Bancor 3 Bug Bounty


  • Stealing or loss of funds
  • Unauthorized transactions
  • Transaction manipulation
  • Price manipulation
  • Fee payment bypass
  • Balance manipulation
  • Privacy violation
  • Cryptographic flaws
  • Reentrancy
  • Logic errors (including user authentication errors)
  • Solidity details not considered, including integer over-/under-flow, rounding errors, unhandled exceptions)
  • Trusting trust/dependency vulnerabilities, including composability vulnerabilities)
  • Oracle failure/manipulation
  • Novel governance attacks and economic/financial attacks, including flash loan attacks
  • Congestion and scalability, including running out of gas, block stuffing, susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems, e.g., signature malleability, susceptibility to replay attacks, weak randomness and weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces
  • Issues arising from whitelisted tokens


  • The conditions on which reproducing the bug is contingent.
  • The steps needed to reproduce the bug or, preferably, a proof of concept.
  • The potential implications of the vulnerability being abused.


  • Discover a previously unreported, non-public vulnerability in Bancor V3 (but not on any third party platform interacting with Bancor V3) that is within the scope of this Program. Vulnerabilities must be distinct from issues covered in any of the official security audits.
  • Be the first to disclose the unique vulnerability to, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24 hour period, rewards will be split at the discretion of Bprotocol Foundation.
  • Provide sufficient information to enable contributors to reproduce and fix the vulnerability.
  • Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of Bancor V3.
  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this program.
  • Not be a current or former vendor, contractor or subcontractor to the Bprotocol Foundation
  • Not be subject to Swiss sanctions or reside in a Swiss-embargoed country.
  • Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.

Out of Scope & Rules

  • Bugs in any third party contract or platform that interacts with Bancor V3.
  • Vulnerabilities already reported and/or discovered in contracts built by third parties on Bancor V3. We reserve the right to keep private previous bug disclosures.
  • Any previously reported bugs.
  • Attacks that the reporter has already exploited themselves, leading to damage.
  • Attacks requiring access to leaked keys/credentials.
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third party oracles (Note that oracle manipulation and flash loan attacks are included in the bounty)
  • Basic economic governance attacks (e.g. 51% attack)
  • Best practice critiques
  • Sybil attacks
  • Bugs in any third party contract or platform that interacts with the Bancor protocol (Note that oracle manipulation and flash loan attacks are included in the bounty)
  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets or private mainnet forks
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against contributors and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Other Terms




The only DeFi trading and staking protocol with Single-Sided Liquidity & 100% Impermanent Loss Protection

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to build a resilient DNS service

Real Time Detection of F5 RCE Vulnerability (CVE-2020–5902)

SSD’s Security Disclosure weekly news recap — April 1, 2021

Helping Platypus stay arbitrage-free

Cyber Risk Culture Part II

Privacy Policy Creation Guide

Voting service update released

Apply now for the position of Senior Account Executive

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


The only DeFi trading and staking protocol with Single-Sided Liquidity & 100% Impermanent Loss Protection

More from Medium

2022: Emerging New Tycoons as Hackers

Defi primer - how a hacker turned 0.04$ into 1.1 mil

iGain x Unstopppable Domains: Web3 Login Now Made Easier

Deus Finance Dao Hack 2