Swisstronik Core: Program Info

Triaged by HackenProof
Swisstronik

Ended 193 days ago

Swisstronik is an identity-based hybrid blockchain that lets Web 3.0 and traditional companies easily build compliant products thanks to on-chain KYC, AML & DPR solutions and blockchain privacy features.

This Bug Bounty is targeting Blockchain Core Developers (Go & Rust).

These bugs are code issues or bad implementation compromising the safe functionality of the Swisstronik chain and Swisstronik EVM Module, potentially leading to blockchain crashes, leakage of confidential data, or fund losses.

In Scope

Target                                                                  Type   Severity  Reward
Swisstronik-chain repository (https://link.swisstronik.com/486)         Other  Critical  Bounty
Swisstronik-EVM-Module repository (https://link.swisstronik.com/anb)    Other  Critical  Bounty

IN-SCOPE VULNERABILITIES (BLOCKCHAIN)

  • Business logic issues
  • Payments manipulation
  • Transaction manipulation
  • Direct loss of funds
  • Permanent freezing of funds
  • Unintended permanent chain split (network partition) requiring a hard fork
  • Any issue that could cause non-deterministic behavior, leading to varying results among nodes
  • Bugs that enable bypassing checks on transactions, e.g. using endless gas, using more gas than paid for, or evading signature verification (without DDoS or brute force)
  • Transactions or RPC calls which crash a node or stop block production (without DDoS or brute force)
  • A bug in the respective layer 1 network code that results in unintended smart contract behavior with no concrete funds at direct risk
  • Sending incorrect transactions that can still be included in the mempool
  • Bugs which cause extreme resource usage, e.g. RAM / CPU / storage (without DDoS or brute force)
  • Unauthorized transactions
  • Attacks on logic (behavior of the code differs from the business description)

OUT OF SCOPE: NON-BLOCKCHAIN RELATED ISSUES

  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • 3rd party issues (e.g., Cosmos SDK, Tendermint, CometBFT)
  • The code that's added only for testing purposes (i.e. example smart contracts)
  • We appreciate the inclusion of logging and additional unit tests in pull requests (PRs), but it's essential to note that issues related to these aspects are not considered as valid bugs within the scope of this program
  • DNS and other supporting services misconfigurations
  • Impacts involving centralization risks
  • Best practice recommendations
  • Theoretical vulnerabilities without any proof or demonstration
  • Old compiler version
  • Best practice issues
  • Redundant code
  • More details here https://link.swisstronik.com/e14628

Blockchain core bugs

Blockchain core bugs are code issues compromising the safe functionality of the Swisstronik chain and Swisstronik EVM Module, potentially leading to blockchain crashes, leakage of confidential data, or fund losses.
Some examples of these are (but not limited to):

  • Bugs that can cause the network to be unable to confirm new transactions, resulting in a total network shutdown
  • Bugs that can cause an unintended permanent chain split (network partition) requiring a hard fork
  • Bugs that can cause direct loss of funds
  • Bugs that can cause non-deterministic behavior, leading to varying results among nodes
  • Bugs that allow bypassing transaction checks, like exploiting unlimited gas, surpassing paid gas limits, or evading signature verification (excluding DDoS or brute force attacks)
  • Transactions or RPC calls which crash a node or stop block production (without DDoS or brute force)
  • Bugs affecting EVM functionality in the Swisstronik network, including opcodes and interactions with smart contracts, can qualify as blockchain core bugs (e.g., call or delegatecall not working properly)

General rules

  • Avoid using web application scanners for automatic vulnerability searching, which generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find several chain vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of the Company or one of its contractors.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the-point reproduction steps

KYC is required to receive a reward from this bug bounty program; the following information must be provided: email verification, photo/selfie, ID/passport, country of residence & nationality.

Restrictions on Security Researcher Eligibility:

Security researchers who fall under any of the following are ineligible for a reward.

  • US residents, citizens and/or holders of long-term residence/work permits etc
  • China residents, citizens and/or holders of long-term residence/work permits etc.
  • Individuals that are listed or associated with any person or entity listed on any of the US Department of Commerce’s denied persons or entity lists, the US Department of the Treasury’s specially designated nationals or blocked persons lists, the US Department of State’s debarred parties list, the EU Consolidated List of persons, groups and entities subject to EU financial sanctions, or the Swiss SECO’s overall list of sanctioned individuals, entities and organizations, as well as nationals of, residents of, citizens of, or persons located in geographic areas that are subject to UN, US, EU or Swiss sanctions or embargoes.

Issue Template

  1. Bug/Vulnerability Description
    Clearly state and describe the identified bug or vulnerability.

  2. Hardware and Software Specifications
    OS Name & version
    CPU Name & Brand
    Go version
    Rust version
    SGX version (optional)
    Docker environment

  3. Steps to Reproduce
    Provide clear and concise instructions to reproduce the reported bug or vulnerability.

  4. Impact Analysis
    Analyze the potential consequences of the bug or vulnerability on users, developers, and the organization.

  5. Code Fix Submission
    (Optional) If you have a suggestion for fixing the bug or vulnerability, provide a code fix or a proposed solution.

  6. Additional Context
    (Optional) Share any relevant context, screenshots, logs, or error messages that can facilitate problem-solving and comprehensive understanding.

Submission Criteria
Bug reports must adhere to the guidelines outlined in the Issue template to ensure effective resolution. (Note: This issue template has already been implemented in each repository under scope.)