Bug Bounty Program

Lombard partners with Immunefi to operate an evergreen bug bounty program offering up to $250,000 for critical vulnerability discoveries. The program has been live since September 4, 2024, creating a continuous incentive for security researchers to review and test the protocol.

Bug bounties complement formal audits by engaging the broader security community. While audits provide deep, focused reviews at specific points in time, bounty programs maintain ongoing vigilance as the protocol evolves and new attack vectors emerge.

Immunefi is the leading bug bounty platform in Web3, having facilitated over $100 million in payouts to white-hat hackers. Their infrastructure handles vulnerability disclosure, communication between researchers and projects, and secure reward distribution.


Rewards by Severity

Rewards scale with the severity and potential impact of discovered vulnerabilities.

Severity    Smart Contract        Web/App
Critical    Up to $250,000        Up to $25,000
High        $10,000 – $25,000     $5,000 – $10,000
Medium      $5,000 – $10,000      $2,500 – $5,000
Low         $1,000 – $5,000       $1,000 – $2,500

Critical smart contract vulnerabilities—those enabling theft of funds, permanent freezing, or protocol insolvency—receive the highest rewards. The exact amount depends on the funds at risk and the sophistication of the exploit.

Payments are made in USDC and processed through Immunefi. KYC verification is required before receiving rewards for critical submissions.


Assets in Scope

The program covers Lombard's core smart contracts and web applications.

Smart Contracts (Ethereum Mainnet):

Contract                  Address
LBTC Token                0x8236a87084f8B84306f72007F36F2618A5634494
Consortium Governance     0xed6D647E2F81E5262101aFf72c4A7bcDcfd780e0
Proxy Upgrade Timelock    0x055E84e7FE8955E2781010B866f10Ef6E1E77e59

The full scope including additional contracts is available on the Immunefi program page.


Impacts in Scope

The program accepts reports for specific impact categories. Critical impacts include:

  • Direct theft of user funds (at-rest or in-motion)

  • Permanent freezing of funds

  • Protocol insolvency

  • Manipulation of governance voting results

  • Execution of arbitrary system commands

  • Retrieval of sensitive data from running servers (database passwords, blockchain keys)

  • Taking down the application or website

  • Unauthorized state-modifying actions on behalf of other users

  • Subdomain takeover with wallet interaction

  • Malicious interactions with connected wallets (modifying transactions, substituting addresses)

High, medium, and low severity impacts follow Immunefi's standard vulnerability classification system.


Out of Scope

Certain categories are excluded from the program:

  • Impacts that require basic economic or governance attacks (for example, a 51% attack)

  • Impacts from Sybil attacks

  • Lack of liquidity impacts

  • Incorrect data supplied by third-party oracles (oracle manipulation attacks remain in scope)

  • Centralization risks

  • Vulnerabilities the reporter has already exploited

  • Attacks requiring access to leaked credentials or privileged addresses

  • Impacts from external stablecoin depegging not caused by code bugs

  • Best practice recommendations without security impact

  • Feature requests

  • Impacts on test files and configuration files

Mentions of secrets, API keys, or private keys in GitHub repositories are out of scope without proof they are used in production.


How to Submit a Report

1. Create an Immunefi account at bugs.immunefi.com if you don't have one.

2. Review the program scope to confirm your finding affects in-scope assets and impacts.

3. Prepare your report with clear documentation of the vulnerability, including:

  • Affected asset and impact category

  • Step-by-step reproduction instructions

  • Proof of Concept (required for all submissions)

  • Potential impact assessment

4. Submit through Immunefi's dashboard at bugs.immunefi.com. Select "Lombard Finance" as the program.

5. Wait for triage. Immunefi's team reviews submissions before forwarding to Lombard. Initial response typically occurs within 48 hours.

6. Collaborate on remediation. If valid, Lombard's security team works with you to understand and fix the issue.

7. Receive payment after the vulnerability is confirmed and addressed. KYC required for critical rewards.


Program Requirements

Proof of Concept Required: All submissions must include a working PoC demonstrating the vulnerability. Reports without PoC are not eligible for rewards.

Responsible Disclosure: Do not publicly disclose vulnerabilities before they are fixed. Researchers may publish reports after resolution with Lombard's approval.

No Exploitation: Do not exploit vulnerabilities on mainnet or cause damage while researching. Use testnets and local environments for testing.

One Bug, One Report: Submit separate reports for distinct vulnerabilities. Do not bundle multiple issues into a single submission.

First Reporter Wins: Only the first report of a given vulnerability is eligible for reward. Duplicate reports receive no payout.


Program Policies

Primacy of Impact: For critical smart contract vulnerabilities, Lombard follows Immunefi's Primacy of Impact policy. If you discover a critical impact on a Lombard-owned asset that is not explicitly listed in scope, the report may still be eligible for a reward.

Known Issues: Previously discovered vulnerabilities documented in audits or self-reported by Lombard are not eligible. Immunefi maintains a known issues list to prevent duplicate rewards.

Geographic Restrictions: The program is not open to residents of OFAC-sanctioned countries or regions restricted by UN Security Council resolutions.

Arbitration: Disputes between researchers and Lombard can be escalated to Immunefi for mediation. The program has arbitration enabled for unresolved disagreements.


Why Lombard Invests in Bug Bounties

The protocol secures over $1.5 billion in user Bitcoin. A single critical vulnerability could result in catastrophic losses—not just financial, but to the trust that users place in the protocol.

Bug bounties create alignment between the protocol and the security research community. Researchers earn substantial rewards for finding issues before malicious actors do. Lombard benefits from continuous scrutiny that supplements formal audits.

The $250,000 maximum bounty reflects the value Lombard places on security. For critical vulnerabilities affecting substantial funds, paying six figures to a white-hat researcher is far preferable to losing user assets to an exploit.


Additional Security Measures

The bug bounty program is one layer of Lombard's security framework:

  • At least two independent audits (from OpenZeppelin, Halborn, Veridise, Cantina, and Sherlock) before every major release

  • Runtime monitoring through Hexagate for 24/7 threat detection

  • Proof of reserves via Chainlink and Redstone oracles

  • Security Consortium of 15 institutional validators

  • Hardware-isolated key storage through Cubist's CubeSigner

  • Full-time security engineer reviewing all code changes

