Disclosure SLA public

Frax Finance's assessment for RD-F-176 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Frax bug bounty page states 'a maximum turnaround time of 5 days due to timelock+mitigation' — this is a published SLA. However: (1) it covers payment turnaround, not acknowledgment; (2) the Dec 2025 RedemptionQueueV2 case shows the SLA was not honored — report denied within hours (Dec 5), no bounty paid, no follow-up; (3) no separate published acknowledgment SLA (e.g., 'acknowledge within 24h'). Yellow: SLA is stated but narrow (payment SLA only, not acknowledgment SLA), and the Dec 2025 case provides evidence the stated SLA was not followed.

Sources #

Governance
Attribution Dispute — RedemptionQueueV2 DoS — Frax Governancegov.frax.finance thread #3818 — Dec 5, 2025 report denied same day; no bounty paid; SLA not honored in this caseretrieved 2026-05-17
Docs
Bug Bounty — Frax Finance DocsFrax bug bounty page — 'maximum turnaround time of 5 days due to timelock+mitigation'retrieved 2026-05-17

Methodology #

Determine whether the protocol publishes an acknowledgment-time SLA for disclosed vulnerabilities (e.g., 72h ack).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-176 score yellow collected_at 2026-05-16 20:44:31