Immunefi
Immunefi

ApeCoin Mainnet

Submit a Bug
07 December 2022
Live since
Yes
KYC required
$3,500,000
Maximum bounty
08 April 2024
Last updated

Program Overview

ApeCoin is an ERC-20 governance and utility token used within the APE ecosystem to empower a decentralized community building at the forefront of web3. It allows its holders to participate in the ApeCoin DAO and provides access to exclusive games, merch, events, services, and more.

Earlier this year, the DAO voted to launch a staking system to incentivize engagement within the ecosystem. ApeCoin staking will allow users to stake their APE in various pools to gain rewards. Anyone holding ApeCoin can participate, however additional pools are available to holders who own NFTs within the Bored Ape Yacht Club ecosystem.

For more information about Apecoin and staking, please visit https://apecoin.com and read AIP-21 and AIP-22.

The program will continue for the life of the staking system (3 years).

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily based on value at risk, but also PR and branding aspects. However, there is a minimum reward for critical vulnerabilities of USD 100 000.

All bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

All vulnerabilities marked acknowledged and accepted in the Halborn security review are not eligible for a reward.

ApeCoin requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. Recipients must provide their name, certificate of incorporation (if a company), physical address, email address, ethereum address to receive the funds, and confirmation on whether the ethereum address is at an exchange or other custodian, or owned directly by the recipient. They will also be required to sign the ApeCoin foundation’s standard grant agreement document. The collection of this information will be done by the project team.

Payouts are handled by the ApeCoin Foundation directly and are denominated in USD. However, all payouts are done in ApeCoin (APE).

Smart Contract

Critical
Level
USD $100,000 to USD $3,500,000
Payout
PoC Required

Assets in scope

All smart contracts can be found in the staking github repo. However, only ApeCoinStaking.sol is in-scope for the bug bounty program. The repo is a hardhat project that contains a simple local deploy script that uses realistic config parameters.

If an impact can be caused to any other asset managed by ApeCoin that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.

Please watch the Horizen Labs Ape Staking Smart Contract Walk-Thru for a video overview of the staking contract and read the docs for further information, https://docs.apestake.io/.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

  • Direct theft of any user deposited ApeCoin or unclaimed staking yield, whether at-rest or in-motion
    Critical
    Impact
  • Permanent freezing of user deposited ApeCoin or unclaimed staking yield above $100,000 in value
    Critical
    Impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • User error that results in the loss of custody of a BAYC, MAYC, or BAKC which leads to the unintentional loss of staked ApeCoin
  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks, which are in-scope
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Vulnerabilities requiring access to the staking contract’s owner role Attacks that are a direct result of user error (e.g. using incorrect function arguments)