Announcing MilkySwap’s Bug Bounty Program

Since the start of our journey, we’ve been commited to a fully-secure DEX. We’ve undergone two audits with both Certik & Peckshield in order to find any form of vulnerability that could threaten the safety and security of our users’ funds. We’ve been active in rectifying some of these vulnerabilities as well as removing any bugs that may threaten the security of our users. However, we want to go a step further in fully securing our DEX. Today, we are announcing the launch of our Immunefi Bug Bounty Program.

As with any bug bounty program, rewards will be distributed based on the impact of the vulnerability. Our distribution of bug bounty rewards will be tied into the Immunefi Vulnerability Severity Classification System. This system adopts a simplified 5-level scale ranging from 1-None to 5-Critical. This scale encompasses all aspects of a bug: From the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

Scope

The scope of our bug bounty program are as follows:

Assets in Scope

• Smart Contract: Router
• Smart Contract: $MILKY
• Smart Contract: MasterMilker
• Smart Contract: Factory
• Smart Contract: Vesting Factory

Impacts in Scope

Only the following impacts are accepted within this bug bounty program:

Smart Contracts

Critical:

• Any governance voting result manipulation
• Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
• Permanent freezing of funds

High:

• Theft of unclaimed yield
• Permanent freezing of unclaimed yield
• Temporary freezing of funds for any amount of time

Medium:

• Unbounded gas consumption
• Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

For more in-depth information on scope, please visit our Immunefi bounty bounty page

Rewards

Smart Contracts and Blockchain

• Critical: Up to USD 200 000
• High: USD 10 000
• Medium: USD 1 500

Rules

All bug reports require PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Any reports involving issues highlighted in our audit reports are not eligible for a bounty.

Payout

Payouts for bounties will be handled by the MilkySwap team and will be denominated in USD. However, payouts are done in USDC, MILKY, or wADA at the discretion of our team

Submission

Please submit your findings on our Immunefi Bug Bounty page

A More Secure MilkySwap

We look forward to closely working with our community as we continue to grow and scale MilkySwap. The collective effort of our developers and community will ensure that MilkySwap will become the most secure DEX within the Milkomeda ecosystem.