SaucerSwap is running a dedicated V3 testnet bug bounty ahead of the V3 mainnet launch. This program is separate from the general SaucerSwap Bug Bounty Program. It is focused specifically on the V3 orderbook testnet release and related V3 surfaces.
Test site
The primary site being tested is: https://orderbook.saucerswap.finance/trade
Timeline
The V3 testnet bug bounty opens Monday, May 25 and runs for one week. The program is scheduled to close Monday, June 1 at 17:00 UTC. SaucerSwap Labs may extend the program depending on the volume and quality of valid reports.
Scope
The following V3 testnet surfaces are in scope:
- V3 Trade Page
- V3 Order History on the dashboard page
- V3 Trade verification
- Other V3 orderbook testnet surfaces directly related to the V3 launch
Out of scope
The following are out of scope for this V3 testnet bug bounty:
- SaucerSwap mainnet contracts and production environments
- V1 and V2 contracts
- Non-V3 sections of the SaucerSwap interface
- Third-party contracts or applications not directly associated with SaucerSwap
- Known issues from previous audits, bug bounty reports, or internal testing
- Known issues already identified during the current V3 security audit
- Denial of Service or Distributed Denial of Service attacks
- Phishing, social engineering, or attacks requiring collusion from SaucerSwap staff or third-party support
- Physical access attacks, stolen/unlocked devices, SIM-swap, device-level malware, or OS/kernel exploits unrelated to SaucerSwap
- Low-impact UI issues with no security, accounting, execution, or integrity impact
Rewards
Rewards are paid in SAUCE, with USD references used to size severity bands. Reports will be evaluated using the OWASP risk rating methodology, along with the actual impact to SaucerSwap V3.
| Severity | Maximum reward |
|---|---|
| Critical | Up to $50,000 equivalent in SAUCE |
| High | Up to $10,000 equivalent in SAUCE |
| Medium | Up to $1,000 equivalent in SAUCE |
| Low | Up to $100 equivalent in SAUCE |
| Informational | Up to $25 equivalent in SAUCE |
Severity guidance
Critical findings may include issues that could result in loss of funds, unauthorized order execution, permanent loss of access to funds, severe market integrity failure, or other systemic impact. High findings may include issues that materially affect individual users, order correctness, settlement assumptions, balances, or critical V3 user flows. Medium findings may include issues with limited financial or integrity impact, but which still affect important V3 behavior. Low and Informational findings may include minor bugs, edge cases, or best-practice issues with limited direct risk. SaucerSwap Labs will make the final severity determination.
Report requirements
Submit reports using the V3 bug bounty form: Submit a V3 testnet bug report
Each report should include:
- Name or handle
- Issue title
- Detailed issue description
- Affected component
- Affected URL, contract ID/address, or screen
- Conditions required to reproduce
- Step-by-step reproduction instructions or proof of concept
- Suggested remediation, if known
- Links to supporting evidence, such as screenshots, videos, logs, transaction IDs, or gists
Responsible disclosure
Do not publicly disclose any vulnerability until it has been resolved and disclosure has been explicitly approved by SaucerSwap Labs. Reports must be submitted in good faith. Do not exploit vulnerabilities beyond what is necessary to prove the issue. Do not access, modify, delete, or exfiltrate data that does not belong to you.
Eligibility
To be eligible for a reward, a report must:
- be unique and previously unreported
- be within the V3 testnet bug bounty scope
- include enough detail for SaucerSwap Labs to reproduce and validate the issue
- avoid public disclosure until approved
- avoid unlawful, abusive, or destructive testing
- comply with all program terms