Bug Bounty

Help keep meemz.bet safe. Report vulnerabilities in our smart contracts and earn up to $500,000 in rewards.

Maximum Reward
$500K
USDC on Solana
🛡 Hosted on Immunefi

Reward Tiers

โ— Critical
$500,000
Up to $500,000
Direct loss of user funds, admin key compromise, or total protocol takeover. Must be directly exploitable on mainnet.
โ— High
$50,000
Up to $50,000
Indirect loss of funds, oracle manipulation with profit, or liquidation mechanism bypass. Significant economic impact required.
โ— Medium
$10,000
Up to $10,000
Temporary freeze of protocol functions, incorrect fee accounting, or griefing attacks on individual users with minor financial impact.
โ— Low
$1,000
Up to $1,000
Minor bugs, edge cases with negligible financial impact, smart contract best practice deviations without exploitability.

All rewards paid in USDC. Critical rewards subject to KYC. Reward amounts at sole discretion of meemz.bet security team based on severity, likelihood, and quality of report.

What's in Scope

✓ In Scope

  • meemz-perp-core smart contract (all instructions)
  • meemz-liquidity-pool contract
  • meemz-oracle-adapter and Pyth integration
  • meemz-liquidator contract and liquidation logic
  • meemz-governance program
  • Loss of user funds or collateral
  • Unauthorised position open/close/liquidation
  • Funding rate manipulation
  • PDA (program-derived address) spoofing
  • Oracle price manipulation and staleness bypasses
  • Arithmetic errors with financial impact
  • Governance bypass and upgrade authority attacks

✗ Out of Scope

  • Frontend UI / webapp (meemz.bet website)
  • Off-chain keeper and liquidation bots
  • Third-party integrations (Pyth, Jupiter) — report to them directly
  • Theoretical attacks with no practical impact
  • Social engineering of meemz team members
  • Bugs in already-known issues from audit report
  • Test network / devnet findings
  • Spam, rate-limiting, or DoS on web services
  • Bugs requiring malicious validator collusion
  • MEV / sandwich attacks (considered expected Solana behaviour)
  • Solana network-level vulnerabilities

How to Report

01

Submit via Immunefi

All reports must be submitted through our Immunefi program page. This ensures encrypted communication, anonymous reporting, and protects both parties. Do NOT disclose publicly before resolution.

immunefi.com/bounty/meemzbets

02

Include a Proof of Concept

Your report must include a working proof of concept demonstrating the vulnerability. This can be a unit test, a transaction on devnet, or a script. Reports without PoC will be deprioritised. The clearer your report, the faster we can triage.

03

Initial Response

We aim to acknowledge all reports within 24 hours. You'll receive an initial severity assessment within 72 hours. Our team operates globally across UTC-8 to UTC+9.

04

Remediation & Payment

Once a valid vulnerability is confirmed, we work to patch and deploy a fix, then pay the reward within 14 days of final confirmation. KYC is required for rewards above $10,000.

Responsible Disclosure Rules

🔒 No Public Disclosure

Do not disclose any vulnerability publicly before it has been fully remediated. This includes social media, Discord, GitHub, or any other public channel. Premature disclosure voids eligibility for reward.

🚫 No Exploitation

Do not exploit a discovered vulnerability beyond what is necessary to prove the concept. Do not profit from the vulnerability, access user data, or disrupt protocol operations. Any exploitation voids the bounty and may result in legal action.

โœ‰๏ธ Good Faith

Act in good faith. Do not use social engineering, phishing, or physical attacks on meemz team members. Automated scanning that could impact production stability is prohibited.

๐Ÿ† One Report, One Bug

Only the first researcher to report a unique vulnerability is eligible for the reward. If the same bug is reported by multiple researchers, the reward goes to the earliest valid report with a working PoC.

โš–๏ธ Safe Harbour

meemz.bet provides full safe harbour to security researchers acting in good faith and in accordance with these rules. We will not pursue legal action against researchers who follow this programme's guidelines.

๐ŸŒ Eligibility

The programme is open to everyone except meemz team members, contractors, and residents of countries subject to relevant sanctions laws. KYC may be required for reward claims above $10,000 per applicable law.

Found Something?

Security researchers are an essential part of keeping DeFi safe. If you've found a vulnerability, we want to hear from you — and reward you for it.

Email [email protected]
PGP key available at meemz.bet/.well-known/security.txt · Never submit via Twitter/Discord DMs

Common Questions

How quickly will I be paid after a confirmed finding?
Once a vulnerability is confirmed and a fix is deployed, payment is made within 14 business days. For critical vulnerabilities, we aim to pay within 7 days. Payment is made in USDC to the Solana wallet address you provide during the submission process.

Can I test against mainnet?
We strongly prefer that testing be done against our devnet deployment, which is at all times running the same code as mainnet. The devnet program IDs are listed in our docs. If you believe a finding requires mainnet confirmation, contact us first — do not exploit mainnet to prove a vulnerability.

I found a bug that's already in the audit report. Am I eligible?
No. Vulnerabilities already identified in the OtterSec audit report are not eligible for bounty, regardless of whether they have been fixed. The audit report is publicly available on this site — please review it before submitting.

What counts as a working proof of concept?
A working PoC is a reproducible demonstration of the vulnerability. For smart contract bugs, this can be a Rust/Anchor test, a transaction signature on devnet, or a script that demonstrates the exploit path. We need to be able to independently verify the vulnerability from your PoC.

I want to remain anonymous. Can I still claim a reward?
Yes, for rewards under $10,000. You can submit through Immunefi anonymously. For rewards above $10,000, KYC is legally required per our compliance obligations. Immunefi's KYC process is confidential and your identity is not publicly disclosed.

Can I be rewarded for a finding in a future contract upgrade?
Yes. The bounty programme covers the currently deployed contracts and any future upgrades announced on our docs site. When we deploy an upgrade, we will update the programme scope accordingly on Immunefi.