Bug bounty scope gap on highest-TVL contracts
StakeWise v3's assessment for RD-F-183 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Critical scope gap confirmed. The Immunefi bug bounty program at immunefi.com/bug-bounty/stakewise/scope/ lists exactly 12 in-scope contracts, all of them StakeWise v2 contracts (Pool, PoolEscrow, PoolValidators, StakedEthToken, RewardEthToken, StakeWiseToken, Oracles, VestingEscrow, VestingEscrowFactory, MerkleDistributor, Roles, Proxy Admin). The v3 contracts bearing ~$795M TVL, namely VaultsRegistry (0x3a0008...), OsToken/osETH (0xf1C9...), Keeper (0x6B5815...), OsTokenVaultController (0x2A261...), all EthVault instances and all factory contracts, are not listed in scope. The program was created in May 2022 (before v3 launched in October 2023) and the scope was not updated afterwards. The $200K maximum payout exists, but no whitehat has an economic incentive to disclose v3 vulnerabilities because none of the v3 contracts qualify for it.
Sources
- StakeWise Immunefi Bug Bounty Scope Page (URL): Immunefi scope page listing 12 in-scope contracts, all v2 addresses (Pool 0xC874b064f465bdD6411D45734b56fac750Cda29A etc.); v3 contracts absent. Retrieved 2026-05-16.
- StakeWise profile §3 v3 contract addresses, cross-referenced with Immunefi scope: Profile §3 v3 contract list vs. bounty scope: VaultsRegistry 0x3a0008..., OsToken 0xf1C9..., Keeper 0x6B5815..., OsTokenVaultController 0x2A261... all absent from Immunefi scope. Retrieved 2026-05-16.
- StakeWise Immunefi Bug Bounty Program: Immunefi program page: Live Since 31 May 2022, Last Updated 10 March 2026; pre-v3-launch scope not updated. Retrieved 2026-05-16.
Methodology
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.
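One way to run this check mechanically, as an added example that is not part of the original assessment or of StakeWise's or Immunefi's tooling: it normalizes EVM addresses so EIP-55 checksum casing cannot hide a match, lists the deployed contracts missing from the published scope with the highest TVL first, and reports the share of protocol TVL left without bounty coverage. The in-scope list, the TVL figures and the v3 addresses are constructed sample data (only the v2 Pool address is the one cited above), and the function names are this example's own.

```python
"""Cross-reference a bug bounty program's in-scope contract list against a
protocol's deployed contracts and report what is left uncovered.

Added example; not StakeWise's or Immunefi's code. Addresses other than the
v2 Pool, and all TVL figures, are constructed stand-ins, not real deployments.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A 20-byte hex EVM address with the 0x prefix, any casing.
HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


@dataclass(frozen=True)
class Contract:
    name: str
    address: str
    version: str
    tvl_usd: float


def normalize(address: str) -> str:
    """Lower-case an address so EIP-55 checksum casing differences between the
    bounty page and the protocol's own docs do not mask a match; reject
    anything that is not a 20-byte hex address so typos surface as errors."""
    if not HEX_ADDRESS.match(address):
        raise ValueError(f"not an EVM address: {address!r}")
    return address.lower()


def scope_gap(in_scope: list[str], deployed: list[Contract]) -> list[Contract]:
    """Deployed contracts whose address is absent from the bounty scope,
    ordered by TVL so the most valuable unlisted contract comes first."""
    covered = {normalize(a) for a in in_scope}
    missing = [c for c in deployed if normalize(c.address) not in covered]
    return sorted(missing, key=lambda c: c.tvl_usd, reverse=True)


def uncovered_share(in_scope: list[str], deployed: list[Contract]) -> float:
    """Fraction of total TVL held by contracts outside the bounty scope."""
    total = sum(c.tvl_usd for c in deployed)
    if total == 0:
        return 0.0
    return sum(c.tvl_usd for c in scope_gap(in_scope, deployed)) / total


# Constructed sample: the scope lists only the v2 Pool (the one full address
# cited on this page), written lower-case to show casing does not matter.
SAMPLE_IN_SCOPE = ["0xc874b064f465bdd6411d45734b56fac750cda29a"]

# Constructed sample deployment list; v3 addresses are obvious placeholders
# (repeated byte patterns), and the TVL figures are illustrative only.
SAMPLE_DEPLOYED = [
    Contract("Pool (v2)", "0xC874b064f465bdD6411D45734b56fac750Cda29A", "v2", 50_000_000),
    Contract("VaultsRegistry (v3)", "0x" + "a1" * 20, "v3", 400_000_000),
    Contract("OsToken (v3)", "0x" + "b2" * 20, "v3", 300_000_000),
    Contract("Keeper (v3)", "0x" + "c3" * 20, "v3", 50_000_000),
    Contract("OsTokenVaultController (v3)", "0x" + "d4" * 20, "v3", 45_000_000),
]


if __name__ == "__main__":
    for c in scope_gap(SAMPLE_IN_SCOPE, SAMPLE_DEPLOYED):
        print(f"NOT IN SCOPE  {c.name:30} {c.address}  ${c.tvl_usd:,.0f}")
    print(f"uncovered TVL share: {uncovered_share(SAMPLE_IN_SCOPE, SAMPLE_DEPLOYED):.1%}")
```

Feed it the addresses scraped from the bounty scope page and the protocol's published deployment list; a non-empty result for any contract holding material TVL is the condition this factor scores on, and the uncovered share gives a single number to track across re-assessments.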