# Bug Bounty

#### Program fund is 50.000 USD

<h3 align="center">Rewards</h3>

| Level of vulnerability | Amount          |
| ---------------------- | --------------- |
| Critical               | Up to 5.000 USD |
| High                   | 2.000 USD       |
| Medium                 | 500 USD         |

These rewards may be increased in the future.

<h3 align="center">Smart Contracts</h3>

Currently, the scope of the program includes only the CLMM contract. The scope might be extended to other versions in the future.

| Name of Contract | Link                                              |
| ---------------- | ------------------------------------------------- |
| CLMM Contract    | <https://github.com/FlowX-Finance/clmm-contracts> |

The contract version may be updated in the future. Please contact our support team on Discord or Telegram to get access to the scope.

<h3 align="center">Impacts in scope</h3>

Only the following impacts are accepted within this Bug Bounty program. All other impacts are considered out of scope, even if they affect something in the assets-in-scope table.

| Type                                                                                      | Level    |
| ----------------------------------------------------------------------------------------- | -------- |
| Direct theft of any user funds                                                            | Critical |
| Permanent freezing of funds                                                               | Critical |
| Protocol insolvency                                                                       | Critical |
| Theft of unclaimed yield                                                                  | High     |
| Freeze ability of other users to trade                                                    | High     |
| Temporary freezing of funds                                                               | High     |
| Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) | Medium   |

<h3 align="center">Rules</h3>

The following activities are prohibited by this Bug Bounty program:

* Any testing on mainnet
* Any testing with pricing oracles or third-party Smart Contracts
* Attempting phishing or other social engineering attacks against our employees and/or customers
* Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
* Automated testing of services that generates significant amounts of traffic
* Any denial of service attacks

<h3 align="center">Non-issues</h3>

The following issues are excluded from the rewards for this Bug Bounty program:

* Lack of liquidity
* Best practice critiques
* Centralization risks
* Issues with information about user balances
* Cases with disguising one asset with another asset
* Issues with precision when providing liquidity: e.g. in certain cases, if you provide liquidity and then immediately burn it, you may receive a bit less of one jetton and a bit more of the other one
* Any kind of optimization/logic improvements/coding style improvements
* Issues related to contract deletion caused by inability to pay rent
* Issues related to gas optimisation
* Issues related to loss of funds caused by price slippage: frontrunning, backrunning, sandwich attacks, etc.
* Possible loss of funds when attempting to perform a swap in a non-initialized pool (before a successful provideLP)

<h3 align="center">Reports</h3>

To be eligible for a reward, every bug report must include a Proof of Concept demonstrating how the vulnerability can be exploited. This may be a Smart Contract itself or a transaction. Only reports that meet these requirements will be considered by the experts.

Please send reports to <development@flowx.finance>
