Since the start of our journey, we’ve been commited to a fully-secure DEX. We’ve undergone two audits with both Certik & Peckshield in order to find any form of vulnerability that could threaten the safety and security of our users’ funds. We’ve been active in rectifying some of these vulnerabilities as well as removing any bugs that may threaten the security of our users. However, we want to go a step further in fully securing our DEX. Today, we are announcing the launch of our Immunefi Bug Bounty Program.
As with any bug bounty program, rewards will be distributed based on the impact of the vulnerability. Our distribution of bug bounty rewards will be tied into the Immunefi Vulnerability Severity Classification System. This system adopts a simplified 5-level scale ranging from 1-None to 5-Critical. This scale encompasses all aspects of a bug: From the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.
The scope of our bug bounty program are as follows:
Assets in Scope
- Smart Contract: Router
- Smart Contract: $MILKY
- Smart Contract: MasterMilker
- Smart Contract: Factory
- Smart Contract: Vesting Factory
Impacts in Scope
Only the following impacts are accepted within this bug bounty program:
- Any governance voting result manipulation
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds for any amount of time
- Unbounded gas consumption
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
For more in-depth information on scope, please visit our Immunefi bounty bounty page
Smart Contracts and Blockchain
- Critical: Up to USD 200 000
- High: USD 10 000
- Medium: USD 1 500
All bug reports require PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.
Any reports involving issues highlighted in our audit reports are not eligible for a bounty.
Payouts for bounties will be handled by the MilkySwap team and will be denominated in USD. However, payouts are done in USDC, MILKY, or wADA at the discretion of our team
Please submit your findings on our Immunefi Bug Bounty page
A More Secure MilkySwap
We look forward to closely working with our community as we continue to grow and scale MilkySwap. The collective effort of our developers and community will ensure that MilkySwap will become the most secure DEX within the Milkomeda ecosystem.