🛡️ Security & Bug Bounties
Immunefi Program and Links to Audits
We have an Immunefi bug bounty program with a maximum bounty of $100,000.
This program covers the protocol's smart contracts and focuses on preventing:
Superfluid framework bugs
Bugs in CFA/IDA in general
Anything that would prevent streams from being closed
Anything that would result in the sum of all account balances drifting significantly from the total supply
Theft of tokens in third party wrapper contracts
Other unexpected behavior in any super token contracts
Learn more here:
Superfluid has been audited on multiple occasions; you can find these past audit reports here:
We recommend what every good security expert would recommend: full test coverage, separation of concerns, and using automated tools like GitHub Actions or Trail of Bits' tools for fuzzing & static analysis.
Guides like this one from Consensys can be helpful in understanding what to think about before deploying smart contracts to mainnet.
If you're looking for inspiration on setting up your own GitHub Actions pipelines, you can find a breakdown of Superfluid's own GitHub Actions setup here.
Beyond this, we recommend that you continue to think about security & potential for loss of funds in the front end and off-chain components of your project (if you have them).
For example, if you have a front end that allows people to create Superfluid streams, we highly recommend you adopt some of the same UX practices that we use in the Superfluid dashboard: we let the user know that letting their balance hit zero before they close their stream will lead to a liquidation.
Be careful that your application does not get jailed unexpectedly.
We have detailed information here regarding the jail system and how to avoid a jailed Super App, but one of the most common reasons for a jailed Super App is an unexpected revert in either the beforeAgreementTerminated or afterAgreementTerminated callbacks.
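One way to keep a termination callback from reverting, shown as an added example (not Superfluid's own code): app logic runs in an external self-call wrapped in try/catch, and the callback always returns the context it was given. The contract name, openStreams, isStreaming, onStreamClosed and the event are hypothetical; host registration and the creation callback that would maintain the bookkeeping are omitted, and the CFA agreementData layout abi.encode(sender, receiver) is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import { ISuperfluid, ISuperToken } from
    "@superfluid-finance/ethereum-contracts/contracts/interfaces/superfluid/ISuperfluid.sol";
import { SuperAppBase } from
    "@superfluid-finance/ethereum-contracts/contracts/apps/SuperAppBase.sol";

// Hypothetical Super App; only the termination path is shown.
contract SafeTerminationApp is SuperAppBase {
    ISuperfluid public immutable host;
    ISuperToken public immutable acceptedToken;
    uint256 public openStreams;                  // bookkeeping set on stream creation (omitted)
    mapping(address => bool) public isStreaming; // bookkeeping set on stream creation (omitted)

    event TerminationLogicFailed(bytes32 indexed agreementId, bytes reason);

    constructor(ISuperfluid _host, ISuperToken _acceptedToken) {
        host = _host;
        acceptedToken = _acceptedToken;
    }

    function afterAgreementTerminated(
        ISuperToken superToken,
        address /* agreementClass */,
        bytes32 agreementId,
        bytes calldata agreementData,
        bytes calldata /* cbdata */,
        bytes calldata ctx
    ) external override returns (bytes memory) {
        // Rejecting non-host callers is safe: the host itself never hits this revert.
        require(msg.sender == address(host), "only host");
        // Unknown token: ignore it instead of reverting.
        if (address(superToken) != address(acceptedToken)) return ctx;
        // Contain any revert from app logic inside an external self-call.
        try this.onStreamClosed(agreementData) {} catch (bytes memory reason) {
            emit TerminationLogicFailed(agreementId, reason);
        }
        return ctx; // always hand the unmodified context back
    }

    function onStreamClosed(bytes calldata agreementData) external {
        require(msg.sender == address(this), "self only");
        (address sender, ) = abi.decode(agreementData, (address, address));
        isStreaming[sender] = false;
        openStreams -= 1; // checked arithmetic: reverts if bookkeeping is inconsistent
    }
}
```

try/catch does not help if the callback runs out of gas, so keep termination logic small and cover the failure path with a test that forces onStreamClosed to revert.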