Bug bounty scope gap on highest-TVL contracts
Hyperliquid's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The bug bounty program is self-hosted and describes its scope as 'any bug that would cause an outage or logical error on nodes or API servers.' The scope does NOT explicitly enumerate Bridge2 or any Solidity contract addresses as in-scope; the L1 binary is covered only implicitly through the 'nodes' reference. $3.26B of USDC lives in Bridge2, yet the bounty scope is framed around L1 node/API behavior, leaving it ambiguous whether Bridge2 smart contract bugs are in scope at all. There is no Immunefi page listing in-scope contract addresses that could confirm coverage either way.
Sources
- Docs: Hyperliquid Bug Bounty Program. Hyperliquid bug bounty program page (scope description), retrieved 2026-04-28.
Methodology
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.