Skip to content

[BOUNTY $100] 🐜The Memanto Bug & Exploit Challenge #770

Description

@Xenogents

Description

In our last bounty, we asked the community to benchmark Memanto against the competition. You helped us prove that our active companion memory agent backed by our moorcheh.ai retrieval engine is uniquely resilient at handling shifting user preferences and maintaining long-term context without token bloat or memory degradation.

Now, we are doing the exact opposite.

We believe Memanto is production-ready. But the best way to prove that is to invite the smartest engineers and red teamers to try and tear it down.

We are launching the Memanto Bug Challenge to uncover edge cases, logic loops, memory inconsistencies, and security vulnerabilities. If you can break our memory management, we want to know about it.

The Bounty: $100 USD (Paid via BountyHub)


🎯 Threat Model & Scope

Your target is the memanto core package and its interaction with the moorcheh.ai serverless backend. We are specifically looking for vulnerabilities and logic flaws that affect memory integrity, context window stability, and retrieval accuracy.

✅ In Scope (What we want you to find)

  • Retrieval Quality & Accuracy: Fails to recall highly relevant facts, loses track of when an event occurred (timeline amnesia), hallucinates sources, or fails to properly resolve direct contradictions.
  • Architectural & Logic Flaws: Bad logic loops, poor contradiction handling, or inefficient background processes that severely slow down the agent.
  • Usability & Friction: Is it too hard to set up? Are there major UX roadblocks preventing adoption?
  • Missing Core Features: Missing support for critical use cases (e.g., lack of multi-agent support or complex workflows).
  • Security Vulnerabilities: Any traditional security flaws, data leaks, or prompt injections.
  • Anything Else: If you find a creative way to break or improve the memory layer, it's in scope!

🚫 Out of Scope (Do not test these)

  • Volumetric DDoS attacks against moorcheh.ai infrastructure.
  • General LLM hallucinations unrelated to Memanto's memory handling.
  • Attacks that require compromising the underlying operating system or Docker host to succeed.

🛠️ Implementation Guidelines:

To ensure your submission qualifies for the bounty, your execution must follow this exact flow:

  • 1. Find & Isolate: Discover a bug, logic flaw, missing feature, or vulnerability within the Memanto core package.
  • 2. Prove Reproducibility: You must provide clear steps, a minimal Python script, or a test case that allows the maintainers to reproduce the bug exactly as you experienced it. If we can't reproduce it, we can't score it.
  • 3. Implement the Fix (or Document the Flaw via PR): Because this bounty is hosted on BountyHub, all submissions must be Pull Requests. We highly encourage writing the actual code to resolve the bug. However, if an issue requires massive architectural changes or involves backend systems you cannot fix from your end, you can still submit a PR! Instead of a code fix, submit a PR that adds a reproducible failing test script (e.g., to tests/failing_tests/) or a detailed Markdown report (e.g., to docs/bounty_reports/) outlining the problem and a proposed structural solution.

📊 Judgment Method (The Success Matrix):

To ensure we reward actual engineering value and meaningful security research, submissions will be scored on a 100-point matrix split between Technical Rigor and Impact.

Criteria Max Points How it is Measured
Severity & Impact 60 pts How critical is the vulnerability, and does it affect a realistic production scenario? (e.g., highly relevant data corruption scores higher than a contrived edge case).
Reproducibility & Cleanliness 25 pts Is the exploit perfectly replicable? Are scripts, dependency files, and clear instructions provided? Does the PoC work consistently?
Social Amplification 15 pts Measured via public engagement metrics.

The Social Formula:

Social Points = (Reddit Upvotes x 4) + (Reddit Comments x 3) + (X Bookmarks x 5) + (X Retweets x 3) + (GitHub PR Reactions x 2)

🚨 Severity Guidelines

While any bug or flaw is in scope, we prioritize and score based on the following guidelines for issue severity:

Severity Description
Critical / High Poor recall accuracy, losing track of timelines/dates, missing source attribution, deeply flawed contradiction handling, severe logic loops, major security vulnerabilities, or extreme performance bottlenecks (e.g., core systems freezing).
Medium Missing features (e.g., lacks multi-agent support), setup friction, UX roadblocks, or moderate inefficiencies that degrade the user experience.
Low Minor CLI/UI display bugs, non-critical feature requests, or simple documentation errors.

🚀 Step-by-Step Instructions to Participate:

  1. Star the Repository: Help us clear our next star milestone this month! ⭐️
  2. Get Your Key: Sign up at moorcheh.ai and configure your environment variables.
  3. Hunt & Develop: Identify a bug, feature gap, or logic flaw. Write a minimal script, test case, or detailed report demonstrating it.
  4. Implement the Fix (or Document the Flaw): Write the code to fix the vulnerability or add the missing feature. If the fix is too massive or simply cannot be fixed from your end (e.g., backend API issues), write a reproducible failing test script or a comprehensive Markdown report detailing the problem and your proposed solution.
  5. Submit PR: Fork this repo and create a Pull Request (required by BountyHub). Commit either your code fix, your failing test script, or your Markdown report. Your PR description must contain a summary of the flaw, reproduction steps, and your fix or architectural proposal. (Note: If you uncover actual security vulnerabilities like data leaks, do not open a public PR. Please use GitHub's Private Vulnerability Reporting feature or email support@moorcheh.ai first).
  6. Amplify: Write an in-depth post on Reddit or X and mention @moorcheh_ai showing off your deep dive into Memanto's architecture and how you improved it.

📅 Deadline: All submissions must be submitted and active by Aug 1, 2026 (11:59 PM UTC) to be eligible for the success matrix audit.

Community and Support: Discord

Metadata

Metadata

Assignees

No one assigned

    Labels

    bountyThis issue has a bounty attached to it

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions