Bug bounty scope gap on highest-TVL contracts
Liquid Collective (LsETH)'s assessment for RD-F-183 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No formal bug bounty program exists at $767M TVS. The vulnerability disclosure policy explicitly states 'We are currently designing our bug bounty program.' This is the absence of any program — not a scope-exclusion gap within an existing program. All River proxy contracts holding user ETH (0x8c1BEd5b...) have no whitehat economic incentive for responsible disclosure. At $767M TVS this is the most material standalone code-security gap. Retroactive rewards are promised once the program launches but no timeline is specified.
Sources
- GitHub: Liquid Collective Vulnerability Disclosure Policy. Vulnerability disclosure policy; explicitly states that the bug bounty program has not yet launched. Retrieved 2026-05-17.
- Liquid Collective: Protocol Security Audits. Security audits page; no Immunefi or other bounty program is linked. Retrieved 2026-05-17.
Methodology
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.