1inch Aqua is a decentralized protocol for creating and managing custom liquidity positions with flexible strategies and advanced features. However, unlike the primary Aqua bug bounty program, this focuses on improvements only that would otherwise be out of scope.
Triaged by Immunefi
PoC Required
KYC required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Accounting/invariant correctness (liquidity shares, fees/rewards, rounding/precision)
Enhancements to existing protocol mechanics that materially improve user value, safety, or capital efficiency without introducing fundamentally new functionality
Integration fixes where 1inch-specific configuration/initialization of third-party libraries creates risk
Substantial gas efficiency improvements (≥1k gas net savings per typical user transaction on hot paths)
Security hardening of existing contracts (tighter authorization/roles, reentrancy mitigations, invariant enforcement)
MEV/price-manipulation resistance (oracle usage, slippage/deadline handling, sandwich protection, excluding TWAP)
Out of scope
These impacts are out of scope for this bug bounty program.
All Categories:
- Proposals previously submitted by another researcher (first-proposer policy applies)
- Proposals already documented in publicly available audit reports listed in the Previous Audits section
- Proposals that overlap with publicly known roadmap items, unless providing substantial new insight or a materially better implementation
- Proposals submitted as AI-generated content without meaningful researcher analysis or original contribution
- Proposals lacking the demonstrations described in the PoC Requirements section
- Redundant code
- Old compiler version
- Code style guide violations
- The compiler version is not locked
- Theoretical or purely speculative exploits without demonstrated business impact
Blockchain/DLT & Smart Contract Specific:
- Changes that weaken security/correctness or materially increase complexity risk
- Pure refactors (style/naming/comments) without measurable security or cost impact
- Compiler/pragma/lint/config changes that do not demonstrably improve safety or efficiency
- New features or protocol mechanics (feature requests) rather than improvements to existing contracts
- Duplicates of known issues/roadmap items, unless providing substantial new insight or a materially better solution
- Micro gas optimizations (< 1k gas net savings per typical user transaction on hot paths) or changes that merely shift costs between paths without net benefit
- Proposals dependent on third-party code we do not control, or targeting imported libraries, except where 1inch-specific integration/initialization causes the issue
- Off-chain only suggestions (UI, backend, indexers, docs) unless they directly and materially improve on-chain security
Prohibited Activities:
- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts (Testing the integration logic on local forks is permitted)
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Accessing or modifying data belonging to other users
- Submitting AI-generated reports
- Spamming forms or account creation flows (even with low volume)
- Any testing of proposals on mainnet or public testnet deployments — testing should be done on local forks only
- Submitting AI-generated proposals without substantive original analysis or contribution
- Submitting low-quality or spam proposals (multiple repetitive proposals with minimal substantive difference will be treated as spam)
- Attempting phishing or social engineering against 1inch employees or contractors
Public disclosure of any proposal details prior to receiving 1inch's explicit written approval, in accordance with the Responsible Publication policy


