1inch - Smart Contracts-logo

1inch - Smart Contracts

|

The 1inch ecosystem comprises interconnected smart contracts that aggregate liquidity from various decentralized exchanges to execute optimal token swaps.

Maximum Bounty
$500,000
Live Since
11 June 2026
Last Updated
15 July 2026
  • Triaged by Immunefi

  • PoC Required

  • KYC required

Select the category you'd like to explore

Assets in Scope

Target
Name
Limit Order Protocol
Added on
10 June 2026
Target
Name
Limit Order Settlement
Added on
10 June 2026
Target
Name
Token-plugins
Added on
10 June 2026
Target
Name
Farming Contracts
Added on
10 June 2026
Target
Name
Delegating Contracts
Added on
10 June 2026
Target
Name
Cross-chain Swap
Added on
10 June 2026
Target
Name
Solana Crosschain
Added on
10 June 2026
Target
Name
Solana Fusion
Added on
10 June 2026

Impacts in Scope

Severity
Critical
Title

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Severity
Critical
Title

Permanent freezing of funds

Severity
Critical
Title

Protocol insolvency

Severity
High
Title

Theft of unclaimed yield

Severity
High
Title

Permanent freezing of unclaimed yield

Severity
High
Title

Temporary freezing of funds

Severity
Medium
Title

Smart contract unable to operate due to lack of token funds

Severity
Medium
Title

Theft of coins or tokens (e.g gas) in a smart contract intended for transaction fees

Severity
Low
Title

Smart contract fails to deliver promised token amounts but the remaining token amounts is not stolen or lost and can still be claimed

Severity
Low
Title

Impacts caused by griefing with no economic damage other than transaction fees where fix requires a change or a pause of a smart contract

Out of scope

Program's Out of Scope information

These impacts are out of scope for this bug bounty program.

All Categories:

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers
  • Redundant code
  • Old compiler version
  • Code style guide violations
  • The compiler version is not locked
  • Theoretical or purely speculative exploits without demonstrated business impact

Blockchain/DLT & Smart Contract Specific:

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks
  • Micro gas optimizations (less than 1k of gas)
  • Lack of support for Fee-on-Transfer (FoT) tokens

Prohibited Activities:

  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts (Testing the integration logic on local forks is permitted)
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Accessing or modifying data belonging to other users
  • Submitting AI-generated reports
  • Spamming forms or account creation flows (even with low volume)
1inch - Smart Contracts Bug Bounties | Immunefi