Audits & Bug Bounty

Reports on Gearbox Protocol security.

PreviousLegal Disclaimer NextRisks and T&C

Last updated 1 year ago

Was this helpful?

Audits & Bug Bounty

Reports on Gearbox Protocol security.

Keep in mind that no number of audits can guarantee full safety. There are always high risks involved in DeFi, as many platforms are composable and depend on each other. There is no guaranteed return on Gearbox - you must understand the risks involved.

Audits

ChainSecurity (Q2-Q4 2023): full V3 coverage, reports (see multiple files)
ABDK (Q2-Q4 2023): full V3 coverage, reports (see multiple files)
Decurity (08/11/2023 - 20/11/2023): governor audit, report

Previous versions, including audits of many of the V3 contracts:

ChainSecurity (23/02/2022 - 19/10/2022): full V2 coverage, report
Consensys Diligence (25/07/2022 - 12/08/2022): full V2 coverage, report
Sigma Prime (21/02/2022 - 06/08/2022): partial V2 coverage, report
Consensys Diligence Fuzzing (04/10/2021 - 13/12/2021): V1 coverage, report
ChainSecurity (31/08/2021 - 13/12/2021): V1 coverage, report
MixBytes (06/07/2021 - 22/12/2021): V1 coverage, report
Peckshield (22/07/2021 - 10/08/2021): initial version coverage, report
Peckshield (09/04/2021 - 03/05/2021): first iteration coverage, report

Since Gearbox Protocol is modular, full protocol re-deployment is not required during changes. If approved by governance, enacted multisig can take pieces in-and-out.

Bug Bounty

The scope of the bug bounty refers to these contracts:

Rewards are distributed according to the impact of the vulnerability. The final decision on the payout amount will be determined by the Gearbox DAO developers at their discretion.

Severity

Payment in USDC / other stablecoin

Low

$100 - $1K

Medium

$1K - $5K

High

$5K - $20K

Critical

$20K - $200K (+ GEAR)

For all assets labeled as “Gearbox v1” or "Gearbox v2" and deployed on the Ethereum network, only Critical and High impacts are in-scope.

If you have found a bug that you think is within the security interests of the protocol but is outside of the scope of the repository above, please do notify us then anyway. We can decide ad-hoc together with you. 1/1 payouts have been done before based on this.

Join the Bug Bounty with Immunefi! Help Gearbox stay safe and be rewarded for it.

If you need more information on the protocol, please check:

Regular protocol docs: https://docs.gearbox.finance/
Developer docs: https://dev.gearbox.fi/

NOTE: for bugs related to the interface which are just referring to typos and non-security related issues, please feel free to report them in a community Discord pro bono - and Gearbox community can maybe send nice GIFs your way. In case a bug you found is related to the interface and is outside of the scope, but has serious security concerns, please do report it as well and a bounty can be also decided ad-hoc. Again, you can ask all your questions in Discord.

Disclosures and Multisig Actions

As a report for transparency on the actions of the multisig, as well as the disclosures related to certain actions, you can keep an eye on this transparency tool which details all that's going on:

More info can also be found on GitHub:

Rules

Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Gearbox Protocol working DAO members. The goal is to make sure the ecosystem is safe, and that proper bug bounty work is rewarded well.

In order to be considered for a reward, all bug reports must contain the following:

Description of suspected vulnerability
Steps to reproduce the issue so we can check it
Your name and/or colleagues if you wish to be later recognized
(Optional) A patch and/or suggestions to resolve the vulnerability

The following activities are prohibited by bug bounty program:

Testing with mainnet or public testnet contracts: all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty

Security is a continuous effort which must always be following protocol growth. As a DAO, it is imperative to constantly dedicate ample resources to ensure safety of funds.

PreviousLegal Disclaimer NextRisks and T&C

Last updated 1 year ago

Was this helpful?

Audits

ChainSecurity (Q2-Q4 2023): full V3 coverage, reports (see multiple files)
ABDK (Q2-Q4 2023): full V3 coverage, reports (see multiple files)
Decurity (08/11/2023 - 20/11/2023): governor audit, report

Previous versions, including audits of many of the V3 contracts:

ChainSecurity (23/02/2022 - 19/10/2022): full V2 coverage, report
Consensys Diligence (25/07/2022 - 12/08/2022): full V2 coverage, report
Sigma Prime (21/02/2022 - 06/08/2022): partial V2 coverage, report
Consensys Diligence Fuzzing (04/10/2021 - 13/12/2021): V1 coverage, report
ChainSecurity (31/08/2021 - 13/12/2021): V1 coverage, report
MixBytes (06/07/2021 - 22/12/2021): V1 coverage, report
Peckshield (22/07/2021 - 10/08/2021): initial version coverage, report
Peckshield (09/04/2021 - 03/05/2021): first iteration coverage, report

Since Gearbox Protocol is modular, full protocol re-deployment is not required during changes. If approved by governance, enacted multisig can take pieces in-and-out.

Bug Bounty

The scope of the bug bounty refers to these contracts:

https://github.com/Gearbox-protocol/security/tree/main/bug-bounty

Rewards are distributed according to the impact of the vulnerability. The final decision on the payout amount will be determined by the Gearbox DAO developers at their discretion.

Severity

Payment in USDC / other stablecoin

Low

$100 - $1K

Medium

$1K - $5K

High

$5K - $20K

Critical

$20K - $200K (+ GEAR)

For all assets labeled as “Gearbox v1” or "Gearbox v2" and deployed on the Ethereum network, only Critical and High impacts are in-scope.

Join the Bug Bounty with Immunefi! Help Gearbox stay safe and be rewarded for it.

If you need more information on the protocol, please check:

Regular protocol docs: https://docs.gearbox.finance/
Developer docs: https://dev.gearbox.fi/

Disclosures and Multisig Actions

As a report for transparency on the actions of the multisig, as well as the disclosures related to certain actions, you can keep an eye on this transparency tool which details all that's going on:

Protocol Updates - Gearbox Risk Framework

More info can also be found on GitHub:

secutiry/disclosures at main · Gearbox-protocol/secutiryGitHub

Rules

In order to be considered for a reward, all bug reports must contain the following:

Description of suspected vulnerability
Steps to reproduce the issue so we can check it
Your name and/or colleagues if you wish to be later recognized
(Optional) A patch and/or suggestions to resolve the vulnerability

The following activities are prohibited by bug bounty program:

Testing with mainnet or public testnet contracts: all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty

Security is a continuous effort which must always be following protocol growth. As a DAO, it is imperative to constantly dedicate ample resources to ensure safety of funds.