Bug Bounty Program

Hello everyone!

In order to provide the best quality of the product to the community, we are starting WAVES Bug Bounty Program.

The scope of the Program: versions of the Node which currently deployed to official nodes on MainNet. We are interested in security issues, issues which can break the blockchain consensus, issues leading to inoperability of the Node.


Please have a look at the bullets below before starting your hunt!

  • Issues that have already been submitted by another user or are already known to the WAVES team are not eligible for bounty rewards.
  • Public disclosure of vulnerability makes it ineligible for a bounty.
  • WAVES core development team, employees are not eligible for rewards.
  • WAVES Bug Bounty Program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the WAVES Bug Bounty Panel.

The value of rewards paid out will vary depending on severity.

WAVES Bug Bounty Panel decides on the severity of the bug based (but not limited) on:

  • the complexity of the conditions for the occurrence (the number of conditions that must coincide)
  • how typical these conditions are for the most use cases
  • how often functions in which the bug is found are used
  • reproduction stability
  • ability to break the consensus rules
  • could it be used for unfair money getting
  • could it be used for DoS
  • could it lead to the fork
  • does it lead to Node inoperability

The minimum payout is 1 WAVES and the maximum is 1000 WAVES for the most bugs.
The highly critical bugs can be valued by the WAVES Bug Bounty Panel above the maximum.

Reward sizes are guided by the rules below, but are in the end, determined at the sole discretion of the WAVES Bug Bounty Panel.

Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard with paid WAVES accumulating over the course of the Program.

In addition to severity, other variables are also considered when the WAVES Bug Bounty Panel decides the reward, including (but not limited to):

  • quality of description. Higher rewards are paid for clear, well-written submissions.
  • quality of reproducibility. Please include detailed instructions.
  • quality of fix, if included. Higher rewards are paid for submissions with a clear description of how to fix the issue.

How to report a bug

Just send your bug report to [email protected].

Important Legal Information

The WAVES Bug Bounty Program is an experimental and discretionary rewards program for our active WAVES community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the Program at any time, and awards are at the sole discretion of WAVES Bug Bounty Panel. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.


Hello, I found a bug, a token that was not released was released, will I be rewarded for finding this bug?


Hi, we need more details.
Please send it according to the Program rules above.


Nice. Looks like you are interested in the platform security and it’s great!

But what if someone will find a bug that can be sold to someone else for much bigger price then 1000 Waves or $3000?


It turned out this was a very good question.


Good initiative but the incentive is far to low for this!
Come on Waves team, you’ve got over 20k BTC available in your warchest but are to scroodgy to sepnd even 1 BTC for people who find essential bugs?


Hi @Tradisys.com @Grootlily
I’ve updated the Program


Thank you @pavlov.ig!
However, it seems to me that you didn’t get the point at all… Adding “for the most bugs” does not solve the issue. The problem is that the community does not agree with the amount of the reward in general. 1000 WAVES is an extremely tiny reward in comparison with the consequences of the damage that can be caused by not reporting the bug. It is what people saying here. Also, I’ve seen the following comment from one of the Users in your Telegram channel (not sure why it is “2k waves” here… but the point is clear):

“ıf ı were a programmer, and ıf ı fınd a bug or somethıng that can be used to hack smart contrat ı wouldnt tell ıt for 2k waves, even you dont gıve 2k, you make contest for ıt”

This again proves my statement above.


And it is good to know that “The highly critical bugs can be valued by the WAVES Bug Bounty Panel above the maximum.” Hopefully, the bonus would be reasonable.


Thank you, Igor! Pretty good addition.


Привет! Нашел один баг при массовом отправлении токенов происходит удаление адресов из поля ввода, если ты делаешь это вручную! Видео процесса здесь https://vk.com/video?z=video364169331_456239031%2Fpl_cat_updates


Hello! I found one bug when sending bulk tokens, addresses are deleted from the input field, if you do it manually! Video process here https://vk.com/video?z=video364169331_456239031%2Fpl_cat_updates


Hello, Igor!
This is not a bug, but the normal behavior of the application. Once a second, the test is performed and the line is deleted if it does not match the correct format. The correct format in this case is [“string_address”, “number”]. We understand that in your case this is not very convenient, but this functionality, first of all, is intended for sending to the addressees whose list is uploaded from the CSV file. Alternatively, you can edit your TXT file, add amounts in front of each recipient and paste it through the clipboard.


Привет! Нашел несколько мелких недочетов DEX. Не работает функция свернуть биржевой стакан и количество монет отображается как Кол-Во. А хотелось бы что бы было Кол-во.
Hello! Found some minor DEX flaws. The function does not work to minimize the exchange cup and the number of coins is displayed as Кол-Во. And I would like that would be the Кол-во. Video here https://vk.com/video?z=video364169331_456239032%2Fpl_cat_updates

  1. Если вы про эту кнопку http://joxi.ru/5mdqj9JHkK4Np2, то это не “свернуть”, а “отцентровать” . Попробуйте проскроллить ордера вверх или низ и нажать, чтобы понять что она делает.
  2. Это тоже знаем, спасибо. В планах есть переработать стили.

looking further for this one


The reward for finding the bug is not assessed, as the support for the award said, why then promise?


The reward for a bug is up to 2000 WAVES depending on bug severity

1 Like