Uniswap’s New Bug Bounty the Largest Ever at $15.5M
In a groundbreaking move for the decentralized finance (DeFi) sector, Uniswap Labs has announced the launch of a staggering $15.5 million bug bounty program for its upcoming Uniswap v4 core contracts. This initiative, launched on November 26, 2024, marks a significant milestone in DeFi security, aiming to attract the sharpest minds to ensure the robustness of what could be one of the most influential updates in blockchain technology.
Commitment to Security
Uniswap v4 isn't just another update; it's a transformation into a more developer-friendly platform. With the introduction of hooks, developers can now tailor interactions within pools, swaps, fees, and liquidity provider (LP) positions, opening up new possibilities for market structures and assets. This version promises to reduce costs dramatically, with pool creation being 99.99% cheaper and significant savings on multi-hop swaps. The community's involvement has been monumental, with contributions from over 90 developers through hundreds of pull requests, reflecting the open-source ethos of blockchain development.
Underscoring Uniswap Labs' commitment to security, Uniswap v4 has already undergone nine independent audits by renowned firms like OpenZeppelin, Spearbit, Certora, Trail of Bits, ABDK, and Pashov Audit Group. These audits have covered both core and peripheral aspects of the protocol. Additionally, a previous $2.35 million security competition engaged over 500 researchers, with no critical vulnerabilities detected. The $15.5 million bug bounty further elevates this commitment, providing an unprecedented incentive for uncovering any potential weaknesses as deployment nears.
The focus of this bounty is strictly on the Uniswap v4 core contracts, accessible through the Uniswap v4 GitHub repository. However, several elements are explicitly excluded from the bounty's scope. These include third-party contracts not deployed by Uniswap Labs, issues already documented in prior audits, bugs in third-party applications interfacing with Uniswap contracts, and previously identified issues from internal reviews and competitions. Currently, the periphery contracts of v4 are not included but are slated for future inclusion in the program.
For those eager to participate, the process is straightforward yet stringent. All discoveries must be reported directly to the v4 Bug Bounty Page on Cantina within 24 hours of being found. Reports should be detailed, providing clear steps to reproduce the vulnerability and highlighting potential risks if exploited. The confidentiality of these reports is paramount until the vulnerability is addressed, ensuring that the community's trust and the protocol's integrity are maintained. Successful reporters of unique vulnerabilities that lead to code changes have the option to be publicly acknowledged for their contributions.
Bug Bounty Now Live
The $15.5 million bug bounty is now active, inviting the global community to delve into the v4 codebase. By fostering such an engaging and rewarding environment, Uniswap not only strengthens its security but also continues to lead by example in the DeFi space. This bounty is more than just a call for bug hunters; it's an invitation to be part of a pivotal moment in blockchain history, ensuring that Uniswap v4 will be as secure as it is innovative.
Explore the v4 codebase and submit your findings, helping to build a safer and more efficient DeFi ecosystem. The full details of the bug bounty rules and disclosure requirements are available on the v4 Bug Bounty Page on Cantina, marking what could be the beginning of a new era in decentralized trading platforms.