Bug bounty

Besides performing audits for each upgrade, ZKsync runs a massive, ongoing bug bounty program.

ZKsync has a very detailed bug bounty program on Immunefi. The listing contains all the information related to assets in scope, reporting, and the payout process.

Scope

The bug bounty program for ZKsync Era aims to identify and resolve security vulnerabilities in our system before they can be exploited by malicious actors. The program is open to all individuals and teams who are interested in participating and are willing to comply with the program's rules and guidelines. The scope of the program covers all aspects of our blockchain products, including smart contracts, protocols, portals, and any other components that are part of our ecosystem.

Requirements

  1. Eligibility: The bug bounty program is open to anyone who is interested in participating and who complies with the program's rules and guidelines.
  2. Responsible Disclosure: All participants must agree to follow the responsible disclosure policy and report any security vulnerabilities they discover to our security team in a timely and responsible manner.
  3. Rewards: The bug bounty program offers rewards to participants who discover and report security vulnerabilities. The rewards are determined based on the severity of the vulnerability and are paid in USDC.
  4. Reporting Guidelines: Participants must follow the reporting guidelines specified by the program.
  5. No Public Disclosure: Participants must not publicly disclose any vulnerabilities they discover until after they have been resolved by our security team.
  6. No Exploitation: Attacks that the reporter has already exploited themselves, leading to damage, are not eligible for a reward.
  7. Legal Compliance: Participants must comply with all applicable laws and regulations, including data privacy and security laws.
  8. Program Changes: We reserve the right to modify or terminate the program at any time and without prior notice. We also reserve the right to disqualify any participant who violates the program's rules and guidelines.

Unscoped Bug

If you think you have found a critical or major bug that is not covered by our existing bug bounty, please report it to us via the Immunefi program regardless. We will seriously consider the impact of any issues and may award a bounty even for out-of-scope assets or impacts.


Made with ❤️ by the ZKsync Community