Toucan
Program Overview
Toucan is building technology to finance climate action at scale. They are developing infrastructure to move carbon credits onto open blockchains, which helps make carbon markets more transparent, efficient, accessible, and scalable.
Toucans infrastructure is composed of four key modules:
- The Carbon Bridge verifiably 1:1 tokenizes carbon credits from a supported registry and turns them into ERC-20 tokens that anyone can use. More than 20m carbon credits (or around 85 % of all on-chain carbon credits) have been tokenized using Toucans bridge
- Their Carbon Pools are a way of grouping together tokens linked to credits with similar attributes. The result: standardized and deeply liquid carbon reference tokens (like NCT) that can be easily priced and traded on cryptocurrency exchanges.
- Information about all tokenized carbon credits is stored on Toucans Open Carbon Registry. This is a unified global ledger with consistent data standards to be used across organizations. On the Open Carbon Registry, everyone can view the project information, trading history and retirement details of all tokenized carbon credits. The Open Carbon Registry brings much-needed transparency into a previously opaque market.
- The retirement module helps companies retire carbon credits with the full transparency of a public blockchain.
For more information about Toucan, please visit https://toucan.earth/.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
All bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.
Rewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 50 000 and a maximum reward of USD 200 000.
Known issues highlighted in the following audit reports are considered out of scope:
- https://byterocket.com/audit/toucan-protocol
- https://byterocket.com/audit/toucan-protocol-nct
- https://byterocket.com/audit/toucan-protocol-retirement-certificates
Payouts are handled by the Toucan team directly and are denominated in USD. However, payouts are done in USDC (ERC20). All payouts require invoice with email and crypto wallet address.
Smart Contract
- Critical
- Level
- USD $50,000 to USD $200,000
- Payout
- High
- Level
- USD $40,000
- Payout
- Medium
- Level
- USD $7,500
- Payout
Assets in scope
- Smart Contract - BaseCarbonTonneType
- Smart Contract - CarbonOffsetBatchesType
- Smart Contract - CarbonProjectVintagesType
- Smart Contract - CarbonProjectsType
- Smart Contract - NatureCarbonTonneType
- Smart Contract - RetirementsCertificateType
- Smart Contract - ToucanCarbonOffsetsType
- Smart Contract - ToucanCarbonOffsetsFactoryType
- Smart Contract - ToucanContractRegistryType
- Smart Contract - ToucanCrosschainMessengerType
Though only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target.
All smart contracts of Toucan can be found at https://github.com/ToucanProtocol/contracts. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Smart Contract
- Direct theft of any funds belonging to specific users, whether at-rest or in-motion, other than unclaimed yieldCriticalImpact
- Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royaltiesCriticalImpact
- Permanent freezing of fundsCriticalImpact
- Permanent freezing of NFTsCriticalImpact
- Unauthorized minting of NFTs or tokensCriticalImpact
- Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)CriticalImpact
- Protocol insolvencyCriticalImpact
- Obtaining admin access or any other privileged role which can lead to abuse of the protocolCriticalImpact
- Theft of unclaimed yieldHighImpact
- Theft of unclaimed royaltiesHighImpact
- Permanent freezing of unclaimed yieldHighImpact
- Permanent freezing of unclaimed royaltiesHighImpact
- Temporary freezing of funds for at least 24 hoursHighImpact
- Temporary freezing NFTs for at least 24 hoursHighImpact
- Deposits of TCO2s into pools that exclude these TCO2sHighImpact
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)MediumImpact
- Permanent or temporary freezing of any functionality for less than 24 hoursMediumImpact
- Permanent or temporary freezing of any functionality not captured aboveMediumImpact
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
-
Attacks that the reporter has already exploited themselves, leading to damage
-
Attacks requiring access to leaked keys/credentials
-
Attacks requiring access to privileged addresses (governance, strategist)
-
Attacks involving functionality which is currently paused, e.g. the process of bridging credits from Verra, which includes:
- linking of batch NFTs in CarbonOffsetBatches contract with project vintages
- approval / rejection of batch NFTs in CarbonOffsetBatches contract
Nevertheless, any such attacks which are new discoveries may be eligible for discretionary payouts if they help harden future bridging when that resumes.
Smart Contracts and Blockchain
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty