Bug bounty
Devnet beta scope — smart contracts, keeper/indexer services, and web API routes that move funds or sign transactions. Mainnet rewards announced after third-party audit.
In scope
- Solana programs under `programs/*` on devnet
- Keeper automation and indexer order/fill integrity
- Session delegation, limit-fill, and portfolio API auth bypasses
Out of scope
- Third-party protocols (Kamino, Pyth, Jupiter)
- Social engineering and issues without a reproducible PoC
- Secrets in `.env` files you do not have access to
Rewards (proposed)
| Severity | Examples | Bounty |
|---|---|---|
| Critical | Fund loss, auth bypass | Up to $2,500 USDC |
| High | Liquidation bypass, oracle manipulation | Up to $1,000 USDC |
| Medium | Keeper DoS, indexer integrity | Up to $250 USDC |
| Low | UI/logic, no funds at risk | Recognition |
Report
Email or open a GitHub Security Advisory with description, impact, reproduction steps (devnet tx signatures preferred), and optional fix suggestion.
Do not exploit on mainnet or test with real user funds. Good-faith devnet research within scope will not be pursued legally. Allow 90 days before public disclosure.