Bug Bounty

This page has been deprecated. V1 documentation is partially maintained here

Overview

Balancer has completed smart contract audits with Trail of Bits and OpenZeppelin. We will also run a continuous bug bounty program for the bronze release of Balancer core.

Scope

The bug bounty covers any of the core smart contracts deployed on Mainnet. The code can be found at: https://github.com/balancer-labs/balancer-core
Additional second-layer contracts, such as the exchange proxy or individual smart pool contracts, may be added at a later date.

Rewards

The bounty program will pay out rewards according to the severity of a vulnerability. The final reward amount is at the sole discretion of Balancer Labs. See the eligibility section below for more details.

| Reward | Severity | Examples |
| --- | --- | --- |
| $20,000 - $50,000 | Critical | Stealing assets from a pool; permanently freezing pool assets |
| $10,000 - $20,000 | High | Severe rounding errors where an attacker can steal significant funds in excess of any gas costs or swap fees; manipulating a finalized pool's assets / weights / fees |
| $2,000 - $5,000 | Medium | Minor rounding errors that allow an attacker to slowly manipulate funds to their advantage |
| $0 - $2,000 | Low | Informational and code quality based disclosures |

Reporting / Disclosures

Please report any findings to [email protected], with full details about any vulnerability and steps / code to reproduce. Allow us time to review and remediate any findings before public disclosure.

Ineligible Findings

  • Duplicate vulnerabilities. Only the first reporter will be rewarded.
  • Findings already known as part of a formal audit.
  • Findings related to non-standard ERC20 tokens might be ineligible, since many vulnerabilities could be deliberately inserted into such tokens for the purpose of applying for this bug bounty.