Mezo Bug Bounty
Maximum reward
$500,000
Severity / Max. Reward
Critical: $500,000
High: $100,000
Medium: $50,000
Low: $10,000
Deposit required
$30
Findings submitted
64
Start date
13 May 2026
Mezo is a Bitcoin finance protocol that enables everyday financial services using Bitcoin. Built on a hybrid EVM-compatible architecture (Cosmos SDK + CometBFT consensus via the mezod client), Mezo allows users to borrow against BTC collateral, mint MUSD (a Bitcoin-backed stablecoin), earn yield through vaults and liquidity pools, and participate in governance. The protocol uses BTC as its native gas token.
Key components include the Mezo chain core (mezod), MUSD lending/borrowing smart contracts, cross-chain bridges (Wormhole NTT for MUSD and MEZO token), Mezo Passport (account abstraction and wallet connection), Mezo Earn (veBTC/veMEZO locking, voting, pools, vaults), and oracle infrastructure. Mezo is built by Thesis - creators of tBTC - with 10+ years dedicated to expanding Bitcoin's utility. The protocol has been audited by Quantstamp, Halborn, Cantina, OtterSec, and Thesis Defense.
Documentation
- Smart contract documentation and developer guides
- MUSD documentation
- Bridge architecture
- Contract addresses
- Audit reports
Severity Definitions
Severity is assessed based on impact to user funds, protocol integrity, and system availability.
Critical
- Manipulation of a governance vote such that the enacted result deviates from the voted outcome, directly changing the intended effect of the original result
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Protocol insolvency
High
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds for more than 1 week
Medium
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Unbounded gas consumption
Low
- Contract functions are affected, but without loss of funds or other severe impact
In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.
Prohibited Actions
The following actions are prohibited. Researchers who violate these rules will be disqualified and may face legal action.
- No live testing on public chains. Do not interact with mainnet funds or accounts you do not own. Do not attempt to exploit bridge contracts (Wormhole NTT) on production networks.
- No denial-of-service attacks against Mezo validators or RPC endpoints.
- No public disclosure of bugs. Do not submit vulnerabilities publicly (Discord, Twitter, on-chain) before Mezo has acknowledged and deployed a fix. All findings must be submitted via the Cantina platform.
- Conflict of interest. Avoid potential conflicts of interest, such as attempting to exploit the program itself or testing outside of defined scope.
Other Terms
By submitting findings to this program, researchers agree to confidentiality and to coordinated disclosure through the Cantina platform.
Eligibility
The bounty rewards are subject to compliance with local laws, rules, and regulations. To be eligible to participate in the Program, you must not (a) be a citizen or resident of a country in which use or participation is prohibited by law, decree, regulation, treaty, or administrative act; (b) be a citizen or resident of, or located in, a country or region that is subject to U.S. or other sovereign sanctions or embargoes; (c) be an individual who is, or is employed by or associated with an entity that is, identified on the U.S. Department of Commerce's Denied Persons or Entity List, the U.S. Department of the Treasury's Specially Designated Nationals or Blocked Persons List, or the Department of State's Debarred Parties List, or otherwise ineligible to receive items subject to U.S. export control laws and regulations or to the economic sanction rules of any sovereign nation; (d) be under 18 years old (if you are at least 18 years old but considered a minor in your place of residence, you must obtain consent from your parents or legal guardians before enrolling in the Program); or (e) be an employee or individual closely associated with the project, or a security auditor who directly or indirectly participated in the audit review.
Intellectual Property, Grants, and Ownership
Intellectual Property Rights and Ownership
We retain all intellectual property rights in our products including, without limitation, all our source code and associated related binaries. Nothing herein shall grant you any right in any part of our products, or any improvement or derivative in any deliverable you provide us. You agree that to the extent required to abide by these Terms, you will waive any and all rights that may otherwise accrue to you in such deliverable and agree that we will not be obliged to license back any derivative or improvements of the delivered work to you.
Grants to Mezo
By submitting a work deliverable to us, you represent and warrant that your submission is an original work of authorship and does not violate any applicable law or any third party intellectual property rights. Furthermore, you grant us a royalty-free, fully paid-up, perpetual, non-revocable, exclusive, worldwide, transferable, and sub-licensable license in respect of such work deliverable and any feedback thereto. We will not have an obligation to utilize any item you provide us. You waive any compensation related to the incorporation of any materials in a deliverable or any feedback provided to us into our products and services.
Privacy
To receive a bounty reward, you must provide us with your personal information to conduct a Know Your Customer ("KYC") process to ensure the eligibility requirements are met.
The following details must be provided:
- Full name
- Date of birth
- A copy of your passport or other government-issued ID
- Your crypto wallet address
Supernormal is committed to protecting and respecting your privacy. Any access and use of your personal information will be subject to applicable law and our privacy policy available at https://www.supernormal.foundation/privacy-policy.