Mezo Bug Bounty

Mezo Bug Bounty

@mezo
Live

Maximum reward

$500,000

Severity

Max. Reward

Critical

$500,000

High

$100,000

Medium

$50,000

Low

$10,000

Deposit required

$30

Findings submitted

64

Start date

13 May 2026

Please sign in as a researcher to join the bounty.

Log in
InstructionsScope

In scope

Smart Contracts & Infrastructure

Severity

Min and Max Reward

Critical

Up to $500,000

High

$50,000 to $100,000

Medium

$10,000 to $50,000

Low

$1,000 to $10,000

Solidity contract files, validator infrastructure, and supporting documentation for the Mezo protocol. See contract addresses and audit reports for additional context.

Special Focus Areas

  • MUSD lending/borrowing logic and stablecoin issuance
  • Cross-chain bridge integrations (Wormhole NTT) for MUSD and MEZO token
  • veBTC/veMEZO locking, voting, pools, and vault accounting
  • Validator and consensus configuration
Name
Description
Asset
musd

MUSD lending/borrowing smart contracts

https://github.com/mezo-org/musd

validator-kit

Mezo Validator Kit

https://github.com/mezo-org/validator-kit

documentation

Mezo developer and user documentation

https://github.com/mezo-org/documentation

Out of scope

Out of Scope

The following issues are out of scope and not eligible for rewards.

For generic exclusions, see the Cantina Bug Bounty Out-of-Scope Policy.

Known Issues

  • Informational findings, design choices related to protocol
  • Issues that are ultimately user errors and can easily be caught in the frontend (e.g. transfers to address(0))
  • Rounding errors
  • Relatively high gas consumption
  • Extreme market turmoil vulnerability

Other Exclusions

  • Previous security reports
  • Expected behaviors such as trusted/untrusted roles and/or any accepted risks

Default Out of Scope

Standard out-of-scope items per the Cantina Bug Bounty Out-of-Scope Policy.