Balancer
Balancer V1
Balancer V1Balancer V2
Balancer V1
Balancer V1Balancer V2
  • Home
  • Getting Started
    • Use Cases
    • FAQ
  • Core Concepts
    • Protocol
      • Background
      • Glossary
      • Pool Lifecycle
      • Limitations
      • Math
        • Exponentiation
    • BAL Governance Token
      • BAL for Gas
    • Liquidity Mining
      • Exchange Listing
      • Liquidity Mining Estimates API
    • Security
      • Audits
      • Bug Bounty
  • Smart Contracts
    • Exchange Proxy
    • Smart Order Router
      • Development & Examples
    • Smart Pools
      • Overview
      • Configurable Rights Pool
      • Component Libraries
        • Rights Manager
      • Smart Pool Templates
      • Liquidity Bootstrapping FAQ
    • On Chain Registry
    • Interfaces
    • Addresses
  • API
    • Migration to Version 1.0
    • Events
    • API Index
    • UML Docs
  • Guides
    • Interact via Etherscan
    • Using the SOR
    • Creating a Shared Pool
    • Creating a Smart Pool
    • CRP Tutorial
      • Liquidity Bootstrapping Example
    • Smart Pool Use Cases
      • Liquidity Bootstrapping Pool
      • Swing Trading Pool
      • Smart Treasury
      • Perpetual Synthetic Pool
      • Investors' Club
      • Experimental
    • Testing on Kovan
    • Hackathons
      • Hacking & Testing
      • Judging
      • Ideas
Powered by GitBook
On this page
  • Overview
  • Scope
  • Rewards
  • Reporting / Disclosures
  • Ineligible Findings

Was this helpful?

  1. Core Concepts
  2. Security

Bug Bounty

Overview

Balancer has completed smart contract audits with Trail of Bits and Open Zeppelin. We also will run a continuous bug bounty program for the bronze release of Balancer core.

Scope

The bug bounty covers any of the core smart contracts deployed on Mainnet. The code can be found at: https://github.com/balancer-labs/balancer-core

Submissions should be based off commit hash: https://github.com/balancer-labs/balancer-core/tree/2d88257fb27ad3c84b5166304a342e66055a81b3

Mainnet BFactory can be found at: https://etherscan.io/address/0x9424b1412450d0f8fc2255faf6046b98213b76bd

Additional second layer contracts, such as the exchange proxy or individual smart pool contracts, may be added at a further date.

Rewards

The bounty program will pay out rewards according to the severity of a vulnerability. The final reward amount is at the sole discretion of Balancer Labs. See eligibility section below for more details.

Reward

Severity

Examples

$20,000 - $50,000

Critical

  • Stealing assets from a pool

  • Permanently freezing pool assets

$10,000 - $20,000

High

  • Severe rounding errors where an attacker can steal significant funds in excess of any gas costs or swap fees

  • Manipulating a finalized pool's assets / weights / fees

$2,000 - $5,000

Medium

  • Minor rounding errors that allow an attacker to slowly manipulate funds to their advantage

$0 - $2,000

Low

  • Informational and code quality based disclosures

Reporting / Disclosures

Please report any findings to security@balancer.finance, with full details about any vulnerability and steps / code to reproduce. Allow us time to review and remediate any findings before public disclosure.

Ineligible Findings

  • Duplicate vulnerabilities. Only the first reporter will be rewarded.

  • Findings already known as part of a formal audit.

  • Findings related to non-standard ERC20 tokens might be ineligible as many vulnerabilities might be inserted in non-standard ERC20 tokens on purpose for applying for this bug bounty.

PreviousAuditsNextExchange Proxy

Last updated 3 years ago

Was this helpful?