Bug bounty
Triaged by Hackenproof

1inch Smart Contract: Program info

1inch Smart Contract

Company: 1inch
KYC required POC required
Live
Program is active now
Program infoHackers (39)Reports

The 1inch ecosystem comprises interconnected smart contracts that aggregate liquidity from various decentralized exchanges to execute optimal token swaps.

In scope
TargetTypeSeverityReward
https://github.com/1inch/limit-order-protocol
copy
Copy
success Copied

Limit order protocol

Smart Contract
None
Bounty
https://github.com/1inch/fusion-protocol
copy
Copy
success Copied

Limit order settlement

Smart Contract
None
Bounty
https://github.com/1inch/token-plugins
copy
Copy
success Copied

Token-plugins

Smart Contract
None
Bounty
https://github.com/1inch/farming
copy
Copy
success Copied

Farming contracts

Smart Contract
None
Bounty
https://github.com/1inch/delegating
copy
Copy
success Copied

Delegating contracts

Smart Contract
None
Bounty
https://github.com/1inch/calldata-compressor
copy
Copy
success Copied

Calldata Compressor and Decompressor

Smart Contract
None
Bounty
Target
https://github.com/1inch/limit-order-protocol
copy
Copy
success Copied

Limit order protocol

TypeSmart Contract
Severity
None
RewardBounty
Target
https://github.com/1inch/fusion-protocol
copy
Copy
success Copied

Limit order settlement

TypeSmart Contract
Severity
None
RewardBounty
Target
https://github.com/1inch/token-plugins
copy
Copy
success Copied

Token-plugins

TypeSmart Contract
Severity
None
RewardBounty
Target
https://github.com/1inch/farming
copy
Copy
success Copied

Farming contracts

TypeSmart Contract
Severity
None
RewardBounty
Target
https://github.com/1inch/delegating
copy
Copy
success Copied

Delegating contracts

TypeSmart Contract
Severity
None
RewardBounty
Target
https://github.com/1inch/calldata-compressor
copy
Copy
success Copied

Calldata Compressor and Decompressor

TypeSmart Contract
Severity
None
RewardBounty

Focus Area

In-scope vulnerabilities

The following vulnerabilities are considered in-scope:

  • Reentrancy
  • Reordering
  • Overflows and underflows
  • Stealing or loss of funds
  • Unauthorized transaction
  • Transaction manipulation
  • Attacks on logic (behavior of the code is different from the business description)

All in-scope vulnerability reports must include a Proof of Concept (PoC) that demonstrates real-world impact. Submissions without a PoC will not be considered.

Out-of-scope vulnerabilities

Vulnerabilities identified in out-of-scope resources are generally not eligible for rewards unless they present a significant business risk, as determined at our sole discretion.

The following items are generally excluded from reward eligibility due to insufficient severity or lack of relevance to the program’s defined scope:

  • Redundant code
  • Gas optimizations
  • Best practice issues
  • Old compiler version
  • Code style guide violations
  • The compiler version is not locked
  • Vulnerabilities in imported contracts
  • Theoretical or purely speculative exploits without demonstrated business impact

Program Rules

  • Avoid using application scanners that generate massive traffic. Automated scanning results without clear analysis will not be considered
  • Avoid causing any disruption to the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Bounty reward is determined by proportion of potential damage and is limited by a severity rewards range
  • Non-production vulnerabilities are limited to High severity
  • Do not access or modify data belonging to other users
  • Perform testing only within the scope described in this program
  • Do not exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam methods
  • Do not spam forms or account creation flows using automated tools
  • Remain compliant with all applicable laws and operate strictly within the defined testing scope
  • Do not share details of any vulnerabilities with anyone outside the authorized team without explicit written permission from the organization

Disclosure Guidelines

  • All information related to this program, including any discovered vulnerabilities (resolved or unresolved), must be kept strictly confidential. Public disclosure — including partial disclosure or discussion in any public forum, channel, or platform — is strictly prohibited without the organization's explicit written consent

Eligibility and Coordinated Disclosure

We value all valid reports that help us strengthen our security. To qualify for a monetary reward, the following eligibility conditions must be fulfilled:

  • You must be the first reporter of a vulnerability
  • The vulnerability must be a qualifying (in-scope) vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery
  • You must send a clear textual description of the report and detailed steps to reproduce the issue. Include attachments such as screenshots or proof-of-concept code if necessary
  • You must not be a former or current employee of our company or any of its contractors
  • Include clear and concise reproduction steps to help us verify and assess the impact of the reported issue efficiently
Rewards
Range of bounty$100 - $500,000
Severity
Critical
$30,000 - $500,000
High
$10,000 - $30,000
Medium
$2,000 - $10,000
Low
$100 - $2,000
Stats
Scope Review31316
Submissions75
Total rewards$1,200
Types
smart contract
Languages
Solidity
Project types
DEX
Hackers (39) View all
Inch Maillist
1
0xMR0
3
PhantomSands
4
Roni Carta
5
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response3d
Triage Time3d
Reward Time90d
Resolution Time14d