Monad.xyz UI

Monad Foundation is an organization dedicated to supporting the development, decentralization, security, and adoption of the Monad protocol by providing a wide range of services including community engagement, business development, developer and user education, and marketing services.

Prohibited Actions

• No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
• No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
• No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
• No Conflict of Interest: Individuals currently or formerly employed by the Monad Foundation, or who contributed to the development of the affected code, are ineligible to participate. Former auditors ARE permitted to participate.
• Denial of Service: DDoS attacks are out of scope. DoS vulnerabilities should be investigated with caution to avoid service disruptions where possible.
• Social Engineering: Social engineering attacks are out of scope and not permitted for testing.
• Physical security: Testing of physical security is out of scope and not permitted for testing.

Disclosure Requirements

Please report vulnerabilities directly to the program on Cantina bug bounty platform. Include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue (proof of concept preferred).
• Conditions under which the issue occurs.
• Potential implications if exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Reward Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within scope.
• Provide sufficient information to reproduce and fix the issue.
• Provide all KYC and other documents as requested
• Not have exploited the vulnerability in a malicious manner.
• Not have disclosed the vulnerability to third parties prior to receiving permission.
• Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified by Impact and Likelihood. The combination determines the severity and guides the reward amount.

Risk Classification Matrix:

Report issue severity is determined by the issue's impact and likelihood. Findings with higher impact and likelihood result in higher severity. Review the definitions and table below select a severity when making a report.

Impact Definitions:

• Critical: Leads to severe loss of user funds, permanent system disruption, or widespread compromise. Examples include:

  • Unauthorized write access to backend (direct server / db access)
  • Serving of malicious rich content payload to the majority of site visitors
  • A claim auth bypass that will not be flagged during subsequent validation stages prior to airdrop event

• High: Causes notable financial loss or significantly harms user trust, but on a lesser scale than Critical. Examples include:

  • Duplicated claim not detected in validation stage but limited in repeatability.
  • User data leak without compromising user credentials.

• Medium: Results in limited financial damage or moderate system impact. Examples include:

  • Duplicated claim during window but detected in validation stage.

• Low/Informational: Minimal direct risk but may indicate areas for improvement.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires very specific conditions.

Risk Classification Matrix

Note: Actual reward amounts are determined at Monad Foundation's sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.

Payouts are handled by the Monad Foundation team directly and are denominated in USD. Payouts are done in USDC or MON at the Monad Foundation teams' discretion. MON payouts will be determined using the 14 day TWAP calculated as of the payment date. The Monad Foundation requires an invoice to be received via email for each payout. An invoice template can be provided by the Monad Foundation.

Reward Structure

Other Terms

By submitting a report, you grant Monad Foundation the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Monad Foundation. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.