CoinFLEX

Submit a Bug
03 August 2021
Live since
No
KYC required
$100,000
Maximum bounty

Program Overview

Founded in 2019, CoinFLEX is the home of crypto yields. The platform offers innovative solutions such as flexUSD — the world’s first interest bearing stablecoin — and AMM+, the most capital–efficient automated market maker for today’s investors.

CoinFLEX is backed by crypto heavyweights including Roger Ver, Mike Komaransky, Polychain Capital, and Digital Currency Group, amongst others. The exchange is dedicated to providing an easily accessible venue for users to earn and trade crypto with minimal friction.

For more information about CoinFLEX please visit https://coinflex.com/.

The bug bounty program covers its smart contracts, website, and apps and is focused on the prevention of the negative impacts stated in the Impacts in Scope section.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into account the funds at risk. Other considerations such as PR and branding concerns may also be considered by the team at its discretion. However, there is no minimum reward for Critical impacts.

In order to be considered for a reward, all bug reports must include:

  • URLs affected
  • Description
  • Impact
  • Proof of concept (with screenshots or video if applicable)
  • Mitigation/recommended fix

Payouts are handled by the CoinFLEX team directly and are denominated in USD. Payouts are done in USDT, FLEX, or BTC, at the discretion of the CoinFLEX team.

Smart Contract

Critical
Level
Up to USD $100,000
Payout
High
Level
USD $10,000
Payout
Medium
Level
USD $5,000
Payout
Low
Level
USD $1,000
Payout

Websites and Applications

Critical
Level
USD $10,000
Payout
PoC Required
High
Level
USD $1,000
Payout
PoC Required

Assets in scope

Only web/app vulnerabilities that directly affect the web/app assets listed in this table are accepted within the bug bounty program. All others are out-of-scope. No other website page other than those specifically listed are in-scope of the bug bounty program.

For flexUSD, bug reports involving key compromise are out-of-scope of this bug bounty program.

The links to the apps are only provided as a guide to acquire the app. The Google and Apple websites are not in-scope of the bug bounty program.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

  • Loss of governance funds
    Critical
    Impact
  • Any governance voting result manipulation
    Critical
    Impact
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
    Critical
    Impact
  • Permanent freezing of funds
    Critical
    Impact
  • Miner-extractable value (MEV)
    Critical
    Impact
  • Insolvency
    Critical
    Impact
  • Loss of user funds staked (principal) by freezing or theft
    Critical
    Impact
  • Loss of user funds via incorrect trades, swaps, or other contact operations
    Critical
    Impact
  • Exposure of private keys or any other sensitive secrets
    Critical
    Impact
  • Theft of unclaimed yield
    High
    Impact
  • Temporary freezing of funds for any amount of time
    High
    Impact
  • Freezing of unclaimed yield
    High
    Impact
  • Permanent freezing of unclaimed yield
    High
    Impact
  • Unable to call smart contract
    Medium
    Impact
  • Smart contract gas drainage
    Medium
    Impact
  • Smart contract unable to operate due to lack of funds
    Medium
    Impact
  • Block stuffing for profit
    Medium
    Impact
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
    Medium
    Impact
  • Theft of gas
    Medium
    Impact
  • Unbounded gas consumption
    Medium
    Impact
  • Smart contract fails to deliver promised returns, but doesn’t lose value
    Low
    Impact
  • Vote manipulation
    Low
    Impact
  • Incorrect polling actions
    Low
    Impact

Websites and Applications

  • Ability to execute system commands
    Critical
    Impact
  • Remote code execution
    Critical
    Impact
  • Server shell access
    Critical
    Impact
  • Extract Sensitive data/files from the server such as /etc/passwd
    Critical
    Impact
  • Taking Down the application/website excluding Denial of Service
    Critical
    Impact
  • Bypassing Authentication leading to unauthorized access
    Critical
    Impact
  • Signing transactions for other users
    Critical
    Impact
  • Redirection of user deposits and withdrawals
    Critical
    Impact
  • Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)
    Critical
    Impact
  • Wallet interaction modification resulting in financial loss
    Critical
    Impact
  • Direct theft of user funds
    Critical
    Impact
  • Tampering with transactions submitted to the user’s wallet
    Critical
    Impact
  • Submitting malicious transactions to an already-connected wallet
    Critical
    Impact
  • Session hijacking/spoofing leading to account takeover
    Critical
    Impact
  • Unauthorized access
    Critical
    Impact
  • Triggering incorrect balance updates
    Critical
    Impact
  • Redirecting funds by address modification
    Critical
    Impact
  • User console actions leading to loss of funds
    Critical
    Impact
  • Accessing sensitive pages without authorization
    Critical
    Impact
  • Unauthorized access
    Critical
    Impact
  • SQL Injection except fuzzing (targeted only)
    Critical
    Impact
  • Chaining
    Critical
    Impact
  • Deletion or modification of user data
    Critical
    Impact
  • Triggering incorrect balance updates
    Critical
    Impact
  • Redirecting funds by address modification
    Critical
    Impact
  • Accessing sensitive pages without authorization
    Critical
    Impact
  • Spoofing content on the target application (Persistent)
    High
    Impact
  • Users Confidential information disclosure such as Email
    High
    Impact
  • Subdomain Takeover without financial loss (applicable for subdomains with no addresses published)
    High
    Impact
  • Privilege escalation to access unauthorized functionalities
    High
    Impact
  • Site going down - excluding denial of service
    High
    Impact
  • Leak of user data
    High
    Impact
  • Deletion or modification of user data
    High
    Impact
  • Injection of text
    High
    Impact
  • SQL injection
    High
    Impact
  • Users spoofing other users
    High
    Impact
  • Incorrect methods allowed
    High
    Impact
  • Unexpected behavior leading to a bug
    High
    Impact
  • Site going down - excluding denial of service
    High
    Impact
  • Leak of user data
    High
    Impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

Websites and Apps

  • Cookie expiration
  • Cookie migration/sharing
  • Forgot password
  • Autologin token reuse
  • Same Site Scripting
  • Social Engineering
  • Phishing
  • Resource Exhaustion attacks
  • Denial of service attacks (DDoS)
  • Issues related to rate limiting
  • Services listening on port 80
  • Static content over HTTP
  • Internal IP address disclosure
  • Issues related to cross-domain policies without evidence of an exploitable vulnerability
  • Weak password policies
  • Vulnerabilities impacting only old/end-of-life browsers/plugins including:
  • Issues that have had a patch available from the vendor for at least 6 months
  • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
  • Vulnerabilities related to offline playback
  • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of CoinFLEX systems or software (e.g. UXSS)
  • Reports relating to root certificates
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Vulnerability reports relating to exposure of non critical files. E.G. robots.txt, sitemap.xml, .gitignore
  • Vulnerability reports relating to sites or network devices not owned by CoinFLEX
  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

All bug bounty hunters are required to adhere to the following rules:

  • Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.

  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.

  • Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.

  • Perform research only within the scope and, for smart contracts, only on private testnets.

  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.

  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

  • Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.