SushiSwap

SushiSwap is an automated market-making (AMM) decentralized exchange (DEX) that allows users to provide liquidity for token swaps.

Further resources regarding SushiSwap can be found on their website, https://sushi.com and documentation.

SushiSwap contracts consist of two protocols (Swap/AMM & Furo/Payments) built on top of the BentoBox vault system (where all funds are stored), and a set of peripheral contracts to perform various duties like fee collecting.

Program focuses on three sets of contracts w/ majority of the contracts being built on top of BentoBox:

• Swap/Trident (AMM contracts)
• SushiXSwap (Cross-chain swaps)
• Furo (Streams/Vesting contracts)
• Peripherals (Routers & Makers)

The bug bounty program is focused around it's smart contracts for the purpose of preventing the loss of user funds.

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Theft of Yield vulnerability reports are temporarily not in scope for this bug bounty program, though this attack may be in the future.

All web/app bug reports must come with a PoC. All bug reports without a PoC will not be accepted under this bug bounty program.

All critical payments for smart contracts are capped at 10% of economic damage.

Sushiswap is open to rewarding bounties beyond the critical cap for vulnerabilities with extreme impact.

Payouts are handled by the SushiSwap team directly and are denominated in USD. Payouts worth USD $100,000 and below are done in USDC. Payouts beyond USD $100,000 up to USD 200,000 are made in SUSHI, though the first $100,000 can be made in USDC if requested.

Smart Contract

A full list of the smart contracts of SushiSwap can be found in their Github repository. However, only the contracts listed in this table are considered as within the scope of the bug bounty program.

BentoBox can be found here. Trident contracts can be found here. SushiXSwap contracts can be found here. Furo contracts can be found here. Other contracts, outside of the ones mentioned here, might be considered on a case by case basis, as long as economic damage can be achieved.

Submission Requirements

In order to be considered for a reward, all bug reports must contain the following:

• Description of suspected vulnerability
• POC demonstrating the vulnerability for reproduction, can be a high-level POC
• Steps to reproduce the issue
• Your name and/or colleagues if you wish to be later recognized
• (Optional) A patch and/or suggestions to resolve the vulnerability

Ethical Behavior Requirements

Responsible disclosure is predicated on ethical behavior. These guidelines outline best practices for the community as whole, whether you are reporting, or the recipient of a report. By stating that you adhere to this policy, you’re claiming to handle vulnerability information ethically, and abide by the following:

• Do not attempt to leverage a vulnerability, or information of its existence as part of a financial trading strategy or otherwise for financial gain.
• Do not attempt to compromise systems upon which development of a product relies; including but not limited to compromising development systems, accounts, domains, email, etc..
• Do not attempt to sell vulnerability information or exploits.
• Do not ask for any form of compensation from an affected party. You may compensate a disclosing party if you would like to after all known vulnerability details have been disclosed.
• Do not disclose a bug or vulnerability on mailing lists, public boards, forums, social media or any other channel prior to Responsibly Disclosing to the organizations you have a published relationship with
• Do not attempt any illegal acts, including phishing, physical attacks, DDoS, or any attempt to gain access without authorization.

3rd Party Affected Projects

In the case where we become aware of security issues affecting other projects that have never affected SushiSwap, our intention is to inform those projects of security issues on a best effort basis.

In the case where we fix a security issue in SushiSwap that also affects the following neighboring projects, our intention is to engage in responsible disclosures with them as described in the adopted standard, subject to the deviations described in the deviations section below.

Deviations from the Standard

In the case of a counterfeiting or fund-stealing bug affecting SushiSwap, however, we might decide not to include those details with our reports to partners ahead of coordinated release, as long as we are sure that they are not vulnerable.

Notes on Expected Behaviors

• Any unaccounted ETH or ERC20 in the BentoBox can be skimmed.
• Any reports that involve tokens outside of ERC20s will not be considered in scope. (i.e. ERC777 tokens)

When submitting a bug report, please select the severity level you feel best corresponds to the severity classification system.

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited himself, leading to damage
• Attacks that rely on social engineering
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (i.e. owners of contracts)
  • Basic economic governance attacks (i.e. 51% attack)
  • Loss of positive slippage through Sandwich Attacks
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

Smart Contracts

• Incorrect data supplied by third party oracles/exchange rate being outdated
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Loss of positive slippage through Sandwich Attacks
• Lack of liquidity
• Best practice critiques
• Sybil attacks

The following activities are prohibited by bug bounty program:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty

RULES

The rules of this bug bounty are as follows:

• Testing has been done on a private testnet; Any testing with mainnet or public testnet contracts will not be warranted to a bounty reward.
• Bug has not been publicly disclosed.
• Vulnerabilities that have been previously submitted by another contributor or already known by the SushiSwap development team are not eligible for rewards.
• The size of the bounty payout depends on the assessment of the severity of the exploit. Please refer to the rewards section for additional details.
• Bugs must be reproducible in order for us to verify the vulnerability.
• Rewards and the validity of bugs are determined by the SushiSwap development team and any payouts are made at their sole discretion.
• Terms and conditions of the Bug Bounty program can be changed at any time at the discretion of SushiSwap.

Bug Bounty FAQ

Q: Is there a time limit for the Bug Bounty program? A: No, the Bug Bounty program currently has no end date, but this can be changed at any time at the discretion of SushiSwap.

Q: Can I submit bugs anonymously and still receive payment? A: Yes, if you wish to remain anonymous you can do so and still be eligible for rewards as long as they are for valid bugs. Rewards will be sent to the valid Ethereum address that you provide.