thirdweb’s mission depends on security. We value the assistance provided by ethical hackers who assist us in upholding strict privacy and security guidelines for our users and technology. The below information outlines the definition of good faith with respect to the identification and reporting of vulnerabilities and makes it clear what you can anticipate from us in return.
We are offering a bug bounty program for our live deployed smart contracts & areas around our product itself. Proof of concept for re-producing the issue is required.
Up to $50,000 USD.
The reward depends on the severity of the finding and will be reviewed on a case by case basis. Vulnerability priority and reward may be modified based on likelihood or impact at thirdweb’s sole discretion. In cases of downgraded issues, researchers will receive a detailed explanation.
| Severity | Classification | Bounty Payout |
|---|---|---|
| Critical | ||
| (SEV-1) | • Assets can be stolen/lost/compromised directly | |
| • Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results | ||
| • Direct theft of any user funds/NFTs, whether at-rest or in-motion, other than unclaimed yield/royalties | ||
| • Permanent freezing of funds, NFTs, unclaimed yield, unclaimed royalties | ||
| • Protocol insolvency | ||
| • Hijack / manipulate ownership of a contract and its assets (incl upgradeability related issues) | Upto $50,000 | |
| High | ||
| (SEV-2) | • Indirect/potential loss of assets | |
| • Manipulation of state or permissions by external/unauthorized actors | ||
| • Unauthorized minting of tokens, NFTs | ||
| • Temporary freezing of funds, NFTs, unclaimed yield, unclaimed royalties | ||
| • Predictable or manipulable RNG that results in abuse of the principal or NFT | ||
| • Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content) | Upto $10,000 | |
| Medium | ||
| (SEV-3) | • Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements. | |
| • Smart contract unable to operate due to lack of token funds | ||
| • Block stuffing | ||
| • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) | ||
| • Theft of gas | ||
| • Unbounded gas consumption | Upto $3,000 | |
| Low | ||
| (SEV-4) | • Includes both Non-critical (events, etc) and Low risk (e.g. assets are not at risk: state handling, function incorrect as to spec, issues with comments). Excludes Gas optimizations, which are submitted and judged separately. | |
| • Contract fails to deliver promised return value, but no funds are at threat | Upto $500 |