Audits and formal verification catch bugs at specific points in time. But code is a living system — new deployments, parameter changes, and evolving market conditions create an ongoing attack surface. Bug bounties provide a continuous incentive for independent security researchers to find and responsibly disclose vulnerabilities. Kamino operates a $1.5M bug bounty program on ImmuneFi — the largest bug bounty on Solana at the time of its launch in October 2025. View the program on ImmuneFi →

Reward Structure

Smart Contract Vulnerabilities

Severity   Reward
Critical   10% of funds at risk, minimum $150,000, maximum $1,500,000
High       Up to $100,000 (scaled to funds at risk)
Medium     $10,000 (fixed)

Critical rewards are calculated as 10% of the economic damage that the vulnerability could have caused if exploited. The minimum payout of $150,000 ensures that even theoretical critical findings are well-compensated, while the $1.5M cap applies to the most severe, protocol-threatening discoveries.

Web Application Vulnerabilities

Severity   Reward
Critical   $20,000 – $50,000
High       Up to $10,000

Assets in Scope

The program covers all core smart contracts and the Kamino web application:
  • KLend — Kamino Lending Program (core lending/borrowing)
  • KVault — Kamino Lending Vault Program (earn vaults)
  • KFarms — Kamino Farms Program (reward distribution)
  • Scope — Price Oracle Aggregator (including Switchboard, Meteora, JUP Perp, and RedStone interfaces)
  • Kamino Liquidity Program — Automated liquidity provisioning
  • Kamino App — The web application at kamino.com
In total, 17 assets are in scope.

Requirements

  • Proof of Concept (PoC) is mandatory for all submissions. Reports must include a working demonstration or detailed technical description of how the vulnerability could be exploited.
  • KYC is required for all payouts. Researchers must complete identity verification through ImmuneFi before receiving rewards.
  • Payments are made in USDC on Solana.
  • All submissions are triaged by ImmuneFi’s team before being forwarded to Kamino’s security team.

Out of Scope

The program does not cover:
  • Token-2022 related issues that do not result in irrecoverable loss of funds
  • Vulnerabilities caused by infrastructure failures (RPC outages, network congestion)
  • Issues in third-party dependencies that are not under Kamino’s control
  • Configuration-specific impacts (issues that only affect non-standard deployments)

Prior to ImmuneFi

Before launching the ImmuneFi program, Kamino operated self-hosted bug bounties for three years. The move to ImmuneFi in October 2025 formalized the program with standardized triage, reward scaling, and KYC compliance, while significantly increasing the maximum reward to $1.5M.

Responsible Disclosure

If you discover a potential vulnerability, report it through the ImmuneFi program page. Do not disclose vulnerabilities publicly before they have been triaged and resolved. Responsible disclosure protects users and ensures researchers receive their full reward.