Legion Bug Bounty

• Read our guidelines for more details
• Submit findings using the C4 form

Background on Legion

What Is Legion?

Legion connects investors and contributors with promising crypto projects, enabling compliant and incentive-aligned investments before and after Token Generation Events (TGEs). Our platform supports both pre-TGE fundraising and token launches, streamlining capital raising and token distribution.

How Does It Work?

Legion facilitates ERC20 token sales — Fixed Price, Sealed Bid Auction, and Pre-Liquid (Approved & Open Application), ERC20 capital raises and ERC20 token distribution — using the EIP-1167 Minimal Proxy Standard Clone Pattern for deployment and Merkle Proofs + Signatures for eligibility verification.

Legion’s smart contracts are designed to work seamlessly with our backend for off-chain calculations, such as sale result processing, ensuring efficiency and compliance. While this introduces dependency, it enables complex operations not feasible on-chain alone.

Further Technical Resources & Links

• Legion Docs: Our system documentation, subject to change. Link
• Legion Changelog: Link
• Legion Whitepaper: Link
• Legion Website: Link
• Twitter: @legiondotcc
• Discord https://discord.gg/legiondotcc

Scope & Severity Criteria

Smart Contracts in Scope

Source: GitHub

Out-of-Scope

Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Every issue opened in the repo, closed PRs, previous contests and audits are out of scope.

The following are known issues and therefore are out of scope:

• Centralization risks
• Lack of support for fee-on-transfer and rebasing tokens
• Project owners are not required to provide ask tokens to pre-liquid sales before withdrawing capital
• Signature reuse when investing (users are allowed to invest multiple times in the same sale, using the same signature)
• Refunding is allowed prior to official sale end, technically allowing users more time for refund than the specified refundPeriod

Previous Audits

Any previously reported vulnerabilities mentioned in past audit reports are not eligible for a reward.

Legion's previous audits can be found below: Audits

Specific Types of Issues

An example of that would be the following:

• Code outside the master branch.
• Anything in test, script, src/mocks, src/lib, src/utils, or src/interfaces folders.
• Bugs already reported by others.
• Known issues tied to third-party contracts built on top of Legion.
• Problems in external systems or contracts interacting with us.
• Testnet deployments — no points for sandbox wins.

And these don’t count either:

• Incorrect input data supplied by users.
• Missing input data validation.
• MEV / Frontrunning attacks.
• Breakdowns in outside services.
• Compromised private keys.
• Phishing schemes or fake sites.
• DDoS onslaughts.
• Social manipulation tricks.
• UI bugs (like misleading clicks).
• Spam floods.
• Automated tool outputs (e.g., CI/CD scans).

Additional Context

Trusted Roles

• Legion - Legion's admin access and interactions are controlled through the LegionBouncer contract. A BROADCASTER role is granted to a AWS Broadcaster Wallet, responsible for executing function calls requiring Legion's access privileges.
• Project Admin - Projects have the ability to withdraw raised capital and supply tokens for distribution.

Miscellaneous

Employees of Legion, contractors and their family members are ineligible for bounties.