Bug Bounty

HyENA Bug Bounty Program

1. Scope

On mainnet, any bug that could reasonably lead to user fund loss, unfair execution, or integrity failures in the HIP-3 DEX or oracle system is in scope, including:

  • Incorrect oracle price publication or calculation

  • Manipulation vectors in oracle updates or aggregation logic

  • Desynchronization between on-chain oracle state and off-chain reference prices

  • Availability issues that can be turned into profit (e.g., asymmetric downtime that enables manipulation)

  • Any additional issue not contemplated above that could reasonably lead to user fund loss, unfair execution, or integrity failures

2. Submission Reports and Rewards

Reports must include:

  • Description: Clear explanation of the vulnerability and affected component(s)

  • Reproduction: Detailed step‑by‑step instructions and any required scripts or transactions

  • Proof of Concept: Working PoC that demonstrates real exploitability (not just a theoretical issue)

  • Impact Assessment: Reasonable explanation of potential impact (e.g., “X% price manipulation”, “Y funds at risk”)

Submit your report to: [email protected]

If the same bug is reported by multiple parties, only the first valid report is eligible for a reward.

Rewards for responsible disclosure are paid in USDe on either HyperEVM or HyperCore, with the amount based on severity.

HyENA contributors commit not to pursue legal action for security research conducted in good faith and in compliance with this program.

3. Prohibited Activity

To protect users, infrastructure, and third parties, the following are strictly prohibited:

  • Mainnet Exploitation

    • Active exploitation on mainnet beyond what is strictly necessary to prove impact in a controlled manner; if impact can be proven or demonstrated without such action, the action is expressly prohibited

    • Any testing that leads to real user losses or large-scale disruption

  • Testing Scope

    • Testing on mainnet when equivalent tests can reasonably be performed on testnet or local forks

    • DoS attacks

    • Testing involving third-party systems and applications

  • Abuse & Extortion

    • Phishing or other social engineering

    • Ransom demands, blackmail, or threats

    • Public disclosure of a vulnerability before it is fixed and any bounty is paid

    • Threatening to publish or publishing personally identifiable information (PII) or sensitive data without consent

    • Exploiting vulnerabilities for personal financial gain beyond the bounty, including trading on undisclosed vulnerabilities, MEV-style extraction, or manipulating on-chain markets

  • Bypassing Program Rules

    • Attempting to bypass the submission process

    • Engaging in unauthorized activity outside the scope defined in this program

4. Eligibility

To be eligible for a bounty:

  • Reports must be submitted to [email protected] only (no external platforms).

  • The reporter must comply with any required KYC/KYB procedures.

  • The reporter must be technically able to receive USDe on the supported networks.

  • The reporter must maintain confidentiality about the vulnerability and related communications until and unless authorized in writing to disclose.

  • The issue must be reproducible and supported with clear evidence and a PoC.

  • Contributors to the codebase (employees, contractors, core devs) are not eligible to receive bounties for vulnerabilities in code they contributed to.

HyENA reserves the right to declare an entity or individual ineligible based on applicable sanctions, regulatory requirements, or legal restrictions.

5. Ineligible Submissions

The following types of submissions are not eligible for rewards:

  • Reports without sufficient detail:

    • Missing step‑by‑step reproduction

    • No working PoC when one is reasonably feasible

  • Vulnerabilities requiring extremely unlikely or unreasonable user behavior, such as:

    • Disabling basic security features

    • Ignoring explicit warnings in the UI or docs

  • Issues dependent on:

    • Outdated or unsupported software versions

    • Unpatched browsers or operating systems that are no longer supported

    • Rooted / jailbroken / otherwise modified user devices

  • Issues in third‑party libraries, extensions, tools, or infrastructure that do not result in a directly exploitable vulnerability in the HIP-3 DEX or oracle system

  • Purely non‑security issues:

    • Minor performance problems

    • Cosmetic UI bugs

    • Typos or documentation nits (unless they cause a real loss or security issue)

  • Vulnerabilities that only manifest under extreme, unrealistic, or clearly contrived market conditions that do not reflect plausible real‑world scenarios.

6. General Conditions

  • No bounty is owed for submissions that:

    • Do not meet the program’s requirements, or

    • Are excluded by the scope or ineligibility criteria.

  • The project retains sole discretion to determine:

    • Whether a submission is valid,

    • How to classify its severity, and

    • The exact bounty amount within the published ranges.

  • All submissions become the property of the project. The project may:

    • Use, modify, or disclose submissions for security and operational purposes

    • Share information with partners or auditors as needed, without additional consent from the reporter

Participation in this program does not create any employment or partnership relationship.

7. Classification & Reward Guidelines

Severity is determined by impact and likelihood. Payouts may vary within each range depending on exploitability, quality of report, and whether the researcher provided fixes or mitigations.

Critical – up to 100,000 USDe

Bugs that can cause direct, significant loss of user funds or catastrophic integrity failures, for example:

  • Oracle price manipulation allowing profitable, repeated abuse (e.g., under/over-pricing leading to liquidations or unfair PnL)

  • Smart contract vulnerabilities allowing:

    • Direct draining or theft of user funds

    • Permanent lockup of significant funds

High – up to 25,000 USDe

Bugs causing severe disruption or partial but contained impact, for example:

  • HyENA HIP-3 DEX downtime that blocks:

    • New orders/cancellations for a significant period

    • Oracle updates critical to fair pricing

  • Oracle or data-feed disruptions that:

    • Cannot be directly exploited for fund theft, but

    • Materially affect trading or risk systems

  • Access control or authentication issues that:

    • Allow privileged but non‑catastrophic actions

    • Risk targeted but not systemic losses

Medium – up to 7,500 USDe

Bugs with moderate impact or limited exploitability, such as:

  • Logic errors that:

    • Only occur in rare edge cases

    • Have limited or no immediate fund impact

  • Information disclosure that:

    • Reveals non‑public but non‑sensitive data

    • Could aid future attacks but is not directly exploitable

Low – up to 1,500 USDe

Bugs that have low impact or are primarily best‑practice violations, for example:

  • Minor API inconsistencies or error handling flaws

  • Documentation or configuration issues that:

    • Could mislead integrators or power users

    • Do not present an immediate exploit path

8. Process & Timelines

  • Acknowledgment: The HyENA team aims to acknowledge valid reports within 72 hours.

  • Triage & Classification: Severity assessment and initial triage are typically completed within 7–14 days.

  • Remediation & Payout:

    • Fixes for critical/high issues are prioritized and deployed as soon as safely possible.

    • Bounty awards are generally paid within 14 days of confirming the vulnerability and agreeing on classification, subject to KYC/KYB completion.

Timelines are best‑effort and may vary based on complexity or required coordination with external partners.

9. Contact

Primary security contact: [email protected]
