The bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:
The program may be expanded in the future to include more asset types such as frontends and apps.
We generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.
A bug report may qualify for a reward only when:
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Vulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:
Please allow 5 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.
This bug bounty program may be canceled or revised at any time at the discretion of the Maker Foundation team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to email@example.com
Our employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.
Thank you for helping keep Maker safe!
The smart contracts bug bounty program will develop in iterations:
The program is intended to be long-running and to continue indefinitely.
The scope is a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet; more contracts will be added as needed.
The minimum amounts will also increase in future iterations of the bug bounty program.
Like the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs, which must meet the following requirements:
At this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.
Exploits may be grouped as follows:
Only exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.
The following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.
Core System Contracts
MCD_VAT - Core CDP Engine
MCD_SPOT - Price feed updater
MCD_JUG - Stability fee accumulator
MCD_POT - Dai Savings
MCD_CAT - Liquidation Module
MCD_END - Global Settlement Module
MCD_FLAP - Surplus Auction
MCD_FLIP - Collateral Auction
MCD_FLOP - Debt Auction
MCD_VOW - Dai Settlement
MCD_DAI - Dai Token (note: in a previous version of the bug bounty program this was DSToken. Currently it is
MCD_JOIN_DAI - Dai Token Adapter
MCD_ETH - ETH Token Wrapper
MCD_JOIN_ZRX_A - BAT, REP, WETH, ZRX Adapter
MCD_JOIN_OMG_A - OMG Adapter
MCD_JOIN_DGD_A - DGD Adapter
MCD_JOIN_GNT_A - GNT Adapter
MCD_JOIN_USDC_A - USDC Adapter
Instant Access Modules
OSM_MOM - allows oracle price updates to be halted without a governance delay
FLIPPER_MOM - allows liquidations to be enabled and disabled without a governance delay
seth call $PIP_ETH 'src()(address)' - Medianizer for Oracles
PIP_GNT - Oracle Security Module
The smart contracts included for "governance" have special limitations on the types of bugs that are currently considered in scope. For instance, it is a known design aspect of governance that governance has "root" access to the MCD system and, with this permission, is able to manipulate system parameters in such a way that it could take actions that would qualify under this program scope. We have recently added the Governance Security Module (see pause scope below) to provide a delay in governance actions and additional protection against malicious governance proposals. Generic "Governance could be malicious" reports are not in scope.
However, bugs in the DS-Chief contract that result in the voting with, locking, or theft of MKR tokens that are not owned by the attacker are considered in scope. A bug that shows an attacker locking, voting with, or stealing another user's MKR through a bug in the Chief would be considered critical.
Additionally, bugs in the Pause or Pause Proxy contracts or MCD system permissions that allow a Governance proposal to be enacted without waiting for the pause would be considered in scope. Specifically excluded from this scope would be an attack that relies on clogging the Ethereum network, colluding with miners, or Governance not noticing or being overwhelmed by malicious proposals long enough for the delay to pass. A bug that allows governance to act instantaneously through the pause contract or to directly affect some permissioned part of the MCD system is in scope unless done via an Instant Access Module (IAM). IAMs are smart contracts with permissions that permit bypassing the governance delay for specific actions, which are either deemed to be safe or necessary as emergency defenses. Any behavior of an instant access module that violates the intent of that module is still a bug.
Attacks Leveraging Other DeFi Protocols
Attacks in the DeFi space sometimes combine multiple protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX). PoCs or descriptions of bug exploits may utilize such mechanisms, either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible. However, they will only be considered in scope so long as:
The Maker Foundation will continue with as-needed deployments of the latest versions of the smart contracts to the Kovan testnet. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.
The bug bounty program will be applicable to only one release at a time as specified in this policy. Submissions should indicate to which release they relate.
The current release eligible for vulnerability reports is 1.0.4. Only vulnerabilities found in this deployment can currently be submitted for a reward.
Contract details for all the latest releases are available from changelog.makerdao.com
MCD 101 Guide
A comprehensive overview of the smart contracts within MCD.
The MCD core contracts and their documentation can be found here:
If reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:
Ethereum command-line tool used by our deploy scripts:
Command line-tool for interacting with MCD.
A faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the changelog to get the faucet address for the relevant deployment (
To claim tokens, use the following command:
seth send $FAUCET 'gimme()'
This will only work once per address.
Like the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. However, only Critical bugs are currently in scope.
The scope of our program focuses on specific externally facing infrastructure owned by the Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure, including select websites and DNS configurations.
Systems in scope for this program are listed below. We expect to include more domains in the future.
|Scope Type||Scope Name|
Firebounty crawled the program Maker Ecosystem Growth Holdings, Inc on the platform HackerOne on 2019-08-06.