🐛Bug Bounty

Overview

SIR is committed to the security of our protocol and users' funds. We invite security researchers to help identify vulnerabilities in our core smart contracts through our bug bounty program.

Scope

The bug bounty program covers high and critical severity vulnerabilities in the SIR core contracts. All verified contract addresses can be found in the Contract Addresses section.

Bug Bounty Reward Address: 0x589F8D40370C9B5904f83B9C17815DDdB3eb6af9

This address holds the SIR tokens allocated for bug bounty rewards, visible on-chain for transparency.

In Scope

  • Core protocol contracts

  • Critical vulnerabilities that could lead to:

    • Loss of user funds

    • Protocol insolvency

    • Unauthorized access to privileged functions

    • Manipulation of core protocol mechanics

Out of Scope

  • Frontend bugs

  • Third-party integrations

  • Already known issues

  • Issues in test contracts or deprecated contracts

Severity Levels & Rewards

The bug bounty address initially holds 20,000,000 SIR tokens, with plans to add more SIR over time to ensure competitive rewards for security researchers. As the protocol's TVL and SIR token price appreciate, so does the value of the bounty reward.

Bounty Reward: The full amount of SIR tokens held in the bug bounty address

High/Critical Severity

Eligible vulnerabilities include:

  • Direct theft of user funds

  • Permanent or temporary freezing of funds

  • Protocol insolvency

  • Theft of yield

  • Significant protocol manipulation

  • Unauthorized access to privileged functions

High and critical severity vulnerabilities that meet the criteria will be rewarded with the full amount of SIR tokens available in the bug bounty address.

Submission Process

  1. DO NOT exploit the vulnerability on mainnet

  2. Provide a detailed written description of the vulnerability

  3. Include proof of concept code or steps to reproduce

  4. Submit your findings privately via:

Rules & Guidelines

  • First reporter of a vulnerability receives the full bounty

  • Public disclosure before resolution disqualifies the submission

  • Provide sufficient detail for our team to reproduce and verify

  • Allow reasonable time for fixes to be implemented

  • Act in good faith and follow responsible disclosure practices

Response Timeline

  • Initial Response: Within 48 hours

  • Vulnerability Assessment: Within 7 days

  • Bounty Decision: Within 14 days

  • Payout: Within 30 days of fix deployment

  • No legal action will be taken against researchers acting in good faith

  • Researchers must comply with all applicable laws

  • Testing must be done on testnet or local forks only

Contact

For questions about the bug bounty program or to submit findings:


This bug bounty program may be updated at any time. Last updated: January 2025
