🪲 Open Bug Bounty

Submission Process

Contact the team via Discord: https://www.opendollar.com/discord or email: security (at) opendollar.com
Reward amount will be determined by the severity of the vulnerability
Please include as much detail as possible, ideally including tests to reproduce the issue
Payouts will be given via USDC on mainnet. For US Citizens a W9 or business tax ID may be required.
Awards will not be given for previously addressed / acknowledged findings. A list of prior audits can be found in the Readme for each repository.

Only the owner of a particular NFV can ever mint debt against the corresponding safe.
If the ERC-721 token from Vault721 is transferred, so too is the ownership and control of the corresponding safe. Meaning only the owner can transfer it or mint debt against it.
Users must exclusively use the ODProxy to interact with their safes.
When a fresh account, which has never interacted with the protocol, receives an NFV via ERC721 transfer, an ODProxy should always be deployed for them.
ODProxy cannot be transferred or change owner.
There is 1 safe for each ERC-721 token, and the safe ID always corresponds to the NFT ID.
Proper Access Control ensures that transferring safes can only be performed using the Vault721 .
A user only ever has a single ODProxy deployed for them.

Server-side attacks such as SSRF, SQLi, Code Injection, RCE
GraphQL specific attacks(batch queries, DoS via nested queries, CSRF attacks)
Client-side review of the web application
Review for potential XSS, HTML injections, prototype pollutions and other client-side attacks
Processing of the NFT and any other external context
Security headers configuration review HSTS, CSP policies)
Storage review
Business logic contradicting the specification
Code clones, functionality duplication
Denial of service / logical oversights