
CoW Protocol

The CoW team, for and on behalf of and at the expense of CoW DAO, is running a bug bounty program focused on CoW Protocol, a fully permissionless protocol that leverages batch auctions to provide MEV protection, plus integrates with on-chain liquidity sources to offer traders the best prices.

ETH
Gnosis
Defi
AMM
DEX
Solidity
Maximum Bounty
$54,000
Live Since
15 June 2021
Last Updated
28 August 2024
  • PoC required


Assets in Scope

All targets are smart contracts; each was added to the program on 18 February 2022:

  • IVault.sol
  • IERC20.sol
  • SafeMath.sol
  • SafeCast.sol
  • ReentrancyGuard.sol
  • Initializable.sol
  • GPv2VaultRelayer.sol
  • GPv2EIP1271.sol
  • GPv2Authentication.sol
  • GPv2SafeERC20.sol
  • GPv2Transfer.sol
  • GPv2Trade.sol

Impacts in Scope

In addition to the Immunefi Severity Classification System, the following information is provided for each severity level. In case of discrepancies between this information and the Immunefi Severity Classification System, this information will prevail.

Critical: Changing the owner address of the authentication contract, or adding a solver, without authorization
Critical: Forgery of a user's signature that allows an attacker to execute a funded trade without access to the user's private key
Critical: Executing arbitrary settlements without being a solver
Critical: Executing a user's trade that is expired or at a price worse than the limit price (also as a solver)
Critical: Transferring in tokens more than once for the same fill-or-kill order in the same settlement (also as a solver)
Critical: Access to user funds outside of a trade
High: Changing the order of a legitimate interaction, or skipping one, in a settlement
High: Removing a solver without authorization (also as a solver)
High: Making the contract unable to be operated by any solver, e.g., through self-destruction (also as a solver)
Medium: Freeing storage without being a solver
Medium: Invalidating an order without the permission of the user who created it
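Several of the Critical impacts above are violations of invariants a settlement must hold for every trade: the order has not expired, the trader gets no worse than their limit price, and a fill-or-kill order is transferred in at most once per settlement. The following is an added Python model of those three checks, written for this page; it is not code from the CoW contracts. It assumes the public order format (sell token, buy token, sell amount, buy amount, validTo, kind) and uniform per-token clearing prices, and it leaves out fees, partial fills, signatures and the actual token transfers. The cross-multiplied limit-price check and the "round against the trader" rule are modelled on the protocol's documented behaviour, but the names and sample batch are this example's own.

```python
"""Simplified model of the per-trade invariants a CoW Protocol batch settlement
has to respect: order expiry, limit price, and "each fill-or-kill order is
transferred in at most once per settlement".  Added illustration, not the
project's code; fees, partial fills, signatures and token transfers omitted."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Order:
    uid: str            # unique order id (a real settlement uses the EIP-712 order digest)
    sell_token: str
    buy_token: str
    sell_amount: int    # sell order: exactly what is sold;  buy order: the most that may be sold
    buy_amount: int     # buy order: exactly what is bought; sell order: the least that must be received
    valid_to: int       # last block timestamp (inclusive) at which the order may settle
    kind: str           # "sell" or "buy"


class InvalidSettlement(Exception):
    pass


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def execute_trade(order: Order, prices: Dict[str, int], block_time: int) -> Tuple[int, int]:
    """Return (executed_sell_amount, executed_buy_amount) for a fill-or-kill
    order at the batch's uniform clearing prices, or raise if it must not execute."""
    if block_time > order.valid_to:
        raise InvalidSettlement(f"{order.uid}: order expired")
    sell_price, buy_price = prices[order.sell_token], prices[order.buy_token]
    # Limit price, cross-multiplied so no division rounds in anyone's favour:
    # selling sell_amount at these prices must be worth at least buy_amount.
    if order.sell_amount * sell_price < order.buy_amount * buy_price:
        raise InvalidSettlement(f"{order.uid}: limit price not respected")
    if order.kind == "sell":
        executed_sell = order.sell_amount
        executed_buy = executed_sell * sell_price // buy_price          # round down: against trader
    elif order.kind == "buy":
        executed_buy = order.buy_amount
        executed_sell = ceil_div(executed_buy * buy_price, sell_price)  # round up: against trader
    else:
        raise InvalidSettlement(f"{order.uid}: unknown order kind {order.kind!r}")
    return executed_sell, executed_buy


def settle(orders: List[Order], prices: Dict[str, int], block_time: int) -> Dict[str, Tuple[int, int]]:
    """Execute every trade of a batch and return {uid: (sold, bought)}.
    A fill-or-kill order appearing twice is rejected, so it can never be
    transferred in twice within one settlement."""
    executed: Dict[str, Tuple[int, int]] = {}
    for order in orders:
        if order.uid in executed:
            raise InvalidSettlement(f"{order.uid}: order already filled in this settlement")
        executed[order.uid] = execute_trade(order, prices, block_time)
    return executed


# Constructed sample batch: amounts in whole token units; the clearing prices
# of the batch value 1 WETH at 3000 USDC.
PRICES = {"WETH": 3000, "USDC": 1}
SELL_WETH = Order("sell-1", "WETH", "USDC", 1, 2900, valid_to=1000, kind="sell")
BUY_WETH = Order("buy-1", "USDC", "WETH", 3100, 1, valid_to=1000, kind="buy")
TOO_GREEDY = Order("sell-2", "WETH", "USDC", 1, 3100, valid_to=1000, kind="sell")


def rejected(orders: List[Order], block_time: int) -> str:
    """Return the rejection reason for a batch, or '' if it settles cleanly."""
    try:
        settle(orders, PRICES, block_time)
    except InvalidSettlement as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print(settle([SELL_WETH, BUY_WETH], PRICES, block_time=900))
    print(rejected([SELL_WETH], block_time=1001))            # expired
    print(rejected([TOO_GREEDY], block_time=900))            # limit not respected
    print(rejected([SELL_WETH, SELL_WETH], block_time=900))  # double fill
```

A report against the "expired or worse than limit price" or "transferred in more than once" impacts is, in effect, a settlement that the real contract accepts although this model would reject it; the PoC the program requires is that concrete settlement, run against a private fork as the prohibited-activities list demands.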

Out of scope


Any vulnerabilities mentioned in CoW Swap’s official audits are considered out-of-scope. Audits can be found in the official contracts repository.

Any vulnerability that has already been reported to the CoW team or the CoW DAO, whether publicly or privately, is not eligible for a bounty. We recommend checking if the reported vulnerability is discussed in the issue tracker of the CoW Swap contracts repository.

Some known vulnerabilities may not (yet) have been publicly reported but are already privately known to the CoW team, or have already been discovered by other parties and communicated to the CoW team but not yet fixed. Reports of such vulnerabilities are not eligible.

The eligibility of any submitted bug report, and its assessment, is at the sole discretion of the CoW team.

The following are also considered as out-of-scope:

  • Migration methods.
  • Services that build and submit the settlement transaction (e.g., denial of service, exploiting settlement transactions to extract value via sandwich attacks).
  • Gas efficiency improvements.
  • Any issues relating to networks other than the Ethereum Mainnet.
  • Stealing funds from the settlement contract as a solver.
  • Price manipulation from the solver, for example:
    • Choosing the prices in a settlement so as to receive a premium from an order.
    • Reusing the same token twice in a settlement to give different prices to different orders.

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Running out of gas

The following activities are prohibited by the bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Attempting phishing or other social engineering attacks against the CoW Team and/or customers
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty