
Bug Bounty

Bounce Tech runs a bug bounty program for its production smart contracts. See below for details on the program.

Severity and Rewards

Severity classifications will be done via the Immunefi Vulnerability Severity Classification System v2.3.

Severity: Bounty

Critical: 10% of funds at risk, up to $100,000, minimum $15,000

High: $5,000 to $15,000

Medium: Flat $1,500

Low: Flat $500

Scope

The bug bounty program does not cover the website, API or other supporting services. The bug bounty program only covers smart contracts that are considered part of the core protocol, so excludes any Helper Contracts. You can find the smart contract codebase here.

Rules and Requirements

  • Critical and High reports must include a runnable PoC against a local fork of Hyperliquid.

  • Any issues that have been raised in a previous audit report are not eligible for bounties. You can see previous reports here.

  • Duplicates after the first valid report are not eligible.

  • Chained bugs are evaluated by the highest-severity impact.

  • Reporters who exploited the bug themselves before reporting are ineligible and may trigger legal action.

  • Payouts are conditional on completion of KYC and sanctions screening to the satisfaction of the Bounce Foundation. The Foundation reserves the right to withhold payment where screening cannot be completed or where payment would breach applicable sanctions or AML laws.

  • Current or former Bounce team members, paid auditors of the affected code, and their immediate family are not eligible.

  • Bounties will be paid in fiat, within 14 days of fix deployment, or within 30 days of report acceptance for Criticals where the fix takes longer.

  • No bug submission is eligible if it has already been included in a historic paid bug bounty (see below).

Submissions

All bug bounty submissions can be made by messaging chase_9128 on Telegram.

28th April 2026: perpUsdc clamps negative values (Low)

The perpUsdc functions in the Hyperliquid Handler clamp negative values returned by Hyperliquid. If a perp position on Hyperliquid were to go negative due to a system failure, Bounce Tech would fail to account for those negative values in the exchange rate. Remediation is to account for negative values properly and propagate them through to the exchange rate for accounting.
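To make the accounting effect concrete, the following is an added Python model of the two behaviours, not Bounce Tech's handler code. The reading structure, the spot/perp split of net assets and the sample position values are all constructed assumptions; the point it demonstrates is that clamping a negative perp value to zero overstates net assets, and therefore the per-share exchange rate, by exactly the clamped amount.

```python
from dataclasses import dataclass
from fractions import Fraction

# Constructed model of the accounting path (assumption: net assets = spot USDC + perp USDC).
# Amounts are integers in USDC base units (6 decimals); supply is in share base units.
USDC = 10**6


@dataclass(frozen=True)
class HyperliquidReading:
    """Hypothetical stand-in for the per-position perp USDC values a handler reads
    from Hyperliquid. The venue can report a negative value after a system failure."""
    perp_usdc_values: tuple


def perp_usdc_clamped(reading: HyperliquidReading) -> int:
    """Behaviour described in the report: each negative value is clamped to zero,
    so a negative position silently drops out of the total."""
    return sum(max(v, 0) for v in reading.perp_usdc_values)


def perp_usdc_signed(reading: HyperliquidReading) -> int:
    """Remediated behaviour: negative values are kept and summed as signed integers."""
    return sum(reading.perp_usdc_values)


def exchange_rate(spot_usdc: int, perp_usdc: int, total_supply: int) -> Fraction:
    """Exchange rate as net assets per share, in exact rational arithmetic so the
    comparison is not blurred by rounding. A negative perp_usdc reduces net assets."""
    if total_supply <= 0:
        raise ValueError("total_supply must be positive")
    return Fraction(spot_usdc + perp_usdc, total_supply)


def rate_overstatement(reading: HyperliquidReading, spot_usdc: int, total_supply: int) -> Fraction:
    """By how much the clamped path overstates the per-share rate relative to signed
    accounting: zero when no position is negative, positive as soon as one is."""
    clamped = exchange_rate(spot_usdc, perp_usdc_clamped(reading), total_supply)
    signed = exchange_rate(spot_usdc, perp_usdc_signed(reading), total_supply)
    return clamped - signed


if __name__ == "__main__":
    # Constructed sample: two perp positions, one of which is reported as -2 USDC.
    reading = HyperliquidReading((5 * USDC, -2 * USDC))
    spot, supply = 10 * USDC, 10 * USDC
    print("clamped rate:", exchange_rate(spot, perp_usdc_clamped(reading), supply))
    print("signed rate: ", exchange_rate(spot, perp_usdc_signed(reading), supply))
    print("overstated by", rate_overstatement(reading, spot, supply), "USDC per share")
```

With the sample values the clamped path reports 1.5 USDC per share against a true 1.3, so any redemption priced off the clamped rate pays out more than the vault actually holds per share; propagating the signed total removes the discrepancy.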

29th April 2026: executeRedemptionFee not charged when baseAmount is zero (Low)

When baseAmount is zero, _redemptionFee returns 0 early. However, for a prepare redeem, gas costs are still incurred for processing a zero amount, so executeRedemptionFee should still be charged. Remediation is to charge executeRedemptionFee in this case. Note that this also resolves a potentially undesirable behaviour where users may not want to receive a zero amount for their prepare redeem and would rather keep their leveraged tokens.
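The following is an added Python model of the fee logic before and after the remediation; it is not the project's _redemptionFee implementation. The fee structure (a proportional component in basis points plus a flat executeRedemptionFee for prepare redeems) and the rule that a redeem whose fee exceeds its amount is rejected rather than settled are assumptions made for the example.

```python
from dataclasses import dataclass

BPS = 10_000


class InsufficientForFee(Exception):
    """Raised when the fee due exceeds the amount being redeemed."""


@dataclass(frozen=True)
class FeeConfig:
    redemption_fee_bps: int       # assumed proportional component, in basis points
    execute_redemption_fee: int   # assumed flat executeRedemptionFee for executing a prepared redeem


def redemption_fee_before(cfg: FeeConfig, base_amount: int, is_prepare_redeem: bool) -> int:
    """Fee logic as the report describes it: an early 0 return when baseAmount is zero,
    which skips executeRedemptionFee even though a prepare redeem still costs gas."""
    if base_amount == 0:
        return 0
    fee = base_amount * cfg.redemption_fee_bps // BPS
    if is_prepare_redeem:
        fee += cfg.execute_redemption_fee
    return fee


def redemption_fee_after(cfg: FeeConfig, base_amount: int, is_prepare_redeem: bool) -> int:
    """Remediated logic: the proportional part is naturally zero for a zero amount,
    but executeRedemptionFee is charged whenever the request is a prepare redeem."""
    fee = base_amount * cfg.redemption_fee_bps // BPS
    if is_prepare_redeem:
        fee += cfg.execute_redemption_fee
    return fee


def settle_prepare_redeem(cfg: FeeConfig, base_amount: int, fee_fn) -> int:
    """Net payout for a prepare redeem under a given fee function. Assumed behaviour:
    a redeem whose fee exceeds the amount is rejected, so the user keeps their tokens."""
    fee = fee_fn(cfg, base_amount, True)
    if fee > base_amount:
        raise InsufficientForFee(f"fee {fee} exceeds base amount {base_amount}")
    return base_amount - fee


def prepare_redeem_rejected(cfg: FeeConfig, base_amount: int, fee_fn) -> bool:
    """True when the prepare redeem would be rejected rather than settled."""
    try:
        settle_prepare_redeem(cfg, base_amount, fee_fn)
    except InsufficientForFee:
        return True
    return False


if __name__ == "__main__":
    # Constructed config: 0.5% proportional fee, 2 USDC flat execute fee (6-decimal units).
    cfg = FeeConfig(redemption_fee_bps=50, execute_redemption_fee=2_000_000)
    for amount in (1_000_000_000, 0):
        print(amount, "before:", redemption_fee_before(cfg, amount, True),
              "after:", redemption_fee_after(cfg, amount, True),
              "rejected after fix:", prepare_redeem_rejected(cfg, amount, redemption_fee_after))
```

For a zero-amount prepare redeem the original path charges nothing and pays out zero, so the protocol absorbs the execution gas and the user loses their position for nothing; under the remediated path the flat fee is still due, which both recovers the gas cost and, under the rejection assumption above, leaves the user holding their leveraged tokens.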
