Bug bounty scope gap on highest-TVL contracts

deBridge's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Immunefi program lists 90 assets in scope across Ethereum, BNB Chain, Polygon, Arbitrum, Avalanche, Fantom, Heco. Specific contract enumeration in scope not confirmed from Immunefi page (API returned truncated data). The DeBridgeGate proxy (0x43dE...) is the highest-TVL contract on the protocol (~$6.26M aggregate as of 2026-05-07, DefiLlama; down from a ~$200M peak in 2022–2023) and is the core subject of the entire protocol; DLN is 0-TVL by architecture so DeBridgeGate is necessarily the largest TVL surface regardless of magnitude. No explicit exclusion of DeBridgeGate or DLN contracts identified from the Immunefi page content. DLN contracts (DlnSource, DlnDestination) are cross-chain bridging infrastructure and the unconfirmed scope is the basis for yellow.

Sources #

URL
https://api.llama.fi/protocol/debridgeretrieved 2026-05-06
URL
https://immunefi.com/bug-bounty/debridge/retrieved 2026-04-28

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol debridge factor RD-F-183 score yellow collected_at 2026-04-28 01:27:58