This bug bounty program is focused on smart contracts and decentralised applications in Cronos blockchain with the emphasis on any vulnerabilities causing unintentional withdrawal/draining of funds/loss of user funds. The program covers key projects in the Cronos ecosystem, including VVS Finance, Tectonic, and other DeFi projects. Cronos is the EVM chain running in parallel to the Cronos POS Chain (https://cronos-pos.org). It aims to massively scale the DeFi and decentralised application (DApp) ecosystem, by providing developers with the ability to instantly port apps from Ethereum and EVM-compatible chains.
In Scope
Target | Type | Severity | Reward |
---|---|---|---|
https://cronos.crypto.org/explorer/address/0x5C7F8A570d578ED84E63fdFA7b1eE72dEae1AE23Smart Contract - VVS - WCRO |
Smart Contract | Critical | Bounty |
https://cronos.crypto.org/explorer/address/0x3b44b2a187a7b3824131f8db5a74194d0a42fc15Smart Contract - VVS - Factory |
Smart Contract | Critical | Bounty |
https://cronos.crypto.org/explorer/address/0x145863Eb42Cf62847A6Ca784e6416C1682b1b2AeSmart Contract - VVS - Router |
Smart Contract | Critical | Bounty |
https://cronos.crypto.org/explorer/address/0x2D03bECE6747ADC00E1a131BBA1469C15fD11e03Smart Contract - VVS - Token |
Smart Contract | Critical | Bounty |
https://cronos.crypto.org/explorer/address/0x6a2d178585806De5A2e5E7F9acFCE44680637284Smart Contract - VVS - Workbench |
Smart Contract | Critical | Bounty |
https://cronos.crypto.org/explorer/address/0xDccd6455AE04b03d785F12196B492b18129564bcSmart Contract - VVS - Craftsman |
Smart Contract | Critical | Bounty |
https://cronos.crypto.org/explorer/address/0x5e954f5972EC6BFc7dECd75779F10d848230345FSmart Contract - VVS - Multicall2 |
Smart Contract | Critical | Bounty |
https://cronos.crypto.org/explorer/address/0xA6fF77fC8E839679D4F7408E8988B564dE1A2dcDSmart Contract - VVS - VVSVault |
Smart Contract | Critical | Bounty |
https://cronos.crypto.org/explorer/address/0xe61Db569E231B3f5530168Aa2C9D50246525b6d6Smart Contract - VVS - VVSPair - CRO-USDC |
Smart Contract | Critical | Bounty |
https://cronos.crypto.org/explorer/address/0x0A3e766c364D180A4cDB75E97390067ef8063d66Smart Contract - VVS - CraftmanAdmin |
Smart Contract | Critical | Bounty |
https://tectonic.gitbook.io/docs/developer/smart-contracts-and-securitySmart Contract - Tectonic Smart Contracts and Security |
Smart Contract | Critical | Bounty |
https://tectonic.gitbook.io/docs/developer/price-oracleSmart Contract - Tectonic Price Oracle |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xbc149c62EFe8AFC61728fC58b1b66a0661712e76Smart Contract - VVS - CraftsmanV2 |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x5C78a8dEAd748Ccfa3D1e70E72854D0CaB2eeAd0Smart Contract - VVS - Rewarder |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0xb79dcd181bc79d1774df65658fcbe9916beda3a5Smart Contract - VVS - ConditionalLiquidity |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x8d13982c702fe7c6537529986df67dabeafc4c19Smart Contract - VVS - Zap |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x0a18b3430a6a1fa0d403bcc729e26040942b14e3Smart Contract - VVS ZapEstimator |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x8900A1D1eAb5e8Af142017aF8a7535979Db6E629Smart Contract - Ferro LPToken |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x99519D844e2F8B7eC6F4a9371c92e73020fc670DSmart Contract - Ferro AmplificationUtils |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x6eaeA0B1F9cc63ea88075edF49001166E5408916Smart Contract - Ferro SwapUtils |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0xC4106bBA1a8752e54940bE71f7BD02c38e64f9E3Smart Contract - Ferro SwapDeployer |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x315Cc3e145EaC3AfCFFcDe537eDC9d280e165413Smart Contract - Ferro Swap |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0xe8d13664a42B338F009812Fa5A75199A865dA5cDSmart Contract - Ferro USDBetaPool |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x441a99968427b09f9c9009366034997f55b77978Smart Contract - VVS IGODeployer |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0xc4dc7c53bd7cd5ba25eab7fa5a2b68499dfcb434Smart Contract - VVS IGOV2 (Ferro Token) |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x5ce6c060661ad920895a8360c71332d68739625dSmart Contract - VVS IGOVesting (Ferro Token) |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0xa43E50C3E8221D0065a6978Bb7cA90C6a0a3861F#codeSmart Contract - VVS IGOV2 (Minted Token) |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x5120ae9829f846395d086a9b03edf5723a278cb6#codeSmart Contract - VVS IGOVesting (Minted Token) |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x9fae23a2700feecd5b93e43fdbc03c76aa7c08a6Smart Contract - VNO - LCRO |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0xdb7d0a1ec37de1de924f8e8adac6ed338d4404e9Smart Contract - VNO Token |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x21179329c1dcfd36ffe0862cca2c7e85538cca07Smart Contract - Veno Reservoir |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0xb4be51216f4926ab09ddf4e64bc20f499fd6ca95Smart Contract - Veno Fountain |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0x579206e4e49581ca8ada619e9e42641f61a84ac3Smart Contract - Veno Garden |
Smart Contract | Critical | Bounty |
https://cronoscan.com/address/0xb15533a0bc7c530d692a9660785226dfd3633965Smart Contract - Veno NFT |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x50DCB4Fd921164C42B7129DA884D3F45a9f45917Smart Contract - Orby - ActivePool |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x80d32B0FE29A56dd4b6eD5BdcfD2D488db4878fbSmart Contract - Orby - BorrowerOperations |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x7A47cF15a1fCbAd09c66077d1D021430eed7AC65Smart Contract - Orby - TroveManager |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xbCC0019DaE95B493382105ABDb4E5e0E21951762Smart Contract - Orby - CollSurplusPool |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x436aD059e170E7eD1252D3D3F19D0Fb6EC16a588Smart Contract - Orby - StabilityPoolIssuance |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x9A888Fba243570fCe8D82144A1f93712a1236940Smart Contract - Orby - DefaultPool |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x6aBDda4D610cD61651E630e59141907390F08876Smart Contract - Orby - PriceFeed |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x5Aa450927B199e519cd4B098461D0FF79D13A42dSmart Contract - Orby - SortedTroves |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xF766505680a63b5e70616Ef21b72814Ec5649945Smart Contract - Orby - StabilityPool |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x8C7Ef34aa54210c76D6d5E475f43e0c11f876098Smart Contract - Fulcrom -Vault |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xcC46b79eBEaA1D834B707624977Ec261592E0C9aSmart Contract - Fulcrom -Router |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xa8bEA47BCFc17Bb95f9510516B648833E3Cd0446Smart Contract - Fulcrom -Vault Price Feed |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x6148107BcAC794d3fC94239B88fA77634983891FSmart Contract - Fulcrom -FLP Manager |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xd996bE6DBdEaa8429Ff9E2D86725197Eb663148aSmart Contract - Fulcrom -Shorts Tracker |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x1c29aeE30B5B101eDEa936Cd0cAeEc724e3B0045Smart Contract - Fulcrom -Order Book |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x27fb69422c457452D8b6FDcb18899D9B53C3f940Smart Contract - Fulcrom -Position Router |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xFC399dbb0Ed942D206Ee34Cc6FcbaF1CFd60dB16Smart Contract - Fulcrom -Position Manager |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x8268Fe583bb27528CB86fFb622Fe496EeaF77022Smart Contract - Fulcrom -Fast Price Events |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x54a16dc46dB7Fc5DC99E41d9d464196b06c74e6eSmart Contract - Fulcrom -Fast Price Feed |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x725c5AF8bb360816C8ad2Cca020f9C63B83ABccbSmart Contract - Fulcrom -Vault Utils |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x2a628916F85CaaF21daBa223ff2d93aA07816652Smart