Bug bounty scope gap on highest-TVL contracts

Aerodrome Finance's assessment for RD-F-183 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Velodrome Immunefi program scope page lists 12 Optimism-chain Velodrome contracts: GaugeFactory, FactoryRegistry, Minter, PoolFactory, Router, etc. No Aerodrome Base-chain contracts (Voter, VotingEscrow, AERO token, Slipstream PoolFactory) are named in scope. Slipstream README states 'Velodrome has a live bug bounty hosted on Immunefi' implying coverage but scope page does not enumerate Aerodrome Base-chain addresses. Aerodrome's highest-TVL contracts ($133.9M TVL on Base) appear out of or absent from explicit bug bounty scope.

Sources #

GitHub
Slipstream repo README (Immunefi reference)Slipstream README reference to Velodrome Immunefi programretrieved 2026-05-04
URL
Velodrome Finance Immunefi scope pageVelodrome Immunefi scope â€” 12 Optimism contracts listed, zero Aerodrome Base addressesretrieved 2026-05-04

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aerodrome factor RD-F-183 score red collected_at 2026-05-04 19:56:03