defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

ether.fi's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Immunefi program active with $300K max payout and 60 assets in scope. Core contracts appear to be primary scope. However, the full enumeration of all 60 assets was not accessible because the Immunefi page is rendered with JavaScript. Specifically, whether the weETH OFT adapter contracts (LayerZero adapters across 19 chains) are explicitly included cannot be confirmed from the publicly accessible page content. The profile notes a Paladin audit of the OFT adapter migration (2024-09-30), but bug bounty scope is separate from audit coverage. Curator must verify that all 60 assets include the weETH OFT adapters to confirm there is no Kelp DAO-style scope gap.

Methodology

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

rubric_version: v1.7.0
protocol: ether-fi
factor: RD-F-183
score: yellow
collected_at: 2026-04-28 13:58:46