Jenna Zenk
Mar 8 · 3 min read


Melonport is pleased to announce it has granted CHF 250,000 to the Melon Council for bug bounty purposes. This reward pool has been converted into DAI (247,989 DAI). The Melon Council will be able to use those funds to pay out bounties to people sharing security findings on the Melon protocol.


In order to test the security of our smart contracts and thereby to detect possible vulnerabilities in our code, we invite and challenge everyone out there to find attack vectors/security vulnerabilities in the Melon protocol.

A total reward pool of 247,989 DAI is available to pay out bounties. Bounties will be paid for all security vulnerabilities found and disclosed to the Melon Council, provided that:

  • You send a report around the full method in writing to (and later on to the Melon Council security email)
  • The vulnerability was not reported before.
  • The issue reported is not an acknowledged aspect of the system.

The bug bounty is subject to the following terms and conditions available on Github.

What does a good vulnerability submission look like?

A good submission should typically include:

  1. a good description of the bug
  2. a description of the attack scenario
  3. the impact of this scenario
  4. any other necessary components
  5. any other details that might be helpful
  6. a potential resolution or fix. Giving examples is always helpful!

What’s in there for me?

The total reward pool available is CHF 250,000. Rewards will be paid out in DAI. The value of rewards paid out will vary depending on severity and other factors. The severity is calculated according to the OWASP ( risk rating model based on Impact and Likelihood:

Reward sizes are guided by the rules above, but are, in the end, determined at the sole discretion of the Melon Council.

  • Critical: up to DAI 10,000
  • High: up to DAI 5,000
  • Low: up to DAI 500

A critical issue would include vulnerabilities resulting in the possibility of irreversibly locking up the assets, irreversibly destroying the fund or stealing the assets of the fund.

Ok, I’m in. Where do I start?

Repository (master branch):

Documentation available at:

You can check out this M-1 talk from Travis Jacobs, walking you through the smart contract architecture:

Below are the smart contracts in scope of the bug bounty. Any valid and previously unknown security vulnerability found and disclosed to the Melon Council will be rewarded.

Melon Engine




Fund components

Compliance (participation policy)

Risk management policies

Exchange adapters

Have fun, and reach out if you find anything!

Melon Protocol

A Blog Detailing the Endeavours of those within the Melon Protocol Ecosystem: A Blockchain Software for Digital Asset Management

Thanks to Mona El Isa

Jenna Zenk

Written by

CTO at Melonport AG; Fullstack engineer with extensive background in finance. #melonport #fintech #blockchain #ethereum #cryptocurrency #javascript #fullstack

Melon Protocol

A Blog Detailing the Endeavours of those within the Melon Protocol Ecosystem: A Blockchain Software for Digital Asset Management

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade