The Sandbox is a virtual gaming world where players can build, own, and monetize gaming experiences in the metaverse.
| Target | Chain | Address | Type | Severity | Reward |
|---|---|---|---|---|---|
| Smart Contract - InstantGiveaway | Polygon | https://polygonscan.com/address/0x3d49b60783dB5FA4341355f31e4D9CBa63E53035 | Smart Contract | Critical | Bounty |
| Smart Contract - MultiGiveaway | Polygon | https://polygonscan.com/address/0x214d52880b1e4E17d020908cd8EAa988FfDD4020 | Smart Contract | Critical | Bounty |
| Smart Contract - OFTAdapterForSand | Ethereum | https://etherscan.io/address/0xac531Eb26Ca1d21b85126De8FB87E80E09002DcF | Smart Contract | Critical | Bounty |
| Smart Contract - SAND on BASE | Base | https://basescan.org/address/0xac531Eb26Ca1d21b85126De8FB87E80E09002DcF | Smart Contract | Critical | Bounty |
| Smart Contract - SAND on BSC | BNB Smart Chain | https://bscscan.com/address/0xac531Eb26Ca1d21b85126De8FB87E80E09002DcF | Smart Contract | Critical | Bounty |
| Smart Contract - ASSET (Ethereum) | Ethereum | https://etherscan.io/address/0xa342f5d851e866e18ff98f351f2c6637f4478db5 | Smart Contract | Critical | Bounty |
| Smart Contract - RoyaltySplitter | Polygon | https://polygonscan.com/address/0xafd5f5c6e72f0f6441e4abf2ae8ff23dee21a87a | Smart Contract | Critical | Bounty |
| Smart Contract - RoyaltyManager | Polygon | https://polygonscan.com/address/0x4063c6Ccd3D9541E53A514E83fba3843A7848E2F | Smart Contract | Critical | Bounty |
| Smart Contract - Marketplace | Polygon | https://polygonscan.com/address/0x687B573233791b96b51a47B6FCB8D7D9eceF118e | Smart Contract | Critical | Bounty |
| Smart Contract - CATALYST | Polygon | https://polygonscan.com/address/0x1f980CFDf257792f2D85523094cD6B7210CAb509 | Smart Contract | Critical | Bounty |
| Smart Contract - ASSETCreate | Polygon | https://polygonscan.com/address/0x58E0e4b0C6D99bEbC95a2be635a677D947b5C912 | Smart Contract | Critical | Bounty |
| Smart Contract - ASSET (Polygon) | Polygon | https://polygonscan.com/address/0xDbc52cd5b8EdA1A7BCBABb838ca927d23E3673e5 | Smart Contract | Critical | Bounty |
| Smart Contract - Collection Factory | Polygon | https://polygonscan.com/address/0x3eF580A4A6B862183558625126bcC186436bfF4a | Smart Contract | Critical | Bounty |
| Smart Contract - Avatar collections v2 | Polygon | https://polygonscan.com/address/0x90262e888bbf1f5f375a9286da324f2aeeeebec2 | Smart Contract | Critical | Bounty |
| Smart Contract - Staking v4 - SAND Staking pool | Polygon | https://polygonscan.com/address/0xD3A9CAa25393765c05ce9f332B5E33b5E33D8B8F | Smart Contract | Critical | Bounty |
| Smart Contract - Staking v4 - SAND Staking pool Contribution Rules | Polygon | https://polygonscan.com/address/0x6b4831e24F0cd73d4150EF4694aA87d6c104A774 | Smart Contract | Critical | Bounty |
| Smart Contract - Staking v4 - SAND Staking pool Rewards Calculator | Polygon | https://polygonscan.com/address/0x5cd67Daa17F708d6489E7Bb7648b7D0B823eA7bF | Smart Contract | Critical | Bounty |
| Smart Contract - Avatar collections | Polygon | https://polygonscan.com/address/0xc3f3ef3929392fdc697c5800d6cd18af73377a8f | Smart Contract | Critical | Bounty |
| Smart Contract - LAND | Ethereum | https://etherscan.io/address/0x5CC5B05a8A13E3fBDB0BB9FcCd98D38e50F90c38 | Smart Contract | Critical | Bounty |
| Smart Contract - LAND Tunnel | Ethereum | https://etherscan.io/address/0x6cE82874EAf6E7602fD21Cf8bBDEd82705680A99 | Smart Contract | Critical | Bounty |
| Smart Contract - SAND | Ethereum | https://etherscan.io/address/0x3845badade8e6dff049820680d1f14bd3903a5d0 | Smart Contract | Critical | Bounty |
