Optimism Extends $2 Million Bug Bounty Program to Protocol Upgrades Ahead of Superchain Interop

Optimism is extending its $2 million bug bounty program to cover proposed protocol upgrades before they ever go into production, as OP Stack core developers prepare to roll out native interoperability to the Superchain. The proposed Upgrade 16 to the OP Stack is now live as the first upgrade proposal covered under the bounty program.

In a first for Optimism and the industry, this bug bounty now includes calldata for protocol upgrades. Frequent unaudited administrative transactions have long been a security gap in crypto protocols, and including calldata in scope for this bounty helps further strengthen Optimism’s security positioning. 

Optimism has paid out $2.6 million in bug bounties since 2022 (second only to Polygon on the current Immunefi leaderboard), including a past $2 million bounty to the software engineer saurik. 

Powered by Optimism’s OP Stack, the Superchain is designed to support multiple Ethereum L2 networks with shared governance, upgrades and security. As of June 2025, three of the top five Ethereum Layer 2s are on the Superchain, accounting for over $16 billion in total value secured. As part of Optimism-governed blockspace, these chains and their users benefit from regular protocol upgrades that help maintain peak performance. 

Developers perform upgrades to the Superchain network every few months. A robust security approach requires a combination of skilled engineering, internal testing, third-party auditing and external bug bounties. As core developers prepare for Superchain-native interop, these added layers of protection become even more crucial. 

“All Superchain upgrades are put through an intensive process of testing and security reviews, and bug bounties provide an extra line of defense against any potential threats,” said Matt Solomon, Head of Protocol Security at OP Labs, a core developer of the OP Stack. “At this critical juncture for the Superchain, we welcome other developers and security reviewers to dive into the code and help ensure it’s the best it can be.” 

Superchain Upgrade 16 introduces: 

• Interop-Ready smart contracts: Interoperability is critical to realizing the Superchain as a unified network of OP Chains. This upgrade begins the rollout of foundational interoperability features by updating the OptimismPortal to handle future cross-chain messaging safely and extensibly. This upgrade does not turn on interop yet.
• Max gas limit increase: Update to MAX_GAS_LIMIT from 200m to 500m gas after improvements to OP Stack infrastructure and the Cannon proof system.
• Stage 1 updates: Modifications to meet L2Beat's updated Stage 1 requirements from January 2025, including the removal of DeputyGuardianModule and updates to DeputyPauseModule. 

With Superchain Upgrade 16 now published, fresh code awaits and bounty hunters are invited to dive in. 

Terms and conditions apply. See Immunefi for details.