Uniswap
@uniswapLive
Maximum reward: $15,500,000

| Severity | Max. Reward |
|---|---|
| Critical | $15,500,000 |
| High | $1,000,000 |
| Medium | $100,000 |

Deposit required: $50
Findings submitted: 631
Start date: 26 Nov 2024

In scope
Scope categories: Smart Contracts, Websites, Other, Unichain L1 Contracts, Uniswap Infrastructure, Mobile Apps and Chrome Extension
| Severity | Min and Max Reward |
|---|---|
| Critical | Up to $15,500,000 |
| High | Up to $1,000,000 |
| Medium | Up to $100,000 |
| Low | Up to $0 |
| Informational | Up to $0 |
Smart Contract - Uniswap v4 Core
Critical Impact Examples (Maximum Reward: $15,500,000)
| Vulnerability Type | Example Scenario | Why Critical |
|---|---|---|
| Theft of Pooled Liquidity | Reentrancy in modifyLiquidity() allows draining all liquidity from a pool during a single transaction | Affects 20%+ of TVL, immediate user fund loss |
| Accounting Manipulation | Integer overflow in swap calculation lets attackers drain pool reserves | Protocol insolvency, affects all pools |
| Hook Bypass | Vulnerability allows bypassing before/after hooks on all swaps, enabling unauthorized state changes | Breaks core security assumptions, affects all v4 pools using hooks |
| Misconfigured Contract Takeover | A misconfigured core protocol component allows taking ownership or DoS | Catastrophic protocol-wide impact |
| Flash Accounting Bypass | Exploit in flash accounting system allows withdrawing funds without repaying | Direct theft, affects entire protocol TVL |
High Likelihood Indicators
- Exploitable by any user with basic knowledge
- Requires < $1,000 initial capital
- Can be executed in a single transaction
- No special timing or conditions needed
High Impact Examples (Maximum Reward: $1,000,000)
| Vulnerability Type | Example Scenario | Why High |
|---|---|---|
| Single Pool Drain | Bug in specific tick math allows draining high-value pools (e.g., WETH/USDC) | 0.5–20% of TVL affected |
| Oracle Manipulation | Time-weighted average price (TWAP) can be manipulated through specific transaction ordering | Price oracle compromise, affects dependent protocols |
| Lock Bypassing | Reentrancy mechanism can be bypassed to perform unauthorized nested operations | Security model violation, medium exploitation difficulty |
| Fee Collection Exploit | Bug allows claiming fees belonging to other LPs in specific conditions | Theft of unclaimed yield |
Medium Likelihood Indicators
- Requires specific pool configurations or parameters
- Needs coordination of multiple transactions
- Requires moderate capital ($10K–$100K)
- Timing-dependent or requires specific market conditions
Medium Impact Examples (Maximum Reward: $100,000)
| Vulnerability Type | Example Scenario | Why Medium |
|---|---|---|
| Tick Manipulation | Edge case in tick bitmap causes incorrect liquidity allocation or substantially different swap outcomes than expected | Undermines protocol guarantees, impacts only one pool |
| Rounding Errors | Minor rounding in specific edge cases causes dust-level losses (<$1 per tx) | Minimal economic impact |
Low Likelihood Indicators
- Requires rare combination of conditions
- Very specific pool parameters needed
- Affects only certain token pairs or configurations
- Limited economic incentive for attacker
Smart Contract – Other Uniswap Contracts
Critical Examples – Up to $2,250,000
| Contract Type | Example | Impact |
|---|---|---|
| Permit2 | Signature validation bypass allows spending any user's tokens | Affects all users using Permit2 |
| Universal Router | Command execution bug allows arbitrary calls with user's token approvals | Direct theft from router users |
High Examples – Up to $500,000
| Contract Type | Example | Impact |
|---|---|---|
| NFT Position Manager | Bug allows transferring someone else's liquidity position NFT | Theft of specific positions |
| Swap Router | Slippage protection can be bypassed, enabling sandwich attacks beyond tolerance | Affects individual swaps |
| Name | Description | Asset |
|---|---|---|
| V4 Core Contracts | - | |
| Universal Router Contract Code | - | |
| Permit2 Contract Code | - | |
| V3 Contract Code | - | |
| UniswapX Contract Code | - | |
| Uniswap Interface Code | - | |
| Calibur 7702 Delegation Contract | Deployed on Mainnet, Unichain, Base, Optimism, BNB. Testnet deployments on Unichain and Sepolia | - |
| Liquidity Launcher | - | |
| Continuous Clearing Auction | - | |
| Protocol Fees | - | |
Out of scope
- v4 hooks that were not developed by Uniswap Labs.
- Clickjacking (we do allow 3rd parties to iframe us)
- DDoS
- Bugs in third party code
- Dev branches that are not deployed in public packages or contracts
- Third party contracts that are not under the direct control of Uniswap Labs
- Issues already listed in the audits for the contracts above
- Bugs in third party contracts or applications that use Uniswap contracts
- Brute force attacks
- Rounding errors
- Cache-control header settings
- Extreme market turmoil vulnerability
- Gas optimization recommendations
- Task Hijacking (Strandhogg)
- Any vulnerability that is previously known by the Uniswap Labs team
- Certificate Pinning on Mobile
Unichain Out of Scope
- Core OP Stack code. Researchers should notify Optimism via their Immunefi Bedrock Bug Bounty Program
- Flashblocks
- UVN
- unichain-node repository
- unichain.org top level and docs.unichain.org