1inch - Aqua Improvement-logo

1inch - Aqua Improvement

|

1inch Aqua is a decentralized protocol for creating and managing custom liquidity positions with flexible strategies and advanced features. However, unlike the primary Aqua bug bounty program, this focuses on improvements only that would otherwise be out of scope.

Maximum Bounty
$25,000
Live Since
11 June 2026
Last Updated
15 July 2026
  • Triaged by Immunefi

  • PoC Required

  • KYC required

Select the category you'd like to explore

Assets in Scope

Target
Name
Aqua - src/*.sol
Added on
11 June 2026
Target
Name
Aqua - src/libs/Balances.sol
Added on
11 June 2026
Target
Name
Swap VM - src/*.sol
Added on
11 June 2026
Target
Name
Swap VM - src/routers/AquaSwapVMRouter.sol
Added on
11 June 2026
Target
Name
Swap VM - src/opcodes/AquaOpcodes.sol
Added on
11 June 2026
Target
Name
Swap VM - src/instructions/Balances.sol
Added on
11 June 2026
Target
Name
Swap VM - src/instructions/Controls.sol
Added on
11 June 2026
Target
Name
Swap VM - src/instructions/Decay.sol
Added on
11 June 2026
Target
Name
Swap VM - src/instructions/Extruction.sol
Added on
11 June 2026
Target
Name
Swap VM - src/instructions/Fee.sol
Added on
11 June 2026
Target
Name
Swap VM - src/instructions/PeggedSwap.sol
Added on
11 June 2026
Target
Name
Swap VM - src/instructions/XYCConcentrate.sol
Added on
11 June 2026

Impacts in Scope

Severity
Low
Title

Accounting/invariant correctness (liquidity shares, fees/rewards, rounding/precision)

Severity
Low
Title

Enhancements to existing protocol mechanics that materially improve user value, safety, or capital efficiency without introducing fundamentally new functionality

Severity
Low
Title

Integration fixes where 1inch-specific configuration/initialization of third-party libraries creates risk

Severity
Low
Title

Substantial gas efficiency improvements (≥1k gas net savings per typical user transaction on hot paths)

Severity
Low
Title

Security hardening of existing contracts (tighter authorization/roles, reentrancy mitigations, invariant enforcement)

Severity
Low
Title

MEV/price-manipulation resistance (oracle usage, slippage/deadline handling, sandwich protection, excluding TWAP)

Out of scope

Program's Out of Scope information

These impacts are out of scope for this bug bounty program.

All Categories:

  • Proposals previously submitted by another researcher (first-proposer policy applies)
  • Proposals already documented in publicly available audit reports listed in the Previous Audits section
  • Proposals that overlap with publicly known roadmap items, unless providing substantial new insight or a materially better implementation
  • Proposals submitted as AI-generated content without meaningful researcher analysis or original contribution
  • Proposals lacking the demonstrations described in the PoC Requirements section
  • Redundant code
  • Old compiler version
  • Code style guide violations
  • The compiler version is not locked
  • Theoretical or purely speculative exploits without demonstrated business impact

Blockchain/DLT & Smart Contract Specific:

  • Changes that weaken security/correctness or materially increase complexity risk
  • Pure refactors (style/naming/comments) without measurable security or cost impact
  • Compiler/pragma/lint/config changes that do not demonstrably improve safety or efficiency
  • New features or protocol mechanics (feature requests) rather than improvements to existing contracts
  • Duplicates of known issues/roadmap items, unless providing substantial new insight or a materially better solution
  • Micro gas optimizations (< 1k gas net savings per typical user transaction on hot paths) or changes that merely shift costs between paths without net benefit
  • Proposals dependent on third-party code we do not control, or targeting imported libraries, except where 1inch-specific integration/initialization causes the issue
  • Off-chain only suggestions (UI, backend, indexers, docs) unless they directly and materially improve on-chain security

Prohibited Activities:

  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts (Testing the integration logic on local forks is permitted)
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Accessing or modifying data belonging to other users
  • Submitting AI-generated reports
  • Spamming forms or account creation flows (even with low volume)
  • Any testing of proposals on mainnet or public testnet deployments — testing should be done on local forks only
  • Submitting AI-generated proposals without substantive original analysis or contribution
  • Submitting low-quality or spam proposals (multiple repetitive proposals with minimal substantive difference will be treated as spam)
  • Attempting phishing or social engineering against 1inch employees or contractors

Public disclosure of any proposal details prior to receiving 1inch's explicit written approval, in accordance with the Responsible Publication policy