Note: The bug bounty program is currently paused while the team works through a backlog of submissions. New submissions are not being accepted at this time. An update will be posted here when the program reopens.
Security
Here you'll find how we handle security reviews, where our audit reports live, and how our bug bounty works. For reporting steps, safe harbor, and legal terms, read our Security Policy.
Security audits
We work with external auditors on major releases and components, and we run internal security reviews as we ship. The full list of external and internal reports — with PDFs — lives in one place.
→ Browse all audit reports on Espresso Systems' GitHub
A few recent examples; the repo has the full list, dates, and download links:
April 2026, Least Authority: TEE and OP integration smart contracts.
November 2025, Runtime Verification: Proof of Stake (staking) smart contracts.
May 2025, Cantina: Merkle tree and BLS signature scheme.
Bug bounty
We run a bug bounty to reward responsible disclosure of security issues in our smart contracts and other in-scope code. If you find something, please report it using the process in our Security Policy. Eligible reports can qualify for a reward.
Scope
Smart contracts
Stake table contracts
Reward claim
Light client
BLS and Schnorr (Ed-on-BN254) signature verification
PlonK verifier, verification keys, and Merkle tree verifier libraries
ESP token and Fee contract
UUPS upgrades, access control, pausability, and timelocks
Earlier contract versions only where they affect upgrade safety
Relevant Rust components (if applicable)
Light client verification and state validation logic
Validator state management and reward Merkle tree verification, where applicable
Severity and rewards
Reward tiers are a guide. Actual rewards depend on impact, how easy the issue is to exploit, and how clear your report is. Espresso Foundation decides final amounts.
Low
Up to $1,000
Non-critical edge cases with minimal or no financial impact
Medium
Up to $10,000
Limited-impact exploits
Edge-case logic flaws affecting correctness
High
Up to $100,000
Temporary locking of funds
Bypassing core protocol invariants
Unauthorized actions with meaningful impact
Critical
Up to $250,000
Loss or theft of funds
Permanent freezing of funds
Privilege escalation to admin-level control
Submission requirements
To be eligible for a reward, include the following. Incomplete reports may not qualify.
1. Clear description of the vulnerability
2. Affected contracts and functions
3. Steps to reproduce
4. Proof of concept (code, test, or script)
5. Impact analysis
How to report
Use our Security Policy for where and how to send a report. We try to acknowledge new reports within a few business days.
Read the Security Policy ↗
Responsible disclosure
When you submit a report, please follow our Security Policy. In short:
Don't go public with the issue until we've fixed it
Don't exploit it beyond what you need to show the impact
Don't touch other people's funds or data
Review process
Our security team triages reports, checks impact, assigns severity based on risk, and works with engineering on fixes. Timing depends on how complex the fix is. Triage, safe harbor, and payouts are all covered in the Security Policy.
Rewards and payment
We pay rewards after we've validated the issue and handled it under the program rules
When you get paid can depend on fix and deploy schedules
We usually pay in cryptocurrency
Additional notes
You're responsible for your own taxes
Espresso Systems makes the final call on severity and reward amount
Sanctioned individuals or entities are not eligible to participate in this bug bounty program or receive rewards
If you're building on top of Espresso, treat vulnerabilities as confidential until disclosure is coordinated, and use the same reporting path as everyone else.