Comment on page

Bug Bounty Program

The security of Alpaca Finance’s systems is of the highest priority for our team. Yet, even with significant scrutiny and auditing, there’s still a possibility of vulnerabilities considering the novelty of the growing DeFi ecosystem.
That’s why on top of our own efforts and professional auditing, we put in place a Bounty Program to identify bugs and vulnerabilities in the protocol infrastructure and smart contracts. In other words, we’ll reward you for helping us make the system as invulnerable as possible.
We kindly ask you to notify us in case you discover an issue so we can immediately take steps to address and fix it. As compensation, we’re allocating 0.5% of the total supply of $ALPACA tokens to successful bounty hunters, which will come from our Warchest. Please review the program terms and scope below.

Issue Severity Classification and Associated Rewards

The submitted issue needs to meet a minimum severity standard of Low as described below in order to qualify for a reward. A successfully-reviewed submission will receive a reward in BUSD-BEP20 tokens based on the classified severity of the issue:
Low: Up to $ 1,000 — An issue that could cause user dissatisfaction or minor technical failure.
Medium: Up to $ 5,000 — An issue that could theoretically cause a minor loss of <.1% of the protocol funds, damage the protocol state, or cause severe user dissatisfaction or moderate technical failure.
High: Up to $ 15,000 — An issue that could cause the immediate loss of protocol funds between .1%< X <10%, or severely damage the protocol state.
Critical: Up to $ 100,000 — An issue that could cause immediate loss of >10% of the protocol funds or permanently impair the protocol state.


Rewards will vary depending on the severity of the issue. In addition, you can increase the reward by providing high-quality information in the following aspects: Issue description, instructions to reproduce the issue, and a solution(optional).
  • If you’d like to add more information regarding the reported issue, you can create a new submission that includes a reference to the initial one.
  • Technical knowledge is necessary for the process.
  • Duplicated reports of known issues are ineligible. The first submission will get the reward. So be sure to report promptly.
  • Rewards will be determined on a case-by-case basis. The bug bounty program, and the terms and conditions are at the sole discretion of Alpaca Finance.
  • The terms and conditions of the bug bounty program may change over time.
  • While the issue is active, any interference with the protocol or client/platform services, whether accidental or not, will invalidate the submission from receiving a reward.
  • Public disclosure of a vulnerability would guarantee a submission’s disqualification. Please read and abide by the following responsible disclosure policy or your report may become ineligible for a reward.

Responsible Disclosure Policy

If you discover a vulnerability, make sure to follow all the steps below:
  1. 1.
    As soon as possible, write a report of the issue in as much detail and accuracy as you can, then send it to: [email protected]
  2. 2.
    Do not reveal any information about the issue to anyone outside the team.
  3. 3.
    Do not take advantage of the issue.
  4. 4.
    Do not attack our system or protocol.
Once we receive your report, we promise to do the following:
  1. 1.
    Respond to your report within 5 business days.
  2. 2.
    Handle your report with strict confidentiality.
  3. 3.
    Provide you updates regarding the progress of your submission status and the resolution of the reported issue.
  4. 4.
    Give you credit by naming you as the successful bounty hunter of the issue, unless you desire otherwise.
  5. 5.
    Offer you the proper reward as per the prior rules to thank you for helping us make Alpaca as secure as possible!