defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

The assessment of Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap — for factor RD-F-183 scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The Immunefi program lists 3 assets in scope: Constant Product AMM, Concentrated Liquidity AMM, RedSnapper. The SushiXSwap v2 adapters (StargateAdapter, AxelarAdapter) and RouteProcessor4 do not appear in the scope stated on the program page, and BentoBox/Kashi is not confirmed in scope. The highest-TVL contracts on Ethereum include BentoBoxV1 (0xF5BCE5, holds ~$50M in TVL context) and the SushiXSwap v2 routing layer. The data-cache field contracts_in_scope is empty (the pipeline could not parse the Immunefi scope). Because scope is ambiguous for the cross-chain and lending components, the factor scores yellow.

Sources

  • Internal
    00-data-cache.json — bug_bounty section
    data-cache bug_bounty.contracts_in_scope: [] (empty — pipeline could not enumerate in-scope contracts from Immunefi)
    retrieved 2026-05-17
  • URL
    Immunefi SushiSwap Bug Bounty
    Immunefi SushiSwap bounty — 3 assets in scope: CP AMM, CL AMM, RedSnapper; other components scope ambiguous
    retrieved 2026-05-17

Methodology

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.


rubric_version: v1.7.0
protocol: sushi
factor: RD-F-183
score: yellow
collected_at: 2026-05-16 19:50:37