Bug bounty

LACHAIN.IO: Program info

Company: Latoken
This program left 505 days ago

Lachain is a cross-chain DeFi protocol. It allows seamless access to a multitude of decentralized finance products on major blockchains without managing gas tokens: all fees and gas are paid with the LA token.

In scope

Target                               Type   Severity   Reward
app.lachain.io                       Web    Critical   Bounty
ladex.exchange                       Web    Critical   Bounty
https://github.com/LATOKEN/lachain   Code   Critical   Bounty

Out of scope

Target                                                              Type   Severity   Reward
https://github.com/LATOKEN/lachain/tree/dev/src/Lachain.Consensus   Code   None       Bounty

Focus Area

In-Scope Vulnerabilities

We are interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Other vulnerabilities with a clear potential loss

Out-of-Scope Vulnerabilities

OUT OF SCOPE - WEB

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues without clear impact
  • Denial of service
  • Theoretical issues
  • Moderately Sensitive Information Disclosure
  • Spam (sms, email, etc)
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL related issues
    • DNS issues (e.g. MX records, SPF records, DMARC records, etc.)
    • Server configuration issues (e.g. open ports, TLS, etc.)
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • Weak Captcha/Captcha Bypass
  • Lack of Secure and HttpOnly cookie flags
  • Username/email enumeration via Login/Forgot Password Page error messages
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Mixed HTTP Content
  • HTTPS Mixed Content Scripts
  • DoS/DDoS issues
  • Manipulation with Password Reset Token
  • MitM and local attacks

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

• Don’t spam forms or account creation flows using automated scanners.

• If you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.

• Don’t break any law, and stay within the defined scope.

Disclosure Guidelines

As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.

TEMPORARY OUT OF SCOPE

We are currently doing a security audit; after that, the following will move to ‘In Scope’:

• Consensus protocol compliance: Any flaws that would make our client(s) deviate from consensus

We already found issues in the following and are rewriting it; afterwards it will move to 'In Scope':

• Faucet Script (https://app.lachain.io/faucet / https://staging.lachain.io/olddesign/faucet / https://app.lachain.io/olddesign/faucet)

OUT OF SCOPE

  • Previously known vulnerable libraries without a working Proof of Concept
  • Unauthenticated/logout/login CSRF
  • Best practices concerns
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Theoretical issues
  • DoS/DDoS issues
  • Our infrastructure, such as web pages, DNS, email, etc., is not part of the bounty scope; for latoken.com bounties, check the bug bounty program at https://hackenproof.com/latoken

Web applications/libraries operated or created by third parties are only considered in scope in the following case:

  • If the usage of that third-party component directly endangers the lachain blockchain (i.e. only if the part of the component that is actually used endangers lachain)

Rewards

Range of bounty: $50 - $1,500

Severity   Reward
Critical   $1,500
High       $900
Medium     $300
Low        $50

Stats

Total rewards: $2,550
Reports submitted: 92
Types: blockchain, web

Hackers (5)

1. Piyush Shukla
2. Huntinex
3. Rk Thakur 🇳🇵
4. Sanidhya Ved
5. DiMaX

SLA (Service Level Agreement)

Time within which the program's triage team must respond:

Response Type      Business days
First Response     5d
Triage Time        5d
Reward Time        3d
Resolution Time    25d