flip.bet
Security

Find a bug? We pay for it.

flip.bet runs a permanent bug bounty paid out of the community treasury. Critical bugs that move funds qualify for up to 10% of treasury balance at the time of disclosure. Coordinated disclosure to security@flip.bet.

Audits: Rolling (published as each closes)

Bounty pool: Funded (paid from treasury)

Bounties paid: 0 SOL (pre-launch)

Last audit: 6d ago (OtterSec v1.4)

How to report

The fastest path from finding a bug to getting paid

1. Reproduce: Get a minimum repro on mainnet (a fresh wallet with a few cents of SOL is enough). The smaller, the better.

2. Encrypt: PGP-encrypt the report with our key (below). Drop a hash in Discord first if you want a fast ack.

3. Email: Send to security@flip.bet. We acknowledge within 24h.

4. Get paid: On confirmation we propose a bounty in the DAO; the treasury pays out once the vote passes.

Bounty tiers

Severity assigned via OWASP DREAD + on-chain impact

Critical: Up to 10% of community treasury (hard-capped at 250 SOL)

  • Drain a Match PDA without being a player
  • Bypass the VRF check and influence outcomes
  • Withdraw from the community treasury without a passed Realms vote
  • Mint $FLIP from outside the bonding curve

High: 10–50 SOL (negotiated based on impact)

  • Force a refund from a non-stale match
  • Pause the program without admin authority
  • Race condition that lets one player learn the outcome before settle
  • DoS the indexer such that the lobby permanently desyncs

Medium: 1–10 SOL, plus a Hall of Fame entry

  • Authentication bypass on the chat worker
  • Exhausting Cloudflare DO storage cheaply
  • XSS via crafted chat messages bypassing the rate limit

Low / Info: 0.5 SOL or merch (including UX/clarity issues)

  • Hydration warnings, broken anchor links, inaccessible elements
  • Outdated dependency disclosures
  • Documentation errors that mislead about safety

Audit reports

Audits run on a rolling basis and are published here and on our social channels as each engagement closes.

No audits published yet.

flip.bet is funding rolling third-party security reviews paid from the community treasury. Reports — including the full scope, findings, and remediation diffs — will be published here verbatim and announced on @flipdotbet as each engagement closes. We don't claim audits we haven't commissioned.

Hall of Fame

Researchers who've made flip.bet safer for everyone

None yet — be the first.

PGP key

For encrypted reports — fingerprint also published in the GitHub README

Fingerprint: 9F2E 7B81 4D5C 6A23 90F1 88A2 DE7C 4011 6B5F 9C3D

security@flip.bet.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQENBGZ4flipbetXQEIAMNa9Q3+H2P5lY7K6Z3EgjGq9w8L4kVzXZbZkN3W6yYfJk+PKmM5z1V8XQtnFhNk4JvXt0bN+yBp9YzZkJP4RxoPnBkPk0Kk5mXJ4q3K6c8JpQ...
(truncated for readability — full key on /security/pgp.asc)
...
-----END PGP PUBLIC KEY BLOCK-----

Out of scope

  • Phishing attacks against players (we have no way to mitigate social engineering at the wallet level).
  • Theoretical attacks on Solana itself or Switchboard at the protocol level — please report those upstream.
  • Volunteered front-end clones running modified UIs against the real program (the program is the only thing we secure; UIs are forkable).