Audit Comp | Base Azul

Base Chain is a fast, low-cost, decentralized network that delivers sub-second, sub-cent global transactions. It is the foundation for a new economy where anyone, anywhere can participate.

Base
Blockchain
L2
Rust
Solidity

Live

Primary Pool: $175,000
All Stars Pool: $50,000
Podium Pool: $25,000
Start Date: 21 April 2026
End Date: 04 May 2026
Rewards Token: USDC
Lines of Code: 190,000
  • Runnable PoC Required

  • KYC required

Documentation

  • Offchain Components
  • Base Azul
  • Implementation Contracts

Build Commands, Test Commands, and How to Run Them

Detailed build commands, test commands, and run instructions are available in the README files and documentation within each GitHub repository:

Mid-Contest Code Updates

In this contest, bug fixes may be applied mid-contest.

The project is to keep changes private as far as possible. When changes need to be made public, the changelog will be updated here and in the Base Azul Audit Competition Discord channel. Publicly fixed bugs are invalid, and the scope is updated to the new code. All bug reports submitted before the fix was public will earn a reward. All bug reports submitted after are invalid. If a new bug is introduced by the project's fix, it is valid for a reward.

Mid-Contest Changelog

TBD

Asset Accuracy Assurance

Bugs found on assets incorrectly listed in-scope are valid.

Duplicate Rewarding

Duplicate submissions of bugs are valid under the following conditions:

  • Duplicate reports for the same unfixed bug are valid
  • Once a fix is publicly disclosed, new reports for that bug are invalid
  • Reports submitted before the fix are still eligible

Duplicate submissions of Insights are invalid.

Private Known Issues Reward Policy

Private known issues, meaning known issues that were not publicly disclosed, are not valid for a reward.

Primacy of Impact vs Primacy of Rules

Base adheres to the Primacy of Rules, meaning the whole bug bounty program is run strictly under the terms and conditions stated on this page.

KYC Requirement

Immunefi will be requesting KYC information to pay for successful bug submissions. The following information will be required:

  • Full name
  • Date of birth
  • Proof of address (either a redacted bank statement with the address or a recent utility bill)
  • Copy of Passport or other Government ID

Security researchers are required to submit KYC within 14 days of KYC being requested; otherwise their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.

Eligibility Criteria

Security researchers who wish to participate must adhere to the rules of engagement outlined in this program and cannot be:

  • On the OFAC SDN list
  • Official contributors, whether past or present
  • Employees and/or individuals closely associated with the project
  • Employees of Solana Foundation or any other Solana client project
  • Security auditors who directly or indirectly participated in the audit review

Insight Reporting

Insight reports may be submitted to this program and do not require a PoC. Insights are rewarded according to Immunefi’s Standardized Competition Reward Terms.

Dispute Resolution

If there is any dispute over bug reports between projects and security researchers, Immunefi has final say on validity and severity based on the terms of this program.

Responsible Publication

Whitehats may publish their bug reports after they have been fixed & paid or closed as invalid, with the following exceptions:

  • Bug reports in mediation may not be published until mediation has concluded and the bug report is resolved.

Immunefi may publish bug reports submitted to this program and a leaderboard of the participants and their earnings.

Feasibility Limitations

The project may receive reports that are valid (the bug and attack vector are real) and that cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may be mitigation measures that a project could take to prevent the bug's impact but that are not feasible or would require unconventional action; these should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards that, by default, state what security researchers and projects can or cannot cite when reviewing a bug report.

Immunefi Standard Badge

By adhering to Immunefi’s best practice recommendations, Base has satisfied the requirements for the Immunefi Standard Badge.