Bug bounty scope gap on highest-TVL contracts

Multipli's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

HackenProof program describes scope as 'on-chain smart contract code' broadly but lists no specific contract addresses. Highest-TVL contracts on Ethereum (~$178.9M) and Base (~$110M) have no published addresses, making scope verification impossible. rwaUSD contract suite not explicitly in scope. Max $10K payout provides minimal economic incentive for whitehat coverage of highest-TVL contracts. Scope is ambiguous rather than explicit exclusion.

Sources #

URL
HackenProof — Multipli Smart Contracts program scopeHackenProof Multipli smart contracts program — scope description, no specific addressesretrieved 2026-05-17

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol multipli factor RD-F-183 score yellow collected_at 2026-05-17 11:48:35