White Whale Docs

Bug Bounty Program

The White Whale Bug Bounty Program encourages developers and researchers to find and report bugs in the following repositories:
Before reporting a bug, please read this document carefully!

Bounty Types

The bug bounty program contains two types of bugs that vary in severity and bounty size.
B-0 Vulnerabilities that could cause user or protocol funds to be exploited, stolen, or locked up:
  • A bug that allows actors to drain the vaults via flash loans.
  • A bug that allows actors to withdraw more funds from a pool or vault than their shares justify.
  • A bug that allows actors to drain more incentives than their weight justifies.
B-1 Vulnerabilities that could dilute user or protocol rewards or fees:
  • A bug that could lead to a situation where users get fewer fees or incentives than their shares or weight justify.
  • A bug that could result in a situation where the protocol gets fewer fees than configured.


Based on the bug severity and complexity, White Whale will, at its sole discretion, grant the following rewards:
  • B-0: up to $5000
  • B-1: up to $2000
A comprehensive and meaningful submission may positively impact the reward size and reduce the processing time. Code examples that describe the exploit or even the appropriate fix are especially welcome.

Disclosure and Reporting

Bugs should be reported directly via email at [email protected]. All bounty hunters must abide by the following rules when reporting bugs to be eligible for rewards:
  • Document the attack and create reproducible instructions in your submission.
  • Do not exploit the reported bug.
  • Do not publicize the vulnerability before the core contributors have rolled out a fix.
  • Do not violate the privacy of contributors, users, or other bounty hunters.
  • Do not attack or defraud contributors, users, or other bounty hunters on social media.


All bounty hunters must successfully follow the disclosure and reporting rules. White Whale is entitled to disqualify any contributor if their behavior is deemed harmful or malicious to the protocol or its users. Furthermore, it is White Whale's sole responsibility to evaluate the submissions and to decide whether and to what extent White Whale will issue rewards. We appreciate your cooperation.