Bounties
How bug bounties work at Code4rena
Any registered warden can submit bugs to Code4rena bug bounties.
Only Critical and High risk issues are acceptable, unless otherwise noted in the bounty repo.
Coded runnable PoCs are required.
Submitting to a Code4rena bug bounty
Visit code4rena.com/bounties to see all active bounties.
Each bounty page outlines the scope and other details for the bounty.
To submit a finding, use the submission form (linked from the bounty page).
You will receive an email confirmation that your submission was successful.
Deposit requirements
Each submission to a Code4rena bug bounty requires a $25 USDC deposit.
Important — send the deposit from a wallet you control (avoid CEX withdrawals): Do not send the deposit directly from a custodial exchange (CEX) withdrawal. CEX withdrawals are non-deterministic — the exchange controls the originating wallet and may apply withdrawal fees, batching, or other behaviors that prevent us from reliably linking a transaction to your Code4rena account. In the event of a dispute where ownership of the sending wallet must be established, only an Externally Owned Account (EOA) you control provides deterministic proof of ownership. Additionally, some exchanges deduct a withdrawal fee which can result in the recipient receiving less than 25 USDC and cause the deposit to be treated as invalid. To avoid issues, send the exact 25 USDC from a self-custody EOA wallet you control. If you must move funds from an exchange, first withdraw to your own EOA and then send the deposit transaction from that wallet.
To send your deposit: send 25 USDC to 0xB592d203fd9f55CC4746172A92E35baBA1046a14 on Ethereum mainnet.
This address can ONLY receive Ethereum USDC and does not accept any other methods.
To confirm your deposit: enter an Etherscan link to the transaction in the "Link to deposit transaction" field.
Submissions will be reviewed once the transaction has been confirmed.
If a submission is judged valid or wontfix, the deposit will be refunded to the wallet used to pay the deposit.
If a submission is judged unsatisfactory or spam, the deposit is not refunded.
Tracking progress on your submission
Bounty submissions cannot be edited once submitted.
Bounty submissions do not appear in-app, in the "Your submissions" view.
All results for C4 bug bounties are communicated through the #c4-bounties channel in the Code4rena Discord server. Bug bounty participants are encouraged to enable notifications for that channel.
If your bounty submission meets the criteria for a reward, C4 staff will notify you in a private thread in the Code4rena Discord server, to coordinate payment.
Judging process for Code4rena bug bounties
Unless otherwise noted in the bounty's README, bounty submissions are judged by the sponsor team. The following guidelines apply to sponsor-judged bounties.
Sponsor judging responsibilities
Sponsors are responsible for reviewing and assessing submitted findings and for providing, in a timely manner, a written response indicating their determination.
Code4rena will make best efforts to share sponsors' written responses with the warden who reported the finding as soon as possible.
Findings which do not receive a sponsor response within 14 days of submission are closed by default.
Appeals process for bounty programs
Wardens may choose to appeal a sponsor's verdict for a Code4rena bounty submission, if they wish to formally contest the assessed validity and/or risk level of one or more findings.
In the event of a judge appeal, with permission from the sponsor, Code4rena staff will select judge(s), affiliated with Code4rena or independent, and the appointed judges will apply the bounty judging criteria to the relevant findings. Code4rena will administer the appeal process at its discretion. Decisions after an appeal are binding and final with respect to a finding’s validity, severity, and remuneration due to the warden who reported the finding.