Overview

Monolith runs a live bug bounty program hosted on Sherlock. Security researchers who responsibly disclose valid vulnerabilities in Monolith’s smart contracts are eligible for rewards based on severity. All submissions must be made through the Sherlock platform in accordance with their platform rules.
Submit all vulnerability reports through Sherlock. Do not publicly disclose findings before they are resolved, and do not test on mainnet or public testnets.

Rewards

Severity              Reward
Critical              $5,000 – $20,000
High                  $3,000
Medium                $1,000
Low / Informational   $250 – $500
Reward amounts within ranges are determined at the discretion of the Monolith team based on the actual impact, exploitability, and quality of the report. Rewards are paid in DOLA. Duplicate submissions — where the same vulnerability has already been reported — are not eligible for a reward.

Assets in Scope

The following contracts are in scope for the bug bounty program:
  • Factory.sol
  • Coin.sol
  • InterestModel.sol
  • Vault.sol
  • Lender.sol
Only contracts explicitly listed in the active Sherlock program page are considered in scope. Scope is updated to reflect new deployments and to remove deprecated contracts as the protocol evolves.

Impacts in Scope

Critical

  • Direct theft of user funds or collateral
  • Protocol insolvency or permanent loss of funds
  • Unauthorized minting of stablecoins
  • Permanent freezing of user funds

High

  • Temporary freezing of funds
  • Significant disruption to liquidations or redemptions
  • Material miscalculation of borrowing power or debt

Medium

  • Smart contract unable to operate due to missing token funds
  • Griefing attacks causing damage without direct profit motive
  • Theft of gas or unbounded gas consumption

Low / Informational

  • Contract fails to deliver promised returns without loss of principal
  • Edge case behavior inconsistent with specification

Out of Scope

The following are not eligible for rewards:
  • Attacks requiring access to leaked keys or privileged addresses
  • Oracle manipulation where the depeg is not caused by a bug in the protocol's code
  • Issues already disclosed in a prior audit report
  • Best practice recommendations or feature requests
  • Impacts resulting from attacks the researcher has already carried out themselves
  • Any testing conducted on mainnet or public testnet
  • Social engineering, phishing, or denial-of-service attacks
  • Third-party infrastructure not controlled by the Monolith protocol

Previous Audits

The following audits have been completed. Issues identified in these reports are out of scope for the bug bounty program.
Auditor              Type                 Date               Report
Electisec (yAudit)   Private audit        June 2025          View report
ChainSecurity        Private audit        October 2025       View report
Sherlock             Public contest       December 2025      View report
ChainSecurity        Re-audit (v5.1)      March–April 2026   View report
Sherlock AI          AI-assisted review   April 2026         View report
Nemesis              AI-assisted review   April 2026         View report
Zellic v12           AI-assisted review   April 2026         View report

Rules

All participants must adhere to Sherlock’s platform rules. Key requirements:
  • All testing must be conducted on local forks — never on mainnet or public testnet
  • Do not publicly disclose vulnerabilities before they are resolved
  • Do not exploit discovered vulnerabilities or threaten to do so
  • Submit all reports through the official Sherlock channel
  • Do not communicate with the protocol team outside of Sherlock’s platform

How to Submit

Submissions are made directly through the Sherlock bug bounty platform. Sherlock manages the triage and dispute resolution process. Reports should include a clear description of the vulnerability, the affected contracts and functions, steps to reproduce, and an assessment of potential impact. A proof of concept is strongly encouraged.
Publicly known bugs or issues reported in a previous audit are not eligible for a payout. Ensure your finding is novel before submitting.

Direct Disclosure

Under extraordinary circumstances, researchers may contact the Monolith team directly before submitting through Sherlock — for example, in cases of active exploitation risk. In such cases, reach out via the Inverse Finance Discord prior to submission to discuss the appropriate channel. Direct submissions are evaluated on a case-by-case basis and do not guarantee a reward outside the standard Sherlock process.