Bug bounty scope gap on highest-TVL contracts

USDD (Decentralized USD)'s assessment for RD-F-183 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No bug bounty program exists at all (Immunefi 404 confirmed; data cache bug_bounty.platform: null). The highest-TVL contracts — TRON TRC-20 (TPYmHEhy5n8TCEfYGqW2rPxsghSfzghPDn, ~$1.364B) — have zero whitehatch incentive. Per taxonomy F183: red when highest-TVL contracts are out of scope; scored red (stronger adverse finding: no program at all, not just scope gap). $1.475B TVS with no public bug bounty program of any kind.

Sources #

URL
Immunefi USDD - 404 Not FoundImmunefi USDD bounty page - 404 confirmed absenceretrieved 2026-05-17
Internal
USDD data cache - bug_bounty sectionData cache 00-data-cache.json bug_bounty.platform: null, url: nullretrieved 2026-05-17

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol usdd factor RD-F-183 score red collected_at 2026-05-17 11:34:18