# Bug Bounty

## Program Overview

Zearn provides a cutting-edge liquid staking solution on ZetaChain, designed to offer users a seamless experience in staking their ZETA. This platform allows for uninterrupted participation in various on-chain activities such as lending, while eliminating the need to lock assets or manage any complex infrastructure.

The primary objective of Zearn is to address the core challenges associated with traditional staking on ZetaChain, namely illiquidity, immovability, and accessibility. By making staked ZETA liquid, Zearn empowers users to contribute to the ZetaChain network's security with any amount of ZETA.

For detailed information regarding Zearn, we invite you to visit [zearn.xyz](https://zearn.xyz).

## Bug Bounty Program

The Zearn bug bounty program is an initiative to fortify its smart contracts and applications by incentivizing the discovery and reporting of potential vulnerabilities. The focus is on preventing incidents that could result in the loss of user funds, denial of service, governance compromise, and breaches of data integrity and privacy.

### Reward Tiers by Threat Level

We have established a five-tier threat level system to classify potential vulnerabilities, with separate scales for websites/apps and smart contracts/blockchains. The system evaluates the severity of threats based on various factors, including the potential consequences of exploitation, the level of access required, and the likelihood of a successful exploit.

All submissions concerning web and app vulnerabilities must include a Proof of Concept (PoC). Submissions lacking a PoC will be returned with a request for such evidence.

### Smart Contracts Rewards Breakdown

* **Critical**:
  * User fund loss: Rewards range from a minimum of 1,000 USD to a maximum of 20,000 USD, at 1% of the assets at risk.
  * Non-user fund loss (e.g., treasury): Rewards range from a minimum of 5,000 USD to a maximum of 20,000 USD, at 1% of the assets at risk.
* **High**:
  * Rewards range from a minimum of 2,000 USD to a maximum of 20,000 USD at 1% of the assets at risk, if the issue persists for 1 month.
* **Medium**:
  * Rewards range from a minimum of 500 USD to a maximum of 10,000 USD at 1% of the assets at risk, if the issue persists for 1 month.
* **Low**:
  * A standard reward of 500 USD.

Payouts are conducted directly by the Zearn team and are denominated in USD. Bug bounty hunters may choose to receive payouts in ZETA, DAI, or USDC.

### Out of Scope & Rules

Certain vulnerabilities are deemed out of scope for rewards within this bug bounty program, including:

* Previously exploited attacks causing damage
* Attacks requiring leaked keys/credentials or privileged addresses
* Third-party oracle incorrect data (excluding oracle manipulation/flash loan attacks)
* Basic economic governance attacks, such as 51% attacks
* Liquidity issues, critiques on best practices, and Sybil attacks

For websites and applications, vulnerabilities such as theoretical risks without PoC, content spoofing, self-XSS, and similar low-impact findings are excluded from rewards. Additionally, vulnerabilities requiring privileged organizational access or those categorized as feature requests or best practices critiques are out of scope.

The bug bounty program strictly prohibits certain activities, including:

* Testing on mainnet or public testnets; all testing should occur on private testnets.
* Engaging with pricing oracles or third-party smart contracts.
* Conducting phishing or social engineering attacks.
* Testing with third-party systems and applications.
* Initiating any denial of service attacks.
* Automated testing that results in significant traffic.
* Public disclosure of unpatched vulnerabilities under an embargoed bounty.

Zearn remains committed to the continuous improvement of its security posture and encourages responsible disclosure of potential vulnerabilities through its bug bounty program.


