Deq

GENERAL INFORMATION

Welcome to the Deq.fi Bug Bounty Program! Deq.fi is a decentralized liquid staking platform for Avail, designed to enhance staking efficiency while maintaining liquidity. Security is our top priority, and we invite security researchers to help us identify vulnerabilities in our smart contracts, infrastructure, and application.

Website: https://deq.fi

Assets type: Smart Contracts

Chains: ETH

Programming language: Solidity

Product types: DeFi

Project categories: Liquid Staking

PAYOUTS

Smart Contracts

Critical: $25,000 - $50,000

• Permanent freezing of funds
• Protocol insolvency
• Direct theft of any user funds (at-rest, in-motion)
• Unclaimed yield is excluded

High: $5,000 - $20,000

• Unclaimed yield permanent freeze
• Unclaimed yield theft
• Profit-oriented block stuffing

Medium: up to $2,000

• Unbounded gas consumption
• Gas theft
• Smart contract incapacitated due to insufficient token funds
• Griefing

Low: Not eligible

Informational: Not eligible

PROGRAM RULES

• Respect the scope of the program
• Don't discuss or disclose vulnerability information without prior written consent

ELIGIBILITY CRITERIA

To participate in the Deq.fi Bug Bounty Program, researchers must meet the eligibility criteria and comply with the following exclusions:

• Individuals listed on OFAC's SDN list
• Residents of "Restricted Territories"
• Current or past employees, vendors (auditors), partners and contractors
• An employee and/or individual closely associated with the program
• A security auditor that directly or indirectly participated in the audit review

Restricted Territories include:

• Cuba
• Iran
• North Korea
• Russia
• Syria
• Ukraine (Donetsk, Luhansk, and Crimea only)

KYC REQUIREMENTS

To receive a payout from the Deq.fi Bug Bounty Program, participants must complete KYC verification. The required information includes:

• Full Name
• Date of Birth
• Proof of Address
• Copy of Passport or Government-Issued ID

KYC information is only required on confirmation of the validity of a bug report.

REWARDS AND RECOGNITION

• Payouts are handled by the team directly and are denominated in USD. However, payouts are done in USDC/USDT at the discretion of the Deq team
• The bug bounty program reserves the right to adjust award amounts based on the quality and accuracy of submissions within the specified range

SUBMISSION GUIDELINES

• Reports should be submitted through the Remedy platform only
• You must be the first reporter of the vulnerability
• All bug reports should include a runnable Proof of Concept (PoC) in order to prove impact
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary

DISCLOSURE GUIDELINES

• Do not discuss any vulnerabilities (even after resolution) outside of the Remedy platform without written consent from Deq
• No vulnerability disclosure, including partial disclosures is allowed without written consent from Deq

ASSETS IN SCOPE

Smart Contracts

In Scope:

• https://github.com/refresh-labs/deq-contracts

Out of Scope:

The following vulnerabilities are considered out of scope and are not eligible for payout:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)
• Incorrect data supplied by third-party oracles
• Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Centralization risks
• Impacts requiring basic economic and governance attacks (e.g. 51% attack)
• Impacts from Sybil attacks
• Problems Caused by L1 Gas Pricing
• Freezing of own funds due to mistaken operation
• Impacts from malicious upgrades to third party contracts
• Temporary impacts resulting from configuration adjustment race-conditions

All vulnerabilities identified in Deq.fi's previous audits are considered out of scope and are not eligible for a payout.

Previous Audit: https://github.com/Hexens/Smart-Contract-Review-Public-Reports/blob/main/deq.fi-audit-may24(Public).pdf