ShapeShift

Triaged by HackenProof
Fox Foundation

The FOX Foundation is a not-for-profit organization dedicated to supporting the ShapeShift DAO in achieving full decentralization.

In Scope

Target                                  Type                 Severity   Reward
app.shapeshift.com                      Web                  Critical   Bounty
  runs https://github.com/shapeshift/web
api.bitcoin.shapeshift.com              API                  Critical   Bounty
  runs https://github.com/shapeshift/unchained
api.ethereum.shapeshift.com             API                  Critical   Bounty
  runs https://github.com/shapeshift/unchained
shapeshift.com                          Web                  None       Bounty
  hosted by WebFlow, a third party
The ShapeShift Mobile App (iOS)         Web                  Critical   Bounty
  https://apps.apple.com/us/app/shapeshift-buy-trade-crypto/id996569075
  iOS Mobile App: the application within the stated bounds of the bounty program.
The ShapeShift Mobile App (Android)     Android              Critical   Bounty
  https://play.google.com/store/apps/details?id=com.shapeshift.droid_shapeshift&hl=en_US&gl=US
  Android Mobile App: the application within the stated bounds of the bounty program.

Out of scope

Target                                  Type    Severity
shapeshift.zendesk.com                  Web     None
  hosted by ZenDesk, a third party
shapeshift-io.hellonext.co              Web     None
  hosted by HelloNext, a third party
beta.shapeshift.com                     Web     None
  a legacy system maintained by the Fox Foundation, not the ShapeShift DAO
auth.shapeshift.com                     Web     None
  a legacy system maintained by the Fox Foundation, not the ShapeShift DAO
portal.shapeshift.io                    Web     None
  a legacy system maintained by the Fox Foundation, not the ShapeShift DAO
portis.io                               Web     None
  Portis is now a separate company
coincap.io                              Web     None
  CoinCap is now a separate company
Physical (or emulated!) KeepKey devices Web     None
  KeepKey is now a separate company

Not everything with the word ShapeShift on the tin is something the ShapeShift DAO maintains. For the avoidance of confusion, this program has a specifically defined scope; anything listed below is covered, anything that's not isn't.

  • Any smart contract code developed by the DAO
  • Any smart contract code deployed by the DAO on-chain on a mainnet (i.e. L2s are in-scope, but not testnets)
  • The specific projects hosted at the following GitHub repositories:
      • shapeshift/web
      • shapeshift/lib
      • shapeshift/unchained
      • shapeshift/hdwallet
  • Any software hosted under the ShapeShift GitHub Org or the @shapeshiftoss NPM org, if it's a dependency of something else in-scope
      • Examples of dependencies that are in-scope: shapeshift/fiojs
      • Examples of things that are hosted in these locations but aren't dependencies of something in-scope: shapeshift/cluster-launcher, shapeshift/foxfarm, keepkey/python-keepkey, keepkey/device-protocol

Any valid, in-scope issue is covered under this program; however, what exactly "valid" means is at our sole discretion, and if you report an issue which we don't consider valid you will not receive a reward for it. To help set expectations, here are a few things that we don't consider valid:

  • Disclosure of API keys that aren't supposed to be kept secret
  • Clickjacking attacks against sites that don't maintain user login sessions
  • TLS settings which don't quite match someone-or-other's particular recommendations
  • Open S3 buckets which don't have any confidential information in them
  • Most non-critical findings from automated vulnerability scanners
  • Most Host header injections (the ability to attack yourself isn't a security issue)
  • Information disclosure issues that only disclose publicly available information (like stuff that's recorded on a blockchain)
  • Attacks which require physical access to a user's device (including KeepKey, which is not intended to be tamper-resistant)
  • Attacks which require arbitrary code execution on a user's computer (except KeepKey, where protecting against that sort of thing is the whole point)

This list is not exhaustive, and we'll update it with more salient examples as we discover points of confusion; still, hopefully it's relatively self-explanatory.

Whether an issue is valid usually boils down to a question of threat model; if you'd like to discuss the threat model we use for the various in-scope projects, or get clarification about the status of a particular issue, feel free to drop into our Discord server and have a chat with our security team.

  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If you find a chain of vulnerabilities, we'll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Details of any vulnerabilities found must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of this company without appropriate permission.

We ask that you keep any issues confidential for a period of 90 days following your report to us, or until they are remediated, whichever is shorter. This is intended to allow us a window of opportunity to assess and remediate the underlying issues in advance of their public disclosure. Your participation in this program is contingent on this confidentiality; you may choose to disclose whatever you wish at any time, but doing so during the confidentiality period will forfeit any rewards you may have otherwise been eligible for.

All software the DAO maintains is open-source and available to the public, and you do not need special permission from us to perform security research on our software or systems. Rest assured that whether or not you choose to participate in our Responsible Disclosure Program, we will not pursue any legal action against you or your company for unlawful access of computer systems, access of confidential information, or damages to our systems. Still, we request that you follow Wheaton's Law and conduct your research in a manner respectful of us and our users.

  • Please refrain from attempting to cause denials of service by leveraging high volumes of traffic.
  • Please don't use any vulnerabilities you may find against any of our users if you don't have their permission.
  • Please avoid intentionally degrading our users' experience.

When in doubt, we do have some testing environments that may come in handy if you'd like to try stuff like this. Feel free to drop into our Discord server and chat with us in that case; we'll work with you.

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must not be a former or current employee of us or of one of our contractors.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded).
  • Provide detailed but to-the-point reproduction steps.