ShapeShift: Program info
Bug bounty, triaged by HackenProof
Company: Shape Shift
This program is active now

Explore the Defi Universe with ShapeShift. A free open source platform to trade, track, buy, and earn. Community-owned. Private. Non-custodial. Multi-chain.

In scope

| Target | Type | Severity | Reward | Notes |
|---|---|---|---|---|
| app.shapeshift.com | Web | Critical | Bounty | runs https://github.com/shapeshift/web |
| api.bitcoin.shapeshift.com | API | Critical | Bounty | runs https://github.com/shapeshift/unchained |
| api.ethereum.shapeshift.com | API | Critical | Bounty | runs https://github.com/shapeshift/unchained |
| shapeshift.com | Web | None | Bounty | hosted by WebFlow, a third party |
| The ShapeShift Mobile App: https://apps.apple.com/us/app/shapeshift-buy-trade-crypto/id996569075 | Web | Critical | Bounty | iOS Mobile App. The application within the stated bounds of the bounty program. |
| The ShapeShift Mobile App: https://play.google.com/store/apps/details?id=com.shapeshift.droid_shapeshift&hl=en_US&gl=US | Android | Critical | Bounty | Android Mobile App. The application within the stated bounds of the bounty program. |
Out of scope

| Target | Type | Severity | Reward | Notes |
|---|---|---|---|---|
| shapeshift.zendesk.com | Web | None | Bounty | hosted by ZenDesk, a third party |
| shapeshift-io.hellonext.co | Web | None | Bounty | hosted by HelloNext, a third party |
| beta.shapeshift.com | Web | None | Bounty | a legacy system maintained by the Fox Foundation, not the ShapeShift DAO |
| auth.shapeshift.com | Web | None | Bounty | a legacy system maintained by the Fox Foundation, not the ShapeShift DAO |
| portal.shapeshift.io | Web | None | Bounty | a legacy system maintained by the Fox Foundation, not the ShapeShift DAO |
| portis.io | Web | None | Bounty | Portis is now a separate company |
| coincap.io | Web | None | Bounty | CoinCap is now a separate company |
| Physical (or emulated!) KeepKey devices | Web | None | Bounty | KeepKey is now a separate company |

Focus Area

Not everything with the word "ShapeShift" on the tin is something the ShapeShift DAO maintains. To avoid confusion, this program has a specifically defined scope: anything listed below is covered, and anything that isn't listed is not.

  • Any smart contract code developed by the DAO
  • Any smart contract code deployed by the DAO on-chain on a mainnet (i.e. L2s are in-scope, but not testnets)
  • The specific projects hosted at the following GitHub repositories:
  1. shapeshift/web
  2. shapeshift/lib
  3. shapeshift/unchained
  4. shapeshift/hdwallet
  • Any software hosted under the ShapeShift GitHub Org or the @shapeshiftoss NPM org, if it's a dependency of something else in scope
  • Example of a dependency that is in scope: shapeshift/fiojs
  • Examples of things that are hosted in these locations but aren't dependencies of something in scope: shapeshift/cluster-launcher, shapeshift/foxfarm, keepkey/python-keepkey, keepkey/device-protocol

Any valid, in-scope issue is covered under this program; however, what exactly "valid" means is at our sole discretion, and if you report an issue which we don't consider valid, you will not receive a reward for that issue. To help set expectations, here are a few things that we don't consider valid:

  • Disclosure of API keys that aren't supposed to be kept secret
  • Clickjacking attacks against sites that don't maintain user login sessions
  • TLS settings which don't quite match someone-or-other's particular recommendations
  • Open S3 buckets which don't have any confidential information in them
  • Most non-critical findings from automated vulnerability scanners
  • Most Host header injections (the ability to attack yourself isn't a security issue)
  • Information disclosure issues that only disclose publicly available information (like stuff that's recorded on a blockchain)
  • Attacks which require physical access to a user's device (including KeepKey, which is not intended to be tamper-resistant)
  • Attacks which require arbitrary code execution on a user's computer (except KeepKey, where protecting against that sort of thing is the whole point)

This list is not exhaustive, and we'll update it with more salient examples as we discover points of confusion; still, hopefully it's relatively self-explanatory.

Whether an issue is valid usually boils down to a question of threat model; if you'd like to discuss the threat model we use for the various in-scope projects, or get clarification about the status of a particular issue, feel free to drop into our Discord server and have a chat with our security team.

Program Rules

  • Avoid using web application scanners for automated vulnerability searching that generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, or interrupting or degrading any service
  • Don't access or modify other users' data; limit all tests to your own accounts
  • Perform testing only within the scope
  • Don't exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don't spam forms or account creation flows using automated scanners
  • If you find chained vulnerabilities, we'll pay only for the vulnerability with the highest severity
  • Don't break any law, and stay in the defined scope
  • Details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of this Company without appropriate permission

Disclosure Guidelines

We ask that you keep any issues confidential for a period of 90 days following your report to us, or until they are remediated, whichever is shorter. This is intended to allow us a window of opportunity to assess and remediate the underlying issues in advance of their public disclosure. Your participation in this program is contingent on this confidentiality; you may choose to disclose whatever you wish at any time, but doing so during the confidentiality period will forfeit any rewards you may have otherwise been eligible for.

All software the DAO maintains is open-source and available to the public, and you do not need special permission from us to perform security research on our software or systems. Rest assured that whether or not you choose to participate in our Responsible Disclosure Program, we will not pursue any legal action against you or your company for unlawful access of computer systems, access of confidential information, or damages to our systems. Still, we request that you follow Wheaton's Law and conduct your research in a manner respectful of us and our users.

  • Please refrain from attempting to cause denials of service by leveraging high volumes of traffic.
  • Please don't use any vulnerabilities you may find against any of our users if you don't have their permission.
  • Please avoid intentionally degrading our users' experience.

When in doubt, we do have some testing environments that may come in handy if you'd like to try stuff like this. Feel free to drop into our Discord server and chat with us in that case; we'll work with you.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must not be a former or current employee of ours or of one of our contractors.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded).
  • Provide detailed but to-the-point reproduction steps.

Rewards

Range of bounty: $50 - $10,000

| Severity | Reward |
|---|---|
| Critical | $5,000 - $10,000 |
| High | $2,000 - $5,000 |
| Medium | $500 - $1,500 |
| Low | $50 - $500 |

Stats

Total rewards: $15,450
Bugs found: 115
Types: web, API

SLA (Service Level Agreement)

Time within which the program's triage team must respond, in business days:

| Response Type | Business days |
|---|---|
| First Response | 3d |
| Triage Time | 3d |
| Reward Time | 3d |
| Resolution Time | 14d |