# Bug Bounty Program
Dualis Finance values the security research community and encourages responsible disclosure of vulnerabilities. This page outlines the scope, severity levels, and reporting process for our bug bounty program.
## Reporting Vulnerabilities
If you have discovered a security vulnerability in Dualis Finance, please report it responsibly. Do not disclose the vulnerability publicly until it has been addressed.
Send all vulnerability reports to security@cayvox.com.
Include the following information in your report:
- A clear description of the vulnerability and its potential impact.
- Step-by-step reproduction instructions.
- The affected component (DAML contracts, API, frontend, infrastructure).
- Any proof-of-concept code or screenshots that demonstrate the issue.
- Your assessment of the severity level (see below).
## Scope
The bug bounty program covers the following components of the Dualis Finance protocol:
| Component | In Scope | Examples |
|---|---|---|
| DAML Smart Contracts | Yes | Signatory bypass, unauthorized choice exercise, interest calculation errors, liquidation logic flaws, state manipulation |
| API (Fastify) | Yes | Authentication bypass, authorization escalation, injection attacks, rate limit bypass, sensitive data exposure |
| Frontend (Next.js) | Yes | XSS, CSRF, open redirects, client-side logic that bypasses server validation, wallet interaction vulnerabilities |
| Infrastructure | Limited | TLS misconfiguration, exposed services, Docker escape vectors. Note: denial of service attacks against infrastructure are out of scope. |
| Third-party services | No | Vulnerabilities in Sumsub, Chainalysis, PartyLayer, or Canton itself should be reported to those providers directly. |
## Severity Levels
Vulnerabilities are classified into four severity levels based on their potential impact on user funds, data integrity, and protocol operations:
| Severity | Description | Examples |
|---|---|---|
| Critical | Direct loss of user funds or complete protocol compromise | Unauthorized asset transfer, DAML signatory bypass allowing fund drain, authentication bypass granting admin access |
| High | Significant financial impact or data breach | Interest rate manipulation, incorrect liquidation thresholds, access to other users' position data, privilege escalation to admin role |
| Medium | Limited financial impact or partial data exposure | Rate limit bypass enabling resource exhaustion, information leakage in error responses, CSRF on non-critical state-changing endpoints |
| Low | Minimal impact, best practice violations | Missing security headers on non-sensitive pages, verbose error messages in development endpoints, minor UI rendering issues with security implications |
## Responsible Disclosure Policy
Dualis Finance follows a responsible disclosure model to protect users while giving the security team adequate time to address vulnerabilities:
- Report privately: Send your findings to security@cayvox.com. Do not post vulnerabilities on social media, GitHub issues, Discord, or any public forum.
- Allow remediation time: Give the Dualis team a reasonable timeframe (typically 90 days) to investigate, develop a fix, and deploy it before any public disclosure.
- Do not exploit: Do not use the vulnerability to access, modify, or delete data beyond what is necessary to demonstrate the issue. Do not interact with other users' accounts or funds.
- Coordinated disclosure: Once the fix is deployed, the Dualis team will coordinate with the reporter on a joint disclosure that credits their contribution.
## Recognition
We believe in recognizing the contributions of security researchers who help make Dualis safer. With the reporter's consent, we will credit them in our security advisories and maintain a public Hall of Fame on this documentation site. Bounty rewards will be determined based on severity, quality of the report, and impact assessment.