Alchemix

Alchemix is your unified platform for saving, earning, borrowing, and fixed-term fixed-yield opportunities—all in one place. Built on years of iteration since launching the original self-repaying loan in 2021, Alchemix v3 brings all three pillars together with a smarter, more flexible design.

Arbitrum

ETH

Optimism

Base

Defi

CDP

DAO

Lending

Synthetic Assets

Token

Yield Aggregator

Asset Management

Solidity

Maximum Bounty

$300,000

Live Since

26 February 2026

Last Updated

07 April 2026

PoC Required

Submit a Bug

Information Scope Resources

Rewards

Alchemix provides rewards in USDC on Ethereum, Arbitrum , Optimism, denominated in USD.

Rewards by Threat Level

Smart Contract

Critical

Max: $300,000Min: $50,000

Primacy of Impact

High

Max: $35,000Min: $5,000

Primacy of Impact

Medium

Flat: $4,000

Primacy of Impact

Low

Flat: $1,000

Primacy of Impact

Critical Reward Calculation

Mainnet assets:

Reward amount is 10% of the funds directly affected up to a maximum of:

$300,000

Minimum reward to discourage security researchers from withholding a bug report:

$50,000

Rewards Body

Reward Calculation for Critical Level Reports For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 300,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 50,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.

Repeatable Attack Limitations

If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.

Reward Calculation for High Level Reports High impacts concerning theft/permanent freezing of unclaimed yield/royalties are rewarded with a range of 5,000 to 35,000 with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward.

In the event of temporary freezing, the reward doubles from the full frozen vallue for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward.

View impacts in scope

Program Overview

For more information about Alchemix, please visit https://alchemix.fi/ Alchemix privides rewards on USDC on ETH, Arb and OP. For more details about the payment process, please review the Rewards by Threat Level section further below.

Primacy of Impact vs Primacy of Rules

Alchemix adheres to the Primacy of Impact for the following impacts:

Smart Contracts / Critical
Smart Contracts / High
Smart Contracts / Medium
Smart Contracts / Low

Primacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact

When submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.

If the project has any testnet and/or mock files, those will not be covered under Primacy of Impact. All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.

Proof of Concept (PoC) Requirements

A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.

Public Disclosure of Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, perform necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

Audits

Auditor	Link	Completed at
Spearbit and Cantina	https://cantina.xyz/portfolio/f638950d-a8ad-4df8-a6ec-8b067e416d7b	15 May 2025
Aleph V	https://hackmd.io/@geistermeister/SkSZiU9ybe	15 December 2025
immunefi	https://drive.google.com/file/d/18LmIajwn6NOCbxKQJ49MVLyLSKb9gmD1/view	1 January 2026
Nethermind	https://docs.alchemix.fi/assets/files/v3-nethermind-3195e302f55244d130f49ec41e6d1539.pdf	2 February 2026
yAudit	https://docs.alchemix.fi/assets/files/v3-yearn-e44c37454c3ba188ea81d6d583c399aa.pdf	15 March 2026

Auditor

Spearbit and Cantina

Link

https://cantina.xyz/portfolio/f638950d-a8ad-4df8-a6ec-8b067e416d7b

Completed at

15 May 2025

Auditor

Aleph V

Link

https://hackmd.io/@geistermeister/SkSZiU9ybe

Completed at

15 December 2025

Auditor

immunefi

Link

https://drive.google.com/file/d/18LmIajwn6NOCbxKQJ49MVLyLSKb9gmD1/view

Completed at

1 January 2026

Auditor

Nethermind

Link

https://docs.alchemix.fi/assets/files/v3-nethermind-3195e302f55244d130f49ec41e6d1539.pdf

Completed at

2 February 2026

Auditor

yAudit

Link

https://docs.alchemix.fi/assets/files/v3-yearn-e44c37454c3ba188ea81d6d583c399aa.pdf

