A duplicate report is a report that showcases the same vulnerability as another report that has already been submitted to the project’s bug bounty program on the Immunefi platform.
When a duplicate report is submitted, the project is only required to pay out the first valid report. The duplicate report is not eligible for a reward and can be closed. This is true regardless of how much time has elapsed between the initial report and the duplicate.
For example: if Report 11894 and Report 12001 both detail the same re-entrancy vulnerability but Report 11894 was submitted first, then Report 12001 is a duplicate and is not eligible for reward.
How does Immunefi determine if a report is a duplicate?
Sometimes, two different reports describe similar attack logic. This does not necessarily mean that the second report is a duplicate of the first.
In these situations, we ask two questions to determine whether or not the second report is a duplicate:
1. Are the files/endpoints different in the two reports?
If the files/endpoints are different, then the reports represent two distinct issues and are not treated as duplicates.
Two smart contracts can share the same class of issue, but because the issue lives in two different files, the two reports are not treated as the same finding.
2. Does fixing one report automatically fix the second?
If fixing the issue in the first report would not automatically fix the second, then they are distinct issues and are not treated as duplicates.
This is true even if both reports have the same endpoint. The fact that one fix would not address both reports indicates that the attack vectors are different and should therefore be treated as distinct.
However, if one fix would address the issue in both reports, then the second report is a duplicate and is not eligible for a reward.