defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

Venus Protocol's assessment for RD-F-183 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Venus docs claim a bug bounty exists but no platform URL, scope document, or payout cap is published. Immunefi returns 404. Data cache confirms bug_bounty.platform=null. At $1.26B TVL, the Core Pool Diamond Comptroller and vToken contracts are almost certainly not in scope of any published bounty. This is structurally analogous to the Kelp DAO OFT adapter out-of-scope finding — the unquantified/unpublished bounty removes whitehat disclosure incentives for the most consequential contracts.

Sources

Methodology

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.


rubric_version: v1.7.0
protocol: venus
factor: RD-F-183
score: red
collected_at: 2026-04-28 18:30:49