Miscellaneous & Bug Bounty

All addresses: https://github.com/FraxFinance/frax-solidity/blob/master/src/types/constants.ts#L626

Oracle updater bot: 0xBB437059584e30598b3AF0154472E47E6e2a45B9

Utility / helper contract deployer: 0x36a87d1e3200225f881488e4aeedf25303febcae

Front Running Mitigation & Testing Environments

The Frax Protocol testing suite uses Hardhat+Truffle (with Ganache support) for all testing scripts. Front running is mitigated on system contracts because swaps have ceiling sizes. Front-running exposure for Frax Protocol therefore depends on the protocols that AMOs mint into rather than on endogenous system contracts.

Frax Bug Bounty

Frax Finance provides one of the largest bounties in the industry for exploits where user funds or protocol-controlled funds/collateral are at risk. The bounty is calculated as the lower of 10% of the total possible exploit or $10m, paid in FRAX+FXS (evenly split). Both tokens are immediately liquid. The bounty will be delivered immediately, or within a maximum turnaround time of 5 days due to timelock+mitigation. The bounty carries a "no questions asked" policy for disclosures and/or immediate return of funds after any incident. Slow arbitrage opportunities or value exchange over a prolonged period do not qualify for this bounty and will receive a base compensation bounty of 50,000 FRAX.

Note: This bounty does not cover any front-end bugs/visual bugs or any type of server-side code of any web application that interacts with the Frax Protocol. The above bug bounty is only for smart contract code. Smart contract code on any chain that manages Frax Protocol value and/or user deposited value is included in this bounty. This bounty applies to all smart contracts deployed by the Frax Deployer addresses including Fraxswap AMM, Fraxlend, and frxETH.

Contacts: You can reach out anonymously through any communication channel, including Twitter, Telegram, Discord, or Signal.
