Sanctum Partners With Immunefi to Coordinate on a 1-Week Bug Bounty Program for UNION’s C-OP Product.

Sanctum Security
4 min readApr 23, 2021

Sanctum is delighted to announce the launch of a bug bounty program for UNION’s collateral optimization (C-OP) with ImmuneFi — DeFi’s leading bug bounty platform. With C-OP set to launch soon, ImmuneFi will host a public 1-week bug bounty program to identify and disclose vulnerabilities in the C-OP product code.

“Ensuring the robust review and security of UNION infrastructure, processes, code, and data is a core Sanctum mandate. Immunify offers a best-of-breed platform, and unparalleled base of expertise to coordinate and constructively channel crowd-sourced feedback into improved suretty for the C-OP platform. We’re excited to have them engaged in our release process,” said Michael Beck, UNION’s project lead.

ImmuneFi has helped DeFi projects secure over $25 billion in value by rewarding white-hat hackers for discovering vulnerabilities in smart contract code for protocols, applications, and DeFi platforms deployed to the mainnet of public blockchains. The platform has paid out more than $1.7 million in bounties so far and is trusted by some of the leading projects in DeFi including Synthetix, Nexus Mutual, SushiSwap, and PoolTogether.

The C-OP bug bounty program has been provisioned this week and is going through final configuration for launch the week of April 26th. OFFICIAL ANNOUNCEMENT WILL BE IN OUR APRIL 26TH UPDATE — incentivizing hackers to discover bugs in the C-OP contracts that lead to:

  • Loss of user funds
  • Data breaches
  • Denial of service attacks
  • Data leaks
  • Flash loan vulnerability

The program will use ImmuneFi’s default rules, with payouts for successful identification and disclosure of bugs issued in USDT — KYC/AML is only a requirement for larger dollar-denominated payouts, and will not be required for general participation by hackers.

As a result, bug classification and rewards will follow ImmuneFi’s Vulnerability Severity Classification System, which is based on a 5-tier scale contingent on the consequences of a successful exploit:

  1. Critical
  2. High
  3. Medium
  4. Low
  5. None


Critical bug examples include emptying or freezing of the contract’s holdings, such as reentrancy attacks, flash loan exploits, logic errors, economic exploits, and integer over/under-flow.


High-level vulnerabilities include instances where token holders are temporarily unavailable to transfer holdings, users can spoof each other, trusting composability bugs, and transient consensus failures.


Medium-tier threats include contract out of gas scenarios, consumption of unbounded gas by the contract, block stuffing, and denial of service exploits (e.g., spamming block space).


Low-level threats constitute the contract’s failure to deliver promised returns but don’t lose value.


The “none” tier is classified as not following best practices.

Payout Tiers

Based on the above classifications, the total bug bounty budget will be divided amongst the following tiers:

  • Critical — $10,000 (requires KYC)
  • High — $5,000 (requires KYC)
  • Medium — $500
  • Low — $250
  • None — N/A

The program will also use ImmuneFi’s bug triaging and program management service to optimally handle incoming exploit disclosures and payouts.

Bug bounties are critical to uncovering vulnerabilities within DeFi contracts.

In a highly complex design space with anonymous users scouring open-source code for exploitable opportunities, bug bounty programs provide an additional layer of preventative protection for contracts storing millions of dollars in user funds on permissionless networks. In line with Sanctum’s Center of Excellence (COE) approach, the ImmuneFi bug bounty program for C-OP can provide both a technical exposition of the contract’s robustness to vulnerabilities and offer assurances to C-OP users that the product they’re using has undergone a comprehensive review at the highest tiers of smart contract security expertise on blockchains.

For more information, please refer to the ImmuneFi Severity Classification System Overview. We look forward to the launch of the bug bounty program and welcome all hackers to participate!

About Sanctum Security

Sanctum Security (“Sanctum”) is a cybersecurity Center of Excellence (CoE) within the UNION Protocol Foundation. It works actively within the scope of the UNION Protocol Foundation, UNN ecosystem, and external client engagement to ensure broad application of cutting edge approach and best practice application of infrastructure, operational, data, and smart contract security.


UNION is a technology platform that combines bundled protection and a liquid secondary market with a multi-token model. DeFi participants manage their multi-layer risks across smart contracts and protocols in one scalable system. UNION decreases the entry barriers for retail users and lays the foundation for institutional investors. UNION’s full-stack DeFi protection is inclusive, composable, and brings battle-tested capital and pricing models from TradFi to the DeFi ecosystem.




Telegram ANN:



Sanctum Security

Sanctum Security (“Sanctum”) is a cybersecurity Center of Excellence (CoE) within the UNION Protocol Foundation. It works actively within the scope of the UNION