Quadrata
Program Overview
Quadrata Web3 Passport is a privacy-preserving, sybil-resistant technology that brings identity, compliance, and reputation to DApps built on public blockchains.
For more information about Quadrata, please visit https://quadrata.com/.
KYC Requirement
The provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:
- Government-issued ID or Passport
- Proof of residency
KYC information is only required on confirmation of the validity of a bug report.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
Reward Payment Terms
Payouts are handled by the Quadrata team directly and are denominated in USD. However, payouts are done in ETH or USDC, at the discretion of the team.
PoC Requirement and Guidelines
All bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.
All PoCs submitted must comply with the Immunefi-wide PoC Guidelines and Rules. Bug report submissions without a PoC when a PoC is required will not be provided with a reward.
For the purposes of determining report validity, this is a Primacy of Rules Program.
Quadrata adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms stated in this page.
Learn more about report validity best practices here: Best Practice - Primacy of Impact vs Primacy of Rules.
Responsible Publication Policy
Quadrata adheres to category 3. This Policy determines what information whitehats are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our Responsible Publication page.
Known Issue Assurance
Quadrata commits to providing Known Issue Assurance to bug submissions through their program. This means that Quadrata will either disclose known issues publicly or at the very least privately via a self-reported bug submission in order to allow for a more objective and streamlined mediation process to prove that an issue is known. Otherwise, assuming the bug report itself is valid, it would result in the bug report being considered in-scope and due 100% of the reward with respect to the bug bounty program terms.
Restrictions on Security Researcher Eligibility
Security researchers who fall under any of the following are ineligible for a reward
- OFAC-sanctioned country or region
- Does not pass Quadrata Identity Verification process (not able to mint a Quadrata Passport)
Known issues previously highlighted in the following audit reports are considered out of scope:
Smart Contract
- Critical
- Level
- USD $20,000
- Payout
- High
- Level
- USD $3,000
- Payout
Assets in scope
- Smart Contract - QuadPassportType
- Smart Contract - QuadGovernanceType
- Smart Contract - QuadReaderType
- Smart Contract - TimelockType
- Smart Contract - MultisigType
- TargetSmart Contract - QuadSoulboundType
- Smart Contract - StorageType
Though only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target.
Only those listed in the Assets in Scope table are considered to be in-scope of the bug bounty program.
Bugs found in contracts across multiple chains will only count as a single vulnerability.
All smart contracts of Quadrata can be found at https://github.com/QuadrataNetwork. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Smart Contract
- Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original resultsCriticalImpact
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yieldCriticalImpact
- Can permanently block Passport mintingCriticalImpact
- Can permanently block reading of Passport valuesCriticalImpact
- Passport manipulation such as changing attribute values, minting on behalf of an issuer and burning of passportsCriticalImpact
- Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)HighImpact
- Unauthorized transactionHighImpact
- Transaction manipulationHighImpact
- Quad Unit payment bypassHighImpact
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Any vulnerabilities found in testnet contracts
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
- Theoretical vulnerabilities without any proof or demonstration
- Old compiler version
- The compiler version is not locked
- Vulnerabilities in imported contracts
- Code style guide violations
- Redundant code
- Gas optimizations
- Best practice issues
Prohibited Activities
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Program Rules
- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- Don’t spam forms or account creation flows using automated scanners
- In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not an ImmuniFi employee without appropriate permission
Disclosure Guidelines
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial is allowed for the moment.
- Do NOT publish/discuss bugs
Eligibility and Coordinated Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be identified before it is discovered internally by the team.
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively to Immunefi Platform Dashboard
- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.
- You must not be a former or current employee of us or one of its contractors.
- Provide detailed but to-the point reproduction steps
- Monetary rewards will not be provided to persons or organizations who violate the Program Rules and Disclosure Guidelines