Bug Bounty

Dark Fusion Bug Bounty

The Dark Fusion Bug Bounty allows community members and external participants to get rewarded for reporting bugs in the Dark Fusion protocol, application and smart contracts. Below are the overview, rules, exclusions and scope for the Bug Bounty.

Overview:

The Dark Fusion Bug Bounty Program (the “Program”) aims to incentivise responsible bug disclosures within the Dark Fusion software.

$DFG from the Dark Fusion Treasury will be used to reward users who disclose appropriate bugs within Dark Fusion technology that fit within the rules below.

General Rules & Guidelines:

  1. Decisions on the eligibility and size of a reward are at the sole discretion of the Dark Fusion team and selected community members and/or auditors.

  2. The vulnerability must not be disclosed publicly or to any other person/s, entity, or email address before the Dark Fusion team has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.

  3. Provide us with at least 5 working days to investigate the issue and respond to you.

  4. Any vulnerabilities should be submitted via email to the following contact: bugbounty@darkfusion.tech, and/or by contacting admins in the official Telegram channel.

  5. Issues without steps to reproduce are ineligible for the bug bounty.

  6. Issues must be new to the team. They can’t have already been identified by another user or by our audit.

  7. When possible, avoid privacy violations, degradation of user experience, disruption to production systems or data during security testing.

  8. No employees, contractors or others with current or prior commercial relationships with Dark Fusion or any of its holding and/or operating companies are eligible for rewards.

  9. Technical knowledge is required for the process.

  10. Submissions need to be related to the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.

  11. Any activities conducted in a manner consistent with the rules and guidelines will be considered authorised conduct and we will not initiate legal action against you.

Prioritised Vulnerabilities:

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Smart Contracts/Blockchain:

  • Re-entrancy

  • Logic errors
      ◦ including user authentication errors

  • Trusting trust/dependency vulnerabilities
      ◦ including composability vulnerabilities

  • Oracle failure/manipulation
      ◦ excluding real market activity
      ◦ excluding external oracle manipulation

  • Novel governance attacks

  • Congestion and scalability
      ◦ including running out of gas
      ◦ including block stuffing
      ◦ including susceptibility to frontrunning

  • Consensus failures

  • Cryptography problems
      ◦ Signature malleability
      ◦ Susceptibility to replay attacks
      ◦ Weak randomness
      ◦ Weak encryption

  • Susceptibility to block timestamp manipulation

  • Missing access controls / unprotected internal or debugging interfaces

Web/App:

  • For web vulnerabilities, Dark Fusion is strictly interested in those that cause direct and unequivocal loss or permanent locking of user funds

  • An example would be a vulnerability that lets an attacker spoof transactions on Dark Fusion web applications, leading to theft of funds

How to submit a bug report:

Please send your bug report to bugbounty@darkfusion.tech
