Live since: 08 November 2021
KYC required: Yes
Maximum bounty: $1,337,133

Program Overview

Cronos core team announces a Cronos bug bounty program, with a maximum bounty of up to USD $1,337,133.7 sponsored by Blockchain accelerator Particle B to enhance on-chain security of the Cronos ecosystem. The security campaign, in partnership with Immunefi, is focused on discovering potential technical vulnerabilities and strengthening smart contract security.

The Cronos core team puts security as its top priority and has dedicated resources to ensure high incentives to attract the community at large to evaluate and safeguard the ecosystem. While building Cronos, the team has engaged industry-leading cybersecurity audit firms specializing in blockchain security to help secure the codebase of Ethermint. We encourage smart contract developers and whitehat hackers to participate, evaluate the code base and hunt for bugs, especially issues that could put users’ funds at risk. In exchange, the bug bounty program will reward up to USD 1,337,133.7 based on the vulnerability severity level.

This bug bounty program is focused on Cronos (blockchain), smart contracts and decentralised applications with the emphasis on any vulnerabilities causing unintentional withdrawal/draining of funds/loss of user funds. The program also extends to key projects in the Cronos ecosystem, including VVS Finance as the first project with more DeFi projects to come. Cronos is the Ethereum Virtual Machine (EVM) chain running in parallel to the Crypto.org Chain. It aims to massively scale the DeFi and decentralised application (DApp) ecosystem, by providing developers with the ability to instantly port apps from Ethereum and EVM-compatible chains. With low cost, high throughput, fast finality, and built-in interoperability, Cronos is poised to bring decentralized applications to the 10M+ user base of the Crypto.com ecosystem and beyond.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on this severity classification system.

All bug reports must come with a PoC in order to be considered for a reward. For web/app bug reports, if the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly. The specific amount of the bounty will vary according to:

  • The effect of the bug.
  • The cause of the bug.
  • Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.

Critical smart contract and blockchain vulnerabilities are capped at 10% of economic damage, primarily focused on the funds at risk, but also taking into account branding and PR considerations, at the discretion of the team. However, there is a minimum reward of USD 50 000. High smart contract and blockchain vulnerabilities are capped at 100% of the amount of funds affected, with a minimum reward of USD 25 000. Medium smart contract and blockchain vulnerabilities are rewarded based on the level of impact at the discretion of the Cronos team.

All vulnerabilities that directly affect the Cronos blockchain, smart contract, and app that directly cause unintentional withdrawals, draining of funds, or loss of user funds, are considered as Critical.

The only web vulnerabilities in scope are those which directly lead to loss of user funds, breach of sensitive data, or deletion of site data. As stated in the severity classification system, the Cronos team will use the CVSS calculator to determine the severity and, based on that, the reward for the bounty.

All bug reports payments require KYC completed. In order to receive a payment, submitters must be prepared to do any one of the options listed below. Please indicate your preferred option in the bug report.

1) Create an invoice and fill out this form. When your bug report is deemed valid, please submit the form right away.
2) Register on the crypto.com app, complete any KYC required, and submit an address generated on the app.
3) Sign up or log in to an external bug bounty platform and receive payment there.

Smart Contract

Level      Payout                     PoC
Critical   Up to USD $1 337 133.70    Required
High       Up to USD $250 000         Required
Medium     Up to USD $25 000          Required

Websites and Applications

Level      Payout          PoC
Critical   USD $15 000     Required
High       USD $7 500      Required
Medium     USD $1 000      Required

Assets in scope

Only the latest release version deployed to mainnet is considered in scope of the bug bounty program. All folders and files labeled as "Mock" or "Test" are considered out of scope of the bug bounty program.

Prioritized Vulnerabilities

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contracts and Blockchain/DLT

Critical

  • Empty or freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, logic errors, integer over-/under-flow).
  • Cryptographic flaws.
  • Cronos (blockchain), smart contracts and app with the focus on any vulnerabilities causing unintentional withdrawal/draining of funds/loss of user funds.

High

  • Token holders temporarily unable to transfer holdings.
  • User impersonation.
  • Theft of yield.
  • Transient consensus failures.

Medium

  • Contract consumes unbounded gas.
  • Block stuffing.
  • Griefing denial of service (i.e. attacker spends as much in gas as damage to the contract).
  • Gas griefing.

Web/App

Once the user submits a vulnerability report, Cronos will use the CVSS calculator to check the severity level and, based on its determination and perceived risk, will award the bounty amount.

Once the user submits a vulnerability report, Cronos will calculate the severity through multiple attributes such as perceived risk and CVSS scores. Upon completion, this severity will be used to award the bounty amount.

Note: If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly. The specific amount of the bounty will vary according to:

  • The effect of the bug.
  • The cause of the bug.
  • Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.

However, only the following impact is considered as in-scope, though the severity level may be Critical, High, or Medium based on the conditions above:

  • Impacts that directly lead to loss of user funds, or breach of sensitive data, or deletion of site data.

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks that rely on social engineering
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of it).
  • Previously known vulnerabilities in Tendermint and/or any other fork of it.
  • Previously known vulnerabilities in cosmos-sdk and/or any other fork of it.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Public Zero-day vulnerabilities
  • Feature request
  • Best practices
  • VVS-Bench is Out of Scope

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing/Text injection issues
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names, directory listing without sensitive information, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Lack of SSL/TLS best practices
  • Attacks requiring privileged access from within the organization
  • Clickjacking/UI redressing with minimal security impact
  • Tab-nabbing / Self-XSS / Denial of service (DoS) / Spamming / Usability issues
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI
  • Reports from automated tools or scans, without exploitability demonstration
  • Vulnerabilities related to autofill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Vulnerabilities that require physical access to a user's device

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty