Uniswap, one of the largest decentralized exchanges, says it will give $15.5 million to anyone who can find vulnerabilities in the latest version of its namesake protocol. The size of the bounty – which the company says is the largest so-called “bug bounty” ever – is intended to ensure that the latest evolution of the protocol, known as Uniswap v4, is as secure as possible.
The idea behind bug bounty programs, which are widely used in the technology sector, is to incentivize non-malicious hackers — known as “white hats” — to discover vulnerabilities in computer code before bad guys do.
Uniswap v4 builds on version 3, launched in 2021, and seeks to make transactions cheaper and more customizable. Uniswap is unveiling a bug bounty as the development phase nears its end, and has chosen to make the bounty $15.5 million in order to get around that. LayerZero, a cross-chain messaging protocol, offered a $15 million bounty in 2023.
The company said in a statement that the latest version of the protocol has already undergone multiple security checks, including nine independent audits and a $2.35 million security competition in which 500 researchers participated, and no serious vulnerabilities were found.
While the security of version 4 has been repeatedly evaluated, Uniswap is taking this extra step to ensure that its protocol is theft-proof as it handles billions of dollars in volume every day and once deployed cannot be changed.
“The Uniswap protocol serves as an important infrastructure for DeFi, has generated over $2.5 trillion in trading volume, and v4 offers limitless customization,” said Hayden Adams, CEO of Uniswap Labs. “This $15.5 million bug bounty is the largest in history, reflecting our commitment to building secure smart contracts for all users and developers building on top.”
The program only covers bugs found in core Uniswap v4 contracts and does not include “third-party contracts not published by Uniswap Labs, issues already included in contract audits in repository v4, or bugs in third-party contracts or applications that use contracts published by Uniswap Labs, or issues already known internally,” according to the statement.
Not all successful hackers will get $15.5 million. Payouts follow a tiered approach that classifies each bug using a risk score. The reward for discovering a “critical” bug is $15.5 million, while a “high-risk” bug gets $1 million and a “moderate” bug gets $100,000.
To be eligible for the reward, bugs must be reported within 24 hours of discovery and remain confidential until the problem is resolved.
These types of programs have been around since the 1980s, when a software company called Hunter and Ready first offered a Volkswagen Beetle, or “bug”, to anyone who could find a vulnerability in its operating system. Since then, bug bounties have become increasingly popular in the technology industry and are sometimes used by the US government.