# Bug Bounty
This page describes the appeX Protocol bug bounty program for responsible disclosure of security vulnerabilities.
## Why a Bug Bounty Program
Smart contract audits catch many vulnerabilities, but no audit can find every issue. Bug bounty programs provide an ongoing, crowdsourced security layer that operates continuously after deployment. Security researchers are incentivized to find and report vulnerabilities rather than exploit them.
The program creates a standing offer: if you find a vulnerability, report it responsibly and receive a reward. The reward scales with the severity of the finding. This aligns the interests of the security research community with the protocol's users.
## Program Overview
appeX operates a bug bounty program to incentivize security researchers to identify and report vulnerabilities in protocol smart contracts and infrastructure. Responsible disclosure protects users and earns rewards for researchers.
> Info: Bug bounty program details, including specific reward amounts, exclusions, and the submission portal, will be published here when the program launches. This section will be updated with the full program specification.
## Planned Scope
The following components are expected to be in scope under the planned program structure. Final scope will be confirmed when the program launches:
| Component | Category | Why This Severity |
|---|---|---|
| Vault Contract | Critical | Holds all LP capital. A vulnerability here could lead to loss of deposited funds. |
| Staking Contract | Critical | Manages locked $APPEX and LP tokens. A vulnerability could allow unauthorized withdrawal or reward manipulation. |
| NAV Calculation Logic | Critical | Determines LP token pricing. A manipulation here could enable extraction of vault value through mispriced deposits or redemptions. |
| $APPEX Token Contract | High | Core protocol token. A vulnerability could affect token balances or transfer logic. |
| Fee Distribution Contract | High | Routes protocol fees to Treasury and stakers. A vulnerability could redirect fee flows. |
| Redemption Gate Logic | High | Controls LP withdrawals. A bypass could circumvent liquidity protections. |
## Planned Reward Tiers
The following severity tiers represent the planned program structure. Final tier definitions and reward amounts will be confirmed when the program launches:
| Severity | Impact Description |
|---|---|
| Critical | Direct loss of user funds, NAV manipulation, unauthorized minting or burning of LP tokens |
| High | Unauthorized access to protocol functions, reward distribution manipulation, redemption gate bypass |
| Medium | Griefing attacks that degrade protocol usability, gas-based denial of service, minor economic exploits |
| Low | Informational findings, gas optimizations, code quality improvements |
Specific reward amounts will be published when the formal program launches. Rewards for Critical findings are expected to be substantial, reflecting the value of the assets protected by the protocol.
## Responsible Disclosure
If you discover a vulnerability before the formal program launches:
- Do not exploit the vulnerability or share it publicly. Exploitation or public disclosure before a fix is deployed puts user funds at risk.
- Contact the appeX team through official channels.
- Provide sufficient detail for the team to reproduce and verify the issue. Include a proof-of-concept where possible.
- Allow reasonable time for the team to address the issue before any public disclosure.
Researchers who follow responsible disclosure practices will be recognized and rewarded when the formal program is established. Good-faith security research is valued. The program is designed to reward researchers, not penalize them.
## What Is Not in Scope
The following are generally excluded from bug bounty programs and are expected to be excluded from the appeX program:
- Vulnerabilities in third-party protocols (Aave, Compound, DEXes) unless they specifically affect appeX vault funds
- Social engineering or phishing attacks
- Issues already reported by another researcher
- Theoretical vulnerabilities without a practical proof of concept
- Front-end or UI issues that do not affect smart contract security