Concrete
Maximum reward: $250,000

| Severity | Max. Reward |
|---|---|
| Critical | $250,000 |
| High | $100,000 |

No deposit required
Findings submitted: 162
Start date: 5 Nov 2025
KYC: Required to join
In scope
| Severity | Min and Max Reward |
|---|---|
| Critical | Up to $250,000 |
| High | Up to $100,000 |

Core smart contract code and related repositories for the protocol.
If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.
Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug. Funds at risk are defined as funds at risk of being stolen to an EOA not controlled by the protocol, or permanently locked and unrecoverable due to smart contract failure caused by griefing. The amount is calculated based on a snapshot at the report timestamp.
Note: Actual reward amounts are determined at Concrete’s sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.
| Name | Description | Asset |
|---|---|---|
| concrete-earn-v2-bug-bounty (GitHub) | Repository containing core smart contract code for Concrete Earn v2. |
Out of scope
The following targets are excluded from this bug bounty program:
- Attacks resulting from privileged roles becoming compromised
- Third-party libraries. However, upstream bugs that directly impact user funds in our protocol are in scope, as is the correctness of integration with the library (e.g. OpenZeppelin, LayerZero, etc.)
- Deployed non-production contracts.
- Non-standard assets (e.g. non-transferable, soul-bound, ERC-777, or inflationary/deflationary assets)
- Gas optimizations and best practices
- Backend and any attack vectors involving privileged roles becoming compromised.
- Deployment scripts and test code