Wiselending

Sovryn: Program Info

sovryn.com

Public Bounty

SCOPE

Max Payout: $1,000,000

Max Resolution Time: 30 Business Days

Start Date: 24th April 2024

Documentation: wiki.sovryn.com/en/home

RULES

Focus Area

In Scope

  • Direct theft of any user funds - whether at-rest or in-motion - other than unclaimed yield
  • Freezing or shutdown of systems
  • Major price manipulation (>=50)
  • Unauthorized mint/burn/transfer of assets
  • Minor price manipulation
  • Temporary freezing of funds for any amount of time
  • Access control is bypassed - including privilege escalation
  • Theft or permanent freezing of unclaimed yield
  • Unexpected logic executions (doesn’t lose value)
  • Users could lose funds due to rounding
  • Griefing (e.g. no profit motive for an attacker but damage to the users or the protocol)

Out of Scope

  • Vulnerabilities that have already been exploited
  • Centralization-related vulnerabilities related to: private keys, privileged addresses, governance, credentials, etc.
  • Incorrect data supplied by third party oracles (Not to exclude oracle manipulation/flash loan attacks)
  • Basic economic governance attacks (e.g. 51% attack)
  • Best practice critiques
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Reports generated by scanners or any automated or active exploit tools
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues without clear impact
  • Denial of service (DoS/DDoS)
  • Theoretical issues
  • Moderately Sensitive Information Disclosure
  • Spam (SMS, email, etc.)
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:

Unique T&Cs

  • Rewards are distributed according to the impact of the vulnerability based on this classification system
  • All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. In addition, Critical and High severity reports must come with a suggestion for a fix to be considered for a reward.
  • Critical and High severity Solidity Contracts bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code or pseudo code is required. In addition, Critical and High severity reports must come with a suggestion for a fix to be considered for a reward.
  • Rewards for critical smart contract and blockchain/DLT vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 50 000 for Critical bug reports.
  • For Blockchain/DLT infrastructure, only vulnerabilities that result in direct economic damage to yield will be considered as High, and only vulnerabilities that result in direct economic damage to principal funds will be considered as Critical.
  • Payouts are handled by the Sovryn team directly and are denominated in USD. 50% of the payouts are done in BTC, and the other 50% is paid out in SOV according to a 24 month vesting schedule (with monthly vesting).

REWARDS

Critical: $50,000 to $1,000,000

High: $8,800 - $22,140

Medium: $2,200 - $8,800

Low: $2,200