Pandora Smart Contract: Program Info

Triaged by HackenProof
Pandora

Ended 263 days ago

A next-gen decentralized ecosystem that aims to redefine and disrupt decentralized finance through AMM, NFTs, and GameFi.

In Scope

Target                                             Type   Severity   Reward
https://github.com/PandoraDigital/smart-contract   Code   High       Bounty

IN-SCOPE – SMART CONTRACT VULNERABILITIES

We are looking for evidence of, and the reasons for, incorrect smart contract behavior that could cause unintended functionality:

  • Stealing or loss of funds
  • Unauthorized transaction
  • Transaction manipulation
  • Attacks on logic (behavior of the code is different from the business description)
  • Reentrancy
  • Reordering
  • Over and underflows
  • Logic errors
      ◦ Including user authentication errors
  • Solidity/EVM details not considered
      ◦ Including integer over-/under-flow
      ◦ Including rounding errors
      ◦ Including unhandled exceptions
  • Trusting trust/dependency vulnerabilities
      ◦ Including composability vulnerabilities
  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks
      ◦ Including flash loan attacks
  • Congestion and scalability
      ◦ Including running out of gas
      ◦ Including block stuffing
      ◦ Including susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems
      ◦ Signature malleability
      ◦ Susceptibility to replay attacks
      ◦ Weak randomness
      ◦ Weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls
      ◦ Unprotected internal functions

OUT OF SCOPE – SMART CONTRACT VULNERABILITIES

  • Testnet contracts are out of scope.
  • Theoretical vulnerabilities without any proof or demonstration
  • Old compiler version
  • The compiler version is not locked
  • Vulnerabilities in imported contracts
  • Code style guide violations
  • Redundant code
  • Gas optimizations
  • Best practice issues
  • We only accept smart contract reports corresponding to the latest commit in the GitHub repository
  • We only accept smart contract reports that have not already been published by audit companies hired by Pandora
  • Avoid using web application scanners for automatic vulnerability searching, as they generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay within the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission
  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial, is allowed for the moment.
  • Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports, which help us improve our security. However, only those who meet the following eligibility requirements may receive a monetary reward:

  • You must be the first vulnerability reporter.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of us or of one of our contractors.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the-point reproduction steps