ApeCoin is an ERC-20 governance and utility token used within the APE ecosystem to empower a decentralized community building at the forefront of web3. It allows its holders to participate in the ApeCoin DAO and provides access to exclusive games, merch, events, services, and more.
Earlier this year, the DAO voted to launch a staking system to incentivize engagement within the ecosystem. ApeCoin staking will allow users to stake their APE in various pools to gain rewards. Anyone holding ApeCoin can participate, however additional pools are available to holders who own NFTs within the Bored Ape Yacht Club ecosystem.
The program will continue for the life of the staking system (3 years).
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily based on value at risk, but also PR and branding aspects. However, there is a minimum reward for critical vulnerabilities of USD 100 000.
High smart contract vulnerabilities are capped at 100% of economic damage, primarily based on value at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward for high vulnerabilities of USD 10 000.
All Critical and High Smart Contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.
All vulnerabilities marked acknowledged and accepted in the Halborn security review are not eligible for a reward.
ApeCoin requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. Recipients must provide their name, certificate of incorporation (if a company), physical address, email address, ethereum address to receive the funds, and confirmation on whether the ethereum address is at an exchange or other custodian, or owned directly by the recipient. They will also be required to sign the ApeCoin foundation’s standard grant agreement document. The collection of this information will be done by the project team.
Payouts are handled by the ApeCoin Foundation directly and are denominated in USD. However, all payouts are done in ApeCoin (APE).
- USD $100,000 to USD $3,500,000
- USD $10,000 to USD $50,000
- USD $2,500
- USD $1,000
Assets in scope
- Smart Contract - Apecoin StakingType
All smart contracts can be found in the staking github repo. However, only ApeCoinStaking.sol is in-scope for the bug bounty program. The repo is a hardhat project that contains a simple local deploy script that uses realistic config parameters.
If an impact can be caused to any other asset managed by ApeCoin that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
- Direct theft of any user deposited ApeCoin or unclaimed staking yield, whether at-rest or in-motionCriticalImpact
- Permanent freezing of user deposited ApeCoin or unclaimed staking yield above $100,000 in valueCriticalImpact
- Permanent freezing of user deposited ApeCoin or unclaimed staking yield below $100,000 in valueHighImpact
- Temporary freezing of user deposited ApeCoin for at least 1 dayHighImpact
- Staking in the BAYC pool, MAYC pool, or paired pool without ownership of the required NFTsHighImpact
- Staking more than 10,094 per BAYC or 2,042 per MAYC in the BAYC pool, MAYC pool, or paired poolHighImpact
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)MediumImpact
- Minor accounting miscalculations for staking accrualMediumImpact
- Smart contract fails to deliver promised returns, but doesn’t lose valueLowImpact
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- User error that results in the loss of custody of a BAYC, MAYC, or BAKC which leads to the unintentional loss of staked ApeCoin
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks, which are in-scope
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Vulnerabilities requiring access to the staking contract’s owner role Attacks that are a direct result of user error (e.g. using incorrect function arguments)