Audits & Bug Bounty Program
Loopscale allocates time and resources to third-party security audits to mitigate risks associated with smart contracts. A second audit of the complete protocol scope is in progress and additional audits are planned.
Auditors | Scope | Date | Report |
---|---|---|---|
OShield | Loopscale Protocol | 02-25-2025 | loopscale-v1 |
sec3 | Loopscale Protocol | 05-16-2025 | |
Bug Bounty Program
Loopscale offers a bug bounty program with rewards of up to $250,000. The goal of the program is to encourage security researchers to identify and responsibly disclose security vulnerabilities that may affect the Loopscale protocol. To report a bug, please read the information and instructions below.
Scope
The program covers the following:
- Core Loopscale program libraries
- Economic mechanisms, including liquidations
- Collateral pricing and oracle integrations
- Internal API endpoints and supporting backend services/infrastructure
The primary focus of the program is to prevent exploits resulting in the locking, loss, or theft of any funds.
Rewards
The rewards below are the maximum USD rewards for vulnerabilities dependent on their severity and origin.
Severity | Program | Application & Services |
---|---|---|
Critical | $250,000 | $50,000 |
High | $100,000 | $10,000 |
Medium | $10,000 | $5,000 |
Low | $2,500 | $500 |
Eligibility Requirements
To qualify for a reward under this program, you must:
- Identify a previously unknown, unreported vulnerability within the scope described above.
- Provide sufficient description of the vulnerability such that our team can replicate and resolve the vulnerability.
- Report the vulnerability privately, without exploiting, publicizing, or otherwise profiting from it.
- Not be subject to OFAC sanctions or reside in a country under OFAC embargo.
- Not be a current or former employee, vendor, or contractor involved in the development of code related to the reported vulnerability.
Out-of-Scope
The following vulnerabilities or issues are explicitly out-of-scope and will not qualify for rewards:
- Previously reported or publicly known vulnerabilities
- Issues documented clearly in code comments, READMEs, or official documentation
- Findings from prior audits or identified in non-production branches
- Third-party service integration failures or misconfigurations
- Configuration errors by Vault Curators
- SPL token compatibility edge cases without direct security impact
- Email deliverability issues, including those caused by incorrect DKIM, SPF, or DMARC configurations
- Clickjacking or other UI redress attacks that do not result in direct theft, locking, or loss of funds
- Basic economic or governance-based attacks (e.g., 51% attacks)
- Attacks involving phishing or social engineering techniques
- Reports of secrets, API keys, or credentials publicly available without proof of active exploitation
- Best practice recommendations and feature requests
- Issues strictly related to test files, scripts, or testing configurations
- Subdomain takeovers, SSL/TLS certificate issues, and open redirect vulnerabilities without direct security impact
How to Submit
Send your report to [email protected] and include:
- A clear description of the vulnerability
- Steps to reproduce the issue (screenshots or PoC encouraged)
- Affected components or programs
You can expect a response within 24 hours.