Founfloor · C4 Bug Bounty · EVM / Solidity

Intuition

Decentralised knowledge network — InfoFi. Bounty resumed Mar 11 2026. Contest findings = known issues = excluded. Clean slate on MultiVault.sol (77KB).
$100K max bounty · 3 PoC matches · P0 priority
🔴 POC BUILDING · CLO PENDING
Attack Surface
MultiVault.sol · 77KB
ERC-4626 vault aggregator. Primary target. Key vectors: share price manipulation via flash loans, rounding errors on deposit/withdraw, vault ordering affecting allocation logic. Contest found issues here — we need the post-contest surface only.
Access Control
Role-based permission model across vault operations. Check: initialiser patterns, admin privilege escalation, timelock bypass via ordering of operations. ERC-4626 admin functions need full mapping.
InfoFi Primitives
Novel architecture — knowledge attestation + staking. Vectors: attestation replay, staking accounting errors, cross-vault state inconsistency. Less competition here than the vault itself.
PoC Library Matches
multivault-001 ✓ · erc4626-001 ✓ · access-control-001 ✓ · flash-loan-001 ~ · attestation (new)
Sorry Loop Position
MAPPED → SCANNING → POC CLEAN → CLO GATE → FILED → BOOM
3-Team Read
OG · Technical
ERC-4626 rounding is the highest-signal surface. Post-contest = clear runway. MultiVault.sol fresh scan is the first move. Map all external calls first.
RHONE · Floor
P0 and bounty resumed. Clean slate is rare. Most hunters are scared off by the contest history — that's our edge. First mover on the post-contest surface.
RICK · Dissect
InfoFi primitives are novel. Novel = less known = less hunted. The attestation + staking layer could have a sorry nobody has looked at yet. Start there.
Next Action · Tonight
Pull MultiVault.sol. Run the fresh scan. Focus on post-contest attack surface only — any finding that wasn't in the contest known issues list. Map the InfoFi attestation layer separately. CLO review when PoC is clean.
Founfloor · C4 Bug Bounty · EVM / Solidity

Moonwell

Compound-fork lending protocol. Biggest bounty on the board at $250K. PoCs exist — lending-liquidation and compound-fork patterns match. Blocker: fork test suite not passing.
$250K max bounty · 2 PoC matches · P1 priority
🟡 POC FAILING · TEST SUITE BLOCKER
Attack Surface
Liquidation Logic
Compound-fork liquidation has historically had incentive miscalculation, bad debt accumulation, and liquidation threshold bypass patterns. Moonwell extends Compound — check all overrides. Our lending-liquidation-001 PoC targets this.
Oracle Dependencies
Price oracle for collateral valuation. Stale price acceptance, TWAP manipulation window, multi-oracle inconsistency. Lending protocols live and die on oracle integrity. Our oracle-manipulation PoC applies.
Cross-Chain (Base)
Moonwell is deployed on Base (Coinbase L2). Check bridge interaction assumptions, L2-specific gas behaviours, sequencer downtime handling. Compound-fork wasn't designed for L2.
PoC Library Matches
lending-liquidation-001 ✓ · compound-fork-001 ✓ · oracle-manipulation-001 ~ · L2-specific (new)
Sorry Loop Position
MAPPED → POC EXISTS → TEST FAILING → POC CLEAN → CLO GATE → FILED → BOOM
3-Team Read
OG · Technical
The test suite failure is the only blocker. Check if it's a Foundry config issue, wrong fork block, or actual logic difference. Compound-fork tests need a mainnet fork block that matches protocol state.
RHONE · Floor
$250K is the biggest bounty on the board. One passing PoC here = BOOM. This is the priority fix — if the test suite issue is config, 30 minutes resolves it.
RICK · Dissect
L2 deployment introduces assumptions the original Compound code never handled. Fork block mismatch in tests suggests we're testing against wrong state. Set fork block to latest before running.
Next Action · Fix The Test Suite
Set fork block to latest. Check RPC URL. Rerun. If it's a config issue it resolves in one try. If it's a logic difference, that tells us something about the finding itself. Either way, run it.
Founfloor · C4 Bug Bounty · EVM / Solidity

