Bug bounty program
Triaged by HackenProof

DeepFi Trade: Program info

Company: DeepFi
50 reputation points required. POC required.
Status: Paused (the program is paused now)

DeepFi Trade is a web dApp DEX aggregator on Solana offering spot, limit, and multi-token trades. Users earn DRIP on completed trades; missions, streaks, and a leaderboard provide gamified rewards. The app includes a token “scam checker.” The program requests a front-end/app-layer security review of the dApp and any backends/services it uses; no on-chain program audit is requested.

In scope
Target: https://deepfi.trade/ (password: Beta@25)
Type: Web
Severity: Critical

Focus Area

Extreme severity level (wallet draining) - Bounty: $25,000+

An extreme severity issue is any vulnerability that can be used to steal funds from end users or protocol treasuries (direct wallet draining, private key extraction, signer/multisig compromise, irreversible bridge drain, or equivalent). Rewards for verified exploits start at $25,000 and scale with the assets at risk, exploitability, and the attacker sophistication required. Reporters must provide a safe proof-of-concept (see the PoC rules under Program Rules and Eligibility below). Exploits performed on mainnet without prior authorization will be disqualified; instead, provide signed transactions or testnet exploits that our team can trivially repeat.

IN SCOPE VULNERABILITIES: WEB VULNERABILITIES

We are interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Injection vulnerabilities (SQL, XXE)
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Directory traversal
  • Other vulnerabilities with a clear potential loss

OUT OF SCOPE: WEB VULNERABILITIES

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

  • Vulnerabilities in third-party applications
  • Assets that do not belong to the company
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Reports generated by scanners or any automated or active exploit tools
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues without clear impact
  • Denial of service (DoS/DDoS)
  • Theoretical issues
  • Moderately Sensitive Information Disclosure
  • Spam (sms, email, etc)
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL-related issues;
    • DNS issues (e.g. MX records, SPF records, DMARC records, etc.);
    • Server configuration issues (e.g. open ports, TLS, etc.)
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • Weak Captcha/Captcha Bypass
  • Lack of Secure and HTTPOnly cookie flags
  • Username/email enumeration via Login/Forgot Password Page error messages
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating clear security impact
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Mixed HTTP Content
  • HTTPS Mixed Content Scripts
  • Manipulation with Password Reset Token
  • MitM and local attacks
  • Response manipulations without demonstration of system state change

Program Rules

1. Scope & Authorization

  • You are authorized to test only the assets and environments explicitly listed on the program page or provided to you by the DeepFi team (staging/testnet URLs and test accounts).
  • Any testing outside those scopes is unauthorized and may be treated as malicious activity.

2. Use of Automated Tools

  • Avoid using noisy web-application scanners or automated tools that produce large volumes of traffic against our services.
  • If you must use automated tooling, contact us first to obtain explicit permission and guidance on rate limits and scope.

3. Minimize Impact & Service Safety

  • Make every effort not to damage, degrade, or restrict the availability of production or staging products, services, or infrastructure.
  • Do not exploit or weaponize vulnerabilities in a way that causes service interruption, data loss, or system instability.

4. Data & Account Safety

  • Do not access, modify, or exfiltrate other users’ data. Localize all tests to accounts and resources you control or that have been explicitly provisioned for testing.
  • Do not attempt to bypass or tamper with access controls to read or change other users’ information.

5. Allowed and Prohibited Testing Activities

  • Perform testing only within the defined in-scope targets and according to the program’s scope rules.
  • Do not perform Denial-of-Service (DoS/DDoS) attacks, stress tests, or other disruptive load-based testing.
  • Do not engage in social engineering, phishing, SIM swapping, or any other activity that targets personnel or third parties.

6. Abuse of Input Flows & Automation

  • Do not spam forms, account-creation endpoints, or other input channels with automated scripts at rates that cause service disruption.
  • Avoid automated scraping at scale; use explicit, reasonable rate limits and only when permitted.

7. Blockchain / Chain Vulnerabilities

  • If you find vulnerabilities strictly at the chain/protocol level (outside our dApp code), we will only pay for those that demonstrate the highest severity and clear business impact to DeepFi (e.g., direct loss of funds exploitable via our dApp flows).
  • Protocol-only theoretical issues without a demonstrable dApp impact are not eligible for bounty rewards.

8. Legal Compliance & Jurisdiction

  • Do not break applicable laws. Researchers must comply with local and international law while conducting security research.
  • If you are unsure about legal exposure, obtain written permission before proceeding.

9. Disclosure Rules & Confidentiality

  • Do not disclose any details of found vulnerabilities to anyone other than the HackenProof triage team (if using the platform) or an authorized DeepFi employee without prior written permission.
  • Public disclosure before coordinated remediation and explicit consent will forfeit bounty eligibility.

10. Reporting Requirements & Proof of Concept

  • Provide a clear, reproducible PoC with step-by-step instructions, example requests/inputs, and evidence (screenshots/videos/logs) demonstrating the impact.
  • Reports missing a working PoC may be triaged as informational only.

