Concrete
Maximum reward
$250,000
| Severity | Max. Reward |
|---|---|
| Critical | $250,000 |
| High | $100,000 |
No deposit required
Findings submitted
162
Start date
5 Nov 2025
KYC
Required to join
In scope
| Severity | Min and Max Reward |
|---|---|
| Critical | Up to $250,000 |
| High | Up to $100,000 |
Other in-scope on-chain artifacts and current production deployments (contract addresses and deployed vaults).
If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.
Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug. Funds at risk are defined as funds at risk of being stolen to an EOA not controlled by the protocol, or permanently locked and unrecoverable due to smart contract failure caused by griefing. The amount is calculated based on a snapshot at the report timestamp.
Note: Actual reward amounts are determined at Concrete’s sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.
| Name | Description | Asset |
|---|---|---|
| Other In-Scope Assets | General assets in Other In-Scope Assets category | - |
On-chain artifacts are strictly limited to Current Deployments and In-Scope ERC20 Tokens (integration as the vault asset).
Currently deployed production contract addresses that are in-scope.
| Name | Description | Asset |
|---|---|---|
| Concrete Vault Factory | Concrete Vault Factory contract (production deployment). | |
| Stable USDT Pre-Deposit (ctStableUSDT) | ctStableUSDT production contract address. | |
| Stable Frax USD Pre-Deposit (ctStablefrxUSD) | ctStablefrxUSD production contract address. | |
| Stable USDT Pre-Deposit Pendle Loop (ctPendleLoopStableUSDT) | ctPendleLoopStableUSDT production contract address. | |
| Stable Frax USD Pre-Deposit Pendle Loop (ctPendleLoopStablefrxUSD) | ctPendleLoopStablefrxUSD production contract address. | |
| Current Production vault assets | Current Production vault assets (USDT, Frax USD) | Curr…sets |
| Standard ERC20 | Standard ERC20 (see out-of-scope tokens in the next section) | Stan…RC20 |
Out of scope
The following targets are excluded from this bug bounty program:
- Attacks resulting from privileged roles becoming compromised
- Third-party libraries. However, upstream bugs that directly impact user funds in our protocol are in scope, as is the correctness of integration with the library (e.g. OpenZeppelin, LayerZero).
- Deployed non-production contracts.
- Non-standard assets (e.g. non-transferable, soul-bound, ERC-777, or inflationary/deflationary assets)
- Gas optimizations and best practices
- Backend and any attack vectors involving privileged roles becoming compromised.
- Deployment scripts and test code