Program Period: October 27, 2021 — November 26, 2021 (23:59:59 UTC)
Max Bounty: USD 50,000 (paid in USDT)
WOOFi Swap is a decentralized exchange using a brand new on-chain market making algorithm called Synthetic Proactive Market Making (sPMM), which is designed for professional market makers to generate an on-chain orderbook simulating the price, spread and depth from centralized liquidity sources. Here’s a quick overview of WOOFi Swap and its core design principles.
With the Alpha launch, we are excited to introduce the community bug bounty program, which focuses on WOOFi Swap’s smart contracts and is mostly concerned with the loss of user funds. The program will last the entire Alpha testing period and you can submit your bugs here. A new bug bounty program will be released after the alpha period.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, covering the consequences of exploitation, the privileges required, and the likelihood of a successful exploit:
The smart contracts under other folders are not considered in scope for this bug bounty program. The smart contracts have been deployed to mainnet; please see Contracts for the addresses.
General Rules & Exclusions
To be eligible for a reward under this Program, you must:
Discover a previously unreported, non-public vulnerability that would result in a loss of and/or lock on assets on WOOFi Swap (but not on any third party platform interacting with WOOFi Swap) and that is within the scope of this Program. Vulnerabilities must be distinct from the issues covered in audits.
Be the first to disclose the unique vulnerability via the application form, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24-hour period, rewards will be split at the discretion of the team.
Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of WOOFi Swap.
Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
Not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors.
Not be subject to US sanctions or reside in a US-embargoed country.
Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
Reports containing the following issues or vulnerabilities are not eligible for a reward at any severity level:
Any issues that rely on running out of gas because of the variable-sized data structure for holding token information
Any issues that rely on custom or non-typical token implementations (here, “typical” means “included in the current implementations of BTC, ETH, BNB, and USDT”).
Issues related to the validation of function inputs if those functions are restricted to administrators only or if incorrect function inputs only affect the assets of the sender.
Anything related to the miscomputation of the square root of 2.
Any issues that involve contract ownership not being set correctly.
Any issues that involve an unrealistically large asset pool (more than twenty assets, more than $250M in assets at current prices).
The following vulnerabilities are excluded from the rewards for this bug bounty program:
Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses or accounts (deployer, ownership, governance)