[DD] Bounty Distribution Rules

How to participate in a DualDefence Audit

Please always read the individual rules for each DualDefence Audit, as specific conditions may vary per project.

✅ Accepted Reports

Only Critical vulnerabilities are eligible for rewards in a DualDefence Audit. All valid reports must include:

  • A detailed description of the vulnerability.

  • A working Proof-of-Concept (PoC) for re-testing.

  • (Recommended) Screenshots or a screen recording demonstrating the exploit.

All submissions will be reviewed by our Triage Team, then forwarded to the Auditor and Client teams for final validation. This process can take until the final days of the audit, so please be patient.

💰 Bounty Distribution

  • Bounty Pool – the total reward allocated for the audit

  • Allocated Bounty – the portion of the bounty pool assigned to each unique valid vulnerability

The entire bounty pool is distributed across unique Critical issues, and then shared among researchers proportionally based on the uniqueness of their findings.

🧠 Sybil-Resistance Formula

To discourage duplicate submissions under multiple accounts (Sybil attacks), we apply a diminishing returns formula:

Issue Weight = 1 × (0.9 ^ (N - 1)) / N

Where:

  • N = number of researchers who submitted the same issue

  • Issue Weight determines the bounty share assigned to each reporter

This rewards original findings more heavily and reduces the reward for duplicated issues. The fewer researchers who submit a specific vulnerability, the larger the portion they receive.

🧮 Example

  • Issue A reported by 1 researcher → Weight = 1.0

  • Issue B reported by 2 researchers → Weight = 0.45 total (0.225 each)

  • Issue C reported by 3 researchers → Weight ≈ 0.27 total (0.09 each)

If these are the only valid issues, the bounty pool is distributed in proportion to the total weights assigned to each researcher.

⚠️ Disclaimer

Bounty rewards are denominated in staked tokens in the FlashPool. Due to market volatility, the final USD equivalent may vary from the initially announced prize.

  • Complete KYC

  • Create a wallet eligible to claim FlashPool rewards

  • Thoroughly research the audit scope and project infrastructure
