26 March 2021
SushiSwap is an automated market-making (AMM) decentralized exchange (DEX) that allows users to provide liquidity for token swaps.
The bug bounty program focuses on its smart contracts and web app, with the aim of preventing the loss of user funds.
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
Smart Contracts and Blockchain*
|Critical|up to USD $1,000,000|
|High|up to USD $40,000|
|Medium|up to USD $5,000|
|Low|up to USD $1,000|
Websites and Apps*
|Critical|up to USD $100,000|
*All payments, both for smart contracts and the website, are capped at 10% of economic damage. The only web vulnerabilities in scope are those which lead directly and unequivocally to loss of user funds, such as by spoofing transactions on the Sushi interface.
SushiSwap is open to rewarding bounties beyond the critical cap for vulnerabilities with extreme impact.
Payouts are handled by the SushiSwap team directly and are denominated in USD. Payouts worth USD $100,000 and below are done in USDC. Payouts beyond USD $100,000 are made in SUSHI, though the first $100,000 can be made in USDC if requested.
|https://etherscan.io/address/0xF5BCE5077908a1b7370B9ae04AdC565EBd643966|Smart contract - BentoBox|
|https://etherscan.io/address/0x6b3595068778dd592e39a122f4f5a5cf09c90fe2|Smart contract - Sushi Token|
|https://etherscan.io/address/0xc2edad668740f1aa35e4d8f227fb8e17dca888cd|Smart contract - MasterChef v1|
|https://etherscan.io/address/0xe94b5eec1fa96ceecbd33ef5baa8d00e4493f4f3|Smart contract - Treasury Wallet|
|https://etherscan.io/address/0xc0aee478e3658e2610c5f7a4a2e1777ce9e4f2ac|Smart contract - SushiFactory|
|https://etherscan.io/address/0xe11fc0b43ab98eb91e9836129d1ee7c3bc95df50|Smart contract - SushiMaker|
|https://etherscan.io/address/0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f|Smart contract - SushiRouter|
|https://etherscan.io/address/0x74A81CB5b6996d9347b864b9a1492a6509e51e65|Smart contract - Kashi Lending|
|https://etherscan.io/address/0x00632CFe43d8F9f8E6cD0d39Ffa3D4fa7ec73CFB|Smart contract - ChainlinkOracleV2|
|https://etherscan.io/address/0x1766733112408b95239aD1951925567CB1203084|Smart contract - SushiSwapSwapperV1|
|https://etherscan.io/address/0x2cBA6Ab6574646Badc84F0544d05059e57a5dc42#code|Smart contract - KashiPairMediumRiskV1|
|https://etherscan.io/address/0xcbe6b83e77cdc011cc18f6f0df8444e5783ed982#code|Smart contract - SushiDistributor|
We are especially interested in receiving and rewarding vulnerabilities of the following types:
The following vulnerabilities are excluded from the rewards for this bug bounty program:
Websites and Apps
The following activities are prohibited by this bug bounty program: