Bug bounty scope gap on highest-TVL contracts
Assessment of Cap (cUSD / stcUSD) for RD-F-183, scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Cap has a Sherlock Bug Bounty ($1M USDC max, audits.sherlock.xyz/bug-bounties/114, live since 2025-10-24). Its in-scope contract list could not be retrieved in full with WebFetch, because the Sherlock page is a single-page application. The Electisec 'LZ vault' audit (2025-05-25) shows the OFT lockbox component was audited separately, and the OFT configuration report confirms that OFTLockboxUpgradeable.sol bridges material TVL to the MegaETH, Monad, Tempo and Katana chains. An audit is not bounty coverage: if this contract is not in the Sherlock scope, that is a material scope gap under the F183 definition (highest-TVL contracts explicitly out of scope). The definition turns on a distinction worth keeping: a contract that is merely absent from the in-scope list and a contract named on an exclusions list are different findings, and only the second is an explicit exclusion, so verification has to check both lists. Yellow is assigned pending the curator's check of the full in-scope (and any out-of-scope) contract list against OFTLockboxUpgradeable.sol. There is no Immunefi program to fall back on.
Sources
- Cap Sherlock Bug Bounty (audits.sherlock.xyz/bug-bounties/114): $1M max, live 2025-10-24, scope not fully verifiable via WebFetch. Retrieved 2026-05-17.
- Electisec LZ Vault Audit 2025-05-25 (2025-05-25-Electisec.pdf): LZ vault component audited separately. Retrieved 2026-05-17.
- OFT Configuration Report (oft-config-report.txt): OFT bridges confirmed to 5 networks (Ethereum, Monad, Tempo, MegaETH, Katana). Retrieved 2026-05-17.
Methodology
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.
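A scope-gap check of the kind this methodology describes, as an added example that is not Cap's, Sherlock's or the rubric's own code: it normalises address casing, accepts a match on either the proxy or the implementation address, and separates "explicitly excluded" (named on an out-of-scope list) from "unlisted" (absent from the in-scope list), since only the first is an explicit exclusion in the F183 sense. Contract and chain names follow the page; the addresses, TVL figures and both scope lists are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    name: str
    chain: str
    proxy: str           # address users and bridges interact with
    implementation: str  # logic contract currently behind the proxy
    tvl_usd: float


def norm_addr(addr: str) -> str:
    """Lower-case a 20-byte hex address so EIP-55 checksum casing never hides a match."""
    a = addr.strip().lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return "0x" + a


def parse_entries(entries):
    """Scope entries are 'chain:0xaddr' (that chain only) or a bare '0xaddr' (any chain)."""
    per_chain, any_chain = set(), set()
    for entry in entries:
        head, sep, tail = entry.partition(":")
        if sep:
            per_chain.add((head.strip().lower(), norm_addr(tail)))
        else:
            any_chain.add(norm_addr(head))
    return per_chain, any_chain


def matches(d: Deployment, per_chain, any_chain) -> bool:
    """A deployment is covered if either its proxy or its implementation is listed.
    Programmes often list only the implementation; the curator should accept both."""
    for addr in (d.proxy, d.implementation):
        a = norm_addr(addr)
        if a in any_chain or (d.chain.lower(), a) in per_chain:
            return True
    return False


def scope_gaps(deployments, in_scope, out_of_scope=(), top_n=3):
    """Rank deployments by TVL and report which of the top_n are not covered.

    Returns [(deployment, status)] in TVL order. status is 'excluded' when the
    contract appears on the programme's out-of-scope list (an explicit
    exclusion) and 'unlisted' when it merely does not appear on the in-scope
    list (a question for the programme, not yet a scored finding).
    """
    inc = parse_entries(in_scope)
    exc = parse_entries(out_of_scope)
    ranked = sorted(deployments, key=lambda d: d.tvl_usd, reverse=True)
    gaps = []
    for d in ranked[:top_n]:
        if matches(d, *exc):
            gaps.append((d, "excluded"))
        elif not matches(d, *inc):
            gaps.append((d, "unlisted"))
    return gaps


def _addr(n: int) -> str:
    """Placeholder address generator for the constructed inventory below."""
    return f"0x{n:040x}"


# Constructed inventory: contract and chain names follow the page, everything else is made up.
DEPLOYMENTS = [
    Deployment("OFTLockboxUpgradeable", "ethereum", _addr(0xA1), _addr(0xB1), 40e6),
    Deployment("stcUSD vault", "ethereum", _addr(0xA2), _addr(0xB2), 30e6),
    Deployment("cUSD OFT", "megaeth", _addr(0xA3), _addr(0xB3), 12e6),
    Deployment("cUSD OFT", "monad", _addr(0xA4), _addr(0xB4), 8e6),
    Deployment("cUSD OFT", "katana", _addr(0xA5), _addr(0xB5), 3e6),
    Deployment("cUSD OFT", "tempo", _addr(0xA6), _addr(0xB6), 2e6),
]

# Constructed scope lists (hypothetical): the vault proxy is listed in checksum
# casing, the MegaETH OFT is listed only by implementation address and without a
# chain, the Katana OFT is explicitly excluded, and the lockbox is not mentioned.
IN_SCOPE = [f"ethereum:{_addr(0xA2).upper()}", _addr(0xB3)]
OUT_OF_SCOPE = [f"katana:{_addr(0xA5)}"]

if __name__ == "__main__":
    for d, status in scope_gaps(DEPLOYMENTS, IN_SCOPE, OUT_OF_SCOPE, top_n=5):
        print(f"{status:8s} {d.chain:9s} {d.name} (${d.tvl_usd:,.0f})")
```

Run against the constructed data, the highest-TVL contract (the lockbox) comes back as "unlisted", which is exactly the state the assessment above is in: not yet a scored exclusion, but a gap the curator has to close with the programme before moving off yellow.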
See the full factor methodology and distribution across all protocols →