Immunefi
Immunefi
Back to Explore
Bitswift Cash-logo

Bitswift Cash

Focused on business applications, Bitswift comes with a community and support network of tech pros that have been working with blockchain since its inception. However, Bitswift is more than just a blockchain and token. Bitswift is composed of community, companies, and customers from all sectors including real estate, healthcare, governance, supply chain management, retail, and much more.

Infrastructure
DEX Aggregator
Maximum Bounty
$5,000
Live Since
04 February 2021
Last Updated
18 November 2024

  • PoC required

Submit a Bug
InformationScopeResources

Rewards

Bitswift Cash provides rewards in BTC, ETH, CASH or BITS on Ethereum, denominated in USD.

Rewards by Threat Level

Websites and Applications
Critical
USD $5,000

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System v2.3. This is a simplified 4-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Repeatable Attack Limitations

In cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.

Reward Payment Terms

Payouts are handled by the Bitswift team directly and are denominated in XXX. However, payments are done in XXX.

Critical-level payouts are only applicable when the vulnerability results in users being able to withdraw more than they are supposed to be able to or when their accounts are credited more than the actual deposit or when the user is able to claim more crypto than the stipulated time period allows. Additionally if a user is able to modify the database which modifies user balances in any unintended way. Otherwise, vulnerabilities may be classified as High.

Additionally, all web and app bug reports without proof of concept exploits with demonstrated impact, as well as recommendations for new features, are not accepted.

There is currently a total bounty pool of USD 5 000. Because of this, if there are valid bug reports covering different vulnerabilities submitted where the total reward amount is greater than the remaining bounty pool amount, the appropriate reward levels will be provided on a first-come-first-served basis, and the total bounty pool will be used to reward reports on this priority system until exhausted. This amount will be updated as rewards are paid out and rewards will adjust accordingly.

Payouts are handled by Bitswift directly. The USD amount published is just an estimate. In the event of a discrepancy between the CAD and USD exchange rates with the estimate provided on this page, the prevailing CAD rate will apply. However, payouts are done in BTC, ETH, CASH or BITS. Before any payout, the bug must first be verified and validated by Bitswift.

View impacts in scope

Program Overview

Focused on business applications, Bitswift comes with a community and support network of tech pros that have been working with blockchain since its inception. However, Bitswift is more than just a blockchain and token. Bitswift is composed of community, companies, and customers from all sectors including real estate, healthcare, governance, supply chain management, retail, and much more.

Bitswift.cash allows people to conveniently participate in the token economy, providing an accessible interface interconnecting blockchains, leaving the user in control of their own personal digital information.

The bug bounty program is focused around bugs that relate to the database modification and ability to exploit the deposit, withdrawal, and claim processes on https://bitswift.cash. Bitswift seeks to ensure its claim, deposit, and withdrawal systems are functioning as intended and cannot be exploited to any user's advantage.

Responsible Publication

Bitwift adheres to category 3 - Approval Required. This Policy determines what information researchers are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our Responsible Publication page.

Primacy of Impact vs Primacy of Rules

Bitswift adheres to the Primacy of Impact, which means the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact

Bitswift adheres to the Primacy of Impact for the following impacts:

Smart Contract Critical severity

Known Issue Assurance Bitswift commits to providing Known Issue Assurance to bug submissions through their program. This means that Bitswift will either disclose known issues publicly or at the very least privately via a self-reported bug submission.

In scenarios where there might be a mediation, this allows for a more objective and streamlined process to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

Immunefi Standard Badge

Bitswift has satisfied the requirements for the Immunefi Standard Badge, which is given to projects that adhere to our best practices.

KYC not required

No KYC information is required for payout processing.

Proof of Concept

Proof of concept is always required for all severities.

Prohibited Activities

Default prohibited activities
  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity. Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

Total Assets in Scope
1