# Bug Bounty

## Overview

SIR is committed to the security of our protocol and users' funds. Following the March 2025 exploit and successful relaunch with four independent security audits, we continue to invite security researchers to help identify vulnerabilities in our core smart contracts through our bug bounty program.

## Scope

The bug bounty program covers **high and critical severity vulnerabilities** in the SIR core contracts across all deployed chains (Ethereum, HyperEVM, and MegaETH). All verified contract addresses can be found in the [Deployments](/protocol-overview/deployments.md) section.

**Bug Bounty Reward Address:** [`0x589F8D40370C9B5904f83B9C17815DDdB3eb6af9`](https://etherscan.io/address/0x589F8D40370C9B5904f83B9C17815DDdB3eb6af9)

This address holds the SIR tokens allocated for bug bounty rewards, visible on-chain for transparency.

### In Scope

* Core protocol contracts on all chains
* Critical vulnerabilities that could lead to:
  * Loss of user funds
  * Protocol insolvency
  * Unauthorized access to privileged functions
  * Manipulation of core protocol mechanics

### Out of Scope

* Frontend bugs
* Third-party integrations
* Already known issues
* Issues in test contracts or deprecated contracts

## Severity Levels & Rewards

The bug bounty address initially holds **20,000,000 SIR tokens**, with plans to add more SIR over time to ensure competitive rewards for security researchers. As the protocol's TVL and SIR token price appreciate, so does the value of the bounty reward.

**Bounty Reward:** The full amount of SIR tokens held in the bug bounty address

### High/Critical Severity

Eligible vulnerabilities include:

* Direct theft of user funds
* Permanent or temporary freezing of funds
* Protocol insolvency
* Theft of yield
* Significant protocol manipulation
* Unauthorized access to privileged functions

High and critical severity vulnerabilities that meet the criteria will be rewarded with **the full amount of SIR tokens available in the bug bounty address**.

## Submission Process

1. **DO NOT** exploit the vulnerability on mainnet
2. Provide a detailed written description of the vulnerability
3. Include proof of concept code or steps to reproduce
4. Submit your findings privately via:
   * **Discord:** Xatarrer#0002
   * **Email:** <support@sir.trading>

## Rules & Guidelines

* First reporter of a vulnerability receives the full bounty
* Public disclosure before resolution disqualifies the submission
* Provide sufficient detail for our team to reproduce and verify
* Allow reasonable time for fixes to be implemented
* Act in good faith and follow responsible disclosure practices

## Response Timeline

* **Initial Response:** Within 48 hours
* **Vulnerability Assessment:** Within 7 days
* **Bounty Decision:** Within 14 days
* **Payout:** Within 30 days of fix deployment

## Legal

* No legal action will be taken against researchers acting in good faith
* Researchers must comply with all applicable laws
* Testing must be done on testnet or local forks only

## Contact

For questions about the bug bounty program or to submit findings:

* **Discord:** Xatarrer#0002 on our [Discord server](https://t.co/jFXfWEf9Rv)
* **Email:** <support@sir.trading>
* **GitHub:** [SIR-trading](https://github.com/SIR-trading)

***

*This bug bounty program may be updated at any time. Last updated: February 2026*


