Uniswap offers biggest ever ‘bug bounty’, promises up to $15.5 million to those who spot code vulnerabilities
Uniswap, one of the largest decentralized exchanges, says it will award $15.5 million to anyone who can find vulnerabilities in the latest version of its namesake protocol. The size of the reward—which the company says is the largest ever so-called “bug bounty”—is intended to ensure the latest evolution of the protocol, known as Uniswap v4, is as secure as possible.
The idea behind bug bounty programs, which are widely used in the tech sector, is to incentivize non-malicious hackers—known as “white hats”—to discover vulnerabilities in computer code before bad guys do.
Uniswap v4 builds on v3, which launched in 2021, and seeks to make transactions cheaper and more customizable. Uniswap is rolling out the bug bounty as the development phase comes to an end, and chose to make the award $15.5 million in order to beat out LayerZero, a cross-chain messaging protocol, which offered a $15 million bug bounty in 2023.
The newest version of the protocol has already gone through multiple security checks, including nine independent audits and a $2.35 million security competition in which 500 researchers participated and no severe vulnerabilities were found, the company said in a statement.
While v4’s security has been repeatedly evaluated, Uniswap is taking this extra step to ensure its protocol is theft-proof because it handles billions of dollars worth of volume every day and, once deployed, its contracts cannot be changed.
“The Uniswap protocol serves as critical infrastructure for DeFi, and has secured over $2.5 trillion in trading volume, and v4 introduces limitless customization,” said Hayden Adams, CEO of Uniswap Labs. “This $15.5m bug bounty is the largest in history, reflecting our commitment to building secure smart contracts for all the users and developers building on top.”
The program only covers bugs found in the Uniswap v4 core contracts and does not include “third party contracts that were not deployed by Uniswap Labs, issues already listed in the audits for the contracts in the v4 repository, bugs in third party contracts or applications that use contracts deployed by Uniswap Labs, or issues already known internally,” according to the statement.
Not all successful hackers will get $15.5 million. The payouts are based on a tiered approach that categorizes each bug using a risk score. The reward for discovering a “critical” bug is $15.5 million, while a “high” risk bug gets $1 million and a “medium” risk bug gets $100,000.
To be eligible for the reward, bugs must be reported within 24 hours of discovery and kept confidential until the issue is resolved.
These types of programs have been around since the 1980s, when a software company called Hunter and Ready first offered a Volkswagen Beetle, or “bug,” to anyone who could find a vulnerability in its operating system. Since then, bug bounties have become increasingly popular in the tech industry and are sometimes used by the U.S. government.