Live since: 22 April 2021
KYC required

Program Overview

Polymath makes it easy to create, issue, and manage tokens on the blockchain. Over 200 tokens have been deployed using our Ethereum-based solution, and we are now in the midst of launching the mainnet of Polymesh, an institutional-grade blockchain built specifically for regulated assets. It streamlines antiquated processes and opens the door to new financial instruments by solving the inherent challenges that public infrastructure has around identity, compliance, confidentiality, and governance.

For more detailed information about Polymath, you can read their whitepaper.

Polymesh currently powers their testnet, and the aim of the Bug Bounty program is to find bugs in Polymesh in order to make it more robust.

The program is focused on Polymesh's smart contracts and is mostly concerned with the loss of user funds and denial of service.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability, using the following severity categories:

Critical: Transaction manipulation/censorship, double-spending, POLY/POLYX minting, unauthorized token minting, stalled or undermined consensus/network, governance censorship or compromise, manipulation of signing keys or master keys to gain unauthorised access to an identity.

High: Ability to make an extrinsic panic unexpectedly without proper handling, to block the on-chain governance system from its expected behaviour, or to block other users from performing expected tasks (griefing).

Medium: Ability to put chain data into an unexpected state that otherwise causes no disruption, or to force the emission of incorrect events.

Low: DoS of the operator nodes, incorrect data being logged through events.

Smart Contracts and Blockchain

Critical: Up to USD $3,000 - USD $5,000
High: Up to USD $1,000 - USD $3,000
Medium: Up to USD $250 - USD $750
Low: Up to USD $100 - USD $300
None: USD $0

Variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).

Payouts are handled by the Polymath team directly and are denominated in USD. However, payouts are done in USDC.

Assets in Scope


In addition to those listed above, the following repositories, sources and sites are explicitly out of scope of the Program:


While researching, please refrain from:

  • Denial of service in general and of Public RPC nodes
  • Attacks that consume a substantial amount of Kovan ETH, Kovan POLY or Testnet POLYX and which would otherwise be cost-prohibitive on mainnet
  • Spamming
  • Social engineering (including phishing) of Polymath staff
  • Any physical attempts against Polymath property or data centres