Uniswap Offers $15.5 Million Bug Bounty for v4 Core Vulnerabilities

Uniswap, the largest decentralized exchange (DEX), has announced a $15.5 million bug bounty for vulnerabilities in its v4 upgrade. This sets a new record for the highest bug bounty ever offered, surpassing LayerZero’s $15 million reward.

However, this bounty includes several caveats, and Uniswap will only offer a full payout to a “critical” vulnerability that doesn’t include third-party contracts or applications.

Uniswap v4’s Bug Bounty

Uniswap recently offered a substantial bounty for identifying code vulnerabilities. Specifically, the firm is looking for weaknesses in its massive v4 upgrade’s core capabilities. Uniswap also released a blog post with further details about the program:

“Today, we’re excited to launch a $15.5 million bug bounty, the largest in history, for vulnerabilities found in Uniswap v4 core contracts. Uniswap v4 is already among the most thoroughly reviewed codebases in DeFi, with nine independent audits. As deployment approaches, we’re taking an extra step to ensure v4 is as secure as possible,” the post read.

Strictly speaking, Uniswap’s claim to being the largest-ever “bug bounty” is somewhat ambiguous. In the past, certain platforms have offered large bounties to successful hackers, incentivizing them to return stolen funds. Last year, Mixin Network called their $20 million enticement to hackers a “bug bounty,” but the company slightly misused the term.

In this case, Uniswap only offers payments for identifying a weakness, not a ransom for actually exploiting it. In this genre, Uniswap’s $15.5 million offer is indeed massive: earlier this year, Solana offered only $1 million for a similar program. In other words, the company might view continued v4 security as integral to Uniswap’s continued success.

Alternatively, this substantial offer could come from a place of confidence. As mentioned, Uniswap carried out nine separate independent code audits and conducted a further $2.35 million security competition. Fortune claims that Uniswap chose $15.5 million to one-up LayerZero, which offered a $15 million bounty last year. This high reward, then, could just be a boast.

In any event, this massive reward comes with important caveats. First of all, a hacker cannot claim a vulnerability from any third-party contract or application, even those deployed by Uniswap Labs. Second, it can’t list any unfixed issues that previous audits identified. Finally, only a “critical” bug gets the full payment, with lower risks getting between $1 million and $100,000.