Calling All Independent Security Researchers (White Hat Hackers and Auditors)
Synopsis
Here in the Morpheus Community we’re a bit obsessed with the concept of strong property rights. In the land of Web3, white hat hackers, coders, and contributors help make sure things work the way they should.
The Morpheus smart contracts have undergone a thorough multi-tiered audit and mitigation process. However, the contracts and interface operate in a dynamic environment with new technologies that may contain vulnerabilities that have yet to be discovered.
In short, we can use your help. If you’re able to find and help resolve vulnerabilities that could put Morpheus community members at risk, we want to get you paid.
Below is a quick outline of the Morpheus Bug Bounty Program.
Rewards
Morpheus will pay a reward of $500 to $150,000 for eligible discoveries in proportion to the severity of the vulnerability discovered and averted.
(Note: Payments earned prior to the end of the bootstrapping period will be paid after May 9, 2024.)
Scope
The primary scope of the bug bounty program is for vulnerabilities affecting the on-chain Morpheus Protocol, deployed to the Ethereum Mainnet, or the claim function to Arbitrum, for contract addresses listed in this developer documentation.
This list may change as new contracts are deployed, or as existing contracts are removed from usage. Vulnerabilities in contracts built on top of the protocol by third-party developers (such as smart agents or wallets) are not in-scope, nor are vulnerabilities that require ownership of an admin key.
The secondary scope of the bug bounty program is for vulnerabilities affecting the Morpheus Interface hosted at https://dashboard.mor.org/#/mainnet/capital that could conceivably result in exploitation of user accounts.
Finally, test contracts (Sepolia and other testnets) and staging servers are out of scope, unless the discovered vulnerability also affects the Morpheus Protocol or Interface, or could otherwise be exploited in a way that risks user funds.
Disclosure Process
Submit all bug bounty disclosures to devs@mor.org. The disclosure must include clear and concise steps to reproduce the discovered vulnerability in either written or video format. Members from the Morpheus Community will follow up promptly with acknowledgement of the disclosure.
Terms/Conditions
To be eligible for bug bounty reward consideration, you must:
Identify an original, previously unreported, non-public vulnerability within the scope of the Morpheus bug bounty program as described above.
Include sufficient detail in your disclosure to enable our engineers to quickly reproduce, understand, and fix the vulnerability.
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, you must:
Be a good faith actor following the terms and conditions of this program and any other relevant agreements. If there is any inconsistency between this program and any other relevant agreements, a good faith determination will be made.
Report any vulnerability you’ve discovered promptly.
Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience.
Use only devs@mor.org to discuss vulnerabilities with us.
Keep the details of any discovered vulnerabilities confidential until they are fixed.
Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
Only interact with accounts you own or with explicit permission from the account holder.
Not engage in blackmail, extortion, or any other unlawful conduct.
When working with us according to this program, you can expect us to:
Pay generous rewards for eligible discoveries based on the severity and exploitability of the discovery, at the Morpheus Community’s sole discretion.
Extend Safe Harbor for your vulnerability research that is related to this program, meaning we will not threaten or bring any legal action against anyone who makes a good faith effort to comply with our bug bounty program.
Work with you to understand and validate your report, including a timely initial response to the submission.
Work to remediate discovered vulnerabilities in a timely manner.
Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.
TL;DR
Payment of up to $150,000, to be paid from the protection fund (payable after the end of the bootstrapping period).
Submit any discovered vulnerabilities to devs@mor.org.
Payments will be in proportion to the severity of the issue, its exploitability, and the harm averted for the community.
The scope includes any vulnerability affecting the on-chain Morpheus protocol, deployed to the Ethereum Mainnet, for contract addresses listed in the GitHub developer documentation; the user interface at https://dashboard.mor.org/#/mainnet/capital; and the claim functionality to Arbitrum.
The scope excludes testnets.
Vulnerabilities must not become public before they are resolved.