Daimo Pay

Daimo Pay is a intent-based system for crypto payments. In particular, it supports fast 1:1 transfers from any major stablecoin across chains.

Supported Networks:

• ETH
• Arbitrum
• Base
• Polygon
• Linea
• Optimism

Maximum Bounty: $20,000

Live Since: 06 June 2025

Rewards

Daimo Pay provides rewards in USDC on Arbitrum, denominated in USD.

Rewards by Threat Level

Smart Contract

Critical

• Max: $20,000
• Min: $7,500

High

• Max: $7,500
• Min: $2,500

Low

• Max: $2,000
• Min: $1,000

Reward Calculation for Critical Level Reports

For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to the listed maximum. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. There is also a listed minimum reward in order to incentivize security researchers against withholding a critical bug report.

Repeatable Attack Limitations

• If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.
• The amount of funds at risk will be calculated with the impact of the first attack.

Reward Calculation for High Level Reports

High impacts concerning theft/permanent freezing of funds are rewarded within the listed range. The reward is calculated based on 100% of the funds at risk, capped at the maximum high reward.

Scope

The assets in scope for this bounty are specifically our Daimo smart contracts.

Not in scope:

• Web app/SDK/JS issues. The test page (https://daimo.com/demo/tests) is listed only as an aid for researchers to test and understand contracts more quickly, not as a target for bug reports.

Special case:

• 'DaimoPayRelayer'. This is an untrusted contract. Any issues that result in loss of user funds will be treated as critical, while issues resulting in loss of our own company funds in DaimoPayRelayer will be treated as high severity but not critical.

Program Overview

Daimo Pay is a intent-based system for crypto payments. In particular, it supports fast 1:1 transfers from any major stablecoin across chains.

The purpose of this bug bounty is to build confidence in the Daimo Pay intent address contract system.

We will treat all contract issues that result in loss of user funds as critical.

Temporarily frozen funds count as vulnerabilities only if they occur:

1. Due to an error in our contracts, or
2. Last longer than 'expirationTimestamp' for a given Daimo Pay intent.

There are a variety of (known, expected) ways that funds can be frozen temporarily due to user error (for example, double-paying the same intent address twice). These are not vulnerabilities.

Audits

Requirements

KYC Required

The submission of KYC information is a requirement for payout processing. Participants must adhere to the Eligibility Criteria.

Proof of Concept

Proof of concept is always required for all severities.

Prohibited Activities

• Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
• Any testing with pricing oracles or third-party smart contracts
• Attempting phishing or other social engineering attacks against employees and/or customers
• Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks that are executed against project assets
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty
• Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. Therefore, Immunefi has developed feasibility limitation standards which by default state what security researchers and projects can or cannot cite when reviewing a bug report.