pump-fun
Bounty Range
$10,000 - $500,000
external program
Pump.fun is a platform where anyone can launch a fair-launch coin, meaning everyone has equal access to buy and sell when the coin is created. Security is critical to us, and we appreciate your contributions to keeping our platform safe.
We welcome responsible disclosure of vulnerabilities that could impact:
Even if a vulnerability lies outside our defined scope, please report it if it presents a real risk; we review such reports on a case-by-case basis.
Web & Infrastructure
Client-Side Applications
Smart Contracts
| Program Name | Devnet Address | IDL File |
|---|---|---|
| Pump | 6EF8rrecthR5Dkzon8Nwu78hRvfCKubJ14M5uBEwF6P | https://github.com/pump-fun/pump-public-docs/blob/main/idl/pump.json |
| Pump Fees | pfeeUxB6jkeY1Hxd7CsFCAjcbHA9rWtchMGdZ6VojVZ | https://github.com/pump-fun/pump-public-docs/blob/main/idl/pump_fees.json |
| Pump AMM | pAMMBay6oceH9fJKBRHGP5D4bD4sWpmSwMn52FMfXEA | https://github.com/pump-fun/pump-public-docs/blob/main/idl/pump_amm.json |
⚠️ Only Devnet deployments of these smart contracts are in-scope.
We are especially interested in vulnerabilities related to:
Any security or privacy-related issue that affects in-scope assets is eligible for submission.
All reports must include:
Submit within 24 hours of discovery, if possible.
To be eligible for a reward:
Vulnerabilities are scored based on:
| Likelihood \ Impact | Critical | High | Medium | Low |
|---|---|---|---|---|
| High | Critical | High | Medium | Low |
| Medium | High | High | Medium | Low |
| Low | Medium | Medium | Low | Informational |
Critical Impact
For smart contract bugs: An issue that results in losses (by stealing, wasting, or permanently freezing) amounting to 20%–100% of the total TVL across pump.fun's bonding curves or AMM liquidity pools.
Other considerations: Issues that could impact large groups of users across multiple tokens, undermine trust in pump.fun as a platform, or create severe reputational, legal, or systemic financial risk.
High Impact
For smart contract bugs: An issue that results in losses (by stealing, wasting, or permanently freezing) amounting to 0.5%–20% of the total TVL across pump.fun's bonding curves or AMM liquidity pools.
Other considerations: Issues that significantly harm individual users or small groups of traders, where exploitation would result in moderate financial damage or reputational/legal risk to pump.fun or its ecosystem.
Medium Impact
For smart contract bugs: Issues leading to smaller losses (by stealing, wasting, or permanently freezing) that affect individual users, specific tokens, or isolated liquidity pools.
Other considerations: Bugs that do not pose systemic risk but degrade user experience, reliability, or create exploitable inefficiencies (e.g., incorrect slippage calculation on a bonding curve trade that allows an attacker to repeatedly skim small profits).
| Severity | Max. Reward |
|---|---|
| Critical | $500,000 |
| High | $100,000 |
| Medium | $10,000 |
Final reward is determined at Pump.fun's sole discretion and depends on report quality, completeness, and exploitability.
The following are generally not eligible, but may be reviewed if risk is demonstrated:
Please follow these important restrictions:
No Public Disclosure Without Permission
Do not disclose any findings publicly until resolved and explicitly approved by our team.
No Exploitation or Exfiltration
Do not go beyond proof-of-concept. Accessing real user data, performing DoS, or testing social engineering is forbidden.
No Conflict of Interest
Current or former Pump.fun employees and contributors to the codebase are not eligible.
By submitting a report, you grant Pump.fun the rights to:
Note: The program terms, scope, and rewards may change at any time. Please check for updates before reporting.