Introducing the ClawCredit Agentic Fraud Bounty

$10,000 to find the cracks in our agent credit infrastructure.

27 Mar 2026

In March, a malicious actor registered over 130 fake AI agent identities on ClawCredit, fabricated transaction histories, and drained ~$430 USDC before our risk engine identified the pattern and contained it. We wrote about the whole thing publicly because transparency isn't optional when you're building trust infrastructure.

That attack was the most valuable stress test we've ever had. Every attack pattern the adversary used was recognized, learned from, and neutralized. Every subsequent attempt was blocked.

But we're not done. We want more.

Today we're launching the ClawCredit Agentic Fraud Bounty, a $10,000 reward pool for users, builders, and independent researchers who can find new ways to exploit, manipulate, or defraud ClawCredit's agent credit infrastructure.

Why we're doing this

The agentic economy is creating entirely new categories of financial fraud. These aren't just technical vulnerabilities — they're financial risks. Unchecked, they can cause real capital losses, undermine credit integrity, and erode trust across the entire agentic economy. AI agents that fabricate identities, autonomous systems that manipulate credit scores, coordinated multi-agent attacks that move faster than any human could. We've already seen these threats firsthand.

We believe the best way to build resilient financial infrastructure is to invite real-world pressure. Internal testing only goes so far. Real fraud attempts look different from anything you can simulate in-house. We want that perspective pointed at our system — on our terms, with responsible disclosure, and with real rewards on the table.

How to participate

Anyone can participate. If you use ClawCredit — as an agent, a builder, or an observer — and you spot something that looks like it could be exploited, gamed, or abused, that's exactly the kind of signal we want. You don't need to be a security researcher. You just need to be curious and honest about what you find.

What's in scope

We want you to get creative. Broadly, we're interested in anything that could let someone gain credit they shouldn't have, move funds they don't own, or manipulate how our system perceives an agent's trustworthiness. If you find something we haven't thought of — especially if it's novel — that's worth the most to us.

Reward tiers

Rewards are paid per valid finding based on severity and impact. The $10,000 represents our total committed budget for this program. Once the budget is fully allocated, we'll announce whether the program is being extended or closed.

| Severity | Reward | Description |
|----------|--------|-------------|
| Critical | $5,000 – $10,000 | Direct fund drainage, full risk engine bypass, or systemic exploits that could scale |
| High | $1,500 – $3,000 | Identity verification bypass, significant credit score manipulation, or payment validation circumvention |
| Medium | $500 – $1,000 | Scoring anomalies, partial data fabrication that evades detection, or logic flaws in credit issuance |
| Low | $100 – $500 | Minor inconsistencies, edge cases, or informational findings that improve system robustness |

Rewards are determined at our discretion based on the actual impact and quality of the report. Particularly creative or novel attack vectors may receive bonuses.

Rules of engagement

A few ground rules to keep this clean and productive:

  1. Responsible disclosure only. Report findings directly to us before sharing publicly. We'll work with you on a timeline for any disclosure you'd like to make.
  2. No collateral damage. Don't interfere with other users, real agents, or live production data beyond what's necessary to demonstrate the vulnerability.
  3. One report per vulnerability. Duplicate submissions will be credited to the first reporter based on email timestamp.
  4. Provide a clear proof of concept. Show us exactly what you did, how you did it, and why it matters. The better the report, the higher the reward.
  5. Be patient with us. We'll acknowledge your report within 72 hours and aim to validate within 7 days.

Safe harbor

We want people to probe our systems, not worry about legal exposure for doing it honestly. If you participate in good faith, stay within the defined scope, and follow responsible disclosure:

  • We will not pursue legal action against you.
  • We will not file complaints with law enforcement for your research activities under this program.
  • If a third party initiates legal action against you for activities conducted under this program, we will take reasonable steps to make it known that your actions were authorized.

Good faith means: you're trying to find and report vulnerabilities, not exploit them for personal gain beyond the bounty reward. If you're ever unsure whether something is in scope, ask us first at bounty@t54.ai.

What's out of scope

To keep things focused, the following are not eligible for rewards:

  • Social engineering or phishing attacks against the t54 team
  • DDoS or volumetric attacks
  • Vulnerabilities in third-party services or dependencies we don't control
  • Issues already known or previously reported
  • Theoretical attacks without a working proof of concept

Eligibility

This program is open to users, builders, and independent researchers worldwide, with the following restrictions:

  • Participants must not be located in or acting on behalf of any jurisdiction subject to U.S., EU, or UN sanctions.
  • Participants must be of legal age in their jurisdiction.
  • Current t54 Labs employees, contractors, and their immediate family members are not eligible.

How to submit

Send your findings to bounty@t54.ai with the subject line: Agentic Fraud Bounty — [Brief Description]

Include:

  • A clear description of the vulnerability
  • Step-by-step reproduction instructions
  • Evidence (screenshots, logs, transaction hashes, etc.)
  • Your assessment of the potential impact
  • Your preferred USDC wallet address and chain for payment (we support Base, Solana, and XRPL)

The bigger picture

We're building trust infrastructure for the agentic economy. That means our systems need to be hardened against threats that are evolving in real time as AI agents become more capable, more autonomous, and more embedded in financial systems.

This bounty isn't just about stress-testing a system. It's about building a shared understanding of what agentic financial fraud actually looks like, how it behaves, and how to stop it before it scales. Every valid submission makes ClawCredit more resilient and contributes to a body of knowledge that the entire agentic economy needs.

We got stress-tested once already. We came out stronger. Now we're inviting you to do it again.

The ClawCredit Agentic Fraud Bounty is live now. For more on ClawCredit and t54's trust infrastructure, visit claw.credit.
