Berachain (Web/Apps)
Bounty Range
$1,000 - $10,000
external program
Berachain (Web/Apps)
Bounty Range
$1,000 - $10,000
external program
Berachain is a high-performance EVM-Identical Layer 1 (L1) blockchain utilizing Proof-of-Liquidity (PoL) as a consensus mechanism and built on top of a modular EVM-focused consensus client framework named BeaconKit.
BeaconKit is a modular framework for building EVM-based consensus clients. The framework offers the most user-friendly way to build and operate an EVM blockchain while ensuring a functionally identical execution environment to the Ethereum Mainnet.
Websites and Applications
For critical web/apps bug reports will be rewarded with USD 10,000, only if the impact leads to:
All other impacts that would be classified as Critical would be rewarded a flat amount of USD 5,000. The rest of the severity levels are paid out according to the Impact in Scope table.
Payouts are handled by the Berachain team directly and are denominated in USD. However, payments are made in BERA on Berachain.
The net amount rewarded is calculated based on the average price between CoinMarketCap.com and CoinGecko.com at the time the bug report was submitted. No adjustments are made based on liquidity availability.
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3.
Berachain is a high-performance EVM-Identical Layer 1 (L1) blockchain utilizing Proof-of-Liquidity (PoL) as a consensus mechanism and built on top of a modular EVM-focused consensus client framework named BeaconKit.
BeaconKit is a modular framework for building EVM-based consensus clients. The framework offers the most user-friendly way to build and operate an EVM blockchain while ensuring a functionally identical execution environment to the Ethereum Mainnet.
Berachain will be requesting KYC information to pay for successful bug submissions. The following information will be required:
Security researchers who wish to participate must adhere to the rules of engagement outlined in this program and cannot be:
Berachain adheres to category 3 - Approval Required. This Policy determines what information researchers can make public from their submitted bug reports.
Berachain adheres to the Primacy of Rules, meaning the whole bug bounty program is run strictly under the terms and conditions stated on this page.
A PoC demonstrating the bug's impact is required for this program and must comply with the Immunefi PoC Guidelines and Rules.
Bug reports covering previously discovered bugs are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to "fix", necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.
Berachain's completed audit reports will be available soon. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
The project may receive valid reports (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack is. Conversely, there may also be mitigation measures that projects can take to prevent the bug's impact, which are not viable or would require unconventional action.
Immunefi has developed a set of feasibility limitation standards that, by default, state what security researchers and projects can or cannot cite when reviewing a bug report.