Olas (formerly Autonolas) is a protocol for creating, running and co-owning autonomous AI services, secured by the OLAS token and a multi-chain on-chain protocol. This bug bounty covers the Olas on-chain protocol — the Solidity smart contracts spanning service registries, tokenomics, governance, and the marketplace deployed across Ethereum and 7 additional chains. The scope reflects the contract set reviewed in the Code4rena 2026-01 audit, including the OLAS token, veOLAS, cross-chain governance, the staking infrastructure, and the reward, bonding and protocol-owned-liquidity mechanisms.
PoC Required
KYC required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
For NFT-related impacts, "NFTs" refers to the ERC-721 tokens minted by ComponentRegistry, AgentRegistry and ServiceRegistry (representing components, agents and services). For fund-related impacts, "funds" covers OLAS, ETH, bridged OLAS, LP tokens, and the security deposits / bonding / staking balances held by in-scope contracts. Cross-chain attacks are classified by their end-effect impact (e.g. a forged bridge message that drains funds is "Direct theft of funds").
Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties
Permanent freezing of funds
Permanent freezing of NFTs
Unauthorized minting of NFTs
Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)
Protocol insolvency
Theft of unclaimed yield
Permanent freezing of unclaimed yield
Temporary freezing of funds
Temporary freezing of NFTs
Out of scope
- Best practice critiques.
- Attacks that attempt to disrupt the protocol's availability, such as flooding the system with an excessive number of non-useful components or non-useful components within agents, resulting in gas resource exhaustion. Additionally, attacks that attempt to cause gas resource exhaustion issues by making minimal donations to a large number of services with numerous components.
- All vulnerabilities that arise from misconfigured registration from users (e.g. component owners, agent owners, service owners, agent operators) or misuse of the registration logic (e.g. accidental locking of funds, loss of keys to control services, etc.).
- Vulnerabilities that arise or are built upon the fact that GuardCM implies a reduction of the community multisig functionalities as originally designed, such as self-calls within the community multisig.
- The following are considered out of scope for the "Permanent freezing of funds" Critical impact, when the freezing is attributed to unintended use of the contracts: Component Registry, Agent Registry, Service Registry, Service Registry Token Utility, Registries Manager, Operator Whitelist, Gnosis Safe Multisig, Gnosis Safe Same Address Multisig, Service Registry L2, Service Manager, Service Manager Proxy, Recovery Module, Safe Multisig with Recovery Module, Complementary Service Metadata, Identity Registry Bridger, Identity Registry Bridger Proxy, PolySafe Creator with Recovery Module, PolySafe Same Address Multisig.
- The following contracts are not in scope for the "Griefing" Medium impact: Component Registry, Agent Registry, Service Registry, Service Registry Token Utility, Registries Manager, Operator Whitelist, Gnosis Safe Multisig, Gnosis Safe Same Address Multisig, Service Registry L2, Service Manager, Service Manager Proxy, Recovery Module, Safe Multisig with Recovery Module, Complementary Service Metadata, Identity Registry Bridger, Identity Registry Bridger Proxy, PolySafe Creator with Recovery Module, PolySafe Same Address Multisig.
- Currently-deployed contracts that are being replaced by new, already-audited implementations (notably StakingToken in the governance and registries repos, and BalanceTrackerNvmSubscriptionNative on Gnosis and Base in the marketplace repo) remain in scope. However, any bug already identified and fixed in the corresponding new contract is out of scope if reported against the older, currently-deployed version. (Note: the GuardCM and GovernorOLAS transitions previously listed here were completed on-chain on 2026-06-15 and the legacy addresses are no longer in scope.)
- The marketplace SubscriptionProvider contract (Gnosis / Base / Polygon / Optimism deployments) is out of scope; it is the only Olas-side integration with the Nevermined subscription condition contracts and is excluded together with them.
- Non-EVM deployments (e.g. Solana) and all off-chain components (agent software, relayers, front-ends, RPC infrastructure). This program covers only the on-chain EVM Solidity contracts of the autonolas-governance, autonolas-registries, autonolas-tokenomics and autonolas-marketplace repositories.
Note on inherited and integrated third-party code: all external code is in scope where it is incorporated into or integrated with Olas's own contracts. The comprehensive list of in-scope external sources is:
- Inherited library code: OpenZeppelin (@openzeppelin/contracts and @openzeppelin/contracts-upgradeable), Solmate, Safe-Ecosystem safe-contracts (@gnosis.pm/safe-contracts), the Gnosis Mech base contract (gnosis-mech, used by the marketplace OlasMech), the Curve Finance VotingEscrow (ported into veOLAS), Uniswap V2 (@uniswap/v2-core and @uniswap/v2-periphery), Jeiwan zuniswapv2, and Polygon fx-portal.
- Integrated protocol / bridge infrastructure: Wormhole (wormhole-solidity-sdk and the L1/L2 transceivers), the OP-Stack CrossDomainMessenger (Optimism, Base, Celo, Mode), Polygon FxPortal, the Gnosis AMB / OmniBridge, the Arbitrum / Optimism / Base bridge contracts that the deposit processors call into, and the Balancer V2 Vault (queried by BalancerPriceOracle).
- The Wormhole governance + tokenomics pathway is fully deprecated (Celo migrated to OP-stack). The following four contract families are out of scope — both their deployed addresses and their source files — regardless of whether dormant on-chain storage in any legacy contract still references them: (a) WormholeMessenger Celo 0x397125902ED2cA2d42104F621f448A2cE1bC8Fb7 (replaced by OptimismMessenger Celo 0xC14E191A64a7FB0e5790a8a0B9a58683dFFce04d); (b) Wormhole Target Dispenser L2 Celo 0xb4096d181C08DDF75f1A63918cCa0d1023C4e6C7 (replaced by OptimismTargetDispenserL2 Celo 0x4891f5894634DcD6d11644fe8E56756EF2681582); (c) Wormhole Deposit Processor L1 0x223902b6C583f18E8dc84AF4E6a8fa523d088B78 (replaced by OptimismDepositProcessorL1 Celo instance 0x85d4E442225E04bb7822a87366831F0b2720DA1b); (d) the L1 GuardCM bridge payload verifier ProcessBridgedDataWormhole (governance PR #199 only redeploys the 4 non-Wormhole verifiers — Arbitrum, Gnosis, Optimism, Polygon — and the new GuardCM 0xC0b146D61e2A2C17E024477E01978D1Fcf598c6B is wired to none of the Wormhole verifier addresses). If a Wormhole pathway is ever re-introduced (e.g., for a new L2 without OP-stack or native EVM-bridge support), the four contract families above will be re-added as address-based assets at that time.
- StakingNativeToken (the source code in autonolas-registries and every deployed address across all chains, including the Mode deployment at 0x88DE734655184a09B70700aE4F72364d1ad23728) is out of scope. The exclusion is permanent and is not conditional on operational allowlist state: it applies regardless of whether the implementation is whitelisted in any chain's StakingFactory.mapImplementations or accepted by any chain's StakingVerifier.verifyImplementation. This is a contract-specific exclusion of StakingNativeToken itself, in the same style as the contract-and-impact-specific carve-outs above for the registries family; it does not reinterpret the «asset-in-scope» requirement on the Rewards section and applies only to submissions made after this clause takes effect.
Issues reported against any of these sources will be assessed on the basis of their concrete impact on the in-scope Olas contracts.
Smart Contract specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers


