Cardano Foundation-logo

Cardano Foundation

The Cardano Foundation is tasked with advancing the public digital infrastructure Cardano, working to anchor it as a utility for financial and social systems.

Cardano
Blockchain
L1
Maximum Bounty
$10,000
Live Since
28 March 2024
Last Updated
03 December 2024
  • PoC required

Select the category you'd like to explore

Assets in Scope

Target
Type
Websites and Applications - Rosetta Java
Added on
3 December 2024
Target
Type
Websites and Applications - Wallet
Added on
28 March 2024

Impacts in Scope

Severity
Critical
Title

Direct theft of user funds

Severity
High
Title

Execute arbitrary system commands

Severity
High
Title

Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information

Severity
High
Title

Injecting/modifying the static content on the target application without JavaScript (persistent), such as: HTML injection without JavaScript, Replacing existing text with arbitrary text, Arbitrary file uploads, etc

Severity
High
Title

Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc.

Severity
High
Title

Improperly disclosing confidential user information, such as: Email address, Wallet addresses linked to protected users area, Other types of Sensitive PII, etc.

Severity
Medium
Title

Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Changing the name of user, Enabling/disabling notifications

Severity
Medium
Title

Injecting/modifying the static content on the target application without JavaScript (reflected), such as: Reflected HTML injection, Loading external site data

Severity
Medium
Title

Redirecting users to malicious websites (open redirect)

Severity
Low
Title

Taking down the application/website

Out of scope

Program's Out of Scope information
  • Disclosure of any wallets publicly displayed in non-protected section of the explorer
Default Out of Scope and rules

Web & App specific

  • Theoretical impacts without any proof or demonstration
  • Impacts involving attacks requiring physical access to the victim device
  • Impacts involving attacks requiring access to the local network of the victim
  • Reflected plain text injection (e.g. url parameters, path, etc.)
    • This does not exclude reflected HTML injection with or without JavaScript
    • This does not exclude persistent plain text injection
  • Any impacts involving self-XSS
  • Captcha bypass using OCR without impact demonstration
  • CSRF with no state modifying security impact (e.g. logout CSRF)
  • Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
  • Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
  • Impacts causing only the enumeration or confirmation of the existence of users or tenants
  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
  • Lack of SSL/TLS best practices
  • Impacts that only require DDoS
  • UX and UI impacts that do not materially disrupt use of the platform
  • Impacts primarily caused by browser/plugin defects
  • Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
  • SPF/DMARC misconfigured records)
  • Missing HTTP Headers without demonstrated impact
  • Automated scanner reports without demonstrated impact
  • UI/UX best practice recommendations
  • Non-future-proof NFT rendering

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers
Severity
Min. - Max.
Critical
$10k
High
$5k
Medium
$2k
Low
$1k
Total Assets in Scope
2
Total Impacts in Scope
10