# Bug Bounty

### Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability, based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/).

This is a simplified 5-level scale, with separate scales for websites/apps and for smart contracts/blockchains. It takes into account the consequence of exploitation, the privileges required, and the likelihood of a successful exploit.

## Introduction

DEUS DAO is committed to maintaining robust security within its Smart Contract system. As part of this commitment, we have instituted a bounty program to reward those who identify and responsibly disclose vulnerabilities. The program is categorized into different reward tiers, reflecting the severity and potential economic impact of the discovered bugs.

**Eligibility and Requirements:**

1. **Proof of Concept (PoC):** All bug reports should include a runnable PoC and a suggestion for a fix. Explanations or statements without a PoC are accepted only if a PoC can then be produced together with the team.
2. **Previously Discovered Bugs:** If a bug report covers an issue that has already been identified, it is not eligible for the program. In such cases, DEUS DAO will provide proof that the issue was already known.

**Reward Tiers:**

1. **Critical Level:**

   * $100,000 or up to 10% of the (potential) economic damage on contracts with more than 1 million USD in locked funds.
   * The 10% rule also applies to funds already removed without authorization from the respective contracts. In such cases, 90% of the funds must be immediately returned, and 10% can be kept as a whitehat bounty reward.
   * The 10% rule can also be claimed as a general bug bounty on contracts above $1m TVL, by providing a PoC or by assisting the team in creating a PoC.

   The 10% rule only applies to contracts that are live and have a TVL of more than $1M.

2. **High Level:**
   * $50,000 or up to 10% of the (potential) economic damage.
   * The 10% rule, as outlined in the Critical Level section, also applies.
3. **Medium Level:**
   * USD $5,000 payout.
   * Runnable PoC required.
4. **Low Level:**
   * USD $1,000 payout.
   * Runnable PoC required.

#### Smart Contracts

| Level       | Impact |
| ----------- | ------ |
| 5. Critical | <p>- Any governance voting result manipulation<br>- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield<br>- Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties<br>- Permanent freezing of funds<br>- Permanent freezing of NFTs<br>- Miner-extractable value (MEV)<br>- Unauthorized minting of NFTs<br>- Predictable or manipulable RNG that results in abuse of the principal or NFT<br>- Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)<br>- Protocol insolvency</p> |
| 4. High     | <p>- Theft of unclaimed yield<br>- Theft of unclaimed royalties<br>- Permanent freezing of unclaimed yield<br>- Permanent freezing of unclaimed royalties<br>- Temporary freezing of funds<br>- Temporary freezing of NFTs</p> |
| 3. Medium   | <p>- Smart contract unable to operate due to lack of token funds<br>- Block stuffing for profit<br>- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)<br>- Theft of gas<br>- Unbounded gas consumption</p> |
| 2. Low      | <p>- Contract fails to deliver promised returns, but doesn't lose value</p> |
| 1. None     | - Best practices |

Payouts are handled by **DEUS DAO** directly and are denominated in **USDC or DEUS**.
