ILLUSTRATIVE · Bug bounty data is illustrative. No live bounty program exists.
Security · responsible disclosure · paid in USDG

Break it. We'll pay you up to $1,000,000 USDG.

The EquiFlow vault holds tokenized stocks pledged by thousands of borrowers. Every line that touches vault.pledge() or vault.borrow() has been audited twice. We'd rather pay you to find the bug than read about it on Twitter. Submit via Immunefi, encrypted, with a working PoC.

  • Highest paid to date: $480K · EQ-2026-114 · USDG mint bypass
  • Bounty pool: $2.10M · USDG · fully funded
  • Highest single payout: $480K · Critical · in-scope
  • Paid YTD: $1.41M · 19 valid reports · 2026
  • Avg triage time: 38h · from submission to severity decision
  • Audit coverage: 100% · every in-scope LOC · 2 firms
  • Rewards: USDG · paid within 14 days

Severity tiers

Severity follows Immunefi's vulnerability classification. Final payout is scaled by economic impact, exploitability, and quality of disclosure.

Read the classification ↗
| Severity | Reward range (USDG) | Example findings |
|---|---|---|
| Critical | $250,000 – $1,000,000 | Theft of user funds, permanent freezing of vault collateral, infinite USDG mint, oracle manipulation draining a market. |
| High | $50,000 – $250,000 | Theft of yield, temporary freezing of vault for >24h, bypass of liquidation bonus, governance vote manipulation under quorum. |
| Medium | $10,000 – $50,000 | Griefing that costs users >$10K, DoS of a single oracle adapter, fee accounting drift, accessor bypass on view-only methods. |
| Low | $2,500 – $10,000 | Off-by-one rounding in interest accrual, frontend phishing surface, gas griefing, minor event-emission mismatches. |
| Informational | $500 – $2,500 | Best-practice deviations, missing input validation that cannot be reached, hardcoded magic numbers, doc/inline-comment mismatches. |

Payout currency: USDG · settled on Robinhood Chain L2
Payout time: ≤ 14 days after fix is live in production
Duplicates: first valid report wins · subsequent reports get a $500 referral
In scope · 4 contracts · 4,712 LOC

Assets in scope

Source is open. Run forge tests against the testnet fork before submitting.

| Contract | Source · LOC | Address | Audit | Scope notes |
|---|---|---|---|---|
| EquiFlowVault | src/vault/EquiFlowVault.sol · 2,840 LOC | 0x7c4F12a1B30002 | Audited · Trail of Bits · OpenZeppelin | Pledge / borrow / repay / withdraw / liquidate paths. Interest model. Risk param storage. All non-view entrypoints. |
| USDGStable | src/stable/USDGStable.sol · 720 LOC | 0x91a2c4FfF90123 | Audited · OpenZeppelin · Spearbit | Mint authority gating, pause hooks, blocklist behavior, ERC-20 invariants. Off-chain reserve attestation is OUT of scope. |
| OracleAdapter | src/oracle/PythAdapter.sol · 612 LOC | 0x33dF8a2b3a2B11 | Audited · Trail of Bits · Zellic | Pyth pull-update verification, staleness guard, circuit-breaker thresholds, fallback feed routing. |
| SmartAccountFactory | src/aa/SmartAccountFactory.sol · 540 LOC | 0x00170f8AF4d5B2 | Audited · OpenZeppelin | ERC-4337 account deployment, session-key permissioning, paymaster gating, signature validation paths. |
Out of scope

What we won't pay for

Submissions in these categories will be marked invalid and closed. A first invalid submission does not count against your validity ratio, but repeated invalid submissions lead to program-level rate limiting.

  1. Third-party dependencies — Pyth Network, Permit2, OpenZeppelin libraries (report upstream)
  2. Off-chain frontend issues unless they result in loss of user funds (CSRF, XSS, etc. — go to the web bounty)
  3. Issues requiring control of >50% of EQUI voting power or compromise of the governance multisig
  4. Already-known issues listed in the latest audit reports or our public issue tracker
  5. Theoretical attacks without a working PoC against the testnet deployment
  6. Best-practice violations with no demonstrable impact (e.g., missing NatSpec, gas optimizations)
  7. Front-running / MEV that is inherent to public blockchains and does not violate documented invariants
  8. Issues on testnet faucet contracts, demo scripts, or anything under examples/
How to submit · four steps

From a broken invariant to a paid reward.

