Bug bounty

Bug bounty program of the Algofi protocol.

Program overview

The bug bounty program covers the Algofi smart contracts (not web application, SDK etc.) and aims to reduce the chance of hack or protocol failure.


Rewards are distributed according to the following classifications:
Max Prize
10% of value at risk, up to $200,000 USD
$25,000 USD
$5,000 USD
The severity is classified based on:
  • Draining of protocol funds
  • A realizable scenario that results in unrecoverable failure of smart contracts (e.g. the protocol breaks and can not be updated in event of X...)
  • Deviation from expected protocol behavior (e.g. liquidators do not earn their expected reward, user cannot borrow when liquidity is available, etc.)
  • Erasure of user data
  • Breaking of rewards program
  • Theft of yield or rewards
  • Unexpected exploitative behavior (e.g. a in a repeatable scenario rounding could favor the transaction sender, ...)
  • Behavior that could be exploited by decentralized governance contracts
Actual bounty payout is determined according to value at risk, likelihood/ease of exploitation, and complexity.


Email us at [email protected] a detailed description of the attack. Critical and high bug reports must come with a proof of concept.


Assets in Scope

Mainnet TEAL contracts (link to AlgoExplorer coming soon)
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Out of scope

Any bug publicly acknowledged or mentioned in a publicly published audit. Additional exclusions may apply.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and the core developers will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, Algofi will take steps to make it known that your actions were conducted in compliance with this policy.
While researching, the core developers would like to ask you to refrain from:
  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Algofi core developers
  • Any physical attempts against Algofi property or data centers