Immunefi
Immunefi
Back to Explore
Celer-logo

Celer

Celer cBridge is a multi-chain interoperability system that provides the best-in-class cross-chain token bridging experience with deep liquidity for users, highly efficient and easy-to-use liquidity management for both cBridge node operators and Liquidity Providers who do not want to operate cBridge nodes, and developer-oriented features such as general message bridging for cases like cross-chain DEX and NFTs.

Arbitrum
Avalanche
BSC
Base
ETH
Fantom
Moonbeam
Optimism
Polygon
Blockchain
Defi
NFT
Crosschain Liquidity
L1
Wallet
JavaScript
Solidity
Maximum Bounty
$2,000,000
Live Since
18 November 2021
Last Updated
04 November 2024

  • PoC required

  • KYC required

Submit a Bug
InformationScopeResources

Select the category you'd like to explore

Assets in Scope

Target
Type
Websites and Applications - cBridge Web App
Added on
26 April 2022
Target
Type
Smart Contract - Boba 288
Added on
26 April 2022
Target
Type
Smart Contract - Optimism 10
Added on
26 April 2022
Target
Type
Smart Contract - Fantom 250
Added on
26 April 2022
Target
Type
Smart Contract - Avalanche 43114
Added on
26 April 2022
Target
Type
Smart Contract - Polygon 137
Added on
26 April 2022
Target
Type
Smart Contract - Arbitrum 42161
Added on
26 April 2022
Target
Type
Smart Contract - BSC 56
Added on
26 April 2022
Target
Type
Smart Contract - Ethereum 1
Added on
26 April 2022
Target
Type
Smart Contract - Viewer
Added on
26 April 2022
Target
Type
Smart Contract - Governance
Added on
26 April 2022
Target
Type
Smart Contract - Farming Rewards
Added on
26 April 2022

Impacts in Scope

Severity
Critical
Title

Thefts and permanent freezing of any funds in liquidity pool smart contract or staking contracts

Severity
Critical
Title

The only web vulnerabilities in scope are those which lead directly and unequivocally to loss of user funds, a direct breach of data, and the deletion of site data

Severity
Critical
Title

Thefts and permanent freezing of unclaimed yield rewards

View rewards

Out of scope

Program's Out of Scope information
  • Best practice critiques
Default Out of Scope and rules

Smart Contract specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers
Severity
Min. - Max.
Critical
$15k -$2M
Total Assets in Scope
15
Total Impacts in Scope
3
Total paid

167k