defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

SUNSwap (sun.io)'s assessment for RD-F-183 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No active bug bounty program confirmed on Immunefi (404), HackenProof (not listed), HackerOne, or Bugcrowd. No economic incentive for whitehat disclosure on any surface including $240M V2 Factory/Router, $112M V3, or newly-launched V4 PoolManager with hooks. Secondary $500K claim unverified.

Sources #

  • URL
    HackenProof programs listingHackenProof programs — sunswap not listedretrieved 2026-05-17
  • Internal
    SUNSwap protocol profile section 900-profile.md §9 — bug bounty not found as of 2026-05-17retrieved 2026-05-17
  • URL
    Immunefi SUNSwap bug bounty (404)Immunefi SUNSwap bug bounty page — 404retrieved 2026-05-17

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sunswap factor RD-F-183 score red collected_at 2026-05-17 14:37:31