WhiteSwap
Bug Bounty

Submit a report

WhiteSwap offers a bug bounty for software engineers who can help improve WhiteSwap’s code. If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so we can address it as soon as possible.

  • This program is limited to the vulnerabilities affecting WhiteSwap in the following contracts:
  • WSPair: 0x33c6e6fC3DF75aE3e9C2482Ca1f36Be71dEF2664
  • WSFactory: 0xFBacBc64E684c0C5Bf572Fc6d42458c3E3fd1d1D
  • WSRouter: 0x1504d0ba9C6fE130D3cE750fCBe7407047D986BF
  • WSController: 0xA9229c9D3720CD359cEc51A259003C845E4C8224
  • WSProxyFactory: 0x69bd16aE6F507bd3Fc9eCC984d50b04F029EF677
  • WSProxyRouter: 0x463672ffdED540f7613d3e8248e3a8a51bAF7217
  • The following are not within the scope of the program:
  • The example contracts and the contracts in the test folder for the Router Contracts link set forth above;
  • Any contract removed from the list of contracts in the Router Contracts link set forth above (such list may change from time to time without notice);
  • Bugs in any third party contract or platform that interacts with WhiteSwap;
  • Vulnerabilities already reported and/or discovered in contracts built by third parties on WhiteSwap; and
  • Any already-reported bugs.
  • Vulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this program:
  • Front end bugs;
  • DDOS attack;
  • Spamming;
  • Automated tools; and
  • Compromising or misusing third party systems or services.

Program Rewards

A $5,000 initial bounty pool is available, which will be followed by an additional pool of WSD governance tokens. Rewards will be considered based on the impact of the discovered vulnerability as well as the level of difficulty in discovering such vulnerability.

    Disclosure

    Any vulnerability or bug discovered must be reported only to the following email: [email protected]; must not be disclosed publicly; must not be disclosed to any other person, entity or email address prior to disclosure to the [email protected]; and must not be disclosed in any way other than to the [email protected] email. In addition, disclosure to [email protected] must be made promptly following discovery of the vulnerability. Please include as much information about the vulnerability as possible, including:

    • The conditions on which reproducing the bug is contingent.
    • The steps needed to reproduce the bug or, preferably, a proof of concept.
    • The potential implications of the vulnerability being abused.

    A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount.\n\nAnyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution, if agreed.

    Eligibility

    To be eligible for a reward under this program, you must:

    • Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on WhiteSwap (but not on any third party platform interacting with WhiteSwap) and that is within the scope of this program.
    • Be the first to disclose the unique vulnerability to [email protected], in compliance with the disclosure requirements above.
    • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
    • Not engage in any unlawful conduct when disclosing the bug to [email protected], including through threats, demands or any other coercive tactics.
    • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this program).
    • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of WhiteSwap.
    • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
    • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this program.
    • Be at least 18 years of age.
    • Not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors.
    • Comply with all the eligibility requirements of the program.

    Other Terms

      All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.\n\nThe terms and conditions of this program may be altered at any time.