Bifrost Launches Bug Bounty on Immunefi With $500,000 for a Single Critical Vulnerability
Announcements
2025 / 07 / 28 09:00
Bifrost

In the DeFi world, even the smallest vulnerability can trigger millions in losses. Just recently, Hydration awarded a $500,000 whitehat bounty for the discovery of a critical flaw that, if left unpatched, could have resulted in over $22 million in potential damage — a timely fix that safeguarded both the protocol and user funds.

At Bifrost, we understand that security is the sword of Damocles hanging over every DeFi protocol, and that whitehats are the indispensable guardians of this decentralized world. That’s why we’re launching a new bounty program — offering up to $500,000 for anyone who can find a protocol-level flaw before it’s too late.

If you can find a vulnerability that allows someone to illegitimately increase the supply of any vToken (e.g., vDOT, vMANTA, vBNC) without staking or collateral input, you could earn up to $500,000 in a single payout.

This is part of our Immunefi bug bounty, designed to uncover the deepest, most dangerous risks in the Bifrost protocol — before malicious actors do.

Why It Matters

vTokens like vDOT and vBNC represent real, staked capital. Their minting is tightly controlled through validator participation, staking queues, and reward distribution.

This bounty program focuses on:

  • Protocol-level exploits
  • Severe fund or governance manipulation
  • Unauthorized vToken minting

Reward Highlights

Protocol Vulnerabilities (Blockchain/DLT)

| Severity | Reward (Up to) | Description |
| --- | --- | --- |
| 🟥 Critical | $500,000 | Unauthorized vToken minting (vDOT, vKSM, etc.), chain halt, or permanent fund freeze |
| 🟧 High | $25,000 | Chain splits, RPC crashes, mempool abuse |
| 🟨 Medium | $10,000 | Node shutdowns, resource exhaustion |
| 🟩 Low | $1,000 | Fee miscalculations, partial disruption |

Website / Application Vulnerabilities (Front-end)

| Severity | Reward (Up to) | Description |
| --- | --- | --- |
| 🟥 Critical | $5,000 | Wallet exploit, unauthorized withdrawals, full server access |
| 🟧 High | $2,000 | Subdomain takeover, HTML injection, private info leaks |
| 🟨 Medium | $1,000 | Redirects, non-sensitive user manipulation |
| 🟩 Low | $500 | Broken links, minor UI abuse |

Please check the full scope on Immunefi.

How to Participate:

  1. Review the code
  2. Identify an exploit path that leads to unbacked vToken inflation
  3. Submit a full report via Immunefi, including reproduction steps and an impact assessment
  4. If verified, receive the reward

Terms

  • Only the first valid submission is eligible for the bounty
  • The vulnerability must be previously unknown and exploitable
  • Bifrost reserves the right to validate findings with internal and external audit partners

Code is law — until it’s not. And in a world where billions move across trustless bridges, where staking powers ecosystems, and where a single vulnerability can unravel everything, we’re not leaving anything to chance. That’s why we’re offering up to $500,000 for a single critical discovery, and inviting the smartest minds in Web3 to test the very foundations of our protocol before the wrong person ever gets the chance.