AssetMantle is a multi-tenant NFT marketplace framework that enables creators and collectors to securely mint, own, and trade digital assets on its fast-finality blockchain.
IN-SCOPE VULNERABILITIES (WEB, MOBILE)
PLEASE REFER TO https://github.com/AssetMantle/Bug-Bounty to understand the in-scope assets.
We are interested in the following vulnerabilities:
- Business logic issues
- Payments manipulation
- Other vulnerabilities with a clear potential loss
OUT OF SCOPE VULNERABILITIES
Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:
- Vulnerabilities in third-party applications
- Best practices concerns
- Any gRPC gateway queries (the endpoints are exposed but not operational)
- DDoS attacks
- Spamming
- Compromise or misuse of third party systems or services
- Any issues already raised in https://github.com/AssetMantle/modules/issues
- Any issues already documented in:
  - AssetMantle Smart Contract Final Audit Report
  - Final AssetMantle Modules
  - Final AssetMantle Web
- Transaction failures in Orders (revoke, modify, immediate or deputize): https://github.com/AssetMantle/modules/tree/master/modules/orders/internal/transactions
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- In case you find chain vulnerabilities, we'll pay only for the vulnerability with the highest severity.
- https://github.com/AssetMantle/Bug-Bounty contains all the information required for the bug bounty, including reward distribution and severity classifications; please go through the documents thoroughly.
- https://github.com/AssetMantle/node/tree/AssetMantle/BugBounty/.rest contains all the REST requests for testing purposes.
- https://github.com/AssetMantle/node/blob/AssetMantle/BugBounty/.jmeter/SuccessfulFlow.jmx is a JMeter script which can be used to perform a full end-to-end run of the project; it shows how each REST request is to be created.
- https://github.com/AssetMantle/node/tree/AssetMantle/BugBounty/.run provides all the run configurations that can be used for CLI commands.
- The testnet URL for this bug bounty is https://rest.testnet.assetmantle.one/{transaction/query} (examples available in the JMeter script).
- The branches to be used for the setup are https://github.com/AssetMantle/node/tree/AssetMantle/BugBounty and https://github.com/AssetMantle/modules/tree/AssetMantle/BugBounty
- https://github.com/AssetMantle/Bug-Bounty/blob/master/SETUP.md provides a complete guide for setting up the project
- Please note: AssetMantle is entitled to make the payment in its native MNTL token
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial disclosure, is allowed for the moment.
- Please do NOT publish/discuss bugs
We are happy to thank everyone who submits valid reports that help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must not be a former or current employee of ours or of one of our contractors.
- ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
- Provide detailed but to-the-point reproduction steps