The scope of the bug bounty is limited to contracts located within the AirSwap Protocols repository that have been deployed onto mainnet. Latest mainnet deploys for the following are at this commit hash.

Swap: Atomic Swap Between Tokens

Indexer: Counterparty Discovery with Staking

Index: Ordered List of Locators

DelegateFactory: Deploys New Delegates

Delegate: Onchain Trading Delegate

Types: Types and Hashes

Wrapper: Use ether for WETH trades

The value of rewards will vary depending on severity as judged by the AirSwap team. Severity is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign.

Bounty payouts

Low: Up to 250 DAI

Medium: Up to 500 DAI

High: Up to 2,000 DAI

Critical: Up to 20,000 DAI

A few friendly rules

Bounties go to the first to report via email to bounty@airswap.io. Don’t steal or attempt to steal others funds. Don’t publicly disclose a bug before it has been fixed. Paid auditors of this code are not eligible for rewards. Issues that are mentioned in the security audits are not eligible. See the most recent security audit on GitHub. Issues that are mentioned in individual security reports (for example Swap) are not eligible. Non-security critical issues (e.g. style or gas optimizations) are ineligible. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the AirSwap team.

Submitting a bug report

Please send an email to bounty@airswap.io including the content in the bounty template found on the AirSwap Protocols repository.