SynergyX Bug Bounty Program

We're not paying for typos, UI glitches, or "the runes in your source code are scary." This is for real vulnerabilities with real impact:

• Fund Loss — Any path that allows unauthorized transfer of SYNX from a wallet
• Key Recovery — Extracting SPHINCS+ private keys, seed phrases, or master secrets from memory, disk, or network traffic
• Signature Forgery — Forging a valid SPHINCS+ signature without the private key
• Daemon Brick Bypass — Crashing or hijacking the daemon to manipulate consensus, balances, or block validation
• Escrow Drain — Exploiting Synergy Sea DEX escrow to steal funds from either party
• Nonce Collision — Producing an AES-256-GCM nonce reuse that leads to plaintext recovery
• Side-Channel Extraction — Timing attack, cache attack, power analysis, or memory forensics that recovers key material
• TLS Bypass — Defeating cert pinning to MITM wallet-daemon communication
• Staking Exploit — Manipulating stake rewards, double-staking, or phantom unstake
• DoS / Resource Exhaustion — Crashing the daemon or wallet with crafted input (not just "send a lot of requests")

Send your proof-of-concept to @SynergyXlabs on Telegram. Include:

• Description of the vulnerability
• Step-by-step reproduction instructions
• PoC code, scripts, or tooling used
• Video or terminal recording (optional but helps)
• Your preferred payout address and currency

Your exploit must work against the live SynergyX mainnet. Testnet-only bugs don't count. Genesis block hash for verification:

Contact @SynergyXlabs for the full genesis hash if you're ready to begin.

After we verify your PoC, you'll receive an escrow address. Payment is made on-chain — no PayPal, no wire transfers, no IOUs. $10,000 USD equivalent in USDC or your preferred supported crypto. Transparent and trustless, same as the protocol.

The following do not qualify:

• Informational findings ("this header is missing")
• Self-DoS (crashing your own wallet)
• Social engineering or phishing vectors
• "The obfuscated code looks weird" — yes, it's supposed to
• "The runes are scary" — they're Elder Futhark, not a hex curse (or maybe they are)
• Theoretical attacks without a working PoC
• Bugs in third-party dependencies unless you can chain them into a SynX-specific exploit

If your submission is "I decompiled the binary and the variable names gave me a headache" — that's by design, not a vulnerability. We reserve the right to reject submissions that don't demonstrate real-world exploitability.No demonstrating but look I can get into my own privatekey from my PC (yeah no shit goodjob it's self custodial)! No hard feelings. Come back when you have something real.

This bounty program is active for 90 days from March 1, 2026. Submissions received after May 30, 2026 are not guaranteed a payout under this program, though we may choose to honor exceptional findings at our discretion.