Completed at

15 March 2026

Known Issues

Category	Description / Link	Last Updated At
Smart Contract	We are pricing strategies based on the fundamental backing, rather than dex price, whenever possible. This means there may be scenarios where the fundamental backing has a queue to access (such as the exit queue for wstETH). In these scenarios, as an example, 1 alETH in the transmuter would return 1 ETH worth of MYT, but that 1 ETH of MYT would not be accessible until the withdrawal queue clears, OR the user could sell the 1 ETH of MYT for < 1 ETH. Thus, the MYT market price may be < 1 ETH, which may bring the price of the alAsset < 1 ETH. This is intended behavior, as should the withdrawal queue clear the 1 ETH of MYT value would once again be instantly accessible and thus the alAsset would be redeemable for 1 ETH.	1 October 2025
Smart Contract	IF the price of the MYT drops below the LTV (say 1 ETH of MYT has a market price of 0.85 ETH) due to withdrawal queues, then it would be expected that arbitragers mint alETH to sell at > 100% LTV. However, so long as the value of the MYT these arbitragers collateralize returns to 1:1, there is no bad debt created in the system. Only a situation that returns permanent bad debt, even after MYT recovery, would be in scope (or a situation where the MYT is prevented from recovering).	1 October 2025
Smart Contract	The DAO Multisig on each chain, which takes on an admin role in the system, is trusted.	1 October 2025
Smart Contract	Technically an individual could open numerous small positions at max LTV, hoping that they become eligible for liquidation so they can liquidate themselves and get paid from the feeVault for a net profit. However, the feeVault ONLY pays out when the alchemist is globally undercollateralized, NOT for liquidate individually undercollateralized positions when global collateralization is otherwise acceptable. This is an acceptable risk and therefore not considered in scope.	13 October 2025
Smart Contract	All curators and allocators are trusted (ie, low/med/high risk strategy cap maximums are not enforced on chain, assumed done by curators/allocators/admin)	3 April 2026

Category

Smart Contract

Description / Link

We are pricing strategies based on the fundamental backing, rather than dex price, whenever possible. This means there may be scenarios where the fundamental backing has a queue to access (such as the exit queue for wstETH). In these scenarios, as an example, 1 alETH in the transmuter would return 1 ETH worth of MYT, but that 1 ETH of MYT would not be accessible until the withdrawal queue clears, OR the user could sell the 1 ETH of MYT for < 1 ETH. Thus, the MYT market price may be < 1 ETH, which may bring the price of the alAsset < 1 ETH. This is intended behavior, as should the withdrawal queue clear the 1 ETH of MYT value would once again be instantly accessible and thus the alAsset would be redeemable for 1 ETH.

Last Updated At

1 October 2025

Category

Smart Contract

Description / Link

IF the price of the MYT drops below the LTV (say 1 ETH of MYT has a market price of 0.85 ETH) due to withdrawal queues, then it would be expected that arbitragers mint alETH to sell at > 100% LTV. However, so long as the value of the MYT these arbitragers collateralize returns to 1:1, there is no bad debt created in the system. Only a situation that returns permanent bad debt, even after MYT recovery, would be in scope (or a situation where the MYT is prevented from recovering).

Last Updated At

1 October 2025

Category

Smart Contract

Description / Link

The DAO Multisig on each chain, which takes on an admin role in the system, is trusted.

Last Updated At

1 October 2025

Category

Smart Contract

Description / Link

Technically an individual could open numerous small positions at max LTV, hoping that they become eligible for liquidation so they can liquidate themselves and get paid from the feeVault for a net profit. However, the feeVault ONLY pays out when the alchemist is globally undercollateralized, NOT for liquidate individually undercollateralized positions when global collateralization is otherwise acceptable. This is an acceptable risk and therefore not considered in scope.

Last Updated At

13 October 2025

Category

Smart Contract

Description / Link

All curators and allocators are trusted (ie, low/med/high risk strategy cap maximums are not enforced on chain, assumed done by curators/allocators/admin)

Last Updated At

3 April 2026

KYC not required

No KYC information is required for payout processing.

Proof of Concept

Proof of concept is always required for all severities.

Responsible Publication

Category 3: Approval Required

Prohibited Activities

Default prohibited activities

Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
Any testing with pricing oracles or third-party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks that are executed against project assets
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty
Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

Submit a Bug

Total Assets in Scope