BitGo Bug Bounty

@bitgo
Live

Maximum reward: $75,000

Severity    Max. Reward
Critical    $75,000
High        $37,500
Medium      $2,500
Low         $1,500

No deposit required

Findings submitted

20

Start date

17 Mar 2026

The BitGo ETH Multisig is a secure multi-signature wallet protocol for Ethereum. It enables users to manage their digital assets collaboratively, requiring multiple parties to approve transactions before they are executed. Designed for reliability and flexibility, the protocol protects funds from single points of failure and unauthorized access, serving as a foundation for secure decentralized applications and asset custody solutions in the Web3 ecosystem.

Severity Definitions

Critical:

  • Allows bypassing multisig approval requirements (e.g., unauthorized transfers)
  • Fund draining via EVM opcode misuse (delegatecall, storage manipulation, etc.)
  • Arithmetic overflows/underflows causing direct fund loss or permanent lockout
  • Signature validation failures that let attackers spoof approvals
  • Admin or ownership takeover

High:

  • Non-critical exploits of EVM opcodes resulting in locked funds or denial of legitimate withdrawals
  • Vulnerabilities in balance management that lead to double spending or partial fund loss
  • Attacks on transaction ordering or replay bugs affecting multisig operations

Medium:

  • Logical issues allowing partial unauthorized control or manipulation of wallet state (without total asset loss)
  • Minor arithmetic miscalculations affecting user balances without enabling theft
  • Temporary DoS (e.g., unable to execute valid transactions for a short period)

Low:

  • Gas inefficiencies or waste that could lead to DoS or gas-griefing attacks
  • Minor implementation bugs with security implications

In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.

Prohibited Actions

  • No Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments. Use local test environments or private test setups.
  • No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
  • No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
  • No Conflict of Interest: Individuals currently or formerly employed by BitGo, or who contributed to the development of the affected code, are ineligible to participate.

Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within scope.
  • Provide sufficient information to reproduce and fix the issue.
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission.
  • Comply with all Program rules and applicable laws.
  • Not be a current or former employee of BitGo. BitGo employees are not eligible to participate in or receive rewards from this bounty program.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Other Terms

By submitting a report, you grant BitGo the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of BitGo. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.

Rewards are denominated and paid in USD or USDC at BitGo's discretion.