This bug bounty program is focused on Cronos (blockchain) with the emphasis on any vulnerabilities causing unintentional withdrawal/draining of funds/loss of user funds. Cronos is the Ethereum Virtual Machine (EVM) chain running in parallel to the Cronos POS Chain (https://cronos-pos.org). It aims to massively scale the DeFi and decentralised application (DApp) ecosystem, by providing developers with the ability to instantly port apps from Ethereum and EVM-compatible chains.
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
https://github.com/crypto-org-chain/cronos/releasesBlockchain/DLT - Cronos EVM |
Code | Critical | Bounty |
https://github.com/crypto-org-chain/ethermint/releasesBlockchain/DLT - Ethermint |
Other | Critical | Bounty |
https://github.com/crypto-org-chain/chain-main/releasesBlockchain/DLT - Cronos POS chain |
Other | Critical | Bounty |
In scope: Blockchain
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Cryptographic flaws - Critical
Cronos (blockchain), smart contracts and app with the focus on any vulnerabilities causing unintentional withdrawal/draining of funds/loss of user funds - Critical
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks that rely on social engineering
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses
Blockchain
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Design issues that are not necessarily a security risk .
- Initialization or deployment difficulties solvable via redeployment.
- Reports that are suspected to be generated using automated or generative tools.
- Potential vulnerabilities that require intervention from a third party (e.g., adding a malicious liquidity pool) that is prohibited by existing policies (such as whitelisted pools only).
- Devaluing of protocol incentive rewards but do not result in the loss of user funds.
- Dilutions of protocol incentive rewards but do not result in the loss of user funds.
- Vulnerabilities found within developmental code on GitHub which is not currently in production.
- Assets not declared in the scope.
- Incorrect or missing contract settings that do not lead to user fund losses.
- Gas draining.
- Previously known attack vectors or vulnerabilities (resolved or not) for which a bounty has already been awarded, including those that are similar but not identical. e.g smart contract logic used in DApp1 and DApp2.
- Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
- Previously known vulnerabilities in Tendermint and or/any other fork of these.
- Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.
- Previously known vulnerable libraries without a working Proof of Concept.
- Previously known vulnerabilities in CometBFT and or/any other fork of these.
- Public Zero-day vulnerabilities
- Feature request
- Best practices
- VVS-Bench is Out of Scope
- Denial of service (DoS) / Distributed Denial of Service(DDOS) / Spamming
- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- Don’t spam forms or account creation flows using automated scanners
- In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial is allowed for the moment
- Please do NOT publish/discuss bugs
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary
- You must not be a former or current employee of us or one of its contractor
- ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
All bug reports must come with a Proof-of-Concept (PoC) in order to be considered for a reward. The specific amount of the bounty will vary according to:
- The potential for abuse of the bug
- The detection complexity of an exploit of the bug
- The impact of the bug
- Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution
Critical blockchain vulnerabilities are capped at 10% of economic damage, primarily focused on the funds at risk. The vulnerability must be directly profitable by the attacker through some on-chain operation.
All vulnerabilities that directly affect the Cronos blockchain that directly cause unintentional withdrawals, draining of funds, or loss of user funds, are prioritized. Meaning, the team may choose to apply a temporary fix to the bug (or pause the contract) before resolving the bug report. This to ensure that the affected funds are safe while the team analyse the bug report, and NOT a confirmation of the bug report’s validity.
Payouts are handled by Cronos team and are denominated in USD. Payouts are done in USDC and USDT only, with the choice of the ratio at the discretion of the Cronos team.
Cronos team reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.