Bug bounty campaign

Welcome to our Bug Bounty Program. We want Aave protocol to be the best it can be, so we’re calling on our community to help us find any bugs or vulnerabilities. Submit a bug here and earn a reward of up to USD 250,000$. Please see our Rules & Rewards section for more details.

Rules

Public disclosure of a vulnerability would make it ineligible for a reward.
Technical knowledge is required for the process.
Duplicated issues are not eligible for reward. The first submission would be the eligible one.
If you want to add more information to a provided issue, create a new submission giving reference to the initial one.
Rewards will be decided on a case by case basis and the bug bounty program, terms, and conditions are at the sole discretion of Aave.
Rewards will vary depending on the severity of the issue. Other variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Aave.
Submissions needs to be related with the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.
Any interference with the protocol, client or platform services, on purpose or not during the process will make the submission process unvalid.
Terms and conditions of the bug bounty process may vary over time.
Our bug bounty follows a similar approach as Ethereum Bug Bounty. The severity of the issues will be based according to the OWASP risk rating model based on Impact and Likelihood.
It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be elegible for a reward.

Rewards

The reward will be received in aUSDC token based on the severity scheme following:

Note = Up to $ 100

Very low = Up to $ 500

Low = Up to $ 1,000

Medium = Up to $ 5,000

High = Up to $ 10,000

Very High = Up to $ 50,000

Critical = Up to $ 250,000

Likelihood

Severity

Almost certain	$ 1,000	$ 5,000	$ 10,000	$ 50,000	$ 250,000
Likely	$ 500	$ 1,000	$ 5,000	$ 10,000	$ 50,000
Possible	$ 100	$ 500	$ 1,000	$ 5,000	$ 10,000
Unlikely	$ 100	$ 100	$ 500	$ 1,000	$ 5,000
Almost possible	$ 100	$ 100	$ 100	$ 500	$ 1,000
	Very low	Low	Moderate	High	Severe

Likelihood

Severity

Almost certain	$ 1,000	$ 5,000	$ 10,000	$ 50,000	$ 250,000
Likely	$ 500	$ 1,000	$ 5,000	$ 10,000	$ 50,000
Possible	$ 100	$ 500	$ 1,000	$ 5,000	$ 10,000
Unlikely	$ 100	$ 100	$ 500	$ 1,000	$ 5,000
Almost possible	$ 100	$ 100	$ 100	$ 500	$ 1,000
	Very low	Low	Moderate	High	Severe

Bounty Scope

The bug bounty will be applicable for the following repositories, sources and sites:

https://github.com/aave/protocol-v2 https://github.com/aave/governance-v2 https://github.com/aave/aave-token-v2 https://github.com/aave/aave-stake-v2 https://github.com/aave/aave-protocol

References

Additional references to help during the bug finding process

Documentation

Whitepaper

Disclosure Policy

Vulnerabilities Classification

Critical

An issue that might cause immediate loss of > 10% of the funds, or permanent impairment of the protocol state.

Very High / High

An issue that might cause immediate loss of <10% of the funds, or severely damage the protocol state.

Medium

An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.

Low / Very Low / Note

An issue that might cause user dissatisfaction or minimal failure.

Exclusions

While researching, we’d like to ask you to refrain from:

Denial of service
Spamming
Social engineering (including phishing) of Aave staff or contractors
Any physical attempts against Aave property or data centers

Frequently Asked Questions

You can submit a bug by filling out this form.

There is no end date for our bug bounty, as this is an ongoing bug bounty program. Terms of the program are at the sole and final discretion of Aave.

In order to claim your reward (if you are eligible), you will require your own Ethereum address. Using a third party address from exchanges or other platforms could make it hard to claim your address and is not recommended.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Submit a bug

Please report the bug you found via this form. Try to be as specific and clear as possible when you fill out this form. We will be in touch as soon as possible after receiving the form.

Contact us

Feel free to contact us through our live chat, or email at: [email protected]

We are also available in our discord channel.

Choose your language