Aztec Network Bug Bounty
Maximum reward
$50,000
Severity
Max. Reward
Critical$50,000
High$10,000
Medium$3,000
Low$1,000
Deposit required
$30
Findings submitted
11
Start date
4 May 2026
Please sign in as a researcher to join the bounty.
Log inIn scope
Severity
Min and Max Reward
Critical$10,000 to $50,000
High
$5,000 to $10,000
Medium
$3,000
Low
$1,000
Smart contracts in scope.
Rewards by Threat Level
Reward Calculation for Critical Level Reports
For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 50 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 10 000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.
Repeatable Attack Limitations
-
If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.
-
For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.
Reward Calculation for High Level Reports
High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 5 000 to USD 10 000 depending on the funds at risk, capped at the maximum high reward.
In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.
Reward Payment Terms
Payouts are handled by the Aztec Foundation directly and are denominated in USD. However, payments are done in USDC on Ethereum.
The calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability
Aztec Network’s codebase can be found at https://github.com/AztecProtocol.
Documentation and further resources can be found on https://docs.aztec.network/.
Name | Description | Asset |
|---|---|---|
| aztec-packages/l1-contracts/src/shared | All libraries used by deployed contracts |
aztec-packages/l1-contracts/src/core
Name | Description | Asset |
|---|---|---|
| Rollup.sol | ||
| EscapeHatch.sol | ||
| Inbox.sol | ||
| Outbox.sol | ||
| FeeJuicePortal.sol | ||
| RewardBooster.sol | ||
| Slasher.sol | ||
| TallySlashingProposer.sol | ||
| All libraries used by above listed contracts | All libraries used by above listed contracts under aztec-packages/l1-contracts/src/core |
aztec-packages/l1-contracts/src/governance
In-scope contracts under aztec-packages/l1-contracts/src/governance
Name | Description | Asset |
|---|---|---|
| CoinIssuer.sol | ||
| Governance.sol | ||
| GSE.sol | ||
| GovernanceProposer.sol | ||
| Registry.sol | ||
| RewardDistributor.sol | ||
| All libraries used by above listed contracts | All libraries used by above listed contracts under aztec-packages/l1-contracts/src/governance |
aztec-packages/l1-contracts/src/periphery
In-scope contracts under aztec-packages/l1-contracts/src/periphery
Name | Description | Asset |
|---|---|---|
| FlushRewarder.sol | ||
| All libraries used by above listed contracts | All libraries used by above listed contracts under aztec-packages/l1-contracts/src/periphery |
aztec-packages/barretenberg/sol/src/honk
In-scope contracts under aztec-packages/barretenberg/sol/src/honk
Name | Description | Asset |
|---|---|---|
| BaseHonkVerifier.sol | ||
| All libraries used by above listed contracts | All libraries used by above listed contracts under aztec-packages/barretenberg/sol/src/honk |
ignition-contracts/src/
In-scope contracts under ignition-contracts/src/
Name | Description | Asset |
|---|---|---|
| ProtocolTreasury.sol | ||
| GovernanceAcceleratedLock.sol | ||
| VirtualAztecToken.sol | ||
| Registry.sol | ||
| ATPFactory.sol | ||
| LATP.sol | ||
| MATP.sol | ||
| NCATP.sol | ||
| BaseStaker.sol | ||
| Aztec.sol | ||
| StakingRegistry.sol | ||
| ATPNonWithdrawableStaker.sol | ||
| ATPWithdrawableStaker.sol | ||
| ATPWithdrawableAndClaimableStaker.sol | ||
| ATPWithdrawableAndClaimableStakerV2.sol | ||
| All libraries used by above listed contracts | All libraries used by above listed contracts under ignition-contracts/src/ |
Out of scope
Previous Audits
Aztec Network’s completed audit reports can be found at https://github.com/AztecProtocol/audit-reports. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
Impacts out of scope
These impacts are out of scope for this bug bounty program.
All Categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers
Blockchain/DLT & Smart Contract Specific:
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
Default Out of Scope
All items listed at https://docs.cantina.xyz/evaluations-and-standards/severity-classifications/bug-bounty-finding-severity#out-of-scope