At Uniswap Labs, security is our top priority. The Uniswap Protocol has, to date, processed over $2T in all-time volume with zero hacks. We take security seriously, and so does our community. That’s why we’re excited to announce that we’re teaming up with Cantina to help scale our bug bounty program.
Bugs and vulnerabilities should now be submitted through the Uniswap Labs Cantina Bug Bounty Page. Rewards are allocated based on the severity of the bug disclosed and assets at risk (up to $2.25M).
Scope
The bug bounty program includes vulnerabilities and bugs in any contract deployed by Uniswap Labs as well as Uniswap interfaces. This includes production-deployed code from the following GitHub repositories:
- Universal Router Contract Code
- Permit2 Contract Code
- V3 Contract Code
- UniswapX Contract Code
- V2 Contract Code
- The Uniswap web interface
- The Uniswap mobile applications
- The Uniswap Chrome extension
If you find a bug in a smart contract outside of these repositories where user funds are at risk, the team will consider the issue to be in-scope for our bounty on a case by case basis.
The following are not within the scope of the Program:
- Third party contracts that were not deployed by Uniswap Labs
- Issues already listed in the audits for the contracts above
- Bugs in third party contracts or applications that use contracts deployed by Uniswap Labs
- Issues already known internally
Disclosure
Any vulnerability or bug discovered must be reported to the Uniswap Labs Cantina Bug Bounty Page.
The vulnerability must not be disclosed publicly or to any other person, entity, or email address before Cantina has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
- The conditions on which reproducing the bug is contingent
- The steps needed to reproduce the bug or, preferably, a proof of concept
- The potential implications of the vulnerability being abused
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution if they so choose.
Additional Information
By submitting your report, you grant Uniswap Labs any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
For full eligibility requirements, please visit the Uniswap Labs Cantina Bug Bounty Page.