Balancer is a community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.
Balancer Pools contain two or more tokens that traders can swap between. Liquidity Providers put their tokens in the pools in order to collect swap fees.
Balancer adopts powerful features to slash gas costs, super-charge capital efficiency, unlock arbitrage with zero-token starting capital, and open the door to custom AMMs.
For more information about Balancer, please visit https://balancer.fi/.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
This bug bounty program has fixed rewards in ETH. The USD amounts reflected are only estimates.
All Critical/High severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.
Critical smart contract vulnerabilities are further capped at 10% of economic damage, primarily taking into account the funds at risk. However, there is a minimum reward of 250 ETH. Additionally, the maximum reward is capped at 1 000 ETH, even if 10% of the damage in USD equivalent is greater than the USD equivalent of 1 000 ETH.
High severity smart contract vulnerabilities are also further capped at 10% of economic damage, primarily taking into account the funds at risk. However, there is a minimum reward of 50 ETH. Additionally, the maximum reward is capped at 250 ETH, even if 10% of the damage in USD equivalent is greater than the USD equivalent of 250 ETH.
Vulnerabilities involving non-standard ERC20 tokens are considered out of scope, as it would be trivial to insert an exploit into a token for the sake of applying to this bug bounty. A standard, Balancer-compatible ERC20 token is one that conforms to all EIP-20 interfaces and exhibits expected behavior in implementation; i.e., transfers move exactly N tokens from sender to recipient, and balances do not change by any means other than transfers. Notably, tokens with transfer fees, rebasing supplies, streaming mechanics or multiple entrypoints are not compatible with Balancer, but that list is not exhaustive.
Known issues previously highlighted in the following audit reports are also considered out of scope:
Payouts are handled by the Balancer team directly and are denominated in ETH. However, payouts are done in ETH or USDC, at the discretion of the team.
- Up to 1,000 ETH (~Up to USD $1,000,000)
- Up to 250 ETH (~Up to USD $250,000)
- 25 ETH (~Up to USD $25,000)
Assets in scope
- Smart Contract - BalancerGovernanceTokenType
- Smart Contract - AuthorizerType
- Smart Contract - VaultType
- Smart Contract - WeightedPoolFactoryType
- Smart Contract - WeightedPool2TokensFactoryType
- Smart Contract - StablePoolFactoryType
- Smart Contract - MetaStablePoolFactoryType
- Smart Contract - InvestmentPoolFactoryType
- Smart Contract - NoProtocolFeeLiquidityBootstrappingPoolFactoryType
- Smart Contract - BatchRelayerLibraryType
- Smart Contract - BalancerRelayerType
- Smart Contract - AaveLinearPoolFactoryType
- Smart Contract - StablePhantomPoolFactoryType
- Smart Contract - AuthorizerAdaptorType
- Smart Contract - BALTokenHolderFactoryType
- Smart Contract - BalancerTokenAdminType
- Smart Contract - GaugeAdderType
- Smart Contract - VotingEscrowType
- Smart Contract - GaugeControllerType
- Smart Contract - BalancerMinterType
- Smart Contract - LiquidityGaugeV5Type
- Smart Contract - LiquidityGaugeFactoryType
- Smart Contract - SingleRecipientGaugeFactoryType
- Smart Contract - VotingEscrowDelegationType
- Smart Contract - VotingEscrowDelegationProxyType
- Smart Contract - ArbitrumRootGaugeFactoryType
- Smart Contract - PolygonRootGaugeFactoryType
- Smart Contract - FeeDistributorType
- Smart Contract - SmartWalletCheckerType
- Smart Contract - DistributionSchedulerType
- Smart Contract - RewardsOnlyGaugeType
- Smart Contract - ChildChainStreamerType
- Smart Contract - ChildChainLiquidityGaugeFactoryType
All smart contracts of Balancer can be found at https://github.com/balancer-labs/balancer-v2-monorepo. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.
If a Critical impact can be caused to any other asset managed by Balancer that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
- Theft of >1% of total funds in the VaultCriticalImpact
- Permanent freezing of >1% of total funds in the VaultCriticalImpact
- Theft of funds in excess of gas costs or swap feesHighImpact
- Permanent freezing of funds in excess of gas costs or swap feesHighImpact
- Temporary freezing of funds in excess of gas costs or swap feesMediumImpact
- Permanent freezing of unclaimed yieldMediumImpact
- Theft of unclaimed yieldMediumImpact
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty