Auditor | Scope | Completed |
---|---|---|
OShield | Loopscale Protocol | 02-25-2025 |
sec3 | Loopscale Protocol | 05-19-2025 |
Highland Security | Loopscale Periphery (Etherfuse Integration) | 07-11-2025 |
Adevar Labs | Loopscale Periphery (Integrations & Infrastructure Upgrades) | 07-31-2025 |

Bug Bounty Program
Loopscale offers a bug bounty program with rewards of up to $250,000. The goal of the program is to encourage security researchers to identify and responsibly disclose security vulnerabilities that may affect the Loopscale protocol. To report a bug, please read the information and instructions below.
Scope
The program covers the following:
- Core Loopscale program libraries
- Economic mechanisms, including liquidations
- Collateral pricing and oracle integrations
- Internal API endpoints and supporting backend services/infrastructure
Rewards
The rewards below are the maximum USD rewards for vulnerabilities dependent on their severity and origin.

Severity | Program | Application & Services |
---|---|---|
Critical | $250,000 | $50,000 |
High | $100,000 | $10,000 |
Medium | $10,000 | $5,000 |
Low | $2,500 | $500 |

Eligibility Requirements
To qualify for a reward under this program, you must:
- Identify a previously unknown, unreported vulnerability within the scope described above.
- Provide sufficient description of the vulnerability such that our team can replicate and resolve the vulnerability.
- Report the vulnerability privately without exploiting the vulnerability, including publicizing or otherwise profiting from the vulnerability.
- Not be subject to OFAC sanctions or reside in a country under OFAC embargo.
- Not be a current or former employee, vendor, or contractor involved in the development of code related to the reported vulnerability.
Out-of-Scope
The following vulnerabilities or issues are explicitly out-of-scope and will not qualify for rewards:
- Previously reported or publicly known vulnerabilities
- Issues documented clearly in code comments, READMEs, or official documentation
- Findings from prior audits or identified in non-production branches
- Third-party service integration failures or misconfigurations
- Configuration errors by Vault Curators
- SPL token compatibility edge cases without direct security impact
- Email deliverability issues, including those caused by incorrect DKIM, SPF, or DMARC configurations
- Clickjacking or other UI redress attacks that do not result in direct theft, locking, or loss of funds
- Basic economic or governance-based attacks (e.g., 51% attacks)
- Attacks involving phishing or social engineering techniques
- Reports of secrets, API keys, or credentials publicly available without proof of active exploitation
- Best practice recommendations and feature requests
- Issues strictly related to test files, scripts, or testing configurations
- Subdomain takeovers, SSL/TLS certificate issues, and open redirect vulnerabilities without direct security impact
How to Submit
Send your report to security@loopscale.com and include:
- A clear description of the vulnerability
- Steps to reproduce the issue (screenshots or PoC encouraged)
- Affected components or programs