Toucan Bug Bounties

Program Overview

Toucan is building technology to finance climate action at scale. They are developing infrastructure to move carbon credits onto open blockchains, which helps make carbon markets more transparent, efficient, accessible, and scalable.

Toucans infrastructure is composed of four key modules:

The Carbon Bridge verifiably 1:1 tokenizes carbon credits from a supported registry and turns them into ERC-20 tokens that anyone can use. More than 20m carbon credits (or around 85 % of all on-chain carbon credits) have been tokenized using Toucans bridge
Their Carbon Pools are a way of grouping together tokens linked to credits with similar attributes. The result: standardized and deeply liquid carbon reference tokens (like NCT) that can be easily priced and traded on cryptocurrency exchanges.
Information about all tokenized carbon credits is stored on Toucans Open Carbon Registry. This is a unified global ledger with consistent data standards to be used across organizations. On the Open Carbon Registry, everyone can view the project information, trading history and retirement details of all tokenized carbon credits. The Open Carbon Registry brings much-needed transparency into a previously opaque market.
The retirement module helps companies retire carbon credits with the full transparency of a public blockchain.

For more information about Toucan, please visit https://toucan.earth/.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

All bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Rewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 50 000 and a maximum reward of USD 200 000.

Known issues highlighted in the following audit reports are considered out of scope:

Payouts are handled by the Toucan team directly and are denominated in USD. However, payouts are done in USDC (ERC20). All payouts require invoice with email and crypto wallet address.

Smart Contract

Critical
Level: USD $50,000 to USD $200,000
Payout

High
Level: USD $40,000
Payout

Medium
Level: USD $7,500
Payout

Assets in scope

https://polygonscan.com/address/0x2F800Db0fdb5223b3C3f354886d907A671414A7F
Target
Smart Contract - BaseCarbonTonne
Type
https://polygonscan.com/address/0x8A4d7458dDe3023A3B24225D62087701A88b09DD
Target
Smart Contract - CarbonOffsetBatches
Type
https://polygonscan.com/address/0x98a7840c33a9aa42FFE16F7Da9a0E6dd6Ea5f98f
Target
Smart Contract - CarbonProjectVintages
Type
https://polygonscan.com/address/0x599a978c43F5cEa1B26a399D28869Ad4690DC07d
Target
Smart Contract - CarbonProjects
Type
https://polygonscan.com/address/0xD838290e877E0188a4A44700463419ED96c16107
Target
Smart Contract - NatureCarbonTonne
Type
https://polygonscan.com/address/0x5e377f16E4ec6001652befD737341a28889Af002
Target
Smart Contract - RetirementsCertificate
Type
https://polygonscan.com/address/0xD46eE8815F141749834AF0Df21E744459eFEc75F
Target
Smart Contract - ToucanCarbonOffsets
Type
https://polygonscan.com/address/0x2359677E513Bc83106268514c5B2De3C29C849ea
Target
Smart Contract - ToucanCarbonOffsetsFactory
Type
https://polygonscan.com/address/0x263fA1c180889b3a3f46330F32a4a23287E99FC9
Target
Smart Contract - ToucanContractRegistry
Type
https://polygonscan.com/address/0xABaC3D6b281Bbe0Fc0F67b26247cB27994eaAcaf
Target
Smart Contract - ToucanCrosschainMessenger
Type

Though only the proxy contracts are listed as in-scope, current implementation and any further updates to the implementation contracts are considered in scope. When reporting a bug, please make sure to select the relevant proxy smart contract as the target.

All smart contracts of Toucan can be found at https://github.com/ToucanProtocol/contracts. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

Direct theft of any funds belonging to specific users, whether at-rest or in-motion, other than unclaimed yield
Critical
Impact
Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties
Critical
Impact
Permanent freezing of funds
Critical
Impact
Permanent freezing of NFTs
Critical
Impact
Unauthorized minting of NFTs or tokens
Critical
Impact
Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)
Critical
Impact
Protocol insolvency
Critical
Impact
Obtaining admin access or any other privileged role which can lead to abuse of the protocol
Critical
Impact
Theft of unclaimed yield
High
Impact
Theft of unclaimed royalties
High
Impact
Permanent freezing of unclaimed yield
High
Impact
Permanent freezing of unclaimed royalties
High
Impact
Temporary freezing of funds for at least 24 hours
High
Impact
Temporary freezing NFTs for at least 24 hours
High
Impact
Deposits of TCO2s into pools that exclude these TCO2s
High
Impact
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Medium
Impact
Permanent or temporary freezing of any functionality for less than 24 hours
Medium
Impact
Permanent or temporary freezing of any functionality not captured above
Medium
Impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)
Attacks involving functionality which is currently paused, e.g. the process of bridging credits from Verra, which includes:
- linking of batch NFTs in CarbonOffsetBatches contract with project vintages
- approval / rejection of batch NFTs in CarbonOffsetBatches contract

Nevertheless, any such attacks which are new discoveries may be eligible for discretionary payouts if they help harden future bridging when that resumes.

Smart Contracts and Blockchain

Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks
Centralization risks

The following activities are prohibited by this bug bounty program:

Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty