Security & Bug Bounties
Immunefi Bug Bounty Program
We have an Immunefi bug bounty program with a maximum bounty of $100,000.
This program is focused on the protocol's smart contracts and is focused on preventing:
- Superfluid framework bugs
- Bugs in CFA/IDA in general
- Anything that would avoid streams from being closed
- Anything that would result in the sum of all account balances drifting significantly from the total supply
- Theft of tokens in third party wrapper contracts
- Other unexpected behavior in any super token contracts
Learn more here:
For more details, please visit the Immunefi Bug Bounty Program page.
Audit Resources
Superfluid has been audited on multiple occasions, you can find these past audit reports here:
For the audit reports, check out the Superfluid GitHub repository.
General Security Tips For Superfluid Developers
- We recommend what every good security expert would recommend: full test coverage, separation of concerns, and using automated tools like GitHub Actions or Trail of Bits' tools for fuzzing & static analysis
- Guides like this one from Consensys can be helpful in understanding what to think about before deploying smart contracts to mainnet.
- If you're looking for inspiration on setting up your own GitHub Actions pipelines, you can find a breakdown on Superfluid's own GitHub Actions setup here.
- Beyond this, we recommend that you continue to think about security & potential for loss of funds in the front end and off-chain components of your project (if you have them).
- For example, we highly recommend you adopt some of the same UX practices that we do in the Superfluid dashboard if you have a front end that allows people to create Superfluid streams.
- I.e., we let the user know that letting their balance hit zero before they close their stream will lead to a liquidation.
Security Tips for Building Super Apps
- Be careful that your application does not get jailed unexpectedly.
- We have detailed information here regarding the jail system and how to avoid a jailed Super App, but one of the most common reasons for a jailed super app is an unexpected revert in either the
beforeAgreementTerminated
orafterAgreementTerminated
callbacks.