Bug Bounty Program
Overview
Help secure the Monolith protocol and earn rewards by responsibly disclosing security vulnerabilities.
Program Scope
In Scope
- Smart contracts in the Monolith protocol
- Frontend interfaces
- API endpoints
- Integration services
Out of Scope
- Third-party dependencies
- Known issues already disclosed
- Social engineering attacks
- DDoS attacks
Reward Structure
Critical Vulnerabilities
- Direct theft of funds
- Permanent loss of funds
- Complete protocol compromise
Reward: Up to $100,000 + percentage of recovered funds
High Severity
- Temporary loss of funds
- Significant protocol disruption
- Major functionality compromise
Reward: $10,000–$50,000
Medium Severity
- Limited loss of funds
- Temporary service disruption
- Data exposure without financial impact
Reward: $5,000–$10,000
Low Severity
- Minor issues
- Edge case problems
- Documentation issues
Reward: $1,000–$5,000
How to Participate
Step 1: Review Guidelines
Read our disclosure policy and testing guidelines carefully.
Step 2: Test Responsibly
- Only test on testnet/mainnet with permission
- Do not perform DoS attacks
- Respect rate limits
- Do not access private user data
Step 3: Report Findings
Send reports to: security@monolith.fi
Include:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fixes (optional)
Step 4: Wait for Response
- Initial response within 48 hours
- Vulnerability validation within 7 days
- Reward payment within 30 days of fix deployment
Disclosure Policy
- We follow responsible disclosure practices
- We commit to not pursuing legal action against good-faith researchers
- We ask that you allow us reasonable time to fix issues before public disclosure
Rules
- No public disclosure without permission
- No exploitation of vulnerabilities for personal gain
- No testing on mainnet without explicit approval
- One report per vulnerability
For questions about the bug bounty program: