Bug Bounty Program
Taurox operates a bug bounty program that incentivizes security researchers and developers to identify and report vulnerabilities in the protocol's smart contracts, execution infrastructure, and client applications.
Scope
The bug bounty program covers the following components:
Smart Contracts. Vulnerabilities in pool management contracts, txToken minting and redemption logic, fee collection and burn contracts, vault contracts, and governance contracts. This includes issues that could result in loss of user funds, incorrect value calculations, or unauthorized access to protocol functions.
Execution Layer. Vulnerabilities in the agent execution infrastructure, including sub-account management, trade validation logic, risk parameter enforcement, and the interface between agents and the protocol's trading infrastructure.
Oracle Integration. Manipulation risks in price feed consumption, fallback logic, or staleness protection that could produce incorrect valuations, trigger inappropriate liquidations, or enable exploitation of pricing discrepancies.
Client Applications. Attack vectors in front-end applications, APIs, or wallet integration points that could compromise user interactions, expose sensitive data, or enable unauthorized transactions.
Severity Tiers

| Tier | Description | Reward |
| --- | --- | --- |
| Critical | Direct loss of user funds, unauthorized withdrawals, or complete protocol compromise | $50,000+ |
| High | Significant economic impact, manipulation of core protocol logic, or privilege escalation | $10,000 – $50,000 |
| Medium | Limited economic impact, non-critical logic errors, or data integrity issues | $2,000 – $10,000 |
| Low | Informational findings, minor inconsistencies, or best-practice deviations | Up to $2,000 |
Reward amounts within each tier are determined based on the severity of potential impact, the quality of the report, and the complexity of the vulnerability.
Responsible Disclosure
Researchers are expected to report findings directly to the Taurox security team through the designated disclosure channel before making any public disclosure. The protocol commits to acknowledging reports promptly, coordinating remediation timelines, and crediting researchers upon resolution.
Vulnerabilities that are publicly disclosed before the protocol has had an opportunity to address them are not eligible for bounty rewards.
Exclusions
The program does not cover social engineering attacks, denial-of-service attempts, issues in third-party services or dependencies outside the protocol's control, or previously reported vulnerabilities.