
March 24, 2023

Bug Bounty for Polygon zkEVM


Today, Polygon Labs launched a bug bounty for Polygon zkEVM. The bounty program, which will be run by Immunefi, is one of the many guardrails in place for the upcoming release of Mainnet Beta.

Bug bounties provide a critical barrier of protection for open-source blockchain networks by incentivizing researchers and white hat hackers to find and document vulnerabilities. Immunefi helps protect $60B worth of user funds and, to date, has processed more than $66M in payouts—a fraction of what would be lost were those vulnerabilities exploited. 

For a full rundown on the process for reporting bugs and payouts, check out Immunefi’s landing page for Polygon zkEVM. In keeping with the built-in-public ethos of Polygon zkEVM, Polygon Labs has also made the completed audit report, by Hexens, available on GitHub. As additional audit reports are finalized, we’ll share those, too.

Bugs by Size, Bounties by Probability

As is standard, bounty payouts are tiered based on the level of vulnerability identified. Bug bounties in Web3 are dramatically repriced relative to Web2. This is a reflection of the volume of financial assets held in smart contracts, where code is king.

As an emergent technology, ZK rollups (ZKRs) present a unique challenge: the threat model is brand new. Because the prover in a ZKR uses math to attest that a valid state transition has occurred, a dishonest actor may look for missing constraints that would let them trick the prover into proving illegitimate state transitions.
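The missing-constraint failure mode described above, as an added toy example (not Polygon zkEVM code and not its constraint system): a balance-update check whose range proof omits the booleanity constraints on the bit decomposition, so a witness that underflows the balance still satisfies every constraint, while the same circuit with the constraints restored rejects it. The field modulus, variable names and witness values are constructed for the illustration.

```python
# Toy under-constrained "circuit": a balance update whose range proof forgets
# the booleanity constraints on the bit decomposition of the new balance.
# Constructed example; not Polygon zkEVM's constraint system or field.
P = 2**61 - 1   # constructed prime field modulus
BITS = 8        # the new balance must fit in 8 bits (i.e. must not underflow)

def range_constraints(bit_names, value_name, enforce_boolean):
    """Constraints asserting value == sum(bit_i * 2^i); optionally that each bit is 0 or 1."""
    cs = [("decomposition",
           lambda w: (sum(w[b] * (1 << i) for i, b in enumerate(bit_names)) - w[value_name]) % P)]
    if enforce_boolean:
        for b in bit_names:
            # b*(b-1) == 0 holds only for b in {0, 1}; without it a "bit" can be any field element
            cs.append((f"{b} is boolean", lambda w, b=b: (w[b] * (w[b] - 1)) % P))
    return cs

def transfer_constraints(enforce_boolean):
    """new = old - amount, plus a range check that new fits in BITS bits."""
    bits = [f"b{i}" for i in range(BITS)]
    return [("new = old - amount", lambda w: (w["old"] - w["amount"] - w["new"]) % P)] + \
           range_constraints(bits, "new", enforce_boolean)

def violated(constraints, witness):
    """Return the names of constraints the witness fails (empty list means it is accepted)."""
    return [name for name, f in constraints if f(witness) != 0]

# Honest witness: 10 - 3 = 7 = 0b00000111 (constructed)
honest = {"old": 10, "amount": 3, "new": 7, **{f"b{i}": (7 >> i) & 1 for i in range(BITS)}}

# Malicious witness (constructed): spend 50 from a balance of 10. "new" wraps to -40 mod P,
# and the whole wrapped value is stuffed into b0, which the buggy circuit never checks is 0/1.
malicious = {"old": 10, "amount": 50, "new": (10 - 50) % P,
             "b0": (10 - 50) % P, **{f"b{i}": 0 for i in range(1, BITS)}}

BUGGY = transfer_constraints(enforce_boolean=False)   # under-constrained: accepts the underflow
FIXED = transfer_constraints(enforce_boolean=True)    # rejects it on the "b0 is boolean" constraint
```

Both witnesses pass BUGGY; only the honest one passes FIXED, which is exactly the class of gap a circuit audit or bounty report would flag.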

Generating these validity proofs also requires many moving parts. Pricing these parts is difficult. But the goal is that, as Polygon zkEVM matures, bounties will increase.  

  • Critical: up to $1,000,000 
  • High: $10,000 - $50,000
  • Medium: $5,000

The specific bounty paid at each tier depends on the likelihood of exploitation—this follows v2.2 of Immunefi’s classification system. Polygon Labs may also classify vulnerabilities using the Common Vulnerability Scoring System.

Scope, Eligibility, and Timeframe

At a high level, the bug bounty covers the smart contracts and blockchain for Polygon zkEVM. However, even an out-of-scope bug may be eligible for a bounty—researchers should submit any bug for review by Immunefi and the security team at Polygon Labs. 

To be eligible for a bounty, you have to show your work. A proof of concept (PoC) is required—and if you include how to fix it, you may be eligible for a juicy bonus. 

The timeframe for the bug bounty is indefinite. In Web3, bug bounties are a critical component of the software development lifecycle.

Finally, while much of this is standard to blockchain bug bounties, all aspiring participants should carefully review the details of the scope, eligibility, and timeframes available on Immunefi.

For a comprehensive resource on Polygon zkEVM, check out the documentation wiki. And if you’re interested in (or perplexed by) ZKR, follow the handle dedicated to the inner workings of ZK and scaling protocols, @0xPolygon, or head over to the ZK forum.
