Expand and increase bug bounty program

EDIT: DAO Vote: Snapshot

We started a bug bounty program for Lido a while ago; since then, there have been two valid admissions out of two, both of no practical impact.

Immunefi’s handling of bounty programs is nothing but professional, and they attract the brightest security minds in the space.

It’s time to increase and expand Lido’s bug bounty program.

Expanding bug bounty program beyond Ethereum

Lido’s going increasingly more multichain. With bLuna and soon stSOL in its box of products, it’s important to secure all of our mission-critical code.

LEGO’s got a mandate to manage Lido’s bounty program, within allotted limits, and going to handle that increase. We will add separate programs on Immunefi, to limit potential compromise, with the same terms as the existing bounty program but a different set of targets.

Increasing bug bounty program

Lido’s a very mission-critical project and is a very lucrative target. The realities of the bug bounty market for DeFi these days also set the bar for critical vulnerabilities bounties quite high. It’s time to increase Lido’s bug bounty to a reasonably big level.

I propose granting LEGO the power to select critical targets and vulnerability types and raise a bounty for them up to $2m depending on potential impact.

We should designate a subset of targets and subset of vulnerabilities that will get a maximal payout, starting with:

  • Lido on ETH’s governance contracts, liquid staking contracts, oracle contracts, and node operators registry
  • Solido (Lido for Solana) contracts and governance multisig contracts
  • bLuna’s essential smart contracts

Make bug bounty payment more discreet

One more change is needed to be done for LEGO processes: currently, all payments of boulder and larger size need to be posted on research.lido.fi with details; that is not a great process when it’s a payment for a (yet or ever) unmitigated vulnerability in smart contracts.

I propose an amendment to LEGO rules that would allow bug bounty payments to go before specifying the exact reason of payment, at the condition that the reason will be disclosed within 90 days.

Next steps

The first change is being discussed and implemented as I write this.

The second and third amendments are not within LEGO’s mandate, so it requires a snapshot vote, which will come after the discussion on this topic is concluded.


Very much in favor of all of these to provide additional security to Lido, especially as the DAO/st-tokens expand to other networks. Imo, a large enough bug bounty program in relation to the Value-at-Risk is essential to sufficiently motivate bounty hunters. Given there is currently already $5bn at risk, an increase here to $2m seems very appropriate.


The vote is available at

We expect to stabilize our code soon enough and we want bug bounty for stKSM and eventually stDOT as well. Keep us in mind :slight_smile:

1 Like

Of course, hit LEGO up when you want it implemented.