Kite AI Bug Bounty
- Read our guidelines for more details
- Submit findings using the C4 form
Smart Contracts:
| Risk score | Payout |
|---|---|
| Critical | Up to $10,000 in USDC |
| High | Up to $2,000 in USDC |
Websites and Apps:
| Risk score | Payout |
|---|---|
| Critical | Up to $10,000 in USDC |
| High | Up to $2,000 in USDC |
Payment terms:
- Bounty payouts will be processed after a 30‑day waiting period following the public deployment and announcement of a fix. This applies to all severity levels.
- KYC required for payout: if your submission qualifies for a reward, you must complete Certification (ID verification) before the bounty is paid.
Background on Kite AI
Kite AI is the first AI payment blockchain, an EVM‑compatible Layer 1 built specifically for the AI agent economy. It provides cryptographic identity, programmable payment flows, and support for stablecoins and the KITE token so autonomous agents can authenticate and transact onchain.
How Does It Work?
This bug bounty program covers Kite AI's smart contracts and production web properties, with the goal of preventing:
- Loss of protocol or user funds
- Smart contract vulnerabilities impacting the KITE token or payment flows
- Denial of service issues for core protocol contracts
- Critical infrastructure vulnerabilities on gokite.ai
Further Technical Resources and Links
- Kite AI Docs: https://docs.gokite.ai/
- Kite AI Smart Contracts List: https://docs.gokite.ai/kite-chain/3-developing/smart-contracts-list
- Kite AI Website: https://gokite.ai/
- X: https://x.com/GoKiteAI
Scope and Severity Criteria
Smart Contracts in Scope
Source: https://docs.gokite.ai/kite-chain/3-developing/smart-contracts-list
Websites and Apps in Scope
- All production properties under .gokite.ai
- Including, for example, the main application and any hosted dashboards or configuration interfaces.
Out of Scope
Known Issues
Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to "fix", issues that already have the necessary code changes planned, and issues mitigated by operational procedures that lessen the potential risk. Every issue opened in the repo, closed PRs, previous contests and audits are out of scope.
All issues submitted by wardens to the Kite AI bounty will be added to this repo once they have been reviewed by the sponsors. These are considered known issues and are out-of-scope for bounty rewards.
The following are out of scope for this program, in addition to anything excluded by Code4rena’s standard bounty criteria:
- Contracts and applications not listed in the “Smart contracts in Scope” or “Websites and apps in Scope” sections.
- Staging, test, and non‑production environments under .gokite.ai are not in scope, unless explicitly added by Kite AI.
- Purely informational findings without demonstrable security impact, as per C4 criteria.
Previous Audits
Any previously reported vulnerabilities mentioned in past audit reports are not eligible for a reward.
- Halborn – GoKite Contracts Audit (2025)
- Halborn – Kite Core Contracts Audit (2025)
- Halborn – Kite Staking & Rewards Audit (2026)
Kite AI may add additional audits here over time.
Specific Types of Issues
The following types of issues are excluded from rewards for this bug bounty program unless they directly lead to one of the accepted impact types in the Code4rena criteria:
- Attacks that have been already exploited in a public main or test net.
- Attacks requiring access to compromised private keys or leaked credentials.
- Attacks that require full control of a trusted admin or governance key without an underlying code vulnerability.
- Generic best‑practice hardening suggestions without concrete exploitability.
- Issues only affecting non‑production environments.
For full details on in‑scope versus out‑of‑scope severity categories, see:
Prohibited Activities
The following activities are strictly prohibited under this bug bounty program:
- Any testing directly on Ethereum or Kite AI Mainnet that risks real user funds.
- Any testing involving third‑party contracts or oracles outside of the listed in‑scope assets.
- Phishing or social engineering attacks against Kite AI team members or users.
- Attacks against, or use of, third‑party infrastructure or services (for example, cloud providers, analytics, or email providers).
- Denial of service attacks against KiteAI infrastructure.
- Automated scanning or fuzzing that generates excessive traffic or degrades service for real users.
- Public disclosure of an unpatched vulnerability before KiteAI and Code4rena have confirmed remediation.
Additional Context
Miscellaneous
Employees of Kite AI and their family members are ineligible for bounties.
Reward amounts may be displayed using a dollar sign for simplicity, but the underlying valuation is based on a USD-pegged digital asset such as USDC. Because the displayed figure reflects a USD reference value rather than a fiat currency payment, the final amount delivered in the corresponding token may differ slightly at the time of payout.