The 1inch dApp is the No. 1 DeFi aggregator, offering access to the deepest liquidity and the best token swap rates on various DEXes. Its unique features include partial fill and the ability to find the best swap paths across multiple liquidity sources.
In Scope
Target | Type | Severity | Reward
---|---|---|---
app.1inch.io | Web | Critical | Bounty
1inch.io | Web | High | Bounty
blog.1inch.io | Web | Medium | Bounty
In-scope vulnerabilities
The following vulnerabilities are considered in-scope:
- Business logic issues
- Remote code execution (RCE)
- Injection vulnerabilities
- Server-side request forgery (SSRF)
- Cross-site request forgery (CSRF)
- Cross-site scripting (XSS)
- Supply chain attack
- Cryptographic vulnerabilities
- Any other vulnerability with a clear potential for loss (such vulnerabilities will be considered at our discretion)
All in-scope vulnerability reports must include a Proof of Concept (PoC) that demonstrates real-world impact. Submissions without a PoC will not be considered.
Out-of-scope vulnerabilities
Vulnerabilities identified in out-of-scope resources are generally not eligible for rewards unless they present a significant business risk, as determined at our sole discretion.
The following items are generally excluded from reward eligibility due to insufficient severity or lack of relevance to the program’s defined scope:
- Zero-day vulnerabilities disclosed less than 30 days ago
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, phishing, physical, or other fraud activities
- Publicly accessible login panels without proof of exploitation
- Reports that simply identify outdated or vulnerable software without providing a valid proof of concept
- Reports generated by automated scanners or exploit tools (without researcher analysis or actionable proof)
- Vulnerabilities involving active content, such as web browser add-ons
- Most brute-forcing issues without a clear impact
- Denial of service (DoS/DDoS)
- Missing HTTP security headers
- Infrastructure vulnerabilities, including DNS issues (e.g., MX records, SPF records, DMARC records)
- Open redirects (unless a serious impact is demonstrated)
- Clickjacking/Tapjacking issues
- Descriptive error messages (e.g., stack traces, application or server errors)
- Self-XSS that cannot be used to exploit other users
- Login and logout CSRF
- Weak Captcha
- HTTPOnly cookie flags
- CSRF in forms that are available to anonymous users (e.g., contact forms)
- OPTIONS/TRACE HTTP method enabled
- Host header issues without proof-of-concept demonstrating a real impact
- Content spoofing and text injection issues without showing an actual attack vector or the ability to modify HTML/CSS
- Content spoofing without embedded links/HTML
- Reflected file download (RFD)
- Mixed HTTP/HTTPS content
- Man-in-the-middle (MitM) and local attacks
- Theoretical or purely speculative exploits without demonstrated business impact
Program rules
- Avoid using application scanners that generate massive traffic. Automated scanning results without clear analysis will not be considered
- Avoid causing any disruption to the availability of products, services, or infrastructure
- Do not compromise any personal data, and do not interrupt or degrade any service
- The bounty reward is proportional to the potential damage and is capped by the reward range for the assigned severity
- Vulnerabilities in non-production environments are capped at High severity
- Do not access or modify data belonging to other users
- Perform testing only within the scope described in this program
- Do not exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam methods
- Do not spam forms or account creation flows using automated tools
- Remain compliant with all applicable laws and operate strictly within the defined testing scope
- Do not share details of any vulnerabilities with anyone outside the authorized team without explicit written permission from the organization
- All information related to this program, including any discovered vulnerabilities (resolved or unresolved), must be kept strictly confidential. Public disclosure — including partial disclosure or discussion in any public forum, channel, or platform — is strictly prohibited without the organization's explicit written consent
We value all valid reports that help us strengthen our security. To qualify for a monetary reward, the following eligibility conditions must be fulfilled:
- The vulnerability must be a qualifying (in-scope) vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery
- Include clear and concise reproduction steps to help us verify and assess the impact of the reported issue efficiently
- You must be the first reporter of a vulnerability
- You must send a clear textual description of the report and detailed steps to reproduce the issue. Include attachments such as screenshots or proof-of-concept code if necessary
- You must not be a former or current employee of our company or any of its contractors