Summary
Sometimes, you may find a bug that affects multiple assets on the same project.
I found a bug that is present on multiple assets of a project — what should I do?
While a vulnerability can exist across multiple assets, keep in mind that only the first instance of each cited vulnerability is eligible for a bounty reward. One bug, one fix, one payout is the general rule.
For example, if the bug appears in contract.sol, regardless of whether it appears 1 time or 10 times, you will only get 1 payout.
However, if the bug appears in staking.sol AND farming.sol, you can get 2 payouts.
If the bug appears in staking.sol, farming.sol, reward.sol etc., then you can get as many payouts as the number of fixes required. Each asset/file/endpoint should have its own bug report if multiple fixes are required.
I found a bug that is present on one asset, but it affects other assets of a project — what should I do?
For example, you found a vulnerability in staking.sol, and although the bug itself is not present in other contracts, it freezes funds or affects other contracts in a way that constitutes an in-scope impact on the other assets.
In this case, you can only get 1 payout, as it is one bug, one fix, one payout.