# Bug Bounty

## HyENA Bug Bounty Program

### 1. Scope

On mainnet, any bug that could reasonably lead to **user fund loss, unfair execution, or integrity failures** in the HIP-3 DEX or oracle system is in scope, including:

* Incorrect oracle price publication or calculation
* Manipulation vectors in oracle updates or aggregation logic
* Desynchronization between on-chain oracle state and off-chain reference prices
* Availability issues that can be turned into profit (e.g., asymmetric downtime that enables manipulation)
* Any additional issue not contemplated above that could reasonably lead to user fund loss, unfair execution, or integrity failures

### 2. Submission Reports and Rewards

Reports must include:

* **Description**: Clear explanation of the vulnerability and affected component(s)
* **Reproduction**: Detailed step‑by‑step instructions and any required scripts or transactions
* **Proof of Concept**: Working PoC that demonstrates real exploitability (not just a theoretical issue)
* **Impact Assessment**: Reasonable explanation of potential impact (e.g., “X% price manipulation”, “Y funds at risk”)

Submit your report to: <bugs@hyena-inc.com>

If the same bug is reported by multiple parties, **only the first valid report** is eligible for a reward.

Rewards are paid in **USDe** on either HyperEVM or HyperCore for responsible disclosure based on severity.

HyENA contributors commit **not to pursue legal action** for security research conducted in **good faith** and **in compliance with this program**.

### 3. Prohibited Activity

To protect users, infrastructure, and third parties, the following are strictly prohibited:

* **Mainnet Exploitation**
  * Active exploitation on mainnet beyond what is strictly necessary to prove impact in a controlled manner - if impact can be proven or demonstrated without such action, the action is expressly prohibited
  * Any testing that leads to real user losses or large-scale disruption
* **Testing Scope**
  * Testing on mainnet when equivalent tests can reasonably be performed on testnet or local forks
  * DoS attacks
  * Testing involving third-party systems and applications
* **Abuse & Extortion**
  * Phishing or other social engineering
  * Ransom demands, blackmail, or threats
  * Public disclosure of a vulnerability before it is fixed and any bounty is paid
  * Threatening to publish or publishing personally identifiable information (PII) or sensitive data without consent
  * Exploiting vulnerabilities for personal financial gain beyond the bounty, including trading on undisclosed vulnerabilities, MEV-style extraction, or manipulating on-chain markets
* **Bypassing Program Rules**
  * Attempting to bypass the submission process
  * Engaging in unauthorized activity outside the scope defined in this program

### 4. Eligibility

To be eligible for a bounty:

* Reports must be submitted to <bugs@hyena-inc.com> only (no external platforms).
* The reporter must comply with any required **KYC/KYB** procedures.
* The reporter must be technically able to receive **USDe** on the supported networks.
* The reporter must maintain **confidentiality** about the vulnerability and related communications until and unless authorized in writing to disclose.
* The issue must be **reproducible** and supported with clear evidence and a PoC.
* **Contributors to the codebase** (employees, contractors, core devs) are **not eligible** to receive bounties for vulnerabilities in code they contributed to.

HyENA reserves the right to declare an entity or individual ineligible based on applicable sanctions, regulatory requirements, or legal restrictions.

### 5. Ineligible Submissions

The following types of submissions are not eligible for rewards:

* Reports without sufficient detail:
  * Missing step‑by‑step reproduction
  * No working PoC when one is reasonably feasible
* Vulnerabilities requiring **extremely unlikely or unreasonable user behavior**, such as:
  * Disabling basic security features
  * Ignoring explicit warnings in the UI or docs
* Issues dependent on:
  * Outdated or unsupported software versions
  * Unpatched browsers or operating systems that are no longer supported
  * Rooted / jailbroken / otherwise modified user devices
* Issues in **third‑party libraries, extensions, tools, or infrastructure** that do not result in a direct exploitable vulnerability in the HIP-3 DEX or oracle system
* Purely non‑security issues:
  * Minor performance problems
  * Cosmetic UI bugs
  * Typos or documentation nits (unless they cause a real loss or security issue)
* Vulnerabilities that only manifest under **extreme, unrealistic, or clearly contrived market conditions** that do not reflect plausible real‑world scenarios.

### 6. General Conditions

* No bounty is owed for submissions that:
  * Do not meet the program’s requirements, or
  * Are excluded by the scope or ineligibility criteria.
* The project retains **sole discretion** to determine:
  * Whether a submission is valid,
  * How to classify its severity, and
  * The exact bounty amount within the published ranges.
* All submissions become the property of the project. The project may:
  * Use, modify, or disclose submissions for security and operational purposes
  * Share information with partners or auditors as needed, without additional consent from the reporter

Participation in this program does not create any employment or partnership relationship.

### 7. Classification & Reward Guidelines

Severity is determined by impact and likelihood. Payouts may vary within each range depending on exploitability, quality of report, and whether the researcher provided fixes or mitigations.

#### Critical – up to 100,000 USDe

Bugs that can cause direct, **significant loss of user funds** or catastrophic integrity failures, for example:

* Oracle price manipulation allowing profitable, repeated abuse (e.g., under/over-pricing leading to liquidations or unfair PnL)
* Smart contract vulnerabilities allowing:
  * Direct draining or theft of user funds
  * Permanent lockup of significant funds

#### High – up to 25,000 USDe

Bugs causing **severe disruption or partial but contained impact**, for example:

* HyENA HIP-3 DEX downtime that blocks:
  * New orders/cancellations for a significant period
  * Oracle updates critical to fair pricing
* Oracle or data-feed disruptions that:
  * Cannot be directly exploited for fund theft, but
  * Materially affect trading or risk systems
* Access control or authentication issues that:
  * Allow privileged but non‑catastrophic actions
  * Risk targeted but not systemic losses

#### Medium – up to 7,500 USDe

Bugs with **moderate impact** or **limited exploitability**, such as:

* Logic errors that:
  * Only occur in rare edge cases
  * Have limited or no immediate fund impact
* Information disclosure that:
  * Reveals non‑public but non‑sensitive data
  * Could aid future attacks but is not directly exploitable

#### Low – up to 1,500 USDe

Bugs that have **low impact** or are primarily **best‑practice violations**, for example:

* Minor API inconsistencies or error handling flaws
* Documentation or configuration issues that:
  * Could mislead integrators or power users
  * Do not present an immediate exploit path

### 8. Process & Timelines

* **Acknowledgment**: The HyENA team aims to acknowledge valid reports within 72 hours.
* **Triage & Classification**: Severity assessment and initial triage typically completed within 7–14 days.
* **Remediation & Payout**:
  * Fixes for critical/high issues are prioritized and deployed as soon as safely possible.
  * Bounty awards are generally paid within 14 days of confirming the vulnerability and agreeing on classification, subject to KYC/KYB completion.

Timelines are best‑effort and may vary based on complexity or required coordination with external partners.

### 9. Contact

**Primary security contact**: <bugs@hyena-inc.com>
