks Ecosystem. He's spent the last decade working in community-driven high-growth startups.