Bug Bounty
Responsible disclosure program for Writz Protocol. If you find a security vulnerability in Writz Protocol, we want to hear from you before it becomes a problem. Report it responsibly and we will reward you fairly.
Scope
The following are in-scope for the bug bounty program:
Soroban contracts (high priority):
- commitment-tree — ZK lending logic, nullifier set, Merkle tree
- zk-verifier — Groth16 verification, verification key management
- bitcoin-spv — SPV verification, SHA256d implementation, Merkle proofs
- private-lend — Lending mechanics, interest accrual, liquidation
ZK circuits:
- deposit.circom — Soundness issues, underconstrained signals
- borrow_repay.circom — Collateral ratio enforcement, state transition
- liquidation.circom — Undercollateralization proof, usdc_debt binding
- merkle.circom — Poseidon Merkle tree components
- SPV proof assembly correctness
- API authentication and rate limiting
- Data integrity issues
Out of scope:
- Theoretical attacks that require physical access to infrastructure
- Social engineering attacks
- Denial-of-service attacks (network or application layer)
- Issues in third-party dependencies (report to the dependency maintainer)
- Issues in Stellar or Bitcoin protocols themselves
- Findings already documented in known limitations or audit reports
Severity Levels and Rewards
Rewards are paid in USDC on Stellar. Amounts are guidelines — actual rewards depend on impact and quality of the report.
| Severity | Description | Reward |
|---|---|---|
| Critical | Theft of user funds, ZK circuit soundness bypass, unauthorized BTC access | Up to $50,000 |
| High | Significant fund loss risk, privacy leak of user positions, oracle manipulation | Up to $15,000 |
| Medium | Denial of service for a specific user, minor fund loss risk, incorrect calculations | Up to $5,000 |
| Low | Minor issues, incorrect error handling, non-exploitable edge cases | Up to $1,000 |
| Informational | Best-practice improvements, documentation issues | Recognition only |
Examples of Critical findings:
- A ZK circuit that accepts a proof where the loan-to-value constraint is not enforced
- A Soroban contract bug that allows withdrawing more USDC than was deposited
- A Bitcoin SPV verification bypass that accepts a fabricated transaction as valid
How to Report
Email: security@writz.io
PGP key: published on Keybase at keybase.io/writz (coming soon)
Include in your report:
- A description of the vulnerability
- The affected component (contract name, circuit name, function name)
- Step-by-step reproduction instructions
- Proof of concept code or test case (if available)
- Your assessment of impact and severity
- Your Stellar wallet address for the reward payment
Disclosure Process
- You submit a report to security@writz.io
- We acknowledge within 48 hours
- We assess the report and confirm the severity within 7 business days
- We fix the issue; Critical/High findings are patched within 14 days
- We pay the reward upon fix deployment
- We publish a post-mortem (for Critical/High findings) after the fix is live and users are safe
- You can disclose publicly after the fix is live and 30 days have passed — we will coordinate with you
Hall of Fame
Researchers who responsibly disclose valid vulnerabilities will be acknowledged here (with permission).
| Researcher | Finding | Date |
|---|---|---|
| — | — | — |