Mound Finance

Live since: 20 July 2021
KYC required
Maximum bounty

Program Overview

Mound is an innovative financial technology company that develops blockchain-based financial platform services. They are dedicated to creating widely used, cutting-edge blockchain-based services with a heavy focus on DeFi and cross-chain functionality. Their products include:

  • PancakeBunny, a decentralized finance (DeFi) yield aggregator and optimizer for the Binance Smart Chain, which is used for PancakeSwap (CAKE) and Venus (XVS). The protocol gives yield farmers the opportunity to reap the benefits of auto compounding.

  • polyBunny, which uses the same successful strategies as PancakeBunny to maximize returns while minimizing risk and to continue building incentives for the PolyBUNNY token on the Polygon network.

  • Qubit, which is an innovative DeFi lending protocol that is optimized to deliver lending as a utility for the BSC. With zero withdrawal fees, Qubit not only reduces the cost of lending and borrowing for retail users, it also enables PancakeBunny and other BSC yield aggregators to employ leveraged strategies to maximize Single Asset returns.

The bug bounty programs focus on their smart contracts and web/app assets and are primarily concerned with the loss of user funds.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing subjects from consequence of exploitation, to privilege requirements, to likelihood of a successful exploit.

The rewards shown here reflect the maximum rewards across all the Mound Finance bug bounty programs on Immunefi.

All web and app bugs must come with a PoC in order to be accepted. All web and app bug reports without a PoC will be rejected with a request for a PoC. High and Critical smart contract bug reports are required to come with a proof of concept (PoC) for consideration of a reward.

Smart contract and blockchain vulnerabilities are only classified as Critical if they have an impact of USD 100 000 or greater. If the impact is below that amount, the bug report is reclassified as High even if it would normally classify as Critical. Additionally, if a smart contract bug report with a classification of High has an impact of USD 100 000 or greater, it is reclassified as Critical.

Payouts are handled by the respective project of Mound Finance directly and are denominated in USD. However, payouts are done in USDT for all projects with payouts less than or equal to USD 1000. All other payouts are done in the respective project token and over their respective networks.

Smart Contracts and Blockchain

  • Critical: Up to USD $250,000
  • High: Up to USD $40,000
  • Medium: Up to USD $5,000
  • Low: Up to USD $1,000

Website and Apps

  • Critical: Up to USD $5,000
  • High: Up to USD $3,000
  • Medium: Up to USD $1,000

Bug Bounty Programs