Valantis STEX Bug Bounty Program
Program Status: Active
Launched: 23 Jul 2025
Expires: Non-expiring
Participants: 69
Max Payout: $200,000
Payout Quantity: 3
GENERAL INFORMATION
Valantis Stake Exchange (STEX) is a modular DEX design custom-made for yield-bearing assets paired against their underlying token, such as LSTs and yield-bearing stablecoins.
STEX uses a reference exchange rate contract as the ask price of the yield-bearing asset, ensuring that it does not sell it below fair value. STEX is natively integrated with the yield-bearing asset's withdrawal queue/rebalancing mechanism and third-party lending protocols.
STEX is built on the Valantis Sovereign Pool contract, a modular framework to build DEXes.
Asset Type: Smart Contracts
Chains: Other
Programming Language: Solidity
Product Types: DeFi
Project Categories: DEX
PAYOUTS
Smart Contracts
Critical - up to $200,000
- Permanent funds freeze
- Protocol Insolvency
- Direct theft of any user funds (at-rest, in-motion)
- Unclaimed yield excluded
High - up to $50,000
- Unclaimed yield permanent freeze
- Unclaimed yield theft
- Profit-oriented block stuffing
Medium - Out of scope
Low - Out of scope
Informational - Out of scope
PROGRAM DETAILS
Prohibited Activities
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets.
- Any testing with pricing oracles or third-party smart contracts.
- Attempting phishing or other social engineering attacks against our employees and/or customers.
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks).
- Any denial of service attacks.
- Automated testing of services that generates significant amounts of traffic.
- Public disclosure of an unpatched vulnerability in an embargoed bounty.
Rewards and Recognition
- All payouts are conducted by the Valantis Labs team, pegged to USD values and payable in USDC or USDT.
- The bug bounty program reserves the right to adjust award amounts based on the quality and accuracy of submissions within the specified range. The decision to pay out is solely at the Valantis Labs team's discretion.
Submission Guidelines
- Reports should be submitted through the Remedy platform.
- All bug reports must include a Proof of Concept demonstrating how the vulnerability can be exploited to qualify for a reward.
ASSETS IN SCOPE
Smart Contracts
In Scope:
- STEXAMM, stHYPEWithdrawalModule, kHYPEWithdrawalModule
- https://github.com/ValantisLabs/valantis-stex
EXCLUDED VULNERABILITIES
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that manipulate the bid or ask price but do not yield a larger output token amount on swaps than the amount quoted by the integrated price conversion functions (the convertToToken0 and convertToToken1 functions in stHYPEWithdrawalModule and kHYPEWithdrawalModule).
- Attacks that the reporter has already exploited, leading to damage.
- Attacks requiring access to leaked keys/credentials.
- Attacks requiring access to privileged addresses (e.g. multi-sig, governance, strategist, keeper).
- Incorrect data supplied by third-party oracles.
- Basic economic governance attacks (e.g. 51% attack).
- Insolvency risks due to faults in external lending protocol integrations.
- Lack of liquidity.
- Best practice critiques.
- Sybil attacks.
- Problems caused by L1 gas pricing.
- Freezing of own funds due to mistaken operation.
- Impacts from malicious upgrades to third-party contracts.
- Temporary impacts resulting from configuration adjustment race conditions.