Balancer is a community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.
Balancer Pools contain two or more tokens that traders can swap between. Liquidity Providers put their tokens in the pools in order to collect swap fees.
Balancer adopts powerful features to slash gas costs, super-charge capital efficiency, unlock arbitrage with zero-token starting capital, and open the door to custom AMMs.
For more information about Balancer, please visit https://balancer.fi/.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
All Critical/High severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.
Critical smart contract vulnerabilities are further capped at 10% of economic damage, taking into account the funds at risk at the moment of the bug report submission. However, there is a minimum reward of USD 250 000. Additionally, the maximum reward is capped at USD 1 000 000, even if 10% of the damage in USD equivalent is greater than USD 1 000 000.
High severity smart contract vulnerabilities are also further capped at 10% of economic damage, taking into account the funds at risk at the moment of the bug report submission. However, there is a minimum reward of 50 000 USD. Additionally, the maximum reward is capped at USD 250 000, even if 10% of the damage is greater than USD 250 000.
Vulnerabilities involving non-standard ERC20 tokens are considered out of scope, as it would be trivial to insert an exploit into a token for the sake of applying to this bug bounty. A standard, Balancer-compatible ERC20 token is one that conforms to all EIP-20 interfaces and exhibits expected behavior in implementation; i.e., transfers move exactly N tokens from sender to recipient, and balances do not change by any means other than transfers. Notably, tokens with transfer fees, rebasing supplies, streaming mechanics or multiple entrypoints are not compatible with Balancer, but that list is not exhaustive.
Known issues such as those previously highlighted in the following audit report are considered out of scope (list is not exhaustive):
Payouts are handled by the Balancer team directly and are denominated in USD. However, payouts are done in ETH or USDC, at the discretion of the team.
- Up to USD $1,000,000
- Up to USD $250,000
- Up to USD $25,000
Assets in scope
- Smart Contract - BalancerGovernanceTokenType
- Smart Contract - AuthorizerType
- Smart Contract - VaultType
- Smart Contract - WeightedPoolFactoryType
- Smart Contract - WeightedPool2TokensFactoryType
- Smart Contract - ComposableStablePoolFactoryType
- Smart Contract - MetaStablePoolFactoryType
- Smart Contract - NoProtocolFeeLiquidityBootstrappingPoolFactoryType
- Smart Contract - BatchRelayerLibrary (V6)Type
- Smart Contract - BalancerRelayer (V6)Type
- Smart Contract - AuthorizerAdaptorType
- Smart Contract - BALTokenHolderFactoryType
- Smart Contract - BalancerTokenAdminType
- Smart Contract - GaugeAdder (V4)Type
- Smart Contract - VotingEscrowType
- Smart Contract - GaugeControllerType
- Smart Contract - BalancerMinterType
- Smart Contract - LiquidityGaugeV5 (V2)Type
- Smart Contract - LiquidityGaugeFactory (V2)Type
- Smart Contract - SingleRecipientGaugeFactory (V2)Type
- Smart Contract - VotingEscrowDelegation (V2)Type
- Smart Contract - VotingEscrowDelegationProxyType
- Smart Contract - ArbitrumRootGaugeFactory (V2)Type
- Smart Contract - PolygonRootGaugeFactory (V2)Type
- Smart Contract - FeeDistributor (V2)Type
- Smart Contract - SmartWalletCheckerType
- Smart Contract - DistributionSchedulerType
- Smart Contract - RewardsOnlyGaugeType
- Smart Contract - ChildChainGaugeFactory V2Type
- Smart Contract - ChildChainLiquidityGaugeFactory (V2)Type
All smart contracts of Balancer can be found at https://github.com/balancer-labs/balancer-v2-monorepo. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.
If a Critical impact can be caused to any other asset managed by Balancer that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
- Theft of >1% of total funds in the VaultCriticalImpact
- Permanent freezing of >1% of total funds in the VaultCriticalImpact
- Theft of funds in excess of gas costs or swap feesHighImpact
- Permanent freezing of funds in excess of gas costs or swap feesHighImpact
- Temporary freezing of funds in excess of gas costs or swap feesMediumImpact
- Permanent freezing of unclaimed yieldMediumImpact
- Theft of unclaimed yieldMediumImpact
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty