Bug bounty
Triaged by Hackenproof

SynFutures dApp: Program info

SynFutures dApp

Company: SynFutures
KYC required. PoC required.
Live
Program is active now

SynFutures is a decentralized perpetual futures protocol that enables open and transparent trading on any asset, with instant listings. Its V3 Oyster AMM launched the industry's first unified AMM and on-chain order book model.

In scope
Target | Type | Severity | Reward
https://oyster.synfutures.com/ | Web | Critical | Bounty

Focus Area

IN SCOPE

Reward Calculation

Critical web/app bug reports are rewarded with USD 10,000 only if the impact leads to:

  • A loss of funds involving an attack that does not require any user action
  • Private key or private key generation leakage leading to unauthorized access to user funds

All other impacts classified as Critical are rewarded a flat USD 5,000. The remaining severity levels are paid out according to the Impact in Scope table.

Critical

  • Execute arbitrary system commands
  • Retrieve sensitive data / files from a running server, such as: /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)
  • Taking down the application / website
  • Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc.
  • Subdomain takeover with already-connected wallet interaction
  • Direct theft of user funds
  • Malicious interactions with an already-connected wallet, such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions
  • Injection of malicious HTML or XSS through metadata
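The "malicious interactions with an already-connected wallet" class above (substituted contract addresses, modified transaction parameters) is what a compromised or injected front-end does between the page's JavaScript and the user's wallet. The following is an added example, not SynFutures code, of a guard a dApp front-end can put in front of its EIP-1193 provider so that an eth_sendTransaction whose target contract or ERC-20 approve() spender is not a known protocol address is refused before it reaches the wallet. All addresses and the mock provider are constructed for the example; the only real constant is the approve(address,uint256) selector 0x095ea7b3.

```javascript
// Added example (not SynFutures code): a guard in front of an EIP-1193 wallet
// provider that rejects eth_sendTransaction requests whose target contract or
// ERC-20 approve() spender is not a known protocol address. The addresses and
// the mock provider below are constructed for this example.

// Hypothetical protocol contracts the front-end is allowed to call or approve.
const KNOWN_CONTRACTS = new Set([
  "0x1111111111111111111111111111111111111111", // hypothetical router
  "0x2222222222222222222222222222222222222222", // hypothetical vault
]);

// Hypothetical ERC-20 tokens the front-end may send approve()/transfer() to.
const KNOWN_TOKENS = new Set([
  "0x4444444444444444444444444444444444444444", // hypothetical collateral token
]);

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")

function isHexAddress(value) {
  return typeof value === "string" && /^0x[0-9a-fA-F]{40}$/.test(value);
}

// If calldata is an ERC-20 approve(address,uint256), return the spender
// (lower-cased, 0x-prefixed). Returns null for non-approve or malformed data.
function decodeApproveSpender(data) {
  if (typeof data !== "string" || !data.toLowerCase().startsWith(APPROVE_SELECTOR)) return null;
  if (data.length < 2 + 8 + 64 + 64) return null; // "0x" + selector + two 32-byte ABI words
  const word = data.slice(10, 74).toLowerCase(); // first ABI word: left-padded spender
  if (!/^0{24}[0-9a-f]{40}$/.test(word)) return null; // high 12 bytes of an address word must be zero
  return "0x" + word.slice(24);
}

// Inspect one JSON-RPC request before it reaches the wallet.
// Returns { ok: true } or { ok: false, reason } so the caller can log and abort.
function checkRequest(request) {
  if (!request || request.method !== "eth_sendTransaction") return { ok: true }; // read-only calls pass
  const tx = Array.isArray(request.params) ? request.params[0] : undefined;
  if (!tx || typeof tx !== "object") return { ok: false, reason: "malformed params" };
  if (!isHexAddress(tx.to)) return { ok: false, reason: "missing or malformed 'to'" };
  const to = tx.to.toLowerCase();
  if (!KNOWN_CONTRACTS.has(to) && !KNOWN_TOKENS.has(to)) {
    return { ok: false, reason: `unexpected target ${tx.to}` }; // substituted contract address
  }
  const isApprove = typeof tx.data === "string" && tx.data.toLowerCase().startsWith(APPROVE_SELECTOR);
  const spender = decodeApproveSpender(tx.data);
  if (isApprove && spender === null) return { ok: false, reason: "malformed approve calldata" };
  if (spender !== null && !KNOWN_CONTRACTS.has(spender)) {
    return { ok: false, reason: `approve to unexpected spender ${spender}` }; // modified argument
  }
  return { ok: true };
}

// Wrap a provider so every request passes checkRequest first.
function guardProvider(provider) {
  return {
    request(args) {
      const verdict = checkRequest(args);
      if (!verdict.ok) return Promise.reject(new Error(`blocked: ${verdict.reason}`));
      return provider.request(args);
    },
  };
}

// Constructed stand-in for window.ethereum; a real front-end would wrap the injected provider.
const mockProvider = { request: async (args) => ({ forwarded: args.method }) };
const guarded = guardProvider(mockProvider);

guarded
  .request({ method: "eth_sendTransaction", params: [{ to: "0x3333333333333333333333333333333333333333", data: "0x" }] })
  .catch((err) => console.log(err.message)); // blocked: unexpected target 0x3333...
```

The guard only covers the two parameters the page names (target address and approve spender); a full deployment would also pin the chain ID and the value field, and the allowlist must be shipped with the bundle rather than fetched at runtime, since a front-end that can be injected into can have its runtime config replaced just as easily.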

High

  • Injecting / modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc.
  • Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc.
  • Improperly disclosing confidential user information, such as: Email address, Phone number, Physical address, etc.
  • Subdomain takeover without already-connected wallet interaction

Medium

  • Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Changing the name of user, Enabling / disabling notifications
  • Injecting / modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection, Loading external site data
  • Redirecting users to malicious websites (open redirect)

Low

  • Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as: Iframing leading to modifying the backend / browser state (demonstrate impact with PoC)
  • Taking over broken or expired outgoing links, such as: Social media handles, etc.
  • Temporarily disabling user to access target site, such as: Locking up the victim from login, Cookie bombing, etc.

OUT OF SCOPE

Web & App specific

  • Theoretical impacts without any proof or demonstration
  • Impacts involving attacks requiring physical access to the victim device
  • Impacts involving attacks requiring access to the local network of the victim
  • Reflected plain text injection (e.g. url parameters, path, etc.)
      • This does not exclude reflected HTML injection with or without JavaScript
      • This does not exclude persistent plain text injection
  • Any impacts involving self-XSS
  • Captcha bypass using OCR without impact demonstration
  • CSRF with no state modifying security impact (e.g. logout CSRF)
  • Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
  • Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
  • Impacts causing only the enumeration or confirmation of the existence of users or tenants
  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
  • Lack of SSL / TLS best practices
  • Impacts that only require DDoS
  • UX and UI impacts that do not materially disrupt use of the platform
  • Impacts primarily caused by browser/plugin defects
  • Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
  • Misconfigured SPF/DMARC records
  • Missing HTTP Headers without demonstrated impact
  • Automated scanner reports without demonstrated impact
  • UI/UX best practice recommendations
  • Non-future-proof NFT rendering

Program Rules

  • KYC and Proof of Concept required
  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If you find a chain of vulnerabilities, we pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports that help us improve security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee or contractor of the company.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the-point reproduction steps

Additional Resources

SynFutures codebase: SynFutures Documentation (https://docs.synfutures.com/)

SynFutures' completed audit report can be found at https://www.synfutures.com/Quantstamp-Audit-Report-SynFuturesV3.pdf

Rewards
Range of bounty: $1,000 - $10,000

Severity | Reward
Critical | $6,000 - $10,000
High | $5,000
Medium | $2,000
Low | $1,000

Stats
Scope Review: 313
Submissions: 3
Total rewards: $0

Types: Web
Project types: dApp
Hackers (3)
1. mahmadisha shaikh
2. @fcckyc (Francois)
3. Karl Franklyn Aparece
SLA (Service Level Agreement)
Time within which the program's triage team must respond

Response type | Business days
First Response | 3d
Triage Time | 3d
Reward Time | 3d
Resolution Time | 14d