System security is paramount for the success of the Maker vision of an open financial system. In addition to multiple independent security audits and formal verification of our smart contracts for multi-collateral Dai (MCD), we also encourage responsible disclosure of security vulnerabilities via our bug bounty program as described in this document.
The bug bounty program will develop in iterations towards the launch of MCD where:
The program is planned to be a long-running program that will continue indefinitely after launch of MCD.
The scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch. The scope may also expand to include web applications, tools, etc.
To qualify for a reward, the investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.
We base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood.
Multiple issues caused by one underlying vulnerability may only qualify for one reward.
A bug report may qualify for a reward only when:
At this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for multi-collateral Dai as listed below. Other Maker products and services are currently not in scope but may be added at a later date.
Exploits may be grouped as follows:
Only exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.
The following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.
Core System Contracts
MCD_VAT - Core CDP Engine
MCD_SPOT - Price feed updater
MCD_JUG - Stability fee accumulator
MCD_POT - Dai Savings
MCD_CAT - Liquidation Module
MCD_END - Global Settlement Module
MCD_FLAP - Surplus Auction
MCD_FLIP - Collateral Auction
MCD_FLOP - Debt Auction
MCD_VOW - Dai Settlement
MCD_DAI - Dai Token (note: in a previous version of the bug bounty program this was DSToken. Currently it is
MCD_JOIN_DAI - Dai Token Adapter
MCD_ETH - ETH Token Wrapper
MCD_JOIN_ZRX_A - BAT, REP, WETH, ZRX Adapter
MCD_JOIN_OMG_A - OMG Adapter
MCD_JOIN_DGD_A - DGD Adapter
MCD_JOIN_GNT_A - GNT Adapter
Medianizer for Oracles (address returned by seth call $PIP_ETH 'src()(address)')
PIP_GNT - Oracle Security Module
Until MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements.
The bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.
The current release eligible for vulnerability reports is 0.2.10. Only vulnerabilities found in this deployment can currently be submitted for a reward.
Contract details for all the latest releases are available from changelog.makerdao.com
Vulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:
MCD 101 Guide
A comprehensive overview of the smart contracts within MCD.
The MCD core contracts and their documentation can be found here:
Ethereum command-line tool used by our deploy scripts:
Command line-tool for interacting with MCD.
A faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the changelog to get the faucet address for the relevant deployment.
To claim tokens, run the following:
seth send $FAUCET 'gimme()'
This will only work once per address.
A detailed report with clear instructions on how to reproduce the vulnerability increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:
Please allow 3 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.
This bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to firstname.lastname@example.org.
Our employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.
Thank you for helping keep Maker safe!