defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

Veda (BoringVault)'s assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Immunefi program active with 52 assets in scope and $1M max payout. The publicly extractable portion of the Immunefi page lists out-of-scope items including 'Funds in other contracts, vaults, strategies, or positions' — which could introduce ambiguity for vault-specific peripheral deployments. The liquidETH BoringVault (0xf0bb20865277abd641a307ece5ee04e79073416c) is the highest-TVL contract; its explicit inclusion in the 52-asset scope could not be confirmed from the extracted page content. Yellow: scope likely covers primary vaults but explicit per-address confirmation is missing.

Sources

  • URL: Veda Immunefi Bug Bounty — scope
    Immunefi Veda — 52 assets in scope, out-of-scope: 'Funds in other contracts, vaults, strategies, or positions'
    Retrieved 2026-05-17

Methodology

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

  • rubric_version: v1.7.0
  • protocol: veda
  • factor: RD-F-183
  • score: yellow
  • collected_at: 2026-05-17 12:41:22