Bug Bounty
The FlowX.Finance Bug Bounty program is focused around our smart contracts with a primary interest in the prevention of loss of user funds.
The program fund is 50.000 USD.
Rewards
Critical: Up to 5.000 USD
High: 2.000 USD
Medium: 500 USD
These rewards may be increased in the future.
Smart Contracts
Currently the scope of the program includes only the CLMM contract. The scope might be extended with other versions in the future.
CLMM Contract
The contract version may be updated in the future. Please contact our support team on Discord or Telegram to get access to the scope.
Impacts in scope
Only the following impacts are accepted within this Bug Bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Direct theft of any user funds: Critical
Permanent freezing of funds: Critical
Protocol insolvency: Critical
Theft of unclaimed yield: High
Freeze ability of other users to trade: High
Temporary freezing of funds: High
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol): Medium
Rules
The following activities are prohibited by this Bug Bounty program:
Any testing with mainnet.
Any testing with pricing oracles or third party Smart Contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Automated testing of services that generates significant amounts of traffic
Any denial of service attacks
Non-issues
The following issues are excluded from the rewards for this Bug Bounty program:
Lack of liquidity
Best practice critiques
Centralization risks
Issues with information about user balances
Cases with disguising one asset with another asset
Issues with precision when providing liquidity: e.g. in certain cases, if you provide liquidity and then immediately burn it, you may receive a bit less of one jetton and a bit more of the other one
Any kind of optimization/logic improvements/coding style improvements
Issues related to contract deletion caused by inability to pay rent
Issues related to gas optimisation
Issues related to loss of funds caused by price slippage: frontrunning, backrunning, sandwich attacks, etc.
Possible loss of funds when attempting to perform a swap in a non-initialized pool (before a successful provideLP)
Reports
All bug reports must include a Proof of Concept demonstrating how the vulnerability can be exploited to be eligible for a reward. This may be a Smart Contract itself or a transaction. Only the reports that meet the requirements will be considered by the experts.
Please send reports to [email protected]