Bug bounty scope gap on highest-TVL contracts

Falcon Finance's assessment for RD-F-183 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No active bug bounty program exists for Falcon Finance. No scope at all — worse than 'highest-TVL contracts excluded.' Off-chain custody layer ($1.6B+ via Fireblocks/Ceffu) is categorically uninsurable via on-chain bounty.

Detail #

F183 asks specifically whether the highest-TVL contracts are excluded from an active bug bounty scope. Falcon Finance has no bug bounty program at all (confirmed: Immunefi search 2026-05-12 returns no results; protocol docs/security guide makes no mention). This is more adverse than the factor's red threshold ('highest-TVL contracts explicitly out of scope') — the program is entirely absent. Additionally, the majority of $1.618B TVL is off-chain (Fireblocks CVA + Ceffu MirrorX) which is categorically out of scope for any on-chain smart contract bug bounty. Red is unambiguous.

Sources #

URL
Falcon Finance Transparency and Security GuideFalcon Finance transparency/security guide — no bug bounty mentionedretrieved 2026-05-12
Docs
Falcon Finance Audits DocumentationFalcon Finance audits page — no bug bounty sectionretrieved 2026-05-12
URL
Immunefi Bug Bounty ProgramsImmunefi bug bounty index — Falcon Finance not listedretrieved 2026-05-12

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol falcon-finance factor RD-F-183 score red collected_at 2026-05-12 04:06:37