Ondo Perps

Ondo Perps

@OndoPerps
Live

Maximum reward

$1,500,000

Severity

Max. Reward

Critical

$1,500,000

High

$100,000

Medium

$20,000

Low

$1,000

Deposit required

$20

Findings submitted

10

Start date

2 Jun 2026

KYC

Required to join

Please sign in as a researcher to join the bounty.

Log in

Ondo Perps is a platform for perpetual futures on equities, indices, and commodities with up to 20x leverage and 24/7 trading. The first-of-its-kind permissionless platform is designed to unlock liquidity, execution speed, and capital efficiency that rivals traditional derivatives exchanges. It is powered by Ondo Finance technology, which also powers the institutional-grade infrastructure behind Ondo Global Markets, the world's largest tokenized stocks platform. Accessible worldwide outside the U.S., Panama, and other prohibited jurisdictions. Made available by Ondo Global (Panama) Inc.

Rewards are provided in USDC on Ethereum, denominated in USD.

Severity Definitions

Vulnerabilities are classified by Impact and Likelihood. The combination determines the severity and guides the reward amount.

Critical

Vulnerabilities that demonstrate a direct, reproducible, and unauthorized path to one or more of the following impacts:

  • Loss, theft, permanent freezing, or unauthorized movement of user or protocol funds at large scale.
  • Unauthorized access to wallet private keys, signing material, or systems capable of authorizing movement of user or protocol funds at large scale.
  • Unauthorized control of custody, wallet, settlement, withdrawal, or administrative infrastructure where that control directly enables large-scale loss, theft, freezing, or unauthorized movement of funds.

The following do not qualify as Critical unless they directly enable one of the impacts above: business disruption, denial of service, data exposure, account takeover, access to internal systems, compromise of non-fund-bearing infrastructure, or impact limited to a single user or self-owned accounts.

High

Vulnerabilities that demonstrate a direct, reproducible path to material financial, operational, or market-integrity impact, but do not meet the standard for Critical severity:

  • Incorrect pricing, valuation, or accounting behavior that results in material financial loss or extractable value.
  • Significant monetary loss to users or the protocol, where the loss is material but not widespread or large-scale enough to qualify as Critical.
  • Sustained business disruption affecting production systems that support deposits, withdrawals, trading, or other core financial workflows.

High severity does not include speculative market impact, temporary service degradation, informational issues, isolated user inconvenience, low-value accounting discrepancies, or vulnerabilities requiring privileged access, social engineering, third-party compromise, or assumptions outside the stated scope.

Medium

Vulnerabilities that demonstrate a direct, reproducible security or operational impact, but do not meet the thresholds for Critical or High severity:

  • Account impersonation, session confusion, authorization bypass, or identity-mapping flaws that allow an attacker to act as, appear as, or submit requests on behalf of another user, but do not directly enable material financial loss or unauthorized fund movement.
  • Notable degradation of order placement, withdrawal, transfer, settlement, or other core financial workflows, where the degradation is reproducible and affects a meaningful number of users or materially impairs normal use.
  • Unauthorized freezing, pausing, blocking, cancellation, delay, or state change affecting accounts, orders, transactions, deposits, withdrawals, or transfers, where the impact is meaningful but temporary, reversible, or limited in scope.

Medium severity does not include cosmetic issues, rate-limit observations without demonstrated impact, low-sensitivity metadata exposure, temporary inconvenience, minor latency, theoretical impersonation concerns, or issues affecting only the reporter's own account unless the report demonstrates impact to other users or production workflows.

Low

Vulnerabilities that demonstrate a direct, reproducible weakness with limited but concrete security impact:

  • Minor monetary loss, bounded abuse, or limited extractable value that does not meet the Medium, High, or Critical thresholds.
  • Localized exploitation within a constrained environment, where the impact is limited to non-sensitive functionality, a single user context, or a narrow workflow and does not affect funds, pricing, settlement, account integrity, or sensitive information.
  • Security misconfigurations that create a plausible but limited security risk to an in-scope production asset.
  • Web application security issues that are practically exploitable but do not cause sensitive information exposure, account impersonation, material workflow disruption, or financial loss beyond the Low threshold.

Low severity does not include automated AI or scanner output without validation, best-practice recommendations, speculative attack paths, self-XSS, open redirects without credential or authorization impact, or clickjacking without a sensitive action. A finding is not eligible if it proves only that a vulnerability pattern exists; the report must show why the issue matters.

Likelihood

  • High: Very easy to exploit or highly incentivized.
  • Medium: Exploitation is possible under certain conditions.
  • Low: Difficult to exploit or requires very specific conditions.

In addition to the above definitions, we may also use the Cantina Bug Bounty Severity Classification Framework to determine severity.

Prohibited Actions

  • No public disclosure without consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
  • No exploitation or data exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
  • No conflict of interest: Individuals currently or formerly employed by Ondo Global (Panama) Inc., or who contributed to the development of the affected code, are ineligible to participate.
  • Do not perform high-volume testing.

Disclosure Requirements

Please report vulnerabilities directly to the Cantina platform. Include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue (proof of concept preferred).
  • Conditions under which the issue occurs.
  • Potential implications if exploited.

Reports should be made as soon as possible, ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within scope.
  • Provide sufficient information to reproduce and fix the issue.
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission.
  • Comply with all program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:

  • Official contributors, both past or present.
  • Employees and/or individuals closely associated with the project.
  • Compensated team members of Ondo Global (Panama) Inc. or any of its affiliates.
  • Third-party vendors, suppliers, and service providers to Ondo Global (Panama) Inc. or any of its affiliates, and team members of those third parties.
  • Businesses or organizations that are not Ondo Global (Panama) Inc. affiliates but hold or have held assets considered critical infrastructure covered under the bug bounty program; third-party vendors, suppliers, and service providers to those businesses or organizations; and team members of those businesses, organizations, or third parties.
  • Security auditors that directly or indirectly participated in the review of the impacted code.

KYC: Ondo Global (Panama) Inc. will request KYC information in order to pay for successful bug submissions. The following information will be required: full name, date of birth, proof of address (either a redacted bank statement with address or a recent utility bill), and a copy of a passport or other government-issued ID.

Other Terms

By submitting a report, you grant Ondo Global (Panama) Inc. the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions, eligibility, and actual reward amounts are determined by Ondo Global (Panama) Inc. in its sole discretion, based on factors including report quality, completeness, severity, exploitability, and practical impact.

The terms, conditions, and scope of this program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.

Once a finding is deemed valid and the payout amount is confirmed, Cantina will coordinate any required KYC or compliance process with the researcher. Subject to successful completion of any required KYC or compliance checks, Cantina will invoice Ondo Global (Panama) Inc and, following receipt of payment, process the payout to the researcher.

Payout Guidance

For vulnerabilities involving potential loss or theft of funds, Ondo Global (Panama) Inc. generally uses 10% of reasonably estimated funds at risk, capped at the maximum payout for the applicable severity category, as a reference point when determining bounty amounts.

Final payouts remain at Ondo Global (Panama) Inc.'s sole discretion. Funds at risk can be difficult to assess and may depend on exploitability, attacker assumptions, mitigations, protocol limits, available liquidity, duration of exposure, and other practical constraints. Accordingly, the 10% figure is guidance only and does not guarantee any specific payout.