Uniswap ($UNI) Labs has officially launched a Bug Bounty Program (“the Program”). The initiative aims to encourage ethical hackers and security researchers to identify and report vulnerabilities in Uniswap’s deployed contracts. Rewards for successful bug disclosures can reach up to 2,250,000 USDC, depending on the severity of the issue.
Scope of the Program
The Program specifically targets vulnerabilities in Uniswap’s deployed contracts, including but not limited to:
Universal Router Contract Code
Permit2 Contract Code
V3 Contract Code
UniswapX Contract Code
However, if a bug is discovered in a Uniswap smart contract outside of these repositories and poses a risk to user funds, it will be considered in-scope for the Program.
Exclusions
The Program does not cover:
- Third-party contracts not under Uniswap’s direct control
- Issues already listed in audits for the above contracts
- Bugs in third-party contracts or applications that use Uniswap contracts
- The Uniswap DAPP, web interface, or other non-contract related materials
Reward Structure
Uniswap Labs has categorized the severity of potential issues into four levels:
- Critical Issues: Impacting numerous users and posing serious reputational, legal, or financial risks.
- High Issues: Affecting individual users and posing moderate financial risk.
- Medium Issues: Posing relatively small risks and not threatening user funds.
- Low/Informational Issues: Relevant to security best practices but not posing an immediate risk.
The rewards will be allocated based on this severity scale and the likelihood of the bug being exploited, as determined solely by Uniswap Labs.
Disclosure Protocol
All vulnerabilities must be reported to Uniswap Labs via the designated email: security+bugbounty@uniswap.org. Public disclosure of the vulnerability is prohibited until Uniswap Labs has resolved the issue and granted permission for public disclosure.
Eligibility Criteria
To be eligible for a reward, the reporter must:
- Discover a unique, previously-unreported vulnerability within the scope of the Program.
- Be the first to disclose the vulnerability to Uniswap Labs.
- Provide sufficient information for the vulnerability to be reproduced and fixed.
- Comply with all other terms and conditions of the Program.
Final Remarks
Uniswap Labs retains the sole discretion to alter the terms and conditions of the Program at any time. By participating in the Program, you grant Uniswap Labs the rights needed to validate, mitigate, and disclose the vulnerability.
Image source: Shutterstock