Bug Bounty
Last updated
Last updated
Balancer has completed smart contract audits with Trail of Bits and Open Zeppelin. We also will run a continuous bug bounty program for the bronze release of Balancer core.
The bug bounty covers any of the core smart contracts deployed on Mainnet. The code can be found at: https://github.com/balancer-labs/balancer-core
Submissions should be based off commit hash: https://github.com/balancer-labs/balancer-core/tree/2d88257fb27ad3c84b5166304a342e66055a81b3
Mainnet BFactory can be found at: https://etherscan.io/address/0x9424b1412450d0f8fc2255faf6046b98213b76bd
Additional second layer contracts, such as the exchange proxy or individual smart pool contracts, may be added at a further date.
The bounty program will pay out rewards according to the severity of a vulnerability. The final reward amount is at the sole discretion of Balancer Labs. See eligibility section below for more details.
Please report any findings to security@balancer.finance, with full details about any vulnerability and steps / code to reproduce. Allow us time to review and remediate any findings before public disclosure.
Duplicate vulnerabilities. Only the first reporter will be rewarded.
Findings already known as part of a formal audit.
Findings related to non-standard ERC20 tokens might be ineligible as many vulnerabilities might be inserted in non-standard ERC20 tokens on purpose for applying for this bug bounty.
Reward
Severity
Examples
$20,000 - $50,000
Critical
Stealing assets from a pool
Permanently freezing pool assets
$10,000 - $20,000
High
Severe rounding errors where an attacker can steal significant funds in excess of any gas costs or swap fees
Manipulating a finalized pool's assets / weights / fees
$2,000 - $5,000
Medium
Minor rounding errors that allow an attacker to slowly manipulate funds to their advantage
$0 - $2,000
Low
Informational and code quality based disclosures