Uniswap Labs Blog

$15.5M Bug Bounty for Uniswap v4: The Largest in History
November 26, 2024

Today, we’re excited to launch a $15.5M bug bounty, the largest in history, for vulnerabilities found in Uniswap v4 core contracts.

Uniswap v4 is the latest evolution of the Uniswap Protocol, transforming it into a developer platform, unlocking new market structures and more assets to serve more users. This is made possible with the introduction of hooks — contracts that developers can create to customize how pools, swaps, fees, and LP positions interact. Hooks allow new features on top of the Uniswap Protocol.

Beyond hooks, v4 also saves LPs and swappers money. Pools on v4 are expected to be 99.99% cheaper to create and swappers can expect significant savings on multi-hop swaps. v4 was built in public with hundreds of community pull requests from over 90 developers — now we're excited for the community to help make v4 as secure as possible.

Commitment to security

Uniswap v4 is already among the most thoroughly reviewed codebases in DeFi, with nine independent audits by OpenZeppelin, Spearbit, Certora, Trail of Bits, ABDK, and Pashov Audit Group (reports on core and periphery). In addition to these audits, over 500 researchers participated in a $2.35M security competition, and no critical vulnerabilities were found. As deployment approaches, we’re taking an extra step to ensure v4 is as secure as possible with the $15.5M bug bounty.

Scope

This bounty covers vulnerabilities in the Uniswap v4 core contracts, available in the Uniswap v4 GitHub repository.

The following are not within the scope of the Program:

  • Third-party contracts that were not deployed by Uniswap Labs
  • Issues already listed in the audits for the contracts in the v4 repository
  • Bugs in third-party contracts or applications that use contracts deployed by Uniswap Labs
  • Issues flagged in previous internal reviews, competitions, and audits

Uniswap v4 periphery contracts are not in scope at this time. We expect to add them to the bug bounty program soon.

How to submit a report

All reports must be submitted directly to the v4 Bug Bounty Page on Cantina within 24 hours of discovery. Please include as much information as possible in submissions, including how to reproduce the bug and potential implications of the vulnerability being abused. Sharing more information makes it more likely the vulnerability can be investigated and potentially rewarded.

To be eligible for a reward, the report must be kept confidential until the issue is resolved. All submissions will be subject to the full bug bounty rules and disclosure requirements here. If you report a unique vulnerability that leads to a code change, you can choose to be recognized publicly.

Bug bounty now live

The $15.5M bug bounty goes live today. Explore the v4 codebase here and submit any vulnerabilities here. For full bug bounty rules and disclosure requirements, please see the v4 Bug Bounty Page on Cantina.

Follow @Uniswap on Twitter for updates on v4 and Uniswap Labs products.