Bug bounty scope gap on highest-TVL contracts

Symbiotic's assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Immunefi program covers 5 service/registry contracts: OperatorRegistry, OperatorNetworkOptInService, OperatorVaultOptInService, NetworkRegistry, NetworkMiddlewareService. The DefaultCollateral contracts (wstETH, cbETH, rETH, sUSDe) holding actual restaked TVL ($472M) and the VaultFactory are not confirmed in scope from available secondary sources. Immunefi scope page returned 404 on direct access. Plausible scope gap on highest-TVL-holding contracts, but not definitively confirmed as excluded.

Sources #

Etherscan
DC_wstETH DefaultCollateralDefaultCollateral wstETH at 0xC329400492c6ff2438472D4651Ad17389fCb843a holding significant TVL - not confirmed in bounty scoperetrieved 2026-05-16
URL
Symbiotic Immunefi ScopeImmunefi search result listing 5 in-scope contracts (service layer only) active since Feb 21 2025retrieved 2026-05-16

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol symbiotic factor RD-F-183 score yellow collected_at 2026-05-16 09:25:24