Aztec Network Bug Bounty
Maximum reward: $50,000

| Severity | Max. Reward |
|---|---|
| Critical | $50,000 |
| High | $10,000 |
| Medium | $3,000 |
| Low | $1,000 |

Deposit required: $30
Findings submitted: 11
Start date: 4 May 2026
Program Overview
Aztec Network is a privacy-focused Ethereum Layer 2 that enables developers to build fully private smart contracts and decentralized applications using zero-knowledge cryptography. For more information about Aztec Network, please visit https://aztec.network/. The Aztec Foundation provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.
Privacy-preserving eligibility check
Aztec Network will be requesting a compliance check in order to pay for successful bug submissions. This will be executed through ZKPassport or alternatively Sumsub if ZKPassport is not preferred.
Eligibility Criteria
Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:
- On OFAC's SDN list
- An official contributor, past or present
- An employee of, or an individual closely associated with, the project
- A security auditor who directly or indirectly participated in the audit review
Submission Guidelines
- Information on submitting findings can be found here
POC Requirement
Your Proof of Concept must compile and demonstrate the impact of the issue. Additional details that help reviewers:
- Mention which test file it’s part of
- Ensure it’s valid for the audit branch
- Note any additional requirements for the PoC to run
- Provide the PoC output
- Explain the PoC output vs. expected output
How Severity is Calculated
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
| Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|---|
| Likelihood: High | Critical | High | Medium | Low |
| Likelihood: Medium | High | High | Medium | Low |
| Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions
Smart contract
| Severity | Description |
|---|---|
| Critical | Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results. |
| Critical | Direct, unconstrained exploitability with irreversible outcomes. No preconditions required. Generally $100M+ in potential losses. |
| Critical | Permanent freezing of funds. |
| Critical | Protocol insolvency. |
| High | Theft of unclaimed yield. |
| High | Permanent freezing of unclaimed yield. |
| High | Temporary freezing of funds. |
| Medium | Smart contract unable to operate due to lack of token funds. |
| Medium | Block stuffing. |
| Medium | Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol). |
| Medium | Theft of gas. |
| Medium | Unbounded gas consumption. |
| Low | Contract fails to deliver promised returns, but doesn't lose value. |
In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.
Likelihood Definitions
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Prohibited Actions
- Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Disclosure Requirements
You must report vulnerabilities directly to the Spearbit/Cantina platform. Please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Other Terms
By submitting a report, you grant Aztec Network the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Aztec Network. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.