Midas Bug Bounty

@midas-app
Status: Live

Maximum reward: $500,000

Severity    Max. Reward
Critical    $500,000
High        $25,000
Medium      $5,000
Low         $1,000

Deposit required: $20
Findings submitted: 10
Start date: 23 Mar 2026


In scope

Severity    Min and Max Reward
Critical    $2,500 to $50,000
High        $500 to $2,500
Medium      $500

The Midas web application.

Hard Cap

Total rewards for this scope will not exceed $100,000.

Name        Description             Asset
midas.app   Midas web application

Out of scope

Default Out of Scope

Standard out-of-scope items per the Cantina Bug Bounty Out-of-Scope Policy.

Out of Scope

The following issues are out of scope and not eligible for rewards.

For generic exclusions, see the Cantina Bug Bounty Out-of-Scope Policy.

Token & Design Issues

  • Issues related to non-compliant or weird ERC20 tokens
  • Centralization related risks
  • Issues related to the design philosophy of the protocol (e.g., trade-offs made on permissionless protocols)

Admin & User Errors

  • Issues based on admin errors, such as calling a function with wrong parameters or admin actions on integrated protocols (note: issues based on a wrong implementation of admin functions will have their severity defined according to the severity matrix)
  • Issues based on a malicious or compromised admin, unless explicitly included in the scope
  • Issues based on a user error, without significant impact on other users

Theoretical & Speculative

  • Speculation on future code, integrations, or upgrades unless the finding directly relates to current code and behavior
  • Known issues by the team
  • Theoretical vulnerabilities without proof of concept

Social & Physical

  • Social engineering attacks or phishing
  • Issues requiring physical access to a user's device or local network
  • Attacks requiring MITM or physical access to a user's device
  • Brute forcing account credentials

Low-Impact Web

  • Self-XSS or non-exploitable UI/UX issues
  • Clickjacking on pages with no sensitive actions
  • Server information and status pages (e.g., stack traces, descriptive error messages)
  • SSL/TLS best practices (e.g., missing SSL Pinning, insecure configurations)
  • Optional email security features (e.g., SPF/DKIM/DMARC configurations)
  • Most issues related to rate limiting
  • Content-Security-Policy configuration opinions
  • Verbose error messages without proof of exploitability
  • Content spoofing, text injection
  • Missing HttpOnly flags on non-sensitive cookies
  • Tabnabbing
  • Self-exploitation (e.g., self-XSS, self-DoS, cookie reuse)

General Exclusions

  • Best practice recommendations or feature requests
  • Third-party integrations or dependencies not under Midas's control
  • Denial of Service (DoS) attacks without demonstrated impact
  • Reports from automated tools or scans
  • Known vulnerable libraries without a working proof of concept
  • Open access to publicly-exposed resources (e.g., Google Sheets) without demonstration of vulnerability exploitation
  • Issues without clearly identified security impact