Bug bounty

Nimbus: Program info

Company: Nimbus
This program left 661 days ago

Nimbus is a DAO-governed platform providing users with 16 earning strategies based on lending and borrowing, classic IPO participation, start-up financing, staking, and more.

In scope
Target: P2P functionality

📘 https://git.nimbusplatform.io/nimbus-platform/nim-smartcontract/-/blob/master/contracts/contracts_BSC/dApps/P2P/NimbusP2P_V2.sol

Contracts in scope:

📘 NimbusP2P_V2.sol

Type: Web
Severity: Critical
Reward: Bounty

Target: NFTs

📘 https://git.nimbusplatform.io/nimbus-platform/nim-smartcontract/-/tree/master/contracts/contracts_BSC/dApps/NFTTokens

Contracts in scope:

📘 SmartLP.sol

📘 SmartLender.sol

📘 SmartStaker/

Type: Code
Severity: Critical
Reward: Bounty

Target: Lending and Borrowing

Contracts in scope:

📘 https://git.nimbusplatform.io/nimbus-platform/nim-smartcontract/-/tree/master/contracts/contracts_BSC/dApps/RevenueChannels/core

📘 https://git.nimbusplatform.io/nimbus-platform/nim-smartcontract/-/tree/master/contracts/contracts_BSC/dApps/RevenueChannels/feeds

📘 https://git.nimbusplatform.io/nimbus-platform/nim-smartcontract/-/tree/master/contracts/contracts_BSC/dApps/RevenueChannels/loantoken/

Type: Code
Severity: Critical
Reward: Bounty

Focus Area

In-Scope Vulnerabilities

We are interested in the following vulnerabilities:

  • Reentrancy
  • Logic errors
      • Including user authentication errors
  • Solidity/EVM details not considered
      • Including integer over-/under-flow
      • Including rounding errors
      • Including unhandled exceptions
  • Trusting trust/dependency vulnerabilities
      • Including composability vulnerabilities
  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks
      • Including flash loan attacks
  • Congestion and scalability
      • Including running out of gas
      • Including block stuffing
      • Including susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems
  • Signature malleability
  • Susceptibility to replay attacks
  • Weak randomness
  • Weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces

Out-of-Scope Vulnerabilities

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third party oracles
      • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

Program Rules

  • Only those vulnerabilities that are original should be awarded a bounty. This means that in case of a duplicate report, or two users reporting the same bug, the user who submitted the report FIRST shall be awarded.
  • Public disclosure of the vulnerability before the Nimbus team resolves it, without explicit consent from the team, will make the bounty hunter ineligible for further participation.
  • In case you find chain vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law, and stay in the defined scope.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team member or an authorized employee of this Company without appropriate permission.

Rewards

Range of bounty: $50 - $10,000

Severity
  • Critical: $5,000 - $10,000
  • High: $2,000 - $5,000
  • Medium: $1,000 - $2,000
  • Low: $50 - $1,000

Stats

Total rewards: $250
Reports submitted: 18
Types: smart contract, blockchain

Hackers (5)
Cristian Cornea
1
Xavier
2
Rick Shansez
3
Shan Kenneth Bayon-on
4
Brindrajsinh Chauhan
5

SLA (Service Level Agreement)

Time within which the program's triage team must respond (in business days):

  • First Response: 3d
  • Triage Time: 7d
  • Reward Time: 3d
  • Resolution Time: 30d