Bug bounty scope gap on highest-TVL contracts
BENQI's assessment for factor RD-F-183, scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for that score.
Evidence summary
The Immunefi BENQI program (scope updated November 27, 2025) lists 38 in-scope assets. The highest-TVL components are covered: qiUSDC, qiETH, qiAVAX (via the qiToken listings), qisAVAX, qiBUSD, qiLINK, and the ecosystem-market qiTokens (JOE, SolvBTC, COQ, AUSD, USDTn). QiTokenSaleDistributorProxy is also listed. The Comptroller, the governance hub for every market, is not listed as its own asset but is treated as implicitly in scope because it governs all of the listed qiToken assets; this is an inference from the scope rather than an explicit listing, so a reporter relying on it should confirm the interpretation with the program before submitting. The maximum payout of $500K applies to both the lending and the sAVAX surfaces. One limitation to note: 'centralization and economic attack impacts' are out of scope. That is an exclusion by impact type, not by asset, so it does not reduce coverage of structural smart-contract vulnerabilities in the listed contracts. No highest-TVL contract is explicitly out of scope.
Sources
- BENQI Immunefi Bug Bounty Scope: Immunefi BENQI scope, 38 in-scope assets, both lending and sAVAX covered, updated November 2025 (retrieved 2026-05-16)
- BENQI Immunefi Bug Bounty Program: Immunefi BENQI program, $500K max payout, live since August 2021 (retrieved 2026-05-16)
Methodology
Determine whether the highest-TVL contracts of this protocol (especially shared primitives such as OFT adapters, ZK verifiers, or a bridge inbox) are explicitly excluded from the protocol's active bug bounty scope. Explicit exclusion is the failing condition; a contract that is neither listed nor excluded is recorded as an inference and checked for implied coverage through a listed proxy or governing contract.
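The check above can be made mechanical. The following is an added example of a scope-gap comparison written for this page; it is not BENQI's or Immunefi's tooling, and every address in it is a constructed placeholder rather than a real deployment. It takes the protocol's highest-TVL contracts, the assets the bounty program lists (with an optional list of contracts a listing is taken to imply, such as the Comptroller behind the qiTokens), and the program's explicit exclusions, and sorts each top-TVL contract into explicit, implied, excluded, or unlisted. Addresses are lowercased so that EIP-55 checksum casing does not produce a false "unlisted".

```python
"""Bug bounty scope-gap check (added example, not BENQI's or Immunefi's code).

Given a protocol's highest-TVL contracts and a bounty program's listed assets
and exclusions, classify each contract as explicitly listed, implied by a
listed entry, explicitly excluded, or never mentioned. All addresses below are
constructed placeholders for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ScopeAsset:
    name: str
    address: str
    # Contracts this listing is taken to cover without naming them, e.g. the
    # implementation behind a listed proxy or the hub governing a listed market.
    # Recording the inference here keeps it visible in the report.
    implies: tuple[str, ...] = ()


def norm(addr: str) -> str:
    """Lowercase so checksummed and lowercase forms of one address compare equal."""
    return addr.strip().lower()


def scope_gap(top_tvl: dict[str, str],
              in_scope: Iterable[ScopeAsset],
              out_of_scope: Iterable[str]) -> dict:
    """Classify each top-TVL contract against the bounty scope.

    Returns lists of names per category plus `explicitly_excluded`, the
    rubric's failing condition (a highest-TVL contract named as out of scope).
    """
    in_scope = list(in_scope)
    explicit = {norm(a.address): a.name for a in in_scope}
    implied = {norm(x): a.name for a in in_scope for x in a.implies}
    excluded = {norm(x) for x in out_of_scope}

    report: dict = {"explicit": [], "implied": {}, "excluded": [], "unlisted": []}
    for name, addr in top_tvl.items():
        a = norm(addr)
        if a in excluded:            # exclusion wins over any implied coverage
            report["excluded"].append(name)
        elif a in explicit:
            report["explicit"].append(name)
        elif a in implied:           # record which listing the inference rests on
            report["implied"][name] = implied[a]
        else:
            report["unlisted"].append(name)
    report["explicitly_excluded"] = bool(report["excluded"])
    return report


# Constructed sample shaped like the BENQI/Immunefi scope: qiTokens listed,
# the Comptroller implied through them. Placeholder addresses, not real ones.
COMPTROLLER = "0x0000000000000000000000000000000000000100"
SAMPLE_SCOPE = [
    ScopeAsset("qiUSDC", "0x0000000000000000000000000000000000000001",
               implies=(COMPTROLLER,)),
    ScopeAsset("qiAVAX", "0x00000000000000000000000000000000000000ab"),
    ScopeAsset("qisAVAX", "0x0000000000000000000000000000000000000003"),
]
SAMPLE_EXCLUSIONS = ["0x00000000000000000000000000000000000000ee"]
SAMPLE_TOP_TVL = {
    "qiUSDC": "0x0000000000000000000000000000000000000001",
    "qiAVAX": "0x00000000000000000000000000000000000000AB",  # checksum-style casing
    "Comptroller": COMPTROLLER,
    "HypotheticalRouter": "0x00000000000000000000000000000000000000ee",  # excluded
    "HypotheticalOracle": "0x00000000000000000000000000000000000000ff",  # unlisted
}


def sample_report() -> dict:
    return scope_gap(SAMPLE_TOP_TVL, SAMPLE_SCOPE, SAMPLE_EXCLUSIONS)


if __name__ == "__main__":
    for category, members in sample_report().items():
        print(f"{category}: {members}")
```

The sample deliberately includes one excluded and one unlisted hypothetical contract so that every branch is exercised; for the real BENQI scope the `excluded` list is empty, which is what the green score rests on, and the Comptroller lands in `implied` rather than `explicit`.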