Bug bounty scope gap on highest-TVL contracts
Balancer (v2 + v3)'s assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
v3 contracts (Vault, VaultExtension, core routers) were NOT in Immunefi bounty scope at v3 launch (Dec 2024). BIP-758 proposal added v3 contracts to scope post-launch — the highest-TVL v3 contracts had a bounty scope gap during their initial deployment period. Current status: v3 is now in scope per BIP-758. BIP-687 uncertainty about responsible party under Labs wind-down is an ongoing concern. Aug 2023 exploit confirms that when bounty scope covers the affected contracts, bounties work (whitehatter paid $1M). The period of v3 being out of scope is a historical gap now partially remediated.
Sources #
- URLBalancer Immunefi Bug Bounty ($1M max, 38 assets, last updated 2026-04-27)https://immunefi.com/bug-bounty/balancer/retrieved 2026-05-05
- BIP-687: Bug bounty management transition to DAOhttps://forum.balancer.fi/t/bip-687-transition-of-bug-bounty-program-responsibility-to-balancer-dao/5847/8retrieved 2026-05-05
- BIP-758: Update Bug Bounty Program scope for v3 assetshttps://forum.balancer.fi/t/bip-758-update-bug-bounty-program-scope-for-v3-assets/6295retrieved 2026-05-05
Methodology #
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.
See the full factor methodology and distribution across all protocols →