Blockz Smart Contract Audit Contest: Program info

IN SCOPE VULNERABILITIES

🟠 HIGH PRIORITY

• AssetManager: handles the deposit and withdraw on the platform
• BlockzExchange: is the marketplace itself (handling listings etc...)
• BlockzLending: is the lending and borrowing of ERC721 (NFTs)
• BlockzLendingERC20: ERC20 is the lending and borrowing of ERC20 tokens (USDC etc..)

🟡 MEDIUM PRIORITY

• NFTCollectible: is used for artists to launch their own collection
• Royalty: is used in the NFTCollectible for the artists Royalties (abstract contract won't be deployed)"

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

• Any governance voting result manipulation
• Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
• Permanent freezing of funds
• Insolvency
• Theft of unclaimed yield
• Permanent freezing of unclaimed yield
• Temporary freezing of funds
• Smart contract unable to operate due to lack of funds
• Block stuffing for profit
• Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
• Theft of gas
• Unbounded gas consumption
• Smart contract fails to deliver promised returns, but doesn’t lose value
• Functional correctness of implementation even if it's not directly impacting user funds
• Best practices, architectural flaws and other types of issues are included at discretion of the team.

OUT OF SCOPE

• Incorrect data supplied by third party oracles
• Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Sybil attacks
• Centralization risks
• Frontend bugs unless leading to smart contract compromise
• Non-exploitable gas optimizations
• Bugs dependent on non-standard compiler settings

The following activities are prohibited by this contest event:

• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against employees and/or customers
• Any denial of service attacks
• Public disclosure of an unpatched vulnerability in an embargoed bounty
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Localize all tests to your accounts
• Perform testing only within the scope
• If multiple chain-level issues are discovered, only the most severe will be rewarded
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of BlockZ without appropriate permission
• Discussion

We use Discord as official communication channel: https://discord.gg/H3xEu57Cft Join the channel, and create #support ticket to be added for conversation.

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• Rewards may be reduced or disqualified if details are publicly shared prior to fix.
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs

We may offer coordinated disclosure opportunities after vulnerabilities are remediated and upon mutual agreement.

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• The vulnerability must be a qualifying vulnerability
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must not be a former or current employee of us or one of its contractor.
• Provide detailed but to-the point reproduction steps
• Automated submissions or AI-generated reports must include human validation.
• Duplicate reports will be rewarded.