Bug Bounties
The bug bounties on this page apply only to the Balancer smart contracts which secure protocol funds on the Ethereum mainnet. Bug reports pertaining to Balancer's web interfaces, both in terms of UI/UX or servers/infrastructure, are not eligible. Only the first reporter of a given contract vulnerability will be rewarded, and findings already discovered as part of a formal audit are ineligible. Vulnerabilities involving non-standard ERC20 tokens are also ineligible, as it would be trivial to insert an exploit into a token for the sake of applying to this bug bounty. A standard, Balancer-compatible ERC20 token is one that conforms to all EIP-20 interfaces and exhibits expected behavior in implementation; i.e., transfers move exactly N tokens from sender to recipient, and balances do not change by any means other than transfers. Notably, tokens with transfer fees, rebasing supplies, or streaming mechanics are not compatible with Balancer, but that list is not exhaustive.

Overview

Balancer has completed smart contract audits with Trail of Bits, OpenZeppelin, and Certora. We will also run a continuous bug bounty program for the V2 release of the Balancer core contracts.

Scope

The bug bounty covers any of the core smart contracts deployed on Ethereum mainnet. The code can be found on GitHub. The list of deployed contracts eligible for the bug bounty, with their mainnet addresses and commit hashes, is:
Note that Balancer V2 smart contract development occurs within a single repository, so e.g. the commit corresponding to the Vault's deployment might also include source code not only for Weighted Pools, but also for as-yet-unreleased contracts.
Only deployed contracts are in scope of the bounty! Be sure to always use a contract's deployment commit when looking at its source!

Rewards

The bounty program will pay out rewards according to the severity of a vulnerability. See eligibility section below for more details. The final reward amount is at the sole discretion of Balancer Labs and will be paid in the specified sum of either USD or ETH, whichever amount is more valuable. In other words, the reward value increases with the price of ETH but can never fall below the given dollar amount.
| Reward | Severity | Examples |
| --- | --- | --- |
| 1,000 ETH or $2,000,000 | Critical | Draining significant funds from the Vault; permanently locking significant funds in the Vault |
| 250 ETH or $500,000 | High | Severe rounding errors where an attacker can steal funds in excess of any gas costs or swap fees |
| 25 ETH or $50,000 | Medium | Minor rounding errors that allow an attacker to slowly manipulate balances to their advantage |
| 5 ETH or $10,000 | Low | Informational and code quality based disclosures |

Reporting / Disclosures

Please report any findings to [email protected], with full details about any vulnerability and steps/code to reproduce. Allow us time to review and remediate any findings before public disclosure.