
SushiSwap

SushiSwap is an automated market-making (AMM) decentralized exchange (DEX) that allows users to provide liquidity for token swaps.

Arbitrum
Avalanche
BSC
Celo
ETH
Fantom
Gnosis
Harmony
Heco
Kava
Linea
Metis
Moonbeam
Optimism
Polygon
Defi
AMM
DEX
Staking
Solidity
Maximum Bounty: $200,000
Live Since: 26 March 2021
Last Updated: 18 November 2024
PoC required

Codebase

  • SushiXSwap Contracts (Program Contracts) - Link
  • SushiSwap Smart Contracts (Github repository) - Link

Documentation

  • SushiSwap Documentation (Program Documentation) - Link

However, only the contracts listed in this table are considered within the scope of the bug bounty program.

SushiXSwap contracts can be found here. Furo contracts can be found here. RouteProcessor contracts can be found here. Other contracts, outside of the ones mentioned here, might be considered on a case-by-case basis, as long as economic damage can be achieved.

Submission Requirements

In order to be considered for a reward, all bug reports must contain the following:

  • Description of the suspected vulnerability
  • PoC demonstrating the vulnerability for reproduction (a high-level PoC is acceptable)
  • Steps to reproduce the issue
  • Your name and/or your colleagues' names, if you wish to be recognized later
  • (Optional) A patch and/or suggestions to resolve the vulnerability

Ethical Behavior Requirements

Responsible disclosure is predicated on ethical behavior. These guidelines outline best practices for the community as a whole, whether you are the reporter or the recipient of a report. By stating that you adhere to this policy, you’re claiming to handle vulnerability information ethically and to abide by the following:

  • Do not attempt to leverage a vulnerability, or knowledge of its existence, as part of a financial trading strategy or otherwise for financial gain.
  • Do not attempt to compromise systems upon which development of a product relies, including but not limited to development systems, accounts, domains, email, etc.
  • Do not attempt to sell vulnerability information or exploits.
  • Do not ask for any form of compensation from an affected party. You may compensate a disclosing party if you would like to, after all known vulnerability details have been disclosed.
  • Do not disclose a bug or vulnerability on mailing lists, public boards, forums, social media or any other channel prior to responsibly disclosing it to the organizations you have a published relationship with.
  • Do not attempt any illegal acts, including phishing, physical attacks, DDoS, or any attempt to gain access without authorization.

3rd Party Affected Projects

In the case where we become aware of security issues affecting other projects that have never affected SushiSwap, our intention is to inform those projects of security issues on a best effort basis.

In the case where we fix a security issue in SushiSwap that also affects the following neighboring projects, our intention is to engage in responsible disclosures with them as described in the adopted standard, subject to the deviations described in the deviations section below.

Deviations from the Standard

In the case of a counterfeiting or fund-stealing bug affecting SushiSwap, however, we might decide not to include those details with our reports to partners ahead of coordinated release, as long as we are sure that they are not vulnerable.

Notes on Expected Behaviors

  • Any unaccounted ETH or ERC20 in the BentoBox can be skimmed.
  • Any report involving tokens other than ERC20s (e.g. ERC777 tokens) will not be considered in scope.