Cronos Smart Contracts: Program info

Extreme: Up to $250,000

If a report comes forward that the Cronos team believes deserves a larger reward, perhaps due to the novelty of the attack, the Cronos team will offer an additional $50,000.

IN-SCOPE: SMART CONTRACT VULNERABILITIES

Only the latest release version deployed to mainnet is considered as in-scope of the bug bounty program. Please note the following are out of scope: All folders and files labeled as “Mock” or “Test”

Impacts in scope Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

• Cryptographic flaws - Critical
• Cronos (blockchain), smart contracts and app with the focus on any vulnerabilities causing unintentional withdrawal/draining of funds/loss of user funds - Critical

OUT OF SCOPE: SMART CONTRACT VULNERABILITIES

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks that rely on social engineering
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses

Smart Contracts

• Incorrect data supplied by third party oracles
• Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Design issues that are not necessarily a security risk .
• Initialization or deployment difficulties solvable via redeployment.
• Reports that are suspected to be generated using automated or generative tools.
• Potential vulnerabilities that require intervention from a third party (e.g., adding a malicious liquidity pool) that is prohibited by existing policies (such as whitelisted pools only).
• Devaluing of protocol incentive rewards but do not result in the loss of user funds.
• Dilutions of protocol incentive rewards but do not result in the loss of user funds.
• Vulnerabilities found within developmental code on GitHub which is not currently in production.
• Assets not declared in the scope.
• Incorrect or missing contract settings that do not lead to user fund losses.
• Gas draining.
• Previously known attack vectors or vulnerabilities (resolved or not) for which a bounty has already been awarded, including those that are similar but not identical. e.g smart contract logic used in DApp1 and DApp2.
• Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
• Previously known vulnerabilities in Tendermint and or/any other fork of these.
• Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.
• Previously known vulnerable libraries without a working Proof of Concept.
• Previously known vulnerabilities in CometBFT and or/any other fork of these.
• Public Zero-day vulnerabilities
• Feature request
• Best practices
• VVS-Bench is Out of Scope
• Denial of service (DoS) / Distributed Denial of Service(DDOS) / Spamming
• Vulnerabilities that rely on pools or vaults with zero shares (empty).

• Any testing with mainnet or public testnet contracts is prohibited by this bug bounty program; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts is prohibited by this bug bounty program
• Attempting phishing or other social engineering attacks against our employees and/or customers is prohibited by this bug bounty program
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks) is prohibited by this bug bounty program
• Public disclosure of an unpatched vulnerability in an embargoed bounty is prohibited by this bug bounty program
• Avoid using web application scanners for automatic vulnerability searching or automated testing of services which generates massive traffic
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Don’t access or modify other user data, localize all tests to your accounts
• Perform testing only within the scope
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
• Don’t spam forms or account creation flows using automated scanners
• In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity
• Don’t break any law and stay in the defined scope
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary
• You must not be a former or current employee of us or one of its contractor
• ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)