Banner object (1)

Hack and Take the Cash !

790 bounties in database
  Back Link to program      
Maker Ecosystem Growth Holdings, Inc logo
Hall of Fame


100 $ 

In Scope

Scope Type Scope Name
other __
other __
other __
other __
other __
other __
other __
other __
other __
other __
other __
other __
other __
other __
other __

Out of Scope

Scope Type Scope Name
web_application *

Maker Ecosystem Growth Holdings, Inc


System security is paramount for the success of the Maker vision of an open financial system. In addition to multiple independent security audits and formal verification of our smart contracts for multi-collateral Dai (MCD), we also encourage responsible disclosure of security vulnerabilities via our bug bounty program as described in this document.

The bug bounty program will develop in iterations towards the launch of MCD where:

  • The scope of assets will increase. Assets already in scope may be updated on a bi-weekly basis as shown on
  • Bug bounty amounts will increase.

The program is planned to be a long-running program that will continue indefinitely after launch of MCD.

The scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch. The scope may also expand to include web applications, tools, etc.

To qualify for a reward, the investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.


We base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood.

Multiple issues caused by one underlying vulnerability may only qualify for one reward.

A bug report may qualify for a reward only when:

  • It makes the Maker team aware of the bug for the first time
  • The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public
  • The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document or allowed anyone else to profit outside the bug bounty program
  • A bug is reported without any conditions, demands, or threats
  • It complies with the other conditions in this document


At this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for multi-collateral Dai as listed below. Other Maker products and services are currently not in scope but may be added at a later date.

Exploits may be grouped as following:

  1. Function-level (exploitable through a single entry-point)
  2. Contract-level (combining multiple entry-points)
  3. System-level (combining multiple contracts)
  4. Game-level (attacking the incentive mechanisms) (currently not eligible for reward)

Only exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.

The following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.


Core System Contracts

  • Vat __(MCD_VAT) - Core CDP Engine
  • Spotter __(MCD_SPOT) - Price feed updater
  • Jug __(MCD_JUG) - Stability fee accumulator
  • Pot __(MCD_POT) - Dai Savings
  • Cat __(MCD_CAT) - Liquidation Module
  • End __(MCD_END) - Global Settlement Module
  • Flapper __(MCD_FLAP) - Surplus Auction
  • Flipper __(MCD_FLIP) - Collateral Auction
  • Flopper __(MCD_FLOP) - Debt Auction
  • Vow __(MCD_VOW)- Dai Settlement


  • Dai __(MCD_DAI) - Dai Token (note in a previous version of the bug bounty program this was DSToken. Currently it is dss/Dai.sol)
  • DaiJoin __(MCD_JOIN_DAI) - Dai Token Adapter


  • WETH9_ __(MCD_ETH) - ETH Token Wrapper
  • GemJoin2 __(MCD_JOIN_OMG_A) - OMG Adapter
  • GemJoin3 __(MCD_JOIN_DGD_A) - DGD Adapter
  • GemJoin4 __(MCD_JOIN_GNT_A) - GNT Adapter


  • Median __(to get address call for a specific OSM, for exampleseth call $PIP_ETH 'src()(address)') Medianizer for Oracles
  • OSM __(PIP_ETH, PIP_REP, PIP_ZRX, PIP_OMG, PIP_BAT, PIP_DGD, PIP_GNT) Oracle Security Module

Bi-weekly Releases

Until MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements.

The bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.

The current release eligible for vulnerability reports is 0.2.10 __. Only vulnerabilities found in this deployment can currently be submitted for a reward.

Contract details for all the latest releases are available from __

Program Rules

  • Follow HackerOne's disclosure guidelines.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.

Ineligible methods

Vulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:

  • Social engineering
  • DDOS attack
  • Spamming
  • Any physical attacks against Maker Foundation property, data centers or employees
  • Automated tools
  • Compromising or misusing third party systems or services

Ineligible bugs

  • Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program
  • Vulnerabilities in outdated software from Maker or which affects only outdated third party software
  • Bugs that are not reproducible
  • Bugs disclosed to other parties without consent from the Maker team
  • Issues which we cannot reasonably be expected to be able to do anything about

Investigation Tools

MCD 101 Guide
A comprehensive overview of the smart contracts within MCD.

Source Code
The MCD core contracts and their documentation can be found here:

Deployment Scripts:

Ethereum command-line tool used by our deploy scripts:

Command line-tool for interacting with MCD.

A faucet is available to faciliate obtaining MKR and Collateral tokens on testnet. See the changelog __to get the faucet address for the relevant deployment (FAUCET).

To claim tokens use the following seth command:

seth send $FAUCET ‘gimme()’

This will only work once per address.

Responsible Reporting

A detailed report with clear instructions on how to reproduce the vulnerability increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:

  • A description of the bug
  • The conditions on which reproducing the bug is contingent
  • The steps needed to reproduce the bug or a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid
  • The potential implications of the vulnerability being abused

Please allow 3 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.

Fine Print

This bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to

Our employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.

Thank you for helping keep Maker safe!

FireBounty © 2015-2019

Legal notices