Bancor 3 Bug Bounty

Scope

The list below is not limited to the following submissions but it gives an overview of the issues we care about:

  • Stealing or loss of funds
  • Unauthorized transactions
  • Transaction manipulation
  • Price manipulation
  • Fee payment bypass
  • Balance manipulation
  • Privacy violation
  • Cryptographic flaws
  • Reentrancy
  • Logic errors (including user authentication errors)
  • Solidity details not considered, including integer over-/under-flow, rounding errors, unhandled exceptions)
  • Trusting trust/dependency vulnerabilities, including composability vulnerabilities)
  • Oracle failure/manipulation
  • Novel governance attacks and economic/financial attacks, including flash loan attacks
  • Congestion and scalability, including running out of gas, block stuffing, susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems, e.g., signature malleability, susceptibility to replay attacks, weak randomness and weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces
  • Issues arising from whitelisted tokens

Disclosure

Any vulnerability or bug discovered must be reported via the following email: bugbounty@bancor.network

  • The conditions on which reproducing the bug is contingent.
  • The steps needed to reproduce the bug or, preferably, a proof of concept.
  • The potential implications of the vulnerability being abused.

Eligibility

To be eligible for a reward under this Program, you must:

  • Discover a previously unreported, non-public vulnerability in Bancor V3 (but not on any third party platform interacting with Bancor V3) that is within the scope of this Program. Vulnerabilities must be distinct from issues covered in any of the official security audits.
  • Be the first to disclose the unique vulnerability to bugbounty@bancor.network, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24 hour period, rewards will be split at the discretion of Bprotocol Foundation.
  • Provide sufficient information to enable contributors to reproduce and fix the vulnerability.
  • Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of Bancor V3.
  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this program.
  • Not be a current or former vendor, contractor or subcontractor to the Bprotocol Foundation
  • Not be subject to Swiss sanctions or reside in a Swiss-embargoed country.
  • Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.

Out of Scope & Rules

The following are not within the scope of the Program:

  • Bugs in any third party contract or platform that interacts with Bancor V3.
  • Vulnerabilities already reported and/or discovered in contracts built by third parties on Bancor V3. We reserve the right to keep private previous bug disclosures.
  • Any previously reported bugs.
  • Attacks that the reporter has already exploited themselves, leading to damage.
  • Attacks requiring access to leaked keys/credentials.
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third party oracles (Note that oracle manipulation and flash loan attacks are included in the bounty)
  • Basic economic governance attacks (e.g. 51% attack)
  • Best practice critiques
  • Sybil attacks
  • Bugs in any third party contract or platform that interacts with the Bancor protocol (Note that oracle manipulation and flash loan attacks are included in the bounty)
  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets or private mainnet forks
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against contributors and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Other Terms

By submitting your report, you grant the Bprotocol Foundation any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at the sole discretion of the Bprotocol Foundation. The terms and conditions of the Bancor 3 Bug Bounty Program may be altered at any time. The above scope, terms and rewards of the program are at the sole discretion of the Bprotocol Foundation.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bancor

Bancor

The only DeFi trading and staking protocol with Single-Sided Liquidity