This bug bounty program applies only to smart contract–related vulnerabilities. For issues related to Safe{Wallet}, please contact wallet-reports@safe.global.
Audits
Safe smart contracts are regularly reviewed by independent security experts. For details, see the Audits page.
Rules
Many rules from the Ethereum Foundation Bug Bounty Program apply to Safe as well:
- Issues already known to the Safe team or previously reported are not eligible.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- Safe employees, contractors, auditors, and anyone paid by Safe (directly or indirectly) are not eligible.
- Eligibility, severity classification, and reward amounts are determined solely by the Safe Bug Bounty panel.
Scope
The bug bounty covers core Safe contracts and selected officially supported modules.
Safe Smart Account versions
- v1.5.0 (Release, README)
- v1.4.1 (Release, README)
- v1.3.0 (Release, README)
- v1.2.0 (Release, README)
- v1.1.1 (Release, README)
In scope contracts
Safe core contracts (v1.4.1, v1.5.0):
- Safe.sol, SafeL2.sol
- SafeProxy.sol, SafeProxyFactory.sol
- MultiSend.sol, MultiSendCallOnly.sol, CreateCall.sol
- TokenCallbackHandler.sol, CompatibilityFallbackHandler.sol, ExtensibleFallbackHandler.sol
Safe core contracts (earlier versions, GnosisSafe naming):
- GnosisSafe.sol, GnosisSafeL2.sol
- GnosisSafeProxy.sol, GnosisSafeProxyFactory.sol
- CreateAndAddModules.sol, MultiSend.sol, MultiSendCallOnly.sol, CreateCall.sol
- DefaultCallbackHandler.sol, CompatibilityFallbackHandler.sol
Supported Safe Modules:
- Safe4337Module.sol
- SafeWebAuthnSignerFactory.sol, SafeWebAuthnSignerProxy.sol, SafeWebAuthnSignerSingleton.sol, SafeWebAuthnSharedSigner.sol
- WebAuthn.sol, P256.sol
Examples of issues in scope
- Theft of funds or tokens
- Freezing or permanently locking funds
- Replay attacks on the same chain
- Changing Safe or module settings without owner consent
Out of scope
- Contracts, modules, or libraries not listed above
- Gas optimizations
- Known issues listed in audits or documentation
- Issues already fixed in newer versions
- Issues related to additional non-standard features or alternative gas schedules on EVM-compatible chains that differ from Ethereum Mainnet
Intended behavior
To understand expected contract behavior, refer to:
- The Safe Smart Account README
- Release notes and the CHANGELOG
- The Safe Smart Account documentation
Compensation
All valid bug reports are considered for a bounty. Rewards depend on severity and impact.
High severity — up to $1,000,000
- Direct theft of funds or tokens
- Permanent fund lockups
- Bugs that require an urgent redeploy
Medium severity — up to $50,000
- Fund loss due to unexpected or unintuitive behavior
- Issues users cannot reasonably anticipate
Low severity — up to $10,000
- Fee avoidance
- Exploits that degrade user experience
Submission process
Email your report to bounty@safefoundation.org. Please include:
- A detailed description of the issue
- Steps to reproduce
- Your Ethereum Mainnet address for payment
Responsible disclosure policy
If you follow the guidelines below, Safe will not pursue legal action in response to your report. We ask that you:
- Allow reasonable time for investigation and remediation before public disclosure
- Avoid privacy violations or service disruption
- Do not exploit the issue in production
- Comply with all applicable laws
Note on Safe{Wallet}
Issues related to Safe{Wallet} (web, mobile, or backend services) are generally out of scope. For non-security bugs, open an issue in the relevant repository, such as safe-wallet-monorepo. For severe security issues affecting Safe{Wallet}, contact wallet-reports@safe.global. Any rewards for Safe{Wallet} issues are granted at the sole discretion of the team maintaining Safe{Wallet}.