Disclosure channel exists

Frax Finance's assessment for RD-F-175 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

A public disclosure channel exists at docs.frax.finance/smart-contracts/bug-bounty: submission via private GitHub gist shared through Twitter DM, Telegram, Discord, or Signal. Channel is publicly documented. However: (1) no dedicated security@ email; (2) no third-party platform (Immunefi) with formal program management; (3) the Dec 2025 RedemptionQueueV2 incident demonstrates inconsistent channel response — the channel was used but resulted in denial and cessation of contact. Yellow: channel exists and is documented, but active-monitoring evidence is mixed given the Dec 2025 outcome.

Sources #

Governance
Attribution Dispute — RedemptionQueueV2 DoS — Frax Governancegov.frax.finance thread #3818 — disclosure submitted Dec 4-5 2025 via stated channel; team denied finding and ceased communicationretrieved 2026-05-17
Docs
Bug Bounty — Frax Finance DocsFrax bug bounty page — submission method: private GitHub gist via social DMs; scope: all smart contract code managing protocol value and user depositsretrieved 2026-05-17

Methodology #

Determine whether the protocol publishes a public security disclosure channel (security@ email, Immunefi program, in-house disclosure page).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-175 score yellow collected_at 2026-05-16 20:44:31