The Furucombo team has been seeking to combine the merits of every kind of DeFi protocol to create the most comprehensive DeFi aggregator platform on Ethereum. Furucombo is composed of a Proxy Contract and Handler Contracts. The security of our system is of paramount importance to us. While we continue to conduct professional audits of the whole system, a bug bounty program is necessary to further ensure the platform's safety.
This program is intended to work with independent security researchers across the globe and set out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what users can expect from us in return. Should you encounter a security vulnerability in one of our products, we want to hear from you. We believe that the Furucombo ecosystem will be further bolstered with support from our community.
The bug bounty applies to the following repositories and sites:
Note: Issues found outside the locations mentioned above will be considered on a case-by-case basis; please reach out to the Furucombo development team for clarification.
The value of rewards will vary depending on severity as judged by the Furucombo team. The severity of a bug will be assessed according to the OWASP risk rating model based on Impact and Likelihood:
Note: Up to $100 USD
Low: $100 — $1,000 USD
Medium: $1,000 — $5,000 USD
High: $5,000 — $20,000 USD
Critical: $20,000 — $250,000 USD
The Furucombo team determines, at its sole discretion, the eligibility of a vulnerability, its score, and whether a reward is granted. Payouts will be denominated in USD and paid in COMBO tokens.
Any vulnerability or bug discovered must be reported only to the following email: [email protected]
Please do not disclose any vulnerability or bug to the public or to any person.
Please limit each submission to one issue.
Please provide sufficient detail in your disclosure, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept, to enable the Furucombo team to quickly understand, reproduce, and address the vulnerability.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount.
Identify an original, previously unreported, non-public vulnerability within the scope of the Furucombo bug bounty program.
Provide sufficient information to reproduce the problem to enable the Furucombo team to address the issue.
Do not exploit the vulnerability in any way, including by making it public or by obtaining a profit.
Duplicate issues are not eligible for a reward. Only the first submission is eligible.
Avoid privacy violations, destruction of data, interruption, degradation, or any malicious attack on Furucombo.