Voidly Pay · Security

Find a vulnerability, get paid.

Voidly Pay handles real USDC on Base mainnet. We pay for help making it ironclad — on-chain or off-chain, vault contract or worker code or relayer service.

Scope

  • VoidlyPayVault at 0xb592512932a7b354969bb48039c2dc7ad6ad1c12 on Base mainnet
  • Voidly Pay worker — every /v1/pay/* route on api.voidly.ai
  • Voidly Pay relayer — any input that lets it mint credits or move USDC outside the rules
  • SDK: @voidly/pay npm package, signature handling
  • x402 facilitator — quote signing + verification

Reward tiers

  • Critical, $10,000–$50,000: vault drain, infinite credit mint, key extraction, governance bypass.
  • High, $2,000–$10,000: settlement bypass, replay attack, signed-envelope forgery, race-condition double-spend.
  • Medium, $500–$2,000: cap circumvention, webhook SSRF, anomaly-detector bypass, idempotency conflict misuse.
  • Low, $100–$500: DoS via expensive query, info disclosure that doesn't unlock the above.

Final reward depends on impact, exploitability, and quality of the report. We pay in USDC on Base or fiat at our discretion.

How to report

  1. Email security@voidly.ai with subject [bounty] <short title>.
  2. Include: a clear writeup, repro steps (or PoC), affected component, severity assessment, and your preferred payment method (USDC address on Base, or fiat).
  3. Optional: encrypt the report with our PGP key (fingerprint published on /security.txt).
  4. We acknowledge within 24 hours and triage within 72 hours.

Rules of engagement

  • Test on testnet or sandbox first. Use /v1/pay/test/wallet/create for sandbox wallets. Avoid touching real funds in the vault unless you've confirmed an exploit on testnet.
  • Don't pause the vault unless you've already shown an exploit and the guardian role hasn't responded. We monitor pauses 24/7.
  • Don't move other people's funds beyond the minimum needed to demo. Return anything moved.
  • No DoS, brute-force, or social engineering against operators or employees.
  • Out of scope: rate limits as DoS, lost-key recovery, missing security headers on the marketing site.

Hardening already in place

  • Vault: per-tx + daily caps (immutable per-tx, governance-only raise on daily); CEI ordering; 2-step governance handover; non-upgradeable; role separation enforced in constructor.
  • Worker: 9-check rule per transfer; UNIQUE(from_did, nonce) DB-level replay protection; canonical JSON envelope verification with Ed25519; admin signing with 10-min validity windows.
  • Idempotency-Key middleware (Stripe-style) on all state-changing routes; cached responses don't double-settle.
  • Anomaly detection (rapid-drain, velocity spike, failed flood) with auto-freeze on high/critical severity.
  • Webhook delivery is HMAC-signed (timestamped) with SSRF guards.
  • Relayer keys: operator (hot, capped), guardian (pause-only), governance (multisig recommended).

Public hall of fame

Researchers who responsibly disclose are credited here (with their consent), with severity tier and report date. Coming soon — be first.