VimenDocs
Security & Risk

Reporting a vulnerability

How to disclose responsibly, and what to expect back.

No formal bug bounty exists yet. Until one does:

Report privately first

Email beboney.real@gmail.com before any public disclosure.

  • Good-faith reports are acknowledged within 48 hours.
  • Rewards for critical findings are negotiated case by case.
  • Please include: the contract and function affected, a reproduction path (a Foundry test against a fork is ideal), and your assessment of impact against the trust model.

Scope

Everything deployed and verified on Robinhood Chain mainnet (addresses) plus the public repository: BasketToken, VimenZap/VimenZap2, and the curator-platform contracts as they land in the repo.

Findings most valuable to the protocol, in order:

  1. Anything that breaks full backing (mint under-collateralizing the vault, redeem over-withdrawing).
  2. Anything that can block redemption other than a constituent's own transfer revert.
  3. Privilege escalation: any effect on funds beyond the guardian's three documented powers.
  4. Zap safety: paths to the router custodying funds between transactions or settling a user worse than maxSpend/minOut.
  5. Fee- or burn-accounting flaws in the curator-platform contracts.

Known accepted findings and false positives are documented in Audits & analysis; please check there before reporting a static-analyzer result.

On this page