Smart Contracts and Bug Bounty

AirSwap Team
Oct 5, 2017 · 3 min read

Update Dec 3, 2019: This article is out of date. See the latest Bug Bounty.

Today we are publishing two Ethereum smart contracts for public review.

The AirSwap exchange contract facilitates atomic swaps of ERC20 tokens between two Ethereum addresses. The contract is considered the “on-chain” part of the protocol, and everything prior is the “off-chain” work done between peers. Two independent audits have been completed by Phil Daian and Nick Johnson that will soon be available in the GitHub repository.

Exchange Contract

The exchange contract takes advantage of the ERC20 standard to transfer token balances between counterparties. After approving the contract to transfer his or her balances, a trader submits a signed order by calling a function “fill”. This function then calls “transfer” on each respective token to complete the trade.

Token Contract

The token contract is based on ERC20, but includes some special features. First, token holders may lock a balance of tokens for a set amount of time. This allows off-chain services to detect these locks and provide additional utility to users who have locked. All token transfers are locked until October 17, 2017 at 10:10:10 AM ET. The token contract is also “pausable”, which means that we can pause transfers in case of a major security vulnerability.

Because transfers are locked and the sale is being done through the exchange contract, the token contract is constructed with an initial balance for the sale wallet. During the sale, the sale wallet signs orders and buyers fill them on the exchange contract.

Bug Bounty

We will run a bug bounty indefinitely to reward community members for discovering and reporting bugs. The scope of the bounty will be limited to Exchange.sol and AirSwapToken.sol and the contracts they inherit from.

The value of rewards will vary depending on severity as judged by the AirSwap team. The severity of a bug is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign:

Bounty payout is as follows:

  • Low: Up to 5 ETH
  • Medium: Up to 20 ETH
  • High: Up to 50 ETH
  • Critical: Up to 100 ETH

A few friendly rules:

  1. Bounties go to the first to report.
  2. Don’t steal or attempt to steal others funds.
  3. Don’t publicly disclose a bug before it has been fixed.
  4. Paid auditors of this code are not eligible for rewards.
  5. Issues that are mentioned in the security audits are not eligible.
  6. Non-security critical issues (style issues, gas optimizations) are not eligible.
  7. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the AirSwap team.

Please take a close look at our contracts on GitHub and submit any issues for review to

To learn more about AirSwap, sign up for email updates on our website. To stay up to date on AirSwap news and announcements, follow us on Facebook, Twitter, and join the conversation on Telegram.


Rebuilding Finance for a Frictionless World

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store