Kleidi Adopts Immunefi Bug Bounty
Audits are snapshots. They review code at a fixed point in time, under a fixed set of assumptions, with a fixed scope. When the audit ends, the code keeps running and the threat landscape keeps shifting. Kleidi's contracts are immutable: the code never changes, but that also means it cannot be patched after deployment, so defects have to be found before an attacker finds them. The contracts have been tested with more than seven different kinds of security tooling.
Bug bounties fill the gap between audits. They create a standing, continuous financial incentive for any security researcher in the world to find vulnerabilities in production code and report them instead of exploiting them.
Kleidi's bug bounty program is now live on Immunefi, with a maximum payout of $50,000 for critical smart contract vulnerabilities.
Why Immunefi
Immunefi is the largest bug bounty platform in crypto. Over $125 million has been paid to whitehats through the platform since its launch. More than $190 billion in user funds is covered by active Immunefi programs across protocols like Optimism, Polygon, MakerDAO, and Chainlink.
Immunefi hosts over 45,000 onchain security researchers, which adds another layer of review to our contracts by giving whitehats a direct incentive to study the code. They know the submission process. They know what a valid finding looks like. They know how to write a clear proof of concept. That existing ecosystem means Kleidi's contracts are immediately visible to the people most likely to find issues in them.
Scope
The program covers Kleidi's deployed smart contracts. Researchers can review the source code, identify vulnerabilities, and submit findings through Immunefi's structured disclosure process. Payouts scale with severity.
Critical vulnerabilities in smart contracts are eligible for up to $50,000. The classification follows Immunefi's standardized severity framework, which maps directly to real-world impact: fund loss, unauthorized state changes, and contract manipulation.
Full program details, including scope, rules of engagement, and severity definitions, are available on our Immunefi program page.
Where This Fits
Bug bounties are one layer in a stack. They are not a substitute for the layers that come before them.
Kleidi's contracts went through unit tests, integration tests, and internal code review before they reached anyone outside the team. Beyond that, they are fuzz tested with randomized and adversarial inputs designed to break assumptions that structured tests don't cover. Critical invariants are formally verified, meaning they are mathematically proven to hold across all execution paths the verifier models; the proof is only as strong as the invariants chosen and the assumptions encoded, which is why the layers that follow still matter.
Independent auditors at Code4rena and Recon reviewed the contracts with the explicit goal of breaking them. External eyes, adversarial mindset, no shared assumptions with the development team. These auditors found no high or critical issues.
The bug bounty program adds continuous external scrutiny after all of those layers have been applied. If a vulnerability survives testing, formal verification, and two independent audits, there is a standing financial incentive for the person who finds it to report it rather than exploit it.
SEAL Safe Harbor extends the defense further. If a contract is being actively exploited and a whitehat researcher intervenes to rescue funds, the agreement gives them pre-authorized legal protection to do so, under its terms. The Immunefi bug bounty covers the stage before that: it gives whitehats a reason to disclose vulnerabilities pre-emptively, so that Safe Harbor is never needed.
What This Means
Kleidi's security model does not depend on any single layer. It depends on the interaction between layers, each one covering failure modes that the previous one doesn't address. Testing catches implementation errors. Formal verification catches logical errors. Audits catch errors that the team's assumptions prevented them from seeing. Bug bounties catch errors that survive all three. Safe Harbor covers what happens when something gets past everything.
The bug bounty program is live. Program details are on Immunefi. Details on Kleidi's full security architecture are on our security page. Questions: contact us.