Bug Bounty Program

The security of Rollup.Finance’s systems is of the most significance to us. Yet, even with significant scrutiny and auditing, there’s still a possibility of vulnerabilities due to the novelty of the growing DeFi ecosystem.
That’s why we set up a Bounty Program to identify bugs and vulnerabilities in Rollup.Finance.


Rewards will be allocated based on the severity of the bug and will be evaluated and rewarded at the discretion of the Rollup.Finance team. For critical bugs that cause any loss of funds, rewards of up to $50,000 will be granted. Lower severity bugs will be rewarded at the discretion of the team itself.


Any vulnerability or bug discovered must be reported only to the following email: [email protected] .
Before Rollup.Finance has been notified, has fixed the issue, and has granted permission for public disclosure the vulnerability must not be disclosed publicly or to any other person, entity or email address. Moreover, disclosure must be made within 24 hours following discovery of the vulnerability.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
  • The conditions which trigger the bug.
  • The steps needed to reproduce the bug or, preferably, a proof of concept.
  • The potential implications of the vulnerability being abused.
Disclosers who submit a vulnerability report or provide a usful solution for bug, with their permissions, will be publicly acknowledged for their contribution.


To gain a reward under this Program, you must:
  1. 1.
    Discover a previously unreported, non-public vulnerability
  2. 2.
    Be the first who disclose the vulnerability, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the 24 hour period, rewards will be at the discretion of Rollup.Finance.
  3. 3.
    Provide a report with sufficient information to enable our engineers to reproduce and fix the vulnerability.
  4. 4.
    Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other kinds of coercive tactics.
  5. 5.
    In no way should the the vulnerability be exploited, including through making it public or by obtaining a profit (exclusive from the reward under this Program).
  6. 6.
    Make a good effort to avoid privacy violations, destruction of data, interruption or degradation of Rollup.Finance.
  7. 7.
    Submit only one vulnerability at a time, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
  8. 8.
    Do not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid at this Program.
  9. 9.
    Disclosers should not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors.
  10. 10.
    Be at least 18 years age or, if age below 18, submit your vulnerability with the consent of your parent.

Issue Outside The Scope

The followings are not within the scope of the Program

  • Bugs in any third party contract or platform that interacts or connects with Rollup.Finance. And vice versa.
  • Any already-reported bugs.

Any of the following activities also are outside the scope of this Program:

  • Any already-reported bugs.
  • DDOS attacks
  • Frontend bugs
  • Spamming
  • Phishing
  • Automated tools (AWS, etc.)
  • Compromising or misusing third party systems or services.

All reward decisions, including qualifying criteria for and amounts of the rewards as well as the way in which such rewards will be paid, are all made at our discretion.
The terms and conditions of this Program may be altered at any time.