Midas Bug Bounty

@midas-app
Live

Maximum reward

$500,000

Severity / Max. Reward

  • Critical: $500,000
  • High: $25,000
  • Medium: $5,000
  • Low: $1,000

Deposit required

$20

Findings submitted

10

Start date

23 Mar 2026

In scope

Severity / Min and Max Reward

  • Critical: $2,500 to $50,000
  • High: $500 to $2,500
  • Medium: $500

Any misconfiguration or unsafe configuration state in deployed smart contracts (used in production) that could reasonably lead to loss of funds, protocol insolvency, unauthorized privilege escalation, or creation of exploitable attack paths.

Hard Cap

Total rewards for this scope will not exceed $100,000.

Out of scope

Default Out of Scope

Standard out-of-scope items per the Cantina Bug Bounty Out-of-Scope Policy.

Out of Scope

The following issues are out of scope and not eligible for rewards.

For generic exclusions, see the Cantina Bug Bounty Out-of-Scope Policy.

Token & Design Issues

  • Issues related to non-compliant or weird ERC20 tokens
  • Centralization related risks
  • Issues related to the design philosophy of the protocol (e.g., trade-offs made on permissionless protocols)

Admin & User Errors

  • Issues based on admin errors, such as calling a function with wrong parameters and admin actions on integrated protocols (note: issues based on a wrong implementation of admin functions will have the severity defined based on the severity matrix)
  • Issues based on a malicious or compromised admin, unless explicitly included in the scope
  • Issues based on a user error, without significant impact on other users

Theoretical & Speculative

  • Speculation on future code, integrations, or upgrades unless the finding directly relates to current code and behavior
  • Known issues by the team
  • Theoretical vulnerabilities without proof of concept

Social & Physical

  • Social engineering attacks or phishing
  • Attacks requiring MITM, or physical access to a user's device or local network
  • Brute forcing account credentials

Low-Impact Web

  • Self-XSS or non-exploitable UI/UX issues
  • Clickjacking on pages with no sensitive actions
  • Server information and status pages (e.g., stack traces, descriptive error messages)
  • SSL/TLS best practices (e.g., missing SSL Pinning, insecure configurations)
  • Optional email security features (e.g., SPF/DKIM/DMARC configurations)
  • Most issues related to rate limiting
  • Content-Security-Policy configuration opinions
  • Verbose error messages without proof of exploitability
  • Content spoofing, text injection
  • Missing HttpOnly flags on non-sensitive cookies
  • Tabnabbing
  • Self-exploitation (e.g., self-XSS, self-DoS, cookie reuse)

General Exclusions

  • Best practice recommendations or feature requests
  • Third-party integrations or dependencies not under Midas's control
  • Denial of Service (DoS) attacks without demonstrated impact
  • Reports from automated tools or scans
  • Known vulnerable libraries without a working proof of concept
  • Open access to publicly-exposed resources (e.g., Google Sheets) without demonstration of vulnerability exploitation
  • Issues without clearly identified security impact