Agglayer

@agglayer
Live

Maximum reward: $1,000,000

Severity    Max. Reward
Critical    $1,000,000
High        $20,000
Medium      $5,000

Findings submitted: 2

Start date: 14 Oct 2025


Agglayer is a cross-chain settlement layer that connects the liquidity and users of any blockchain for fast, low cost interoperability and growth.

The Agglayer's Vault Bridge is a customizable yield-generating mechanism that provides L2s with a native revenue stream. It is designed to help EVM chains move toward a more durable, less extractive economic model for funding ecosystem growth. For more information about Agglayer, see https://www.agglayer.dev/

Prohibited Actions

  • No Unauthorized Testing on Production Environments:
    Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

  • No Public Disclosure Without Consent:
    Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

  • No Exploitation or Data Exfiltration:
    Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

  • No Conflict of Interest:
    Individuals currently or formerly employed by Polygon, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Please report vulnerabilities directly through the Spearbit/Cantina platform, and include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue, ideally with a proof of concept.
  • Details on the conditions under which the issue occurs.
  • Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within the defined scope.
  • Provide sufficient information to reproduce and fix the vulnerability.
  • Not have exploited the vulnerability in any malicious manner.
  • Not have disclosed the vulnerability to third parties before receiving permission.
  • Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity definition

Notes

  • You must be able to prove the real exploitability/severity of a report without doubt or assumptions, based on the current state of the blockchain at the time of the report.
  • Reports are classified by Impact and Likelihood/Probability, using common frameworks such as CVSS. The combination of the two determines the severity, which is assessed at Polygon's sole discretion.
  • Actual reward amounts are determined at Polygon's sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.

Other Terms

  • By submitting a report, you grant Polygon the rights necessary to investigate, mitigate, and disclose the vulnerability.

  • Reward decisions and eligibility are at the sole discretion of Polygon.

  • The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.

  • Payouts are handled by the Polygon Labs team directly and are denominated in USD. Payouts are made in USDC or POL at the Polygon Labs team's discretion.

  • Polygon Labs commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures.

  • POL payouts will be valued using a 5-day TWAP (time-weighted average price) calculated from the payment date.

  • Polygon Labs requires an invoice to be received for each payout. An invoice template can be provided by Polygon Labs.

  • This bug bounty program is only open to individuals who reside outside of the countries that are restricted by OFAC and by UNSC resolutions.

  • If the individual is a US person, tax information may be required in order to properly issue a 1099.