| Smart Contract - EstateSalesWithAuth | Ethereum | https://etherscan.io/address/0x942DaEbbec2ab2307223E58E2C4360d4EBf88FA4 | Smart Contract | Critical | Bounty |
| Smart Contract - SAND Staking Pool | Polygon | https://polygonscan.com/address/0xa6e383bda26e4c52a3a3a3463552c42494669abd | Smart Contract | Critical | Bounty |
| Smart Contract - SAND Staking Pool Contribution Calculator | Polygon | https://polygonscan.com/address/0x7695b9ac52e49f1a8c4c554a072edb225eebfe70 | Smart Contract | Critical | Bounty |
| Smart Contract - SAND | Polygon | https://polygonscan.com/address/0xbbba073c31bf03b8acf7c28ef0738decf3695683 | Smart Contract | Critical | Bounty |
| Smart Contract - LAND | Polygon | https://polygonscan.com/address/0x9d305a42a3975ee4c1c57555bed5919889dce63f | Smart Contract | Critical | Bounty |
| Smart Contract - LAND Tunnel | Polygon | https://polygonscan.com/address/0x21B083e128fa7BcC31214a0c000B56Fd4372EEa8 | Smart Contract | Critical | Bounty |
Severity levels:
- Critical
- High
- Medium
- Low: smart contract fails to deliver promised returns, but doesn't lose value
All bug reports must come with a PoC whose end effect impacts an asset in scope in order to be considered for a reward. Explanations and statements are not accepted as a PoC; working code is required.
Rewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 50 000 and a maximum reward of USD 200 000 for Critical smart contract bug reports. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused.
High severity smart contract vulnerabilities will be further capped at up to 100% of the funds affected. In the event of temporary freezing, the reward doubles for every additional 5 blocks that the funds could be temporarily frozen, rounded down to the nearest multiple of 5, up to the hard cap of 20 000 USD. This is implemented in order to account for the increased relative impact based on the duration of the freezing of funds.
All calculations of the amount of funds at risk are done based on the time the bug report is submitted.
The Sandbox requires all bug bounty hunters to complete the program’s KYC requirements if they are submitting a report and wanting a reward. The information needed is an ID photo along with a scan of a utility bill to show residency proof.
Bug reports from compensated team members of any of The Sandbox's core units will not be eligible for a reward. Employees and team members of third-party suppliers to core units that operate in a technical capacity and have assets covered in this bug bounty program will also not be eligible for a reward. All team members of the audit companies The Sandbox works with, and of its third-party suppliers, are not eligible for a reward.
Bug reports from team members and third-party suppliers of businesses and organizations that are not a The Sandbox core unit but have assets considered critical infrastructure covered under the bug bounty program are also not eligible for the bug bounty program.
Bug reports covering previously-discovered bugs are not eligible for the program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report.
The following issues are considered known and are not eligible for a reward:
All issues previously highlighted in the following audit reports are also considered out of scope: https://github.com/thesandboxgame/sandbox-smart-contracts/tree/master/packages/core/documentation/audits
For proxy contracts, only the current implementation and any further updates to the implementation contracts are considered in scope.
All smart contracts of The Sandbox can be found at https://github.com/thesandboxgame/sandbox-smart-contracts. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward: