Full Sail operates a targeted, high-severity bug bounty program focused on issues that pose a credible risk to user funds, protocol logic, or core contract integrity. This program is designed to reward meaningful contributions that enhance the safety and resilience of the protocol.

In-Scope Targets

  • All deployed Full Sail DEX smart contracts
  • Frontend vulnerabilities that can lead to:
    • User fund misdirection
    • Arbitrary contract calls
    • Manipulation of swaps/liquidity position state

Out-of-Scope Submissions

  • Email spoofing
  • Social engineering or phishing tricks
  • Broken links, typos, UI polish issues
  • “Best practices” suggestions with no exploitable vector
If it doesn’t affect funds or critical user interactions, it isn’t considered for rewards.

Reward Tiers

| Severity | Reward Range | Example Bugs |
|----------|--------------|--------------|
| Critical | 5,000 USDC – 25,000 USDC | Full asset drain, bypass of swap/LP limits, price manipulation via logic flaw, contract ownership takeover |
| High | 1,000 USDC – 5,000 USDC | Locked funds, incorrect accounting, ability to grief LPs or force mispriced trades |

All rewards are paid in USDC.

Submission Requirements

To be considered for a reward, reports must include:
  • A clear description of the bug
  • Step-by-step reproduction instructions (e.g. code snippet or testnet transaction)
  • Explanation of the impact (financial, functional, or security)
  • Suggested fix (optional, but helpful)
Incomplete or vague submissions will not be considered.

Disclosure Policy

All reports must be submitted privately via feedback@fullsail.finance. Do not publish exploits, proof-of-concepts, or technical details until the issue has been patched or confirmed as safe. Public disclosure before an official response will forfeit eligibility and may result in blacklisting from future programs.