Bug bounty scope gap on highest-TVL contracts

Hyperlane's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Immunefi program (222 assets in scope, $2.5M max) appears to broadly cover smart contracts. Last updated 2026-04-13 (one day before the ERC4626 insolvency disclosure). Explicit in-scope/out-of-scope contract list not verified from accessible page text. April 2026 reporter could not find the Immunefi program easily enough to use it as a disclosure channel. Score: yellow (program appears comprehensive but per-contract scope coverage for highest-TVL Warp Routes not confirmed).

Sources #

GitHub
Issue #8589 — disclosure channel confusionIssue #8589 — reporter unable to find Immunefi channel, used GitHub issue insteadretrieved 2026-05-17
URL
Hyperlane Bug Bounty — ImmunefiImmunefi program — 222 assets in scope, $2.5M max, last updated 2026-04-13retrieved 2026-05-17

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperlane factor RD-F-183 score yellow collected_at 2026-05-16 23:03:56