Uniswap Labs recently launched what it describes as “the largest bounty in history” before its v4 release.
The bounty program, which is presently in progress, offers payouts ranging from $2,000 up to a total purse of $15.5 million for discovering unique vulnerabilities that result in code changes.
The program’s terms require bounty seekers to identify a critical flaw or exploit in the Uniswap v4 core contracts code to receive the highest payouts.
“Introducing the largest bug bounty in history. We’re rewarding up to $15.5M to anyone that finds a critical vulnerability in v4 core contracts. Find a critical bug, become a millionaire.”
About the Bug Bounty
Whether this is the most extensive bounty program in history is still being determined. In 2021, Immunefi, a bug bounty platform, reportedly distributed a $14.82 million bounty as part of its ongoing security initiatives.
Other notable bounty payouts include Google’s highest-ever vulnerability discovery compensation of $605,000 in 2022, a year in which the company reported $12 million in payouts. Additionally, Microsoft recently disclosed $4 million in AI and cloud bounties.
According to the available data, if it were to be claimed in a single payout, the $15.5 million bounty from Uniswap would be the largest in recent memory.
Nevertheless, Uniswap Labs reports that a security competition in which over 500 researchers competed for a prize of $2.35 million for the unreleased v4 did not yield any critical vulnerabilities. The company stated that the $15.5 million program is “an additional measure to guarantee that v4 is as secure as possible.”
The maximum payout of $15.5 million is available only to researchers who identify unique vulnerabilities in the Uniswap v4 core contracts code that lead to code changes.
The program’s details indicate that vulnerabilities classified as “critical” will be eligible for the highest compensation. In contrast, those classified as “high” may be eligible for up to $1 million. The payouts for “medium” risk vulnerabilities are reduced to $100,000, while those for low-risk vulnerability findings will be distributed on a “discretionary” basis.
In addition to the core contracts code, the program covers vulnerabilities in “other contracts,” other websites, backends, and Uniswap v4 wallet code.