Bug bounty scope gap on highest-TVL contracts

Concrete's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Cantina $250K USDC bug bounty scope stated as 'universal yield infrastructure, strategy integrations, supporting libraries' and 'core contracts of Concrete' — this description encompasses highest-TVL contracts (ConcreteStandardVaultImpl, ConcreteFactory). However, no explicit per-contract address enumeration in Cantina scope definition found publicly. GitHub self-hosted repo (concrete-earn-v2-bug-bounty) exposes V2 core source but no explicit scope list. Yellow — scope description covers core contracts but lacks explicit per-address confirmation that the $857M Ethereum vaults are in scope.

Sources #

GitHub
Bug Bounty Repositoryconcrete-earn-v2-bug-bounty repo — no explicit per-contract scope list foundretrieved 2026-05-17
URL
Cantina x Concrete Bug BountyCantina bug bounty — $250K USDC scope: core contracts of Concreteretrieved 2026-05-17

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol concrete factor RD-F-183 score yellow collected_at 2026-05-17 14:36:59