Crescendo Bounty Program

Help Secure the Biggest Flow Upgrade Since Launch

What is in the scope of this bounty program?

This bug bounty program seeks exploitable weaknesses in smart contract code, transactions, or scripts that could destabilize the Flow network, such as crashing or significantly slowing down network nodes.

The goal is to safeguard the Cadence and EVM runtime environment from unauthorized control and protect the non-public state of accounts from privilege escalation. Your expertise could earn substantial rewards and contribute to a more secure Flow network!

The bounty program welcomes any bug reports that clearly demonstrate unintended behavior and significantly impact Flow builders or users.

Bounty Tiers

Severity: Critical, Reward: $100,000 USD
Severity: High, Reward: $50,000 USD
Severity: Medium, Reward: $10,000 USD
Severity: Low, Reward: $1,000 USD

Where are potential bugs?

The Crescendo upgrade introduces major performance upgrades and full EVM equivalence. Here are the key areas that underwent significant changes, and potential bugs that could arise.

1. Cadence language

3. Cadence & EVM runtime environment

4. Privilege elevation / escalation / unauthorized access

5. EVM gateway

6. Onchain data

What is outside the scope of this program?

All vulnerabilities must be reported in accordance with the Flow Responsible Disclosure Process.

For a list of Flow protocol and web application exclusions (i.e. non-qualifying vulnerabilities), refer to the Flow Responsible Disclosure.