Bug bounty scope gap on highest-TVL contracts
Marinade Finance's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The Immunefi program lists 1 total asset in scope, with a functional description of preventing fund loss from the liquid staking program. The main program address MarBmsSgKXdrN1egZf5sqe1TMai9K1rChYNDJgjq7aD is not explicitly enumerated by address on the bounty page. No LayerZero OFT adapters or bridge inboxes are present (the Kelp DAO precedent that motivated F183 does not apply). The scope description is functionally inclusive but lacks explicit program ID enumeration. Yellow: the scope appears to cover the highest-TVL contract functionally, but this is ambiguous without an explicit address listing.
Sources
- Marinade Bug Bounty on Immunefi: Immunefi Marinade bug bounty — 1 asset in scope, functional description of smart contract loss prevention (retrieved 2026-05-16)
- Marinade Immunefi Information Page: Immunefi Marinade information page — scope details (retrieved 2026-05-16)
Methodology
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.