11. Remediation & Retest

  • Do not attempt to remediate issues yourself. After we confirm and fix a reported vulnerability, we may request the researcher to validate the remediation.
  • We reserve the right to request additional info or retesting before awarding any bounty.

12. Reward & Triage Discretion

  • Bounty payments are awarded at the sole discretion of DeepFi after triage, taking severity, exploitability, and PoC quality into account.
  • DeepFi reserves the right to withhold, reduce, or refuse payment for reports that violate these rules, lack a PoC, or are duplicate submissions.

13. Emergency Contact & Active Exploit Handling

  • If you discover an active exploit that is being used in the wild or that is causing immediate loss, contact our emergency response channel immediately (details provided on the program page). Do not attempt to exploit it further.

14. Respect & Professional Conduct

  • Interact professionally and respectfully with the DeepFi team and triage staff. Abusive or threatening behavior will result in report rejection and exclusion from the program.

Disclosure Guidelines

To protect users and ensure responsible remediation, researchers must follow these disclosure and discussion rules:

  • Confidentiality: Do not discuss this program, its scope, or any vulnerabilities (including resolved or duplicate ones) outside of the program without express written consent from DeepFi.

  • No Public Disclosure: Do not publish, share, or discuss any discovered vulnerabilities, partial findings, or proof-of-concept details on social media, blogs, forums, or elsewhere at this time.

  • Private Communication Only: All vulnerability discussions must take place exclusively within the HackenProof platform or through direct communication with authorized DeepFi security personnel.

  • Future Disclosure: If public disclosure becomes permitted, DeepFi will issue explicit written approval and coordinated release instructions. Until that time, no disclosure of any kind is allowed.

Violation of these terms may result in disqualification from the program and forfeiture of any pending rewards.

Eligibility and Coordinated Disclosure

We appreciate everyone who helps improve DeepFi Trade's security. To be eligible for a monetary reward, submissions must meet all of the following conditions:

  • You must be the first reporter of the vulnerability (we do not pay duplicate reports).
  • The vulnerability must be a qualifying vulnerability according to the program scope.
  • Any vulnerability discovered must be reported no later than 24 hours after discovery and exclusively via your HackenProof account/submission form (reports submitted by other channels will not be eligible).
  • Use the same email address you used to register your HackenProof account for all communications. Submissions from a different email address will be ineligible.
  • You must not be a current or former employee, contractor, or consultant of DeepFi or any affiliated entity.
  • Provide a clear textual description and detailed reproduction steps (exact URLs, request samples, example accounts, payloads). Keep instructions concise and actionable.
  • Include a working Proof of Concept (PoC): screenshots, video, curl/Postman requests, logs, or code that demonstrates the issue and the state change it produces. For bugs in the gamified reward system (DRIP payouts, missions, streaks, leaderboard), show the before/after state and any altered payouts or leaderboard positions.
  • State the environment used (staging or production; browser, OS, wallet version). If testing on production was required, explain why and describe safeguards taken.
  • Include an impact assessment and a short suggested mitigation.
  • Confirm compliance with program rules and safe-harbor in a disclosure statement (i.e., you did not exfiltrate real user funds or leak sensitive data).
  • Reports missing any of the above will be triaged lower and may be closed without reward.

Additional conditions and procedural notes:

  • Automated scanner-only reports (no manual PoC) are low priority and may be rejected. Do not rely on noisy scanning that impacts availability.
  • If your finding required interacting with other users’ accounts or funds, stop testing immediately and contact us; we will coordinate remediation. Do not move or steal funds.
  • If you discover an active exploit in production, contact our emergency channel immediately per the program page. Do not attempt to exploit it further.

Triage & response timeline (what to expect)

Acknowledgement: We will acknowledge receipt of a valid HackenProof submission within 48 hours.

Initial triage: You will receive an initial triage decision (in-scope / out-of-scope / duplicate / needs PoC) within 5 business days.

Validation: For accepted reports, we will validate the issue, remediate or schedule a fix, and coordinate retest with you.

Payment: Bounty payment decisions are made after validation and remediation; rewards are discretionary and based on severity, exploitability, and PoC quality. Reward eligibility is conditional on compliance with these rules. DeepFi reserves the right to refuse rewards for reports that violate program rules, lack a proper PoC, are duplicates, or involve illegal activity.

If you have any questions about scope, staging credentials, or legal exposure before testing, contact us through the HackenProof program message channel to obtain written guidance.

Rewards
Range of bounty: $200 - $3,000

Severity   Reward
Critical   $3,000
High       $1,000
Medium     $500
Low        $200
Stats

Scope Review: 34252
Submissions: 24
Total rewards: $0
Types: Web
Project types: dApp
Hackers: 11

SLA (Service Level Agreement)
Time within which the program's triage team must respond (in business days)

Response Type     Business days
First Response    3
Triage Time       3
Reward Time       3
Resolution Time   14