We’ve already put the Gnosis Safe smart contracts under the microscope of formal verification. Given our confidence in the Gnosis Safe smart contracts’ security, we’ve decided at Gnosis to move our own company funds to the newly formally verified contracts. Our funds will be moved in stages, with the first 5,000 ETH already stored in this Gnosis Safe, a honeypot for hackers.

But that’s not all! We are also kicking off a bug bounty program to further audit and secure the Gnosis Safe smart contracts. Depending on severity, a single reported bug can earn up to $50,000.

Let’s get right into it…

The Rules

Many of the Ethereum Foundation’s bug bounty program rules also apply to the Gnosis Safe bug bounty program:

Issues that have already been submitted by another user or are already known to the Gnosis team are not eligible for bounty rewards.

Public disclosure of a vulnerability makes it ineligible for a bounty.

The Gnosis core development team, employees, and all other people paid by Gnosis, directly or indirectly (including the external auditor), are not eligible for rewards.

The Gnosis Safe bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Gnosis Safe bug bounty panel.

The Scope

The scope of our bug bounty program includes core contracts related to release v1.0.0 of the Gnosis Safe (check out the Readme or the release details for more information).

In scope:

GnosisSafe.sol

ProxyFactory.sol

CreateAndAddModules.sol, MultiSend.sol (the only libraries that are part of the bug bounty)

Examples of what’s in scope:

Being able to steal funds

Being able to freeze funds or render them inaccessible to their owners

Being able to perform replay attacks

Being able to change Safe settings without owner consent

Out of scope:

Any files, modules or libraries other than the ones mentioned above

More efficient gas solutions

Any points listed as already known weaknesses

Any points listed in the audit or formal verification results report

Intended behavior

Please refer to the readme file, the readthedocs and the release details in the repository for an extensive overview of the intended behavior of the smart contracts.

Compensation

Any bug will be considered for a bounty, even if it does not lead to a redeploy; the severity of the threat determines the reward. Below are the reward levels for each threat severity, along with an example of such a threat.

High threat: up to $50,000

An identified attack that could steal funds or tokens or lock user funds would be considered a high threat. Likewise, a reported bug that, on its own, leads to a redeploy of the code will always be considered a high threat.

Medium threat: up to $10,000

An identified attack in which funds can be stolen because of unexpected behavior on the part of the user. "Unexpected" here means that the user has no way to see what will happen before the funds are lost.

Low threat: up to $2,000

A way to avoid transaction fees, or something that otherwise compromises the experience of other Safe users.

All bounties will be paid in ETH.

Please note that the submission’s quality will factor into the level of compensation. A high-quality submission includes an explanation of how the bug can be reproduced, a failing test case, a valid scenario in which the bug can be exploited, and a fix that makes the test case pass. High-quality submissions may be awarded amounts higher than the amounts specified above.

Submission Process

Please email your submissions to: bounty@gnosis.pm

Don’t forget to include your ETH address so you can be rewarded. If more than one address is specified, only one will be used at the discretion of the bounty program administrators.

Anonymous submissions are welcome, too.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.

We ask that:

You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.

You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.

You do not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as an attempted compromise of sensitive company data or probing for additional issues.

You do not violate any other applicable laws or regulations.

Public disclosure of the bug or indication of an intention to exploit it on the mainnet will make the report ineligible for a bounty. If in doubt about other aspects of the bounty, most of the Ethereum Foundation bug bounty program rules will apply here.

Any questions? Reach us via email (bounty@gnosis.pm) or Gitter. For more information on the Gnosis Safe, check out our blog and our Github.

Honeypot

As mentioned above, we have transferred a significant amount of funds (5,000 ETH) to a Gnosis Safe, which serves as a honeypot for bounty hunters. We will continue gradually moving substantial company funds into a Gnosis Safe.

Happy hunting!