Break Solana programs. Before attackers do.
Proof of Bug is a bug-bounty-style training ground for intentionally vulnerable Solana targets. Audit real code, submit real reports, and rank against real auditors.
Built for auditors, not spectators.
Pinned source, structured disclosure, and verifiable payouts. Every workflow is designed around how professional security researchers actually review code.
Real targets, pinned source
Every engagement links to a public repo with a frozen commit. Audit it the way you'd audit a client engagement.
Public leaderboard
Rank by points, severity and quality of report. Build a profile that hiring teams can verify.
Human triage
No bot grading. Every submission is reviewed by an auditor with sign-off and reasoning.
Built for auditors, not tourists
Markdown reports, severity rubric, scope tables, attachments. Familiar workflow for anyone who's filed an Immunefi report.
From repo to report in four steps.
No gimmicks. The same workflow auditors use on real engagements, minus the NDA.
- 01 Pick a target
  Browse intentionally vulnerable Solana programs. Every target ships with a pinned commit and full source on GitHub.
- 02 Audit the code
  Use your own tooling. We don't gate the source. Read, fork, fuzz, run tests locally; there's no in-browser editor magic.
- 03 Submit a report
  Markdown report with severity, impact, PoC and recommendation. Triage is human, fast and transparent.
- 04 Earn points
  Climb the leaderboard, build a public profile, and prove what you can break before bounties pay you to find it.
Cloning into 'jupiter-swap-v3'...
✓ Pinned commit a3f9e2c verified
> cargo test --features audit
running 12 tests
⚠ test_oracle_freshness ... FAILED
✗ panic: arithmetic overflow in calc_amount_out()
> pob submit --severity critical