Bug Bounty Program
The Monolythium Bug Bounty Program rewards community members who discover and report bugs across our ecosystem. Reports are triaged by AI and reviewed by the core team.
Platform: issues.monolythium.com
How It Works
- Connect your wallet on the Mono Issues platform
- Submit a bug report — select the product, describe the issue, attach screenshots
- AI analyzes your report — Claude validates the submission, classifies severity, and checks for duplicates
- Team review — valid reports are reviewed by the Monolythium team
- Earn rewards — approved reports earn points that convert to LYTH tokens monthly
Reward Tiers
Points are awarded based on the severity of the bug:
| Severity | Points | Examples |
|---|---|---|
| Critical | 100 | Security vulnerabilities, fund loss, data corruption |
| High | 50 | Major features broken, incorrect calculations |
| Medium | 20 | Minor feature issues, cosmetic bugs with workarounds |
| Low | 5 | Typos, minor visual issues, edge cases |
Bonus Multiplier
If you submit a pull request (PR) with a fix alongside your bug report, you receive a 1.5x point multiplier.
Supported Products
You can report bugs for any product in the Monolythium ecosystem:
- MonoHub — DeFi platform (swap, pump, farming)
- Monoscan — Block explorer
- Desktop Wallet — Tauri-based desktop wallet
- Mobile Wallet — React Native mobile wallet
- Browser Wallet — Chrome extension wallet
- MonoPlay — Gaming storefront and launcher
- Mono Card — Card management app
- Smart Contracts — Solidity contracts
- Indexer / API — Backend indexing services
- Documentation — This documentation site
Monthly Distribution
At the end of each month, the team allocates a LYTH token pool. Each contributor's share of the pool is proportional to the points they earned:
your_share = (your_points / total_points) * monthly_pool
Leaderboard
Track your ranking and compete with other bug hunters on the public leaderboard.
Rules
- One report per bug — duplicate submissions are flagged by AI
- Reports must describe specific, reproducible issues
- Spam, profanity, and non-bug submissions are automatically rejected
- The team's decision on severity and approval is final
- Maximum 5 reports per hour per wallet
Safe Harbor
Mono Labs R&D LLC will not pursue legal action against individuals who conduct security research in good faith and in compliance with this policy. Activities conducted consistent with this policy constitute authorized conduct under the Computer Fraud and Abuse Act (CFAA) and equivalent international laws.
In-Scope Activities
- Testing smart contracts deployed on testnet — all contracts are deployed 1:1 on testnet and mainnet, so testnet is the preferred testing environment
- Analyzing open-source code published in Monolythium GitHub repositories
- Testing web applications listed under Supported Products connected to testnet
- Reporting vulnerabilities through the designated platform (issues.monolythium.com)
Important: All security testing must be conducted on testnet. Testnet contracts mirror mainnet exactly. Researchers can obtain test tokens from the faucet. Findings discovered on testnet apply equally to mainnet and will be rewarded accordingly.
Out-of-Scope Activities (Not Authorized)
- Any testing on mainnet — use testnet instead
- Social engineering, phishing, or physical attacks against team members or users
- Denial-of-service (DoS/DDoS) attacks against any infrastructure
- Accessing, modifying, or exfiltrating user data or funds
- Testing third-party services, infrastructure, or dependencies not operated by Mono Labs
- Any activity that violates applicable law
Researcher Obligations
- Report vulnerabilities promptly through the designated platform
- Do not publicly disclose vulnerability details before a fix has been deployed or 90 days have passed since the report, whichever comes first
- Make a good-faith effort to avoid privacy violations, service disruption, and destruction of data
- Only interact with accounts you own or with explicit permission from the account holder
Our Commitment
- We will acknowledge your report within 7 business days
- We will not pursue legal action against researchers who comply with this policy
- We will work with you to understand and resolve the issue
- We will credit you (unless you prefer to remain anonymous) when we publicly disclose the fix
Disclaimer
The Monolythium Bug Bounty Program, including all reward distributions, is provided on an "as-is" basis at the sole discretion of Mono Labs R&D LLC. Participation in this program does not create an employment, contractor, or agency relationship. Mono Labs reserves the right to modify, suspend, or terminate this program at any time without notice. All reward amounts, eligibility criteria, and severity classifications are determined by Mono Labs and are final. LYTH token rewards have no guaranteed monetary value. By participating, you acknowledge that you do so at your own risk.
All Monolythium ecosystem products, including smart contracts, DeFi protocols, wallets, and related software, are provided "as-is" without warranty of any kind. Users interact with these products entirely at their own risk. Mono Labs R&D LLC is not liable for any loss of funds, data, or other damages arising from the use of or interaction with any Monolythium product.
Get Started
Visit issues.monolythium.com to submit your first bug report.