defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor identifies whether the protocol's highest-TVL contracts -- particularly shared-primitive contracts such as LayerZero OFT adapters, ZK verifiers, or bridge inbox contracts -- are explicitly excluded from the scope of the protocol's bug bounty program, while other (lower-TVL) contracts remain in scope. The assessment cross-references the Immunefi scope definition and protocol bounty documentation against the contract addresses that collectively hold the majority of user funds.

**Why it matters** A bug bounty program that excludes the contracts holding the most value provides economic incentive for researchers to disclose only the low-value vulnerabilities, while the highest-risk surfaces remain economically unprotected from exploit. Kelp DAO's April 2026 exploit ($292M) is the clearest documented case: the protocol ran an active Immunefi program for its core rsETH contracts, but the LayerZero OFT adapter -- the contract through which the exploiter minted unbacked tokens -- was explicitly excluded from bounty scope despite holding over $1B in bridged value. A whitehat who discovered the 1/1 DVN misconfiguration had no economic incentive to disclose it through the bounty channel because the scope exclusion made the report ineligible for payout.

**Green / Yellow / Red** Green: the protocol's bug bounty scope explicitly includes all contracts that collectively hold more than 80% of TVL, including any bridge adapters, OFT contracts, or shared primitives. Yellow: the bounty scope includes primary lending or swap contracts but excludes some integration contracts (bridges, keepers) where the excluded contracts hold less than 20% of TVL. Red: any contract that individually holds more than $10M in TVL or more than 20% of protocol TVL is explicitly excluded from the bounty scope.

**Common gray cases** This factor is gray when the protocol does not have a bounty program at all (captured separately by RD-F-007), or when the bounty scope documentation is ambiguous and curator review cannot determine inclusion or exclusion of specific contracts.
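As an added illustration (not defirisk.co's own scorer), the Green / Yellow / Red / gray rules above expressed as a small classifier over a bounty scope list and a per-contract TVL map. The thresholds are the rubric's; the cut-off of 20% of TVL sitting in contracts the scope never mentions, treated as "ambiguous, curator cannot determine", is an assumption, and all addresses and balances are constructed sample data.

```python
"""Score the RD-F-183 bounty-scope-gap factor from scope lists and per-contract TVL."""
from __future__ import annotations
from dataclasses import dataclass

RED_ABS_USD = 10_000_000   # single excluded contract above this is red
RED_SHARE = 0.20           # ...or above this share of protocol TVL
GREEN_SHARE = 0.80         # in-scope contracts must collectively hold more than this
AMBIGUOUS_SHARE = 0.20     # assumption: more unmentioned TVL than this -> gray


@dataclass(frozen=True)
class BountyScope:
    in_scope: frozenset[str]      # contract addresses explicitly listed in scope
    out_of_scope: frozenset[str]  # contract addresses explicitly excluded


def score_scope_gap(tvl_by_contract: dict[str, float], scope: BountyScope | None) -> tuple[str, str]:
    """Return (colour, reason) for one protocol."""
    if scope is None:
        return "gray", "no bug bounty program (captured by RD-F-007)"
    total = sum(tvl_by_contract.values())
    if total <= 0:
        return "gray", "no measurable TVL"
    tvl = {a.lower(): v for a, v in tvl_by_contract.items()}
    out_s = {a.lower() for a in scope.out_of_scope}
    in_s = {a.lower() for a in scope.in_scope} - out_s  # an explicit exclusion wins
    # Red: any single explicitly excluded contract above either threshold.
    for addr, v in sorted(tvl.items(), key=lambda kv: -kv[1]):
        if addr in out_s and (v > RED_ABS_USD or v / total > RED_SHARE):
            return "red", f"excluded contract {addr} holds ${v:,.0f} ({v / total:.0%} of TVL)"
    in_share = sum(v for a, v in tvl.items() if a in in_s) / total
    out_share = sum(v for a, v in tvl.items() if a in out_s) / total
    unknown_share = 1.0 - in_share - out_share
    if in_share > GREEN_SHARE:
        return "green", f"in-scope contracts hold {in_share:.0%} of TVL"
    if unknown_share > AMBIGUOUS_SHARE:
        return "gray", f"{unknown_share:.0%} of TVL sits in contracts the scope does not mention"
    if out_s and out_share < RED_SHARE:
        return "yellow", f"excluded integration contracts hold {out_share:.0%} of TVL"
    return "gray", "excluded share is at or above 20% but no single contract crosses the red line"


# Constructed sample: core contracts in scope, a large bridge adapter excluded.
SAMPLE_TVL = {"0xcore": 600_000_000.0, "0xvault": 200_000_000.0, "0xoft-adapter": 1_000_000_000.0}
SAMPLE_SCOPE = BountyScope(frozenset({"0xcore", "0xvault"}), frozenset({"0xoft-adapter"}))

if __name__ == "__main__":
    print(score_scope_gap(SAMPLE_TVL, SAMPLE_SCOPE))
```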

**Notable historical examples** The Kelp DAO case (April 2026, $292M) is the primary motivating incident.

Measurement: what to look for

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

Data & output

| Field | Value |
|---|---|
| Data source | Immunefi API bounty scope field + protocol security docs + curator review of in-scope/out-of-scope contract list vs on-chain TVL by contract address |
| Output format | Green / Yellow / Red |
| Evidence artifact | Immunefi program URL + scope JSON (in/out-of-scope contract list) + curator note mapping highest-TVL contracts to scope status |
| Confidence signal | green = highest-TVL contracts are in scope; yellow = scope ambiguous or partially covers high-TVL contracts; red = highest-TVL contracts explicitly out of scope; gray = no bug bounty program exists (see RD-F-007) |

Scored protocols (80 carry this factor)

| Protocol | Chain | RD-F-183 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | red |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | red |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | red |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | red |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | red |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | yellow |
| Meteora | solana | red |
| mETH Protocol | ethereum | red |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | red |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | red |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | gray |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | red |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | red |
| Stargate Finance | ethereum | yellow |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | gray |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | red |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | red |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | yellow |

Linked hacks (no historical incidents linked)

No historical incidents are linked to this factor.

rubric_version: v1.7.0
factor: RD-F-183
category: 1
carried: 80
critical: no