search

πŸ›‘οΈSecurity & Bug Bounties

Immunefi Program and Links to Audits

hashtag
Immunefi Bug Bounty Program

We have an Immunefiarrow-up-right bug bounty program with a maximum bounty of $100,000.

This program is focused on the protocol's smart contracts and is focused on preventing:

  • Superfluid framework bugs

  • Bugs in CFA/IDA in general

    • Anything that would avoid streams from being closed

    • Anything that would result in the sum of all account balances drifting significantly from the total supply

  • Theft of tokens in third party wrapper contracts

  • Other unexpected behavior in any super token contracts

Learn more here:

https://immunefi.com/bounty/superfluid/immunefi.comchevron-right

hashtag
Audit Resources

Superfluid has been audited on multiple occasions, you can find these past audit reports here:

Logoprotocol-monorepo/packages/ethereum-contracts/audits at dev Β· superfluid-org/protocol-monorepoGitHubchevron-right

hashtag
General Security Tips For Superfluid Developers

  • We recommend what every good security expert would recommend: full test coverage, separation of concerns, and using automated tools like Github Actions or Trail of Bitsarrow-up-right' tools for fuzzing & static analysis

    • Guides like this one from Consensysarrow-up-right can be helpful in understanding what to think about before deploying smart contracts to mainnet.

    • If you're looking for inspiration on setting up your own Github Actions pipelines, you can find a breakdown on Superfluid's own Github Actions setup herearrow-up-right

  • Beyond this, we recommend that you continue to think about security & potential for loss of funds in the front end and off-chain components of your project (if you have them).

    • For example, we highly recommend you adopt some of the same UX practices that we do in the Superfluid dashboardarrow-up-right if you have a front end that allows people to create Superfluid streams

    • I.e. we let the user know that letting their balance hit zero before they close their stream will lead to a liquidation

hashtag
Security Tips for Building Super Apps

  • Be careful that your application does not get jailed unexpectedly.

  • We have detailed information herearrow-up-right regarding the jail system and how to avoid a jailed Super App, but one of the most common reasons for a jailed super app is an unexpected revert in either the beforeAgreementTerminated or afterAgreementTerminated callbacks

hashtag
Custom Super Tokens

  • In general, we advise sticking to the existing Super Token interfaces seen herearrow-up-right unless you have a good reason not to

  • If you want to deviate from this, we strongly encourage you to reach out to the Superfluid developer team in the #dev-support channel in our Discord arrow-up-right

PreviousBounty ProgramNextToken Dashboard Submission

Last updated