Bug Bounty

Summary

The primary focus at Scallop is to provide a DeFi protocol that upholds the highest security standards. We are launching a bug bounty program, inviting the community to help identify potential vulnerabilities in our system. The emphasis is on smart contract security to protect user funds and maintain the platform's solvency. UI-related bugs are excluded. Submit any discovered bugs to bug@scallop.io for the opportunity to earn rewards up to $300,000.

Requirements

To participate in the bug bounty program, please adhere to the following guidelines:

  1. Report any discovered bugs or vulnerabilities exclusively to the Scallop Project Contributors at bug@scallop.io.

  2. Ensure that the reported bug or vulnerability is previously undisclosed, falls within the scope of this program, and is not part of any publicly available audits.

  3. If multiple reports of the same vulnerability are received, only the first submission will be considered for a reward.

  4. Do not exploit the bug or vulnerability in any manner, including public disclosure or personal profit (aside from this program's rewards).

  5. All rewards will be paid in SUI/USDC/SCA and sent to the wallet address provided by the reporter. Rewards cannot be converted to other cryptocurrencies or fiat.

Payouts

The Scallop Project Contributors will evaluate each submission individually, and rewards will be determined based on the severity of the issue:

  • Critical: Up to $300,000

  • High: Up to $30,000

  • Medium: Up to $3,000

  • Low: Up to $300

Recommended Report Format

Please include the following information when submitting a bug report:

  • Name:

  • Telegram ID:

  • Sui Wallet Address:

  • Description:

  • Vulnerability Type:

  • Affected Components:

  • Additional Information:

  • (Include any relevant screenshots or supporting documents)

In scope:

  • https://app.scallop.io (Medium)

  • https://scallop.io (Low)

  • https://sui.apis.scallop.io (Low)

  • https://sdk.api.scallop.io (Low)

Out of scope:

  • https://solana.scallop.io

  • https://solana.apis.scallop.io

  • Missing HTTP security headers.

  • DDoS.

  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.

  • Descriptive error messages (e.g. stack traces, application or server errors).

  • Self-XSS that cannot be used to exploit other users.

  • Lack of Secure and HttpOnly cookie flags.

  • OPTIONS/TRACE HTTP method enabled.

  • Host header issues without a proof-of-concept demonstrating the vulnerability.

  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.

  • Content spoofing without embedded links/HTML.
