DISCLAIMER: All assets traded on Energiswap are tokenized versions of the underlying asset that exist only on the Energi blockchain.

Energiswap Bug Bounty

As part of our ongoing efforts to ensure the security of Energiswap contracts, we have implemented a bug bounty reward program. The security and stability of open source software like Energiswap is reliant on the feedback and testing efforts of community members. By offering rewards for the discovery and reporting of certain high-value vulnerabilities, we hope to incentivize an ongoing process of community testing. This will build on the extensive audits that Energiswap has already undergone to make the platform as safe as possible.

Scope

This program is limited to the reporting of vulnerabilities affecting the following contracts:

  • Energiswap Contracts
  • Energiswap Governance Contracts
  • Energi Wrapped Token Contracts

Qualifying Vulnerabilities

At this time, rewards will only be paid out for the discovery of vulnerabilities in the Energiswap core smart contracts listed above.

Exploits may be grouped in the following ways:

  • Function-level: exploitable through a single entry-point.
  • Contract-level: combining multiple entry-points.
  • System-level: combining multiple contracts.
  • Game-level: attacking the incentive mechanisms. (currently not eligible for reward)

Non-Qualifying Vulnerabilities

  • The example contracts and the contracts in the test folder.
  • Any contract removed from the Energiswap Contracts & Energiswap Governance Contracts lists (these lists may change from time to time without notice).
  • Bugs in any third-party contract or platform that interacts with Energiswap Contracts.
  • Vulnerabilities already reported and/or discovered in contracts built by third parties on Energiswap.
  • Any bugs that have already been reported.
  • DDoS attacks.
  • Spamming.
  • Automated tools.
  • Compromising or misusing third party systems or services.

Bug Rating / Reward

The severity of bugs will be assessed under the CVSS Risk Rating scale as follows:

  • Critical (9.0-10.0): 1300 - 2100 NRG
  • High (7.0-8.9): 700 - 900 NRG
  • Medium (4.0-6.9): 300 - 500 NRG
  • Low (0.1-3.9): 100 - 200 NRG

Reporting Process

To be eligible for reward under the program, all bugs or vulnerabilities must be reported exclusively to [email protected] without being disclosed to any other parties, either public or private. Please include as much detail as you possibly can, including:

  • The environment conditions in which the bug was produced.
  • The steps required to reproduce the bug.
  • The potential impact of the vulnerability being exploited.

The more detail and evidence included in your report, the more likely it is that you will qualify for a reward.

Reporter Eligibility

In order to be eligible for a reward, you must:

  • Be the first person to report the vulnerability to the [email protected] account.
  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to demonstrate the impact of any of them.
  • Provide sufficiently clear instructions for our engineers to reproduce and fix the vulnerability.
  • Not exploit the vulnerability yourself or make it public.
  • Not engage in any illegal activity in the discovery or reporting process.
  • Not be one of our current or former employees, vendors, or contractors (or an employee of any of those vendors or contractors).
  • Comply with all the eligibility requirements of the program.

Estimated Processing Time

This is the estimated time it would normally take to process a bug report:

  • First response (to support ticket) - 2 days
  • Report processing - 14 days
  • Sign-off / Pay-out - 7 days