Lachain is the Cross Chain DeFi protocol. It allows seamless
access to multitude of decentralized finance products on major blockchains without gas tokens management. Pay all fees and gas with LA token.
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
app.lachain.io |
Web | Critical | Bounty |
ladex.exchange |
Web | Critical | Bounty |
https://github.com/LATOKEN/lachain |
Code | Critical | Bounty |
Out of scope
| Target | Type | Severity |
|---|---|---|
https://github.com/LATOKEN/lachain/tree/dev/src/Lachain.Consensus |
Code | None |
In-Scope Vulnerabilities
We are interested in the following vulnerabilities:
- Business logic issues
- Payments manipulation
- Remote code execution (RCE)
- Database vulnerability, SQLi
- File inclusions (Local & Remote)
- Access Control Issues (IDOR, Privilege Escalation, etc)
- Leakage of sensitive information
- Server-Side Request Forgery (SSRF)
- Other vulnerability with a clear potential loss
Out-of-Scope Vulnerabilities
OUT OF SCOPE - WEB
Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold:
- Vulnerabilities in third-party applications
- Best practices concerns
- Recently (less than 30 days) disclosed 0day vulnerabilities
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, phishing, physical, or other fraud activities
- Publicly accessible login panels without proof of exploitation
- Reports that state that software is out of date/vulnerable without a proof of concept
- Vulnerabilities involving active content such as web browser add-ons
- Most brute-forcing issues without clear impact
- Denial of service
- Theoretical issues
- Moderately Sensitive Information Disclosure
- Spam (sms, email, etc)
- Missing HTTP security headers
- Infrastructure vulnerabilities, including:
- Certificates/TLS/SSL related issues
- DNS issues (i.e. MX records, SPF records, DMARC records, etc.)
- Server configuration issues (i.e., open ports, TLS, etc.)
- Open redirects
- Session fixation
- User account enumeration
- Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Self-XSS that cannot be used to exploit other users
- Login & Logout CSRF
- Weak Captcha/Captcha Bypass
- Lack of Secure and HTTPOnly cookie flags
- Username/email enumeration via Login/Forgot Password Page error messages
- CSRF in forms that are available to anonymous users (e.g. the contact form)
- OPTIONS/TRACE HTTP method enabled
- Host header issues without proof-of-concept demonstrating the vulnerability
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Content Spoofing without embedded links/HTML
- Reflected File Download (RFD)
- Mixed HTTP Content
- HTTPS Mixed Content Scripts
- DoS/DDoS issues
- Manipulation with Password Reset Token
- MitM and local attacks
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward
• Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• Don’t spam forms or account creation flows using automated scanners
• In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
• Don’t break any law and stay in the defined scope
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.
Temporary Out of Scope:
We are currently doing a security audit, after that it’ll move to ‘In Scope’:
• Consensus protocol compliance: Any flaws that would make our client(s) deviate from consensus
We already found issues, so we're rewriting it, afterwards it'll move to 'In Scope':
• Faucet Script (https://app.lachain.io/faucet / https://staging.lachain.io/olddesign/faucet / https://app.lachain.io/olddesign/faucet)
- Previously known vulnerable libraries without a working Proof of Concept
- Unauthenticated/logout/login CSRF
- Best practices concerns
- Vulnerabilities affecting users of outdated browsers of platforms
- Theoretical issues
- DoS/DDoS issues
- Our infrastructure; such as webpages, dns, emails, etc, are not part of the bounty-scope, for latoken.com bounties, check the bugbounty program at https://hackenproof.com/latoken
Web applications/libraries operated/created by third parties are only considered in scope under the following ways:
- If the usage of that third party component, is directly endangering the lachain blockchain (e.g. only if the part of the component which is used, is endangering lachain)