Nimbus: Program Info


Ended 545 days ago

Nimbus is a DAO governed platform providing users with 16 earning strategies based on lending and borrowing, classic IPO participation, start-up financing, staking, and more.

In-Scope Vulnerabilities

We are interested in the following vulnerabilities:

  • Reentrancy
  • Logic errors
  • Including user authentication errors
  • Solidity/EVM details not considered
  • Including integer over-/under-flow
  • Including rounding errors
  • Including unhandled exceptions
  • Trusting trust/dependency vulnerabilities
  • Including composability vulnerabilities
  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks
  • Including flash loan attacks
  • Congestion and scalability
  • Including running out of gas
  • Including block stuffing
  • Including susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems
  • Signature malleability
  • Susceptibility to replay attacks
  • Weak randomness
  • Weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces

Out-of-Scope Vulnerabilities

Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Only those vulnerabilities that are original should be awarded a bounty. Meaning in case of a duplicate report or two users reporting the same bug, the fastest user who submitted the report FIRST shall be awarded.
  • Public disclosure of the vulnerability, before the Nimbus team resolves it without explicit consent from the team, will make the bounty hunter ineligible for further participation.
  • In case you find chain vulnerabilities weโ€™ll pay only for vulnerability with the highest severity.
  • Donโ€™t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission