defirisk.co
rubric v1.7.0

Bug bounty scope gap on highest-TVL contracts

Stargate Finance's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The Immunefi bounty lists 15 assets in scope on Ethereum: the FeeLib variants (ETH, USDC, USDT, METIS, mETH), the StargatePool variants (Native, USDC, USDT, METIS, mETH), StargateMultiRewarder, and StargateStaking. **TokenMessaging (0x6d6620eFa72948C5f68A3C8646d58C00d3f4A980), the contract that routes cross-chain messages for all bridging, is not explicitly listed in the Immunefi in-scope asset list based on available data.** The StargatePool contracts hold the primary TVL (~$92M aggregate as of 2026-05-07, down from a v2 peak of ~$345M), and those are in scope. The message-routing contract being potentially out of scope is a meaningful gap regardless of pool TVL magnitude. Score retained at yellow: the scope-gap concern is structural, not TVL-dependent.

Sources

Methodology

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.
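The check described above, written out as an added example that is not defirisk.co's tooling and not part of the original assessment. It assumes two constructed inputs: the bounty's in-scope address list and a list of deployed contracts with TVL figures. Only the TokenMessaging address comes from the page; every other address, TVL value and the "LegacyHelper" contract are constructed placeholders. The example flags a contract as a scope gap when it is absent from the bounty list and either holds TVL above a threshold or is a shared primitive (message router, OFT adapter, verifier), so that a zero-TVL routing contract is still reported, which is the failure mode a pure TVL cutoff would miss.

```python
import re

# EVM addresses are 20 bytes hex; checksummed (mixed-case) and lower-case forms
# denote the same contract, so every comparison goes through normalize().
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate an EVM address string and return its lower-case form."""
    addr = addr.strip()
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not an EVM address: {addr!r}")
    return addr.lower()


# Constructed in-scope list (placeholder addresses, not the real Immunefi listing).
IN_SCOPE_ADDRESSES = [
    "0x00000000000000000000000000000000000000A1",  # StargatePoolUSDC (constructed)
    "0x00000000000000000000000000000000000000a2",  # StargatePoolNative (constructed)
    "0x00000000000000000000000000000000000000A3",  # StargateStaking (constructed)
]

# Constructed deployment inventory. TVL figures are illustrative only; the
# TokenMessaging address is the one quoted in the assessment above.
DEPLOYED = [
    {"name": "StargatePoolUSDC", "address": "0x00000000000000000000000000000000000000a1",
     "tvl_usd": 40_000_000, "shared_primitive": False},
    {"name": "StargatePoolNative", "address": "0x00000000000000000000000000000000000000A2",
     "tvl_usd": 30_000_000, "shared_primitive": False},
    {"name": "StargateStaking", "address": "0x00000000000000000000000000000000000000a3",
     "tvl_usd": 5_000_000, "shared_primitive": False},
    {"name": "TokenMessaging", "address": "0x6d6620eFa72948C5f68A3C8646d58C00d3f4A980",
     "tvl_usd": 0, "shared_primitive": True},
    {"name": "LegacyHelper", "address": "0x00000000000000000000000000000000000000b9",
     "tvl_usd": 1_200, "shared_primitive": False},
]


def find_scope_gaps(in_scope_addrs, deployed, min_tvl_usd=1_000_000):
    """Return deployed contracts missing from the bounty scope that matter.

    A contract is reported when it is not in scope and either holds at least
    min_tvl_usd or is marked as a shared primitive. Results are sorted by TVL
    descending so the highest-value gap comes first.
    """
    covered = {normalize(a) for a in in_scope_addrs}
    gaps = []
    for contract in deployed:
        if normalize(contract["address"]) in covered:
            continue
        reasons = []
        if contract.get("shared_primitive", False):
            reasons.append("shared primitive")
        if contract.get("tvl_usd", 0) >= min_tvl_usd:
            reasons.append("tvl >= threshold")
        if reasons:
            gaps.append({
                "name": contract["name"],
                "address": contract["address"],
                "tvl_usd": contract.get("tvl_usd", 0),
                "reason": ", ".join(reasons),
            })
    gaps.sort(key=lambda g: (-g["tvl_usd"], g["name"]))
    return gaps


if __name__ == "__main__":
    for gap in find_scope_gaps(IN_SCOPE_ADDRESSES, DEPLOYED):
        print(f"{gap['name']:<20} {gap['address']}  tvl=${gap['tvl_usd']:,}  ({gap['reason']})")
```

On the constructed data the pools and staking contract match despite differing address case, LegacyHelper is ignored because it is neither valuable nor structural, and TokenMessaging is the single reported gap even though it holds no TVL. Using a real bounty page as input, the in-scope list should be copied verbatim and any address that fails validation treated as a data error rather than silently skipped.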


rubric_version: v1.7.0
protocol: stargate
factor: RD-F-183
score: yellow
collected_at: 2026-04-28 01:38:41