Legion

Crypto fundraising platform — token sales, raises, allocation. Access control and token sale PoCs potentially match. Needs scope analysis.
$75K max bounty · 2 partial matches · P2 priority
🔵 UNSCOPED · SCOPE ANALYSIS NEEDED
Attack Surface
Token Sale Logic
Fundraising = allocation management. Key vectors: allocation overflow, refund logic bypass, whitelist circumvention, raise cap manipulation. Token-sale-001 PoC is a direct match candidate.
Access Control
Admin functions over raise parameters. Privilege escalation during active raise, owner key compromise surface, role assignment ordering. Standard access-control-001 applies.
Vesting / Distribution
Token distribution after the raise closes. Vesting cliff manipulation, token distribution before the raise is valid, claiming before eligibility. Novel surface — no existing PoC.
PoC Library Matches
access-control-001 ~ · token-sale-001 ~ · vesting (new) · refund-bypass (new)
Sorry Loop Position
MAPPED → SCOPING → POC BUILD → POC CLEAN → CLO GATE → FILED → BOOM
3-Team Read
OG · Technical
Fundraising platforms have a narrow critical window — during the raise. Test all state transitions: pre-raise → active → closed → distributing. Bugs in transitions are harder to find and high impact.
RHONE · Floor
$75K is solid for a bug bounty. Less competition than Moonwell/Intuition. Scope analysis is fast — one read through the contracts tells us if our PoCs translate.
RICK · Dissect
Crypto fundraising = lots of edge cases nobody tested in prod. Refund logic during mid-raise state changes. That's where the sorry lives.
Next Action · Scope Analysis
Pull contracts. Map all public functions. Check which of access-control-001 and token-sale-001 apply directly. 1-hour analysis to know if this is worth a full PoC build.
Founfloor · C4 Bug Bounty · Rust / Solana

GMX-Solana

Decentralised perpetual exchange on Solana. GMX EVM already on our Immunefi map — this is the Solana port. Different stack (Rust/Anchor) but same business logic. perp-exchange-001 PoC may translate.
$200K max bounty · 1 PoC match · P2 priority
🔵 UNSCOPED · RUST/ANCHOR BLOCKER
Attack Surface
Perp Exchange Logic
Perpetual positions — leverage, funding rates, liquidation. Position accounting errors, funding rate manipulation, liquidation threshold bypass. Our perp-exchange-001 PoC was built against GMX EVM logic — much may translate.
Solana-Specific
Account validation gaps (Anchor checks), PDA derivation issues, signer verification. Solana has a different ownership model — bugs that can't exist in EVM are possible here. High-value novel surface.
Oracle / Price Feed
Perps need oracles. Solana oracle landscape = Pyth, Switchboard. Price staleness, oracle fallback manipulation, TWAP window attacks. Same pattern as EVM but Solana timing model differs.
PoC Library Matches
perp-exchange-001 ~ (EVM, needs Solana port) · anchor-account-001 (new) · pyth-oracle-001 (new)
Sorry Loop Position
MAPPED → SCOPING → POC PORT → POC CLEAN → CLO GATE → FILED → BOOM
3-Team Read
OG · Technical
If we already understand GMX's EVM logic, we know where the sorrys live. Porting to Solana/Anchor means re-expressing the same finding in a different execution model. Not starting from zero.
RHONE · Floor
$200K for a Rust/Solana bounty is top tier. Rust barrier keeps competition lower. If we can express the PoC in the Anchor test framework, huge edge.
RICK · Dissect
Solana account model is where the novel bugs live. EVM hunters can't find them easily. Our EVM PoC is a map — the Solana execution model is the new territory.
Next Action · Port Assessment
Check if perp-exchange-001 logic translates to the Anchor test framework. If yes, GMX-Solana moves to P1. The Rust/Anchor barrier is a moat — if we can cross it, $200K is in range.
Founfloor · C4 Bug Bounty · Rust

Renegade

First on-chain dark pool. Novel architecture — private trading via MPC/ZK. High novelty = high potential for novel bugs nobody has found.
$100K max bounty · 0 PoC matches · P2 priority
🔵 UNSCOPED · NOVEL ARCHITECTURE
Attack Surface
Dark Pool Order Matching
Private order book — orders hidden until matched. Key vectors: order front-running despite privacy, match manipulation, settlement ordering. Novel attack surface with no existing playbook.
MPC / Cryptographic Layer
Multi-party computation for order privacy. MPC protocol implementation bugs, key management errors, proof verification bypass. Rust cryptography is hard to audit — but implementation bugs are more common than people think.
Settlement Logic
When orders match, settlement must be atomic. Partial settlement exploits, settlement revert manipulation, asset accounting errors. Standard DeFi patterns apply at settlement layer even if order layer is novel.
PoC Library Matches
dark-pool-order (new) · mpc-implementation (new) · settlement-atomic ~ (flash-loan-001)
Sorry Loop Position
MAPPED → RESEARCH → SCOPING → POC BUILD → CLO GATE → FILED → BOOM
3-Team Read
OG · Technical
Novel architecture = novel bugs. The dark pool concept hasn't been battle-tested at scale. Read the whitepaper first — understand the privacy model — then find where it breaks.
RHONE · Floor
$100K for Rust with no existing playbook = low competition. Most hunters skip novel. We don't skip novel — novel is where the floor has an edge.
RICK · Dissect
Cryptographic implementation in Rust. The sorry isn't usually in the crypto math — it's in the plumbing around it. State management, key handling, error paths.
Next Action · Architecture Read
Read the Renegade whitepaper + protocol docs first. Understand the privacy model before touching code. The attack surface map comes from the architecture, not the code.
Founfloor · C4 Bug Bounty · Rust / ZK

