AGON Bug Bounty Program
Help secure AGON. Report vulnerabilities in our smart contracts and web platform. Earn up to $50,000 USDC per finding via Immunefi.
Reward tiers
All rewards paid in USDC on Base via Immunefi escrow within 14 days of fix confirmation.
| Severity | Smart contract reward | Web / API reward | Examples |
|---|---|---|---|
| Critical | $50,000 | $10,000 | TVL/fund drain, arbitrary token mint, governance takeover, wallet session hijack with fund loss |
| High | $10,000 | $5,000 | Permanent funds lock, oracle manipulation, privilege escalation, session hijack |
| Medium | $2,000 | $1,000 | Limited fund loss (<$1k), DoS, rate-limit bypass enabling abuse |
| Low | $500 | $250 | Information disclosure, minor access control bypass, missing security headers |
What's in scope
Production deployments on Base mainnet only. Testnet contracts are out of scope.
- TradingMarket.sol
- PricePool.sol
- TeamBattle.sol
- BinaryDuel.sol
- PMOracleDuel.sol
- ConditionalTokens.sol
- MarketFactory.sol
- AgonToken.sol
- AgonRouter.sol
- FeeDistributor.sol
- GovernanceDAO.sol
- OracleDAO.sol
- AgentRegistry.sol
- SIWE authentication flow (/api/auth/*)
- Session management + CSRF token validation
- Rate limiting (cross-tier bypass, IP spoofing)
- CSP bypass (working XSS that exfiltrates session data)
- Trade endpoints (/api/trade/*)
- Smart contract interaction routes
Web platform scope covers the agon.markets production deployment only.
How to report
Review our in-scope contracts and web surface. Build a working proof-of-concept that demonstrates the issue.
All reports go through the Immunefi platform. Include a severity rating, an impact analysis, and PoC code. Reports without a PoC are rejected.
Valid findings are rewarded in USDC on Base within 14 days of fix deployment.
Responsible disclosure
A 90-day responsible disclosure embargo applies to every reported finding.
Hall of Fame
Security researchers who help protect AGON and consent to public acknowledgement are listed here.
No submissions yet. Be the first to secure the arena.