Contract - Fulcrom -Staked FUL Tracker |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xF5027eaA9EC25056262b747Ab113CB48F5924050Smart Contract - Fulcrom -Staked FUL Distributor |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xe006ab8c1796674786Ad8cf5937EfF1baA59fA15Smart Contract - Fulcrom -Bonus FUL Tracker |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xD8ddC6b6EDDd7A33bAcc4cE580596C7Fa351BC4DSmart Contract - Fulcrom -Bonus FUL Distributor |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x8fbD95D76EDe5a0d7EeBea756515F1A363A7f6f7Smart Contract - Fulcrom -Fee FUL Tracker |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x1154973F8944751272EA2A19B9a9C5FB91135e4CSmart Contract - Fulcrom -Fee FUL Distributor |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xd2985b8EBC2ce32664EF235ca1d16e5FE8AE13fDSmart Contract - Fulcrom -Fee FLP Tracker |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xE0037027e9Ff83720f6Fa235c4C129169f690567Smart Contract - Fulcrom -FeeFlpDistributor |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x6fCFD36A7D705608146cdD7773b531301952507ESmart Contract - Fulcrom -StakedFlpTracker |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x629A8dd6BfF07844b25130ed659990d65e22BaaaSmart Contract - Fulcrom -StakedFlpDistributor |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0xA461fA4BF68C72369DB4fA8eD7cba4796598F2B0Smart Contract - Fulcrom -FulVester |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x27E51D2B5A3283bEF4014519F095AB8dDCf023F6Smart Contract - Fulcrom -FlpVester |
Smart Contract | Critical | Bounty |
https://cronos.org/explorer/address/0x133B7f9570b3be8e51CCd5DA4654C3DDe7657Ae1Smart Contract - Fulcrom -RewardRouter |
Smart Contract | Critical | Bounty |
Extreme: Up to $250,000
If a report comes forward that the Cronos team believes deserves a larger reward, perhaps due to the novelty of the attack, the Cronos team will offer an additional $50,000.
IN-SCOPE: SMART CONTRACT VULNERABILITIES
Only the latest release version deployed to mainnet is considered as in-scope of the bug bounty program. Please note the following are out of scope:
All folders and files labeled as “Mock” or “Test”
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Smart Contract
- Cryptographic flaws - Critical
- Cronos (blockchain), smart contracts and app with the focus on any vulnerabilities causing unintentional withdrawal/draining of funds/loss of user funds - Critical
OUT OF SCOPE: SMART CONTRACT VULNERABILITIES
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks that rely on social engineering
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses
Smart Contracts
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Design issues that are not necessarily a security risk .
- Initialization or deployment difficulties solvable via redeployment.
- Reports that are suspected to be generated using automated or generative tools.
- Potential vulnerabilities that require intervention from a third party (e.g., adding a malicious liquidity pool) that is prohibited by existing policies (such as whitelisted pools only).
- Devaluing of protocol incentive rewards but do not result in the loss of user funds.
- Dilutions of protocol incentive rewards but do not result in the loss of user funds.
- Vulnerabilities found within developmental code on GitHub which is not currently in production.
- Assets not declared in the scope.
- Incorrect or missing contract settings that do not lead to user fund losses.
- Gas draining.
- Previously known attack vectors or vulnerabilities (resolved or not) for which a bounty has already been awarded, including those that are similar but not identical. e.g smart contract logic used in DApp1 and DApp2.
- Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
- Previously known vulnerabilities in Tendermint and or/any other fork of these.
- Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.
- Previously known vulnerable libraries without a working Proof of Concept.
- Previously known vulnerabilities in CometBFT and or/any other fork of these.