Succinct

SP1 ZK virtual machine — prove the world's software. High complexity, high value. ZK proving systems have a specific class of bugs that are high-impact when found.
$150K max bounty · 0 PoC matches · P2 priority
🔵 UNSCOPED · ZK/RUST SPECIALISED
Attack Surface
Proof Verification
ZK proof systems must reject invalid proofs. Soundness bugs — accepting false proofs — are catastrophic. Completeness gaps — rejecting valid proofs — are DoS. Both are high-severity in a ZK VM.
Constraint System
SP1 compiles Rust to a constraint system. Under-constrained operations = soundness bug. Missing boundary checks in arithmetic circuits. Hard to find, extremely high value when found.
Precompile Layer
SP1 has precompiles for common operations (hashing, elliptic curves). Precompile implementation errors, input validation gaps, memory handling. Rust bugs at the precompile boundary.
PoC Library Matches
zk-soundness (new) · constraint-underspec (new) · precompile-input (new)
Sorry Loop Position
MAPPED → RESEARCH → SCOPING → POC BUILD → CLO GATE → FILED → BOOM
3-Team Read
OG · Technical
ZK soundness bugs are the holy grail. Hard to find, maximum severity, guaranteed payout if valid. Constraint system analysis requires mathematical background — this is a longer play.
RHONE · Floor
$150K and almost nobody can compete at this level. ZK expertise is rare. If the fleet has the capability, this is a DIAMOND-level target.
RICK · Dissect
Start with the precompile layer — it's the most accessible surface. Rust input validation errors are findable without deep ZK math. Work up from there.
Next Action · Capability Assessment
Assess ZK expertise on the floor first. If we have constraint system knowledge, this is P1. If not, start with the precompile layer, which is accessible. Long play but worth the research time.
Founfloor · C4 Bug Bounty · THORChain / Rust

Rujira

THORChain App Layer — DeFi suite on THORChain. Niche stack limits competition. Lowest bounty on the board but lowest barrier to being first.
$25K max bounty · 0 PoC matches · P3 priority
⚪ MONITORING · NICHE STACK
3-Team Read
OG · Technical
THORChain has had significant bridge exploits historically. The App Layer inherits those risks. If we can read THORChain Rust, the surface is interesting.
RHONE · Floor
$25K is small but the competition is near zero. THORChain expertise is extremely rare. One valid finding here = first blood in the THORChain ecosystem.
RICK · Dissect
Monitor only until we have THORChain-specific capability. Don't start from zero on a $25K target when $250K targets are unresolved.
Next Action · Monitor
Hold at P3. Revisit after Moonwell and Intuition are resolved. If THORChain expertise surfaces on the floor, move to P2.
Founfloor · C4 Bug Bounty · Solana / Rust

Glow Finance

Liquidity hub on Solana — trade, borrow, earn, restake. $60K bounty. Known issue: sponsor response times 20+ days. Not worth leading on.
$60K max bounty · 0 PoC matches · P3 priority
⚪ MONITORING · SLOW SPONSOR
3-Team Read
OG · Technical
Solana DeFi hub — lending + restaking. Similar surface to what we'd build for GMX-Solana. If GMX-Solana PoC lands, Glow becomes P2 automatically.
RHONE · Floor
Slow sponsor = slow payout = bad floor experience. 20+ day response times documented. Wait until GMX-Solana PoC exists — then this is a fast follow-on.
RICK · Dissect
Restaking on Solana is novel. If Glow's restaking implementation has accounting errors, $60K is the floor — actual impact could justify higher severity escalation.
Next Action · Monitor + Follow GMX-Solana
Hold at P3. When GMX-Solana PoC is ready, assess if Glow restaking surface has the same patterns. Fast follow-on opportunity.