Reserve Protocol Bug Bounty

@reserve-protocol
Live

Maximum reward: $10,000,000

| Severity | Max. Reward |
| --- | --- |
| Critical | $10,000,000 |
| High | $100,000 |
| Medium | $5,000 |
| Low | $1,000 |

Deposit required: $10
Findings submitted: 21
Start date: 26 Mar 2026

The Reserve project is guided by the belief that everyone should be able to own their share of the world's wealth. Its platform lets anyone hold and transfer an entire portfolio of tokenized assets as a single unit, so as more of the world's wealth moves onchain, anyone can own their share of it.

This lays the groundwork for asset-backed currency: money backed by real assets rather than inflationary fiat that loses purchasing power over time. When people earn more than they spend while holding value this way, they steadily build ownership of a share of the world’s wealth.

Reserve is not just a platform. It’s a coordinated universe of protocols, products, and partners working to make this belief real in practice.

Rules & Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within scope.
  • Provide sufficient information to reproduce and fix the issue.
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission.
  • Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Disclosure Policy

Please report vulnerabilities directly through the Cantina platform. Include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue (proof of concept preferred).
  • Conditions under which the issue occurs.
  • Potential implications if exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Prohibited Actions

  • No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
  • No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
  • No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
  • No Conflict of Interest: Individuals currently or formerly employed by Reserve Protocol, or who contributed to the development of the affected code, are ineligible to participate.

Risk Classification Matrix

Severity is determined by the combination of Impact and Likelihood:

| Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
| --- | --- | --- | --- | --- |
| Likelihood: High | Critical | High | Medium | Low |
| Likelihood: Medium | High | High | Medium | Low |
| Likelihood: Low | Medium | Medium | Low | Informational |

Likelihood Definitions

  • High: Very easy to exploit or highly incentivized.
  • Medium: Exploitation is possible under certain conditions.
  • Low: Difficult to exploit or requires very specific conditions.

Smart Contract Impact Definitions

  • Critical: Any governance voting result manipulation; direct theft of any user funds (at-rest or in-motion, other than unclaimed yield); permanent freezing of assets.
  • High: Theft of unclaimed yield; permanent freezing of unclaimed yield; protocol insolvency.
  • Medium: Temporary freezing of RToken ERC20 functionality; temporary freezing of funds; griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol).
  • Low: Contract fails to deliver promised returns, but does not lose value; theft of gas; unbounded gas consumption that does not cause a more severe bug.

KYC Requirements

Reserve has a KYC requirement for bug bounty payouts. Anyone who receives $600 or more will need to provide either a US taxpayer W-9 form, or a W-8BEN declaring that they are not a US taxpayer subject to withholding. KYC information is only required on confirmation of the validity of a bug report.

If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.

Other Terms

By submitting a report, you grant ABC Labs the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Reserve Protocol. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.

Note: Actual reward amounts are determined at Reserve Protocol's sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.