🐛Bug Bounty

A bug bounty program for Increment's smart contracts is now live. Whitehats are welcome to submit reports either on https://bugrap.io/ or through emails.


Vulnerability reports will be scored using the CVSS v3 standard. The reward amounts for different types of vulnerabilities are:

🚨 Critical (CVSS 9.0–10.0)

→ $5,000 - $15,000

⚠️ Major (CVSS 7.0–8.9)

→ $2,500 - $5,000​

⚡ Medium (CVSS 4.0–6.9)

→ $750 - $2,500

🐛 Low (CVSS 1.0–3.9)

→ $500 - $750

Rewards will be awarded at the sole discretion of Increment Team. Quality of the report and reproduction instructions can impact the reward. Rewards are denominated and paid out in USD. If both parties agree, rewards can also be paid out in crypto.

The bug bounty program is ongoing and has been running since July 20 2022.

Reporting a Vulnerability

Please responsibly disclose any findings to the development team, following these instructions:

  • In order to report a vulnerability, please write an email to contact@increment.fi with [SECURITY DISCLOSURE] in the subject of the email.

  • We will make our best effort to reply in a timely manner and provide a timeline for resolution.

  • Please include a detailed report on the vulnerability with clear reproduction steps. The quality of the report can impact the reward amount.

Failure to do so will result in a finding being ineligible for any bounties.


In scope for the bug bounty are all the smart contract components of the Increment protocols. They can be found in the following sections:

Out of scope

  • Any frontend applications or client-side code interacting with the contracts, as well as testing code.

  • Mismatch of the functionality of the contracts and outdated spec documents.

Areas of interest

These are some examples of vulnerabilities that would be interesting:

  • Stealing tokens or manipulating the token generation process.

  • Locking or freezing any of the Increment's contracts.

  • Griefing attacks: is it possible to block liquidations, redemptions, borrower operations, etc?

  • Do the desired constraints on borrower operations hold?

  • Flash loan exploits



Terms for eligible bounties:

  • Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first report will be awarded the bounty.

  • Public disclosure of the vulnerability, before explicit consent from Increment Team to do so, will make the vulnerability ineligible for a bounty.

  • Attempting to exploit the vulnerability in Flow mainnet will also make it ineligible for a bounty.

Last updated