Ignored bounty disclosure
Uniswap (v2 + v3)'s assessment for RD-F-008 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
V2: zero direct protocol exploits in 6+ years; no documented ignored disclosures. V3: zero protocol-level exploits; the 2022 phishing was social engineering, not a protocol vulnerability. The V2 oracle consumer failures (Visor, Inverse) are consumer-protocol failures, not V2 failures. Green.
Detail
No post-mortem documents a disclosure ignored before exploit for either V2 or V3. The V2 TWAP oracle consumer failures by Visor Finance (Dec 2021, ~$8.2M) and Inverse Finance (Apr 2022, ~$15.6M; Jun 2022, ~$5.8M) were failures of protocols that consumed V2 TWAP output. V2 TWAP worked as designed; consumers failed to validate oracle staleness or manipulability. The July 2022 phishing incident targeted V3 LP users with fake token airdrops — this was social engineering, not a smart contract exploit.
Sources
- HackRead — Uniswap V3 LPs Lose Millions in Fake Token Phishing Attack. July 2022 fake-token phishing campaign against Uniswap V3 LPs, $4.7M ETH stolen — protocol itself NOT exploited (CZ initially called "potential exploit", later clarified phishing-only). Retrieved 2026-05-12.
- Uniswap v4 Bug Bounty Announcement. Uniswap Labs — $15.5M v4 bug bounty (Immunefi-hosted, largest in history). Retrieved 2026-05-12.
Methodology
Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.