Bug bounty scope gap on highest-TVL contracts

Spiko's assessment for RD-F-183 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No bug bounty program exists (RD-F-007 red). With $1.22B TVS across three codebases and no Immunefi, Cantina, or in-house bounty, there is no whitehat economic incentive for disclosure on the highest-TVL contracts including Stellar (~$547M) and Arbitrum (~$411M). Absence of any program is a superset of the out-of-scope failure mode this factor measures.

Sources #

Internal
spiko 00-data-cache.json bug bounty nullData cache bug_bounty.platform: null confirming no programretrieved 2026-05-16
URL
Immunefi Spiko (404)Immunefi 404 - no Spiko program existsretrieved 2026-05-16

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol spiko factor RD-F-183 score red collected_at 2026-05-15 22:52:13