# Bug Bounty

Bounce Tech has a bug bounty program available for their production smart contracts. See below for details on the program.

### Severity and Rewards

Severity classifications will be done via the [Immunefi Vulnerability Severity Classification System v2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/).

| Severity | Bounty                                            |
| -------- | ------------------------------------------------- |
| Critical | 10% of funds at risk, up to $100,000, min $15,000 |
| High     | Range $5,000 to $15,000                           |
| Medium   | Flat $1,500                                       |
| Low      | Flat $500                                         |

### Scope

The bug bounty program does not cover the website, API or other supporting services. It only covers smart contracts that are considered part of the core protocol, which excludes any Helper Contracts. You can find the [smart contract codebase here](https://github.com/bounce-tech/bounce-smart-contracts).

### Rules and Requirements

* Critical and High reports must include a runnable PoC against a local fork of Hyperliquid.
* Any issues that have been raised in a previous audit report are not eligible for bounties. You can see [previous reports here](https://bounce.tech/audits).
* Duplicates after the first valid report are not eligible.
* Chained bugs are evaluated by the highest-severity impact.
* Reporters who exploited the bug themselves before reporting are ineligible, and such exploitation may trigger legal action.
* Payouts are conditional on completion of KYC and sanctions screening to the satisfaction of the Bounce Foundation. The Foundation reserves the right to withhold payment where screening cannot be completed or where payment would breach applicable sanctions or AML laws.
* Current or former Bounce team members, paid auditors of the affected code, and their immediate family are not eligible.
* Bounties will be paid in fiat, within 14 days of fix deployment, or within 30 days of report acceptance for criticals where the fix takes longer.
* No bug submission is eligible if it has already been included in a historic paid bug bounty (see below).

### Submissions

All bug bounty submissions can be made by messaging `chase_9128` on Telegram.

### Paid Bug Bounties

#### 28th April 2026: perpUsdc clamps negative values (Low)

The `perpUsdc` functions in the Hyperliquid Handler clamp negative values returned by Hyperliquid. If a perp position on Hyperliquid were to be negative due to system failure, this could result in Bounce Tech failing to account for these negative values in the exchange rate. Remediation is to properly account for negative values and propagate them through to the exchange rate for accounting.

#### 29th April 2026: executeRedemptionFee not charged when baseAmount is zero (Low)

When `baseAmount` is zero, `_redemptionFee` returns 0 early. However, if it is a prepare redeem, gas costs are still incurred for processing a zero amount, so `executeRedemptionFee` should still be charged. Remediation is charging `executeRedemptionFee` in this case. Note that this also solves a potentially undesirable behaviour where users may not want to receive a zero amount for their prepare redeem, and would rather keep their leveraged tokens in this case.

