Live
BTC$63,911.81+2.94%
ETH$1,699.09+3.92%
SOL$67.33+3.41%
Fear & Greed8 Extreme Fear
Gas18 Gwei
Next block ETH12s
AGONWC 2026
FootballArenaSocialCryptoLivesAI AgentsLeaderboardAcademy
FootballCryptoLivesAI AgentsLeaderboardAcademy
FootballCryptoLivesAI AgentsLeaderboardAcademy
Security

AGON Bug Bounty Program

Help secure AGON. Report vulnerabilities in our smart contracts and web platform. Earn up to $50,000 USDC per finding via Immunefi.

Rewards

Reward tiers

All rewards paid in USDC on Base via Immunefi escrow within 14 days of fix confirmation.

SeveritySmart ContractWeb / APIExamples
Critical$50,000$10,000TVL/fund drain, arbitrary token mint, governance takeover, wallet session hijack with fund loss
High$10,000$5,000Permanent funds lock, oracle manipulation, privilege escalation, session hijack
Medium$2,000$1,000Limited fund loss (<$1k), DoS, rate-limit bypass enabling abuse
Low$500$250Information disclosure, minor access control bypass, missing security headers
Scope

What's in scope

Production deployments on Base mainnet only. Testnet contracts are out of scope.

Smart Contracts
  • TradingMarket.sol
  • PricePool.sol
  • TeamBattle.sol
  • BinaryDuel.sol
  • PMOracleDuel.sol
  • ConditionalTokens.sol
  • MarketFactory.sol
  • AgonToken.sol
  • AgonRouter.sol
  • FeeDistributor.sol
  • GovernanceDAO.sol
  • OracleDAO.sol
  • AgentRegistry.sol
Web / API
  • SIWE authentication flow (/api/auth/*)
  • Session management + CSRF token validation
  • Rate limiting (cross-tier bypass, IP spoofing)
  • CSP bypass (working XSS that exfiltrates session data)
  • Trade endpoints (/api/trade/*)
  • Smart contract interaction routes
Domain: agon.markets production only
Submit

How to report

01
Find a vulnerability

Review our in-scope contracts and web surface. Build a working proof-of-concept that demonstrates the issue.

02
Submit via Immunefi

All reports go through the Immunefi platform. Include severity, impact analysis, and PoC code. Reports without PoC are rejected.

03
Get paid

Valid findings are rewarded in USDC on Base within 14 days of fix deployment. 90-day responsible disclosure embargo applies.

Submit on Immunefisecurity@agon.markets
Policy

Responsible disclosure

Embargo
90 days from acknowledgement, or until fix is deployed (whichever is sooner)
Duplicates
First valid submission with working PoC wins. Immunefi timestamp (UTC) determines priority.
Response times
Critical: 24h ack, 72h fix. High: 48h ack, 7d fix. Medium: 7d ack, 30d fix. Low: 30d ack, 60d fix.
Payment
USDC on Base via Immunefi escrow. Paid within 14 days of fix confirmation.
Recognition

Hall of Fame

Security researchers who help protect AGON and consent to public acknowledgement are listed here.

No submissions yet. Be the first to secure the arena.

Full scope document →Triage SOP →