defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

Lista DAO's assessment for RD-F-183 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Immunefi program (last updated April 24, 2026) has 134 assets in scope covering DeFi protocols, lending, stablecoins (lisUSD), and yield aggregators on BSC. No highest-TVL contract is explicitly excluded. The program excludes prior-audit-documented vulnerabilities (reasonable exclusion, not a scope gap). Bounty scope appears to cover core CDP and lending contracts.

Sources #

  • URL
    Lista DAO Immunefi Bug Bounty — ScopeImmunefi program — 134 assets in scope, covers DeFi protocols/lending/lisUSD/yield aggregators; no explicit exclusion of core contracts; last updated April 24, 2026retrieved 2026-05-12

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lista-dao factor RD-F-183 score green collected_at 2026-05-12 17:54:05