# Security

The security of the Auctus protocol is our highest priority. To ensure top-notch security, the Auctus protocol smart contracts were audited by OpenZeppelin and have undergone rigorous internal testing. We also run an ongoing bug bounty program through which community members can report bugs or vulnerabilities.

## Audits

ACO has completed a full audit with OpenZeppelin. The audit report is linked below.

[OpenZeppelin Audit](https://blog.openzeppelin.com/aco-protocol-audit/)

## Bug Bounty

The bug bounty covers any of the core smart contracts deployed on mainnet. The code can be found at: <https://github.com/AuctusProject/aco>

### Rewards

The bounty program will pay out rewards according to the severity of a vulnerability. The final reward amount is at the sole discretion of Auctus.

| Reward               | Severity | Examples                                                                                                                                     |
| -------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| **$5,000 - $15,000** | Critical | <ul><li>Stealing collateral assets</li><li>Permanently freezing collateral assets</li></ul>                                                  |
| **$2,000 - $5,000**  | High     | <ul><li>Severe rounding errors where an attacker can steal significant collateral in excess of any gas costs</li></ul>                       |
| **$1,000 - $2,000**  | Medium   | <ul><li>Minor rounding errors that allow an attacker to slowly manipulate collateral to their advantage in excess of any gas costs</li></ul> |
| **$0 - $1,000**      | Low      | <ul><li>Informational and code quality based disclosures</li></ul>                                                                           |

### Reporting / Disclosures

Please report any findings **only to** <contact@auctus.org> with full details about the vulnerability and the steps or code needed to reproduce it. Allow us time to review and remediate any findings before public disclosure.

### Ineligible Findings

* Duplicate vulnerabilities; only the first reporter will be rewarded.
* Findings already known as part of a formal audit.
* Front-end bugs.
* DDoS attacks.
* Spamming.
* Findings produced solely by automated tools.
* Compromising or misusing third-party systems or services.