- Public Zero-day vulnerabilities
- Feature request
- Best practices
- VVS-Bench is Out of Scope
- Denial of service (DoS) / Distributed Denial of Service(DDOS) / Spamming
- Any testing with mainnet or public testnet contracts is prohibited by this bug bounty program; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts is prohibited by this bug bounty program
- Attempting phishing or other social engineering attacks against our employees and/or customers is prohibited by this bug bounty program
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks) is prohibited by this bug bounty program
- Public disclosure of an unpatched vulnerability in an embargoed bounty is prohibited by this bug bounty program
- Avoid using web application scanners for automatic vulnerability searching or automated testing of services which generates massive traffic
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- Don’t spam forms or account creation flows using automated scanners
- In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial is allowed for the moment
- Please do NOT publish/discuss bugs
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary
- You must not be a former or current employee of us or one of its contractor
- ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
All bug reports must come with a Proof-of-Concept (PoC) in order to be considered for a reward. For web/app bug reports, if the Report does not include a valid (PoC), the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly. The specific amount of the bounty will vary according to:
- The potential for abuse of the bug
- The detection complexity of an exploit of the bug
- The impact of the bug.
- Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.
Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily focused on the funds at risk, but also taking into account branding and PR considerations, at the discretion of the team.
All vulnerabilities that directly affect the smart contract, and app that directly cause unintentional withdrawals, draining of funds, or loss of user funds, are prioritized. Meaning, the team may choose to apply a temporary fix to the bug (or pause the contract) before resolving the bug report. This to ensure that the affected funds are safe while the team analyse the bug report, and NOT a confirmation of the bug report’s validity.
The only web vulnerabilities in scope are those which will directly lead to loss of user funds, or breach of sensitive data, or deletion of site data. For web vulnerabilities, the Cronos team will use CVSS calculator to figure out the severity and based on that they will determine the reward for the bounty.
Cronos team requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. Once the report is deemed valid, you will need to fill up the KYC form here. The collection of this information will be done by the Cronos team.
Payouts are handled by Cronos team and are denominated in USD. Payouts are done in USDC and USDT only, with the choice of the ratio at the discretion of the Cronos team.
Guidelines for Critical
For a bug report to be considered for the Critical category under our bug bounty program, a valid Proof of Concept (PoC) will be needed. Please adhere to the following conditions and guidelines:
- Proof of Concept (PoC): Any report considered must include a comprehensive and valid PoC. This should include every step required to perform the attack, including any necessary staging or pre-work.
- Financial Limit: The maximum monetary value, unrelated to flash-loans, involved in the PoC should not exceed $300. This amount is assumed to cover gas expenses and is sufficient for executing the attack.
- Impersonation Restriction: The impersonation of wallets or contracts having considerable funds in the PoC is strictly forbidden.
- Specific Details: To avoid ambiguity, the exact block number utilized in the PoC must be explicitly specified.
- Staging and Transaction: Staging activities, such as creating a smart contract for the attack, is permissible. However, the actual exploit must occur within one transaction. The relevance and necessity of staging as part of the attack will ultimately be determined by the project team.
- Execution Certainty: Hypotheses that can’t be unequivocally executed, like phishing attacks aimed at obtaining private keys, are exempt from consideration.
-
Damage Calculation: The potential economic damage caused by the attack in the PoC will be computed as follows:
- Damage is gauged based on the net positive value post-attack.
- This value is derived after deducting any initial capital or flash loans.
- Non directly quantifiable consequences, such as immediate price drops or rewards dilution, will not be considered when calculating the potential damage scope.
There is also a discretionary bonus of up to $50,000. This is reserved for particularly ingenious findings that exemplify exceptional creativity or unveil significant potential impact on the project.
However, it’s crucial to understand that the award of this bonus is purely under the sole discretion of our project team and thus, may not be available for every qualifying submission. The bonus should not be regarded as a guaranteed reward, but rather a special recognition for exceptional findings.
Cronos team reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.