Swisstronik Blockchain Stability: Program Info

Triaged by HackenProof
Swisstronik

Ended 193 days ago

Swisstronik is an identity-based hybrid blockchain that lets Web 3.0 and traditional companies easily build compliant products thanks to on-chain KYC, AML & DPR solutions and blockchain privacy features.

This Bug Bounty is targeting dApp and smart contract developers (JavaScript, TypeScript & Solidity).

The bugs sought here are those that arise when interacting with the blockchain by deploying contracts or making transactions/calls, as well as problems related to the accuracy or clarity of the documentation.

In Scope

Target | Type | Reward
SWTR Token Faucet (https://link.swisstronik.com/nfj) | Other | Bounty
Swisstronik-EVM Block Explorer (https://link.swisstronik.com/m2k) | Other | Bounty
Swisstronik-Cosmos Block Explorer (https://link.swisstronik.com/04j) | Other | Bounty
Swisstronik Docs (https://link.swisstronik.com/zky) | Other | Bounty
EVM JSON-RPC Link (https://link.swisstronik.com/zs7) | Other | Bounty
EVM WebSocket Link (https://link.swisstronik.com/d0t) | Other | Bounty

IN-SCOPE VULNERABILITIES (BLOCKCHAIN)

  • Business logic issues
  • Payments manipulation
  • Transaction manipulation
  • Direct loss of funds
  • Permanent freezing of funds
  • Unintended permanent chain split requiring a hard fork (network partition requiring a hard fork)
  • Any issue that could potentially cause non-deterministic behavior, leading to differing results among nodes
  • Bugs that enable bypassing checks on transactions, e.g. using unlimited gas, using more gas than paid for, or evading signature verification (without DDoS or brute force)
  • Transactions or RPC calls that crash a node or stop block production (without DDoS or brute force)
  • A bug in the respective layer 1 network code that results in unintended smart contract behavior with no concrete funds at direct risk
  • Malformed or incorrect transactions that can nevertheless be included in the mempool
  • Bugs that cause extreme resource usage, e.g. RAM / CPU / storage (without DDoS or brute force)
  • Unauthorized transactions
  • Attacks on logic (the behavior of the code differs from the business description)

OUT OF SCOPE: NON-BLOCKCHAIN RELATED ISSUES

  • Website, backend or GitHub management vulnerabilities
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • 3rd-party issues (e.g., Cosmos SDK, Tendermint, CometBFT)
  • Code that is added only for testing purposes (i.e. example smart contracts)
  • We appreciate the inclusion of logging and additional unit tests in pull requests (PRs), but issues related to these aspects are not considered valid bugs within the scope of this program
  • DNS and other supporting services misconfigurations
  • Impacts involving centralization risks
  • Best practice recommendations
  • Theoretical vulnerabilities without any proof or demonstration
  • Old compiler version
  • Best practice issues
  • Redundant code
  • More details here https://link.swisstronik.com/e14628

Blockchain stability & Informational bugs

These bugs can arise when interacting with the blockchain by deploying contracts or making transactions/calls, and also cover problems related to the accuracy or clarity of the documentation. They include bugs on the blockchain that can disrupt operations, causing technical glitches, transaction errors, and data inaccuracies.

Some examples of these are (but not limited to):

  • The Swisstronik network encounters incompatibility with Solidity compiler versions above 0.8.20.
  • Proxies within Swisstronik fail to function (attributed to encryption of smart contract variables).
  • Incorrect input/output documentation causing confusion for developers.

Program Rules

  • Avoid using web application scanners for automatic vulnerability searching, which generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, or interrupting or degrading any service
  • Don’t access or modify other users' data; localize all tests to your own accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If you find chain vulnerabilities, we will pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay within the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports that help us improve our security. However, only those who meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must not be a former or current employee of the Company or of one of its contractors.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded).
  • Provide detailed but to-the-point reproduction steps.

KYC is required to receive a reward in this bug bounty program. The following information must be provided: email verification, photo/selfie, ID/passport, and country of residence & nationality.

Restrictions on Security Researcher Eligibility:

Security researchers who fall under any of the following are ineligible for a reward.

  • US residents, citizens and/or holders of long-term residence/work permits, etc.
  • China residents, citizens and/or holders of long-term residence/work permits, etc.
  • Individuals that are listed on, or associated with any person or entity listed on, any of the US Department of Commerce’s denied persons or entity lists, the US Department of the Treasury’s specially designated nationals or blocked persons lists, the US Department of State’s debarred parties list, the EU Consolidated List of persons, groups and entities subject to EU financial sanctions, or the Swiss SECO’s overall list of sanctioned individuals, entities and organizations, as well as nationals of, residents of, citizens of, or persons located in geographic areas that are subject to UN, US, EU or Swiss sanctions or embargoes.

Issue Template

  1. Bug/Vulnerability Description
    Clearly state and describe the identified bug or vulnerability.

  2. Hardware and Software Specifications
    OS Name & version
    CPU Name & Brand
    Go version
    Rust version
    SGX version (optional)
    Docker environment

  3. Steps to Reproduce
    Provide clear and concise instructions to reproduce the reported bug or vulnerability.

  4. Impact Analysis
    Analyze the potential consequences of the bug or vulnerability on users, developers, and the organization.

  5. Code Fix Submission
    (Optional) If you have a suggestion for fixing the bug or vulnerability, provide a code fix or a proposed solution.

  6. Additional Context
    (Optional) Share any relevant context, screenshots, logs, or error messages that can facilitate problem-solving and comprehensive understanding.

Submission Criteria
Bug reports must adhere to the guidelines outlined in the Issue Template to ensure effective resolution. (Note: this issue template has already been implemented in each repository under scope.)