Bug Bounty

This page has been deprecated. V1 documentation is partially maintained here

Bug Bounty

Overview

Balancer has completed smart contract audits with Trail of Bits and Open Zeppelin. We also will run a continuous bug bounty program for the bronze release of Balancer core.

Scope

The bug bounty covers any of the core smart contracts deployed on Mainnet. The code can be found at: https://github.com/balancer-labs/balancer-core

Submissions should be based off commit hash: https://github.com/balancer-labs/balancer-core/tree/2d88257fb27ad3c84b5166304a342e66055a81b3

Mainnet BFactory can be found at: https://etherscan.io/address/0x9424b1412450d0f8fc2255faf6046b98213b76bd

Additional second layer contracts, such as the exchange proxy or individual smart pool contracts, may be added at a further date.

Rewards

The bounty program will pay out rewards according to the severity of a vulnerability. The final reward amount is at the sole discretion of Balancer Labs. See eligibility section below for more details.

Reward

Severity

Examples

$20,000 - $50,000

Critical

  • Stealing assets from a pool

  • Permanently freezing pool assets

$10,000 - $20,000

High

  • Severe rounding errors where an attacker can steal significant funds in excess of any gas costs or swap fees

  • Manipulating a finalized pool's assets / weights / fees

$2,000 - $5,000

Medium

  • Minor rounding errors that allow an attacker to slowly manipulate funds to their advantage

$0 - $2,000

Low

  • Informational and code quality based disclosures

Reporting / Disclosures

Please report any findings to security@balancer.finance, with full details about any vulnerability and steps / code to reproduce. Allow us time to review and remediate any findings before public disclosure.

Ineligible Findings

  • Duplicate vulnerabilities. Only the first reporter will be rewarded.

  • Findings already known as part of a formal audit.

  • Findings related to non-standard ERC20 tokens might be ineligible as many vulnerabilities might be inserted in non-standard ERC20 tokens on purpose for applying for this bug bounty.

Last updated