Bug bounty scope gap on highest-TVL contracts

Frax Finance's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Frax self-hosted bounty scope is broad ('all smart contracts deployed by Frax Deployer addresses including Fraxswap, Fraxlend, frxETH' and 'any chain managing Frax Protocol value/user deposited value'). No explicit exclusion of highest-TVL contracts found. However: the Dec-2025 allegation suggests the team used discretionary 'no bug found' denial to suppress a valid disclosure on FraxEtherRedemptionQueueV2 — effectively removing economic incentive for whitehats even on in-scope contracts. The self-hosted, third-party-unverified nature means scope enforcement depends entirely on team discretion. Yellow: nominally broad scope but effective coverage undermined by disputed denial incident.

Sources #

Governance
Attribution Dispute - RedemptionQueueV2 DoS VulnerabilityAttribution dispute showing team denied valid disclosureretrieved 2026-05-17
Docs
Frax Finance Bug BountyFrax bug bounty scope descriptionretrieved 2026-05-17

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-183 score yellow collected_at 2026-05-16 20:44:31