Comment on page
- Issues already submitted by another user or known to the Safe team are not eligible for bounty rewards.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- The Safe core development team, employees, and all other people paid by Safe, directly or indirectly (including the external auditors), are not eligible for rewards.
- The Safe Bounty program considers several variables in determining rewards. Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Safe Bug Bounty panel.
The scope of the bug bounty program includes the core contracts related to the following releases of the Safe contracts:
Safe core contracts (version 1.4.1)
- Safe.sol (formerly GnosisSafe.sol)
- SafeL2.sol (formerly GnosisSafeL2.sol)
- SafeProxyFactory.sol (formerly GnosisSafeProxyFactory.sol)
- SafeProxy.sol (formerly GnosisSafeProxy.sol)
- MultiSend.sol, MultiSendCallOnly.sol, CreateCall.sol
- TokenCallbackHandler.sol (formerly DefaultCallbackHandler.sol), CompatibilityFallbackHandler.sol, HandlerContext.sol
Gnosis Safe core contracts (up to version 1.3.0)
- GnosisSafeProxyFactory.sol (formerly ProxyFactory.sol)
- GnosisSafeProxy.sol (formerly Proxy.sol)
- CreateAndAddModules.sol, MultiSend.sol, MultiSendCallOnly.sol, CreateCall.sol
- DefaultCallbackHandler.sol, CompatibilityFallbackHandler.sol, HandlerContext.sol
Safe Modules contracts
- Being able to steal funds
- Being able to freeze funds or render them inaccessible by their owners
- Being able to perform replay attacks on the same chain
- Being able to change Safe settings or module settings without the consent of owners
- Any files, Safe Modules, or libraries other than the ones mentioned above
- More efficient gas solutions
- Any points listed as an already known weaknesses
- Any points listed in the audit or formal verification results reports
- Any points fixed in a newer version
All bugs (they do not necessarily need to lead to a redeploy) will be considered for a bounty, but the severity of the threat will change the reward. Below are the reward levels for each threat severity and an example of such a threat.
An identified attack that could steal funds or tokens or lock user funds would be considered a high threat. Likewise, a reported bug that, on its own, leads to a redeploy of the code will always be regarded as a high threat.
An identified attack where it is possible to steal funds because of unexpected behavior on the user's part. Unexpected behavior here means the user can't anticipate and comprehend that they will lose the funds.
A way to avoid transaction fees or an exploit that in some way compromises the experience of other Safe users.
Safe will pay all bounties in ETH.
Please note that the submission's quality will factor into the level of compensation. A high-quality submission should include an explanation of how somebody can reproduce the bug.
Remember to include your ETH address so that you may be rewarded. If more than one address is specified, Safe will use only one at the discretion of the bounty program administrators. Anonymous submissions are welcome, too.
If you comply with the policies below when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.
We ask that:
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) data destruction and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as an attempted compromise of sensitive company data or probing for additional issues.
- You do not violate any other applicable laws or regulations.
Public disclosure of the bug or the indication of an intention to exploit it on Mainnet will make the report ineligible for a bounty. If in doubt about other aspects of the bounty, most of the Ethereum Foundation bug bounty program rules will apply here.