- Read our guidelines for more details
- Submit findings using the C4 form
| Risk Score | Payout |
|---|---|
| Critical | Up to USD $75,000 |
| High | USD $10,000 |
Legion is a groundbreaking platform that connects value-add network participants with the most promising crypto projects seeking to build a dedicated community through compliant and incentive-aligned investments, both pre-Token Generation Event (TGE) and for token launches.
The Legion protocol consists of smart contracts designed to facilitate different types of ERC20 token sales and manage related operations.
Legion uses a Clone Pattern utilizing the EIP-1167 Minimal Proxy Standard for deploying sale and vesting schedule contracts. Standard Merkle Proofs and Signatures are used for verification of different conditions, such as eligibility to distribute tokens to investors, token and funds claiming etc.
Legion's smart contracts work together with Legion's backend, which is responsible for publishing sale results after analyzing and indexing events emitted during the sale process.
- Legion Docs: Our system documentation, subject to change. Link
- Legion Whitepaper: Link
- Legion Website: Link
- Twitter: @legiondotcc
- Discord https://discord.gg/legiondotcc
| Severity level | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|
| Likelihood: High | Critical | High | - |
| Likelihood: Medium | High | - | - |
| Likelihood: Low | - | - | - |
Source: GitHub
Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Every issue opened in the repo, closed PRs, previous contests and audits are out of scope.
The following are known issues and therefore are out of scope:
- Centralisation Risks
- Lack of support for fee-on-transfer and rebasing tokens
- Project owners are not required to provide ask tokens before withdrawing capital
Any previously reported vulnerabilities mentioned in past audit reports are not eligible for a reward.
Legion's previous audits can be found below: Audits
An example of that would be the following:
- Code outside the
masterbranch. - Anything in test, script, src/mocks, src/lib, src/utils, or src/interfaces folders.
- Bugs already reported by others.
- Known issues tied to third-party contracts built on top of Legion.
- Problems in external systems or contracts interacting with us.
- Testnet deployments — no points for sandbox wins.
And these don’t count either:
- Breakdowns in outside services.
- Compromised private keys.
- Phishing schemes or fake sites.
- DDoS onslaughts.
- Social manipulation tricks.
- UI bugs (like misleading clicks).
- Spam floods.
- Automated tool outputs (e.g., CI/CD scans).
- Legion - Legion's admin access and interactions are controlled through the
LegionBouncercontract. ABROADCASTERrole is granted to a AWS Broadcaster Wallet, responsible for executing function calls requiring Legion's access privileges. - Project Admin - Projects have the ability to withdraw raised capital and supply tokens for distribution.
Employees of Legion, contractors and their family members are ineligible for bounties.