Reserve Contract Bug Bounty

The Flipcash Currency Creator

Flipcash is the only platform for creating digital currencies that are immediately used as real money. The moment a currency is created it can be sent, spent, or handed to someone as simply as physical cash. Every currency has guaranteed liquidity from day one, which is managed by the Reserve Contract.

The Reserve Contract

Every Flipcash currency is governed by the Reserve Contract, an on-chain contract that manages each currency’s supply and liquidity.

When a new currency is created, 21 million coins are minted and deposited into the Reserve Contract. Each currency has a fixed supply of 21 million coins, so there will never be more. The Reserve Contract then sells coins on a predefined pricing curve, accepting payment in USDF, a fully backed 1:1 USD stablecoin managed in partnership with Coinbase. 

The first coin sells for $0.01. With every $11,400 of coins purchased, the price per coin increases by roughly one penny until the 21 millionth coin sells for $1 million.

The Reserve Contract custodies the supply of each currency that hasn’t yet been sold. It also custodies the USDF received as payment for each coin, using that USDF to also buy coins on the same pricing curve. In doing so, the Reserve Contract acts as a guaranteed buyer, ensuring continuous liquidity without relying on market makers, order books, or liquidity providers, all in a fully trustless manner.

Over time, the Reserve Contract may ultimately hold billions of dollars of capital. Because the Reserve Contract is autonomous and trustless, any vulnerability could have severe consequences for the integrity of the Reserves. We have worked hard to ensure the security of the contract, but we want to do everything we can. This is where we could use your help.

Reserve Contract Bug Bounty

Because every Flipcash currency ultimately depends on the correctness and safety of the Reserve Contract, it represents the most critical security surface in the system. The contract holds and moves real value, sets prices, and guarantees continuous liquidity for users.

We have completed an independent audit of the Reserve Contract with Sec3, which you can find here. 

We are now inviting the security community to review the contract and report any exploitable vulnerabilities.

You can find the repository here: Flipcash Reserve Contract

Bounty Details

We are offering a $100,000 USD bounty to anyone who can provide a clear, reproducible proof-of-concept demonstrating any of the following:

• Steal or improperly withdraw funds from the Reserve Contract’s token vaults

• Reproducibly extract economic profit from the Reserve Contract by looping buys and/or sells, or otherwise manipulating pricing or execution

• Break the Reserve Contract such that it can no longer reliably sell tokens to or buy tokens from users

Submission Deadline: February 11, 2026 (23:59 UTC)

Referral Bonus: We are offering an additional $10,000 USD to anyone who refers a researcher that submits a valid, payout-eligible finding. (The researcher must credit you in their submission).

Submission Requirements

All submissions must include a working proof-of-concept, clear reproduction steps, and an explanation of the underlying issue. Economic attacks must demonstrate positive expected value under realistic conditions.

A submission must include a test case written in Rust. Example test cases that interact with the Reserve contract can be found here.

Submissions that rely on unrealistic assumptions, privileged access, or non-production configurations will not qualify. Submissions are first come first - any exploit found will only be paid out to the first submission. 

Submission Instructions

Please submit all findings via email to security@flipcash.com. Reports should be submitted privately and include sufficient detail for us to reproduce the issue.

We ask that you do not publicly disclose any vulnerabilities until they have been reviewed and resolved. Public disclosure of vulnerabilities prior to coordination may result in disqualification from the bounty.

Responsible Disclosure

We believe the Reserve Contract is robust, but given its central role in the system, we welcome rigorous adversarial review.

To support responsible disclosure, we will not pursue legal action against researchers who follow this policy, act in good faith, and avoid harming users or the protocol.

Note

Payment for a successful submission will be made in USDC. To remit payment, we must collect basic personal information.

As a US-based company, we cannot pay bounties to individuals residing in countries subject to US trade restrictions or export sanctions, as determined by the Office of Foreign Assets Control (OFAC).