CoW Protocol

The CoW team, for and on behalf of and at the expense of CoW DAO, is running a bug bounty program focused on CoW Protocol, a fully permissionless protocol that leverages batch auctions to provide MEV protection, plus integrates with on-chain liquidity sources to offer traders the best prices.

Tags: ETH, Gnosis, Defi, AMM, DEX, Solidity

Maximum Bounty: $54,000
Live Since: 15 June 2021
Last Updated: 18 November 2024
  • PoC required

Assets in Scope

All targets listed below were added on 18 February 2022:

  • Smart Contract - IVault.sol
  • Smart Contract - IERC20.sol
  • Smart Contract - SafeMath.sol
  • Smart Contract - SafeCast.sol
  • Smart Contract - ReentrancyGuard.sol
  • Smart Contract - Initializable.sol
  • Smart Contract - GPv2VaultRelayer.sol
  • Smart Contract - GPv2EIP1271.sol
  • Smart Contract - GPv2Authentication.sol
  • Smart Contract - GPv2SafeERC20.sol
  • Smart Contract - GPv2Transfer.sol
  • Smart Contract - GPv2Trade.sol

Impacts in Scope

In addition to the Immunefi Severity Classification System, the following information is provided for each severity level. In case of discrepancies between this information and the Immunefi Severity Classification System, this information will prevail.

Critical:

  • Changing the owner address of the authentication contract as well as adding a solver without authorization
  • Forgery of a user’s signature that would allow them to execute a funded trade without using the user’s private key
  • Execute arbitrary settlements without being a solver
  • Executing a user’s trade that is expired or at a price worse than the limit price (also as a solver)
  • Transferring in tokens more than once for the same fill-or-kill order in the same settlement (also as a solver)
  • Access to user funds outside of a trade

High:

  • Changing the order of a legitimate interaction, as well as skipping one, in a settlement
  • Removing a solver without authorization (also as a solver)
  • Making the contract unable to be operated by any solver, e.g., through self-destruction (also as a solver)

Medium:

  • Freeing storage without being a solver
  • Invalidate an order without the permission of the user who created it

Out of scope

Any vulnerabilities mentioned in CoW Swap’s official audits are considered out-of-scope. Audits can be found in the official contracts repository.

Any vulnerability that has already been reported to the CoW team or the CoW DAO, whether publicly or privately, is not eligible for a bounty. We recommend checking if the reported vulnerability is discussed in the issue tracker of the CoW Swap contracts repository.

Some known vulnerabilities may not (yet) have been publicly reported but are already privately known to the CoW team, or have already been discovered by other parties and communicated to the CoW Team but not yet fixed. Any such reports are not eligible.

The decision on the eligibility of any submitted bug report, and its assessment, is at the sole discretion of the CoW Team.

The following are also considered as out-of-scope:

  • Migration methods.
  • Services that build and submit the settlement transaction (e.g., denial of service, exploiting settlement transactions to extract value via sandwich attacks).
  • Gas efficiency improvements.
  • Any issues relating to networks other than the Ethereum Mainnet.
  • Stealing funds from the settlement contract as a solver.
  • Price manipulation from the solver, for example:
    • Choosing the prices in a settlement so as to receive a premium from an order.
    • Reusing the same token twice in a settlement to give different prices to different orders.

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Running out of gas

The following activities are prohibited by the bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Attempting phishing or other social engineering attacks against the CoW Team and/or customers
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty