Uniswap Launches $15.5M Bug Bounty Program On Cantina To Strengthen Security

In Brief

Uniswap has launched a bug bounty program with rewards up to $15.5 million to incentivize researchers to identify security vulnerabilities across its protocol, contracts, and related infrastructure.

Decentralized exchange (DEX) Uniswap announced that it has introduced a new bug bounty initiative on the Web3 security platform Cantina, offering a maximum reward of $15.5 million

The initiative is intended to motivate researchers to identify and submit reports on security issues within the Uniswap protocol, associated websites, backend services, mobile and extended wallets, and related infrastructure

Uniswap protocol operates as a peer-to-peer framework intended for exchanging value, relying on a collection of permanent and non-upgradable smart contracts that are structured to run independently without requiring intermediaries.

The program covers vulnerabilities and defects found in the most recently deployed versions of designated Uniswap contracts, including V4 Core Contracts, the Universal Router Contract Code, the Permit2 Contract Code, the V3 Contract Code, the UniswapX Contract Code, as well as other components, along with commit b619b67 of the specified undeployed v4-core contracts

The initiative provides compensation based on the assessed severity of each vulnerability, categorized as critical, high, medium, or low, with corresponding maximum rewards of $15.5 million, $1 million, $100,000, and $50,000.

Bug Bounty Rules Require Confidential Reporting And Compliance For Rewards

According to the program requirements, any identified vulnerability must remain undisclosed to the public or to any external party until Uniswap Labs has been informed, has resolved the issue, and has granted approval for public disclosure

A report must also be submitted within twenty-four hours of discovering the vulnerability. A comprehensive explanation of the issue increases the likelihood of receiving a reward and may enhance the reward amount. Reports should include detailed information about the conditions necessary to reproduce the problem, the steps required to replicate it or a proof of concept, and the possible consequences if the vulnerability were to be exploited

Individuals who report a unique and previously unknown vulnerability that leads to a modification of the code or a configuration change, and who maintain confidentiality until the issue has been addressed, may receive public acknowledgment for their contribution if desired.

In order to qualify for a reward under the program, participants must identify a previously unreported and non-public vulnerability that is not already known to the Uniswap Labs team and falls within the defined scope. All requested KYC and supporting documentation must be provided. Eligibility requires being the first to submit the unique vulnerability while following the program’s disclosure rules, supplying enough detail for engineers to reproduce and correct the issue, and refraining from exploiting the vulnerability for any purpose other than receiving a reward through the program

Participants must avoid publicizing or using the vulnerability outside of confidential reporting, avoid actions that compromise privacy, damage data, or disrupt any assets within scope, and must not submit issues that stem from the same underlying cause as one previously rewarded. Disclosing the vulnerability must not involve unlawful behavior, including coercive or threatening conduct

Furthermore, participants must meet the age of majority, must not be located in regions subject to U.S. trade or economic sanctions or where participation is prohibited, and must not be current or former employees, vendors, or contractors who contributed to the relevant code. Full compliance with all program rules, including restrictions on prohibited actions, is required.