Midas Bug Bounty Programme: Up to $500,000 with Sherlock and Cantina

Midas is launching a dual-platform bug bounty programme in partnership with Sherlock and Cantina, offering up to $500,000 USDC for critical findings across our smart contract infrastructure.

Security Doesn't Stop at Audits

Every piece of smart contract code that goes into production has been reviewed. Reviewed by the team that wrote it, reviewed by internal engineers, and for protocols that take security seriously, reviewed by independent audit firms. At Midas, that means audits with Hacken, Sherlock and various independent researchers.

But an audit is a point-in-time exercise. Auditors review a specific version of the codebase, under a defined scope, in a fixed window of time. Once that window closes, the code keeps running. New integrations are added. Market conditions change. Edge cases that seemed theoretical become exploitable under conditions no one anticipated.

This is the gap a bug bounty programme fills. It converts the global community of security researchers into a continuous, economically incentivised layer of oversight. Rather than waiting for a vulnerability to be discovered and exploited, you create conditions where finding it responsibly is more valuable than finding it maliciously.

The logic is straightforward: if a critical flaw exists in production code, it is better to pay a researcher $500,000 to surface it privately than to have it exploited for far more. The bounty is not a cost; it is priced-in risk management.

What's in Scope

The full Midas contract suite across Ethereum and Solana:

  • All mToken contracts including:
    • Access control
    • Deposit vaults
    • Redemption vaults
    • Data feeds
    • LayerZero OFT
    • Axelar vault
  • Contract configuration
  • The Midas web interface

Known issues from prior audits are excluded. The complete file-level scope is listed on both platforms.

What Makes a Vulnerability Critical

Not all bugs are equal. The severity framework used across both Sherlock and Cantina classifies findings across four levels, based on the combination of impact and likelihood.

A critical vulnerability is one that could cause catastrophic, immediate harm with little or no friction for the attacker. In the context of Midas contracts, that means:

  • An attacker finds a flaw in a deposit or redemption vault that allows them to withdraw assets they do not own, draining funds directly from the protocol.
  • A data feed manipulation exploits a gap in price validation logic, allowing the minting of mTokens at an artificially favourable rate, effectively extracting value from other token holders.
  • A flaw in access control logic allows an unpermissioned address to invoke admin functions, pausing the protocol, changing fee parameters, or redirecting yield.
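To make the second category concrete, here is an added illustration of what a "gap in price validation logic" looks like in a deposit vault, written for this article and not taken from Midas's contracts or from any audit finding. The contract names, the USDC/mToken/feed decimals and the staleness and deviation limits are all assumptions chosen for the example; the feed interface follows the Chainlink AggregatorV3 shape. The naive vault trusts whatever the feed returns, the guarded one rejects non-positive, stale, incomplete or wildly deviating prices before it mints anything.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example for illustration only; not Midas code and not an audit finding.
// The feed interface mirrors Chainlink's AggregatorV3Interface.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Shared deposit logic: take USDC (assumed 6 decimals) and credit mTokens (assumed 18 decimals)
// at the USD price the feed reports (assumed 8 decimals). Only the price source differs.
abstract contract DepositVaultBase {
    IAggregatorV3 public immutable feed;
    IERC20 public immutable usdc;
    mapping(address => uint256) public mTokenBalance;

    constructor(IAggregatorV3 feed_, IERC20 usdc_) {
        feed = feed_;
        usdc = usdc_;
    }

    function _price() internal virtual returns (uint256);

    function deposit(uint256 usdcAmount) external {
        require(usdc.transferFrom(msg.sender, address(this), usdcAmount), "transfer failed");
        uint256 price = _price();
        // usdcAmount (1e6) * 1e8 (feed) * 1e18 (mToken) / (price * 1e6) == usdcAmount * 1e20 / price
        uint256 mTokenOut = usdcAmount * 1e20 / price;
        mTokenBalance[msg.sender] += mTokenOut;
    }
}

// Vulnerable: the feed's answer is used as-is. A stale answer, or a round that has not
// completed, is accepted silently; an artificially low price mints more mTokens per USDC
// than the underlying NAV supports, diluting every other holder. A zero answer reverts on
// the division and a negative answer wraps to an enormous price, so those fail loudly,
// but the dangerous case (plausible-looking but wrong price) passes straight through.
contract NaiveDepositVault is DepositVaultBase {
    constructor(IAggregatorV3 f, IERC20 u) DepositVaultBase(f, u) {}

    function _price() internal view override returns (uint256) {
        (, int256 answer,,,) = feed.latestRoundData();
        return uint256(answer);
    }
}

// Hardened: every answer must be positive, fresh, from a completed round, and within a
// bounded move of the last price the vault accepted.
contract GuardedDepositVault is DepositVaultBase {
    uint256 public constant MAX_PRICE_AGE = 1 hours;   // assumed; tune to the feed's heartbeat
    uint256 public constant MAX_DEVIATION_BPS = 500;   // assumed; 5% between accepted prices
    uint256 public lastAcceptedPrice;

    constructor(IAggregatorV3 f, IERC20 u) DepositVaultBase(f, u) {}

    function _price() internal override returns (uint256) {
        (uint80 roundId, int256 answer,, uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "price: non-positive");
        require(updatedAt != 0 && block.timestamp - updatedAt <= MAX_PRICE_AGE, "price: stale");
        require(answeredInRound >= roundId, "price: round incomplete");

        uint256 price = uint256(answer);
        if (lastAcceptedPrice != 0) {
            uint256 diff = price > lastAcceptedPrice ? price - lastAcceptedPrice : lastAcceptedPrice - price;
            require(diff * 10_000 <= lastAcceptedPrice * MAX_DEVIATION_BPS, "price: deviation");
        }
        lastAcceptedPrice = price;
        return price;
    }
}
```

The deviation guard is deliberately conservative: a legitimate move larger than the bound halts deposits rather than minting at a price the vault cannot corroborate, so in practice it is paired with a pause and a privileged reset. That is also why the third category above, unpermissioned access to admin functions, is critical in its own right: the same privileged path that unblocks a stuck price guard can be abused to set one.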

These are not hypothetical categories invented for the programme. They reflect the attack surface that exists in any protocol managing real capital onchain. The severity tiers ensure that researchers are rewarded in proportion to the risk they surface, and that the most dangerous findings are prioritised accordingly.

Reward Structure

Rewards scale with impact and with the funds directly at risk at the time of submission. For critical vulnerabilities, the reward is calculated as 10% of the affected funds, up to the maximum cap. A minimum reward applies to every valid critical report, so responsible disclosure is incentivised regardless of the funds at risk when the report is filed. The same reward structure applies across both Sherlock and Cantina.

Two Platforms, One Programme

Running simultaneously across Sherlock and Cantina is a deliberate choice. The two platforms attract overlapping but distinct researcher communities. Sherlock's stake-gated submission model requires researchers to post collateral with every report, filtering low-effort submissions before they reach the engineering team. Cantina brings independent researchers operating under the same severity framework.

The combined coverage means more qualified eyes on the same codebase, continuously.

Submit a Report


About Midas

Midas is a platform for composable onchain investment products. It enables strategy managers to turn institutional strategies into regulatory-compliant tokens that offer investors full transparency, instant redemptions, and native composability across DeFi protocols such as Morpho and Pendle.