Bug bounty scope gap on highest-TVL contracts
Lombard Finance's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Immunefi program reports 40 contracts in scope. Core EVM contracts (LBTC proxy/impl, Consortium, BridgeV2, Bascule) appear covered based on Immunefi scope page. However: (1) 97.28% of $1.07B TVL ($1.041B) is native BTC held off-chain in CubeSigner HSM / Lombard Ledger Cosmos appchain — entirely outside any smart contract bug bounty scope, as this is not an EVM contract surface; (2) Cantina is listed as an audit partner in Lombard docs with no completed report found — possible audit competition scope gap; (3) Maximum payout is $250K — low relative to $1.07B TVL and below the $500K threshold. The Kelp DAO precedent (OFT adapter holding $1B+ excluded from bounty) is the motivating pattern for F183; Lombard's LayerZero OFT adapter is currently paused and its bounty scope inclusion during active periods is unclear. Green requires highest-TVL contracts explicitly in scope — the 97% off-chain BTC custody layer fundamentally cannot be in an EVM bounty scope.
Sources #
- URLLombard Finance Immunefi Bug Bounty ScopeImmunefi scope: 40 contracts in scope, max $250Kretrieved 2026-05-05
- Lombard LBTC Design Architecture97.28% TVL in off-chain BTC (CubeSigner HSM / Lombard Ledger) — outside EVM bounty scoperetrieved 2026-05-05
- Lombard Finance Audits PageLombard docs: 6 audit partners including Cantina — no Cantina report foundretrieved 2026-05-05
Methodology #
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.
See the full factor methodology and distribution across all protocols →