What to investigate
All contracts in our /contracts in the repo https://github.com/sushiswap/sushiswap-settlement are eligible for the bounty.
Bounty Size
The size of the bounty will vary depending on the severity of the issue discovered. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood.
- Critical: up to 10000 SUSHI
- High: up to 5000 SUSHI
- Medium: up to 500 SUSHI
- Low: up to 100 SUSHI
Submission
If you find a vulnerability, leave a reply using this form:
- Summary
- Reproduce Steps
- URL of source code and line number (optional)
- Token Names (optional)
If we cannot reproduce an issue we will not be able to reward it.
Other considerations
In addition to severity, other variables are also considered:
- Quality of description. Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
- Quality of fix, if included. Higher rewards are paid for submissions with a clear description of how to fix the issue.