Balancer Bug Bounty Program

About The Program

Balancer is a community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.

Balancer Pools contain two or more tokens that traders can swap between. Liquidity Providers put their tokens in the pools in order to collect swap fees.

Balancer adopts powerful features to slash gas costs, super-charge capital efficiency, unlock arbitrage with zero-token starting capital, and open the door to custom AMMs.

Rewards

Rewards for eligible bug reports will be based on the severity of the issue and distributed through the Immunefi vulnerability system. Rewards may range from 25 ETH to 1,000 ETH depending on the impact and complexity of the issue.

Payouts are handled by the Balancer team directly and are denominated in ETH. However, payouts are done in ETH or USDC, at the discretion of the team.

Rewards By Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

This bug bounty program has fixed rewards in ETH. The USD amounts reflected are only estimates.

All Critical/High severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Critical smart contract vulnerabilities are further capped at 10% of economic damage, primarily taking into account the funds at risk. However, there is a minimum reward of 250 ETH. Additionally, the maximum reward is capped at 1 000 ETH, even if 10% of the damage in USD equivalent is greater than the USD equivalent of 1 000 ETH.

High severity smart contract vulnerabilities are also further capped at 10% of economic damage, primarily taking into account the funds at risk. However, there is a minimum reward of 50 ETH. Additionally, the maximum reward is capped at 250 ETH, even if 10% of the damage in USD equivalent is greater than the USD equivalent of 250 ETH.

Vulnerabilities involving non-standard ERC20 tokens are considered out of scope, as it would be trivial to insert an exploit into a token for the sake of applying to this bug bounty. A standard, Balancer-compatible ERC20 token is one that conforms to all EIP-20 interfaces and exhibits expected behavior in implementation; i.e., transfers move exactly N tokens from sender to recipient, and balances do not change by any means other than transfers. Notably, tokens with transfer fees, rebasing supplies, streaming mechanics or multiple entrypoints are not compatible with Balancer, but that list is not exhaustive.

Known issues previously highlighted in the following audit reports are also considered out of scope:

• https://github.com/balancer-labs/balancer-v2-monorepo/tree/master/audits