Immunefi
Blog
Platform
Bug Bounty ProgramsPR ReviewsAuditsAudit CompetitionsInvite OnlySafe HarborVaultsManaged TriageHelp Center
Security Researchers

Join Immunefi

Find bugs. Get paid.

Immunefi Profile PicHacker PledgingHelp for WhitehatsAll StarsLearnLeaderboardImmunefi Top 10 BugsWhitehat AwardsWhitehat Hall of FameCompetition FindingsResponsible Publication
Token
FoundationInstitutionalDocsIR ContactBuy IMU
LoginExplore BountiesGet Protected
Back to Explore
Audit Comp | Firedancer V1-logo

Audit Comp | Firedancer V1

|

Firedancer is a new validator client for Solana.

Solana
Infrastructure
Validator
C/C++

Live

29d: 20h remaining
Primary Pool
$700,000
All Stars Pool
$200,000
Podium Pool
$100,000
Start Date
09 April 2026
End Date
09 May 2026
Rewards Token
USDC
Lines of Code
636,000

  • Triaged by Immunefi

  • Runnable PoC Required

  • KYC required

Submit a Bug
InformationScopeResources

This Audit Competition Is Live!

$1,000,000 USD is available in rewards for finding eligible bugs in Firedancer v1 codebase of about 636,000 nSLOC.

KYC is required.

Firedancer v1 team will respond within 48 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to Firedancer v0.1 or Immunefi in the Firedancer v0.1 Audit Competition Discord channel.

In this contest bug fixes may be applied mid-contest. Further details are in the 'Assets In Scope' section.

When the Audit Competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.

Start Date
09 April 2026 17:00 UTC
End Date
09 May 2026 17:00 UTC

Rewards

Audit Comp | Firedancer V1 provides rewards in USDC on Solana, denominated in USD.

Rewards by Threat Level

Blockchain/DLT
Critical
Portion of the Reward Pool
High
Portion of the Reward Pool
Medium
Portion of the Reward Pool
Low
Portion of the Reward Pool
All categories *
Insight
Portion of the Reward Pool
Rewards Body

Frankendancer codebase (code that is ONLY reachable from fdctl/fddev) is not the focus of this contest, please report issues via the standing bug bounty.

The following reward terms are a summary; read our Standardized Audit Competition Reward Terms for full context.

The reward pool will be entirely distributed among participants. The size depends on the bugs found:

  • If no valid bugs are found, the reward pool will be $50,000 USD
  • If no High or Critical severity bugs are found, the reward pool will be $250,000 USD
  • If one or more High severity bugs are found, the reward pool will be $500,000 USD
  • If one or more Critical severity bug is found, the reward pool will be $1,000,000 USD

For this Audit Competition, duplicates are valid for a reward under the following conditions:

  • Duplicate reports for the same unfixed bug are valid
  • Once a fix is merged to main, new reports for that bug are invalid
  • Reports submitted before the fix are still eligible

Fixes may be applied mid-contest.

Private known issues are not valid.

Rewards are distributed among SRs according to Immunefi’s Standardized Competition Reward Terms and includes All Star Pool and Podium Pool reserved for All Star Program participants.

Reward Payment Terms

Payouts are handled by the Firedancer team directly and are denominated in USD. However, payments are done in USDC on Solana.

After the event has concluded and the final bug reports have been resolved, rewards will be distributed all at once based on Immunefi’s distribution formula.

View impacts in scope

Program Overview

Firedancer is a new, independent validator client for Solana, written from scratch in C.

  • Fast - Built using a low-latency, high-throughput concurrency model optimized for modern hardware.
  • Secure - Tile-based sandboxing with process, thread, and memory isolation. Each tile is an independent security domain.
  • Independent - A fully independent Solana protocol implementation, providing client diversity to the network.

Firedancer v1.0 is the first full, independent Solana validator client - all Agave dependencies from the v0.x hybrid client (Frankendancer) have been replaced with native C implementations.

KYC required

The submission of KYC information is a requirement for payout processing.

Participants must adhere to the Eligibility Criteria.

Proof of Concept

Proof of concept is always required for all severities.

Prohibited Activities

Default prohibited activities
  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

Total Assets in Scope
1