Loopscale allocates time and resources to third-party security audits to mitigate risks associated with smart contracts. A second audit of the complete protocol scope is in progress and additional audits are planned.

Auditors   Scope                Date         Report
OShield    Loopscale Protocol   02-25-2025   loopscale-v1
sec3       Loopscale Protocol   05-16-2025

Bug Bounty Program

Loopscale offers a bug bounty program with rewards of up to $250,000. The goal of the program is to encourage security researchers to identify and responsibly disclose security vulnerabilities that may affect the Loopscale protocol. To report a bug, please read the information and instructions below.

Scope

The program covers the following:

  • Core Loopscale program libraries
  • Economic mechanisms, including liquidations
  • Collateral pricing and oracle integrations
  • Internal API endpoints and supporting backend services/infrastructure

The primary focus of the program is to prevent exploits resulting in the locking, loss, or theft of any funds.

Rewards

The figures below are the maximum USD rewards, which depend on the vulnerability's severity and on where it originates (the program itself or the application and services).

Severity   Program     Application & Services
Critical   $250,000    $50,000
High       $100,000    $10,000
Medium     $10,000     $5,000
Low        $2,500      $500

Eligibility Requirements

To qualify for a reward under this program, you must:

  1. Identify a previously unknown, unreported vulnerability within the scope described above.
  2. Provide sufficient description of the vulnerability such that our team can replicate and resolve the vulnerability.
  3. Report the vulnerability privately, without exploiting it, publicizing it, or otherwise profiting from it.
  4. Not be subject to OFAC sanctions or reside in a country under OFAC embargo.
  5. Not be a current or former employee, vendor, or contractor involved in the development of code related to the reported vulnerability.

Out-of-Scope

The following vulnerabilities or issues are explicitly out-of-scope and will not qualify for rewards:

  • Previously reported or publicly known vulnerabilities
  • Issues documented clearly in code comments, READMEs, or official documentation
  • Findings from prior audits or identified in non-production branches
  • Third-party service integration failures or misconfigurations
  • Configuration errors by Vault Curators
  • SPL token compatibility edge cases without direct security impact
  • Email deliverability issues, including those caused by incorrect DKIM, SPF, or DMARC configurations
  • Clickjacking or other UI redress attacks that do not result in direct theft, locking, or loss of funds
  • Basic economic or governance-based attacks (e.g., 51% attacks)
  • Attacks involving phishing or social engineering techniques
  • Reports of secrets, API keys, or credentials publicly available without proof of active exploitation
  • Best practice recommendations and feature requests
  • Issues strictly related to test files, scripts, or testing configurations
  • Subdomain takeovers, SSL/TLS certificate issues, and open redirect vulnerabilities without direct security impact

How to Submit

Send your report to [email protected] and include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue (screenshots or PoC encouraged)
  • Affected components or programs

You can expect a response within 24 hours.