MergeProof

Protocol Deep Dive

How It Works

GenLayer runs the protocol. GitHub is the source of truth. Base settles the money. Every payout is verifiable, and every incentive is designed to make collusion unprofitable.

Architecture

Three layers, one protocol

GenLayer runs the protocol, GitHub provides the data, Base holds the money.

SOURCE OF TRUTH

GitHub

PR author, commit hash, CI status, and merge state are read directly from the GitHub API. No app install. No permissions. Works with any public repo.

Reads: PR author, CI status, merge state

Requires: public repo

LOGIC LAYER

GenLayer

Bounty state machine lives here. Manages submissions, review windows, bug reports, and attestations. Bounty owner validates severity.

Runs: bounty contract, state machine

Validates: bug reports, attestations

SETTLEMENT LAYER

Base

All tokens stay in EVM escrow until settlement. GenLayer sends one bridge message per bounty conclusion via LayerZero. Non-custodial throughout.

Holds: ERC-20 escrow

Bridge: LayerZero V2

ANTI-COLLUSION

Zero-sum math

Bug rewards reduce the bounty. Gaming is strictly dominated.

PROTOCOL FEE

10% on payouts

Makes collusion provably unprofitable at every bounty size.

CUSTODY

Non-custodial

Funds sit in escrow contracts. No one touches them until settlement.

AGENT-READY

CLI + JSON

Every action available via CLI with structured JSON output for agents.

Protocol

Bounty Lifecycle

Every settlement is on-chain. Every payout is atomic.

01

OPEN

Owner deposits bounty + pool into escrow on Base.

CLI: mergeproof bounty create --repo acme/api --issue 42 --amount 10000

submit_pr() · stake 10% · CI green

02

IN REVIEW

Commit hash locked. 72h review window. Bug hunters active.

ON-CHAIN: TX1: Escrow.depositStake() → TX2: BountyRegistry.submit_pr()

72h window closes

No bugs
03

COMPLETED

PR merged. Developer calls claim().

Bugs found
03

DECIDE

Bounty reduced by severity. Owner validates.

<50% · retry() · max 3x

≥50% · auto-reject · stake lost

Retry → back to In Review
04

SETTLED

GenLayer sends one LayerZero message → Base distributes all payouts atomically.
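
The lifecycle above, modelled as a small state machine to show which transitions the guards have to reject (claiming before the window closes, retrying past the limit). This is an added example, not MergeProof's contract code: `Bounty`, `close_window()` and `demo()` are hypothetical names, and the sample inputs are constructed. It assumes the 50% figures refer to the owner-validated reduction of the bounty and that a bounty at exactly 0% reduction counts as "no bugs".

```python
from enum import Enum

# Added illustration of the lifecycle described on this page; not the project's code.
State = Enum("State", "OPEN IN_REVIEW DECIDE COMPLETED SETTLED")
WINDOW_H, STAKE_PCT, MAX_RETRIES, REJECT_PCT = 72, 10, 3, 50  # figures from the page

class Bounty:
    def __init__(self, amount):
        self.amount, self.state = amount, State.OPEN
        self.stake = self.retries = 0
        self.commit, self.stake_lost = None, False

    def _require(self, state, ok, why):
        # Every transition checks the current state first, then its own precondition.
        if self.state is not state or not ok:
            raise ValueError(why if self.state is state else f"not allowed in {self.state.name}")

    def submit_pr(self, commit, ci_green):
        self._require(State.OPEN, ci_green, "CI must be green")
        self.commit, self.stake = commit, self.amount * STAKE_PCT // 100
        self.state = State.IN_REVIEW          # commit hash is locked for the window

    def close_window(self, hours, reduction_pct):
        # reduction_pct: owner-validated bounty reduction (assumed meaning of the 50% rule)
        self._require(State.IN_REVIEW, hours >= WINDOW_H, "review window still open")
        if reduction_pct == 0:
            self.state = State.COMPLETED
        elif reduction_pct >= REJECT_PCT:
            self.stake_lost, self.state = True, State.SETTLED   # auto-reject
        else:
            self.state = State.DECIDE

    def retry(self, commit):
        self._require(State.DECIDE, self.retries < MAX_RETRIES, "retry limit reached")
        self.retries, self.commit = self.retries + 1, commit
        self.state = State.IN_REVIEW

    def claim(self, merged):
        self._require(State.COMPLETED, merged, "PR not merged")
        self.state = State.SETTLED
        return self.amount, self.stake        # bounty + returned stake

def demo():
    b = Bounty(10_000)                        # constructed walk-through
    b.submit_pr("a1b2c3d", ci_green=True)
    b.close_window(72, reduction_pct=20)      # bugs validated, below 50%
    b.retry("constructed-fix-commit")
    b.close_window(72, reduction_pct=0)       # clean second window
    return b.claim(merged=True), b.retries
```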

CLI Walkthrough

From bounty to payout in 3 commands

# Post a 10,000 USDC bounty on a GitHub issue
$ mergeproof bounty create --repo acme/api --issue 42 --amount 10000
Bounty created
bounty_id:   bounty_8f3a1c2d
amount:      10,000 USDC
stake:       1,000 USDC (10%)
window:      72h
# Submit your PR and lock a commit for review
$ mergeproof pr submit --bounty bounty_8f3a1c2d --pr 87 --commit a1b2c3d
PR submitted - review window open for 72h
# After merge, claim your bounty + stake back
$ mergeproof pr claim --bounty bounty_8f3a1c2d --wait
Bounty claimed — settled via GenLayer
payout:      10,000 USDC (bounty) + 1,000 USDC (stake returned)

Comparison

How MergeProof compares

Traditional bounties pay to find bugs. MergeProof pays to ship code that has no bugs to find.

Capability: MergeProof

Submitter has skin in the game: 10% stake required

Reviewer incentive alignment: Zero-sum with developer

Anti-collusion guarantee: Zero-sum by design

Cost per review: Market-driven per PR

Settlement: Atomic on-chain

Time to review: Configurable window

Spam protection: Stake-gated submissions

AI agent integration: CLI + JSON native

Live on GenLayer

Your code is worth more than a review comment

Pick a bounty. Stake on your PR. Ship clean code and get paid.