# \[DD] Bounty Distribution Rules

**Please always read the individual rules for each DualDefence Audit, as specific conditions may vary per project.**

## ✅ Accepted Reports

Only **Critical** vulnerabilities are eligible for rewards in a DualDefence Audit. All valid reports must include:

* A detailed description of the vulnerability.
* A working Proof-of-Concept (PoC) for re-testing.
* (Recommended) Screenshots or a screen recording demonstrating the exploit.

All submissions are reviewed by our Triage Team, then forwarded to the Auditor and Client teams for final validation. **This process can take until the final days of the audit**, so please be patient.

## 💰 Bounty Distribution

**Bounty Pool** – the total reward allocated for the audit\
**Allocated Bounty** – the portion of the bounty pool assigned to each *unique* valid vulnerability

The **entire bounty pool is distributed across unique Critical issues**, and then shared among researchers **proportionally** based on the uniqueness of their findings.

### **🧠 Sybil-Resistance Formula**

To discourage duplicate submissions under multiple accounts (Sybil attacks), we apply a **diminishing returns formula**:

**Issue Weight = 1 × (0.9 ^ (N - 1)) / N**

Where:

* `N` = number of researchers who submitted the same issue
* Issue Weight determines the bounty share assigned to each reporter

This rewards original findings more heavily and reduces the reward for duplicated issues. The fewer researchers who submit a specific vulnerability, the larger the portion they receive.

## **🧮 Example**

* **Issue A** reported by 1 researcher → Weight = 1.0
* **Issue B** reported by 2 researchers → Weight = 0.45 total (0.225 each)
* **Issue C** reported by 3 researchers → Weight ≈ 0.27 total (0.09 each)

If these are the only valid issues, the bounty pool is distributed in proportion to the total weights assigned to each researcher.

## ⚠️ Disclaimer

Bounty rewards are denominated in **staked tokens in the FlashPool**. Due to market volatility, the final USD equivalent may vary from the initially announced prize.

## ✅ Recommended Before Submitting

* Complete **KYC**
* Create a wallet eligible to **claim FlashPool rewards**
* Thoroughly research the audit scope and project infrastructure
