SushiSwap
SushiSwap is an automated market-making (AMM) decentralized exchange (DEX) that allows users to provide liquidity for token swaps.
PoC required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
When submitting a bug report, please select the severity level you feel best corresponds to the severity classification system.
Out of scope
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited himself, leading to damage
- Attacks that rely on social engineering
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (i.e. owners of contracts)
- Basic economic governance attacks (i.e. 51% attack)
- Loss of positive slippage through Sandwich Attacks
- Lack of liquidity
- Best practice critiques
- Sybil attacks
Smart Contracts
- Incorrect data supplied by third party oracles/exchange rate being outdated
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Loss of positive slippage through Sandwich Attacks
- Lack of liquidity
- Best practice critiques
- Sybil attacks
The following activities are prohibited by bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
RULES
The rules of this bug bounty are as follows:
- Testing has been done on a private testnet; Any testing with mainnet or public testnet contracts will not be warranted to a bounty reward.
- Bug has not been publicly disclosed.
- Vulnerabilities that have been previously submitted by another contributor or already known by the SushiSwap development team are not eligible for rewards.
- The size of the bounty payout depends on the assessment of the severity of the exploit. Please refer to the rewards section for additional details.
- Bugs must be reproducible in order for us to verify the vulnerability.
- Rewards and the validity of bugs are determined by the SushiSwap development team and any payouts are made at their sole discretion.
- Terms and conditions of the Bug Bounty program can be changed at any time at the discretion of SushiSwap.
Bug Bounty FAQ
Q: Is there a time limit for the Bug Bounty program? A: No, the Bug Bounty program currently has no end date, but this can be changed at any time at the discretion of SushiSwap.
Q: Can I submit bugs anonymously and still receive payment? A: Yes, if you wish to remain anonymous you can do so and still be eligible for rewards as long as they are for valid bugs. Rewards will be sent to the valid Ethereum address that you provide.