Ventuals Bug Bounty

@ventuals Live

Maximum reward

$1,000,000

Severity

Max. Reward

Critical$1,000,000

High$20,000

Medium$2,000

Deposit required

$20

Findings submitted

341

Start date

14 Oct 2025

Introduction

Ventuals is creating a HYPE LST (vHYPE) to raise the Hyperliquid https://hyperliquid.gitbook.io/hyperliquid-docs/hyperliquid-improvement-proposals-hips/hip-3-builder-deployed-perpetuals stake requirement. vHYPE is a fully transferable ERC20 token, and serves as the claim to the original HYPE plus accrued native staking yield.

We value the time and effort put into every submission—thank you for helping keep Ventuals and our users safe.

Documentation

Refer to https://github.com/ventuals/ventuals-contracts/blob/main/docs/ARCHITECTURE.md for the latest documentation about the Ventuals contracts

Prohibited Actions

Do not test vulnerabilities on mainnet or public testnet deployments without explicit written approval. We recommend testing on local or private test environments instead.
Do not publicly disclose a vulnerability before you have received written permission to disclose.
Do not conduct phishing or other social engineering attacks against our employees and/or customers.
Do not conduct denial-of-service attacks, or any other activity that could disrupt Ventuals services or users.
Do not exploit vulnerabilities for financial gain beyond the minimum steps necessary to demonstrate the issue.
Individuals currently or formerly employed by Ventuals, as well as those who contributed to the development of the affected code, are not eligible to participate.

Disclosure Requirements

Please report vulnerabilities directly through the Spearbit/Cantina platform. Please include:

A clear description of the vulnerability and its impact.
Steps to reproduce the issue, ideally with a proof of concept.
Details on the conditions under which the issue occurs.
Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

Be the first to report a previously unknown, non-public vulnerability within the defined scope.
Provide sufficient information to reproduce and fix the vulnerability.
Not have exploited the vulnerability in any malicious manner.
Not have disclosed the vulnerability to third parties before receiving permission.
Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.

Likelihood Definitions:

High: Very easy to exploit or highly incentivized.
Medium: Exploitation is possible under certain conditions.
Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

Severity	Payout Range
Critical	Up to $1M
High	Up to $20,000
Medium	Up to $2,000

Rewards will be capped at 5% of direct funds at risk at the time of reporting the bug.

Final reward amounts are determined at the sole discretion of Ventuals. Factors influencing payouts include the quality of the report, clarity of reproduction steps, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Ventuals the rights necessary to investigate, mitigate, and disclose the vulnerability. All submissions become the property of Ventuals. We reserve the right to use, modify, or disclose submissions for security purposes without requiring additional consent.

Reward decisions and eligibility are at the sole discretion of Ventuals. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.