defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

Dolomite's assessment for RD-F-183 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Dolomite's in-house bug bounty (security@dolomite.io) publishes no contract scope list, no maximum payout, and no Immunefi/third-party listing. The highest-TVL contracts (DolomiteMargin 0x003Ca23Fd5F0ca87D01F6eC6CD14A8AE60c2b97D on Ethereum, $129.7M) are not explicitly covered by a named, transparent bounty scope. At $189.3M TVL with no Immunefi listing and no published scope, the bounty cannot be verified as covering the highest-TVL contracts.

Sources #

  • Docs
    Dolomite Audits & Security (docs.dolomite.io/audits-and-security): Chainalysis CIR listed as security measure — incident response only, not a bug bounty. Retrieved 2026-05-16.
  • Docs
    Dolomite Bug Bounty (docs.dolomite.io/bug-bounty): no max payout, no specific contract scope, email-only channel (security@dolomite.io). Retrieved 2026-05-16.

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.


rubric_version: v1.7.0
protocol: dolomite
factor: RD-F-183
score: red
collected_at: 2026-05-16 11:12:56