The bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:
The program may be expanded in the future to include more asset types such as frontends and apps.
We generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.
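As an added illustration (not part of the program text), the OWASP Risk Rating Methodology the program refers to can be worked through in Python: each likelihood and impact factor is scored 0 to 9, the averages are mapped to LOW/MEDIUM/HIGH bands, and the pair is looked up in the OWASP overall-severity table. The two sample reports are constructed.

```python
from statistics import mean

# Added example: OWASP Risk Rating Methodology as used for report triage.
# Each factor is scored 0-9. Likelihood = average of the eight threat-agent
# and vulnerability factors; impact = average of the eight technical and
# business factors. Sample factor values below are constructed.

LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability",
                  "financial_damage", "reputation_damage",
                  "non_compliance", "privacy_violation")

# OWASP overall severity table, keyed by (likelihood band, impact band).
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",  ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}

def band(score):
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(report, names):
    """Average the named factors, rejecting out-of-range scores."""
    values = []
    for name in names:
        v = report[name]
        if not 0 <= v <= 9:
            raise ValueError(f"{name}={v} is outside the 0-9 scale")
        values.append(v)
    return mean(values)

def rate(report):
    """Return the OWASP likelihood band, impact band and overall severity."""
    likelihood = band(average(report, LIKELIHOOD_FACTORS))
    impact = band(average(report, IMPACT_FACTORS))
    return {"likelihood": likelihood, "impact": impact,
            "severity": SEVERITY[(likelihood, impact)]}

# Constructed report: easy to find and trigger, moderate impact.
EASY_MODERATE = dict(zip(LIKELIHOOD_FACTORS + IMPACT_FACTORS,
                         [6, 9, 9, 9, 7, 7, 6, 3,  7, 7, 5, 9, 7, 5, 2, 3]))
# Constructed report: severe impact but very hard to trigger.
HARD_SEVERE = dict(zip(LIKELIHOOD_FACTORS + IMPACT_FACTORS,
                       [1, 1, 0, 2, 1, 1, 1, 3,  9, 9, 9, 9, 9, 9, 7, 7]))

if __name__ == "__main__":
    print(rate(EASY_MODERATE))  # severity 'High': likelihood HIGH, impact MEDIUM
    print(rate(HARD_SEVERE))    # severity 'Medium': likelihood LOW, impact HIGH
```

The second report shows why both axes matter: a severe-impact issue that is almost impossible to trigger lands in the middle of the table rather than at Critical.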
A bug report may qualify for a reward only when:
The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:
Multiples or duplicates
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Vulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:
Please allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.
This bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to email@example.com.
Our employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.
Thank you for helping keep Maker safe!
The smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where:
The program is planned to be a long-running program that will continue indefinitely after launch of MCD.
The scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.
The minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.
Like the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:
At this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.
Exploits may be grouped as follows:
Only exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.
The following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.
Core System Contracts
MCD_VAT - Core CDP Engine
MCD_SPOT - Price feed updater
MCD_JUG - Stability fee accumulator
MCD_POT - Dai Savings
MCD_CAT - Liquidation Module
MCD_END - Global Settlement Module
MCD_FLAP - Surplus Auction
MCD_FLIP - Collateral Auction
MCD_FLOP - Debt Auction
MCD_VOW - Dai Settlement
MCD_DAI - Dai Token (note: in a previous version of the bug bounty program this was DSToken. Currently it is
MCD_JOIN_DAI - Dai Token Adapter
MCD_ETH - ETH Token Wrapper
MCD_JOIN_ZRX_A - BAT, REP, WETH, ZRX Adapter
MCD_JOIN_OMG_A - OMG Adapter
MCD_JOIN_DGD_A - DGD Adapter
MCD_JOIN_GNT_A - GNT Adapter
seth call $PIP_ETH 'src()(address)' - Medianizer for Oracles
PIP_GNT - Oracle Security Module
Until MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements.
The bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.
The current release eligible for vulnerability reports is 0.2.17. Only vulnerabilities found in this deployment can currently be submitted for a reward.
Contract details for all the latest releases are available from changelog.makerdao.com.
MCD 101 Guide
A comprehensive overview of the smart contracts within MCD.
The MCD core contracts and their documentation can be found here:
Ethereum command-line tool used by our deploy scripts:
Command line-tool for interacting with MCD.
A faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the changelog to get the faucet address for the relevant deployment.
To claim tokens use the following:
seth send $FAUCET 'gimme()'
This will only work once per address.
Like the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. However, only Critical bugs are currently in scope.
The scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.
Systems in scope with this program are listed below. We expect to include more domains in the future.
| Scope Type | Scope Name |
Firebounty crawled the program Maker Ecosystem Growth Holdings, Inc on the HackerOne platform on 2019-08-06.