Security & Risk
Reporting a vulnerability
How to disclose responsibly, and what to expect back.
No formal bug bounty exists yet. Until one does:
Report privately first
Email beboney.real@gmail.com before any public disclosure.
- Good-faith reports are acknowledged within 48 hours.
- Rewards for critical findings are negotiated case by case.
- Please include: the contract and function affected, a reproduction path (a Foundry test against a fork is ideal), and your assessment of impact against the trust model.
Scope
Everything deployed and verified on Robinhood Chain mainnet
(addresses) plus the public repository:
BasketToken, VimenZap/VimenZap2, and the curator-platform contracts as
they land in the repo.
Findings most valuable to the protocol, in order:
- Anything that breaks full backing (mint under-collateralizing the vault, redeem over-withdrawing).
- Anything that can block redemption other than a constituent's own transfer revert.
- Privilege escalation: any effect on funds beyond the guardian's three documented powers.
- Zap safety: paths to the router custodying funds between transactions or
settling a user worse than
maxSpend/minOut. - Fee- or burn-accounting flaws in the curator-platform contracts.
Known accepted findings and false positives are documented in Audits & analysis; please check there before reporting a static-analyzer result.