We only accept reports for issues that can be reproduced in the smart contracts deployed at the following addresses:
0x9008d19f58aabd9ed0d60971565aa8510560ab41

- Ethereum: https://etherscan.io/address/0x9008d19f58aabd9ed0d60971565aa8510560ab41#code
- Gnosis Chain: https://gnosis.blockscout.com/address/0x9008d19f58aabd9ed0d60971565aa8510560ab41?tab=contract
0x9e7ae8bdba9aa346739792d219a808884996db67

- Ethereum: https://etherscan.io/address/0x9e7ae8bdba9aa346739792d219a808884996db67#code
- Gnosis Chain: https://gnosis.blockscout.com/address/0x9e7ae8bdba9aa346739792d219a808884996db67?tab=contract
0xc92e8bdf79f0507f65a392b0ab4667716bfe0110

- Ethereum: https://etherscan.io/address/0xc92e8bdf79f0507f65a392b0ab4667716bfe0110#code
- Gnosis Chain: https://gnosis.blockscout.com/address/0xc92e8bdf79f0507f65a392b0ab4667716bfe0110?tab=contract
0x2c4c28ddbdac9c5e7055b4c863b72ea0149d8afe

- Ethereum: https://etherscan.io/address/0x2c4c28ddbdac9c5e7055b4c863b72ea0149d8afe#code
- Gnosis Chain: https://gnosis.blockscout.com/address/0x2c4c28ddbdac9c5e7055b4c863b72ea0149d8afe?tab=contract

This corresponds to commit 6ebbd810ff2da635fb6f88e9a15fde196f8c852a in the [official repository](https://github.com/cowprotocol/contracts/blob/6ebbd810ff2da635fb6f88e9a15fde196f8c852a/src/contracts/).

For the Initializable, ReentrancyGuard, SafeCast, SafeMath, IERC20, and IVault smart contracts, this bug bounty program only accepts bug reports for the changes that were performed compared to the original, as well as any improper use of them that leads to actual issues in the contracts previously mentioned to be in scope. Any bug that is reproducible in the original vendored contract is out of scope.

Any vulnerabilities mentioned in this [audit report](https://github.com/gnosis/gp-v2-contracts/blob/main/audits/GnosisProtocolV2May2021.pdf) are considered as out-of-scope.

The CoW team, for and on behalf of and at the expense of [CoW DAO](https://forum.cow.fi/), is running a bug bounty program focused on CoW Protocol, a fully permissionless protocol that leverages batch auctions to provide MEV protection, plus integrates with on-chain liquidity sources to offer traders the best prices.

Changing the owner address of the authentication contract as well as adding a solver without authorization

Forgery of a user’s signature that would allow them to execute a funded trade without using the user’s private key

Execute arbitrary settlements without being a solver

Executing a user’s trade that is expired or at a price worse than the limit price (also as a solver)

Transferring in tokens more than once for the same fill-or-kill order in the same settlement (also as a solver)

Access to user funds outside of a trade.

Changing the order of a legitimate interaction, as well as skipping one, in a settlement

Removing a solver without authorization (also as a solver)

Making the contract unable to be operated by any solver, e.g., through self-destruction (also as a solver)

Freeing storage without being a solver

Invalidate an order without the permission of the user who created it

In addition to the Immunefi Severity Classification System, the following information is provided for each severity level. In case of discrepancies between this information and the Immunefi Severity Classification System, this information will prevail.

Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

The CoW Protocol bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the CoW team bug bounty panel, on behalf of CoW DAO.

The CoW core team (whether paid directly or indirectly, incl. Grant Core Contributor and including external auditors) including current and former team members, which includes anyone currently or formerly paid by CoW DAO or its Service Providers as well as Gnosis, are not eligible for rewards.

In order to be eligible for a reward, bug reports must include an explanation of how the bug can be reproduced, a failing test case, a valid scenario in which the bug can be exploited. Critical vulnerabilities with all of these have a maximum reward of __USD 50 000__. If a fix that makes the test case pass is provided, an additional __USD 4 000__ is provided for critical vulnerabilities, for a maximum reward of __USD 54 000__.

Payouts are processed on behalf of and at the expense of CoW DAO and are denominated in __USD__. However, payouts are done in ETH, on Ethereum mainnet.

Once the CoW team bug bounty panel accepts an eligible bug, the team shall have the right to decide on and implement the mitigation and publishing steps of the eligible bug on their own terms and timeline.
By submitting a bug report on this platform, the submitter agrees to extend our timeline for resolving the issue (and to not disclose the report elsewhere or to any other party keeping the information confidential and without exploiting the vulnerability).

CoW Protocol

Resources & Documentation