Immunefi Bounty Campaign

MetalSwap's ongoing bug bounty campaign with Immunefi invites security experts to examine its Smart Contracts for vulnerabilities.

Details at Immunefi Campaign.
The campaign allows the white-hat hacker community members to contribute to MetalSwap’s security, enhancing overall platform integrity.

MetalSwap Bug Bounty Program Overview

Rewards by Threat Level

Rewards are based on the Immunefi Vulnerability Severity Classification System V2.2, a 5-level scale. Requirements for a reward include a PoC impacting an asset-in-scope and a suggested fix. Known issues from CertiK's audit are out of scope.

KYC Requirements

- KYC is mandatory for all participants.
- A signed document confirming tax disclosure is required, including personal and tax identification details.

Payout Information

- Payouts are in USDT, handled directly by MetalSwap, denominated in USD.
- Maximum bounty: $20,000.
- Program hard cap: USDT 50,000.
- Distribution on a first-come, first-served basis.

Smart Contract Vulnerability Rewards

- Critical Level: USD $20,000 - PoC Required
- High Level: USD $5,000 - PoC Required

Assets in Scope

Specific smart contracts listed at MetalSwap GitHub are in scope. Others are excluded.

In-scope Impacts for Smart Contracts

- Direct theft of user funds
- Permanent freezing of funds
- MEV mechanisms hindering end-user operations
- Protocol insolvency excluding XMT
- Theft or freezing of unclaimed yield
- Temporary freezing of funds for at least 1 hour

Out of Scope & Rules

Exclusions include:

- Self-exploited attacks.
- Attacks requiring privileged access or leaked credentials.
- Known vulnerabilities or best practice critiques.
- External factors like oracle errors, Sybil attacks, or centralization risks.
- Protocol insolvency related to XMT or operational issues fixable by MetalSwap.

Prohibited Activities

- Testing on mainnet or public testnets.
- Interactions with third-party systems or oracles.
- Social engineering, phishing, or DoS attacks.
- Public disclosure of unpatched vulnerabilities in embargoed bounties.