Superform Bug Bounty Program

@superform-xyz (Live)

  • Maximum reward: 100,000 USDC + $UP (Critical: 100,000 USDC + $UP; High: 20,000 USDC + $UP)
  • Deposit required: $20
  • Findings submitted: 37
  • Start date: 1 May 2026
  • KYC: Required to join


In scope

Severity and reward range (min to max):

  • Critical: 20,000 USDC + $UP to 100,000 USDC + $UP
  • High: 5,000 USDC + $UP to 20,000 USDC + $UP

Solidity contracts powering Superform v2 - including SuperVaults, the validator-attested PPS oracle, dual Merkle hook validation, the SuperVaultAggregator, and supporting periphery. All contracts under /src in the in-scope repositories are eligible except those explicitly marked deprecated or in-development.

Special Focus Areas

  • PPS oracle signature/quorum validation and validator set integrity
  • Dual Merkle hook validation (global root and strategy root)
  • SuperVaultAggregator timelock flows on hook-root, fee, and primary strategist updates
  • Banned-hook-leaf enforcement
  • Monotonicity, rate-limit, deviation, and dispersion checks at the strategy level
  • Post-unpause skim, upkeep withdrawal, primary strategist update, and fee configuration timelocks
  • Authorization controls on upkeep balance, oracle subsidy, and other protocol-controlled funds

Reward Payment Structure

All Critical and High rewards are paid 50% in USDC on Base and 50% in $UP tokens on Base. $UP is valued using the 7-day volume-weighted average price from CoinGecko on the UTC date the report is accepted. Unless otherwise stated in writing, $UP rewards are transferred without protocol-imposed lockup or vesting. Network fees, taxes, and any compliance-related costs are the responsibility of the recipient.

Medium severity findings are paid at Superform's discretion in $UP only (no minimum, no fixed maximum). Low and Informational findings are not rewarded.

Deployment Addresses

Canonical list of deployed Superform v2 contracts and the chains they are live on: Superform Deployment Addresses.

Name: v2-periphery
Description: All contracts under /src, excluding any explicitly marked deprecated or in-development. Latest main at time of submission.

Out of scope

Default Out of Scope

Standard out-of-scope items per the Cantina Bug Bounty Out-of-Scope Policy.

Out of Scope

The following are explicitly excluded from this program in addition to the Cantina Bug Bounty Out-of-Scope Policy.

Scope Exclusions

  • Any finding already surfaced in Superform's published audit reports (including but not limited to Orion, Cantina Competition, Node Security, Cantina Code, Sujith Somraaj, Octane Security, 0xMacro, GetRecon).
  • Anything in Superform v1 contracts.
  • Any contract or feature which is deprecated or in active development.
  • Any chain or network that Superform contracts are not deployed on.

Privileged-Role and Trust-Model Exclusions

  • Any attack that requires compromise of a privileged role (SuperGovernor, Primary Strategist, Secondary Strategist, Guardian, Validator). These roles are trusted by design. A vulnerability that lets an attacker bypass, forge, or simulate privileged authority could still be in scope.
  • Curator (primary and secondary manager) making suboptimal, risky, or malicious allocation decisions or vault configuration decisions. The curator role is trusted by design.
  • Scenarios requiring a majority or supermajority of PPS validators to be compromised or collude.

Market and External-Protocol Exclusions

  • Loss of funds in an underlying yield strategy due to that external protocol being exploited, paused, or failing.
  • Oracle or price feed manipulation at the underlying yield strategy level. Mispricing claims are in scope only where the report demonstrates a direct break of Superform's PPS validation, quorum, signature verification, monotonicity, deviation, rate-limit, or dispersion controls.
  • Attacks requiring control of an unrealistic proportion of vault shares (e.g. >50% of supply) to manipulate PPS. Deposit caps and curator limits make this impractical.
  • Loss attributable to external bridges, messaging layers, or third-party integrations.

Attack-Class Exclusions

  • Any form of gas griefing.
  • DoS attacks that do not produce loss of funds or freezing beyond normal pause recovery.
  • Front-running, sandwich attacks, MEV, and reorg-based attacks that do not exploit a protocol-level invariant.
  • Attacks requiring a chain reorganization or chain-level rollback.
  • Attacks only feasible on testnets or with centralized block builder cooperation.

Operational and Disclosure Exclusions

  • Any finding disclosed publicly before Superform has confirmed resolution in writing.
  • Any finding submitted by current or former Superform employees, contractors, or auditors who worked on the affected code.
  • Social engineering, phishing, physical attacks, or any attack targeting Superform team members or infrastructure outside the smart contracts themselves.
  • Any testing conducted against mainnet deployments, Superform-operated infrastructure, or third-party systems.

Known Issues

Findings matching any of the following characteristics are known and ineligible:

  • Any issue documented in Superform's published audit reports, including acknowledged-but-unfixed items. New exploit paths, bypasses of mitigations, or materially greater impacts may still be eligible.
  • Governance-controlled timelock parameters being set to low values by SuperGovernor - this is an intentional configuration lever.
  • Strategies entering a paused state after dispersion, deviation, participation, or staleness thresholds are crossed - this is intended circuit-breaker behavior, not a bug.
  • PPS being marked stale after unpause until a fresh oracle update - this is intended behavior.