These documents are working drafts published transparently while LightChallenge completes its independent legal review. Material terms are not expected to change, but minor wording may be updated. The version date appears at the top of each page.

Security & Disclosure

LightChallenge custodies real LCAI on mainnet (chain ID 9200). We take security reports seriously and offer a bounty for reports that meet the criteria below.

How to report

Email security@lightchallenge.app with:

  • A clear description of the vulnerability.
  • Reproduction steps.
  • Suspected impact and blast radius.
  • (If applicable) a proof-of-concept and a suggested mitigation.

Please do not open public GitHub issues, post in Discord, or tweet about unpatched issues.

Coordinated-disclosure timeline

StepTarget
Acknowledgementwithin 48 h
Initial severity assessmentwithin 7 days
Fix in testingdepends on severity
Public disclosureby mutual agreement, default 90 days after report

Bounty

Reward sizing is at the discretion of the maintainers and depends on reproducibility, blast radius, originality, and quality of the report.

SeverityDefinitionReward (USD-equivalent in LCAI)
CriticalDirect theft of user funds, treasury drain, or permanent freezing of >1 % of TVL$5,000 – $25,000
HighTheft of yield/fees, denial-of-service requiring contract redeploy, attestor signer bypass$1,000 – $5,000
MediumTheft or freeze of <1 % of TVL, griefing requiring manual ops, off-chain auth bypass$250 – $1,000
LowInformation leak (non-PII), logic bugs without economic impact, gas griefing$100 – $250
InformationalCode-quality, optimisations, missing event emissionsswag / hall-of-fame credit

Safe harbor

The following actions are explicitly authorised under this policy:

  • Testing against the testnet (uat.lightchallenge.app, chain 8200) at any time.
  • Reading on-chain mainnet state, querying the public API, fuzzing testnet contracts.
  • Disclosing the issue to LightChallenge maintainers via the channel above.

We will not pursue civil or criminal action against researchers acting in good faith under this policy.

The following are out of scope for safe harbor:

  • Attacks against mainnet user funds or live mainnet state mutations.
  • DoS / load testing against production infrastructure.
  • Social engineering of staff or community members.
  • Phishing of users.
  • Physical attacks on infrastructure or personnel.

Scope

In scope

  • Smart contracts (contracts/) deployed on chain 9200 and 8200
  • Webapp API routes (webapp/app/api/) on lightchallenge.app and uat.lightchallenge.app
  • Off-chain workers and indexers (offchain/) running on Fly.io
  • iOS mobile app and the Discord bot

Out of scope

  • Third-party dependencies — please report upstream and CC us
  • LightChain protocol contracts (AIVM, validator infra, bridge) — report to the LightChain team
  • Frontend cosmetic / browser-compat issues
  • Findings reproducible only by an attacker who already controls the protocol owner key
  • The invest/ subtree — separate product, separate disclosure process

Audit status

An external audit is scheduled. See SECURITY.md in the repository for the full policy and current audit progress.

Hall of Fame

We publicly credit researchers who responsibly disclose. With your consent, your handle and a one-line summary will appear here after the issue is fixed and disclosed.

(empty — be the first!)