Security Programme

Bug Bounty

Help us keep QuantumDEX safe. Responsible disclosure of valid vulnerabilities is rewarded with QBIT and THI tokens.

  • Status: Active
  • Max Reward: $50,000 USD equiv.
  • Response: 48h SLA

Reward Tiers

Severity      | Examples                                                                                                   | Reward (USD equiv.)
Critical      | Direct theft of user funds, complete bypass of reentrancy protection, bridge drain exploit                 | $10,000 – $50,000
High          | Oracle manipulation enabling profitable attack, governance timelock bypass, flash loan uncapped fee bypass | $2,500 – $10,000
Medium        | Karma score manipulation, liquidity provider fund risk, TWAP price manipulation under normal conditions    | $500 – $2,500
Low           | Access control issues without fund risk, minor logic errors, gas inefficiencies                            | $100 – $500
Informational | Best practice violations, non-exploitable findings                                                         | Public acknowledgement
Testnet Phase: During testnet, rewards are issued in QBIT (testnet tokens with a mainnet conversion commitment). Mainnet rewards are paid in THI + QBIT at the current market price.

In Scope

Smart Contracts (Highest Priority)

  • QuantumFactory.sol, QuantumPair.sol, QuantumRouter.sol
  • QuantumPerps.sol, QuantumFlashLoan.sol
  • QuantumBridge.sol (bridge contracts — Critical priority)
  • VotingEscrow.sol, QuantumGovernor.sol, TimelockController.sol
  • CommitRevealArbitrage.sol, QubismicArbitrage_V4.sol

Infrastructure

  • ThiChain RPC endpoint (testnet-rpc.thichain.io)
  • Bridge validator security
  • Faucet rate limiting / exploitation

Out of Scope

  • Theoretical attacks without practical exploit path
  • Issues requiring physical access to infrastructure
  • Third-party dApps built on QuantumDEX contracts
  • Social engineering attacks against team members
  • Spam or DoS attacks against the public interface (test responsibly)
  • Findings already disclosed in our public audit reports
  • Issues in test/development environments only

Programme Rules

Do not perform attacks that could harm the network or other users: no transaction spam, no state corruption, and no attacks against testnet infrastructure that disrupt access for others.
  • Test only against our official testnet (Chain ID 420421) or local forks
  • Do not exfiltrate or publicly disclose data before coordinating with us
  • Provide clear reproduction steps and impact assessment
  • One submission per vulnerability — duplicate reports receive reduced reward
  • Rewards are at the sole discretion of Qubismic ApS
  • Qubismic team members and contractors are ineligible

How to Submit

Submission Template
Subject: [BUG BOUNTY] [Severity] Brief description

1. Vulnerability Summary
   Clear one-paragraph description of the issue

2. Affected Contract(s)
   File: ContractName.sol, Line: XXX

3. Attack Scenario
   Step-by-step reproduction

4. Impact
   What can an attacker achieve? Estimated funds at risk?

5. Suggested Fix
   Optional but appreciated

6. Your Wallet Address
   For reward payment

Send to: security@qubismic.io

PGP key available on request. We will acknowledge your report within 48 hours and provide a reward decision within 14 days of patch confirmation.