SOY Finance Bug Bounty
Contribute to our security and get rewarded!
Article published on Medium on 30th August 2021.

Scope

Excluded


Contracts Overview

This contract system is an implementation of a decentralized exchange that features automated market making. The contract system is deployed at Callisto Network Mainnet:

Bug Bounty

GENERAL NOTE: only technical issues are considered here. Trading losses or a lack of liquidity caused by insufficient engagement are not considered contract-related issues.

$15,000 for finding a critical vulnerability.

A critical vulnerability is a vulnerability that can be directly exploited at any time and cause:
  • Total breach of the contract system and the loss of operability.
  • Withdrawal of funds or exchange of funds at an unexpected rate, which can be exploited to the attacker’s advantage.
  • Any circumstance in which one user of the contract can cause a direct loss of funds for another user.

$3,000 for finding a medium severity vulnerability.

A medium severity vulnerability is a vulnerability that can be exploited in some specific circumstances and cause:
  • Violation of access restrictions and execution of owner-restricted functions without permission.
  • Total or partial breach of the contract system and partial loss of operability.
  • Withdrawal of funds or exchange of funds at an unexpected rate, which can be exploited to the attacker’s advantage.
  • Any circumstance in which one user of the contract can cause a direct loss of funds for another user.

$100–500 for code flaws that cannot violate contract workflow.

Any code flaw reports and suggestions that can improve the SoyFinance workflow. This bounty will be paid if the suggested solution is implemented in the final version of the contract system.

Participating

Submit an issue at the SoyFinance contracts repo: https://github.com/SoyFinance/smart-contracts/issues
The bug bounty will last for 20 days from the announcement. All reports submitted to the GitHub issues thread during this timeframe will be reviewed by members of the Callisto Security Department.
The first person to submit a bug report will be awarded a bounty if the reported issue is considered a vulnerability consistent with the bug bounty scope.
Payment method: the bounty can be paid in CLO or USDT. The requester must negotiate the payment method in the corresponding issue thread at GitHub and provide the payment address there. The transaction hash will be published in the same thread as proof after the payment is confirmed.
Questions: [email protected]