01 · Research
Fork the testnet, run the forge suite, identify a violated invariant. We publish the full invariant list in docs/SECURITY.md — every one of them is a paid finding if you break it.

02 · Encrypt PoC
Bundle the PoC, root-cause writeup, and fix recommendation. Encrypt under the EquiFlow Labs PGP key (fingerprint 4A2C 91DE … 9013). Plaintext disclosures are not accepted.

03 · Submit via Immunefi
File the encrypted payload at immunefi.com/bounty/equiflow. Include a Robinhood Chain testnet tx hash demonstrating the exploit. Optional: anonymous handle for payout.

04 · Triage
We acknowledge within 24h, propose a severity within 72h, and pay within 14 days of fix-deploy. You get final approval on the public writeup. Confidential indefinitely if you prefer.

Ready to submit? security@equiflow.xyz · PGP 4A2C 91DE 7F4B C821 9013 5E0A
Hall of fame · paid researchers

Top researchers

Names appear with researcher consent only. Anonymous payouts are routed via Immunefi and not listed here.

Ranked by lifetime payout

| Rank | Researcher | Lifetime payout | Valid reports | Highest finding |
|---|---|---|---|---|
| #1 | researcher-1 | $480K | 3 | Critical · USDG mint bypass |
| #2 | researcher-2 | $313K | 5 | Critical · oracle staleness window |
| #3 | researcher-3 | $184K | 4 | High · liquidation bonus drain |
| #4 | researcher-4 | $142K | 7 | High · session-key escalation |
| #5 | researcher-5 | $95K | 6 | Medium · interest accrual drift |
| #6 | researcher-6 | $68K | 4 | Medium · paymaster gas griefing |
| #7 | researcher-7 | $53K | 3 | Medium · accessor bypass |
Disclosure policy · v2.1

Safe harbor for good-faith research

We follow the Immunefi standard. Researchers who act in good faith and within scope have full legal protection from EquiFlow Labs and the DAO, and will be indemnified against third-party claims arising from their disclosure.

EquiFlow Labs, the EquiFlow DAO, and any subsidiary will not initiate or support legal action against security researchers acting in good faith under this policy. We grant you safe harbor for: accessing testnet contracts, transferring no more value than necessary to demonstrate the issue, and disclosing in private to our triage team first.

In exchange, we ask that you do not publicly disclose a vulnerability before a fix is live in production, do not attempt to access or modify another user's funds beyond what is strictly necessary for a proof of concept, and do not exploit the bug for personal gain. Sharing the vulnerability with any third party before disclosure forfeits your reward.

— EQUIFLOW DAO · GOVERNANCE PROPOSAL EQUI-0024 · RATIFIED 2026-02-11
Recent reports · 90-day window

Recent disclosures

Live reports are redacted until a fix is shipped. Resolved reports include the full root-cause analysis once disclosed.

Full archive ↗
| ID | Submitted | Severity | Title | Status | Researcher | Reward |
|---|---|---|---|---|---|---|
| EQ-2026-117 | 3 days ago | — | CONFIDENTIAL · IN TRIAGE | IN TRIAGE | [redacted] | pending |
| EQ-2026-116 | 8 days ago | — | CONFIDENTIAL · IN TRIAGE | IN TRIAGE | [redacted] | pending |
| EQ-2026-114 | 27 days ago | CRITICAL | USDG mint bypass via reentrant pledge in same block | RESOLVED | researcher-1 | +$480K |
| EQ-2026-112 | 41 days ago | HIGH | Liquidation bonus paid twice when liquidator == borrower | RESOLVED | researcher-3 | +$132K |
| EQ-2026-109 | 62 days ago | HIGH | Oracle staleness window allows stale-feed liquidation on TSLA | RESOLVED | researcher-2 | +$175K |