- Read our guidelines for more details
- Submit findings using the C4 form
| Risk Score | Payout |
|---|---|
| Critical | Up to USD $75,000 |
| High | USD $10,000 |
Legion connects investors and contributors with promising crypto projects, enabling compliant and incentive-aligned investments before and after Token Generation Events (TGEs). Our platform supports both pre-TGE fundraising and token launches, streamlining capital raising and token distribution.
Legion facilitates ERC20 token sales — Fixed Price, Sealed Bid Auction, and Pre-Liquid (Approved & Open Application), ERC20 capital raises and ERC20 token distribution — using the EIP-1167 Minimal Proxy Standard Clone Pattern for deployment and Merkle Proofs + Signatures for eligibility verification.
Legion’s smart contracts are designed to work seamlessly with our backend for off-chain calculations, such as sale result processing, ensuring efficiency and compliance. While this introduces dependency, it enables complex operations not feasible on-chain alone.
- Legion Docs: Our system documentation, subject to change. Link
- Legion Changelog: Link
- Legion Whitepaper: Link
- Legion Website: Link
- Twitter: @legiondotcc
- Discord https://discord.gg/legiondotcc
| Severity level | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|
| Likelihood: High | Critical | High | - |
| Likelihood: Medium | High | - | - |
| Likelihood: Low | - | - | - |
Source: GitHub
Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Every issue opened in the repo, closed PRs, previous contests and audits are out of scope.
The following are known issues and therefore are out of scope:
- Centralization risks
- Lack of support for fee-on-transfer and rebasing tokens
- Project owners are not required to provide ask tokens to pre-liquid sales before withdrawing capital
- Signature reuse when investing (users are allowed to invest multiple times in the same sale, using the same signature)
- Refunding is allowed prior to official sale end, technically allowing users more time for refund than the specified
refundPeriod
Any previously reported vulnerabilities mentioned in past audit reports are not eligible for a reward.
Legion's previous audits can be found below: Audits
An example of that would be the following:
- Code outside the
masterbranch. - Anything in test, script, src/mocks, src/lib, src/utils, or src/interfaces folders.
- Bugs already reported by others.
- Known issues tied to third-party contracts built on top of Legion.
- Problems in external systems or contracts interacting with us.
- Testnet deployments — no points for sandbox wins.
And these don’t count either:
- Incorrect input data supplied by users.
- Missing input data validation.
- MEV / Frontrunning attacks.
- Breakdowns in outside services.
- Compromised private keys.
- Phishing schemes or fake sites.
- DDoS onslaughts.
- Social manipulation tricks.
- UI bugs (like misleading clicks).
- Spam floods.
- Automated tool outputs (e.g., CI/CD scans).
- Legion - Legion's admin access and interactions are controlled through the
LegionBouncercontract. ABROADCASTERrole is granted to a AWS Broadcaster Wallet, responsible for executing function calls requiring Legion's access privileges. - Project Admin - Projects have the ability to withdraw raised capital and supply tokens for distribution.
Employees of Legion, contractors and their family members are ineligible for bounties.