defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

Ethena's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Immunefi lists 27 assets in scope. The core Ethereum mainnet contracts (USDe, EthenaMinting V2, StakedUSDeV2, ENA, USDeSilo, EthenaLPStaking, StakingRewardsDistributor) are in scope. The USDe OFT adapters deployed across 18 chains via LayerZero (including Arbitrum, Base, Optimism, Mantle, BNB Chain, Solana) are NOT listed in the Immunefi scope table. This is a material bug bounty scope gap: the OFT adapters hold bridged USDe value across 18 chains and are excluded from bounty coverage. The pattern is similar to the Kelp DAO precedent, where the OFT adapter holding >$1B was excluded from the bounty.

Sources

Methodology

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.
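The check described above, as an added example (not defirisk.co's or Ethena's own code): it matches a per-chain deployment inventory against the bounty scope table and reports the high-TVL deployments that are missing from it. The `Deployment` type, the addresses and the TVL figures are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deployment:
    name: str
    chain: str
    address: str
    tvl_usd: float

def _key(chain, address):
    # Scope is per deployment: the same address on another chain is a
    # different asset, and address case (checksummed or not) must not matter.
    return (chain.strip().lower(), address.strip().lower())

def scope_gaps(inventory, bounty_scope, top_n=5):
    """Return (top-N deployments by TVL missing from scope, uncovered TVL share)."""
    covered = {_key(chain, addr) for chain, addr in bounty_scope}
    ranked = sorted(inventory, key=lambda d: d.tvl_usd, reverse=True)
    gaps = [d for d in ranked[:top_n] if _key(d.chain, d.address) not in covered]
    total = sum(d.tvl_usd for d in inventory)
    uncovered = sum(d.tvl_usd for d in inventory
                    if _key(d.chain, d.address) not in covered)
    return gaps, (uncovered / total if total else 0.0)

# Constructed sample data: placeholder addresses and TVL figures, not real values.
TOKEN, VAULT, ADAPTER = ("0x" + b * 20 for b in ("a1", "c3", "b2"))
INVENTORY = [
    Deployment("token", "ethereum", TOKEN, 500.0),
    Deployment("staking vault", "ethereum", VAULT, 300.0),
    Deployment("OFT adapter", "arbitrum", ADAPTER, 150.0),
    Deployment("OFT adapter", "base", ADAPTER, 50.0),
]
# Scope table rows as (chain, address); note the mixed case and that the
# adapter address is listed for Ethereum only.
BOUNTY_SCOPE = [
    ("Ethereum", "0x" + "A1" * 20),
    ("Ethereum", VAULT),
    ("Ethereum", ADAPTER),
]

if __name__ == "__main__":
    gaps, share = scope_gaps(INVENTORY, BOUNTY_SCOPE)
    for d in gaps:
        print(f"NOT IN SCOPE: {d.name} on {d.chain} ({d.tvl_usd:,.0f} USD)")
    print(f"TVL outside bounty scope: {share:.0%}")
```

Matching on address alone would mark both adapters as covered here, because the same address is listed for a different chain.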


rubric_version: v1.7.0
protocol: ethena
factor: RD-F-183
score: yellow
collected_at: 2026-04-28 13:58:51