# Bug Bounty

## Bug Bounty Program

The bug bounty program is hosted on [Immunefi](https://immunefi.com/bug-bounty/enzyme-onyx).

All submissions must follow Immunefi and program rules.

## Out-of-scope

In addition to Immunefi scope rules, the following are considered out-of-scope:

* everything noted in this document set (e.g., [Risks and Limitations](https://docs.enzyme.finance/onyx-protocol/security/risks-and-limitations))
* everything noted in [audit reports](https://github.com/enzymefinance/protocol-onyx/tree/main/audits)
* everything noted in QA reports [link forthcoming]
* user error; i.e., inadequate inputs or config, lack of mechanism understanding, etc. (see below)
* unrealistic fund state (see below)

### Examples of out-of-scope "user error"

Onyx is designed for flexibility of different setups and administrative needs. The `admin` role is often tasked with ensuring fairness, avoidance of denial-of-service (DoS) and similar ill effects, executing steps in order, and otherwise following manual processes to achieve desired results (e.g., [Suggested Subscription Rounds](https://docs.enzyme.finance/onyx-protocol/general-flows/suggested-subscription-rounds)).

#### Example: deposit and redeem handler DoS due to request cancelations

Some deposit and redeem handlers (e.g., `ERC7540LikeDepositQueue` and `ERC7540LikeRedeemQueue`) use a `minRequestDuration`, where a request is cancelable after `minRequestDuration` has elapsed.

As long as `minRequestDuration` is always set adequately (i.e., greater than the maximum time between batches), there will never be a cancelation DoS opportunity.
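The check an `admin` would run before choosing `minRequestDuration`, as an added example that is not Onyx code: it assumes a request settles in the first batch executed strictly after its submission (an assumption, not a documented rule) and that the queue's cancelation timestamps and batch schedule are the constructed sample values below.

```python
"""Validate a `minRequestDuration` against a batch schedule (added example, not Onyx code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    id: int
    submitted_at: int  # unix seconds


# Constructed sample data: hourly batches, then a two-hour gap.
BATCH_TIMES = [0, 3600, 7200, 14400]
REQUESTS = [Request(1, 1), Request(2, 7201), Request(3, 3600)]


def settling_batch(submitted_at, batch_times):
    """Assumed settlement rule: the first batch executed strictly after submission."""
    for t in batch_times:
        if t > submitted_at:
            return t
    return None  # no later batch in the schedule; the request is still pending


def cancelation_windows(requests, batch_times, min_request_duration):
    """Return (id, cancelable_at, batch_at) for every request that becomes cancelable
    no later than the batch meant to settle it, i.e., every request that could be
    pulled out from under that batch."""
    exposed = []
    for r in requests:
        cancelable_at = r.submitted_at + min_request_duration
        batch_at = settling_batch(r.submitted_at, batch_times)
        if batch_at is not None and cancelable_at <= batch_at:
            exposed.append((r.id, cancelable_at, batch_at))
    return exposed


def min_safe_request_duration(batch_times):
    """Smallest duration strictly greater than the longest gap between batches,
    which is the page's condition for no cancelation window at all."""
    gaps = [b - a for a, b in zip(batch_times, batch_times[1:])]
    return max(gaps) + 1


if __name__ == "__main__":
    print("exposed with 3600s:", cancelation_windows(REQUESTS, BATCH_TIMES, 3600))
    safe = min_safe_request_duration(BATCH_TIMES)
    print("minimum safe minRequestDuration:", safe)
    print("exposed with safe value:", cancelation_windows(REQUESTS, BATCH_TIMES, safe))
```

With the sample schedule, a one-hour `minRequestDuration` leaves requests 2 and 3 cancelable before their batch, while any value above the longest gap (7201 s here) leaves none.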

#### Example: deposit and redeem handler DoS due to small amounts that round to 0 shares

`admin` has full control to omit requests with amounts that are considered too small.

#### Example: share price staleness/fairness/etc during deposit or redemption

`admin` has full control over the price at which deposits and redemptions are executed, and it must be part of their process to validate that the currently-set share price is adequate for any action according to their needs.

#### Example: failure to initialize contract

Contracts are always expected to be properly initialized, and all proxies are always deployed with their init data bundled into the same call.

### Examples of "unrealistic fund state"

Onyx vaults are assumed to operate within common-sense constraints for how managed funds work.

Closely related to [Examples of out-of-scope "user error"](#examples-of-out-of-scope-user-error).

#### Example: more debt than assets

A reasonable managed fund cannot take on more debt than assets such that `share value <= 0`.

#### Example: shares totalSupply > 0 when share value == 0

At the point where a fund truly loses all assets (e.g., a hack, or a violent value depreciation that rounds to 0) and shares have no value, a fund would shut down rather than, e.g., accept new depositors who are immediately diluted by the existing shares `totalSupply`.
