CoinFLEX

Live since: 03 August 2021
KYC required: No
Maximum bounty: $100,000
Last updated: 13 October 2022

Program Overview

Founded in 2019, CoinFLEX is the home of crypto yields. The platform offers innovative solutions such as flexUSD, the world's first interest-bearing stablecoin, and AMM+, the most capital-efficient automated market maker for today's investors.

CoinFLEX is backed by crypto heavyweights including Roger Ver, Mike Komaransky, Polychain Capital, and Digital Currency Group, amongst others. The exchange is dedicated to providing an easily accessible venue for users to earn and trade crypto with minimal friction.

For more information about CoinFLEX please visit https://coinflex.com/.

The bug bounty program covers its smart contracts, website, and apps and is focused on the prevention of the negative impacts stated in the Impacts in Scope section.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into account the funds at risk. Other considerations such as PR and branding concerns may also be considered by the team at its discretion. However, there is no minimum reward for Critical impacts.

In order to be considered for a reward, all bug reports must include:

  • URLs affected
  • Description
  • Impact
  • Proof of concept (with screenshots or video if applicable)
  • Mitigation/recommended fix

Payouts are handled by the CoinFLEX team directly and are denominated in USD. Payouts are done in USDT, FLEX, or BTC, at the discretion of the CoinFLEX team.

Smart Contract

  • Critical: Up to USD $100,000
  • High: USD $10,000
  • Medium: USD $5,000
  • Low: USD $1,000

Websites and Applications

  • Critical: USD $10,000 (PoC required)
  • High: USD $1,000 (PoC required)

Assets in scope

Only web/app vulnerabilities that directly affect the web/app assets listed in this table are accepted within the bug bounty program. All others are out of scope. No website page other than those specifically listed is in scope of the bug bounty program.

For flexUSD, bug reports involving key compromise are out-of-scope of this bug bounty program.

The links to the apps are only provided as a guide to acquire the app. The Google and Apple websites are not in-scope of the bug bounty program.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

  • Loss of governance funds (Critical)
  • Any governance voting result manipulation (Critical)
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield (Critical)
  • Permanent freezing of funds (Critical)
  • Miner-extractable value (MEV) (Critical)
  • Insolvency (Critical)
  • Loss of user funds staked (principal) by freezing or theft (Critical)
  • Loss of user funds via incorrect trades, swaps, or other contract operations (Critical)
  • Exposure of private keys or any other sensitive secrets (Critical)
  • Theft of unclaimed yield (High)
  • Temporary freezing of funds for any amount of time (High)
  • Freezing of unclaimed yield (High)
  • Permanent freezing of unclaimed yield (High)
  • Unable to call smart contract (Medium)
  • Smart contract gas drainage (Medium)
  • Smart contract unable to operate due to lack of funds (Medium)
  • Block stuffing for profit (Medium)
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) (Medium)
  • Theft of gas (Medium)
  • Unbounded gas consumption (Medium)
  • Smart contract fails to deliver promised returns, but doesn't lose value (Low)
  • Vote manipulation (Low)
  • Incorrect polling actions (Low)

Websites and Applications

  • Ability to execute system commands (Critical)
  • Remote code execution (Critical)
  • Server shell access (Critical)
  • Extracting sensitive data/files from the server, such as /etc/passwd (Critical)
  • Taking down the application/website, excluding denial of service (Critical)
  • Bypassing authentication, leading to unauthorized access (Critical)
  • Signing transactions for other users (Critical)
  • Redirection of user deposits and withdrawals (Critical)
  • Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published) (Critical)
  • Wallet interaction modification resulting in financial loss (Critical)
  • Direct theft of user funds (Critical)
  • Tampering with transactions submitted to the user's wallet (Critical)
  • Submitting malicious transactions to an already-connected wallet (Critical)
  • Session hijacking/spoofing leading to account takeover (Critical)
  • Unauthorized access (Critical)
  • Triggering incorrect balance updates (Critical)
  • Redirecting funds by address modification (Critical)
  • User console actions leading to loss of funds (Critical)
  • Accessing sensitive pages without authorization (Critical)
  • SQL injection, except fuzzing (targeted only) (Critical)
  • Chaining (Critical)
  • Deletion or modification of user data (Critical)
  • Spoofing content on the target application (persistent) (High)
  • Disclosure of users' confidential information, such as email addresses (High)
  • Subdomain takeover without financial loss (applicable for subdomains with no addresses published) (High)
  • Privilege escalation to access unauthorized functionalities (High)
  • Site going down, excluding denial of service (High)
  • Leak of user data (High)
  • Deletion or modification of user data (High)
  • Injection of text (High)
  • SQL injection (High)
  • Users spoofing other users (High)
  • Incorrect methods allowed (High)
  • Unexpected behavior leading to a bug (High)

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

Websites and Apps

  • Cookie expiration
  • Cookie migration/sharing
  • Forgot password
  • Autologin token reuse
  • Same Site Scripting
  • Social Engineering
  • Phishing
  • Resource Exhaustion attacks
  • Denial of service attacks (DDoS)
  • Issues related to rate limiting
  • Services listening on port 80
  • Static content over HTTP
  • Internal IP address disclosure
  • Issues related to cross-domain policies without evidence of an exploitable vulnerability
  • Weak password policies
  • Vulnerabilities impacting only old/end-of-life browsers/plugins, including:
    • Issues that have had a patch available from the vendor for at least 6 months
    • Issues on software that is no longer maintained (announced as unsupported/end-of-life, or no patches issued in at least 6 months)
  • Vulnerabilities related to offline playback
  • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of CoinFLEX systems or software (e.g. UXSS)
  • Reports relating to root certificates
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Vulnerability reports relating to exposure of non-critical files, e.g. robots.txt, sitemap.xml, .gitignore
  • Vulnerability reports relating to sites or network devices not owned by CoinFLEX
  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

All bug bounty hunters are required to adhere to the following rules:

  • Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.

  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.

  • Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.

  • Perform research only within the scope and, for smart contracts, only on private testnets.

  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.

  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

  • Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.