
Autonolas

Olas (formerly Autonolas) is a protocol for creating, running and co-owning autonomous AI services, secured by the OLAS token and a multi-chain on-chain protocol. This bug bounty covers the Olas on-chain protocol — the Solidity smart contracts spanning service registries, tokenomics, governance, and the marketplace deployed across Ethereum and 7 additional chains. The scope reflects the contract set reviewed in the Code4rena 2026-01 audit, including the OLAS token, veOLAS, cross-chain governance, the staking infrastructure, and the reward, bonding and protocol-owned-liquidity mechanisms.

Chains: ETH, Base, Celo, Gnosis, Optimism, Polygon, Arbitrum, Mode
Tags: Infrastructure, DAO, Services, Token, Staking, Oracle
Language: Solidity

Maximum Bounty: $5,000
Live Since: 10 August 2022
Last Updated: 16 June 2026

  • PoC Required
  • KYC required


Assets in Scope

  • Primacy of Impact (added 21 May 2026)
  • Bridge2BurnerPolygon — tokenomics. Bridge-then-burn for Polygon. Polygon. (added 16 June 2026)
  • ServiceRegistryL2 — registries. ERC-721 registry of services (L2). Deployed on: Polygon 0xE3607b00E75f6405248323A9417ff6b39B244b50; Gnosis 0x9338b5153AE39BB89f50468E608eD9d764B755fD; Arbitrum 0xE3607b00E75f6405248323A9417ff6b39B244b50; Optimism 0x3d77596beb0f130a4415df3D2D8232B3d3D31e44; Base 0x3C1fF68f5aa342D296d4DEe4Bb1cACCA912D95fE; Celo 0xE3607b00E75f6405248323A9417ff6b39B244b50; Mode 0x3C1fF68f5aa342D296d4DEe4Bb1cACCA912D95fE. (added 16 June 2026)
  • PolySafeSameAddressMultisig — registries. Polygon same-address multisig update helper. Polygon. (added 16 June 2026)
  • PolySafeCreatorWithRecoveryModule — registries. Polygon service multisig creator with recovery module. Polygon. (added 16 June 2026)
  • FxGovernorTunnel — governance. L2 governance message receiver. Polygon. (added 16 June 2026)
  • BalancerPriceOracle — tokenomics. On-chain TWAP price oracle for OLAS (Balancer). Deployed on: Polygon 0x43117542A48588be59018A16443Ae75942ffDe91; Gnosis 0x7c2E4027C81ce72E59dFb947Cd45dBF6c2737AeC; Arbitrum 0x93111f6C267068A5d7356114D61d0f09bFD53a54; Optimism 0x887A511e3DfE4dDa77c0b1783c01d9920351A83D; Base 0x36DAD4628D5e406Dc85c4b2261888952aaE254A2. (added 16 June 2026)
  • PolygonTargetDispenserL2 — tokenomics. L2 staking incentive target dispenser. Polygon. (added 16 June 2026)
  • BuyBackBurnerBalancer — tokenomics. Buy-back-and-burn (Balancer variant) implementation. Deployed on: Polygon 0x1262136cac6a06A782DC94eb3a3dF0b4d09FF6A6; Gnosis 0xa343F8956A039beDdEAcBA4B64A7d36d4784648f; Arbitrum 0xE3e5Df46060370af5Fd37B2aA11e7dac3cCB4bd0; Optimism 0x7F69B6783855772d10A4bc2AFAaE650599F040DB; Base 0x7db6bb33bc6E39cCC4E6a213e8D4D953f6aB1E58. (added 16 June 2026)
  • LiquidityManagerOptimism — tokenomics. Protocol-owned-liquidity manager implementation (OP-stack). Deployed on: Optimism 0xCf9B4710fe450Dca52374f28e4917FDCd44F9487; Base 0x1D64516E7654F23dB7cE2ddaD00FFb3E765cf5ce. (added 16 June 2026)
  • OptimismTargetDispenserL2 — tokenomics. L2 staking incentive target dispenser (OP-stack). Deployed on: Optimism 0xaea9ef993d8a1A164397642648DF43F053d43D85; Base 0x9Ec97Be9FF55ff11606ce7c589956f7Bf3D0b241; Celo 0x4891f5894634DcD6d11644fe8E56756EF2681582; Mode 0xEB5638eefE289691EcE01943f768EDBF96258a80. (added 16 June 2026)
  • OptimismMessenger — governance. L2 governance message receiver (OP-stack). Deployed on: Optimism 0x87c511c8aE3fAF0063b3F3CF9C6ab96c4AA5C60c; Base 0xE49CB081e8d96920C38aA7AB90cb0294ab4Bc8EA; Celo 0xC14E191A64a7FB0e5790a8a0B9a58683dFFce04d; Mode 0x9338b5153AE39BB89f50468E608eD9d764B755fD. (added 16 June 2026)

Impacts in Scope

For NFT-related impacts, "NFTs" refers to the ERC-721 tokens minted by ComponentRegistry, AgentRegistry and ServiceRegistry (representing components, agents and services). For fund-related impacts, "funds" covers OLAS, ETH, bridged OLAS, LP tokens, and the security deposits / bonding / staking balances held by in-scope contracts. Cross-chain attacks are classified by their end-effect impact (e.g. a forged bridge message that drains funds is "Direct theft of funds").

Critical
  • Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties
  • Permanent freezing of funds
  • Permanent freezing of NFTs
  • Unauthorized minting of NFTs
  • Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)
  • Protocol insolvency

High
  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Temporary freezing of funds
  • Temporary freezing of NFTs

Out of scope

Program's Out of Scope information
  • Best practice critiques.
  • Attacks that attempt to disrupt the protocol's availability, such as flooding the system with an excessive number of non-useful components, or of non-useful components within agents, so as to exhaust gas. Likewise, attacks that attempt to cause gas exhaustion by making minimal donations to a large number of services with numerous components.
  • All vulnerabilities that arise from misconfigured registration from users (e.g. component owners, agent owners, service owners, agent operators) or misuse of the registration logic (e.g. accidental locking of funds, loss of keys to control services, etc.).
  • Vulnerabilities that arise or are built upon the fact that GuardCM implies a reduction of the community multisig functionalities as originally designed, such as self-calls within the community multisig.
  • The following are considered out of scope for the "Permanent freezing of funds" Critical impact, when the freezing is attributed to unintended use of the contracts: Component Registry, Agent Registry, Service Registry, Service Registry Token Utility, Registries Manager, Operator Whitelist, Gnosis Safe Multisig, Gnosis Safe Same Address Multisig, Service Registry L2, Service Manager, Service Manager Proxy, Recovery Module, Safe Multisig with Recovery Module, Complementary Service Metadata, Identity Registry Bridger, Identity Registry Bridger Proxy, PolySafe Creator with Recovery Module, PolySafe Same Address Multisig.
  • The following contracts are not in scope for the "Griefing" Medium impact: Component Registry, Agent Registry, Service Registry, Service Registry Token Utility, Registries Manager, Operator Whitelist, Gnosis Safe Multisig, Gnosis Safe Same Address Multisig, Service Registry L2, Service Manager, Service Manager Proxy, Recovery Module, Safe Multisig with Recovery Module, Complementary Service Metadata, Identity Registry Bridger, Identity Registry Bridger Proxy, PolySafe Creator with Recovery Module, PolySafe Same Address Multisig.
  • Currently-deployed contracts that are being replaced by new, already-audited implementations (notably StakingToken in the governance and registries repos, and BalanceTrackerNvmSubscriptionNative on Gnosis and Base in the marketplace repo) remain in scope. However, any bug already identified and fixed in the corresponding new contract is out of scope if reported against the older, currently-deployed version. (Note: the GuardCM and GovernorOLAS transitions previously listed here were completed on-chain on 2026-06-15 and the legacy addresses are no longer in scope.)
  • The marketplace SubscriptionProvider contract (Gnosis / Base / Polygon / Optimism deployments) is out of scope; it is the only Olas-side integration with the Nevermined subscription condition contracts and is excluded together with them.
  • Non-EVM deployments (e.g. Solana) and all off-chain components (agent software, relayers, front-ends, RPC infrastructure). This program covers only the on-chain EVM Solidity contracts of the autonolas-governance, autonolas-registries, autonolas-tokenomics and autonolas-marketplace repositories.

Note on inherited and integrated third-party code: all external code is in scope where it is incorporated into or integrated with Olas's own contracts. The comprehensive list of in-scope external sources is:

  • Inherited library code: OpenZeppelin (@openzeppelin/contracts and @openzeppelin/contracts-upgradeable), Solmate, Safe-Ecosystem safe-contracts (@gnosis.pm/safe-contracts), the Gnosis Mech base contract (gnosis-mech, used by the marketplace OlasMech), the Curve Finance VotingEscrow (ported into veOLAS), Uniswap V2 (@uniswap/v2-core and @uniswap/v2-periphery), Jeiwan zuniswapv2, and Polygon fx-portal.
  • Integrated protocol / bridge infrastructure: Wormhole (wormhole-solidity-sdk and the L1/L2 transceivers), the OP-Stack CrossDomainMessenger (Optimism, Base, Celo, Mode), Polygon FxPortal, the Gnosis AMB / OmniBridge, the Arbitrum / Optimism / Base bridge contracts that the deposit processors call into, and the Balancer V2 Vault (queried by BalancerPriceOracle).
  • The Wormhole governance + tokenomics pathway is fully deprecated (Celo migrated to OP-stack). The following four contract families are out of scope — both their deployed addresses and their source files — regardless of whether dormant on-chain storage in any legacy contract still references them: (a) WormholeMessenger Celo 0x397125902ED2cA2d42104F621f448A2cE1bC8Fb7 (replaced by OptimismMessenger Celo 0xC14E191A64a7FB0e5790a8a0B9a58683dFFce04d); (b) Wormhole Target Dispenser L2 Celo 0xb4096d181C08DDF75f1A63918cCa0d1023C4e6C7 (replaced by OptimismTargetDispenserL2 Celo 0x4891f5894634DcD6d11644fe8E56756EF2681582); (c) Wormhole Deposit Processor L1 0x223902b6C583f18E8dc84AF4E6a8fa523d088B78 (replaced by OptimismDepositProcessorL1 Celo instance 0x85d4E442225E04bb7822a87366831F0b2720DA1b); (d) the L1 GuardCM bridge payload verifier ProcessBridgedDataWormhole (governance PR #199 only redeploys the 4 non-Wormhole verifiers — Arbitrum, Gnosis, Optimism, Polygon — and the new GuardCM 0xC0b146D61e2A2C17E024477E01978D1Fcf598c6B is wired to none of the Wormhole verifier addresses). If a Wormhole pathway is ever re-introduced (e.g., for a new L2 without OP-stack or native EVM-bridge support), the four contract families above will be re-added as address-based assets at that time.
  • StakingNativeToken (the source code in autonolas-registries and every deployed address across all chains, including the Mode deployment at 0x88DE734655184a09B70700aE4F72364d1ad23728) is out of scope. The exclusion is permanent and is not conditional on operational allowlist state: it applies regardless of whether the implementation is whitelisted in any chain's StakingFactory.mapImplementations or accepted by any chain's StakingVerifier.verifyImplementation. This is a contract-specific exclusion of StakingNativeToken itself, in the same style as the contract-and-impact-specific carve-outs above for the registries family; it does not reinterpret the "asset-in-scope" requirement on the Rewards section and applies only to submissions made after this clause takes effect.

Issues reported against any of these sources will be assessed on the basis of their concrete impact on the in-scope Olas contracts.
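A scope lookup helper, added here as an illustration (it is not Olas or Immunefi code), that parses asset lines in the format of the "Assets in Scope" table above into a (chain, address) index and checks a candidate address against that index and against the explicit exclusions from the third-party-code note (the deprecated Wormhole Celo addresses and the StakingNativeToken Mode address). The sample input is constructed: four lines copied from the asset table and three excluded pairs; the function names and the "unlisted" verdict are assumptions. What it shows is that the same address is ServiceRegistryL2 on Gnosis but OptimismMessenger on Mode, so scope lookups must be keyed per chain, never by address alone.

```python
"""Scope lookup for a multi-chain bounty: index assets by (chain, address), not by address alone.
Added illustration, not Olas or Immunefi code. Sample lines are copied from the asset table."""
import re
from collections import defaultdict

ADDR_RE = re.compile(r"\b([A-Za-z]+)\s+(0x[0-9a-fA-F]{40})\b")
HEX_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")
CHAINS = {"eth", "base", "celo", "gnosis", "optimism", "polygon", "arbitrum", "mode"}

# Constructed sample input: four asset lines in the table's own format.
ASSET_LINES = [
    "ServiceRegistryL2 — registries. ERC-721 registry of services (L2). Deployed on: Polygon 0xE3607b00E75f6405248323A9417ff6b39B244b50; Gnosis 0x9338b5153AE39BB89f50468E608eD9d764B755fD; Arbitrum 0xE3607b00E75f6405248323A9417ff6b39B244b50; Optimism 0x3d77596beb0f130a4415df3D2D8232B3d3D31e44; Base 0x3C1fF68f5aa342D296d4DEe4Bb1cACCA912D95fE; Celo 0xE3607b00E75f6405248323A9417ff6b39B244b50; Mode 0x3C1fF68f5aa342D296d4DEe4Bb1cACCA912D95fE.",
    "OptimismMessenger — governance. L2 governance message receiver (OP-stack). Deployed on: Optimism 0x87c511c8aE3fAF0063b3F3CF9C6ab96c4AA5C60c; Base 0xE49CB081e8d96920C38aA7AB90cb0294ab4Bc8EA; Celo 0xC14E191A64a7FB0e5790a8a0B9a58683dFFce04d; Mode 0x9338b5153AE39BB89f50468E608eD9d764B755fD.",
    "OptimismTargetDispenserL2 — tokenomics. L2 staking incentive target dispenser (OP-stack). Deployed on: Optimism 0xaea9ef993d8a1A164397642648DF43F053d43D85; Base 0x9Ec97Be9FF55ff11606ce7c589956f7Bf3D0b241; Celo 0x4891f5894634DcD6d11644fe8E56756EF2681582; Mode 0xEB5638eefE289691EcE01943f768EDBF96258a80.",
    "Bridge2BurnerPolygon — tokenomics. Bridge-then-burn for Polygon. Polygon.",
]

# Constructed from the third-party-code note: explicitly excluded (chain, address) pairs.
EXCLUDED = {
    ("celo", "0x397125902ed2ca2d42104f621f448a2ce1bc8fb7"): "WormholeMessenger (deprecated pathway)",
    ("celo", "0xb4096d181c08ddf75f1a63918cca0d1023c4e6c7"): "Wormhole Target Dispenser L2 (deprecated pathway)",
    ("mode", "0x88de734655184a09b70700ae4f72364d1ad23728"): "StakingNativeToken (permanent exclusion)",
}


def parse_asset_line(line):
    """Return (name, category, deployments) for one 'Name — category. ... Deployed on: Chain 0x..; ...' line.
    Chains and addresses are lower-cased so they can serve as dict keys. Entries without a
    'Deployed on:' section carry only a trailing chain name and yield (chain, None)."""
    head, _, rest = line.partition(" — ")
    name = head.strip()
    category = rest.split(".", 1)[0].strip()
    deployments = []
    if "Deployed on:" in rest:
        tail = rest.split("Deployed on:", 1)[1]
        deployments = [(chain.lower(), addr.lower()) for chain, addr in ADDR_RE.findall(tail)]
    else:
        # Address-less entry: the last sentence names the chain, e.g. "... Polygon."
        for word in reversed(rest.split()):
            if word.strip(".").lower() in CHAINS:
                deployments.append((word.strip(".").lower(), None))
                break
    return name, category, deployments


def build_index(lines):
    """Map (chain, address) -> contract name. Keyed per chain because deterministic deployment
    reuses one address for different contracts on different chains."""
    index = {}
    for line in lines:
        name, _, deployments = parse_asset_line(line)
        for chain, addr in deployments:
            if addr is not None:
                index[(chain, addr)] = name
    return index


def classify(index, excluded, chain, address):
    """Scope verdict for one candidate address. Only the 20-byte hex shape is checked;
    the EIP-55 checksum is not verified here (that needs keccak-256)."""
    if not HEX_ADDR.fullmatch(address):
        return "invalid address"
    key = (chain.lower(), address.lower())
    if key in excluded:
        return "out of scope: " + excluded[key]
    if key in index:
        return "in scope: " + index[key]
    return "unlisted"


def ambiguous_addresses(index):
    """Addresses that name different contracts on different chains: exactly the entries a
    chain-less, per-address lookup would misattribute."""
    by_addr = defaultdict(dict)
    for (chain, addr), name in index.items():
        by_addr[addr][chain] = name
    return {addr: m for addr, m in by_addr.items() if len(set(m.values())) > 1}


if __name__ == "__main__":
    idx = build_index(ASSET_LINES)
    shared = "0x9338b5153AE39BB89f50468E608eD9d764B755fD"
    for chain, addr in [("Gnosis", shared), ("Mode", shared), ("Polygon", shared),
                        ("Celo", "0x397125902ED2cA2d42104F621f448A2cE1bC8Fb7")]:
        print(f"{chain:8} {addr} -> {classify(idx, EXCLUDED, chain, addr)}")
    print("ambiguous:", ambiguous_addresses(idx))
```

Before submitting against an L2 address, run the (chain, address) pair through a lookup like this rather than grepping the table for the address string; the shared address above would otherwise be attributed to the wrong contract on Mode.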

Default Out of Scope and rules

Smart Contract specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers