Bug bounty scope gap on highest-TVL contracts

Centrifuge's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Cantina bug bounty ($250K max critical) active since July 17 2025 for Centrifuge V3.1. The Cantina scope page does not identify specific highest-TVL contracts as explicitly out of scope beyond 'spamming through vaults' exclusion. V3.1 protocol broadly in scope. Full contract-level in/out-of-scope details not enumerable from available page content.

Sources #

URL
https://hackenproof.com/public-bug-bounty-list/centrifuge-bug-bounty-programretrieved 2026-04-27
URL
https://cantina.xyz/bounties/6cc9d51a-ac1e-4385-a88a-a3924e40c00eretrieved 2026-04-27

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol centrifuge factor RD-F-183 score yellow collected_at 2026-04-30 21:19:10