Bug bounty program
Triaged by HackenProof

Multipli Smart Contracts: Program info

Company: Multipli
Requirements: 150 reputation points required; POC required
Status: Live (program is active now)

Multipli is a ZK-based yield protocol that enables yield generation on traditionally non-yield-bearing assets (XAUT, BTC, etc.) and boosts the yield efficiency of any asset by 4–12%. This bug bounty program focuses exclusively on on-chain smart contract code, including vault logic, financial computations, token accounting, upgrade paths, ZK-integrated contract logic, and overall protocol integrity.

Researchers are invited to uncover vulnerabilities that may compromise fund safety, protocol correctness, or economic soundness.

In scope

All targets are smart contracts and all are rated Critical. The Snowtrace links point at verified source on Avalanche C-Chain (chain ID 43114).

Target                                            Type            Severity
Token Contract (ERC1967Proxy) - Avalanche xUSDC   Smart Contract  Critical
  https://snowtrace.io/address/0xCF0Eb4ac018C06a16ED5c63484823C7805e7599D/contract/43114/code
VariableVaultFee - Avalanche                      Smart Contract  Critical
  https://snowtrace.io/address/0x4E5FEa916ef8458b8D877BD760B6930Fb4f28B72/contract/43114/code
VaultFundManager - Avalanche xUSDC                Smart Contract  Critical
  https://snowtrace.io/address/0x01e676EAA0C9780A88395c651349Cf08Fe52368e/contract/43114/code
RolesAuthority - Avalanche xUSDC                  Smart Contract  Critical
  https://snowtrace.io/address/0xf580B985e2Fd8A8b0e4a56C2a7E24bC28e872609/contract/43114/code
Github repo with latest contract code             Smart Contract  Critical
  https://github.com/multipli-libs/Barebones-MultipliVault
MultipliVault - Avalanche xUSDC                   Smart Contract  Critical
  https://snowtrace.io/address/0xb63601A11c5bDC79D511B8F73871d7C0d8B57AE9/contract/43114/code

Focus Area

In-Scope Vulnerabilities

We are looking for demonstrable incorrect behavior in contract logic that leads to unintended execution. Examples include:

Critical / High-impact

  • Theft or permanent loss of funds
  • Unauthorized withdrawals or transfers
  • Incorrect accounting leading to mint/burn imbalance
  • Yield, rate, or share inflation/deflation bugs
  • Logic inconsistencies that break protocol invariants
  • Contract behavior diverging from business rules
  • Upgradeable proxy misconfiguration (wrong implementation slot, unsafe delegatecall, faulty UUPS/Beacon setup)
  • Bypassing admin/key/guardian checks
  • Message passing or cross-module calls that skip verification
  • Reentrancy (direct or cross-contract)
  • Storage collision or shadowing leading to corruption

Medium / Low

  • Integer overflows/underflows
  • Balance manipulation via unexpected state changes
  • Precision or rounding attacks with measurable impact
  • Incorrect fee or reward distribution logic
  • Time misalignment issues causing profit bypass
  • Execution flow vulnerabilities in multiple call paths

Out-of-Scope Vulnerabilities

The following are NOT eligible unless they demonstrate clear fund loss or invariant break:

  • Third-party library vulnerabilities (e.g., OpenZeppelin)
  • Pure gas optimizations, style issues, best practices
  • Test or mock contracts
  • Minor rounding issues without financial impact
  • MEV or frontrunning profit-only opportunities that do not break invariants
  • Governance assumptions requiring owner privileges
  • Issues requiring unrealistic liquidity or miner collusion
  • Public zero-day announcements with no PoC
  • Compiler version warnings without an exploit
  • Theoretical vulnerabilities without demonstration
  • Social engineering or non-on-chain vulnerabilities

Program Rules

  • Do NOT use automated scanners that generate massive traffic.
  • Do NOT attack infrastructure, DNS, frontend, API, or backend (this is a Smart Contract only program).
  • Do NOT cause real fund damage on mainnet — use testnets when possible.
  • Do NOT modify, freeze, or steal assets belonging to other users.
  • Keep all tests localized to your own wallets.
  • Follow the scope strictly.
  • No DoS, DDoS, spamming, or destructive testing.
  • Vulnerability chains (several bugs combined into one exploit) are rewarded once, at the severity of the highest-impact bug in the chain.
  • You must not break any laws or compliance requirements.
  • Do not discuss vulnerabilities with anyone outside HackenProof and Multipli.

Disclosure Guidelines

  • No public disclosure is allowed.
  • Do not tweet, blog, or discuss reports until you receive written approval.
  • All PoCs, screenshots, and technical details must remain private.
  • No partial or timeline disclosure is permitted at this time.

Eligibility and Coordinated Disclosure

You must meet all criteria to be eligible for rewards:

  • You must be the first reporter of the vulnerability.
  • The vulnerability must be valid, in-scope, and demonstrable.
  • Reports must be submitted within 24 hours of discovery.
  • Submit exclusively through HackenProof.
  • Provide a clear textual description, impact explanation, and a runnable PoC (Foundry/Hardhat preferred).
  • You must be 18+ and legally allowed to participate.
  • You must not be a past or current employee/contractor of Multipli.
  • Use the same email associated with your HackenProof account.
  • AI-generated reports without runnable PoC will be rejected.

Rewards

Range of bounty: $0 - $10,000

Severity   Reward
Critical   $5,000 - $10,000
High       $2,000 - $5,000
Medium     $750 - $2,000
Low        $0 - $750

Stats

Scope Review: 36577
Submissions: 339
Total rewards: $100

Types: blockchain, smart contract
Languages: Solidity
Project types: DeFi, Infrastructure, Staking
Hackers: 132

SLA (Service Level Agreement)

Time within which the program's triage team must respond, in business days:

Response Type     Business days
First Response    1
Triage Time       3
Reward Time       3
Resolution Time   14