RedStone Bug Bounty

@RedStone
Live

Maximum reward: $250,000

| Severity | Max. Reward |
| Critical | $250,000    |
| High     | $50,000     |
| Medium   | $10,000     |
| Low      | $1,000      |

No deposit required

Findings submitted: 18

Start date: 1 Nov 2025

RedStone is the fastest growing oracle, specialising in yield-bearing collateral for lending markets and securing $10bn+. Our clients include blue chip DeFi protocols such as Spark, Morpho, Compound, Pendle, Venus, Lido, EtherFi, Ethena, Puffer, Balancer, Lombard, Enzyme, Frax, Agora, M^0 and 80+ other clients. RedStone is also the official oracle provider for Securitize assets such as BUIDL (BlackRock), ACRED (Apollo) and others. RedStone provides a wide variety of in-demand assets such as LSTs, LRTs, Bitcoin LSTs and many others.

Prohibited Actions

  • No Unauthorized Testing on Production Environments:
    Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

  • No Public Disclosure Without Consent:
    Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

  • No Exploitation or Data Exfiltration:
    Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

  • No Conflict of Interest:
    Individuals currently or formerly employed by RedStone, or those who contributed to the development of the affected code, are ineligible to participate.

Disclaimers and assumptions

  • We assume that the node operators behave honestly (we audit the code, not the cryptoeconomic incentives).
  • We assume the correctness of the underlying blockchain technology and consensus algorithms.
  • We assume that the sources (exchanges and DEXes) continuously report true values.

Disclosure Requirements

Please report vulnerabilities directly through the Spearbit/Cantina platform. Please include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue, ideally with a proof of concept.
  • Details on the conditions under which the issue occurs.
  • Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within the defined scope.
  • Provide sufficient information to reproduce and fix the vulnerability.
  • Not have exploited the vulnerability in any malicious manner.
  • Not have disclosed the vulnerability to third parties before receiving permission.
  • Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

| Severity Level     | Impact: Critical | Impact: High | Impact: Medium | Impact: Low   |
| Likelihood: High   | Critical         | High         | Medium         | Low           |
| Likelihood: Medium | High             | High         | Medium         | Low           |
| Likelihood: Low    | Medium           | Medium       | Low            | Informational |

Impact Definitions:

  • Critical: Leads to severe loss of user funds. An exploit that will lead to extraction of 10% of the funds protected by the RedStone oracle during typical market conditions.
  • High: Causes notable financial loss, permanent system disruption, widespread compromise or significantly harms user trust, but on a lesser scale than Critical (at least 1% of the funds protected by the RedStone oracle during typical market conditions).
  • Medium: Results in at least some financial damage (no minimum) to value.
  • Low/Informational: Minimal direct risk but may indicate areas for improvement.

Likelihood Definitions:

  • High: Very easy to execute independent of market and network conditions.
  • Medium: Exploitation is possible under certain but regularly occurring conditions.
  • Low: Difficult to exploit or requires very specific conditions.

Other Terms

By submitting a report, you grant RedStone the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of RedStone. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.