AIP-134: Bug Bounty Program for AIP-21 Updates

The bug bounty program is live! You can view the details here: ApeCoin Mainnet Bug Bounties | Immunefi

We’ll post updates here on the number of submissions we’re receiving and if any payouts have been rewarded.


We’re about 5 days into the mainnet bounty program. We’ve received 17 submissions so far and no bugs have been found. 16 reports were determined to not be eligible for a reward and have been closed.

We’ve decided to issue one goodwill payment for a low severity report. Although we determined the identification to be out of scope because it requires user or admin error, we think it’s best to show our appreciation to the whitehat.

They found that there are multiple times in the contract where the pools[_poolId].timeRanges array is accessed without a require statement that prevents an array out of bounds error. This means a user could trigger a panic exception.

Although this doesn’t put any funds at risk and is not possible to trigger without user/admin error, we thought it was best to show our appreciation by rewarding the Low risk bounty payout. As always let us know if you have any questions!
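
The class of issue described in the report above, shown as an added Solidity example that is not part of the original post and is not the ApeCoin staking contract's code. Only `pools`, `_poolId` and `timeRanges` come from the post; the struct fields, function names, owner check and revert messages are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; NOT the ApeCoin staking contract. Only `pools`, `_poolId`
// and `timeRanges` appear in the post; every other name here is hypothetical.
contract TimeRangeBoundsExample {
    struct TimeRange {
        uint256 startTimestamp;
        uint256 endTimestamp;
        uint256 rewardsPerHour;
    }
    struct Pool { TimeRange[] timeRanges; }

    address public immutable owner;
    mapping(uint256 => Pool) private pools;

    constructor() {
        owner = msg.sender;
    }

    function addTimeRange(uint256 _poolId, uint256 _start, uint256 _end, uint256 _rate) external {
        require(msg.sender == owner, "not owner");
        require(_start < _end, "empty time range");
        pools[_poolId].timeRanges.push(TimeRange(_start, _end, _rate));
    }

    // Unguarded: an index >= length reverts with Panic(0x32), which gives the
    // caller no reason string and looks like an internal invariant failure.
    function timeRangeUnguarded(uint256 _poolId, uint256 _index) external view returns (TimeRange memory) {
        return pools[_poolId].timeRanges[_index];
    }

    // Guarded: the require turns the same bad input into an ordinary revert
    // with a message that tells the caller what was wrong.
    function timeRangeGuarded(uint256 _poolId, uint256 _index) external view returns (TimeRange memory) {
        TimeRange[] storage ranges = pools[_poolId].timeRanges;
        require(_index < ranges.length, "time range index out of bounds");
        return ranges[_index];
    }

    // "Last element" reads need their own guard: on an empty array,
    // `length - 1` underflows and reverts with Panic(0x11) before any lookup.
    function lastTimeRangeGuarded(uint256 _poolId) external view returns (TimeRange memory) {
        TimeRange[] storage ranges = pools[_poolId].timeRanges;
        require(ranges.length > 0, "pool has no time ranges");
        return ranges[ranges.length - 1];
    }
}
```

Both variants revert on a bad index, so state is never corrupted either way; the guard changes the failure from a compiler-inserted panic into a documented input-validation error that callers and monitoring can distinguish from a genuine contract bug.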


Posting from here since the llama account appears to be locked by discourse. Since our last report, we’ve received 17 submissions. All have been determined to be invalid and no rewards have been issued.

Happy holidays and happy staking everyone!


Thank you for the detailed updates! And Happy holidays to you all as well!


Thank you @austin for the updates. Happy holidays to you and the whole Llama team :raised_hands:


@holocronape @adventurousape thank you, happy new year!


Happy New Year everyone! A quick recap on the bounty program as we head into 2023:

  • We ran a bug bounty program for a testnet deployment of staking from 11/10/22-11/24/22. We then launched a mainnet version of the program when staking was deployed in early December.
  • We’ve received 68 total submissions across the two programs from whitehat hackers
  • We’ve confirmed 3 of these reports for a total of $4,500 in APE in payouts.

All of us at Llama hope everyone is enjoying the Holidays! Let us know if there are any questions we can answer.


Thanks for the update!


Just a quick update as things have been pretty quiet this month! We’ve reviewed an additional 22 reports since our last posting. None of these resulted in a payout as they were determined to be ineligible for the program.

Thank you all for the support, and we at Llama hope you’re enjoying the staking program.


Thank you for the update!


Hey @austin! Just wanted to check in to see if there were any additional updates that could be shared. Thanks!


Hey Vulkan, thanks for asking! The bug bounty program has been quiet since I last posted in January. We’ve received 33 submissions in the past four months. 31 did not result in a payout and 2 were low severity identifications. We paid each whitehat $1,000 in APE for those identifications.

Now that the staking program has been in production for so long, I’d expect submissions to gradually taper off. I will alert the community if any serious vulnerabilities are reported though.


Great, thanks for the update Austin!


Hope everyone is doing well. To follow up on my last message, the bounty program will continue to operate to ensure the health of the staking contract, but I will only post an update if needed. We continue to monitor for credible submissions, but as expected there is a lot less activity now that staking has been live for over 6 months.

Between the testnet and mainnet program we’ve had great results engaging the whitehat community!


Thank you for all your help in coordinating and running the bounty program!