Layer3, a decentralized attention layer project, launched a bug bounty program with rewards of up to $500,000.

This initiative, in partnership with HackenProof, is designed to strengthen the security of its omnichain infrastructure, which supports critical functions like distribution, identity, and incentives across more than 500 ecosystems.

Tokenized attention needs next-level security. The @Layer3FDN has set up a $500K Bug Bounty program with @HackenProof.

— Layer3 (@layer3xyz) August 16, 2024

Bounties range from $5,000 for medium-severity issues to a maximum of $500,000 for critical vulnerabilities. Critical-severity issues are rewarded with a six-month linear vesting schedule in DEXE tokens, while other bounties may be paid in stablecoins. 

The bounty program focuses on identifying and mitigating vulnerabilities within Layer3’s smart contracts. It targets critical issues that could lead to the theft or loss of staked funds, unauthorized transactions, or the permanent freezing of assets.

Hackers can submit reports on any vulnerabilities, even those outside the specified categories, as long as they adhere to the program rules. HackenProof’s team will review and triage each submission.

Layer3’s definition of vulnerabilities

Layer3 has clearly defined what constitutes “in-scope” and “out-of-scope” vulnerabilities. 

In-scope vulnerabilities include unauthorized fund transfers, bypassing access controls, and emergency withdrawals. Out-of-scope issues involve gas optimizations and other non-critical aspects that do not directly impact the smart contract’s functionality.

Program rules

Participants must follow strict program rules, including submitting one vulnerability per report and providing a proof of concept for all severity levels. Testing should only occur within a defined scope, avoiding any actions that could disrupt services or compromise personal data.

The program also prohibits activities like DoS/DDoS attacks, social engineering, and using automated tools to spam forms.