Bug bounty presence & max payout

Frax Finance's assessment for RD-F-007 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Self-hosted bug bounty program active. Max payout: lower of 10% of exploit or $10M in FRAX+FXS. Scope covers all Frax-deployed smart contracts managing protocol/user value. Submission via private GitHub gist or social DM. No third-party platform (not on Immunefi). The $10M maximum payout meets the >=500K threshold for green on payout alone, but: (a) no third-party verification of payouts, (b) the Dec-2025 disclosure allegation suggests the team used discretionary denial to suppress a valid report, undermining the effective bounty. Yellow: nominally adequate payout, but process integrity concern.

Sources #

Governance
Attribution Dispute - RedemptionQueueV2 DoS VulnerabilityAttribution dispute raising doubts about bounty process integrityretrieved 2026-05-17
Docs
Frax Finance Bug BountyFrax bug bounty program docs — scope and max payoutretrieved 2026-05-17

Methodology #

Check whether a public bug bounty program is active for this protocol and record the maximum payout in USD.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-007 score yellow collected_at 2026-05-16 20:44:31