
Bug bounty

Lucid maintains a bug bounty program for production smart contracts that are currently in use. The program is intended for serious security issues with real, present-day exploitability in live Lucid smart contract systems.

This is a rolling bug bounty program running from May 22, 2026 through September 1, 2026.

Smart Contracts

Only Critical and High findings are eligible for bounty payouts under this program.

Risk score    Payout
Critical      Up to $10,000 USDC
High          Up to $2,000 USDC

This is Lucid's initial public bug bounty program. Reward levels are intentionally conservative at launch and will be increased in future bug bounty programs.

Payment Terms

  • Bounty payouts are processed after a 30-day waiting period following deployment of a fix.
  • KYC is required for payout. If a submission qualifies for a reward, the reporter must complete identity verification.
  • Because Lucid Labs Ltd is a UK-registered entity, bounty payouts are subject to applicable sanctions, export control, and compliance restrictions. Lucid cannot accept or pay bounty claims where doing so would violate applicable laws or sanctions restrictions, including restrictions relating to sanctioned persons, sanctioned entities, or sanctioned jurisdictions.
  • Reward amounts are denominated in USDC.
  • Final payout amounts are determined by Lucid based on severity, exploitability, report quality, and whether the issue can be reproduced and remediated efficiently.

How It Works

This bug bounty program is focused exclusively on Lucid's production smart contracts, with emphasis on preventing:

  • Loss of user funds from live Lucid smart contracts.
  • Exploitable failures in active production contracts that can halt, lock, corrupt, or critically disrupt core protocol operations.
  • Severe access control, accounting, execution, or settlement failures in production smart contracts that are currently in use.

To be eligible, a submission must describe an exploit that is actionable at the time of submission against an in-scope production contract that is currently used by Lucid.

The following are not eligible:

  • Theoretical issues that depend on future integrations, future configuration, or hypothetical deployments.
  • Misconfigurations that are not presently exploitable in production.
  • Issues in code paths, features, roles, switches, assets, chains, or modules that exist in contracts but are not currently used.
  • Findings that are technically valid but do not create a meaningful path to loss of funds, protocol stoppage, permanent locking, or other severe live impact.

Scope and Severity Criteria

Smart Contracts in Scope

All production smart contracts listed in Lucid's deployed contract documentation are in scope, provided they are both:

  • deployed in production; and
  • actively used by Lucid at the time of submission.

Primary scope references:

Critical

Critical findings are limited to vulnerabilities that are currently exploitable and can directly cause loss of user funds from an in-scope production smart contract.

Examples may include:

  • Unauthorized draining, theft, or redirection of user funds.
  • Unauthorized minting, release, withdrawal, or transfer of assets that results in user fund loss.
  • A live exploit path that irreversibly destroys or misallocates user funds.

High

High findings are limited to vulnerabilities that are currently exploitable in active production contracts and create severe protocol impact, but do not themselves qualify as direct loss of user funds.

To be eligible as High, an issue must be capable of causing at least one of the following in production:

  • Permanent locking of user funds or protocol funds in a core contract flow.
  • Full stoppage or severe denial of service of a core production contract or settlement flow.
  • Unauthorized takeover or bypass of critical privileges that materially compromises core protocol safety.
  • A severe accounting, message execution, or state integrity failure that breaks core protocol operation in a way that is immediate and material.

The following do not qualify as High on their own:

  • Best-practice improvements or hardening suggestions.
  • Limited-scope griefing, nuisance, or edge-case disruption.
  • Issues requiring unusual operator mistakes, future governance actions, or non-existent production configuration.
  • Problems affecting only dormant functionality, non-live integrations, or features not currently used.
  • Small or partial findings that do not stop, lock, or critically compromise a core production flow.

Out of Scope

Known Issues

The following are not eligible for rewards:

  • Previously disclosed, previously reported, or already known issues.
  • Findings covered by prior audits, security reviews, previous contests or remediation discussions.
  • Findings previously identified in Olympix reports.
  • Issues Lucid is aware of and has consciously accepted or mitigated operationally.
  • Issues that apply only to smart contracts that have been paused already.

Previous Audits

Any previously reported vulnerabilities mentioned in past Lucid audit reports are out of scope for bounty rewards.

See the audit links on the Security page.

Specific Types of Issues

The following are excluded unless they directly lead to an otherwise in-scope Critical or High impact in a currently used production contract:

  • Attacks already exploited on a public network before submission.
  • Attacks requiring compromised private keys, leaked credentials, or control of trusted signers without an underlying code vulnerability.
  • Attacks that require full trusted admin or governance control and do not rely on a protocol vulnerability.
  • Generic best-practice observations without a concrete production exploit path.
  • Issues arising from oracle behavior or oracle dependencies, including mispricing, stale prices, incorrect feeds, delayed updates, or other external data quality problems, unless the submission demonstrates a separate in-scope vulnerability in Lucid's own production smart contracts.
  • Issues that affect only test environments, staging systems, mock deployments, inactive chains or non-production contracts.
  • Frontend, website, infrastructure, email, social, or offchain operational issues.

Cross-Submission Policy

Cross-submissions are not allowed. If the same vulnerability is submitted to another active bug bounty program, coordinated disclosure platform, or third party, it will only be considered valid in a single program based on the earliest verified submission timestamp. In cases of duplicate or cross-program submissions, priority and eligibility for reward will be determined solely at our discretion according to the first valid submission received.

Prohibited Activities

The following activities are strictly prohibited under this bug bounty program:

  • Any testing on mainnet that risks real user or protocol funds.
  • Any testing against third-party contracts, bridges, messaging layers, or services beyond what is necessary to demonstrate impact on an in-scope Lucid production contract.
  • Phishing, social engineering, extortion, or attempts to obtain private information from Lucid team members, partners, or users.
  • Denial of service attacks against Lucid infrastructure or production systems.
  • Automated scanning, fuzzing, or traffic generation that degrades service for real users.
  • Public disclosure of an unpatched vulnerability before Lucid confirms remediation.

Submission Guidelines

Please include:

  • A PDF document containing the full vulnerability report.
  • A clear description of the vulnerability and impacted contracts.
  • The exact production deployment, chain, and contract addresses affected.
  • Step-by-step reproduction instructions or proof of concept.
  • A clear explanation of impact and why the issue is exploitable in production at the time of submission.
  • Any suggested remediation if available.

Before submission, the PDF report must be timestamped using OpenTimestamps, and proof of timestamping must be attached to the email submission.

This requirement supports first-come, first-served handling when multiple parties report the same vulnerability. Submissions that do not include proof of timestamping will not be considered.
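The OpenTimestamps workflow behind that requirement, as an added example that is not Lucid's own tooling: the client stamps the SHA-256 digest of the PDF, the proof file (<report>.ots) starts out pending and is completed once a Bitcoin block confirms it, and the reporter attaches the .ots file to the email. The script assumes the `ots` command from the opentimestamps-client package is installed; file names and the digest quoted in the report are placeholders, and the demo input is constructed stand-in content, not a real report.

```shell
#!/bin/sh
# Added example (not Lucid's own tooling): timestamp a report PDF with the
# OpenTimestamps client and keep the digest the proof commits to.
# Assumes the `ots` CLI (opentimestamps-client) is on PATH; file names are
# placeholders.
set -eu

# SHA-256 of the file, i.e. the value the .ots proof commits to. Works with
# either coreutils sha256sum or BSD/macOS shasum.
report_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Create <report>.ots by submitting the digest to the public calendar servers.
# The proof stays "pending" until a Bitcoin block confirms it (usually hours).
stamp_report() {
    ots stamp "$1"
    ots info "$1.ots"
}

# Later: upgrade the pending proof to a complete Bitcoin attestation, then
# verify it. `ots verify` needs access to a Bitcoin node (see the client docs).
upgrade_and_verify() {
    ots upgrade "$1.ots"
    ots verify "$1.ots"
}

# Pre-flight check before emailing: the PDF, its .ots proof and the digest you
# quoted in the report body must all agree. Returns 0 only when all three do.
# Usage: ready_to_submit report.pdf <sha256 written into the report>
ready_to_submit() {
    [ -s "$1" ] || { echo "missing report: $1" >&2; return 1; }
    [ -s "$1.ots" ] || { echo "missing proof: $1.ots" >&2; return 1; }
    [ "$(report_digest "$1")" = "$2" ] || { echo "digest mismatch: $1" >&2; return 1; }
    echo "ready: $1 + $1.ots (sha256 $2)"
}

# Demo on a constructed stand-in for the PDF; a real run uses the actual
# report and then calls stamp_report / upgrade_and_verify on it.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'hello' > "$tmp/report.pdf"   # constructed placeholder content
    echo "sha256: $(report_digest "$tmp/report.pdf")"
    rm -rf "$tmp"
fi
```

Stamp the final PDF, not a draft: any later edit changes the digest and the earlier proof no longer covers the file you send. Keep the .ots file next to the PDF and quote the digest in the report so the triager can check that the attached proof matches the attached document.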

Send submissions to security@lucidlabs.fi. Please use the subject format: Bug Bounty Submission: <short vulnerability description>.

Submissions consisting of low-quality, AI-generated, spam-like, or non-validated vulnerability reports will not be considered eligible for review or reward.

Miscellaneous

  • Employees of Lucid and their family members are not eligible for bounties.
  • Lucid may request additional information, reproduction support, or reasonable time to validate submissions before confirming severity or reward eligibility. This validation period will not exceed 90 days from the date of submission.