Ammalgam Bug Bounty
Maximum reward
$25,000
Severity
Max. Reward
Critical$25,000
High$10,000
Deposit required
$50
Findings submitted
8
Start date
9 Jul 2026
Please sign in as a researcher to join the bounty.
Log inAmmalgam introduces a new primitive in decentralized finance: the Decentralized Lending Exchange (DLEX). By combining trading and lending into a single protocol, DLEX unlocks a level of capital efficiency that traditional platforms can't match, offering up to a 60% increase in yield for liquidity providers.
Protocol and security documentation is available in the Ammalgam security docs.
Severity Definitions
Only vulnerabilities that result in an on-chain loss of funds are eligible for a reward. Severity classification is secondary to this requirement: a finding must be reproducible in a proof-of-concept that demonstrates a loss of funds to the protocol's liquidity providers, using reasonably likely scenarios that are achievable without a malicious token or other conditions that would not be expected to occur on-chain.
Critical
- Direct theft of user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Protocol insolvency that cannot be recovered from through the protocol's bad debt handling logic
High
- A loss of funds that requires a specific precondition or a lower-likelihood scenario, but that can still occur under certain conditions
- Bypass of authorized-user (trusted address) functionality, for example an untrusted address invoking logic restricted to trusted addresses, resulting in a loss of funds
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds for more than one week
Issues that do not result in a loss of funds are not eligible for a reward (see the Out of Scope group for examples).
In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.
Prohibited Actions
- No live testing on public chains: Live testing on public or mainnet chains is explicitly prohibited to prevent unintended disruptions.
- No public disclosure of bugs: Do not publicly disclose any vulnerability before it has been addressed.
- Conflict of interest: Avoid any conflict of interest, including attempting to exploit the program itself or testing outside of defined hours or environments.