Bug bounty scope gap on highest-TVL contracts

Stake DAO's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

In-house bug bounty at docs.stakedao.org/bug-bounty covers 'smart contracts deployed on Ethereum mainnet listed in Contract Addresses' and code 'tagged for production.' No Immunefi listing. Scope is ambiguous — does not provide a machine-readable list of in-scope addresses to verify coverage of highest-TVL liquid locker contracts. The $100K critical cap vs $160M TVL provides weak economic incentive for whitehat disclosure on core locker contracts. Yellow: scope ambiguous, not explicitly excluding highest-TVL contracts but not explicitly verifying inclusion.

Sources #

URL
Immunefi Bug Bounty PlatformImmunefi — no Stake DAO listing confirmedretrieved 2026-05-16
Docs
Stake DAO Bug Bounty ProgramBug bounty program — scope: production contracts; $100K critical maxretrieved 2026-05-16

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol stake-dao factor RD-F-183 score yellow collected_at 2026-05-16 12:29:20