# Security & Audits
Gearbox Protocol takes security seriously. The protocol has undergone multiple independent audits and maintains an active bug bounty program.
## Audit Reports
Gearbox smart contracts have been audited by leading security firms. The following reports cover the core protocol and its extensions:
| Auditor | Scope | Report |
|---|---|---|
| ChainSecurity | Core V3 | View Report |
| Consensys Diligence | Core V3 | View Report |
| Sigma Prime | V3 Integrations | View Report |
| ABDK | V3 Math Libraries | View Report |
Links above are placeholders. Visit the Gearbox security repository for the latest audit reports.
## Bug Bounty Program
Gearbox maintains an active bug bounty program on Immunefi, one of the largest Web3 security platforms.
- Platform: Immunefi
- Scope: Smart contracts, protocol logic, and integrations
- Rewards: Up to $1,000,000 for critical vulnerabilities (severity-dependent)
If you discover a potential vulnerability, please report it through the Immunefi platform rather than disclosing it publicly. Responsible disclosure is critical for protecting user funds.
## Bytecode Repository (BCR) Verification
Gearbox uses a Bytecode Repository (BCR) to ensure that only audited, verified bytecode is deployed on-chain. This provides an additional layer of security beyond source-code audits by verifying the exact compiled output.
For details on how BCR verification works and how to check deployed contracts, see BCR Verification.
## Security Contact
For security-related inquiries that do not fall under the bug bounty program:
- Email: security@gearbox.fi
- PGP Key: Available on the Gearbox security repository
Please do not report vulnerabilities via email. Use the Immunefi bug bounty program for all vulnerability disclosures.
## Security Practices
The Gearbox Protocol follows several security best practices:
- Multiple independent audits before each major release
- Formal verification of critical mathematical components
- Timelocks and multisig governance for parameter changes
- Immutable core logic with upgradeable configuration
- On-chain BCR verification ensuring only audited bytecode is deployed
- Continuous monitoring of protocol health and anomalous activity