Superform Bug Bounty Program
Maximum reward: 100,000 USDC + $UP
Severity / Max. Reward:
- Critical: 100,000 USDC + $UP
- High: 20,000 USDC + $UP
Deposit required: $20
Findings submitted: 35
Start date: 1 May 2026
KYC: Required to join
Superform is a non-custodial protocol that allows anyone to build and distribute onchain financial products. SuperVaults allocate user deposits across yield strategies via curator-defined hooks, with onchain price-per-share (PPS) accounting secured by a validator-attested oracle and dual Merkle hook validation.
This program rewards security researchers who responsibly disclose previously unknown vulnerabilities in Superform v2 smart contracts.
Severity Definitions
Final severity and reward amount may consider maximum demonstrated loss, affected TVL, number of affected vaults or users, exploit complexity, required capital, preconditions, quality of PoC, clarity of report, ease of remediation, and whether the report identifies a broader vulnerability class.
Impact Definitions
- Critical - Direct, irrecoverable loss of user funds, or protocol-wide compromise of PPS accounting that produces loss of funds at scale, including impact across multiple SuperVaults, a material percentage of affected TVL, or an unbounded class of users.
- High - Theft or permanent freezing of unclaimed fees, yield, or a bounded subset of user funds.
- Medium - Limited financial damage, accounting inaccuracies that don't place funds at imminent loss, or temporary freezing of funds below the high-severity threshold.
- Low / Informational - Code quality, defense-in-depth suggestions, or edge cases with no realistic exploitation path. Not rewarded.
Likelihood Definitions
- High - Exploitable with publicly available tooling, no special access, no unrealistic market conditions.
- Medium - Exploitable under specific but plausible conditions.
- Low - Requires a highly specific confluence of events, attacker-funded market manipulation, or edge-case state.
In-Scope Impacts
The following impact categories are eligible, provided the exploit path does not rely on any item listed in the out-of-scope sections.
Critical Impacts
- Direct theft of principal from any SuperVault without privileged role compromise.
- Permanent freezing of user funds in any SuperVault or periphery contract.
- Unauthorized minting or inflation of SuperVault shares.
- Bypass of the PPS oracle's signature or quorum validation that allows posting a fraudulent PPS on behalf of the validator set.
- Bypass of the dual Merkle hook validation (global root or strategy root) that allows executing a hook + parameter combination not present in the active tree.
- Bypass of the SuperVaultAggregator's timelock flow on hook-root, fee, or primary strategist updates, in a way that enables loss of funds.
- Draining of the upkeep balance, oracle subsidy, or other protocol-controlled funds without authorization.
High Impacts
- Theft of unclaimed protocol fees or yield accruals.
- Temporary freezing of user funds for >48 hours (excluding time attributable to Superform's or curator's own pause/unpause response).
- Permanent or long-duration denial of PPS updates that forces extended strategy pause states beyond normal recovery.
- Bypass of individual banned-hook-leaf enforcement, allowing a banned leaf to execute.
- Breaking the monotonicity, rate-limit, deviation, or dispersion checks at the strategy level in a way that produces a mispriced PPS.
- Bypass of post-unpause skim, upkeep withdrawal, primary strategist update, or fee configuration timelocks.
Medium Impacts (discretionary, paid in $UP only)
- Accounting inaccuracies that do not place funds at loss and are not caught by existing invariant tests.
- Bypass of a secondary validation layer where a primary layer still catches the attack.
- Edge cases in pause/unpause state transitions that do not produce loss.
In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.
Proof of Concept Requirements
A working PoC is required for all submissions. Submissions without a reproducible PoC will be rejected.
Acceptable PoC formats:
- Foundry or Hardhat test against a local fork of the relevant mainnet deployment. Report must include tested commit hash.
- Self-contained test demonstrating the invariant break.
PoCs must NOT be executed against mainnet or any Superform-operated testnet. Testing must be done on local forks.
Eligibility
To be eligible for a reward, the researcher must:
- Be the first to submit a previously unknown, in-scope vulnerability with a working PoC.
- Not be a current or former Superform employee, contractor, or auditor who contributed to the affected code in the past 12 months.
- Not be a resident of a sanctioned jurisdiction.
- Complete KYC before payout is processed.
- Not have exploited the vulnerability.
- Not publicize the vulnerability in any way unless Superform directly authorizes disclosure.
- Not have disclosed the vulnerability to any third party unless Superform directly authorizes disclosure.
Prohibited Actions
- No testing against mainnet deployments, Superform-operated infrastructure, or third-party systems. PoCs must run on local forks only.
- No public disclosure of any finding before Superform has confirmed resolution in writing.
- No disclosure of any finding to third parties unless Superform directly authorizes disclosure.
Other Terms
Reward amounts and severity classification are determined at Superform's sole discretion, consistent with the criteria above. Superform reserves the right to update this program at any time; participants are responsible for reviewing the current version before submitting.
All findings must be disclosed exclusively through the Cantina platform.