Paxos is putting $1 million on the table for security researchers who can break its infrastructure. The regulated blockchain company launched a comprehensive bug bounty program on Cantina, covering smart contracts for USDG, PYUSD, and PAXG, along with its Web2 services, APIs, and domains.

The top payout—$1 million in USDG—targets critical vulnerabilities that could compromise the company’s core systems. That’s not a marketing number. Paxos explicitly wants “the best researchers in the world going deep” on its code.

Scope Extends Beyond Smart Contracts

What makes this program notable is its breadth. Most crypto bug bounties focus narrowly on smart contracts. Paxos is including cross-chain infrastructure, public-facing products, and traditional web services—essentially mapping the program to how actual attackers would probe for weaknesses.

The timing connects to commitments Paxos made when launching USDG on Aave v3. The company told Aave, LlamaRisk, and the broader community it would formalize external security testing. This delivers on that promise.

Invitation-Only Launch

For now, the program remains restricted to researchers already active in Cantina’s network. Paxos chose the platform specifically for its Web3-native focus and community of specialists who understand the unique threat surface of tokenized assets.

Researchers outside the network can request access through Cantina’s program page. The company indicated it will expand access after the initial invitation-only phase.

Context on Paxos Assets

The covered tokens represent significant value. PAXG, the gold-backed token, currently sits at a market cap of approximately $2.33 billion with recent 24-hour gains of 1.85%. Just this week, Paxos executed a $4.38 million PAXG transfer to institutional market maker B2C2, signaling continued institutional activity around the token.

PYUSD, PayPal’s stablecoin built on Paxos infrastructure, adds another layer of exposure. Any vulnerability in these contracts could affect both retail and institutional users across multiple platforms.

Paxos operates under regulatory oversight from the OCC through its national trust charter, making security failures particularly costly from both financial and compliance perspectives.

The company is also hiring for its security team, suggesting this bounty program is part of a broader security infrastructure buildout rather than a one-off initiative.

Image source: Shutterstock