BOB Bug Bounty Program

GENERAL INFORMATION

BOB ("Build on Bitcoin") is a first-of-its kind hybrid L2 network that connects Bitcoin and Ethereum. BOB empowers everyone to build and innovate on Bitcoin today by combining EVM smart contracts with tooling for Bitcoin-native protocols and assets such as Ordinals. Merging the security of Ethereum rollup technology with Bitcoin's Proof-of-Work makes BOB the most secure and reliable layer 2 network. Through trust-minimized bridges to both Ethereum and Bitcoin, BOB efficiently funnels liquidity from the two leading web3 economies.

Official Website: https://www.gobob.xyz/

Documentation: https://docs.gobob.xyz/

Asset Types

• Smart Contracts
• Websites and Applications

Chains

• ETH
• Other

Programming Languages

• Solidity
• JavaScript

Product Types

• DeFi
• Scaling solutions

Project Categories

• Cross-chain
• L2

PAYOUTS

Smart Contracts & Websites and Applications

Critical: $10,000 - $250,000

• Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
• Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield of 10% or more of all funds
• Permanent freezing of funds
• Protocol insolvency

High: $2,000 - $10,000

• Theft of unclaimed yield
• Permanent freezing of unclaimed rewards
• Temporary freezing of funds for a minimum period of 1 day
• Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield less than 10% of all funds
• Permanent freezing of funds less than 10% of all funds

Medium: $1,000 - $2,000

• Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
• Theft of gas
• Unbounded gas consumption

Low: up to $1,000

• Contract fails to deliver promised returns, but doesn't lose value
• Permanent freezing of unclaimed yield
• Smart contract unable to operate due to lack of funds

Informational: Not eligible

PROGRAM RULES

• Respect the scope of the program
• Don't discuss or disclose vulnerability information without prior written consent
• Reports must explain how the bug can be abused in a live asset

Prohibited Activities

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty

ELIGIBILITY CRITERIA

• Current employees, vendors (auditors), partners and contractors are not eligible to participate in the bug bounty program

REWARDS AND RECOGNITION

• Payouts are handled by the BOB team directly and are denominated in USD. However, payouts are sent in USDC, at the discretion of the team
• The bug bounty program reserves the right to adjust award amounts based on the quality and accuracy of submissions within the specified range
• Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum critical reward of USD 10,000

SUBMISSION GUIDELINES

• Reports should be submitted through the Remedy platform
• High/Critical severity bug reports should include a runnable Proof of Concept (PoC) in order to prove impact

ASSETS IN SCOPE

Smart Contracts

1. L1 Proxy Admin https://etherscan.io/address/0x0d9f416260598313Be6FDf6B010f2FbC34957Cd0

2. L2 Proxy Admin https://explorer.gobob.xyz/address/0xaCdBaAC6707c7e28ac1A15007f22Aac1188910d7?tab=read_proxy

3. System Config Owner https://etherscan.io/address/0xaa0a1efd35d6578ea6b5704dbc2c40b36a55b590#code

4. Batcher https://etherscan.io/address/0x08f9f14ff43e112b18c96f0986f28cb1878f1d11

5. Proposer https://etherscan.io/address/0x7cB1022D30b9860C36b243E7B181A1d46f618C69

OUT OF SCOPE VULNERABILITIES

The following vulnerabilities are excluded from rewards:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts

• Incorrect data supplied by third party oracles (not to exclude oracle manipulation/flash loan attacks)
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Centralization risks

Additional Exclusions

The following are not eligible for rewards:

• Audit reports
• Blockchain implementation issues
• Off-chain client issues
• Security design limitations
• Economic design limitations

Only the impacts described in the "Payouts" section are accepted within this bug bounty program. However, if an impact can be caused to any other asset managed by BOB that isn't on the assets section but for which the impact is in the "Payouts" section, you are encouraged to submit it for consideration by the project. This only applies to Critical and High impacts.

---