Attackathon | Stacks II
Stacks is a Bitcoin L2 enabling smart contracts & apps with Bitcoin as the secure base layer. This Attackathon focuses on Stacks’ sBTC upgrade.
Evaluating
Triaged by Immunefi
Step-by-step PoC Required
KYC required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Previous Audits
Stacks’s completed audit reports can be found at https://stacks.org/audits . As well as the sBTC audit here, which the 3rd audit report from the top of the list.
Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
Public Disclosure of Known Issues
Bug reports for publicly disclosed bugs are not eligible for a reward.
The Stacks team will label known issues with the label 'immunefi-scope' ( https://github.com/stacks-network/sbtc/labels/immunefi-scope ) to allow security researchers to easily filter them out.
Private Known Issues Reward Policy
Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.
Stacks’ Feasibility Limitations
In addition to our standard feasibility limitations, the following also apply:
- Non-Criticals which can be objectively determined to only be able to affect <1% of users may be downgraded by 1 severity.
- Non-Critical impacts that are dependent on execution to have a malicious signer involved, may be downgraded by 1 severity level.
- Vulnerabilities related to WSTS will only be considered in scope if they can be exploited in sBTC.
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Permanent freezing of funds
Protocol insolvency
Direct loss of funds
Permanent freezing of funds (fix requires hardfork)
Theft of unclaimed yield
Permanent freezing of unclaimed yield
Network not being able to confirm new transactions (total network shutdown)
Unintended permanent chain split requiring hard fork (network partition requiring hard fork)
Unintended chain split (network partition)
Temporary freezing of funds for at least 24h
A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk
Out of scope
Blockchain/DLT specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers