Melon Bug Bounty Program

Jenna Zenk
Mar 8, 2019


Melonport is pleased to announce it has granted CHF 250,000 to the Melon Council for bug bounty purposes. This reward pool has been converted into DAI (247,989 DAI). The Melon Council will be able to use those funds to pay out bounties to people sharing security findings on the Melon protocol.


In order to test the security of our smart contracts and thereby to detect possible vulnerabilities in our code, we invite and challenge everyone out there to find attack vectors/security vulnerabilities in the Melon protocol.

A total reward pool of 247,989 DAI is available to pay out bounties. Bounties will be paid for all security vulnerabilities found and disclosed to the Melon Council, provided that:

  • You send a written report describing the full method to (and later on to the Melon Council security email)
  • The vulnerability was not reported before.
  • The issue reported is not an acknowledged aspect of the system.

The bug bounty is subject to the terms and conditions available on GitHub.

What does a good vulnerability submission look like?

A good submission should typically include:

What’s in there for me?

The total reward pool available is CHF 250,000. Rewards will be paid out in DAI. The value of rewards paid out will vary depending on severity and other factors. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood:

Reward sizes are guided by the rules above, but are, in the end, determined at the sole discretion of the Melon Council.

  • Critical: up to DAI 10,000
  • High: up to DAI 5,000
  • Low: up to DAI 500

A critical issue would include vulnerabilities resulting in the possibility of irreversibly locking up the assets, irreversibly destroying the fund or stealing the assets of the fund.

Ok, I’m in. Where do I start?

Repository (master branch):

Documentation available at:

You can check out this M-1 talk from Travis Jacobs, walking you through the smart contract architecture:

Below are the smart contracts in scope of the bug bounty. Any valid and previously unknown security vulnerability found and disclosed to the Melon Council will be rewarded.

Melon Engine




Fund components

Compliance (participation policy)

Risk management policies

Exchange adapters

Have fun, and reach out if you find anything!

Enzyme Finance (formerly Melon)
