Security & Bug Bounties
Immunefi Program and Links to Audits
Last updated
Was this helpful?
Immunefi Program and Links to Audits
Last updated
Was this helpful?
We have an bug bounty program with a maximum bounty of $100,000.
This program is focused on the protocol's smart contracts and is focused on preventing:
Superfluid framework bugs
Bugs in CFA/IDA in general
Anything that would avoid streams from being closed
Anything that would result in the sum of all account balances drifting significantly from the total supply
Theft of tokens in third party wrapper contracts
Other unexpected behavior in any super token contracts
Learn more here:
Superfluid has been audited on multiple occasions, you can find these past audit reports here:
Beyond this, we recommend that you continue to think about security & potential for loss of funds in the front end and off-chain components of your project (if you have them).
Be careful that your application does not get jailed unexpectedly.
We recommend what every good security expert would recommend: full test coverage, separation of concerns, and using automated tools like Github Actions or ' tools for fuzzing & static analysis
Guides like can be helpful in understanding what to think about before deploying smart contracts to mainnet.
If you're looking for inspiration on setting up your own Github Actions pipelines, you can find a breakdown on Superfluid's own Github Actions setup
For example, we highly recommend you adopt some of the same UX practices that we do in the if you have a front end that allows people to create Superfluid streams
I.e. we let the user know that letting their balance hit zero before they close their stream will
We have detailed information regarding the jail system and how to avoid a jailed Super App, but one of the most common reasons for a jailed super app is an unexpected revert in either the beforeAgreementTerminated or afterAgreementTerminated callbacks
In general, we advise sticking to the existing Super Token interfaces seen unless you have a good reason not to
If you want to deviate from this, we strongly encourage you to reach out to the Superfluid developer team in the #dev-support channel in our
