ENVELOP Smart Contracts: Program Info

Triaged by HackenProof

Ended 114 days ago

Cross-chain protocol providing NFT2.0 features in a few clicks.

In Scope

Target Type Severity Reward
Smart Contract Critical Bounty
Smart Contract Critical Bounty
Smart Contract Critical Bounty
Smart Contract Critical Bounty


Documentation - https://docs.envelop.is/tech/smart-contracts/protocol/v1/wrapperv1

Known Issues/Identified Issues:

At Envelop, we classify bugs on a widely used scale. For version 1 of the protocol, we identify the following directions of attack:


  • Blocking a user from unwrapping a wNFT and getting collateral
  • Loss of user's funds during wrapping or adding collateral
  • Withdrawing tokens of collateral without unwrapping of own or someone else's wNFT
  • Withdrawing original NFT without unwrapping of own or someone else's wNFT
  • Getting collateral tokens during unwrapping of wNFT more than was added in it
  • Increasing amount of collateral tokens in accounting registers of smart contracts
  • Decreasing amount of collateral tokens in accounting registers of smart contracts
  • Changing owner of smart contracts
  • Withdrawing native tokens from smart contracts addresses of protocol
  • Withdrawing ERC20 tokens from smart contracts addresses of protocol
  • Withdrawing ERC721 or ERC1155 tokens from smart contracts addresses of protocol


  • Unauthorized adding of a smart contract address to the whiteList
  • Unauthorized adding of a smart contract address to the blackList


  • Unbounded gas consumption
  • Gas consumption increasing with every subsequent operation
  • Blocking the ability to wrap an NFT
  • Blocking the ability to add collateral to a wNFT


  • Creating conditions in which get-methods return wrong data


We are looking for evidence and reasons for incorrect behavior of the smart contract, which could cause unintended functionality:

  • Stealing or loss of funds
  • Unauthorized transaction
  • Transaction manipulation
  • Attacks on logic (behavior of the code is different from the business description)
  • Reentrancy
  • Reordering
  • Over and underflows


  • Theoretical vulnerabilities without any proof or demonstration
  • Old compiler version
  • The compiler version is not locked
  • Vulnerabilities in imported contracts
  • Code style guide violations
  • Redundant code
  • Gas optimizations
  • Best practice issues


  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial, is allowed for the moment.
  • Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of ours or of one of our contractors.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the-point reproduction steps

The Envelop protocol allows you to send liquid (can be sold at any time) NFTs with additional features (in this case, setting a lock on the withdrawal of collateral, before the deadline). We would prefer this method of payment.

Level - Rewards, wNFT with NIFTSY Tokens - Time-lock (Weeks)

  • Critical - 1000000 NIFTSY - 40
  • High - 400000 NIFTSY - 20
  • Medium - 100000 NIFTSY - 10
  • Low - 25000 NIFTSY - 4