Exponent offers a bug bounty program with rewards of up to $250,000 for critical vulnerabilities. Our goal is to encourage security researchers to identify and responsibly disclose issues that could affect the security or integrity of the Exponent protocol and its users. We welcome submissions related to the core smart contracts, application logic, and integrations. If you believe you’ve discovered a vulnerability, please review the details below before submitting.

Scope

The bounty program covers the following areas:
  • Core Exponent smart contracts (PT/YT tokens, AMM, market creation, etc.)
  • Economic mechanisms related to yield trading, swaps, liquidity provision
  • Backend infra and APIs that affect the safety or availability of the protocol
  • Frontend and app vulnerabilities with financial or user impact
The primary focus is the prevention of fund loss, incorrect accounting, or protocol behavior that deviates from intended design. Exponent’s deployed smart contracts can be found here.

Rewards

Bug bounty rewards depend on severity, impact, and reproducibility. Please see below for more details:
  Severity   Program     Application & Services
  Critical   $250,000    $50,000
  High       $100,000    $10,000
  Medium     $10,000     $5,000
  Low        $2,500      $500

Out of Scope

The following are excluded from bug bounty rewards:
  • Issues in third-party contracts or dependencies
  • Findings already disclosed in audits or public channels
  • UI/UX bugs without financial impact
  • Denial-of-service vectors fixable by upgrade and with no fund impact
  • Social engineering, phishing, or spam issues
  • Test contracts, scripts, and staging infra
  • Best practices, gas optimizations, or feature requests
  • SPL token compatibility edge cases without direct security impact
  • DNS or email intermittency and deliverability issues, including those caused by incorrect DKIM, SPF, or DMARC configurations

Eligibility Requirements

To qualify for a reward:
  • The vulnerability must be previously unknown and unreported.
  • You must not exploit the bug beyond what’s necessary to prove the finding.
  • No public disclosure before the fix is confirmed. DO NOT POST security issues on social media, discussion forums, or other public channels.
  • You must include sufficient detail to reproduce the issue (PoC, screenshots, logs, or clear steps).
  • You must not be a current or former team member, contractor, or auditor with access to the relevant code.
  • You must not reside in or be subject to OFAC-sanctioned jurisdictions.

How to Submit

  • Send your report to: [email protected]
  • Please include:
    • Your contact details
    • Clear description of the vulnerability
    • Reproduction steps or PoC (code, screenshots, or logs)
  • You’ll receive an acknowledgment within 24-48 hours
  • Eligible bounties are paid monthly in USDC on Solana