BlockchainSpace enables play-to-earn guilds to scale in the metaverse. We build tools to empower gaming communities and run academies to identify economic opportunities in the play-to-earn ecosystem.
For more information about BlockchainSpace, please visit https://www.blockchainspace.asia/.
This bug bounty program is focused on their smart contracts and is focused on preventing:
- Thefts and freezing of principal of any amount
- Thefts and freezing of unclaimed yield of any amount
- Theft of governance funds
- Governance activity disruption
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
All Low, Medium, High and Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward.
Payouts are handled by the BlockchainSpace team directly and are denominated in USD. However, payouts are done in ETH.
- USD $50,000
- USD $30,000
- USD $20,000
- USD $10,000
Assets in scope
- Smart Contract - COREType
- Smart Contract - Guild TokenType
In the Github link in the Assets in Scope table, only Exact Match Verified smart contracts are considered as in-scope of the bug bounty program.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
- Loss of user funds staked (principal) by freezing or theftCriticalImpact
- Loss of governance fundsCriticalImpact
- Vote manipulationCriticalImpact
- Incorrect polling actionsCriticalImpact
- Theft of unclaimed yieldHighImpact
- Freezing of unclaimed yieldHighImpact
- Unable to call smart contractMediumImpact
- Smart contract gas drainageMediumImpact
- Smart contract fails to deliver promised returnsLowImpact
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty