AIP-134: Bug Bounty Program for AIP-21 Updates

Thanks for the update llama!


Thanks for the update, @llama !

One question - this two submission under review looks ok or possibly something more critical? Not sure if you can update us about the possible importance of these two during ongoing checks. Just curious.

Thank you,


Neither would be critical and we expect to close both later today or tomorrow but we’re just confirming with additional tests first.


Cool, so lets :crossed_fingers: :+1:


Good thing we did a big bounty :blush:


Loved learning about this on the @Amplify space on twitter thanks for much for all you guys shared and look forward to you guys keeping our DAO safe with your bug bounty programs!


We’ve now concluded the testnet bug bounty program. We are in contact with Horizen so we’ll be ready to begin the mainnet program on launch day. All submissions were tested, reproduced, and analyzed closely. We asked detailed questions to participants so we could ensure our decisions were correct. In total, we received 26 submissions during the program:

  • 25 of those submissions were closed and determined to be ineligible for a reward

  • 1 submission uncovered a medium severity bug

The medium severity bug could’ve potentially delayed users ability to claim funds. Horizen has already worked on a fix and the auditors are performing a reaudit. Let us know if you have any questions!


Thanks for informations

1 Like

Thank you for the info!

1 Like

As I’m sure most of you saw, the staking contract was deployed yesterday! We’re going to launch the mainnet version of the bug bounty program shortly.

I’ll post here once that’s live. As always, let us know if you have any questions.


The bug bounty program is live! You can view the details here: ApeCoin Mainnet Bug Bounties | Immunefi

We’ll post updates here on the number of submissions we’re receiving and if any payouts have be rewarded.


We’re about 5 days into the mainnet bounty program. We’ve received 17 submissions so far and no bugs have been found. 16 reports were determined to not be eligible for a reward and have been closed.

We’ve decided to issue one goodwill payment for a low severity report. Although we determined the identification to be out of scope because it requires user or admin error, we think it’s best to show our appreciation to the whitehat.

They found that there are multiple times in the contract where the pools[_poolId].timeRanges array is accessed without a require statement that prevents an array out of bounds error. This means a user could trigger a panic exception.

Although this doesn’t put any funds at risk and is not possible to trigger without user/admin error, we thought it was best to show our appreciation by rewarding the Low risk bounty payout. As always let us know if you have any questions!


Posting from here since the llama account appears to be locked by discourse. Since our last report, we’ve received 17 submissions. All have been determined to be invalid and no rewards have been issued.

Happy holidays and happy staking everyone!


Thank you for the detailed updates! And Happy holidays to you all as well!


Thank you @austin for the updates. Happy holidays to you and the whole Llama team :raised_hands:


@holocronape @adventurousape thank you, happy new year!


Happy New Year everyone! A quick recap on the bounty program as we head into 2023:

  • We ran a bug bounty program for a testnet deployment of staking from 11/10/22-11/24/22. We then launched a mainnet version of the program when staking was deployed in early December.
  • We’ve received 68 total submissions across the two programs from whitehat hackers
  • We’ve confirmed 3 of these reports for a total of $4,500 in APE in payouts.

All of us at Llama hope everyone is enjoying the Holidays! Let us know if there are any questions we can answer.


Thanks for the update!


Just a quick update as things have been pretty quiet this month! We’ve reviewed an additional 22 reports since our last posting. None of these resulted in a payout as they were determined to be ineligible for the program.

Thank you all for the support and us at Llama hope you’re enjoying the staking program.


Thank you for the update!

1 Like