1inch Aqua is a decentralized protocol for creating and managing custom liquidity positions with flexible strategies and advanced features. However, unlike the primary Aqua bug bounty program, this focuses on improvements only that would otherwise be out of scope.
Triaged by Immunefi
PoC Required
KYC required
Rewards
Rewards by Threat Level
Primacy of Impact vs Primacy of Rules
1inch - Aqua Improvement adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.
Proof of Concept (PoC) Requirements
A PoC is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.
A demonstration of the proposal's value is required for this program. Depending on the type of improvement, this may take the form of:
- Before/after benchmarks (for gas optimizations or performance improvements)
- Test cases demonstrating accounting/invariant correctness
- A minimal reproducible example showing the integration issue or hardening gap
A brief implementation outline demonstrating how the change would be applied
Previous Audits
1inch’s completed audit reports can be found at https://github.com/1inch/1inch-audits. Any improvement suggestions mentioned in these reports are not eligible for a reward.
Rewards by Threat Level
Rewards are distributed according to the Impacts in Scope table.
Reward Calculation for All Reports
Reports under this program follow a goodwill payout process. There is no guaranteed minimum reward — 1inch retains full discretion on whether to provide a reward for any submitted improvement suggestion, and on the exact amount within the range of USD 100 to USD 25000 based on the demonstrated value of the proposal. Submission of a proposal does not entitle the proposer to a reward.
Other Limitations and Requirements
https://github.com/1inch/sdks asset is out-of-scope.
Within the https://github.com/1inch/swap-vm asset, the file src/strategies/AquaAMM.sol is explicitly out of scope. Vulnerabilities or improvements affecting this file are not eligible for rewards.
This license applies only to the assets explicitly listed in scope and does not extend to any other 1inch property or third-party dependencies.
Publishing or distributing modified versions of Aqua source code, binaries, or compiled artifacts in any form is prohibited, both during and after the embargoed period. After coordinated disclosure, only minimal technical details necessary to describe the vulnerability or fix may be shared, and only with prior written approval from 1inch consistent with the Responsible Publication policy above.
Each proposal should describe the rationale and expected impact, identify affected contracts or components, outline minimal tests and benchmarks, and, if relevant, note any migration considerations. A good PoC typically includes clear before/after evidence, a minimal reproducible example, and a brief implementation outline demonstrating how the change would be applied.
Immunefi Mediations are not possible with this bug bounty program as it only covers improvement suggestions. Any request for mediation will be closed.
Research License
Participants are granted a limited, non-exclusive, non-transferable license to compile, deploy, and test the Aqua codebase listed in the Assets in Scope table solely for the purpose of identifying vulnerabilities under this bug bounty program. This license:
- Is limited to local development environments, local forks, and testnets — production deployments and live mainnet usage are prohibited
- Does not permit redistribution, sublicensing, or commercial use of the code
- Does not transfer any intellectual property rights
- Provides safe harbor against claims under applicable computer fraud and copyright statutes (including but not limited to ARSL, EULA, DMCA, and CFAA) for actions taken in good faith and in compliance with the rules of this program
- Auto-terminates upon any breach of program rules, after which the safe harbor no longer applies and 1inch reserves all rights
This license applies only to the assets explicitly listed in scope and does not extend to any other 1inch property or third-party dependencies.
Publishing or distributing modified versions of Aqua source code, binaries, or compiled artifacts in any form is prohibited, both during and after the embargoed period. After coordinated disclosure, only minimal technical details necessary to describe the vulnerability or fix may be shared, and only with prior written approval from 1inch consistent with the Responsible Publication policy above.
Reward Payment Terms
Payouts are handled by the 1inch team directly and are denominated in USD. However, payments are done in USDC on Ethereum.
The calculation of the net amount rewarded is based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.
Reports and payout details may be checked against OFAC, EU, and UK sanctions lists prior to payment. Payment may be withheld, delayed, or refused entirely if prohibited by applicable law, sanctions regimes, or 1inch's compliance obligations. Researchers are responsible for ensuring their participation does not violate the laws of their jurisdiction.
Program Overview
For more information about 1inch, please visit https://1inch.com/.
1inch provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below. 1inch maintains six additional bug bounty programs on Immunefi. In addition to this, they are:
Audits
Completed audit reports for this project can be found at the links below.
Any unpatched or unresolved vulnerabilities disclosed in these reports are not eligible for rewards.
KYC required
The submission of KYC information is a requirement for payout processing.
Proof of Concept
Proof of concept is always required for all severities.
Responsible Publication
Category 3: Approval Required
Feasibility Limitations
The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.
Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.


