Bug bounty scope gap on highest-TVL contracts
Assessment of Liquity V1 + V2 (LUSD / BOLD) for RD-F-183, scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
v2/BOLD has an active Cantina bounty covering the liquity/bold and liquity/V2-gov repos (max 125,000 BOLD for critical). Scope tab details were not fully verifiable via WebFetch. v1 is unbountied (bounty discontinued after the v2 launch) but holds ~$174.6M TVL in immutable contracts. Per the factor's focus on highest-TVL contracts: v2 core contracts appear to be in Cantina scope; v1 core contracts are unbountied. Scored yellow given: (a) the scope tab is not fully confirmed, (b) the v1 unbountied-but-immutable posture. The platform is Cantina, not Immunefi.
Sources
- Liquity v2 Cantina Bug Bounty Program: v2 Cantina bounty, max 125,000 BOLD for critical, both liquity/bold and V2-gov tracks (retrieved 2026-05-16)
- Liquity v1 Bug Bounty Documentation: v1 bug bounty discontinued, security@liquity.org contact maintained (retrieved 2026-05-16)
Methodology
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.