Uniswap

@uniswap

Live

Maximum reward

$15,500,000

Severity

Max. Reward

Critical

$15,500,000

High

$1,000,000

Medium

$100,000

Findings submitted

432

Start date

26 Nov 2024

Please sign in as a researcher to join the bounty.

Instructions Scope

In scope

Smart Contracts Websites Other Unichain L1 Contracts Unichain Infrastructure

Severity

Min and Max Reward

Critical

Up to $15,500,000

High

Up to $1,000,000

Medium

Up to $100,000

The Program includes vulnerabilities and bugs in the latest deployed versions of the specified Uniswap contracts below, and commit b619b67 of the specified undeployed v4-core contracts. These files are found within the following GitHub repositories.

However if you find a bug in a Uniswap smart contract outside of these repositories, where user funds are at risk, the team will consider the issue to be in-scope for our bounty as an Other Uniswap Contract Code (for purposes of payout eligibility). Additionally, we anticipate adding v4-periphery to the Program soon.

Asset	Description
V4 Core Contracts	https://github.com/Uniswap/v4-core/tree/b619b6718e31aa5b4fa0286520c455ceb950276d
Universal Router Contract Code	https://github.com/Uniswap/universal-router
Permit2 Contract Code	https://github.com/Uniswap/permit2
V3 Contract Code	https://github.com/Uniswap/v3-core
UniswapX Contract Code	https://github.com/Uniswap/UniswapX
Uniswap Interface Code	https://github.com/Uniswap/interface
Calibur 7702 Delegation Contract	Deployed on Mainnet, Unichain, Base, Optimism, BNB. Testnet deployments on Unichain and Sepolia

Out of scope

V4 Periphery Contracts
v4 hooks that were not developed by Uniswap Labs.
Clickjacking (we do allow 3rd parties to iframe us)
DDOS
Bugs in third party code
Dev branches that are not deployed in public packages or contracts
Third party contracts that are not under the direct control of Uniswap Labs
Issues already listed in the audits for the contracts above
Bugs in third party contracts or applications that use Uniswap contracts
Brute force attacks
Rounding errors
Cache-control header settings
Extreme market turmoil vulnerability
Gas optimization recommendations
Task Hijacking (Strandhogg)
Any vulnerability that is previously known by the Uniswap Labs team
Certificate Pinning on Mobile
Cache-control header settings

Unichain Out of Scope

Core OP Stack code. Researchers should notify Optimism via their Immunefi Bedrock Bug Bounty Program
Flashblocks
UVN
unichain-node repository
unichain.org top level and docs.unichain.org