Polkamarkets Labs has ordered three audits for the Polkamarkets Protocol V1, which were performed by renowned independent agencies: Hacken, Red4Sec and Certik.

The audit reports are publicly available:

Bug Bounties

Polkamarkets Labs’ primary concern is the security of the smart contracts that power the Polkamarkets Protocol. We are happy to reward security researchers that find critical vulnerabilities in those smart contracts that would endanger users, their wallets and/or their funds, at scale.

The Polkamarkets Data API and Web Application are blockchain clients. Their role is to make it easier for anyone to participate in the Polkamarkets Protocol, and have a significantly lower risk profile. We will only consider bounties for researchers that identify vulnerabilities that endanger users, their wallets, and/or their funds, at scale.

Systems that are operated by third-parties are considered out-of-scope for bug bounties.

The Polkamarkets Protocol, Data API and Web Application are open source software. Please check out the Developer documentation for more information.

We are thankful to any researcher who wishes to report a vulnerability, even if the vulnerability or flaw falls outside of the scope of bug bounties. All vulnerabilities must be disclosed with our Responsible Disclosure policy detailed below.

Responsible Disclosure

We are thankful for the proactivity and the responsible approach of most researchers.

We encourage all researchers to report any vulnerability that they find, be it on the smart contracts, the web application or APIs, whatever their severity, to the Polkamarkets Labs team, by following the process described below, which is based on dioterms.


We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, destruction of data and/or misappropriate user funds during security testing;

  • Perform research limited to the scope described above in the Bug Bounties section;

  • Use the identified communication channels to report vulnerability information to us;

  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Polkamarkets Labs until we’ve had 90 days to resolve the issue, or until we agree on public disclosure (whichever comes first); and

  • Do not engage in extortion.


If you adhere by our requirements when reporting an issue to us, Polkamarkets Labs commits to:

  • Working with you to understand and resolve the issue quickly (including an initial acknowledgement of your report within 72 hours of submission);

  • Not pursuing or supporting any legal action related to your research;

  • Rewarding you for your report when applicable (see Bug Bounties section above);

  • Recognizing your contribution on this page, in the “Thank you to researchers” section below, if you are the first to report an issue that we fix via a code or configuration change.

Communication channel

Please report any vulnerabilities via email to [email protected]

Thank you to Researchers

We acknowledge and thank researchers that have responsibly identified and submitted vulnerability reports, independently of the outcome, and who have agreed to appear on this list.

  • Be the first on this list by submitting a report in accordance to our policies described above.

Did this answer your question?