Bug Bounty

The WardenSwap bug bounty program covers all smart contracts that interact with or hold users' funds. If there is any bug in our system, we encourage users and researchers to submit a report to us and receive a suitable bounty as an incentive.

Introduction

The bug bounty program from the Warden Swap Platform currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:

  1. Smart contracts for Multi-Chain Best Rate Swap

  2. Smart contracts for Farm & Liquidity Providing

The program may be expanded in the future to include more asset types such as frontends and apps.

Risk rating methodology

We generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.

Report policy

A bug report may qualify for a reward only when:

  • It makes the Warden team aware of the bug for the first time.

  • The reporter allows the Warden team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public.

  • The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document or allowed anyone else to profit outside the bug bounty program.

  • A bug is reported without any conditions, demands, or threats.

  • The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately at our sole discretion whether a report meets the reward requirements.

  • The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:

    • The conditions on which reproducing the bug is contingent.

    • The steps needed to reproduce the bug or, better yet, a proof-of-concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.

    • The potential implications of the vulnerability being abused.

  • Multiples or duplicates

    • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

    • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

    • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.

Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

Ineligible methods

Vulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:

  • Social engineering

  • DDoS attacks

  • Spamming

  • Any physical attacks against Warden property, data centers or employees

  • Automated tools

  • Compromising or misusing third party systems or services

Ineligible bugs

  • Vulnerabilities that are already known to the public or to the Warden team, including previous findings from another participant in the bug bounty program.

  • Vulnerabilities in outdated software from Warden, or vulnerabilities that affect only outdated third-party software.

  • Bugs that are not reproducible.

  • Bugs disclosed to other parties without consent from the Warden team.

  • Issues which we cannot reasonably be expected to be able to do anything about.

  • Cookies missing security flags (for non-sensitive cookies).

  • Missing security controls that are generally considered “best practice”, such as:

    • Content Security Policy (CSP) HTTP header

    • HTTP Public Key Pinning (HPKP)

    • Subresource integrity

    • Referrer-Policy

  • The following vulnerabilities in a vendor we integrate with:

    • Cross-site Scripting (XSS)

    • Cross-Site Request Forgery (CSRF)

    • Cross Frame Scripting

    • Content Spoofing

  • Vulnerabilities that only affect users of outdated or unpatched browsers and platforms.

  • Weak TLS and SSL ciphers (which we are already aware of)

Response time

Please allow 5 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.

Smart Contracts Scope

At this time, rewards will be paid out for vulnerabilities discovered in the core smart contracts of the Warden Swap Platform as listed below. Exploits may be grouped as follows:

  1. Function-level (exploitable through a single entry-point)

  2. Contract-level (combining multiple entry-points)

  3. System-level (combining multiple contracts)

The bounty levels (smart contracts only) are as follows:

Level      Bounty
Critical   up to $100,000 + NFT*
High       up to $10,000 + NFT*
Medium     up to 5,000 + NFT*
Low        NFT*

  • For NFT souvenirs: if the NFT system has not been released yet, we will reward you later once it is ready.

  • We accept only smart contract vulnerabilities or bugs.

  • All bounties will be paid in WAD tokens (at the USD rate at the time of payment).

Conclusion

Our vision is to create the Best Rate Engine for all mankind; together we can make the future and the world better!