Uniswap unveils $15.5M core contracts bug bounty ahead of v4 launch

From cointelegraph by Tristan Greene

Uniswap Labs announced the launch of what it deems “the largest bounty in history” ahead of the Uniswap v4 release.

The bounty program, currently underway, features payouts ranging from $2,000 up to the full $15.5 million purse for the discovery of unique vulnerabilities resulting in code change.

In order to achieve the highest payouts, bounty hunters will need to uncover a critical flaw or exploit in the Uniswap v4 core contracts code, per the terms of the program.

“Introducing the largest bug bounty in history. We're rewarding up to $15.5M to anyone that finds a critical vulnerability in v4 core contracts. Find a critical bug, become a millionaire.”

Bug bounty

It’s unclear if this is the biggest bounty program in history. For comparison, bug bounty platform Immunefi reportedly paid out a $14.82 million bounty in 2021 as part of its ongoing security efforts.

Other notable bounty payouts include Google’s highest-ever vulnerability discovery payout of $605,000 in 2022, a year in which the company paid out a reported total of $12 million. And, more recently, Microsoft announced $4 million in cloud and AI bounties.

Based on available data, Uniswap’s $15.5 million bounty would become the largest in recent memory if it were claimed in a single payout.

However, according to Uniswap Labs, over 500 researchers participated in its previously held $2.35 million security competition for the unreleased v4, and no critical vulnerabilities were found. The firm said the $15.5 million program is “an extra step to ensure v4 is as secure as possible.”

The maximum payout of $15.5 million is only available to researchers who discover unique vulnerabilities in the Uniswap v4 core contracts code that result in code change.

A table demonstrating top payout requirements for Uniswap Lab’s $15.5 millionbounty program. Source: Uniswap Labs/Cantina

Vulnerabilities deemed “critical” will be eligible for the top payout, according to the program’s details, while those labeled “high” could qualify for a payment of up to $1 million. Payouts dip to $100,000 for “medium” risk vulnerabilities and those for low-risk vulnerability findings will be paid out on a “discretionary” basis.

Beyond the core contracts code, the program also covers vulnerabilities in “other contracts,” other websites, back ends, and Uniswap v4 wallet codes.

Magazine: Make Ethereum feel like Ethereum again: Based rollups explained