If you discover a security vulnerability in Xeon Protocol, we encourage you to report it to us as soon as possible. We will handle your report with the highest priority and confidentiality.
We encourage responsible disclosure: please do not open a public issue for sensitive vulnerabilities. Instead, email your findings to [email protected] or send a DM on Warpcast. Include as much detail as possible in your report to help us understand and reproduce the issue. If applicable, include a link to or hash of any relevant onchain transactions and a minimal repository, including tests, that showcases the behavior in question.
- Acknowledgement: We will acknowledge receipt of your report within 48 hours.
- Initial Triage: We will complete an initial assessment of your report within 5 business days.
- Resolution: We will work to resolve the issue as quickly as possible, keeping you informed of our progress.
- Reward: If the findings are eligible for a reward, we will reach out for a receiving address and process payment within 5 business days after resolution.
Bug bounties that meet certain criteria are eligible for XEON token rewards, which are paid upon completion.
Although general enhancements such as gas efficiency improvements and refactoring are appreciated, they are not eligible for bug bounty payouts. We do, however, recognize regular contributors who commit to our repositories with XEON rewards paid out through our Galxe campaign, which you can sign up for here.
The following deployments are subject to bounty rewards up to and including the vulnerability levels listed below:
| Codebase | Bounty |
|---|---|
| xeon-dapp | |
| xeon-v1 | |
| xeon-testnet | |
| xeon-periphery | |
Completed bug bounties are claimable per-codebase, not per-network deployment of that codebase.
Portions of our codebase are subject to the Xeon Protocol Bug Bounty (the "Program") to incentivize responsible disclosure of vulnerabilities. We are offering XEON token rewards for submissions that meet eligibility criteria.
In order to maximize the security of our v1-core contracts, we will be opening them for community audit prior to their release on mainnet. If you are a Solidity developer with auditing experience and would like to earn XEON token rewards in exchange for providing a detailed contract audit, please contact us on Telegram, or by email, for an invite to an audit discussion in Slack.
To stay informed about security updates, follow us on Warpcast and X. Additionally, we publish regular articles on our Paragraph Newsletter.
We are committed to ensuring the security of our platform and follow best practices, including:
- Regular penetration testing
- Open-sourcing public contracts
- Continuous dependency management
- Proactive vulnerability scanning
Thank you for helping us keep the Xeon Protocol secure.