Exponent regularly allocates time and resources to third-party security audits to mitigate risks associated with smart contracts. Each major release or update is audited by at least two independent security firms.
Auditor        Scope                     Completed
Sec3           exponent_clmm             Mar 2026
Sec3           exponent_orderbook        Jan 2026
OtterSec       exponent_clmm             Jan 2026
Sec3           exponent_core             Nov 2025
Offside Labs   exponent_clmm             Nov 2025
OtterSec       exponent_orderbook
Offside Labs   exponent_orderbook        Aug 2025
Certora        exponent_core             Jun 2025
OtterSec       generic_standard          Mar 2025
Offside Labs   generic_standard          Feb 2025
OtterSec       jito_restaking_standard   Jan 2025
Offside Labs   perena_usd*_standard      Jan 2025
Offside Labs   jito_restaking_standard   Dec 2024
Offside Labs   kamino_lend_standard      Oct 2024
Offside Labs   marginfi_standard         Oct 2024
Offside Labs   exponent_core             Oct 2024
OtterSec       kamino_lend_standard      Sep 2024
OtterSec       marginfi_standard         Sep 2024
OtterSec       exponent_core             Sep 2024
Exponent Bug Bounty Program
Exponent offers a bug bounty program with rewards of up to $250,000 for critical vulnerabilities. Our goal is to encourage security researchers to identify and responsibly disclose issues that could affect the security or integrity of the Exponent protocol and its users.
We welcome submissions related to the core smart contracts, application logic, and integrations. If you believe you’ve discovered a vulnerability, please review the details below before submitting.
Scope
The bounty program covers the following areas:
Core Exponent smart contracts (PT/YT tokens, CLMM, market creation, strategy vault, etc.)
Economic mechanisms related to yield trading, swaps, liquidity provision
Backend infra and APIs that affect the safety or availability of the protocol
Frontend and app vulnerabilities with financial or user impact
The primary focus is the prevention of fund loss, incorrect accounting, or protocol behavior that deviates from the intended design.
Rewards
Bug bounty rewards depend on severity, impact, and reproducibility. Please see below for more details:
Severity   Program     Application & Services
Critical   $250,000    $50,000
High       $100,000    $10,000
Medium     $10,000     $5,000
Low        $2,500      $500
Out of Scope
The following are excluded from bug bounty rewards:
Issues in third-party contracts or dependencies
Findings already disclosed in audits or public channels
UI/UX bugs without financial impact
Denial-of-service vectors fixable by upgrade and with no fund impact
Social engineering, phishing, or spam issues
Test contracts, scripts, and staging infra
Best practices, gas optimizations, or feature requests
SPL token compatibility edge cases without direct security impact
DNS or email intermittency and deliverability issues, including those caused by incorrect DKIM, SPF, or DMARC configurations
Eligibility Requirements
To qualify for a reward:
The vulnerability must be previously unknown and unreported.
You must not exploit the bug beyond what’s necessary to prove the finding.
No public disclosure before the fix is confirmed. DO NOT POST security issues on social media, discussion forums, or other public channels.
You must include sufficient detail to reproduce the issue (PoC, screenshots, logs, or clear steps).
You must not be a current or former team member, contractor, or auditor with access to the relevant code.
You must not reside in or be subject to OFAC-sanctioned jurisdictions.
How to Submit
Send your report to: security@exponentlabs.xyz
Please include:
Your contact details
Clear description of the vulnerability
Reproduction steps or PoC (code, screenshots, or logs)
You’ll receive an acknowledgment within 24-48 hours.
Eligible bounties are paid monthly in USDC on Solana.