Midas Bug Bounty

@midas-app | Live

Maximum reward: $500,000

Severity    Max. Reward
Critical    $500,000
High        $25,000
Medium      $5,000
Low         $1,000

Deposit required: $20
Findings submitted: 1
Start date: 23 Mar 2026

Midas is a platform for composable onchain investment products. It enables strategy managers to turn institutional strategies into regulatory-compliant tokens that offer investors full transparency, instant redemptions, and native composability across DeFi protocols such as Morpho and Pendle.

Midas products are compliant financial instruments that are issued with clearly defined investor rights, onchain transparency, and robust operational controls. Each product's underlying investment strategy is managed and monitored by appointed strategy managers, such as BlackRock, Hyperithm and M1 Capital, with ongoing oversight of risk parameters and performance.

www.midas.app | docs.midas.app | x.com/midasrwa

Severity Definitions

Critical

  • Impact: Catastrophic damage to the protocol or its users. Examples include severe loss of assets, permanent system disruption, or widespread compromise.
  • Likelihood: High, with minimal or no user interaction required. Exploitation is very easy or highly incentivized.
  • Examples:
    • Permanent loss or freezing of assets
    • Network-wide shutdown or inability to confirm transactions
    • Unintended permanent chain splits requiring a hard fork
    • Protocol insolvency or governance manipulation leading to direct financial harm
    • Account takeover with significant impact (e.g., admin account compromise)

High

  • Impact: Significant damage to the protocol or its users, but not catastrophic. Examples include notable financial loss or significant harm to user trust.
  • Likelihood: Medium to high, with some user interaction or specific conditions required.
  • Examples:
    • Temporary freezing of assets or transactions
    • Unintended chain splits (network partitions)
    • Theft of unclaimed yield or royalties
    • Exploits requiring elevated privileges but with high impact
    • Account takeover with moderate impact (e.g., user account compromise)

Medium

  • Impact: Moderate damage, often limited to specific users or conditions. Examples include limited financial damage or moderate system impact.
  • Likelihood: Medium, requiring specific conditions or user interaction.
  • Examples:
    • Increased resource consumption or temporary disruption of network nodes
    • Theft of gas or griefing attacks with no direct profit motive
    • Bugs causing unintended smart contract behavior without direct financial risk
    • Non-sensitive data disclosure, open redirects, or reflected HTML injection

Low

  • Impact: Minor damage, often limited to non-critical functionality. Examples include minimal direct risk or areas for improvement.
  • Likelihood: Low, requiring significant user interaction or unlikely conditions.
  • Examples:
    • Shutdown of a small percentage of network nodes without network-wide impact
    • Modification of transaction fees outside design parameters
    • Non-critical UI/UX issues or minor information disclosure
    • Minor UI/UX issues or non-critical functionality disruptions

In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.

Reward Calculation

Critical Vulnerabilities: The reward amount will be calculated as 10% of the funds directly affected, up to the maximum cap defined in the applicable reward range. The amount of funds at risk will be determined based on the time and date the bug report is submitted. A minimum reward will be granted for critical vulnerabilities to incentivize responsible disclosure and discourage withholding of bug reports. A vulnerability must place at least $10,000 USD at direct risk to be classified as Critical.

High Severity Vulnerabilities: Rewards will be capped at up to 100% of the funds directly affected, up to the maximum cap defined in the applicable reward range.

Hard Caps: Under no circumstances will total rewards for a given scope exceed the applicable hard cap defined in each scope category. If multiple valid bug reports are submitted and the cumulative rewards would exceed this limit, rewards will be allocated on a first-come, first-served basis, determined by the submission timestamp of each report, until the hard cap is reached. In all cases, the sum of total rewards paid will not exceed $1,000,000.

Disclosure Requirements

  • Do not disclose the vulnerability publicly, to other researchers, or to any third party before the program owner has been notified, the issue has been fixed, and permission to disclose has been granted.
  • Report as soon as possible — ideally within 24 hours of discovery.
  • Provide a clear, actionable report including:
    • A concise description of the vulnerability and its impact.
    • Proof-of-concept (PoC) demonstrating the issue (reproducible steps and/or exploit code minimized to demonstrate impact).
    • The exact conditions under which the issue occurs (environment, preconditions, affected components).
    • Potential implications and attack scenarios if the vulnerability were to be exploited.
    • Any relevant logs, stack traces, transaction hashes (where applicable), or test scripts that reproduce the problem.
  • Limit the demonstration to the minimum necessary to prove the issue. Do not exfiltrate private data or otherwise cause harm while validating.
  • The program owner may request additional information (e.g., KYC) to validate the report before processing eligibility and rewards.

Eligibility

To be eligible for recognition under this program, researchers must meet the following criteria:

  • Be the first to report a previously unknown, non-public vulnerability that the program owner has not been made aware of.
  • If the same vulnerability is reported through multiple platforms or channels, only the submission with the earliest verifiable timestamp will be considered eligible for a reward. Subsequent or duplicate submissions will not be rewarded.
  • Provide sufficient information to reproduce and fix the issue (clear PoC, reproduction steps, or test case).
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission.
  • Comply with all program rules and applicable laws in the researcher's jurisdiction.
  • Provide any requested identity verification (KYC) or documentation necessary for reward processing and legal compliance.
  • Not be a current or former employee, vendor, contractor, or other person who was involved in the development of the affected code.
  • Be of legal age in their jurisdiction at the time of submission and not be resident in countries under sanctions or legal restrictions that would prohibit participation.

To maximize the efficiency of the reward pool and reviews, low-risk vulnerabilities that were already identified, acknowledged, or fixed in previous external audits are explicitly excluded.

Terms and Conditions

By submitting a report, you accept the following terms and conditions:

  • You grant the program owner the rights necessary to investigate, mitigate, and disclose the vulnerability, including the right to patch, mitigate, and publicly disclose the issue once remediated.
  • Eligibility, reward decisions, and any recognition are at the sole discretion of the program owner. Submission does not guarantee a reward or public acknowledgment.
  • The program owner may require identity verification (KYC) and other documentation before processing eligibility or rewards.
  • The program terms, scope, and conditions may be revised at any time. Researchers are responsible for reviewing the latest program rules prior to submission.
  • Reports that violate the disclosure requirements above, applicable laws, or that demonstrate malicious intent will be rejected and may be referred to law enforcement.
  • The program owner is not liable for any actions taken by researchers that violate these rules or applicable laws; researchers participate at their own risk and responsibility.