Security
Perena takes the security of the USD* protocol and all associated smart contracts seriously. We appreciate the efforts of security researchers and community members who help us identify and responsibly disclose vulnerabilities.
Audits
The USD* protocol has undergone the following security audits. All relevant issues identified by auditors were addressed prior to deployment.
Reporting a Vulnerability
If you believe you have found a security vulnerability in the Perena protocol, please report it responsibly via one of the following channels:
Email: hi [x] perena.org
X.com or LinkedIn direct messaging.
Do not open a public GitHub issue for security vulnerabilities. Public disclosure of an unpatched vulnerability puts user funds at risk and will disqualify a report from any reward consideration.
What to Include
A good vulnerability report includes:
A clear description of the vulnerability and the affected component(s)
Steps to reproduce the issue or a proof of concept
The potential impact (e.g., loss of funds, unauthorized access, denial of service)
Any suggested mitigation or fix
Response Timeline
We aim to acknowledge receipt of your report within 48 hours and provide an initial assessment within 7 business days. We will keep you informed of our progress toward a fix and may ask for additional information or guidance.
Scope
In Scope
USD* smart contracts deployed on Solana mainnet
Core protocol logic including minting, redeeming, yield distribution, and pool management
Any vulnerability that could result in loss or theft of user funds, unauthorized minting, or manipulation of protocol state
Out of Scope
The following are not eligible for reward consideration:
Bugs in third-party contracts, bridges, or integrations not maintained by Perena
Frontend / UI bugs that do not lead to loss of funds or compromise of user data
Issues already identified in published audit reports (see above)
Known issues or design trade-offs that the team has already evaluated and accepted
Theoretical vulnerabilities without a working proof of concept or realistic attack scenario
Denial-of-service attacks on public infrastructure (RPCs, frontends)
Social engineering, phishing, or attacks on team members
Automated scanner output without manual verification and a demonstrated impact
Best-practice recommendations, gas optimizations, or code quality observations that do not constitute a security risk
Vulnerabilities requiring access to privileged keys or admin roles already held by the team
Rewards
Perena does not currently operate a formal bug bounty program with fixed reward tiers. However, we value responsible disclosure and may offer rewards at our sole discretion based on:
Severity: Does the vulnerability put user funds at direct risk?
Impact: How much capital is realistically affected?
Quality: Is the report clear, reproducible, and well-documented?
Novelty: Is this a new finding, or a known or previously reported issue?
Rewards, if any, will be evaluated on a case-by-case basis. Only vulnerabilities classified as Critical or High severity — specifically those that could lead to direct loss, theft, or permanent freezing of user funds — will be considered for monetary rewards. Medium and Low severity findings may be acknowledged with credit but are not guaranteed any payout.
We reserve the right to determine the final severity classification of any reported vulnerability.
As Perena grows, we intend to formalize a structured bug bounty program. In the meantime, researchers who submit high-quality, high-impact reports will be rewarded fairly.
Responsible Disclosure Guidelines
By submitting a vulnerability report, you agree to:
Allow Perena a reasonable amount of time (minimum 90 days) to address the issue before any public disclosure
Not exploit the vulnerability beyond what is necessary to demonstrate it
Not access, modify, or delete data belonging to other users
Conduct all testing against a local fork of mainnet — never against production or live deployments
Not use automated scanning tools that generate excessive traffic against Perena infrastructure
Submit one vulnerability per report (unless chaining is necessary to demonstrate impact)
Not share details of the vulnerability with any third party before Perena has addressed it
Safe Harbor
Perena will not pursue legal action against security researchers who:
Act in good faith and in accordance with this policy
Avoid actions that could harm Perena users, disrupt services, or destroy data
Do not profit from or exploit the vulnerability beyond proof-of-concept demonstration
Acknowledgments
We maintain a list of researchers who have contributed to the security of the Perena protocol through responsible disclosure. If you would like to be credited, please let us know in your report.