Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
Please email [email protected] with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach out in 1 business day with additional questions or next steps on the bug bounty.
Bug Bounty Payment
Bug bounties will be paid in USDC or locked MNGO, after a DAO vote. The Mango DAO has never refused a bug bounty so far.
Invalid Bug Bounties
The following are out of scope for the bug bounty:
Attacks that the reporter has already exploited themselves, leading to damage.
Attacks requiring access to leaked keys/credentials.
Attacks requiring access to privileged addresses (governance, admin).
Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).
Lack of liquidity.
Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).