Audits & Bug Bounty
Reports on Gearbox Protocol security.
Join the Bug Bounty with Immunefi! Help Gearbox stay safe and be rewarded for it.
The scope of the bug bounty refers to the core contracts available in these repositories:
If you need more information on the protocol, please check:
NOTE: for bugs related to the interface which are just referring to typos and non-security related issues, please feel free to report them in a community Discord pro bono - and Gearbox community can maybe send nice GIFs your way. In case a bug you found is related to the interface and is outside of the scope, but has serious security concerns, please do report it as well and a bounty can be also decided ad-hoc. Again, you can ask all your questions in Discord.
Rewards are distributed according to the impact of the vulnerability. The final decision on the payout amount will be determined by the Gearbox DAO at its discretion.
As a report for transparency on the actions of the multisig, as well as the disclosures related to certain actions, you can keep an eye on this specific Discord announcement channel:
More info can also be found on GitHub:
In order to be considered for a reward, all bug reports must contain the following:
- Description of suspected vulnerability
- Steps to reproduce the issue so we can check it
- Your name and/or colleagues if you wish to be later recognized
- (Optional) A patch and/or suggestions to resolve the vulnerability
The following activities are prohibited by bug bounty program:
- Testing with mainnet or public testnet contracts: all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty