Andrii Stepanov
Marketing Manager

Meet SynFutures

SynFutures is a decentralized perpetual futures protocol that facilitates open and transparent trading on any asset, with new listings available instantly. Its V3 Oyster AMM launched the industry's first unified AMM and on-chain order book model.

Check Out The Rewards

If you find a vulnerability according to the bounty rules, SynFutures will reward you:

  • Critical: $6,000 – $10,000
  • High: $5,000
  • Medium: $2,000
  • Low: $1,000

Join The Bounty Hunt

There is a web target in scope!

Make sure your reports state which of the in-scope impacts listed below they demonstrate:

Reward Calculation

Critical web/app bug reports will be rewarded with USD 10,000 only if the impact leads to:

  • A loss of funds involving an attack that does not require any user action
  • Private key or private key generation leakage leading to unauthorized access to user funds

All other impacts that would be classified as Critical are rewarded a flat amount of USD 5,000. The remaining severity levels are paid out according to the Impact in Scope table.

Critical

  • Execute arbitrary system commands
  • Retrieve sensitive data / files from a running server, such as: /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)
  • Taking down the application / website
  • Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc.
  • Subdomain takeover with already-connected wallet interaction
  • Direct theft of user funds
  • Malicious interactions with an already-connected wallet, such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions
  • Injection of malicious HTML or XSS through metadata

High

  • Injecting / modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc.
  • Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc.
  • Improperly disclosing confidential user information, such as: Email address, Phone number, Physical address, etc.
  • Subdomain takeover without already-connected wallet interaction

Medium

  • Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Changing the user's name, Enabling / disabling notifications
  • Injecting / modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection, Loading external site data
  • Redirecting users to malicious websites (open redirect)

Low

  • Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as: Iframing leading to modifying the backend / browser state (demonstrate impact with PoC)
  • Taking over broken or expired outgoing links, such as: Social media handles, etc.
  • Temporarily preventing a user from accessing the target site, such as: Locking the victim out of login, Cookie bombing, etc.

Once you’re ready, click here to join the bounty hunt!