Concrete
Maximum reward: $250,000

| Severity | Max. Reward |
|---|---|
| Critical | $250,000 |
| High | $100,000 |

No deposit required
Findings submitted: 162
Start date: 5 Nov 2025
KYC: Required to join
Introduction
Concrete is the DeFi Liquidity Metalayer, powering the highest yields and unlocking new derivatives for any on-chain asset. Concrete offers a one-stop solution that automates everything from yield optimization to liquidation protection, handling the research, security, and optimization while giving users the best of DeFi without the risks or headaches.
Prohibited Actions
Researchers must not perform the following actions:
- No unauthorized testing on production environments:
  - Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use mainnet forks or local test environments instead.
- No tests involving rate-limiting or denial-of-service (DoS) attacks on public/shared infrastructure:
  - Do not conduct stress tests, rate-limit bypass attempts, or DoS attacks against RPC endpoints, indexers, APIs, nodes, or other shared services.
- No public disclosure without consent:
  - Do not publicly disclose details of any vulnerability before the program owner has been notified, the issue has been fixed, and written permission to disclose has been granted.
- No exploitation or data exfiltration:
  - Do not exploit vulnerabilities beyond the minimum steps necessary to demonstrate the issue. Do not access private user data, engage in social engineering, or otherwise disrupt services.
- No conflict of interest:
  - Individuals currently or formerly employed by, contracted to, or who contributed to the development of the affected code are ineligible to participate in reporting that code.
Disclosure Requirements
When reporting a vulnerability, follow these disclosure requirements:
- Do not disclose the vulnerability publicly, to other researchers, or to any third party before the program owner has been notified, the issue has been fixed, and permission to disclose has been granted.
- Report as soon as possible—ideally within 24 hours of discovery.
- Provide a clear, actionable report including:
  - A concise description of the vulnerability and its impact.
  - Proof-of-concept (PoC) demonstrating the issue (reproducible steps and/or exploit code minimized to demonstrate impact).
  - The exact conditions under which the issue occurs (environment, preconditions, affected components).
  - Potential implications and attack scenarios if the vulnerability were to be exploited.
  - Any relevant logs, stack traces, transaction hashes (where applicable), or test scripts that reproduce the problem.
- Limit the demonstration to the minimum necessary to prove the issue. Do not exfiltrate private data or otherwise cause harm while validating.
- The program owner may request additional information (e.g., KYC) to validate the report before processing eligibility and rewards.
Eligibility
To be eligible for recognition under this program, researchers must meet the following criteria:
- Be the first to report a previously unknown, non-public vulnerability that the program owner has not been made aware of.
- Provide sufficient information to reproduce and fix the issue (clear PoC, reproduction steps, or test case).
- Not have exploited the vulnerability in a malicious manner.
- Not have disclosed the vulnerability to third parties prior to receiving permission.
- Comply with all program rules and applicable laws in the researcher’s jurisdiction.
- Provide any requested identity verification (KYC) or documentation necessary for reward processing and legal compliance.
- Not be a current or former employee, vendor, contractor, or other person who was involved in the development of the affected code.
- Be of legal age in their jurisdiction at the time of submission and not be resident in countries under sanctions or legal restrictions that would prohibit participation.
Severity
Vulnerabilities are classified by their Impact and Likelihood. The combination of impact and likelihood determines the severity rating and guides remediation prioritization.
Impact definitions:
- Critical — Leads to severe loss of user funds, permanent system disruption, or widespread compromise of integrity or confidentiality.
- High — Causes notable financial loss, significant degradation of service, or materially harms user trust at a meaningful scale.
- Medium — Causes limited financial impact, partial loss of functionality, or a threat that is mitigable with operational changes.
- Low — Minor issues with low impact to funds, availability, or confidentiality; typically best practices, information disclosure with limited consequence, or low-risk logic errors.
Likelihood definitions:
- High — Very easy to discover and exploit; requires little to no special conditions or attacker skill.
- Medium — Exploitation is possible under specific conditions, configuration, or attacker effort.
- Low — Exploitation is difficult, unlikely, or requires unrealistic conditions.
Risk classification matrix (impact vs. likelihood):
| Likelihood \ Impact | Critical | High | Medium | Low |
|---|---|---|---|---|
| High | Critical | High | - | - |
| Medium | High | High | - | - |
| Low | - | - | - | - |
- Note: The above matrix indicates how combinations of impact and likelihood map to severity categories. The program owner will use these criteria, along with exploitability, scope, and report quality, to determine severity and remediation priority.
- Rewards will be further capped at 10% of direct funds at risk at the time the bug is reported. Funds at risk are defined as funds that could be stolen to an EOA not controlled by the protocol, or permanently locked and unrecoverable due to a smart contract failure caused by griefing. Funds at risk are calculated from a snapshot taken at the report timestamp. Note: Actual reward amounts are determined at Blueprint Finance’s sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.
Terms and Conditions
By submitting a report, you accept the following terms and conditions:
- You grant the program owner the rights necessary to investigate, mitigate, and disclose the vulnerability, including the right to patch, mitigate, and publicly disclose the issue once remediated.
- Eligibility, reward decisions, and any recognition are at the sole discretion of the program owner. Submission does not guarantee a reward or public acknowledgment.
- The program owner may require identity verification (KYC) and other documentation before processing eligibility or rewards.
- The program terms, scope, and conditions may be revised at any time. Researchers are responsible for reviewing the latest program rules prior to submission.
- Reports that violate the prohibited actions above, applicable laws, or that demonstrate malicious intent will be rejected and may be referred to law enforcement.
- The program owner is not liable for any actions taken by researchers that violate these rules or applicable laws; researchers participate at their own risk and responsibility.