This bug bounty program is focused on Cronos (blockchain) with the emphasis on any vulnerabilities causing unintentional withdrawal/draining of funds/loss of user funds. Cronos is the Ethereum Virtual Machine (EVM) chain running in parallel to the Cronos POS Chain (https://cronos-pos.org). It aims to massively scale the DeFi and decentralised application (DApp) ecosystem, by providing developers with the ability to instantly port apps from Ethereum and EVM-compatible chains.
| Target | Type | Severity | Reward |
|---|---|---|---|
| https://github.com/crypto-org-chain/cronos/releases (Blockchain/DLT - Cronos EVM) | Code | Critical | Bounty |
| https://github.com/crypto-org-chain/ethermint/releases (Blockchain/DLT - Ethermint) | Other | Critical | Bounty |
| https://github.com/crypto-org-chain/chain-main/releases (Blockchain/DLT - Cronos POS chain) | Other | Critical | Bounty |
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect an asset listed in the assets-in-scope table.
- Cryptographic flaws - Critical
- Cronos (blockchain), smart contracts and apps, with the focus on any vulnerabilities causing unintentional withdrawal/draining of funds/loss of user funds - Critical
The following vulnerabilities are excluded from the rewards for this bug bounty program:
Blockchain
We are happy to thank everyone who submits valid reports that help us improve our security. However, only reports that meet the following eligibility requirements may receive a monetary reward:
All bug reports must come with a Proof-of-Concept (PoC) in order to be considered for a reward. The specific amount of the bounty will vary according to:
Critical blockchain vulnerabilities are capped at 10% of economic damage, primarily focused on the funds at risk. The vulnerability must be directly profitable by the attacker through some on-chain operation.
All vulnerabilities that directly affect the Cronos blockchain and directly cause unintentional withdrawals, draining of funds, or loss of user funds are prioritized. This means the team may choose to apply a temporary fix for the bug (or pause the contract) before resolving the bug report. This is done to ensure that the affected funds are safe while the team analyses the bug report, and is NOT a confirmation of the bug report's validity.
Payouts are handled by the Cronos team and are denominated in USD. Payouts are made in USDC and USDT only, with the ratio between them chosen at the discretion of the Cronos team.
The Cronos team reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward, and the amount of the award, depending on severity.